From vigneshdhanraj.g at gmail.com Tue Dec 1 07:18:07 2015
From: vigneshdhanraj.g at gmail.com (VigneshDhanraj G)
Date: Tue, 1 Dec 2015 12:48:07 +0530
Subject: [Samba] NFSV4 Client setup problem
Message-ID:

Hi,

I tried to bring up an nfsv4 client setup, but when I am joining the AD server from my Linux machine I always get the error below:

"kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Server not found in Kerberos database"

The wbinfo -u command gives the user list.
net ads info gives the details of the AD.

When I try to log in as the AD administrator user I am not able to log in using ssh.

I am using Debian wheezy as client and Windows 2003 Server as AD.

My samba conf:

[global]
security = ADS
realm = INDIA.LOCAL
# If the system doesn't find the domain controller automatically, you may need the following line
password server = INDIA.LOCAL
# note that workgroup is the 'short' domain name
workgroup = INDIA
# winbind separator = +
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
name resolve order = lmhosts host

Could anyone help regarding this?

Regards,
Vigneshdhanraj G

From belle at bazuin.nl Tue Dec 1 08:24:21 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 1 Dec 2015 09:24:21 +0100
Subject: [Samba] NFSV4 Client setup problem
In-Reply-To:
References:
Message-ID:

A few things:

- check your resolv.conf, make sure your Samba AD is the first nameserver
- check if your resolv.conf search has: search india.local
- is the time in sync with the DC?
- on Debian, a login as "Administrator" (if mapped to root) won't work. ( or remove the mini
- in general, don't give Administrator a UID/GID
- in general, don't use Administrator for ssh logins, but that's a choice; better is, create a new user and give that one admin rights.

And have a look into this script, it works well on wheezy.
https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh

Last: with the above you can log in without a password, but no TGT ticket is generated. To fix that, add "kinit -f -p" in the bashrc.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of VigneshDhanraj G
> Sent: Tuesday 1 December 2015 8:18
> To: samba-technical at lists.samba.org; samba at lists.samba.org
> Subject: [Samba] NFSV4 Client setup problem
>
> Hi,
>
> I tried to bring up an nfsv4 client setup, but when I am joining the AD server from
> my Linux machine I always get the error below:
>
> "kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in
> Kerberos database
> Failed to join domain: failed to connect to AD: Server not found in
> Kerberos database"
>
> The wbinfo -u command gives the user list.
> net ads info gives the details of the AD.
>
> When I try to log in as the AD administrator user I am not able to log in
> using ssh.
>
> I am using Debian wheezy as client and Windows 2003 Server as AD.
>
> My samba conf:
>
> [global]
> security = ADS
> realm = INDIA.LOCAL
> # If the system doesn't find the domain controller automatically, you may
> need the following line
> password server = INDIA.LOCAL
> # note that workgroup is the 'short' domain name
> workgroup = INDIA
> # winbind separator = +
> winbind refresh tickets = yes
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%D/%U
> template shell = /bin/bash
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> winbind use default domain = yes
> restrict anonymous = 2
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> name resolve order = lmhosts host
>
>
> Could anyone help regarding this?
>
> Regards,
> Vigneshdhanraj G
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

From kseeger at samba.org Tue Dec 1 09:49:46 2015
From: kseeger at samba.org (Karolin Seeger)
Date: Tue, 1 Dec 2015 10:49:46 +0100
Subject: [Samba] [Announce] Samba 4.3.2 Available for Download
Message-ID: <20151201094944.GA5607@carrie>

=======================================================
"The most important thing about Spaceship Earth -
an instruction book didn't come with it."

R. Buckminster Fuller
======================================================

Release Announcements
---------------------

This is the latest stable release of Samba 4.3.

Changes since 4.3.1:
--------------------

o   Michael Adam
    * BUG 11577: ctdb: Open the RO tracking db with perms 0600 instead of 0000.

o   Jeremy Allison
    * BUG 11452: s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero.
    * BUG 11565: auth: gensec: Fix a memory leak.
    * BUG 11566: lib: util: Make non-critical message a warning.
    * BUG 11589: s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them.
    * BUG 11615: s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle.

o   Ralph Boehme
    * BUG 11562: s4:lib/messaging: Use correct path for names.tdb.
    * BUG 11564: async_req: Fix non-blocking connect().

o   Volker Lendecke
    * BUG 11243: vfs_gpfs: Re-enable share modes.
    * BUG 11570: smbd: Send SMB2 oplock breaks unencrypted.
    * BUG 11612: winbind: Fix crash on invalid idmap configs.

o   YvanM
    * BUG 11584: manpage: Correct small typo error.

o   Stefan Metzmacher
    * BUG 11327: dcerpc.idl: Accept invalid dcerpc_bind_nak pdus.
    * BUG 11581: s3:smb2_server: Make the logic of SMB2_CANCEL DLIST_REMOVE() clearer.

o   Marc Muehlfeld
    * BUG 9912: Changing log level of two entries to DBG_NOTICE.
    * BUG 11581: s3-smbd: Fix use after issue in smbd_smb2_request_dispatch().

o   Noel Power
    * BUG 11569: Fix winbindd crashes with samlogon for trusted domain user.
    * BUG 11597: Backport some valgrind fixes from upstream master.

o   Andreas Schneider
    * BUG 11511: Add libreplace dependency to texpect, fixes a linking error on Solaris.
    * BUG 11512: s4: Fix linking of 'smbtorture' on Solaris.

o   Uri Simchoni
    * BUG 11608: auth: Consistent handling of well-known alias as primary gid.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback.
If you don't provide vital information to help us track down the problem
then you will probably be ignored.

All bug reports should be filed under the "Samba 4.1 and newer" product
in the project's Bugzilla database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


Older release notes to follow:
------------------------------

=============================
Release Notes for Samba 4.3.1
October 20, 2015
=============================

This is the latest stable release of Samba 4.3.

Changes since 4.3.0:
--------------------

o   Jeremy Allison
    * BUG 10252: s3: smbd: Fix our access-based enumeration on "hide unreadable" to match Windows.
    * BUG 10634: smbd: Fix file name buflen and padding in notify response.
    * BUG 11486: s3: smbd: Fix mkdir race condition.
    * BUG 11522: s3: smbd: Fix opening/creating :stream files on the root share directory.
    * BUG 11535: s3: smbd: Fix NULL pointer bug introduced by previous 'raw' stream fix (bug #11522).
    * BUG 11555: s3: lsa: lookup_name() logic for unqualified (no DOMAIN\ component) names is incorrect.

o   Ralph Boehme
    * BUG 11535: s3: smbd: Fix a crash in unix_convert().
    * BUG 11543: vfs_fruit: Return value of ad_pack in vfs_fruit.c.
    * BUG 11549: s3:locking: Initialize lease pointer in share_mode_traverse_fn().
    * BUG 11550: s3:smbstatus: Add stream name to share_entry_forall().
    * BUG 11555: s3:lib: Validate domain name in lookup_wellknown_name().

o   Günther Deschner
    * BUG 11038: kerberos: Make sure we only use prompter type when available.

o   Volker Lendecke
    * BUG 11038: winbind: Fix 100% loop.
    * BUG 11053: source3/lib/msghdr.c: Fix compiling error on Solaris.

o   Stefan Metzmacher
    * BUG 11316: s3:ctdbd_conn: make sure we destroy tevent_fd before closing the socket.
    * BUG 11515: s4:lib/messaging: Use 'msg.lock' and 'msg.sock' for messaging related subdirs.
    * BUG 11526: lib/param: Fix hiding of FLAG_SYNONYM values.

o   Björn Jacke
    * BUG 10365: nss_winbind: Fix hang on Solaris on big groups.
    * BUG 11355: build: Use as-needed linker flag also on OpenBSD.

o   Har Gagan Sahai
    * BUG 11509: s3: dfs: Fix a crash when the dfs targets are disabled.
o   Andreas Schneider
    * BUG 11502: pam_winbind: Fix a segfault if initialization fails.

o   Uri Simchoni
    * BUG 11528: net: Fix a crash with 'net ads keytab create'.
    * BUG 11547: vfs_commit: set the fd on open before calling SMB_VFS_FSTAT.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback.
If you don't provide vital information to help us track down the problem
then you will probably be ignored.

All bug reports should be filed under the "Samba 4.1 and newer" product
in the project's Bugzilla database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

----------------------------------------------------------------------

=============================
Release Notes for Samba 4.3.0
September 8, 2015
=============================

This is the first stable release of Samba 4.3.

UPGRADING
=========

Read the "New FileChangeNotify subsystem" and "smb.conf changes" sections (below).

NEW FEATURES
============

Logging
-------

The logging code now supports logging to multiple backends. In addition to the previously available syslog and file backends, the backends for logging to the systemd-journal, lttng and gpfs have been added.

Please consult the section for the 'logging' parameter in the smb.conf manpage for details.

Spotlight
---------

Support for Apple's Spotlight has been added by integrating with Gnome Tracker. For detailed instructions on how to build and set up Samba for Spotlight, please see the Samba wiki:

New FileChangeNotify subsystem
------------------------------

Samba now contains a new subsystem to do FileChangeNotify.
The previous system used a central database, notify_index.tdb, to store all notification requests. In particular in a cluster this turned out to be a major bottleneck, because some hot records need to be bounced back and forth between nodes on every change event like a newly created file.

The new FileChangeNotify subsystem works with a central daemon per node. Every FileChangeNotify request and every event are handled by an asynchronous message from smbd to the notify daemon. The notify daemon maintains a database of all FileChangeNotify requests in memory and will distribute the notify events accordingly. This database is asynchronously distributed in the cluster by the notify daemons.

The notify daemon is supposed to scale a lot better than the previous implementation. The functional advantage is cross-node kernel change notify: Files created via NFS will be seen by SMB clients on other nodes per FileChangeNotify, despite the fact that popular cluster file systems do not offer cross-node inotify.

Two changes to the configuration were required for this new subsystem: The parameters "change notify" and "kernel change notify" are not per-share anymore but must be set globally. So it is no longer possible to enable or disable notify per share; the notify daemon has no notion of a share, it only works on absolute paths.

New SMB profiling code
----------------------

The code for SMB (SMB1, SMB2 and SMB3) profiling uses a tdb instead of sysv IPC shared memory. This avoids performance problems and NUMA effects. The profile stats are a bit more detailed than before.

Improved DCERPC man in the middle detection for kerberos
--------------------------------------------------------

The gssapi based kerberos backends for gensec have support for DCERPC header signing when using DCERPC_AUTH_LEVEL_PRIVACY.
SMB signing required in winbindd by default
-------------------------------------------

The effective value for "client signing" is required by default for winbindd, if the primary domain uses active directory.

Experimental NTDB was removed
-----------------------------

The experimental NTDB library introduced in Samba 4.0 has been removed again.

Improved support for trusted domains (as AD DC)
-----------------------------------------------

The support for trusted domains/forests has improved a lot.

samba-tool got "domain trust" subcommands to manage trusts:

  create     - Create a domain or forest trust.
  delete     - Delete a domain trust.
  list       - List domain trusts.
  namespaces - Manage forest trust namespaces.
  show       - Show trusted domain details.
  validate   - Validate a domain trust.

External trusts between individual domains work in both ways (inbound and outbound). The same applies to root domains of a forest trust. The transitive routing into the other forest is fully functional for kerberos, but not yet supported for NTLMSSP.

While a lot of things are working fine, there are currently a few limitations:

- Both sides of the trust need to fully trust each other!
- No SID filtering rules are applied at all!
- This means DCs of domain A can grant domain admin rights in domain B.
- It's not possible to add users/groups of a trusted domain into domain groups.

SMB 3.1.1 supported
-------------------

Both client and server have support for SMB 3.1.1 now. This is the dialect introduced with Windows 10; it improves the secure negotiation of SMB dialects and features.

There's also a new optional encryption algorithm aes-gcm-128, but for now this is only selected as fallback and aes-ccm-128 is preferred because of the better performance. This might change in future versions when hardware encryption will be supported. See https://bugzilla.samba.org/show_bug.cgi?id=11451.
New smbclient subcommands
-------------------------

- Query a directory for change notifications: notify
- Server side copy: scopy

New rpcclient subcommands
-------------------------

  netshareenumall     - Enumerate all shares
  netsharegetinfo     - Get Share Info
  netsharesetinfo     - Set Share Info
  netsharesetdfsflags - Set DFS flags
  netfileenum         - Enumerate open files
  netnamevalidate     - Validate sharename
  netfilegetsec       - Get File security
  netsessdel          - Delete Session
  netsessenum         - Enumerate Sessions
  netdiskenum         - Enumerate Disks
  netconnenum         - Enumerate Connections
  netshareadd         - Add share
  netsharedel         - Delete share

New modules
-----------

  idmap_script      - see 'man 8 idmap_script'
  vfs_unityed_media - see 'man 8 vfs_unityed_media'
  vfs_shell_snap    - see 'man 8 vfs_shell_snap'

New sparsely connected replica graph (Improved KCC)
---------------------------------------------------

The Knowledge Consistency Checker (KCC) maintains a replication graph for DCs across an AD network. The existing Samba KCC uses a fully connected graph, so that each DC replicates from all the others, which does not scale well with large networks. In 4.3 there is an experimental new KCC that creates a sparsely connected replication graph and closely follows Microsoft's specification. It is turned off by default.

To use the new KCC, set "kccsrv:samba_kcc=true" in smb.conf and let us know how it goes. You should consider doing this if you are making a large new network. For small networks there is little benefit and you can always switch over at a later date.

Configurable TLS protocol support, with better defaults
-------------------------------------------------------

The "tls priority" option can be used to change the supported TLS protocols. The default is to disable SSLv3, which is no longer considered secure.
Samba-tool now supports all 7 FSMO roles
----------------------------------------

Previously "samba-tool fsmo" could only show, transfer or seize the five well-known FSMO roles:

  Schema Master
  Domain Naming Master
  RID Master
  PDC Emulator
  Infrastructure Master

It can now also show, transfer or seize the DNS infrastructure roles:

  DomainDnsZones Infrastructure Master
  ForestDnsZones Infrastructure Master

CTDB logging changes
--------------------

The destination for CTDB logging is now set via a single new configuration variable CTDB_LOGGING. This replaces CTDB_LOGFILE and CTDB_SYSLOG, which have both been removed. See ctdbd.conf(5) for details of CTDB_LOGGING.

CTDB no longer runs a separate logging daemon.

CTDB NFS support changes
------------------------

CTDB's NFS service management has been combined into a single 60.nfs event script. This updated 60.nfs script now uses a call-out to interact with different NFS implementations. See the CTDB_NFS_CALLOUT option in the ctdbd.conf(5) manual page for details. A default call-out is provided to interact with the Linux kernel NFS implementation. The 60.ganesha event script has been removed - a sample call-out is provided for NFS Ganesha, based on this script.

The method of configuring NFS RPC checks has been improved. See ctdb/config/nfs-checks.d/README for details.

Improved Cross-Compiling Support
--------------------------------

A new "hybrid" build configuration mode is added to improve cross-compilation support.

A common challenge in cross-compilation is that of obtaining the results of tests that have to run on the target, during the configuration phase of the build.
The Samba build system already supports the following means to do so:

- Executing configure tests using the --cross-execute parameter
- Obtaining the results from an answers file using the --cross-answers parameter

The first method has the drawback of inaccurate results if the tests are run using an emulator, or a need to be connected to a running target while building, if the tests are to be run on an actual target.

The second method presents a challenge of figuring out the test results.

The new hybrid mode runs the tests and records the result in an answer file. To activate this mode, use both --cross-execute and --cross-answers in the same configure invocation.

This mode can be activated once against a running target, and then the generated answers file can be used in subsequent builds.

Also supplied is an example script that can be used as the cross-execute program. This script copies the test to a running target and runs the test on the target, obtaining the result. The obtained results are more accurate than running the test with an emulator, because they reflect the exact kernel and system libraries that exist on the target.

Improved Sparse File Support
----------------------------

Support for the FSCTL_SET_ZERO_DATA and FSCTL_QUERY_ALLOCATED_RANGES SMB2 requests has been added to the smbd file server. This allows clients to deallocate (hole punch) regions within a sparse file, and check which portions of a file are allocated.
######################################################################
Changes
#######

smb.conf changes
----------------

  Parameter Name              Description             Default
  --------------              -----------             -------
  logging                     New                     (empty)
  msdfs shuffle referrals     New                     no
  smbd profiling level        New                     off
  spotlight                   New                     no
  tls priority                New                     NORMAL:-VERS-SSL3.0
  use ntdb                    Removed
  change notify               Changed to [global]
  kernel change notify        Changed to [global]
  client max protocol         Changed default         SMB3_11
  server max protocol         Changed default         SMB3_11

Removed modules
---------------

  vfs_notify_fam - see section 'New FileChangeNotify subsystem'.

KNOWN ISSUES
============

Currently none.

CHANGES SINCE 4.2.0rc4
======================

o   Andrew Bartlett
    * Bug 10973: No objectClass found in replPropertyMetaData on ordinary objects (non-deleted)
    * Bug 11429: Python bindings don't check integer types
    * Bug 11430: Python bindings don't check array sizes

o   Ralph Boehme
    * Bug 11467: Handling of 0 byte resource fork stream

o   Volker Lendecke
    * Bug 11488: AD samr GetGroupsForUser fails for users with "()" in their name

o   Stefan Metzmacher
    * Bug 11429: Python bindings don't check integer types

o   Matthieu Patou
    * Bug 10973: No objectClass found in replPropertyMetaData on ordinary objects (non-deleted)

CHANGES SINCE 4.2.0rc3
======================

o   Ralph Boehme
    * Bug 11444: Crash in notify_remove caused by change notify = no

o   Günther Deschner
    * Bug 11411: smbtorture does not build when configured --with-system-mitkrb5

o   Volker Lendecke
    * Bug 11455: fix recursion problem in rep_strtoll in lib/replace/replace.c
    * Bug 11464: xid2sid gives inconsistent results
    * Bug 11465: ctdb: Fix the build on FreeBSD 10.1

o   Roel van Meer
    * Bug 11427: nmbd incorrectly matches netbios names as own name

o   Stefan Metzmacher
    * Bug 11451: Poor SMB3 encryption performance with AES-GCM
    * Bug 11458: --bundled-libraries=!ldb,!pyldb,!pyldb-util doesn't disable ldb build and install

o   Andreas Schneider
    * Bug 9862: Samba "map to guest = Bad uid" doesn't work
CHANGES SINCE 4.3.0rc2
======================

o   Andrew Bartlett
    * Bug 11436: samba-tool uncaught exception error
    * Bug 10493: revert LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN changes

o   Ralph Boehme
    * Bug 11278: Stream names with colon don't work with fruit:encoding = native
    * Bug 11426: net share allowedusers crashes

o   Amitay Isaacs
    * Bug 11432: Fix crash in nested ctdb banning
    * Bug 11434: Cannot build ctdbpmda
    * Bug 11431: CTDB's eventscript error handling is broken

o   Stefan Metzmacher
    * Bug 11451: Poor SMB3 encryption performance with AES-GCM (part1)
    * Bug 11316: tevent_fd needs to be destroyed before closing the fd

o   Arvid Requate
    * Bug 11291: NetApp joined to a Samba/ADDC cannot resolve SIDs

o   Martin Schwenke
    * Bug 11432: Fix crash in nested ctdb banning

CHANGES SINCE 4.3.0rc1
======================

o   Jeremy Allison
    * BUG 11359: strsep is not available on Solaris

o   Björn Baumbach
    * BUG 11421: Build with GPFS support is broken

o   Justin Maggard
    * BUG 11320: "force group" with local group not working

o   Martin Schwenke
    * BUG 11424: Build broken with --disable-python


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback.
If you don't provide vital information to help us track down the problem
then you will probably be ignored.

All bug reports should be filed under the "Samba 4.1 and newer" product
in the project's Bugzilla database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


================
Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.3.2.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team

From rowlandpenny241155 at gmail.com Tue Dec 1 10:00:39 2015
From: rowlandpenny241155 at gmail.com (Rowland Penny)
Date: Tue, 01 Dec 2015 10:00:39 +0000
Subject: [Samba] NFSV4 Client setup problem
In-Reply-To:
References:
Message-ID: <565D6FC7.5060109@gmail.com>

On 01/12/15 08:24, L.P.H. van Belle wrote:
> A few things:
>
> - check your resolv.conf, make sure your Samba AD is the first nameserver
> - check if your resolv.conf search has: search india.local
> - is the time in sync with the DC?
> - on Debian, a login as "Administrator" (if mapped to root) won't work. ( or remove the mini
> - in general, don't give Administrator a UID/GID
> - in general, don't use Administrator for ssh logins, but that's a choice; better is, create a new user and give that one admin rights.
>
> And have a look into this script, it works well on wheezy.
> https://secure.bazuin.nl/scripts/these_are_experimental_scripts/setup-nfsv4-kerberos.sh
>
> Last: with the above you can log in without a password, but no TGT ticket is generated.
> To fix that, add "kinit -f -p" in the bashrc.
>
> Greetz,
>
> Louis
>
>
>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of VigneshDhanraj G
>> Sent: Tuesday 1 December 2015 8:18
>> To: samba-technical at lists.samba.org; samba at lists.samba.org
>> Subject: [Samba] NFSV4 Client setup problem
>>
>> Hi,
>>
>> I tried to bring up an nfsv4 client setup, but when I am joining the AD server from
>> my Linux machine I always get the error below:
>>
>> "kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in
>> Kerberos database
>> Failed to join domain: failed to connect to AD: Server not found in
>> Kerberos database"
>>
>> The wbinfo -u command gives the user list.
>> net ads info gives the details of the AD.
>>
>> When I try to log in as the AD administrator user I am not able to log in
>> using ssh.
>>
>> I am using Debian wheezy as client and Windows 2003 Server as AD.
>>
>> My samba conf:
>> [global]
>> security = ADS
>> realm = INDIA.LOCAL
>> # If the system doesn't find the domain controller automatically, you may
>> need the following line
>> password server = INDIA.LOCAL
>> # note that workgroup is the 'short' domain name
>> workgroup = INDIA
>> # winbind separator = +
>> winbind refresh tickets = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> template homedir = /home/%D/%U
>> template shell = /bin/bash
>> client use spnego = yes
>> client ntlmv2 auth = yes
>> encrypt passwords = yes
>> winbind use default domain = yes
>> restrict anonymous = 2
>> kerberos method = secrets and keytab
>> dedicated keytab file = /etc/krb5.keytab
>> name resolve order = lmhosts host
>>
>>
>> Could anyone help regarding this?
>>
>> Regards,
>> Vigneshdhanraj G
>
>

Is Avahi running?
If so, this may be part of your problems and you have a couple of options: stop using .local (this is the best option) or turn off Avahi.

I would also suggest you go here:
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Follow this and set up your smb.conf correctly; you don't appear to have anywhere to store your users & groups.

Rowland

From rowlandpenny241155 at gmail.com Tue Dec 1 10:31:57 2015
From: rowlandpenny241155 at gmail.com (Rowland Penny)
Date: Tue, 01 Dec 2015 10:31:57 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com>
Message-ID: <565D771D.4010801@gmail.com>

On 30/11/15 22:38, Jonathan S. Fisher wrote:
> Thank you Rowland for the help so far. I followed the directions on
> that page very precisely. I was able to join the domain, but the RPC
> stuff still doesn't work and I'm still having the same problem. The
> actual root problem is that up to this point, winbind works for about
> a day or so then I start getting NT_STATUS_ACCESS_DENIED.
>
> Anyway, after the join, winbind works right now:
>
> sudo wbinfo -a administrator
> Enter administrator's password:
> plaintext password authentication succeeded
>
> Checking RPC:
>
> sudo net rpc info -Uadministrator
> Unable to find a suitable server for domain WINDOWS
>
> Here is my new config:
>
> /etc/hosts
> 127.0.0.1 localhost
>
> /etc/krb5.conf
> [libdefaults]
> default_realm = WINDOWS.CORP.XXX.COM
>
> /etc/samba/smb.conf
> [global]
> netbios name=freeradius
> security=ADS
> workgroup=WINDOWS
> realm=WINDOWS.CORP.XXX.COM
>
> log file=/var/log/samba/%m.log
> log level=1
>
> dedicated keytab file=/etc/krb5.keytab
> kerberos method=secrets and keytab
> winbind refresh tickets=yes
>
> winbind trusted domains only=no
> winbind use default domain=yes
> winbind enum users=yes
> winbind enum groups=yes
>
> load printers=no
> template shell=/bin/false
>
> idmap config WINDOWS:backend=rid
> idmap config WINDOWS:range=10000-99999
>
>

You still need a bit more in your smb.conf:

idmap config *:backend = tdb
idmap config *:range = 2000-9999

You need these lines to get the builtin users & groups mapped.

I think your problem is DNS related; you should be able to ping a DC via IP address & hostname:

ping -c1 192.168.127.131
ping -c1 whiskey.windows.corp.XXX.com
ping -c1 whiskey
ping -c1 192.168.112.4
ping -c1 wine.windows.corp.XXX.com
ping -c1 wine

The above commands should all return a reply.

Does your dhcp server deliver the required info?

Does 'hostname -d' return the fully qualified domain name of the client?

Is there a firewall running on the client? If so, try turning it off.
If you follow the Samba wiki, I can assure you that it does work:

rowland at debnet:~/Downloads$ sudo net rpc info -Uadministrator
[sudo] password for rowland:
Enter administrator's password:
Domain Name: SAMDOM
Domain SID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
Sequence number: 1
Num users: XXXXX
Num domain groups: XXXX
Num local groups: XXXX

If you are having any problems understanding or following the wiki, please tell us, otherwise we will just assume everybody understands it :-)

Rowland

From lists at merit.unu.edu Tue Dec 1 11:16:11 2015
From: lists at merit.unu.edu (samba list)
Date: Tue, 1 Dec 2015 12:16:11 +0100
Subject: [Samba] dbcheck reporting errors
Message-ID: <565D817B.90703@merit.unu.edu>

Hi all,

Our domain is running perfectly, but for the fun of it, I tried a samba-tool dbcheck, and (unexpectedly, actually!) it returned many errors, on many users, like this:

> ERROR: wrongly formatted userParameters on CN=username1,CN=Users,DC=samba,DC=company,DC=com, should not be psudo-UTF8 encoded
> Not changing userParameters from UTF8 encoding on CN=username1,CN=Users,DC=samba,DC=company,DC=com

(yes: it says "psudo-UTF8")

This is Version 4.2.5-SerNet-Debian-8.wheezy (upgraded from 4.1.17) in an AD config. We mostly use ADUC to manage users.

Are we having problems, without feeling it (yet)..?

MJ

From rowlandpenny241155 at gmail.com Tue Dec 1 11:50:40 2015
From: rowlandpenny241155 at gmail.com (Rowland Penny)
Date: Tue, 01 Dec 2015 11:50:40 +0000
Subject: [Samba] dbcheck reporting errors
In-Reply-To: <565D817B.90703@merit.unu.edu>
References: <565D817B.90703@merit.unu.edu>
Message-ID: <565D8990.3070600@gmail.com>

On 01/12/15 11:16, samba list wrote:
> Hi all,
>
> Our domain is running perfectly, but for the fun of it, I tried a
> samba-tool dbcheck, and (unexpectedly, actually!)
> it returned many
> errors, on many users, like this:
>
>> ERROR: wrongly formatted userParameters on
>> CN=username1,CN=Users,DC=samba,DC=company,DC=com, should not be
>> psudo-UTF8 encoded
>> Not changing userParameters from UTF8 encoding on
>> CN=username1,CN=Users,DC=samba,DC=company,DC=com
> (yes: it says "psudo-UTF8")
>
> This is Version 4.2.5-SerNet-Debian-8.wheezy (upgraded from 4.1.17) in
> an AD config. We mostly use ADUC to manage users.
>
> Are we having problems, without feeling it (yet)..?
>
> MJ
>

Not sure; what you have proved is that Andrew Bartlett cannot spell 'pseudo' :-D

Have a look at this thread here:

http://samba.2283325.n4.nabble.com/PATCHES-Fix-userParameters-once-and-for-all-td4667772.html

Rowland

From lists at merit.unu.edu Tue Dec 1 12:53:30 2015
From: lists at merit.unu.edu (samba list)
Date: Tue, 1 Dec 2015 13:53:30 +0100
Subject: [Samba] dbcheck reporting errors
In-Reply-To: <565D8990.3070600@gmail.com>
References: <565D817B.90703@merit.unu.edu> <565D8990.3070600@gmail.com>
Message-ID: <565D984A.5090808@merit.unu.edu>

On 1-12-2015 12:50, Rowland Penny wrote:
> Not sure; what you have proved is that Andrew Bartlett cannot spell
> 'pseudo' :-D

:-)

>
> Have a look at this thread here:
>
> http://samba.2283325.n4.nabble.com/PATCHES-Fix-userParameters-once-and-for-all-td4667772.html

Yes, I had read that thread too; however, I don't understand what it actually means. I guess the same goes for you.

I'll make a test install and try a --fix on a backup, to see what that does...

From cpservicespb at gmail.com Tue Dec 1 13:09:41 2015
From: cpservicespb at gmail.com (CpServiceSPb .)
Date: Tue, 1 Dec 2015 16:09:41 +0300
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
Message-ID:

As I know, running Nmbd in Active Directory mode is quite unofficial now (but possible).

I will not ask why it is not recommended to run Nmbd within Samba4 started in AD mode.
But if somebody can tell, you are welcome.
But when is nmb code implementation planned for the AD part? That is, when is adding nmb functionality to Samba4 acting as AD planned? To bring the possibility to use full-forced Neighborhood browsing at AD mode (with LMB/DMB roles for instance).

From rowlandpenny241155 at gmail.com Tue Dec 1 13:18:42 2015
From: rowlandpenny241155 at gmail.com (Rowland Penny)
Date: Tue, 01 Dec 2015 13:18:42 +0000
Subject: [Samba] dbcheck reporting errors
In-Reply-To: <565D984A.5090808@merit.unu.edu>
References: <565D817B.90703@merit.unu.edu> <565D8990.3070600@gmail.com> <565D984A.5090808@merit.unu.edu>
Message-ID: <565D9E32.4000405@gmail.com>

On 01/12/15 12:53, samba list wrote:
> On 1-12-2015 12:50, Rowland Penny wrote:
>> Not sure, what you have proved is that Andrew Bartlett cannot spell 'pseudo' :-D
> :-)
>
>> Have a look at this thread here:
>>
>> http://samba.2283325.n4.nabble.com/PATCHES-Fix-userParameters-once-and-for-all-td4667772.html
>>
> Yes, I had read that thread too, however, I don't understand what it actually means. I guess the same goes for you.

I think it means there is something in your users' parameters that is not in a UTF8 format, but this is not really a problem because it doesn't need to be, so it doesn't do anything. It would probably have been better not to print anything to screen or logfile.

Rowland

>
> I'll make a test install and try a --fix on a backup, to see what that does...
>

From rowlandpenny241155 at gmail.com Tue Dec 1 13:30:18 2015
From: rowlandpenny241155 at gmail.com (Rowland Penny)
Date: Tue, 01 Dec 2015 13:30:18 +0000
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
Message-ID: <565DA0EA.7030405@gmail.com>

On 01/12/15 13:09, CpServiceSPb . wrote:
> As I know, running Nmbd at Active Directory mode is quite unofficial now (but possible).

There was some talk about stopping anybody being able to do this.

>
> I will not ask why it is not recommended to run Nmbd within Samba4 started at AD mode.
> But if somebody can tell, you are welcome.

If you run 'nmbd' with 'samba', i.e. on an AD DC, you are duplicating the code in the 'nmb' component of the 'samba' daemon; this is definitely not recommended. You could turn off 'nmb', but again this is not recommended, the rest of the 'samba' daemon relies on 'nmb', not the external 'nmbd'.

Or to put it another way, if you are running 'nmbd' with an AD DC, I would suggest you stop; sooner or later, you are going to have problems.

> But when is nmb code implementation planned for the AD part?
> That is, when is adding nmb functionality to Samba4 acting as AD planned?
> To bring the possibility to use full-forced Neighborhood browsing at AD mode (with LMB/DMB roles for instance).

Well probably not any time soon (unless you are prepared to come up with patches), this appears to be one of those things that would be nice to have, but not at the top of the list. It also seems to be disappearing from Windows, so why waste valuable time doing something that will possibly no longer be needed.

Rowland

From infractory at gmail.com Tue Dec 1 13:33:34 2015
From: infractory at gmail.com (mathias dufresne)
Date: Tue, 1 Dec 2015 14:33:34 +0100
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !

Hi,

I can be wrong but I believe there is no nmbd when Samba is run in AD mode because, as AD is quite structural in many companies, it must not fail. To not fail, each company will have to deploy enough infrastructure to avoid failure. Once you have started to deploy all these machines, adding several other machines to serve files does not seem too hard.

Another point is what kind of file sharing:
- If you serve files for Windows clients you may prefer to use winbind to build system users for those file servers, so that the files' ACLs match the Windows attributes of users.
- If you serve files for UNIX or Linux machines you don't need Samba, NFS would do the job. But the users could come from AD; on these file servers users would be created using SSSD or nslcd, built using rfc2307 attributes.

On an AD DC you need only two shares: sysvol + netlogon. Both are Windows shares. Both will work perfectly once Winbind is configured on the AD DC to retrieve users from AD. I expect that without Winbind configured sometimes Samba won't be able to check users' rights, but I can be wrong.

I could add that Samba is not yet multi-threaded, so one task per process, and one task will be able to get 100% CPU on one and only one core at one moment. To be able to use more physical CPU for the same task on the same physical machine you could consider using virtual machines. With virtual machines you can have several Samba instances running inside different VMs on the same physical CPU. So you can have more than only 100% of one CPU core used for the same task on the same physical computer.

Now VM usage + split of file servers => no need of nmbd on AD DC. Nmbd will be run on file servers which serve files for Windows computers.

That's just my own point of view, built according to my own understanding of Samba. That means I can be really far from the original "why" : )

Cheers,

mathias

2015-12-01 14:09 GMT+01:00 CpServiceSPb . :
> As I know, running Nmbd at Active Directory mode is quite unofficial now (but possible).
>
> I will not ask why it is not recommended to run Nmbd within Samba4 started at AD mode.
> But if somebody can tell, you are welcome.
>
> But when is nmb code implementation planned for the AD part?
> That is, when is adding nmb functionality to Samba4 acting as AD planned?
> To bring the possibility to use full-forced Neighborhood browsing at AD mode (with LMB/DMB roles for instance).
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>

From viktor at troja.ch Tue Dec 1 14:12:55 2015
From: viktor at troja.ch (Viktor Trojanovic)
Date: Tue, 1 Dec 2015 15:12:55 +0100
Subject: [Samba] GPO templates problem
In-Reply-To: <565648DF.1060208@codesa.co.cu>
References: <565648DF.1060208@codesa.co.cu>
Message-ID: <565DAAE7.80300@troja.ch>

On 26.11.2015 00:48, Hector Suarez Planas wrote:
> Greetings.
>
> I set up a new Samba 4 AD Server and I have some errors. On the 4.1 tree these errors did not appear, nor until 4.2.3:
>
> - On the RSAT: GPO Management ---> Computer Settings ---> Policies ---> Windows Settings ---> Security Settings, the console gave this error: "Windows cannot load the temnplate", and does not show several options.
> - Another error: "The Server Is Not Operational". I have the DNS configured correctly and the network connections are right.
>
> :-(
>

Hi Hector,

If you still need help on this, you should consider posting more information, such as your smb.conf, the result of the AD DC troubleshooting operations mentioned in the Samba Wiki (https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting), and also your error logs.

Viktor

From viktor at troja.ch Tue Dec 1 14:15:11 2015
From: viktor at troja.ch (Viktor Trojanovic)
Date: Tue, 1 Dec 2015 15:15:11 +0100
Subject: [Samba] GPO templates problem
In-Reply-To: <5A4051EA-71EC-4AF1-9C42-F1650FF69314@kiuni.de>
References: <565648DF.1060208@codesa.co.cu> <5A4051EA-71EC-4AF1-9C42-F1650FF69314@kiuni.de>
Message-ID: <565DAB6F.7080103@troja.ch>

Hi Tim,

I don't think this is an adm(x) problem as he's experiencing issues also in the Policies branch of the GPO tree.

Viktor

On 26.11.2015 13:15, Tim wrote:
> This sounds like a problem I had too. In my situation an MS update compromised the administrative templates. You can get the templates from MS. Search for "download Microsoft administrative templates" and choose a link to the official website.
> These links don't work on my mobile so I can't tell a deeper link, sorry.
>
> Regards
> Tim
>
> On 26 November 2015 00:48:47 CET, Hector Suarez Planas wrote:
>> Greetings.
>>
>> I set up a new Samba 4 AD Server and I have some errors. On the 4.1 tree these errors did not appear, nor until 4.2.3:
>>
>> - On the RSAT: GPO Management ---> Computer Settings ---> Policies ---> Windows Settings ---> Security Settings, the console gave this error: "Windows cannot load the temnplate", and does not show several options.
>> - Another error: "The Server Is Not Operational". I have the DNS configured correctly and the network connections are right.
>>
>> :-(
>>
>> --
>> =====================================
>> Lic. Hector Suarez Planas
>> Administrador Nodo CODESA
>> Santiago de Cuba
>> -------------------------------------
>> Blog: http://nihilanthlnxc.cubava.cu/
>> ICQ ID: 681729738
>> Conferendo ID: hspcuba
>> =====================================

From mjirou at gmail.com Tue Dec 1 14:26:53 2015
From: mjirou at gmail.com (Marc JIROU)
Date: Tue, 1 Dec 2015 15:26:53 +0100
Subject: [Samba] Symlink with mklink

Hi,

I'm using Windows 7 as client and a Samba 4.1.21 server. I would like to create a symbolic link on a share with mklink; it fails with a reparse point error message.

Trying to find more information I found this discussion: https://lists.samba.org/archive/samba-technical/2014-September/102388.html

So it seems that I'm not the only one trying to do that without success. Reading Microsoft SMB documentation I found that this feature is optional and the server may or may not support it.

Is it something that exists in the newest version, or maybe it is in the roadmap, or will it never be supported?

Best regards,

Marc

From lists at merit.unu.edu Tue Dec 1 15:27:20 2015
From: lists at merit.unu.edu (samba list)
Date: Tue, 1 Dec 2015 16:27:20 +0100
Subject: [Samba] dbcheck reporting errors
In-Reply-To: <565D9E32.4000405@gmail.com>
References: <565D817B.90703@merit.unu.edu> <565D8990.3070600@gmail.com> <565D984A.5090808@merit.unu.edu> <565D9E32.4000405@gmail.com>
Message-ID: <565DBC58.8020907@merit.unu.edu>

On 1-12-2015 14:18, Rowland Penny wrote:
> I think it means there is something in your users' parameters that is not in a UTF8 format, but this is not really a problem because it doesn't need to be, so it doesn't do anything. It would probably have been better not to print anything to screen or logfile.

So, running a dbcheck --fix changes this:

old, and faulty according to the dbcheck:
> userParameters: bQA6ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgA
> kAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIA

replaced with, after using --fix:
> userParameters:: YgBRAEEANgBBAEMAQQBBAEkAQQBBAGcAQQBDAEEAQQBJ
> EEASQBBAEEAZwBBAEMAQQBBAEkAQQBBAGcAQQBDAEEAQQBJAEEAQQBnAEEAQ
> BBAEMAQQBBAEkAQQBCAGsAQQBBAGsAQQBJAEEAQQBnAEEAQwBBAEEASQBBAE
> AQQBBAGcAQQBDAEEAQQBJAEEAQQBnAEEAQwBBAEEASQBBAEEAZwBBAEMAQQB
> AEEAQQBJAEEAQQBnAEEAQwBBAEEASQBBAEEAZwBBAEMAQQBBAA==

and obviously it changes whenChanged / uSNChanged.

I have not yet done it on my production domain. Waiting if perhaps someone else encountered this as well, and knows if the --fix has no side effects...

MJ

From jonathan at springventuregroup.com Tue Dec 1 15:47:30 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Tue, 1 Dec 2015 09:47:30 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <565D771D.4010801@gmail.com>
References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com>

Great things to investigate... thank you.
Ok, so everything is pingable. I've checked to make sure I can send TCP and UDP traffic between the hosts with netcat.

> Does your dhcp server deliver the required info?
For DNS? Yes, it tells the client to use 192.168.127.129. I'd be in a world of hurt otherwise!

> Does 'hostname -d' return the fully qualified domain name of the client?
No, it doesn't return anything actually! Maybe this is why it keeps trying to ask for SRV records in WINDOWS instead of WINDOWS.CORP.XXX.COM

> Is there a firewall running on the client? if so, try turning it off.
Yep, it's off. Off on the servers too.

> If you follow the Samba wiki, I can assure you that it does work:
I know :) The documentation is very clear, it's some oddity about my network I'm sure.

I'll look into the hostname -d and see if I can figure out why that's not returning anything

On Tue, Dec 1, 2015 at 4:31 AM, Rowland Penny wrote:
> On 30/11/15 22:38, Jonathan S. Fisher wrote:
>
>> Thank you Rowland for the help so far. I followed the directions on that page very precisely. I was able to join the domain, but the RPC stuff still doesn't work and I'm still having the same problem. The actual root problem is that up to this point, winbind works for about a day or so then I start getting NT_STATUS_ACCESS_DENIED.
>>
>> Anyway, after the join, winbind works right now:
>>
>> sudo wbinfo -a administrator
>> Enter administrator's password:
>> plaintext password authentication succeeded
>>
>> Checking RPC:
>>
>> sudo net rpc info -Uadministrator
>> Unable to find a suitable server for domain WINDOWS
>>
>> Here is my new config:
>>
>> /etc/hosts
>> 127.0.0.1 localhost
>>
>> /etc/krb5.conf
>> [libdefaults]
>> default_realm = WINDOWS.CORP.XXX.COM
>>
>> /etc/samba/smb.conf
>> [global]
>> netbios name=freeradius
>> security=ADS
>> workgroup=WINDOWS
>> realm=WINDOWS.CORP.XXX.COM
>>
>> log file=/var/log/samba/%m.log
>> log level=1
>>
>> dedicated keytab file=/etc/krb5.keytab
>> kerberos method=secrets and keytab
>> winbind refresh tickets=yes
>>
>> winbind trusted domains only=no
>> winbind use default domain=yes
>> winbind enum users=yes
>> winbind enum groups=yes
>>
>> load printers=no
>> template shell=/bin/false
>>
>> idmap config WINDOWS:backend=rid
>> idmap config WINDOWS:range=10000-99999
>>
> You still need a bit more in your smb.conf:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> You need these lines to get the builtin users & groups mapped.
>
> I think your problem is DNS related, you should be able to ping a DC via ipaddress & hostname
>
> ping -c1 192.168.127.131
> ping -c1 whiskey.windows.corp.XXX.com
> ping -c1 whiskey
> ping -c1 192.168.112.4
> ping -c1 wine.windows.corp.XXX.com
> ping -c1 wine
>
> The above commands should all return a reply.
>
> Does your dhcp server deliver the required info?
>
> Does 'hostname -d' return the fully qualified domain name of the client?
>
> Is there a firewall running on the client? if so, try turning it off.
>
> If you follow the Samba wiki, I can assure you that it does work:
>
> rowland at debnet:~/Downloads$ sudo net rpc info -Uadministrator
> [sudo] password for rowland:
> Enter administrator's password:
> Domain Name: SAMDOM
> Domain SID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
> Sequence number: 1
> Num users: XXXXX
> Num domain groups: XXXX
> Num local groups: XXXX
>
> If you are having any problems understanding or following the wiki, please tell us, otherwise we will just assume everybody understands it :-)
>
> Rowland
>

--
Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer.

From jonathan at springventuregroup.com Tue Dec 1 16:02:37 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Tue, 1 Dec 2015 10:02:37 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com>

Well I got one step farther...
hostname -d and hostname -f now work correctly if I add this line to /etc/hosts

/etc/hosts
127.0.0.1 localhost
127.0.1.1 freeradius.windows.corp.springventuregroup.com freeradius

But same error on the rpc command. It's still asking DNS for "_ldap._tcp.pdc._msdcs.WINDOWS" not "_ldap._tcp.pdc._msdcs.WINDOWS.CORP.XXX.COM"

Can you do a tcpdump on yours and see what the desired behavior is? I used this command: "sudo tcpdump -vvv -s 0 -l -n port 53 -w dns.pcap". Start the dump, then run "sudo net rpc info -Uadministrator"

On Tue, Dec 1, 2015 at 9:47 AM, Jonathan S. Fisher <jonathan at springventuregroup.com> wrote:
> Great things to investigate... thank you.
>
> Ok, so everything is pingable. I've checked to make sure I can send TCP and UDP traffic between the hosts with netcat.
>
> > Does your dhcp server deliver the required info?
> For DNS? Yes, it tells the client to use 192.168.127.129. I'd be in a world of hurt otherwise!
>
> > Does 'hostname -d' return the fully qualified domain name of the client?
> No, it doesn't return anything actually! Maybe this is why it keeps trying to ask for SRV records in WINDOWS instead of WINDOWS.CORP.XXX.COM
>
> > Is there a firewall running on the client? if so, try turning it off.
> Yep, it's off. Off on the servers too.
>
> > If you follow the Samba wiki, I can assure you that it does work:
> I know :) The documentation is very clear, it's some oddity about my network I'm sure.
>
> I'll look into the hostname -d and see if I can figure out why that's not returning anything
>
> On Tue, Dec 1, 2015 at 4:31 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>
>> On 30/11/15 22:38, Jonathan S. Fisher wrote:
>>
>>> Thank you Rowland for the help so far. I followed the directions on that page very precisely. I was able to join the domain, but the RPC stuff still doesn't work and I'm still having the same problem. The actual root problem is that up to this point, winbind works for about a day or so then I start getting NT_STATUS_ACCESS_DENIED.
>>>
>>> Anyway, after the join, winbind works right now:
>>>
>>> sudo wbinfo -a administrator
>>> Enter administrator's password:
>>> plaintext password authentication succeeded
>>>
>>> Checking RPC:
>>>
>>> sudo net rpc info -Uadministrator
>>> Unable to find a suitable server for domain WINDOWS
>>>
>>> Here is my new config:
>>>
>>> /etc/hosts
>>> 127.0.0.1 localhost
>>>
>>> /etc/krb5.conf
>>> [libdefaults]
>>> default_realm = WINDOWS.CORP.XXX.COM
>>>
>>> /etc/samba/smb.conf
>>> [global]
>>> netbios name=freeradius
>>> security=ADS
>>> workgroup=WINDOWS
>>> realm=WINDOWS.CORP.XXX.COM
>>>
>>> log file=/var/log/samba/%m.log
>>> log level=1
>>>
>>> dedicated keytab file=/etc/krb5.keytab
>>> kerberos method=secrets and keytab
>>> winbind refresh tickets=yes
>>>
>>> winbind trusted domains only=no
>>> winbind use default domain=yes
>>> winbind enum users=yes
>>> winbind enum groups=yes
>>>
>>> load printers=no
>>> template shell=/bin/false
>>>
>>> idmap config WINDOWS:backend=rid
>>> idmap config WINDOWS:range=10000-99999
>>>
>> You still need a bit more in your smb.conf:
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> You need these lines to get the builtin users & groups mapped.
>>
>> I think your problem is DNS related, you should be able to ping a DC via ipaddress & hostname
>>
>> ping -c1 192.168.127.131
>> ping -c1 whiskey.windows.corp.XXX.com
>> ping -c1 whiskey
>> ping -c1 192.168.112.4
>> ping -c1 wine.windows.corp.XXX.com
>> ping -c1 wine
>>
>> The above commands should all return a reply.
>>
>> Does your dhcp server deliver the required info?
>>
>> Does 'hostname -d' return the fully qualified domain name of the client?
>>
>> Is there a firewall running on the client? if so, try turning it off.
>>
>> If you follow the Samba wiki, I can assure you that it does work:
>>
>> rowland at debnet:~/Downloads$ sudo net rpc info -Uadministrator
>> [sudo] password for rowland:
>> Enter administrator's password:
>> Domain Name: SAMDOM
>> Domain SID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
>> Sequence number: 1
>> Num users: XXXXX
>> Num domain groups: XXXX
>> Num local groups: XXXX
>>
>> If you are having any problems understanding or following the wiki, please tell us, otherwise we will just assume everybody understands it :-)
>>
>> Rowland
>>

From rowlandpenny241155 at gmail.com Tue Dec 1 16:10:54 2015
From: rowlandpenny241155 at gmail.com (Rowland Penny)
Date: Tue, 01 Dec 2015 16:10:54 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com>
Message-ID: <565DC68E.4050707@gmail.com>

On 01/12/15 15:47, Jonathan S. Fisher wrote:
> Great things to investigate... thank you.
>
> Ok, so everything is pingable.
I've checked to make sure I can send TCP and UDP traffic between the hosts with netcat.
>
> > Does your dhcp server deliver the required info?
> For DNS? Yes, it tells the client to use 192.168.127.129. I'd be in a world of hurt otherwise!
>
> > Does 'hostname -d' return the fully qualified domain name of the client?
> No, it doesn't return anything actually! Maybe this is why it keeps trying to ask for SRV records in WINDOWS instead of WINDOWS.CORP.XXX.COM

Then your dhcp server isn't sending all the required info, or your dhcp client isn't using all it gets :-)

My dhcp server sends:

subnet-mask
broadcast-address
time-offset
routers
domain-name
domain-name-servers
netbios-name-servers
ntp-servers

Rowland

From infractory at gmail.com Tue Dec 1 16:15:29 2015
From: infractory at gmail.com (mathias dufresne)
Date: Tue, 1 Dec 2015 17:15:29 +0100
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com>

Could you please extract there the content of the following files on the host named freeradius please:

/etc/resolv.conf
/etc/krb5.conf
/etc/samba/smb.conf

2015-12-01 17:02 GMT+01:00 Jonathan S. Fisher <jonathan at springventuregroup.com>:
> Well I got one step farther...
>
> hostname -d and hostname -f now work correctly if I add this line to /etc/hosts
>
> /etc/hosts
> 127.0.0.1 localhost
> 127.0.1.1 freeradius.windows.corp.springventuregroup.com freeradius
>
> But same error on the rpc command. It's still asking DNS for "_ldap._tcp.pdc._msdcs.WINDOWS" not "_ldap._tcp.pdc._msdcs.WINDOWS.CORP.XXX.COM"
>
> Can you do a tcpdump on yours and see what the desired behavior is? I used this command: "sudo tcpdump -vvv -s 0 -l -n port 53 -w dns.pcap". Start the dump, then run "sudo net rpc info -Uadministrator"
>
>
> On Tue, Dec 1, 2015 at 9:47 AM, Jonathan S. Fisher <jonathan at springventuregroup.com> wrote:
>
> > Great things to investigate... thank you.
> >
> > Ok, so everything is pingable. I've checked to make sure I can send TCP and UDP traffic between the hosts with netcat.
> >
> > > Does your dhcp server deliver the required info?
> > For DNS? Yes, it tells the client to use 192.168.127.129. I'd be in a world of hurt otherwise!
> >
> > > Does 'hostname -d' return the fully qualified domain name of the client?
> > No, it doesn't return anything actually! Maybe this is why it keeps trying to ask for SRV records in WINDOWS instead of WINDOWS.CORP.XXX.COM
> >
> > > Is there a firewall running on the client? if so, try turning it off.
> > Yep, it's off. Off on the servers too.
> >
> > > If you follow the Samba wiki, I can assure you that it does work:
> > I know :) The documentation is very clear, it's some oddity about my network I'm sure.
> >
> > I'll look into the hostname -d and see if I can figure out why that's not returning anything
> >
> >
> > On Tue, Dec 1, 2015 at 4:31 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> >
> >> On 30/11/15 22:38, Jonathan S. Fisher wrote:
> >>
> >>> Thank you Rowland for the help so far. I followed the directions on that page very precisely. I was able to join the domain, but the RPC stuff still doesn't work and I'm still having the same problem. The actual root problem is that up to this point, winbind works for about a day or so then I start getting NT_STATUS_ACCESS_DENIED.
> >>>
> >>> Anyway, after the join, winbind works right now:
> >>>
> >>> sudo wbinfo -a administrator
> >>> Enter administrator's password:
> >>> plaintext password authentication succeeded
> >>>
> >>> Checking RPC:
> >>>
> >>> sudo net rpc info -Uadministrator
> >>> Unable to find a suitable server for domain WINDOWS
> >>>
> >>> Here is my new config:
> >>>
> >>> /etc/hosts
> >>> 127.0.0.1 localhost
> >>>
> >>> /etc/krb5.conf
> >>> [libdefaults]
> >>> default_realm = WINDOWS.CORP.XXX.COM
> >>>
> >>> /etc/samba/smb.conf
> >>> [global]
> >>> netbios name=freeradius
> >>> security=ADS
> >>> workgroup=WINDOWS
> >>> realm=WINDOWS.CORP.XXX.COM
> >>>
> >>> log file=/var/log/samba/%m.log
> >>> log level=1
> >>>
> >>> dedicated keytab file=/etc/krb5.keytab
> >>> kerberos method=secrets and keytab
> >>> winbind refresh tickets=yes
> >>>
> >>> winbind trusted domains only=no
> >>> winbind use default domain=yes
> >>> winbind enum users=yes
> >>> winbind enum groups=yes
> >>>
> >>> load printers=no
> >>> template shell=/bin/false
> >>>
> >>> idmap config WINDOWS:backend=rid
> >>> idmap config WINDOWS:range=10000-99999
> >>>
> >> You still need a bit more in your smb.conf:
> >>
> >> idmap config *:backend = tdb
> >> idmap config *:range = 2000-9999
> >>
> >> You need these lines to get the builtin users & groups mapped.
> >>
> >> I think your problem is DNS related, you should be able to ping a DC via ipaddress & hostname
> >>
> >> ping -c1 192.168.127.131
> >> ping -c1 whiskey.windows.corp.XXX.com
> >> ping -c1 whiskey
> >> ping -c1 192.168.112.4
> >> ping -c1 wine.windows.corp.XXX.com
> >> ping -c1 wine
> >>
> >> The above commands should all return a reply.
> >>
> >> Does your dhcp server deliver the required info?
> >>
> >> Does 'hostname -d' return the fully qualified domain name of the client?
> >>
> >> Is there a firewall running on the client? if so, try turning it off.
> >>
> >> If you follow the Samba wiki, I can assure you that it does work:
> >>
> >> rowland at debnet:~/Downloads$ sudo net rpc info -Uadministrator
> >> [sudo] password for rowland:
> >> Enter administrator's password:
> >> Domain Name: SAMDOM
> >> Domain SID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
> >> Sequence number: 1
> >> Num users: XXXXX
> >> Num domain groups: XXXX
> >> Num local groups: XXXX
> >>
> >> If you are having any problems understanding or following the wiki, please tell us, otherwise we will just assume everybody understands it :-)
> >>
> >> Rowland
> >>
> >
>

From cpservicespb at gmail.com Tue Dec 1 16:19:42 2015
From: cpservicespb at gmail.com (CpServiceSPb .)
Date: Tue, 1 Dec 2015 19:19:42 +0300
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !

> If you run 'nmbd' with 'samba', i.e. on an AD DC, you are duplicating the code in the 'nmb' component of the 'samba' daemon; this is definitely not recommended.
You could turn off 'nmb', but again this is not recommended, the rest of the 'samba' deamon relies on 'nmb' not the > external 'nmbd' . > Or to put it another way, if you are running 'nmbd' with an AD DC, I would suggest you stop, sooner or later, you are going to have problems. Unfortunatelly, may be you are right. :(( When I run Nmbd with Saba at AD mode, I don' t remember exactly now, but if Nmbd started first and then Samba daemon, error was or vice versa. > Well probably not any time soon, (unless you are prepared to come up with patches), this appears to be one of those things that would be nice > to have, but not at the top of the list. It also seems to be disappearing from windows, so why waste valuable time doing something > that will possibly no longer be needed. It also seems to be disappearing from Windows - but hasn' t been disappeared and i think will not be disappeared form quite long time. More over many pc station are equipped Windows XP yet, not even Windows 7. As following, it can be necessary for a quite long time. >From mathias > Now VM usage + split of file servers => no need of nmbd on AD DC. Nmbd will be run on file servers which serve files for Windows computers. > That's just my own point of view, built according to own understanding of Samba. That means I can be really far from the original "why" : ) I know many people who has AD DC 2008R, even 2003R2 at working position. And people who is connected to its DCs or servered by it very active uses Windows analogue of nmb functionality (built-in in Windows of course) in their LANs. I will remember, that nmbd in addition makes server visible in Network Neighborhood, in some points takes part of accessing to it by NetBios name (additionally to IP) , maintains computers list for group, can acts as LMB and/or DMB that is in general makes possible Neighborhood Browsing. Quite a big function capacity in my oppinion. And it is more comfortable to get AD DC with fully working Neignborhood Browsing. 
And some of them people (mentioned above) stopped to migrate their Windows AD DCs to Samba4 one because of the reason - lack of discussion functionality. As following, I consider important working full nmb functional with AD DC at Samba4. May be I am wrong, but moving code from nmbd (s3) is necessary only to AD DC nmb code part (s4) , of course with some editions. But I may be wrong. *Rowland, *can you point me to files from AD DC sources where nmb code is presented ? May be I will be able to start "process" of working under it. :)) From rowlandpenny241155 at gmail.com Tue Dec 1 16:27:23 2015 From: rowlandpenny241155 at gmail.com (Rowland Penny) Date: Tue, 01 Dec 2015 16:27:23 +0000 Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command In-Reply-To: References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> Message-ID: <565DCA6B.1030404@gmail.com> On 01/12/15 16:02, Jonathan S. Fisher wrote: > Well I got one step farther... > > hostname -d and hostname -f now work correctly if I add this line to > /etc/hosts > > /etc/hosts > 127.0.0.1 localhost > 127.0.1.1 freeradius.windows.corp.springventuregroup.com > freeradius > > But same error on the rpc command. It's still asking DNS for > "_ldap._tcp.pdc._msdcs.WINDOWS" not > "_ldap._tcp.pdc._msdcs.WINDOWS.CORP.XXX.COM > " > > Can you do a tcpdump on yours and see what the desired behavior is? I > used this command: "sudo tcpdump-vvv -s 0 -l -n port 53 -w dns.pcap". > Start the dump, then run "sudo net rpc info -Uadministrator" > > If you are using 127.0.1.1 in etc/hosts on Ubuntu, then you are using dnsmasq. If you are using dnsmasq, then it is unlikely your dns setup will find the DC Just a thought, is there a DNS server running on the AD DC ? There should be and your client should be using this as its DNS server, AD lives and dies on DNS. 
There shouldn't be a dns server running on your domain member, it should be using the AD dns server. Rowland

From jonathan at springventuregroup.com Tue Dec 1 16:36:30 2015 From: jonathan at springventuregroup.com (Jonathan S. Fisher) Date: Tue, 1 Dec 2015 10:36:30 -0600 Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command In-Reply-To: <565DCA6B.1030404@gmail.com> References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> Message-ID:

Checked with the network guy... yes, the main DNS is indeed dnsmasq. He has a delegation though, so any query for WINDOWS.corp.XXX.com winds up going to the correct place:

domain=/windows.corp.XXX.com/192.168.127.141
domain=/windows.corp.XXX.com/192.168.112.4

The DC's (192.168.127.141, 192.168.112.4) are indeed running DNS (I can dig at them). Would it just be easier to make this host have a static IP? If so, what settings does samba need for DNS? Here's the other files as requested:

/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.127.129
search windows.corp.xxx.com

/etc/krb5.conf
[libdefaults]
default_realm = WINDOWS.CORP.XXX.COM

/etc/samba/smb.conf
[global]
netbios name=freeradius
security=ADS
workgroup=WINDOWS
realm=WINDOWS.CORP.XXX.COM
local master=no

log file=/var/log/samba/%m.log
log level=3

dedicated keytab file=/etc/krb5.keytab
kerberos method=secrets and keytab
winbind refresh tickets=yes

winbind trusted domains only=no
winbind enum users=yes
winbind enum groups=yes
winbind nested groups=yes

load printers=no
template shell=/bin/false

idmap config WINDOWS:backend=autorid
idmap config WINDOWS:range=10000-99999

On Tue, Dec 1, 2015 at 10:27 AM, Rowland Penny wrote: > On 01/12/15 16:02, Jonathan S.
Fisher wrote: > >> Well I got one step farther... >> >> hostname -d and hostname -f now work correctly if I add this line to >> /etc/hosts >> >> /etc/hosts >> 127.0.0.1 localhost >> 127.0.1.1 freeradius.windows.corp.springventuregroup.com < >> http://freeradius.windows.corp.springventuregroup.com> freeradius >> >> But same error on the rpc command. It's still asking DNS for >> "_ldap._tcp.pdc._msdcs.WINDOWS" not "_ldap._tcp.pdc._ >> msdcs.WINDOWS.CORP.XXX.COM " >> >> Can you do a tcpdump on yours and see what the desired behavior is? I >> used this command: "sudo tcpdump-vvv -s 0 -l -n port 53 -w dns.pcap". Start >> the dump, then run "sudo net rpc info -Uadministrator" >> >> >> > If you are using 127.0.1.1 in etc/hosts on Ubuntu, then you are using > dnsmasq. > If you are using dnsmasq, then it is unlikely your dns setup will find the > DC > Just a thought, is there a DNS server running on the AD DC ? > There should be and your client should be using this as its DNS server, AD > lives and dies on DNS. > There shouldn't be a dns server running on your domain member, it should > be using the AD dns server. > > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > -- Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer. 
From rowlandpenny241155 at gmail.com Tue Dec 1 16:39:19 2015 From: rowlandpenny241155 at gmail.com (Rowland Penny) Date: Tue, 01 Dec 2015 16:39:19 +0000 Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 ! In-Reply-To: References: Message-ID: <565DCD37.5000203@gmail.com> On 01/12/15 16:19, CpServiceSPb . wrote: >> If you run 'nmbd' with 'samba' i.e. on an AD DC, you are duplicating > the code in the 'nmb' component of the 'samba' deamon, this is definitely >> not recommended. You could turn off 'nmb', but again this is > not recommended, the rest of the 'samba' deamon relies on 'nmb' not the >> external 'nmbd' . >> Or to put it another way, if you are running 'nmbd' with an AD DC, I > would suggest you stop, sooner or later, you are going to have problems. > Unfortunatelly, may be you are right. :(( > When I run Nmbd with Saba at AD mode, I don' t remember exactly now, but if > Nmbd started first and then Samba daemon, error was or vice versa. > > >> Well probably not any time soon, (unless you are prepared to come up with > patches), this appears to be one of those things that would be nice >> to have, but not at the top of the list. It also seems to be disappearing > from windows, so why waste valuable time doing something >> that will possibly no longer be needed. > It also seems to be disappearing from Windows - but hasn' t been > disappeared and i think will not be disappeared form quite long time. > More over many pc station are equipped Windows XP yet, not even Windows 7. > As following, it can be necessary for a quite long time. There is nothing stopping you connecting directly to your shares, or using a domain member as a fileserver In my personal opinion, you are risking trouble by still using XP, yes I know that sometimes you have to, but I would suggest that you start making plans to replace XP, I would not put it past microsoft coming up with something to stop later versions of windows connecting to XP PCs. 
You are also risking any unknown security holes (unknown to everybody but the black hats, that is) in XP, these holes will not be fixed. > > From mathias >> Now VM usage + split of file servers => no need of nmbd on AD DC. Nmbd > will be run on file servers which serve files for Windows computers. >> That's just my own point of view, built according to own understanding of > Samba. That means I can be really far from the original "why" : ) > > I know many people who has AD DC 2008R, even 2003R2 at working position. > And people who is connected to its DCs or servered by it very active uses > Windows analogue of nmb functionality (built-in in Windows of course) in > their LANs. > I will remember, that nmbd in addition makes server visible in Network > Neighborhood, in some points takes part of accessing to it by NetBios name > (additionally to IP) , > maintains computers list for group, can acts as LMB and/or DMB that is in > general makes possible Neighborhood Browsing. > Quite a big function capacity in my oppinion. > > And it is more comfortable to get AD DC with fully working Neignborhood > Browsing. > And some of them people (mentioned above) stopped to migrate their Windows > AD DCs to Samba4 one because of the reason - lack of discussion > functionality. > As following, I consider important working full nmb functional with AD DC > at Samba4. > > > May be I am wrong, but moving code from nmbd (s3) is necessary only to AD > DC nmb code part (s4) , of course with some editions. > But I may be wrong. > > *Rowland, *can you point me to files from AD DC sources where nmb code is > presented ? > > > May be I will be able to start "process" of working under it. :)) All I can suggest is you get hold of 'samba-master' from samba git and see if you can work out how to do this. To me 'C' comes between 'B' & 'D' :-D i.e. 
I haven't a clue Rowland

From marciobacci at gmail.com Tue Dec 1 16:45:48 2015 From: marciobacci at gmail.com (Marcio Demetrio Bacci) Date: Tue, 1 Dec 2015 14:45:48 -0200 Subject: [Samba] Problems with authentication in Samba4 Message-ID:

Hi, I'm having problems authenticating users with winbind. I'm implementing a Squid3 Server and this server is working properly. But I think there is a problem with winbind (perhaps winbind separator), because when I put ^ as separator, as in Domain^Users, the error message appeared:

root at proxy:~# echo "bacci Domain^Users" | /usr/lib/squid3/wbinfo_group.pl
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name Domain^Users
failed to call wbcStringToSid: WBC_ERR_INVALID_PARAM
Could not convert sid to gid
ERR

But, when I put %20 as separator, as in Domain%20Users, the authentication is OK.

root at proxy:~# echo "bacci Domain%20Users" | /usr/lib/squid3/wbinfo_group.pl
OK

My environment is: Samba 4.2.1 on Debian 7.2 as DC; Samba 4.1.17 on Debian 7.2 and Squid 3.1 as Proxy.

Here is my smb.conf in Proxy Server (Member Server)

[global]
netbios name = DC1
workgroup = EMPRESA
security = ads
realm = EMPRESA.COM
encrypt passwords = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
preferred master = no
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user.map

Is there any way to fix this problem in the Winbind?

From jonathan at springventuregroup.com Tue Dec 1 16:45:47 2015 From: jonathan at springventuregroup.com (Jonathan S.
Fisher) Date: Tue, 1 Dec 2015 10:45:47 -0600 Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command In-Reply-To: References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> Message-ID: Rowland, any chance you could do the packet capture I described? It's really bothering me. Thank you! On Tue, Dec 1, 2015 at 10:36 AM, Jonathan S. Fisher < jonathan at springventuregroup.com> wrote: > Checked with the network guy... yes, the main DNS is indeed dnsmasq. He > has a delegation though, so any query for WINDOWS.corp.XXX.com winds up > going to to the correct place: > > domain=/windows.corp.XXX.com/192.168.127.141 > domain=/windows.corp.XXX.com/192.168.112.4 > > The DC's (192.168.127.141, 192.168.112.4) are indeed running DNS (I can > dig at them). Would it just be easier to make this host have a static IP? > If so, what settings does samba need for DNS? 
> > Here's the other files as requested: > > /etc/resolv.conf > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by > resolvconf(8) > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN > nameserver 192.168.127.129 > search windows.corp.xxx.com > > /etc/krb5.conf > [libdefaults] > default_realm = WINDOWS.CORP.XXX.COM > > /etc/samba/smb.conf > [global] > netbios name=freeradius > security=ADS > workgroup=WINDOWS > realm=WINDOWS.CORP.XXX.COM > local master=no > > log file=/var/log/samba/%m.log > log level=3 > > dedicated keytab file=/etc/krb5.keytab > kerberos method=secrets and keytab > winbind refresh tickets=yes > > winbind trusted domains only=no > winbind enum users=yes > winbind enum groups=yes > winbind nested groups=yes > > load printers=no > template shell=/bin/false > > idmap config WINDOWS:backend=autorid > idmap config WINDOWS:range=10000-99999 > > On Tue, Dec 1, 2015 at 10:27 AM, Rowland Penny < > rowlandpenny241155 at gmail.com> wrote: > >> On 01/12/15 16:02, Jonathan S. Fisher wrote: >> >>> Well I got one step farther... >>> >>> hostname -d and hostname -f now work correctly if I add this line to >>> /etc/hosts >>> >>> /etc/hosts >>> 127.0.0.1 localhost >>> 127.0.1.1 freeradius.windows.corp.springventuregroup.com < >>> http://freeradius.windows.corp.springventuregroup.com> freeradius >>> >>> But same error on the rpc command. It's still asking DNS for >>> "_ldap._tcp.pdc._msdcs.WINDOWS" not "_ldap._tcp.pdc._ >>> msdcs.WINDOWS.CORP.XXX.COM " >>> >>> Can you do a tcpdump on yours and see what the desired behavior is? I >>> used this command: "sudo tcpdump-vvv -s 0 -l -n port 53 -w dns.pcap". Start >>> the dump, then run "sudo net rpc info -Uadministrator" >>> >>> >>> >> If you are using 127.0.1.1 in etc/hosts on Ubuntu, then you are using >> dnsmasq. >> If you are using dnsmasq, then it is unlikely your dns setup will find >> the DC >> Just a thought, is there a DNS server running on the AD DC ? 
>> There should be and your client should be using this as its DNS server, >> AD lives and dies on DNS. >> There shouldn't be a dns server running on your domain member, it should >> be using the AD dns server. >> >> >> Rowland >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >

From rowlandpenny241155 at gmail.com Tue Dec 1 16:46:23 2015 From: rowlandpenny241155 at gmail.com (Rowland Penny) Date: Tue, 01 Dec 2015 16:46:23 +0000 Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command In-Reply-To: References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> Message-ID: <565DCEDF.9060809@gmail.com>

On 01/12/15 16:36, Jonathan S. Fisher wrote: > Checked with the network guy... yes, the main DNS is indeed dnsmasq. > He has a delegation though, so any query for WINDOWS.corp.XXX.com > winds up going to to the correct place: Why, in your deity's name, why????? > > domain=/windows.corp.XXX.com/192.168.127.141 > > domain=/windows.corp.XXX.com/192.168.112.4 > > > The DC's (192.168.127.141, 192.168.112.4) are indeed running DNS (I > can dig at them).
Would it just be easier to make this host have a > static IP? If so, what settings does samba need for DNS? > > Here's the other files as requested: > > /etc/resolv.conf > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by > resolvconf(8) > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN > nameserver 192.168.127.129 Replace '192.168.127.129' with '192.168.127.141' # i.e. one of your DCs Mind you, until you get 'hostname -f' to return your FQDN, it will not work correctly. Rowland > search windows.corp.xxx.com > > /etc/krb5.conf > [libdefaults] > default_realm = WINDOWS.CORP.XXX.COM > > /etc/samba/smb.conf > [global] > netbios name=freeradius > security=ADS > workgroup=WINDOWS > realm=WINDOWS.CORP.XXX.COM > local master=no > > log file=/var/log/samba/%m.log > log level=3 > > dedicated keytab file=/etc/krb5.keytab > kerberos method=secrets and keytab > winbind refresh tickets=yes > > winbind trusted domains only=no > winbind enum users=yes > winbind enum groups=yes > winbind nested groups=yes > > load printers=no > template shell=/bin/false > > idmap config WINDOWS:backend=autorid > idmap config WINDOWS:range=10000-99999 > From rowlandpenny241155 at gmail.com Tue Dec 1 17:05:08 2015 From: rowlandpenny241155 at gmail.com (Rowland Penny) Date: Tue, 01 Dec 2015 17:05:08 +0000 Subject: [Samba] Problems with authentication in Samba4 In-Reply-To: References: Message-ID: <565DD344.2000902@gmail.com> On 01/12/15 16:45, Marcio Demetrio Bacci wrote: > Hi, > > I'm having problems to authenticate users with winbind. I'm implementing > Squid3 Server and this server is working properly. 
But I think there is a > problem with winbind (perhaps winbind separator), because when I put ^ as > separator, how in Domain^Users, the error message appeared: > > > root at proxy:~# *echo "bacci Domain^Users" | /usr/lib/squid3/wbinfo_group.pl > * > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND > Could not lookup name Domain^Users > failed to call wbcStringToSid: WBC_ERR_INVALID_PARAM > Could not convert sid to gid > ERR > > But, when I put %20 as separator, how in Domain%20Users, the authentication > is OK. > > root at proxy:~# *echo "bacci Domain%20Users" | > /usr/lib/squid3/wbinfo_group.pl * > OK > > My environment is: Samba 4.2.1 on Debian 7.2 as DC > Samba 4.1.17 on Debian 7.2 and Squid 3.1 as Proxy. > > Here is my smb.conf in Proxy Server (Member Server) > > [global] > netbios name = DC1 > workgroup = EMPRESA > security = ads > realm = EMPRESA.COM > encrypt passwords = yes > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > preferred master = no > idmap config *:backend = tdb > idmap config *:range = 1000-3000 > idmap config EMPRESA:backend = ad > idmap config EMPRESA:schema_mode = rfc2307 > idmap config EMPRESA:range = 10000-9999999 > > winbind nss info = rfc2307 > winbind trusted domains only = no > winbind use default domain = yes > winbind enum users = yes > winbind enum groups = yes > winbind refresh tickets = yes > > vfs objects = acl_xattr > map acl inherit = Yes > store dos attributes = Yes > username map = /etc/samba/user.map > > Is there any way to fix this problem in the Winbind? Why do you need to use '^' ? getent group Domain^Users doesn't work either, but getent group Domain\ Users does Rowland From jonathan at springventuregroup.com Tue Dec 1 17:15:21 2015 From: jonathan at springventuregroup.com (Jonathan S. 
Fisher) Date: Tue, 1 Dec 2015 11:15:21 -0600 Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command In-Reply-To: <565DCEDF.9060809@gmail.com> References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> <565DCEDF.9060809@gmail.com> Message-ID:

So your client did no DNS lookups?? That's crazy. Could they be cached? (Can you disable nscd if you have it running and try again?)

>Why, in your deity's name, why?????

I'm starting my own caliphate. Seems to be all the rage these days. Dnsmasq isn't running locally... it's the main DNS server at 192.168.127.129. At one time I guess we were running Bind, but he switched to dnsmasq for simplicity. If there's a legit reason why Windows needs to handle 100% of the DNS and DHCP for the network... well that's a little scary of a thought. Are these things in no way interoperable?

> Mind you, until you get 'hostname -f' to return your FQDN, it will not work correctly.

Well this "works" right now with what I put into /etc/hosts. Are you saying it has to work purely from dhcp?

Jonathan S. Fisher, VP - Information Technology, Spring Venture Group (o) 913-653-8820

On Tue, Dec 1, 2015 at 10:46 AM, Rowland Penny wrote: > On 01/12/15 16:36, Jonathan S. Fisher wrote: > >> Checked with the network guy... yes, the main DNS is indeed dnsmasq. He >> has a delegation though, so any query for WINDOWS.corp.XXX.com >> winds up going to to the correct place: >> > > Why, in your deity's name, why????? > > >> domain=/windows.corp.XXX.com/192.168.127.141 >> domain=/windows.corp.XXX.com/192.168.112.4 >> >> The DC's (192.168.127.141, 192.168.112.4) are indeed running DNS (I can >> dig at them). Would it just be easier to make this host have a static IP?
>> If so, what settings does samba need for DNS? >> >> Here's the other files as requested: >> >> /etc/resolv.conf >> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by >> resolvconf(8) >> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN >> nameserver 192.168.127.129 >> > > Replace '192.168.127.129' with '192.168.127.141' # i.e. one of your DCs > > Mind you, until you get 'hostname -f' to return your FQDN, it will not > work correctly. > > Rowland > > search windows.corp.xxx.com >> >> /etc/krb5.conf >> [libdefaults] >> default_realm = WINDOWS.CORP.XXX.COM >> >> /etc/samba/smb.conf >> [global] >> netbios name=freeradius >> security=ADS >> workgroup=WINDOWS >> realm=WINDOWS.CORP.XXX.COM >> local master=no >> >> log file=/var/log/samba/%m.log >> log level=3 >> >> dedicated keytab file=/etc/krb5.keytab >> kerberos method=secrets and keytab >> winbind refresh tickets=yes >> >> winbind trusted domains only=no >> winbind enum users=yes >> winbind enum groups=yes >> winbind nested groups=yes >> >> load printers=no >> template shell=/bin/false >> >> idmap config WINDOWS:backend=autorid >> idmap config WINDOWS:range=10000-99999 >> >> > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
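The requirements Rowland keeps returning to in this thread (the member must use an AD DC as its nameserver, the search domain must be the AD DNS domain, 'hostname -f' must return the FQDN, and a 127.0.1.1 line in /etc/hosts is a symptom rather than a fix) can be checked on a member before anyone runs 'net ads join' or 'net rpc info'. The script below is an added example, not code from this list thread or from the Samba project. It is purely offline: the realm, DC addresses, resolv.conf and /etc/hosts contents are constructed from the anonymised values posted above, and the SRV record names it prints are the standard AD locator records a client queries, to be confirmed with dig against a DC.

```python
"""Pre-join sanity checks for a Unix AD domain member (added example).

Checks the name-resolution points raised in the thread and lists the
SRV lookups to run against a DC. Sample values are constructed from the
thread's anonymised domain, not taken from a live system.
"""
import ipaddress


def expected_srv_names(realm):
    """SRV records an AD client queries to locate DCs for the realm."""
    dom = realm.lower().rstrip(".")
    return [
        f"_ldap._tcp.{dom}",
        f"_kerberos._tcp.{dom}",
        f"_ldap._tcp.pdc._msdcs.{dom}",
        f"_ldap._tcp.dc._msdcs.{dom}",
    ]


def parse_resolv_conf(text):
    """Return nameservers (in order) and lower-cased search domains."""
    nameservers, search = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        key, *vals = line.split()
        if key == "nameserver" and vals:
            nameservers.append(vals[0])
        elif key in ("search", "domain"):
            search.extend(v.lower().rstrip(".") for v in vals)
    return {"nameservers": nameservers, "search": search}


def parse_hosts(text):
    """Return (address, [names]) tuples from /etc/hosts content."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        entries.append((addr, [n.lower() for n in names]))
    return entries


def check_member(realm, dc_addrs, resolv_text, hosts_text, hostname_f):
    """Return a list of findings; an empty list means the member passes."""
    dom = realm.lower().rstrip(".")
    dcs = {str(ipaddress.ip_address(a)) for a in dc_addrs}
    findings = []

    # 1. The first nameserver must be an AD DC; anything else (here the
    #    site dnsmasq box) only works if its delegation is perfect.
    rc = parse_resolv_conf(resolv_text)
    if not rc["nameservers"]:
        findings.append("resolv.conf: no nameserver configured")
    elif rc["nameservers"][0] not in dcs:
        findings.append(
            f"resolv.conf: first nameserver {rc['nameservers'][0]} is not an "
            f"AD DC; point it at one of {sorted(dcs)}")
    # 2. The search list must contain the AD DNS domain.
    if dom not in rc["search"]:
        findings.append(f"resolv.conf: search list {rc['search']} lacks {dom}")

    # 3. hostname -f must give a fully qualified name inside the AD domain.
    fqdn = hostname_f.lower().rstrip(".")
    if "." not in fqdn or not fqdn.endswith("." + dom):
        findings.append(
            f"hostname -f returned {hostname_f!r}; expected a name under {dom}")

    # 4. An FQDN pinned to a loopback address in /etc/hosts (the 127.0.1.1
    #    workaround) hides a DNS problem rather than fixing it.
    for addr, names in parse_hosts(hosts_text):
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:      # e.g. scoped IPv6 literals; not our concern
            continue
        if loopback and any(n.endswith("." + dom) for n in names):
            findings.append(
                f"/etc/hosts: {names[0]} is pinned to loopback {addr}; "
                "the FQDN should come from DNS, not a hosts entry")
    return findings


def verification_commands(realm, dc_addr):
    """dig invocations to confirm a DC answers the AD SRV lookups."""
    return [f"dig @{dc_addr} {name} SRV +short"
            for name in expected_srv_names(realm)]


# Constructed from the thread's anonymised values (not a live system).
REALM = "WINDOWS.CORP.XXX.COM"
DC_ADDRS = ["192.168.127.141", "192.168.112.4"]
BROKEN_RESOLV = "nameserver 192.168.127.129\nsearch windows.corp.xxx.com\n"
BROKEN_HOSTS = ("127.0.0.1 localhost\n"
                "127.0.1.1 freeradius.windows.corp.xxx.com freeradius\n")
FIXED_RESOLV = ("nameserver 192.168.127.141\nnameserver 192.168.112.4\n"
                "search windows.corp.xxx.com\n")
FIXED_HOSTS = "127.0.0.1 localhost\n"

if __name__ == "__main__":
    for label, resolv, hosts in (("broken", BROKEN_RESOLV, BROKEN_HOSTS),
                                 ("fixed", FIXED_RESOLV, FIXED_HOSTS)):
        found = check_member(REALM, DC_ADDRS, resolv, hosts,
                             "freeradius.windows.corp.xxx.com")
        print(f"{label}: {'OK' if not found else ''}")
        for item in found:
            print("  -", item)
    print("\n".join(verification_commands(REALM, DC_ADDRS[0])))
```

On a real member, feed it the output of 'cat /etc/resolv.conf', 'cat /etc/hosts' and 'hostname -f'; the "broken" sample reproduces the two problems in the posted configuration (nameserver pointing at the dnsmasq box, FQDN pinned to 127.0.1.1), and the "fixed" sample is what the thread's advice leads to.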
From jra at samba.org Tue Dec 1 17:19:55 2015 From: jra at samba.org (Jeremy Allison) Date: Tue, 1 Dec 2015 09:19:55 -0800 Subject: [Samba] Symlink with mklink In-Reply-To: References: Message-ID: <20151201171955.GB4148@jeremy-ThinkPad-T430s>

On Tue, Dec 01, 2015 at 03:26:53PM +0100, Marc JIROU wrote: > Hi, > > I'm using windows 7 as client and a Samba 4.1.21 server. > I would like to create a symbolic link on a share with mklink, > it fails with a reparse point error message. > > Trying to find more information I found this discussion > https://lists.samba.org/archive/samba-technical/2014-September/102388.html > > So it seems that I'm not the only one trying to do that without success. > > Reading Microsoft SMB documentation I found that this feature is optional > and the > server may or may not support it. > > Is it something that exists in the newest version, or maybe it is in the > roadmap, or will > never be supported ?

Doesn't exist yet. No one has really found a pressing need for it. It's not too difficult to support. If you have a pressing need for it you can always hire a Samba support company to implement it (or wait until one of the Team employers has a pressing need for it :-).

From jonathan at springventuregroup.com Tue Dec 1 17:27:02 2015 From: jonathan at springventuregroup.com (Jonathan S. Fisher) Date: Tue, 1 Dec 2015 11:27:02 -0600 Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command In-Reply-To: <565DD757.4080102@gmail.com> References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> <565DD1C3.3070600@gmail.com> <565DD757.4080102@gmail.com> Message-ID:

>It isn't running, one of the first things I do when setting up a new DC is to remove nscd if it is installed.

Ah ok... well this isn't a DC, just a member... is NSCD ok to run as a member? Otherwise I can remove it.
> you get a caching dnsmasq server as standard Not on ubuntu server... There is no dnsmasq package installed nor is it in ps -ef > If you have to have that 127.0.1.1 line in /etc/hosts, you have dns problems. I'll try to figure out how to get the client to have a FQDN without the line in /etc/hosts I really am starting to hate Active Directory... On Tue, Dec 1, 2015 at 11:22 AM, Rowland Penny wrote: > On 01/12/15 17:09, Jonathan S. Fisher wrote: > > So your client did no DNS lookups?? That's crazy. Could they be cached? > (Can you disable nscd if you have it running and try again?) > > > It isn't running, one of the first things I do when setting up a new DC is > to remove nscd if it is installed. > > > >Why, in your deity's name, why????? > > I'm starting my own caliphate. Seems to be all the rage these days. > > Dnsmasq isn't running locally... it's the main DNS server at > 192.168.127.129. At one time I guess we were running Bind, but he switched > to dnsmasq for simplicity. If there's a legit reason why Windows needs to > handle 100% of the DNS and DHCP for the network... well that's a little > scary of a thought. Are these things in no way interoperable? > > > On Ubuntu, you get a caching dnsmasq server as standard, this is > controlled by Network Manager, this shouldn't be running on an AD client > (note this is only from my experience, it seems to interfere with AD dns). > > DHCP doesn't need to be running on the DC, but it needs to give your > client the required info, see my previous post for what mine sends. > Your AD clients need to use your AD DCs as their DNS servers, anything > your DCs don't know about i.e. google should be forwarded to a DNS server > that does i.e. your dnsmasq machine > > Your problem isn't that net is using the workgroup name, it is that your > machine doesn't seem to know who it is and where the DCs are :-) > > > > Mind you, until you get 'hostname -f' to return your FQDN, it will not > work correctly. 
> Well this "works" right now with what I put into /etc/hosts. Are you > saying it has to work purely from dhcp? > > > > If you have to have that 127.0.1.1 line in /etc/hosts, you have dns > problems. > > Rowland > >

From rowlandpenny241155 at gmail.com Tue Dec 1 18:12:08 2015 From: rowlandpenny241155 at gmail.com (Rowland Penny) Date: Tue, 01 Dec 2015 18:12:08 +0000 Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command In-Reply-To: References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> <565DD1C3.3070600@gmail.com> <565DD757.4080102@gmail.com> Message-ID: <565DE2F8.7000009@gmail.com>

On 01/12/15 17:27, Jonathan S. Fisher wrote: >> It isn't running, one of the first things I do when setting up a new DC is > to remove nscd if it is installed. > Ah ok... well this isn't a DC, just a member... is NSCD ok to run as a > member? Otherwise I can remove it.

I would remove it, everything dns wise should come from an AD DC

> >> you get a caching dnsmasq server as standard > Not on ubuntu server... There is no dnsmasq package installed nor is it in > ps -ef

Ah, so no GUI then, ok in this case you probably won't have Network Manager installed either.
>> If you have to have that 127.0.1.1 line in /etc/hosts, you have dns > problems. > I'll try to figure out how to get the client to have a FQDN without the > line in /etc/hosts If this machine is going to be a fileserver, you would probably be better using a fixed ip, but if you going to have other Unix domain members using dhcp, you need to sort this problem. > > I really am starting to hate Active Directory... I just hate microsoft, it cuts out the middle man :-D Rowland > > On Tue, Dec 1, 2015 at 11:22 AM, Rowland Penny > wrote: >> On 01/12/15 17:09, Jonathan S. Fisher wrote: >> >> So your client did no DNS lookups?? That's crazy. Could they be cached? >> (Can you disable nscd if you have it running and try again?) >> >> >> It isn't running, one of the first things I do when setting up a new DC is >> to remove nscd if it is installed. >> >> >>> Why, in your deity's name, why????? >> I'm starting my own caliphate. Seems to be all the rage these days. >> >> Dnsmasq isn't running locally... it's the main DNS server at >> 192.168.127.129. At one time I guess we were running Bind, but he switched >> to dnsmasq for simplicity. If there's a legit reason why Windows needs to >> handle 100% of the DNS and DHCP for the network... well that's a little >> scary of a thought. Are these things in no way interoperable? >> >> >> On Ubuntu, you get a caching dnsmasq server as standard, this is >> controlled by Network Manager, this shouldn't be running on an AD client >> (note this is only from my experience, it seems to interfere with AD dns). >> >> DHCP doesn't need to be running on the DC, but it needs to give your >> client the required info, see my previous post for what mine sends. >> Your AD clients need to use your AD DCs as their DNS servers, anything >> your DCs don't know about i.e. google should be forwarded to a DNS server >> that does i.e. 
your dnsmasq machine >> >> Your problem isn't that net is using the workgroup name, it is that your >> machine doesn't seem to know who it is and where the DCs are :-) >> >> >>> Mind you, until you get 'hostname -f' to return your FQDN, it will not >> work correctly. >> Well this "works" right now with what I put into /etc/hosts. Are you >> saying it has to work purely from dhcp? >> >> >> >> If you have to have that 127.0.1.1 line in /etc/hosts, you have dns >> problems. >> >> Rowland >> >>

From post at rolandgruber.de Tue Dec 1 19:17:20 2015 From: post at rolandgruber.de (Roland Gruber) Date: Tue, 01 Dec 2015 20:17:20 +0100 Subject: [Samba] LDAP Account Manager 5.2.RC1 with extended Windows support and more password expiration jobs In-Reply-To: <1448921401.3103.12.camel@samba.org> References: <565C979E.5050601@rolandgruber.de> <1448921401.3103.12.camel@samba.org> Message-ID: <565DF240.8050200@rolandgruber.de>

Hi Andrew, On 30.11.2015 23:10, Andrew Bartlett wrote: > Would it help if we generated a config file for this as part of our > provision process? sounds great. I can provide you a template config file and a short description for the installation if you want. -- Best regards Roland
From lingpanda101 at gmail.com Tue Dec 1 20:14:30 2015 From: lingpanda101 at gmail.com (James) Date: Tue, 1 Dec 2015 15:14:30 -0500 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5658A45D.6080406@gmail.com> References: <56435CD0.4090409@tu-berlin.de> <201511121123.00490.walk2sun@arcor.de> <564C9CEB.2040104@tu-berlin.de> <564DC3F7.3090409@tu-berlin.de> <564DE9F5.6020100@tu-berlin.de> <001b01d12367$4558b4a0$d00a1de0$@tplk.loc> <564F14CB.2010208@tu-berlin.de> <564F2A11.8080106@gmail.com> <564F59E6.5010902@gmail.com> <56572F7B.9020004@tu-berlin.de> <56585967.2060006@gmail.com> <565865C0.9020500@gmail.com> <565868EC.8030104@gmail.com> <56586D7C.50101@gmail.com> <56587A34.5090100@gmail.com> <56589AFE.9070200@gmail.com> <5658A45D.6080406@gmail.com> Message-ID: <565DFFA6.1020705@gmail.com>

On 11/27/2015 1:43 PM, Rowland Penny wrote: > On 27/11/15 18:03, James wrote: >> On 11/27/2015 10:43 AM, Rowland Penny wrote: >>> On 27/11/15 15:24, mathias dufresne wrote: >>>> >>>> >>>> 2015-11-27 15:49 GMT+01:00 Rowland Penny >>>> >: >>>> >>>> On 27/11/15 14:30, James wrote: >>>> >>>> On 11/27/2015 9:16 AM, Rowland Penny wrote: >>>> >>>> On 27/11/15 13:23, James wrote: >>>> >>>> On 11/26/2015 11:12 AM, Ole Traupe wrote: >>>> >>>> >>>> Then you re-run your test with only DC2 up >>>> and running. >>>> Note DNS have need time to be updated if >>>> you are using others DNS servers between >>>> clients and AD DCs. >>>> >>>> The SOA RR identifies a primary DNS name >>>> server for the zone as the best source of >>>> information for the data within that zone and >>>> as a entity processing the updates for the >>>> zone. >>>> >>>> The NS resource record is used to notate which >>>> DNS servers are designated as authoritative >>>> for the zone.
Listing a server in the NS RR, >>>> it becomes known to others as an authoritative >>>> server for the zone. This means that any >>>> server specified in the NS RR is to be >>>> considered an authoritative source by others, >>>> and is able to answer with certainty any >>>> queries made for names included in the zone. >>>> >>>> Much of the above was taken almost verbatim >>>> from online Microsoft tech documents. I don't >>>> believe that DC's create NS records by >>>> default. >>>> >>>> >>>> You mean Samba DCs or DCs in general? >>>> >>>> I am not sure I understand the above. Do you >>>> suggest to create another NS record for the >>>> Second_DC, or not to? >>>> >>>> In the resolv.conf on my member servers both DCs >>>> are listed as DNS servers. I like to think that >>>> the member servers eventually ask the second DNS >>>> server, if the first won't respond. This seems to >>>> be reflected by ping taking more than 5 s for the >>>> first packet to arrive. >>>> >>>> BUT what does the second DNS server (Second_DC) >>>> reply? Which logon server does it announce? >>>> >>>> >>>> DNS can be very confusing. You do not need to create a >>>> NS record for your second DC if the zone is directory >>>> integrated. By default the DC is authoritative for >>>> that zone. >>>> >>>> >>>> Probably with windows it is, but not with Samba AD, you >>>> only get one NS and one SOA. The only authoritative Samba >>>> AD DC is the first one, when you join a second DC, it runs >>>> the same code that created the SOA during the first DCs >>>> provision and because the SOA already exists, it fails. >>>> >>>> Rowland >>>> >>>> >>>> Yikes! Are you saying DC's with directory integrated zones are >>>> not authoritative for them? That means a NS record needs to be >>>> created manually for each DC added. >>>> >>>> >>>> Yes, that's about the size of it. no matter how many DCs you join, >>>> you only have one NS, the original DC. 
>>>> >>>> I have been trying to alter the code, but I am struggling to get >>>> another NS record added during the join, it doesn't help that I >>>> have no idea what a windows DC SOA record looks like, does each DC >>>> have a separate SOA record? or is it like the Samba SOA record and >>>> there is only one with multiple NS records? >>>> >>>> Yes, each Windows DC has an SOA record. In fact I expect there is no SOA >>>> record really on MS AD. I expect SOA management is something like >>>> when a DC receives a request for SOA it replies "I am SOA". >>>> On MS AD all DCs have an NS record. My second mail about that thread >>>> from Sunday the 22nd of November is showing different DNS queries I >>>> did on an MS AD domain (a 2008 r2 domain with only 2 DCs, Microsoft DCs). >>>> >>>> Finally I would look into samba_dnsupdate to add creation of the NS >>>> record. I expect this tool is run when samba starts. >>>> Unfortunately I did not find the right option to add to >>>> samba_dnsupdate for it to really create DNS entries. Even with a >>>> kerberos ticket already created before running that command. I >>>> received a mail recently about another Samba user using internal >>>> DNS for his AD hosted by Samba. This person was facing the same issue >>>> as me (missing DNS entries, samba_dnsupdate not adding entries). >>>> To work around that issue he modified samba_dnsupdate and he >>>> commented out that line (line 413): >>>> os.unlink(tmpfile) >>>> >>>> Doing that, samba_dnsupdate does not remove the tmp file. This tmp file >>>> contains nsupdate commands which are launched by samba_dnsupdate. >>>> Finally he uses these nsupdate commands from the tmp files without the -g >>>> option and his DNS entries are now created. >>>> I must say I did yet try that process. >>>> >>> >>> If you follow the 'join' code, you end up at 'add_at_record' in >>> sambadns.py. This is run by the initial provision and again when any >>> DCs are joined.
I have tried adding a check to see if the SOA exists >>> and only creating it if it doesn't, otherwise just add the NS >>> records etc, I can add the A record for the subsequent DC bit not >>> its NS record. This is what the initial SOA record looks like: >>> >>> dn: >>> DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >>> objectClass: top >>> objectClass: dnsNode >>> instanceType: 4 >>> whenCreated: 20151106115624.0Z >>> uSNCreated: 3657 >>> showInAdvancedViewOnly: TRUE >>> name: @ >>> objectGUID: 7ad014c4-c1e9-4cb4-9f0d-96d0272af23d >>> objectCategory: >>> CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com >>> dc: @ >>> whenChanged: 20151122115408.0Z >>> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord >>> wDataLength : 0x004f (79) >>> wType : DNS_TYPE_SOA (6) >>> version : 0x05 (5) >>> rank : DNS_RANK_ZONE (240) >>> flags : 0x0000 (0) >>> dwSerial : 0x00000062 (98) >>> dwTtlSeconds : 0x00000e10 (3600) >>> dwReserved : 0x00000000 (0) >>> dwTimeStamp : 0x00377e73 (3636851) >>> data : union dnsRecordData(case 6) >>> soa: struct dnsp_soa >>> serial : 0x00000063 (99) >>> refresh : 0x00000384 (900) >>> retry : 0x00000258 (600) >>> expire : 0x00015180 (86400) >>> minimum : 0x00000e10 (3600) >>> mname : dc1.samdom.example.com >>> rname : hostmaster.samdom.example.com >>> >>> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord >>> wDataLength : 0x001a (26) >>> wType : DNS_TYPE_NS (2) >>> version : 0x05 (5) >>> rank : DNS_RANK_ZONE (240) >>> flags : 0x0000 (0) >>> dwSerial : 0x00000062 (98) >>> dwTtlSeconds : 0x00000384 (900) >>> dwReserved : 0x00000000 (0) >>> dwTimeStamp : 0x00000000 (0) >>> data : union dnsRecordData(case 2) >>> ns : dc1.samdom.example.com >>> >>> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord >>> wDataLength : 0x0004 (4) >>> wType : DNS_TYPE_A (1) >>> version : 0x05 (5) >>> rank : DNS_RANK_ZONE (240) >>> flags : 0x0000 (0) >>> dwSerial : 0x00000062 (98) >>> dwTtlSeconds : 0x00000384 (900) >>> dwReserved : 
0x00000000 (0) >>> dwTimeStamp : 0x00000000 (0) >>> data : union dnsRecordData(case 1) >>> ipv4 : 192.168.0.5 >>> >>> uSNChanged: 29974 >>> distinguishedName: >>> DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >>> >>> >>> I can add the NS record for the second DC with samba-tool, but not >>> by modifying the 'add_at_record' code. >>> >>> I tried doing an internet search, but cannot find anything that >>> shows the SOA objects in AD for a windows server, so I don't know if >>> windows uses separate SOA object records for each DC, or is it just >>> one SOA object record (like Samba uses) with an NS record added for >>> each DC. >>> >>> Rowland >>> >> Rowland, >> >> This is what I have been able to dig up but nothing concrete. >> >> https://www.petri.com/forums/forum/microsoft-networking-services/active-directory/18697-ad-zones-and-dns-soa-records >> >> >> and >> >> http://www.dell.com/support/article/us/en/19/SLN156678/en >> >> Both state that each DC should have it's own SOA if it's directory >> integrated. However looking here >> >> http://blogs.msmvps.com/acefekay/2013/04/30/dns-zone-types-explained-and-their-significance-in-active-directory/ >> >> >> says that the SOA should rotate > > Hi, thanks for that, but I am fairly sure I have already seen them, or > others just like them, the problem is that windows is a point & click > OS and that is all I have been able to find. I cannot find anywhere an > example of what a SOA record looks like in a windows AD database. All > I can find says that every DC should have a SOA record, now does this > mean one like Samba's, where it is just one AD object with multiple NS > records (one per DC), or should there actually be an individual SOA > record per DC, if so, then Samba's DNS server is very possibly broken. > > Does anybody have an ldif from a windows AD domain showing the SOA > records and are they willing to share it?? 
> > Rowland > > Rowland, This document https://technet.microsoft.com/en-us/library/dd197552%28v=ws.10%29.aspx states the following. "The authoritative DNS server for the zone containing the client FQDN responds to the SOA-type query. For standard primary zones, the primary server (owner) returned in the SOA query response is fixed and static. It always matches the exact DNS name as it appears in the SOA RR stored with the zone. If, however, the zone being updated is directory-integrated, any DNS server that is running on a domain controller for the Active Directory domain in the FQDN can respond and *dynamically insert its own name as the primary server (owner) of the zone in the SOA query response*." I found this link http://rakhesh.com/windows/soa-records-and-dynamic-dns-in-windows/ where this user's example seems to corroborate this. All my nslookups report only one primary name server. It appears my zone is behaving as a primary and not a directory-integrated one. -- -James

From hector.suarez at codesa.co.cu Tue Dec 1 17:09:10 2015 From: hector.suarez at codesa.co.cu (Hector Suarez Planas) Date: Tue, 1 Dec 2015 12:09:10 -0500 Subject: [Samba] GPO templates problem In-Reply-To: <565DAAE7.80300@troja.ch> References: <565648DF.1060208@codesa.co.cu> <565DAAE7.80300@troja.ch> Message-ID: <565DD436.4010703@codesa.co.cu> Greetings. On 01/12/2015 at 09:12 AM, Viktor Trojanovic wrote: > On 26.11.2015 00:48, Hector Suarez Planas wrote: >> Greetings. >> >> I set up a new Samba 4 AD Server and I have some errors. On the 4.1 tree >> and up to 4.2.3 these errors did not appear: >> >> - On the RSAT: GPO Management ---> Computer Settings ---> Policies >> ---> Windows Settings ---> Security Settings, the console gave this >> error: "Windows cannot load the template", and does not show several >> options. >> - Another error: "The Server Is Not Operational". I have the DNS >> configured correctly and the network connections are right.
>> >> :-( >> > Hi Hector, > > If you still need help on this, you should consider posting more > information, such as your smb.conf, the result of the AD DC > troubleshooting operations mentioned in the Samba Wiki > (https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting), and > also your error logs. > > Viktor

Here it is:

smb.conf:

    [global]
        workgroup = TT
        realm = tt.cu
        netbios name = PDC-MASTER-1
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb
        server services = -s3fs +dns
        allow dns updates = secure
        dns forwarder = 172.16.1.2
        dcerpc endpoint servers = +winreg +srvsvc
        interfaces = eth0 lo
        template shell = /bin/false
        log file = /var/log/samba/tt.cu.log
        syslog = 0
        log level = 3
        vfs objects = full_audit
        template homedir = /home/users/%ACCOUNTNAME%

    [netlogon]
        path = /var/lib/samba/sysvol/tt.cu/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

I added a PC with Windows 8.1 to the domain. On the attachment I show you the Administrative Tools. The Group Policy Management doesn't show the default options for the Security Settings of Computer Settings. The Samba 4 Domain was recently created. :-( -- ===================================== Lic. Hector Suarez Planas Administrador Nodo CODESA Santiago de Cuba ------------------------------------- Blog: http://nihilanthlnxc.cubava.cu/ ICQ ID: 681729738 Conferendo ID: hspcuba =====================================

From jonathan at springventuregroup.com Tue Dec 1 20:40:00 2015 From: jonathan at springventuregroup.com (Jonathan S.
Fisher) Date: Tue, 1 Dec 2015 14:40:00 -0600 Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command In-Reply-To: <565DE2F8.7000009@gmail.com> References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> <565DD1C3.3070600@gmail.com> <565DD757.4080102@gmail.com> <565DE2F8.7000009@gmail.com> Message-ID: So everything with the hostname is now resolving correctly, without the 127.0.1.1 hack anymore. We just had to make sure DHCP was handing out the correct domain, which it is now:

    $ hostname -d
    windows.corp.XXX.com
    $ hostname -f
    freeradius.windows.corp.XXX.com

I deleted all the shared secrets, removed the computer from AD and rejoined... but of course, we're still getting the exact same issue... :( It's still trying to query the wrong DNS entry. On Tue, Dec 1, 2015 at 12:12 PM, Rowland Penny wrote: > On 01/12/15 17:27, Jonathan S. Fisher wrote: > >> It isn't running, one of the first things I do when setting up a new DC is >>> >> to remove nscd if it is installed. >> Ah ok... well this isn't a DC, just a member... is NSCD ok to run as a >> member? Otherwise I can remove it. >> > > I would remove it, everything dns wise should come from an AD DC > > >> you get a caching dnsmasq server as standard >>> >> Not on ubuntu server... There is no dnsmasq package installed nor is it >> in >> ps -ef >> > > Ah, so no GUI then, ok in this case you probably won't have Network Manager > installed either. > > If you have to have that 127.0.1.1 line in /etc/hosts, you have dns >>> >> problems. >> I'll try to figure out how to get the client to have a FQDN without the >> line in /etc/hosts >> > > If this machine is going to be a fileserver, you would probably be better > using a fixed ip, but if you are going to have other Unix domain members using > dhcp, you need to sort this problem.
> > >> I really am starting to hate Active Directory... >> > > I just hate microsoft, it cuts out the middle man :-D > > Rowland > > >> On Tue, Dec 1, 2015 at 11:22 AM, Rowland Penny < >> rowlandpenny241155 at gmail.com >> >>> wrote: >>> On 01/12/15 17:09, Jonathan S. Fisher wrote: >>> >>> So your client did no DNS lookups?? That's crazy. Could they be cached? >>> (Can you disable nscd if you have it running and try again?) >>> >>> >>> It isn't running, one of the first things I do when setting up a new DC >>> is >>> to remove nscd if it is installed. >>> >>> >>> Why, in your deity's name, why????? >>>> >>> I'm starting my own caliphate. Seems to be all the rage these days. >>> >>> Dnsmasq isn't running locally... it's the main DNS server at >>> 192.168.127.129. At one time I guess we were running Bind, but he >>> switched >>> to dnsmasq for simplicity. If there's a legit reason why Windows needs to >>> handle 100% of the DNS and DHCP for the network... well that's a little >>> scary of a thought. Are these things in no way interoperable? >>> >>> >>> On Ubuntu, you get a caching dnsmasq server as standard, this is >>> controlled by Network Manager, this shouldn't be running on an AD client >>> (note this is only from my experience, it seems to interfere with AD >>> dns). >>> >>> DHCP doesn't need to be running on the DC, but it needs to give your >>> client the required info, see my previous post for what mine sends. >>> Your AD clients need to use your AD DCs as their DNS servers, anything >>> your DCs don't know about i.e. google should be forwarded to a DNS server >>> that does i.e. your dnsmasq machine >>> >>> Your problem isn't that net is using the workgroup name, it is that your >>> machine doesn't seem to know who it is and where the DCs are :-) >>> >>> >>> Mind you, until you get 'hostname -f' to return your FQDN, it will not >>>> >>> work correctly. >>> Well this "works" right now with what I put into /etc/hosts. 
Are you >>> saying it has to work purely from dhcp? >>> >>> >>> >>> If you have to have that 127.0.1.1 line in /etc/hosts, you have dns >>> problems. >>> >>> Rowland >>> >>> >>> > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > -- Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer. From rowlandpenny241155 at gmail.com Tue Dec 1 20:54:39 2015 From: rowlandpenny241155 at gmail.com (Rowland Penny) Date: Tue, 01 Dec 2015 20:54:39 +0000 Subject: [Samba] GPO templates problem In-Reply-To: <565DD436.4010703@codesa.co.cu> References: <565648DF.1060208@codesa.co.cu> <565DAAE7.80300@troja.ch> <565DD436.4010703@codesa.co.cu> Message-ID: <565E090F.80902@gmail.com> On 01/12/15 17:09, Hector Suarez Planas wrote: > Greetings. > > El 01/12/2015 a las 09:12 AM, Viktor Trojanovic escribió: >> On 26.11.2015 00:48, Hector Suarez Planas wrote: >>> Greetings. >>> >>> I set up a new Samba 4 AD Server and I have some errors. On the tree >>> 4.1 this errors not appeared and until 4.2.3: >>> >>> - On the RSAT: GPO Management ---> Computer Settings ---> Policies >>> ---> Windows Settings ---> Security Settings, the console gave this >>> error: "Windows cannot load the temnplate", and not show several >>> options. >>> - Another error: "The Server Is Not Operational". 
I have the DNS >>> configurated correctly and the network connections are right. >>> >>> :-( >>> >> Hi Hector, >> >> If you still need help on this, you should consider posting more >> information, such as your smb.conf, the result of the AD DC >> troubleshooting operations mentioned in the Samba Wiki >> (https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting), and >> also your error logs. >> >> Viktor > > Here is: > > smb.conf: > > [global] > workgroup = TT > realm = tt.cu > netbios name = PDC-MASTER-1 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, > winbind, ntp_signd, kcc, dnsupdate, smb > server services = -s3fs +dns > allow dns updates = secure > dns forwarder = 172.16.1.2 > dcerpc endpoint servers = +winreg +srvsvc > interfaces = eth0 lo > template shell = /bin/false > log file = /var/log/samba/tt.cu.log > syslog = 0 > log level = 3 > vfs objects = full_audit > template homedir = /home/users/%ACCOUNTNAME% > > > Try removing the 'server services' lines and the 'dcerpc endpoint servers' line, I cannot see any reason for having them, they also don't look right. Rowland From abartlet at samba.org Tue Dec 1 22:05:10 2015 From: abartlet at samba.org (Andrew Bartlett) Date: Wed, 02 Dec 2015 11:05:10 +1300 Subject: [Samba] LDAP Account Manager 5.2.RC1 with extended Windows support and more password expiration jobs In-Reply-To: <565DF240.8050200@rolandgruber.de> References: <565C979E.5050601@rolandgruber.de> <1448921401.3103.12.camel@samba.org> <565DF240.8050200@rolandgruber.de> Message-ID: <1449007510.19054.0.camel@samba.org> On Tue, 2015-12-01 at 20:17 +0100, Roland Gruber wrote: > Hi Andrew, > > On 30.11.2015 23:10, Andrew Bartlett wrote: > > Would it help if we generated a config file for this as part of our > > provision process?   > > sounds great. I can provide you a template config file and a short > description for the installation if you want. 
That would be great. Patches or pull requests against our github repo are even better :-) Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba

From abartlet at samba.org Tue Dec 1 22:10:43 2015 From: abartlet at samba.org (Andrew Bartlett) Date: Wed, 02 Dec 2015 11:10:43 +1300 Subject: [Samba] dbcheck reporting errors In-Reply-To: <565D817B.90703@merit.unu.edu> References: <565D817B.90703@merit.unu.edu> Message-ID: <1449007843.19054.5.camel@samba.org> On Tue, 2015-12-01 at 12:16 +0100, samba list wrote: > Hi all, > > Our domain is running perfectly, but for the fun of it, I tried a > samba-tool dbcheck, and (unexpected actually!) it returned many > errors, > on many users, like this: > > > ERROR: wrongly formatted userParameters on > > CN=username1,CN=Users,DC=samba,DC=company,DC=com, should not be > > psudo-UTF8 encoded > > Not changing userParameters from UTF8 encoding on > > CN=username1,CN=Users,DC=samba,DC=company,DC=com > (yes: it says "psudo-UTF8") > > This is Version 4.2.5-SerNet-Debian-8.wheezy (upgraded from 4.1.17) > in > an AD config. We mostly use ADUC to manage users. > > Are we having problems, without feeling it (yet)..? The issue is that different parts of Samba (classicupgrade, DRS replication, LDAP, SAMR RPC) encoded the attribute in different ways. We have settled on storing the binary value obtained over SAMR directly in the database, and having the other methods use the same format. The issue is that the 'string' is not really a string, but a binary buffer that is written over a UTF16-LE string on the windows client and then passed in that buffer.
In the past, we would attempt to convert this UTF16-LE into UTF8, and often truncate it at the first \0 when replicating. The fix should be safe, we actually have specific tests for this dbcheck rule (sadly unlike most of the others). Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba

From craig at mypenguin.net.au Wed Dec 2 02:28:27 2015 From: craig at mypenguin.net.au (craig at mypenguin.net.au) Date: Wed, 2 Dec 2015 13:28:27 +1100 Subject: [Samba] "Failed to add users for testing" - pdb_getsampwnam (TDB): error fetching database Message-ID: <20151202022827.GA26941@mypenguin.net.au> Hi, Running samba-4.1.12-24 on CentOS 7.1, I've created about 15 user accounts which are working perfectly, then for some reason today I go to create another account and it starts erroring?

Config:

    security = user
    passdb backend = tdbsam

    [root at sysvm-smb samba]# pdbedit -a testing
    new password:
    retype new password:
    Failed to add entry for user testing.

With debugging:

    ------------- Cut -------------
    Attempting to find a passdb backend to match tdbsam (tdbsam)
    No builtin backend found, trying to load plugin
    Probing module 'tdbsam'
    Probing module 'tdbsam': Trying to load from /usr/lib64/samba/pdb/tdbsam.so
    Module 'tdbsam' loaded
    Attempting to register passdb backend tdbsam
    Successfully added passdb backend 'tdbsam'
    Found pdb backend tdbsam
    pdb backend tdbsam has a valid init
    new password:
    retype new password:
    tdbsam_open: successfully opened /var/lib/samba/private/passdb.tdb
    pdb_getsampwnam (TDB): error fetching database.
    Key: USER_testing
    Finding user testing
    Trying _Get_Pwnam(), username as lowercase is testing
    Trying _Get_Pwnam(), username as uppercase is TESTING
    Checking combinations of 0 uppercase letters in testing
    Get_Pwnam_internals didn't find user [testing]!
    Could not find user testing and no add script defined
    Failed to add entry for user testing.
    ------------- Cut -------------

Regards, Craig

From belle at bazuin.nl Wed Dec 2 07:54:27 2015 From: belle at bazuin.nl (L.P.H. van Belle) Date: Wed, 2 Dec 2015 08:54:27 +0100 Subject: [Samba] Problems with authentication in Samba4 In-Reply-To: <565DD344.2000902@gmail.com> References: Message-ID: Hai, I can't remember exactly how my setup on wheezy did these, I'm now running Jessie, squid 3.5.10 with 3 authentication layers and 1 group check, and this works perfectly. ( squid recompiled with ssl enabled from sid ) For the wbinfo, ( I don't use that one but here is a test )

    echo "myusers my_internet_users" | /usr/lib/squid/ext_wbinfo_group_acl -d

shows the correct output ( OK ), same for

    echo "myusers DOMAIN\\my_internet_users" | /usr/lib/squid/ext_wbinfo_group_acl -d

so I can only think of 3 things.
1) your group is missing a GID
2) the wbinfo_group from wheezy is too old.
3) remove the space from the squid, but since you're using domain users, create a new group without spaces.

If you want a nice squid example, just ask, I'll post my setup. Oh and the above also worked well for me on wheezy with squid 3.4.8 (backports). Greetz, Louis

> -----Original Message----- > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny > Sent: Tuesday 1 December 2015 18:05 > To: samba at lists.samba.org > Subject: Re: [Samba] Problems with authentication in Samba4 > > On 01/12/15 16:45, Marcio Demetrio Bacci wrote: > > Hi, > > > > I'm having problems to authenticate users with winbind. I'm implementing > > Squid3 Server and this server is working properly.
But I think there is > a > > problem with winbind (perhaps winbind separator), because when I put ^ > as > > separator, how in Domain^Users, the error message appeared: > > > > > > root at proxy:~# *echo "bacci Domain^Users" | > /usr/lib/squid3/wbinfo_group.pl > > * > > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND > > Could not lookup name Domain^Users > > failed to call wbcStringToSid: WBC_ERR_INVALID_PARAM > > Could not convert sid to gid > > ERR > > > > But, when I put %20 as separator, how in Domain%20Users, the > authentication > > is OK. > > > > root at proxy:~# *echo "bacci Domain%20Users" | > > /usr/lib/squid3/wbinfo_group.pl * > > OK > > > > My environment is: Samba 4.2.1 on Debian 7.2 as DC > > Samba 4.1.17 on Debian 7.2 and Squid 3.1 as Proxy. > > > > Here is my smb.conf in Proxy Server (Member Server) > > > > [global] > > netbios name = DC1 > > workgroup = EMPRESA > > security = ads > > realm = EMPRESA.COM > > encrypt passwords = yes > > dedicated keytab file = /etc/krb5.keytab > > kerberos method = secrets and keytab > > preferred master = no > > idmap config *:backend = tdb > > idmap config *:range = 1000-3000 > > idmap config EMPRESA:backend = ad > > idmap config EMPRESA:schema_mode = rfc2307 > > idmap config EMPRESA:range = 10000-9999999 > > > > winbind nss info = rfc2307 > > winbind trusted domains only = no > > winbind use default domain = yes > > winbind enum users = yes > > winbind enum groups = yes > > winbind refresh tickets = yes > > > > vfs objects = acl_xattr > > map acl inherit = Yes > > store dos attributes = Yes > > username map = /etc/samba/user.map > > > > Is there any way to fix this problem in the Winbind? > > Why do you need to use '^' ? 
> getent group Domain^Users doesn't work either, but getent group Domain\ > Users does > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba From lists at merit.unu.edu Wed Dec 2 08:51:33 2015 From: lists at merit.unu.edu (mj) Date: Wed, 2 Dec 2015 09:51:33 +0100 Subject: [Samba] dbcheck reporting errors In-Reply-To: <1449007843.19054.5.camel@samba.org> References: <565D817B.90703@merit.unu.edu> <1449007843.19054.5.camel@samba.org> Message-ID: <565EB115.7020309@merit.unu.edu> Hi Andrew, On 12/01/2015 11:10 PM, Andrew Bartlett wrote: > The fix should be safe, we actually have specific tests for this > dbcheck rule (sadly unlike most of the others). Thanks for letting know. MJ From rowlandpenny241155 at gmail.com Wed Dec 2 09:20:11 2015 From: rowlandpenny241155 at gmail.com (Rowland Penny) Date: Wed, 02 Dec 2015 09:20:11 +0000 Subject: [Samba] "Failed to add users for testing" - pdb_getsampwnam (TDB): error fetching database In-Reply-To: <20151202022827.GA26941@mypenguin.net.au> References: <20151202022827.GA26941@mypenguin.net.au> Message-ID: <565EB7CB.4020804@gmail.com> On 02/12/15 02:28, craig at mypenguin.net.au wrote: > Hi, > > Running samba-4.1.12-24 on Centos 7.1, I've created about 15 user > accounts which are working perfectly, then for some reason today I go to > create another account and it starts erroring? > > Config; > security = user > passdb backend = tdbsam > > > [root at sysvm-smb samba]# pdbedit -a testing > new password: > retype new password: > Failed to add entry for user testing. 
> > > With Debugging; > ------------- Cut ------------- > Attempting to find a passdb backend to match tdbsam (tdbsam) > No builtin backend found, trying to load plugin > Probing module 'tdbsam' > Probing module 'tdbsam': Trying to load from > /usr/lib64/samba/pdb/tdbsam.so > Module 'tdbsam' loaded > Attempting to register passdb backend tdbsam > Successfully added passdb backend 'tdbsam' > Found pdb backend tdbsam > pdb backend tdbsam has a valid init > new password: > retype new password: > tdbsam_open: successfully opened /var/lib/samba/private/passdb.tdb > pdb_getsampwnam (TDB): error fetching database. > Key: USER_testing > Finding user testing > Trying _Get_Pwnam(), username as lowercase is testing > Trying _Get_Pwnam(), username as uppercase is TESTING > Checking combinations of 0 uppercase letters in testing > Get_Pwnam_internals didn't find user [testing]! > Could not find user testing and no add script defined > Failed to add entry for user testing. > I think you will find that you are trying to create a samba user and samba cannot find a Unix user with the same name. To prove this, create the user first as a Unix user with adduser or whatever centos uses, then try again with pdbedit. 
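
The check-then-create sequence Rowland describes, as an added example that is not part of his reply or of the Samba project: a small POSIX sh script that verifies the Unix account exists before calling pdbedit, creates a non-login account if it does not, and then confirms the new Samba account in the output of pdbedit -L. The account name, the /sbin/nologin path (CentOS 7) and the user:uid:fullname output format of pdbedit -L are assumptions made here, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project). With
# "passdb backend = tdbsam" every Samba account must be backed by a Unix
# account of the same name; the debug line
#   "Could not find user testing and no add script defined"
# is tdbsam reporting that lookup failing and no "add user script" to fall
# back on. Assumed path: /sbin/nologin (CentOS 7); adjust for other distros.

NOLOGIN=/sbin/nologin

# Return 0 if a Unix account named $1 exists (NSS first, /etc/passwd fallback).
unix_user_exists() {
    getent passwd "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/passwd
}

# Read "pdbedit -L" output (assumed format user:uid:fullname) on stdin and
# return 0 if account $1 is listed in the Samba passdb.
samba_user_listed() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Create the Unix account if needed, then the Samba account, then verify.
add_samba_user() {
    user=$1
    if ! unix_user_exists "$user"; then
        # No home directory, no login shell: the account exists only to give
        # Samba a uid to map to, so it cannot be used for interactive logins.
        useradd -M -s "$NOLOGIN" "$user"
    fi
    pdbedit -a -u "$user"
    if pdbedit -L | samba_user_listed "$user"; then
        echo "samba account '$user' created"
    else
        echo "samba account '$user' missing after pdbedit -a" >&2
        return 1
    fi
}

# Alternative: let Samba create the Unix account itself by adding this to
# [global] in smb.conf, after which "pdbedit -a" no longer fails on a
# missing Unix user:
#   add user script = /usr/sbin/useradd -M -s /sbin/nologin '%u'

if [ $# -gt 0 ]; then
    add_samba_user "$1"
fi
```

Run it as root with the user name as the only argument; pdbedit prompts for the password exactly as in Craig's transcript. The add user script line at the bottom is the alternative that makes Samba create the Unix account on its own, which is the "no add script defined" the debug output is pointing at; either way, keeping the Samba-only account on a nologin shell means the extra Unix account does not become an SSH login.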
Rowland From infractory at gmail.com Wed Dec 2 09:28:15 2015 From: infractory at gmail.com (mathias dufresne) Date: Wed, 2 Dec 2015 10:28:15 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <56587A34.5090100@gmail.com> References: <56435CD0.4090409@tu-berlin.de> <201511121123.00490.walk2sun@arcor.de> <564C9CEB.2040104@tu-berlin.de> <564DC3F7.3090409@tu-berlin.de> <564DE9F5.6020100@tu-berlin.de> <001b01d12367$4558b4a0$d00a1de0$@tplk.loc> <564F14CB.2010208@tu-berlin.de> <564F2A11.8080106@gmail.com> <564F59E6.5010902@gmail.com> <56572F7B.9020004@tu-berlin.de> <56585967.2060006@gmail.com> <565865C0.9020500@gmail.com> <565868EC.8030104@gmail.com> <56586D7C.50101@gmail.com> <56587A34.5090100@gmail.com> Message-ID: 2015-11-27 16:43 GMT+01:00 Rowland Penny : > On 27/11/15 15:24, mathias dufresne wrote: > >> >> >> 2015-11-27 15:49 GMT+01:00 Rowland Penny > >: >> >> >> On 27/11/15 14:30, James wrote: >> >> On 11/27/2015 9:16 AM, Rowland Penny wrote: >> >> On 27/11/15 13:23, James wrote: >> >> On 11/26/2015 11:12 AM, Ole Traupe wrote: >> >> >> Then you re-run your test with only DC2 up >> and running. >> Note DNS have need time to be updated if >> you are using others DNS servers between >> clients and AD DCs. >> >> The SOA RR identifies a primary DNS name >> server for the zone as the best source of >> information for the data within that zone and >> as a entity processing the updates for the zone. >> >> The NS resource record is used to notate which >> DNS servers are designated as authoritative >> for the zone. Listing a server in the NS RR, >> it becomes known to others as an authoritative >> server for the zone. This means that any >> server specified in the NS RR is to be >> considered an authoritative source by others, >> and is able to answer with certainty any >> queries made for names included in the zone. >> >> Much of the above was taken almost verbatim >> from online Microsoft tech documents. 
I don't >> believe that DC's create NS records by default. >> >> >> You mean Samba DCs or DCs in general? >> >> I am not sure I understand the above. Do you >> suggest to create another NS record for the >> Second_DC, or not to? >> >> In the resolv.conf on my member servers both DCs >> are listed as DNS servers. I like to think that >> the member servers eventually ask the second DNS >> server, if the first won't respond. This seems to >> be reflected by ping taking more than 5 s for the >> first packet to arrive. >> >> BUT what does the second DNS server (Second_DC) >> reply? Which logon server does it announce? >> >> >> DNS can be very confusing. You do not need to create a >> NS record for your second DC if the zone is directory >> integrated. By default the DC is authoritative for >> that zone. >> >> >> Probably with windows it is, but not with Samba AD, you >> only get one NS and one SOA. The only authoritative Samba >> AD DC is the first one, when you join a second DC, it runs >> the same code that created the SOA during the first DCs >> provision and because the SOA already exists, it fails. >> >> Rowland >> >> >> Yikes! Are you saying DC's with directory integrated zones are >> not authoritative for them? That means a NS record needs to be >> created manually for each DC added. >> >> >> Yes, that's about the size of it. no matter how many DCs you join, >> you only have one NS, the original DC. >> >> I have been trying to alter the code, but I am struggling to get >> another NS record added during the join, it doesn't help that I >> have no idea what a windows DC SOA record looks like, does each DC >> have a separate SOA record? or is it like the Samba SOA record and >> there is only one with multiple NS records? >> >> Yes each Windows has SOA record. In fact I expect there is no SOA record >> really on MS AD. I expect SOA management is something like when a DC >> receive request for SOA it replies "I am SOA". >> On MS AD all DC have a NS record. 
>> My second mail about that thread from Sunday the 22nd of November is showing different DNS queries I did on an MS AD domain (a 2008 r2 domain with only 2 DC, Microsoft DC).
>>
>> Finally I would look into samba_dnsupdate to add creation of NS record. I expect this tool is run when samba starts.
>> Unfortunately I did not find the right option to add to samba_dnsupdate for it to really create DNS entries. Even with kerberos ticket already created before running that command. I received a mail recently about another Samba user using internal DNS for his AD hosted by Samba. This person was facing the same issue as me (missing DNS entries, samba_dnsupdate not adding entries). To work around that issue he modified samba_dnsupdate and he commented out that line (line 413):
>> os.unlink(tmpfile)
>>
>> Doing that, samba_dnsupdate does not remove the tmp file. This tmp file contains nsupdate commands which are launched by samba_dnsupdate.
>> Finally he uses these nsupdate commands from tmp files without -g option and his DNS entries are now created.
>> I must say I did yet try that process.
>>
> If you follow the 'join' code, you end up at 'add_at_record' in sambadns.py. This is run by the initial provision and again when any DCs are joined. I have tried adding a check to see if the SOA exists and only creating it if it doesn't, otherwise just add the NS records etc, I can add the A record for the subsequent DC but not its NS record.
> This is what the initial SOA record looks like:
>
> dn: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20151106115624.0Z
> uSNCreated: 3657
> showInAdvancedViewOnly: TRUE
> name: @
> objectGUID: 7ad014c4-c1e9-4cb4-9f0d-96d0272af23d
> objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> dc: @
> whenChanged: 20151122115408.0Z
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>     wDataLength : 0x004f (79)
>     wType : DNS_TYPE_SOA (6)
>     version : 0x05 (5)
>     rank : DNS_RANK_ZONE (240)
>     flags : 0x0000 (0)
>     dwSerial : 0x00000062 (98)
>     dwTtlSeconds : 0x00000e10 (3600)
>     dwReserved : 0x00000000 (0)
>     dwTimeStamp : 0x00377e73 (3636851)
>     data : union dnsRecordData(case 6)
>         soa: struct dnsp_soa
>             serial : 0x00000063 (99)
>             refresh : 0x00000384 (900)
>             retry : 0x00000258 (600)
>             expire : 0x00015180 (86400)
>             minimum : 0x00000e10 (3600)
>             mname : dc1.samdom.example.com
>             rname : hostmaster.samdom.example.com
>
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>     wDataLength : 0x001a (26)
>     wType : DNS_TYPE_NS (2)
>     version : 0x05 (5)
>     rank : DNS_RANK_ZONE (240)
>     flags : 0x0000 (0)
>     dwSerial : 0x00000062 (98)
>     dwTtlSeconds : 0x00000384 (900)
>     dwReserved : 0x00000000 (0)
>     dwTimeStamp : 0x00000000 (0)
>     data : union dnsRecordData(case 2)
>         ns : dc1.samdom.example.com
>
> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>     wDataLength : 0x0004 (4)
>     wType : DNS_TYPE_A (1)
>     version : 0x05 (5)
>     rank : DNS_RANK_ZONE (240)
>     flags : 0x0000 (0)
>     dwSerial : 0x00000062 (98)
>     dwTtlSeconds : 0x00000384 (900)
>     dwReserved : 0x00000000 (0)
>     dwTimeStamp : 0x00000000 (0)
>     data : union dnsRecordData(case 1)
>         ipv4 : 192.168.0.5
>
> uSNChanged: 29974
> distinguishedName: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> I can add the NS record for the second DC with samba-tool, but not by
> modifying the 'add_at_record' code.
>
> I tried doing an internet search, but cannot find anything that shows the SOA objects in AD for a windows server, so I don't know if windows uses separate SOA object records for each DC, or is it just one SOA object record (like Samba uses) with an NS record added for each DC.
>
> Rowland

I'll have a look on both MS DC I prepared 10 days ago to see if there is an LDAP entry for SOA in the MS AD database.
As shown 10 days ago MS DC always reply "I am SOA" when they have the DNS service started, which is not mandatory if you already have a DNS infrastructure (from DCs or any other DNS).

From rowlandpenny241155 at gmail.com Wed Dec 2 09:51:39 2015
From: rowlandpenny241155 at gmail.com (Rowland Penny)
Date: Wed, 02 Dec 2015 09:51:39 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To:
References: <56435CD0.4090409@tu-berlin.de> <201511121123.00490.walk2sun@arcor.de> <564C9CEB.2040104@tu-berlin.de> <564DC3F7.3090409@tu-berlin.de> <564DE9F5.6020100@tu-berlin.de> <001b01d12367$4558b4a0$d00a1de0$@tplk.loc> <564F14CB.2010208@tu-berlin.de> <564F2A11.8080106@gmail.com> <564F59E6.5010902@gmail.com> <56572F7B.9020004@tu-berlin.de> <56585967.2060006@gmail.com> <565865C0.9020500@gmail.com> <565868EC.8030104@gmail.com> <56586D7C.50101@gmail.com> <56587A34.5090100@gmail.com>
Message-ID: <565EBF2B.7070901@gmail.com>

On 02/12/15 09:28, mathias dufresne wrote:
> 2015-11-27 16:43 GMT+01:00 Rowland Penny :
>
>> On 27/11/15 15:24, mathias dufresne wrote:
>>
>>> 2015-11-27 15:49 GMT+01:00 Rowland Penny :
>>>
>>> On 27/11/15 14:30, James wrote:
>>>
>>> On 11/27/2015 9:16 AM, Rowland Penny wrote:
>>>
>>> On 27/11/15 13:23, James wrote:
>>>
>>> On 11/26/2015 11:12 AM, Ole Traupe wrote:
>>>
>>> Then you re-run your test with only DC2 up and running.
>>> Note DNS may need time to be updated if you are using other DNS servers between clients and AD DCs.
>>>
>>> The SOA RR identifies a primary DNS name server for the zone as the best source of information for the data within that zone and as an entity processing the updates for the zone.
>>>
>>> The NS resource record is used to notate which DNS servers are designated as authoritative for the zone. Listing a server in the NS RR, it becomes known to others as an authoritative server for the zone. This means that any server specified in the NS RR is to be considered an authoritative source by others, and is able to answer with certainty any queries made for names included in the zone.
>>>
>>> Much of the above was taken almost verbatim from online Microsoft tech documents. I don't believe that DC's create NS records by default.
>>>
>>> You mean Samba DCs or DCs in general?
>>>
>>> I am not sure I understand the above. Do you suggest to create another NS record for the Second_DC, or not to?
>>>
>>> In the resolv.conf on my member servers both DCs are listed as DNS servers. I like to think that the member servers eventually ask the second DNS server, if the first won't respond. This seems to be reflected by ping taking more than 5 s for the first packet to arrive.
>>>
>>> BUT what does the second DNS server (Second_DC) reply? Which logon server does it announce?
>>>
>>> DNS can be very confusing. You do not need to create an NS record for your second DC if the zone is directory integrated. By default the DC is authoritative for that zone.
>>>
>>> Probably with windows it is, but not with Samba AD, you only get one NS and one SOA. The only authoritative Samba AD DC is the first one, when you join a second DC, it runs the same code that created the SOA during the first DC's provision and because the SOA already exists, it fails.
>>>
>>> Rowland
>>>
>>> Yikes! Are you saying DC's with directory integrated zones are not authoritative for them?
>>> That means an NS record needs to be created manually for each DC added.
>>>
>>> Yes, that's about the size of it. No matter how many DCs you join, you only have one NS, the original DC.
>>>
>>> I have been trying to alter the code, but I am struggling to get another NS record added during the join, it doesn't help that I have no idea what a windows DC SOA record looks like, does each DC have a separate SOA record? or is it like the Samba SOA record and there is only one with multiple NS records?
>>>
>>> Yes, each Windows DC has an SOA record. In fact I expect there is no SOA record really on MS AD. I expect SOA management is something like when a DC receives a request for SOA it replies "I am SOA".
>>> On MS AD all DC have an NS record. My second mail about that thread from Sunday the 22nd of November is showing different DNS queries I did on an MS AD domain (a 2008 r2 domain with only 2 DC, Microsoft DC).
>>>
>>> Finally I would look into samba_dnsupdate to add creation of NS record. I expect this tool is run when samba starts.
>>> Unfortunately I did not find the right option to add to samba_dnsupdate for it to really create DNS entries. Even with kerberos ticket already created before running that command. I received a mail recently about another Samba user using internal DNS for his AD hosted by Samba. This person was facing the same issue as me (missing DNS entries, samba_dnsupdate not adding entries). To work around that issue he modified samba_dnsupdate and he commented out that line (line 413):
>>> os.unlink(tmpfile)
>>>
>>> Doing that, samba_dnsupdate does not remove the tmp file. This tmp file contains nsupdate commands which are launched by samba_dnsupdate.
>>> Finally he uses these nsupdate commands from tmp files without -g option and his DNS entries are now created.
>>> I must say I did yet try that process.
>>>
>> If you follow the 'join' code, you end up at 'add_at_record' in sambadns.py.
>> This is run by the initial provision and again when any DCs are joined. I have tried adding a check to see if the SOA exists and only creating it if it doesn't, otherwise just add the NS records etc, I can add the A record for the subsequent DC but not its NS record. This is what the initial SOA record looks like:
>>
>> dn: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: dnsNode
>> instanceType: 4
>> whenCreated: 20151106115624.0Z
>> uSNCreated: 3657
>> showInAdvancedViewOnly: TRUE
>> name: @
>> objectGUID: 7ad014c4-c1e9-4cb4-9f0d-96d0272af23d
>> objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>> dc: @
>> whenChanged: 20151122115408.0Z
>> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>>     wDataLength : 0x004f (79)
>>     wType : DNS_TYPE_SOA (6)
>>     version : 0x05 (5)
>>     rank : DNS_RANK_ZONE (240)
>>     flags : 0x0000 (0)
>>     dwSerial : 0x00000062 (98)
>>     dwTtlSeconds : 0x00000e10 (3600)
>>     dwReserved : 0x00000000 (0)
>>     dwTimeStamp : 0x00377e73 (3636851)
>>     data : union dnsRecordData(case 6)
>>         soa: struct dnsp_soa
>>             serial : 0x00000063 (99)
>>             refresh : 0x00000384 (900)
>>             retry : 0x00000258 (600)
>>             expire : 0x00015180 (86400)
>>             minimum : 0x00000e10 (3600)
>>             mname : dc1.samdom.example.com
>>             rname : hostmaster.samdom.example.com
>>
>> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>>     wDataLength : 0x001a (26)
>>     wType : DNS_TYPE_NS (2)
>>     version : 0x05 (5)
>>     rank : DNS_RANK_ZONE (240)
>>     flags : 0x0000 (0)
>>     dwSerial : 0x00000062 (98)
>>     dwTtlSeconds : 0x00000384 (900)
>>     dwReserved : 0x00000000 (0)
>>     dwTimeStamp : 0x00000000 (0)
>>     data : union dnsRecordData(case 2)
>>         ns : dc1.samdom.example.com
>>
>> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>>     wDataLength : 0x0004 (4)
>>     wType : DNS_TYPE_A (1)
>>     version : 0x05 (5)
>>     rank : DNS_RANK_ZONE (240)
>>     flags : 0x0000 (0)
>>     dwSerial : 0x00000062 (98)
>>     dwTtlSeconds : 0x00000384 (900)
>>     dwReserved : 0x00000000 (0)
>>     dwTimeStamp : 0x00000000 (0)
>>     data : union dnsRecordData(case 1)
>>         ipv4 : 192.168.0.5
>>
>> uSNChanged: 29974
>> distinguishedName: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> I can add the NS record for the second DC with samba-tool, but not by modifying the 'add_at_record' code.
>>
>> I tried doing an internet search, but cannot find anything that shows the SOA objects in AD for a windows server, so I don't know if windows uses separate SOA object records for each DC, or is it just one SOA object record (like Samba uses) with an NS record added for each DC.
>>
>> Rowland
>
> I'll have a look on both MS DC I prepared 10 days ago to see if there is an LDAP entry for SOA in the MS AD database.
> As shown 10 days ago MS DC always reply "I am SOA" when they have the DNS service started, which is not mandatory if you already have a DNS infrastructure (from DCs or any other DNS).

This would help with what I am trying to find out.

I can find on the internet multiple instances of 'every DC running dns should have a SOA record', but I cannot find any concrete examples of an ldif that shows this. Does each DC have a separate SOA record in AD, or is there just one SOA record and the DC just claims to be the SOA, or is there just one SOA record with an NS record for each DC. Samba would seem to be the latter, but I am struggling with adding the NS record for a new DC during the join, I think what happens is that the NS record does get added, but is wiped out when replication kicks in. It is very easy to add the NS record after the join with samba-tool.
Rowland

From lists at merit.unu.edu Wed Dec 2 10:31:01 2015
From: lists at merit.unu.edu (mj)
Date: Wed, 2 Dec 2015 11:31:01 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <565EBF2B.7070901@gmail.com>
References: <56435CD0.4090409@tu-berlin.de> <201511121123.00490.walk2sun@arcor.de> <564C9CEB.2040104@tu-berlin.de> <564DC3F7.3090409@tu-berlin.de> <564DE9F5.6020100@tu-berlin.de> <001b01d12367$4558b4a0$d00a1de0$@tplk.loc> <564F14CB.2010208@tu-berlin.de> <564F2A11.8080106@gmail.com> <564F59E6.5010902@gmail.com> <56572F7B.9020004@tu-berlin.de> <56585967.2060006@gmail.com> <565865C0.9020500@gmail.com> <565868EC.8030104@gmail.com> <56586D7C.50101@gmail.com> <56587A34.5090100@gmail.com> <565EBF2B.7070901@gmail.com>
Message-ID: <565EC865.4060309@merit.unu.edu>

> I can find on the internet multiple instances of 'every DC running dns should have a SOA record', but I cannot find any concrete examples of an ldif that shows this. Does each DC have a separate SOA record in AD, or is there just one SOA record and the DC just claims to be the SOA, or is there just one SOA record with an NS record for each DC. Samba would seem to be the latter, but I am struggling with adding the NS record for a new DC during the join, I think what happens is that the NS record does get added, but is wiped out when replication kicks in. It is very easy to add the NS record after the join with samba-tool.
>
> Rowland
>
Hi,

I remember vaguely that someone once told me that MS DCs always announce themselves as the soa if asked. If they always reply that, perhaps there is no need for it to actually be in the database (so it would perhaps not show up in an ldif)

MJ

From infractory at gmail.com Wed Dec 2 10:40:05 2015
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 2 Dec 2015 11:40:05 +0100
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To:
References:
Message-ID:

2015-12-01 17:19 GMT+01:00 CpServiceSPb . :

> > If you run 'nmbd' with 'samba' i.e. on an AD DC, you are duplicating the code in the 'nmb' component of the 'samba' daemon, this is definitely
> > not recommended. You could turn off 'nmb', but again this is not recommended, the rest of the 'samba' daemon relies on 'nmb' not the
> > external 'nmbd'.
> >
> > Or to put it another way, if you are running 'nmbd' with an AD DC, I would suggest you stop, sooner or later, you are going to have problems.
> Unfortunately, maybe you are right. :((
> When I run Nmbd with Samba at AD mode, I don't remember exactly now, but if Nmbd started first and then Samba daemon, error was or vice versa.
>
> > Well probably not any time soon, (unless you are prepared to come up with patches), this appears to be one of those things that would be nice
> > to have, but not at the top of the list. It also seems to be disappearing from windows, so why waste valuable time doing something
> > that will possibly no longer be needed.
> It also seems to be disappearing from Windows - but hasn't disappeared and I think will not disappear for quite a long time.
> Moreover many PC stations are equipped with Windows XP yet, not even Windows 7.
> As following, it can be necessary for a quite long time.
>
> From mathias
>
> Now VM usage + split of file servers => no need of nmbd on AD DC. Nmbd will be run on file servers which serve files for Windows computers.
>
> That's just my own point of view, built according to own understanding of Samba. That means I can be really far from the original "why" : )
>
> I know many people who have AD DC 2008R, even 2003R2 at working position. And people who are connected to its DCs or served by it very actively use the Windows analogue of nmb functionality (built-in in Windows of course) in their LANs.
>
I worked for years for a small company building planes: Airbus.
They do have lots of DC, lots of file servers, they use ADAM intensively too. I don't remember them using the WINS service.
DC are meant to authenticate clients. That specific process is based on DNS to guess where to authenticate.
In fact having DC in the network neighborhood is good for mini-parks only. If you have 2 file servers and 2 DC, 50 clients, at worst you will have 54 entries in the network neighborhood. Now think about the same network neighborhood when you have 50 DC, 250 file servers and tens of thousands of clients. Wouldn't it be easier for your users to have only these file servers in their network neighborhood rather than all clients + all DC + somewhere in the middle some lost file servers?

> I will remember, that nmbd in addition makes the server visible in Network Neighborhood, in some points takes part in accessing it by NetBios name (additionally to IP), maintains the computers list for the group, can act as LMB and/or DMB, that is in general makes Neighborhood Browsing possible.
> Quite a big function capacity in my opinion.
>
I'm lacking knowledge about MS AD but I was believing AD was coming with its own replacement of that election process. If I'm wrong, the fact DC are not part of that process does not seem to be too big an issue if they are not file servers.

> And it is more comfortable to get AD DC with fully working Neighborhood Browsing.
>
For lazy admins on a small park, it could be. For DC with short names in a big park, you lose time opening the network neighborhood, waiting for it to fill up, digging into declared machines to find the one you were looking for rather than just typing "\\my_dc_name" in the windows explorer address bar.

> And some of those people (mentioned above) stopped migrating their Windows AD DCs to Samba4 ones because of the reason - lack of discussion functionality.
>
"lack of discussion" functionality: what did you mean? They really stopped digging into Samba AD because they didn't find their DC in the network neighborhood?
No, they must have better reasons I think. I should have missed the meaning of what you said...

> As following, I consider it important to have full nmb functionality working with AD DC at Samba4.
>
> Maybe I am wrong, but moving code from nmbd (s3) is necessary only to the AD DC nmb code part (s4), of course with some editions.
> But I may be wrong.
>
> *Rowland, *can you point me to files from AD DC sources where nmb code is presented?
>
> Maybe I will be able to start the "process" of working on it. :))
>
Good luck! Always a good idea to help opensource :)

From rowlandpenny241155 at gmail.com Wed Dec 2 10:57:59 2015
From: rowlandpenny241155 at gmail.com (Rowland Penny)
Date: Wed, 02 Dec 2015 10:57:59 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <565EC865.4060309@merit.unu.edu>
References: <56435CD0.4090409@tu-berlin.de> <201511121123.00490.walk2sun@arcor.de> <564C9CEB.2040104@tu-berlin.de> <564DC3F7.3090409@tu-berlin.de> <564DE9F5.6020100@tu-berlin.de> <001b01d12367$4558b4a0$d00a1de0$@tplk.loc> <564F14CB.2010208@tu-berlin.de> <564F2A11.8080106@gmail.com> <564F59E6.5010902@gmail.com> <56572F7B.9020004@tu-berlin.de> <56585967.2060006@gmail.com> <565865C0.9020500@gmail.com> <565868EC.8030104@gmail.com> <56586D7C.50101@gmail.com> <56587A34.5090100@gmail.com> <565EBF2B.7070901@gmail.com> <565EC865.4060309@merit.unu.edu>
Message-ID: <565ECEB7.9080201@gmail.com>

On 02/12/15 10:31, mj wrote:
>> I can find on the internet multiple instances of 'every DC running dns should have a SOA record', but I cannot find any concrete examples of an ldif that shows this. Does each DC have a separate SOA record in AD, or is there just one SOA record and the DC just claims to be the SOA, or is there just one SOA record with an NS record for each DC.
>> Samba would seem to be the latter, but I am struggling with adding the NS record for a new DC during the join, I think what happens is that the NS record does get added, but is wiped out when replication kicks in. It is very easy to add the NS record after the join with samba-tool.
>>
>> Rowland
>>
> Hi,
>
> I remember vaguely that someone once told me that MS DCs always announce themselves as the soa if asked. If they always reply that, perhaps there is no need for it to actually be in the database (so it would perhaps not show up in an ldif)
>
> MJ
>
This is what I think happens and if this is the case, then samba itself will have to do this, but I have added an NS record for the 2nd DC to the SOA record with samba-tool and if I use nslookup I get this:

nslookup
> set querytype=soa
> samdom.example.com
Server:         192.168.0.5
Address:        192.168.0.5#53

samdom.example.com
        origin = dc1.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 101
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600

If I then exit from nslookup and swap the nameservers in /etc/resolv.conf and rerun nslookup, I get this:

nslookup
> set querytype=soa
> samdom.example.com
Server:         192.168.0.6
Address:        192.168.0.6#53

samdom.example.com
        origin = dc2.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 101
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600

Which, to me, says that both DCs are authoritative for the domain, if this is correct, I just need to find a way of adding the NS record during the join.
Rowland

From infractory at gmail.com Wed Dec 2 10:57:59 2015
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 2 Dec 2015 11:57:59 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <565EBF2B.7070901@gmail.com>
References: <56435CD0.4090409@tu-berlin.de> <201511121123.00490.walk2sun@arcor.de> <564C9CEB.2040104@tu-berlin.de> <564DC3F7.3090409@tu-berlin.de> <564DE9F5.6020100@tu-berlin.de> <001b01d12367$4558b4a0$d00a1de0$@tplk.loc> <564F14CB.2010208@tu-berlin.de> <564F2A11.8080106@gmail.com> <564F59E6.5010902@gmail.com> <56572F7B.9020004@tu-berlin.de> <56585967.2060006@gmail.com> <565865C0.9020500@gmail.com> <565868EC.8030104@gmail.com> <56586D7C.50101@gmail.com> <56587A34.5090100@gmail.com> <565EBF2B.7070901@gmail.com>
Message-ID:

That seems really simpler to merely reply "I am SOA" than having one entry in LDAP for each DC running DNS. Just for replication it would generate a mess.
In the MS AD world you can disable DNS after you built your AD, in that case there is one NS record per zone to remove, I don't know if MS DC do that but that sounds already complex enough to not have added removing of the SOA LDAP entry on each DC in addition to this NS removal...
For all that I expect there is no SOA record in the MS AD LDAP tree.
I'll try to remember to test removing the DNS service from one MS DC, to check if NS records are modified...

2015-12-02 10:51 GMT+01:00 Rowland Penny :

> On 02/12/15 09:28, mathias dufresne wrote:
>
>> 2015-11-27 16:43 GMT+01:00 Rowland Penny :
>>
>> On 27/11/15 15:24, mathias dufresne wrote:
>>>
>>>> 2015-11-27 15:49 GMT+01:00 Rowland Penny :
>>>>
>>>> On 27/11/15 14:30, James wrote:
>>>>
>>>> On 11/27/2015 9:16 AM, Rowland Penny wrote:
>>>>
>>>> On 27/11/15 13:23, James wrote:
>>>>
>>>> On 11/26/2015 11:12 AM, Ole Traupe wrote:
>>>>
>>>> Then you re-run your test with only DC2 up and running.
>>>> Note DNS may need time to be updated if you are using other DNS servers between clients and AD DCs.
>>>>
>>>> The SOA RR identifies a primary DNS name server for the zone as the best source of information for the data within that zone and as an entity processing the updates for the zone.
>>>>
>>>> The NS resource record is used to notate which DNS servers are designated as authoritative for the zone. Listing a server in the NS RR, it becomes known to others as an authoritative server for the zone. This means that any server specified in the NS RR is to be considered an authoritative source by others, and is able to answer with certainty any queries made for names included in the zone.
>>>>
>>>> Much of the above was taken almost verbatim from online Microsoft tech documents. I don't believe that DC's create NS records by default.
>>>>
>>>> You mean Samba DCs or DCs in general?
>>>>
>>>> I am not sure I understand the above. Do you suggest to create another NS record for the Second_DC, or not to?
>>>>
>>>> In the resolv.conf on my member servers both DCs are listed as DNS servers. I like to think that the member servers eventually ask the second DNS server, if the first won't respond. This seems to be reflected by ping taking more than 5 s for the first packet to arrive.
>>>>
>>>> BUT what does the second DNS server (Second_DC) reply? Which logon server does it announce?
>>>>
>>>> DNS can be very confusing. You do not need to create an NS record for your second DC if the zone is directory integrated. By default the DC is authoritative for that zone.
>>>>
>>>> Probably with windows it is, but not with Samba AD, you only get one NS and one SOA.
>>>> The only authoritative Samba AD DC is the first one, when you join a second DC, it runs the same code that created the SOA during the first DC's provision and because the SOA already exists, it fails.
>>>>
>>>> Rowland
>>>>
>>>> Yikes! Are you saying DC's with directory integrated zones are not authoritative for them? That means an NS record needs to be created manually for each DC added.
>>>>
>>>> Yes, that's about the size of it. No matter how many DCs you join, you only have one NS, the original DC.
>>>>
>>>> I have been trying to alter the code, but I am struggling to get another NS record added during the join, it doesn't help that I have no idea what a windows DC SOA record looks like, does each DC have a separate SOA record? or is it like the Samba SOA record and there is only one with multiple NS records?
>>>>
>>>> Yes, each Windows DC has an SOA record. In fact I expect there is no SOA record really on MS AD. I expect SOA management is something like when a DC receives a request for SOA it replies "I am SOA".
>>>> On MS AD all DC have an NS record. My second mail about that thread from Sunday the 22nd of November is showing different DNS queries I did on an MS AD domain (a 2008 r2 domain with only 2 DC, Microsoft DC).
>>>>
>>>> Finally I would look into samba_dnsupdate to add creation of NS record. I expect this tool is run when samba starts.
>>>> Unfortunately I did not find the right option to add to samba_dnsupdate for it to really create DNS entries. Even with kerberos ticket already created before running that command. I received a mail recently about another Samba user using internal DNS for his AD hosted by Samba. This person was facing the same issue as me (missing DNS entries, samba_dnsupdate not adding entries).
>>>> To work around that issue he modified samba_dnsupdate and he commented out that line (line 413):
>>>> os.unlink(tmpfile)
>>>>
>>>> Doing that, samba_dnsupdate does not remove the tmp file. This tmp file contains nsupdate commands which are launched by samba_dnsupdate.
>>>> Finally he uses these nsupdate commands from tmp files without -g option and his DNS entries are now created.
>>>> I must say I did yet try that process.
>>>>
>>> If you follow the 'join' code, you end up at 'add_at_record' in sambadns.py. This is run by the initial provision and again when any DCs are joined. I have tried adding a check to see if the SOA exists and only creating it if it doesn't, otherwise just add the NS records etc, I can add the A record for the subsequent DC but not its NS record. This is what the initial SOA record looks like:
>>>
>>> dn: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>> objectClass: top
>>> objectClass: dnsNode
>>> instanceType: 4
>>> whenCreated: 20151106115624.0Z
>>> uSNCreated: 3657
>>> showInAdvancedViewOnly: TRUE
>>> name: @
>>> objectGUID: 7ad014c4-c1e9-4cb4-9f0d-96d0272af23d
>>> objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>>> dc: @
>>> whenChanged: 20151122115408.0Z
>>> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>>>     wDataLength : 0x004f (79)
>>>     wType : DNS_TYPE_SOA (6)
>>>     version : 0x05 (5)
>>>     rank : DNS_RANK_ZONE (240)
>>>     flags : 0x0000 (0)
>>>     dwSerial : 0x00000062 (98)
>>>     dwTtlSeconds : 0x00000e10 (3600)
>>>     dwReserved : 0x00000000 (0)
>>>     dwTimeStamp : 0x00377e73 (3636851)
>>>     data : union dnsRecordData(case 6)
>>>         soa: struct dnsp_soa
>>>             serial : 0x00000063 (99)
>>>             refresh : 0x00000384 (900)
>>>             retry : 0x00000258 (600)
>>>             expire : 0x00015180 (86400)
>>>             minimum : 0x00000e10 (3600)
>>>             mname : dc1.samdom.example.com
>>>             rname : hostmaster.samdom.example.com
>>>
>>> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>>>     wDataLength : 0x001a (26)
>>>     wType : DNS_TYPE_NS (2)
>>>     version : 0x05 (5)
>>>     rank : DNS_RANK_ZONE (240)
>>>     flags : 0x0000 (0)
>>>     dwSerial : 0x00000062 (98)
>>>     dwTtlSeconds : 0x00000384 (900)
>>>     dwReserved : 0x00000000 (0)
>>>     dwTimeStamp : 0x00000000 (0)
>>>     data : union dnsRecordData(case 2)
>>>         ns : dc1.samdom.example.com
>>>
>>> dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
>>>     wDataLength : 0x0004 (4)
>>>     wType : DNS_TYPE_A (1)
>>>     version : 0x05 (5)
>>>     rank : DNS_RANK_ZONE (240)
>>>     flags : 0x0000 (0)
>>>     dwSerial : 0x00000062 (98)
>>>     dwTtlSeconds : 0x00000384 (900)
>>>     dwReserved : 0x00000000 (0)
>>>     dwTimeStamp : 0x00000000 (0)
>>>     data : union dnsRecordData(case 1)
>>>         ipv4 : 192.168.0.5
>>>
>>> uSNChanged: 29974
>>> distinguishedName: DC=@,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>
>>> I can add the NS record for the second DC with samba-tool, but not by modifying the 'add_at_record' code.
>>>
>>> I tried doing an internet search, but cannot find anything that shows the SOA objects in AD for a windows server, so I don't know if windows uses separate SOA object records for each DC, or is it just one SOA object record (like Samba uses) with an NS record added for each DC.
>>>
>>> Rowland
>>>
>> I'll have a look on both MS DC I prepared 10 days ago to see if there is an LDAP entry for SOA in the MS AD database.
>> As shown 10 days ago MS DC always reply "I am SOA" when they have the DNS service started, which is not mandatory if you already have a DNS infrastructure (from DCs or any other DNS).
>>
>
> This would help with what I am trying to find out.
>
> I can find on the internet multiple instances of 'every DC running dns should have a SOA record', but I cannot find any concrete examples of an ldif that shows this.
> Does each DC have a separate SOA record in AD, or is there just one SOA record and the DC just claims to be the SOA, or is there just one SOA record with an NS record for each DC. Samba would seem to be the latter, but I am struggling with adding the NS record for a new DC during the join, I think what happens is that the NS record does get added, but is wiped out when replication kicks in. It is very easy to add the NS record after the join with samba-tool.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>

From infractory at gmail.com Wed Dec 2 11:59:43 2015
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 2 Dec 2015 12:59:43 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <565ECEB7.9080201@gmail.com>
References: <56435CD0.4090409@tu-berlin.de> <201511121123.00490.walk2sun@arcor.de> <564C9CEB.2040104@tu-berlin.de> <564DC3F7.3090409@tu-berlin.de> <564DE9F5.6020100@tu-berlin.de> <001b01d12367$4558b4a0$d00a1de0$@tplk.loc> <564F14CB.2010208@tu-berlin.de> <564F2A11.8080106@gmail.com> <564F59E6.5010902@gmail.com> <56572F7B.9020004@tu-berlin.de> <56585967.2060006@gmail.com> <565865C0.9020500@gmail.com> <565868EC.8030104@gmail.com> <56586D7C.50101@gmail.com> <56587A34.5090100@gmail.com> <565EBF2B.7070901@gmail.com> <565EC865.4060309@merit.unu.edu> <565ECEB7.9080201@gmail.com>
Message-ID:

Rowland,

What did you request as DNS? Samba + Bind + DLZ? If yes, the fact your two DNS are replying "I am SOA" is a feature from Bind9 or from the DLZ patch.
That's important as a standard Samba AD designed without Bind is using the LDAP defined entry for SOA. Asking the five Samba DC I have here who is SOA, they all replied the same server, the one declared in the SOA LDAP entry. Of course all DC are declared as NS in that zone.
That behavior is the same for SAMBA.DOMAIN.TLD zone and for
_msdcs.SAMBA.DOMAIN.TLD zone.

And where the SOA is is important as samba_dnsupdate is using, sometimes, that
SOA to guess where to push changes. I'm absolutely sure of that because I
started to interest myself in SOA after samba_dnsupdate complained about my
SOA which was not pointing to the right server.

2015-12-02 11:57 GMT+01:00 Rowland Penny :

> On 02/12/15 10:31, mj wrote:
>
>> I can find on the internet multiple instances of 'every DC running dns
>>> should have a SOA record', but I cannot find any concrete examples of an
>>> ldif that shows this. Does each DC have a separate SOA record in AD, or
>>> is there just one SOA record and the DC just claims to be the SOA, or is
>>> there just one SOA record with an NS record for each DC. Samba would
>>> seem to be the latter, but I am struggling with adding the NS record for
>>> a new DC during the join, I think what happens is that the NS record
>>> does get added, but is wiped out when replication kicks in. It is very
>>> easy to add the NS record after the join with samba-tool.
>>>
>>> Rowland
>>>
>>> Hi,
>>
>> I remember vaguely that someone once told me that MS DCs always announce
>> themselves as the soa if asked.
>> If they always reply that, perhaps there is
>> no need for it to actually be in the database (so it would perhaps not show
>> up in an ldif)
>>
>> MJ
>>
>>
> This is what I think happens and if this is the case, then samba itself
> will have to do this, but I have added an NS record for the 2nd DC to the
> SOA record with samba-tool and if I use nslookup I get this:
>
> nslookup
> > set querytype=soa
> > samdom.example.com
> Server: 192.168.0.5
> Address: 192.168.0.5#53
>
> samdom.example.com
> origin = dc1.samdom.example.com
> mail addr = hostmaster.samdom.example.com
> serial = 101
> refresh = 900
> retry = 600
> expire = 86400
> minimum = 3600
>
> If I then exit from nslookup and swap the nameservers in /etc/resolv.conf
> and rerun nslookup, I get this:
>
> nslookup
> > set querytype=soa
> > samdom.example.com
> Server: 192.168.0.6
> Address: 192.168.0.6#53
>
> samdom.example.com
> origin = dc2.samdom.example.com
> mail addr = hostmaster.samdom.example.com
> serial = 101
> refresh = 900
> retry = 600
> expire = 86400
> minimum = 3600
>
> Which, to me, says that both DCs are authoritative for the domain, if this
> is correct, I just need to find a way of adding the NS record during the
> join.
>
> Rowland
>

From infractory at gmail.com  Wed Dec 2 12:08:58 2015
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 2 Dec 2015 13:08:58 +0100
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> <565DD1C3.3070600@gmail.com> <565DD757.4080102@gmail.com> <565DE2F8.7000009@gmail.com>
Message-ID:

Can't you just disable dnsmasq service?
You don't seem to be too confident in that tool and you have DNS
issues...

dnsmasq has most certainly a good reason to exist. I just don't know it. In
IT for work we generally don't need such tool as infrastructures of
companies are meant to be stable. As the clients configuration.

So I would start with dnsmasq removal, then I would [learn how to]
configure manually this client, then I would re-run test, starting with
small tests (DNS with dig/nslookup, kinit...)

2015-12-01 21:40 GMT+01:00 Jonathan S. Fisher <
jonathan at springventuregroup.com>:

> So everything with the hostname is now resolving correctly, without the
> 127.0.1.1 hack anymore. We just had to make sure DHCP was handing out the
> correct domain, which it is now:
>
> $ hostname -d
> windows.corp.XXX.com
> $ hostname -f
> freeradius.windows.corp.XXX.com
>
> I deleted all the shared secrets, removed the computer from AD and
> rejoined... but of course, we're still getting the exact same issue... :(
> It's still trying to query the wrong DNS entry.
>
>
> On Tue, Dec 1, 2015 at 12:12 PM, Rowland Penny <
> rowlandpenny241155 at gmail.com
> > wrote:
>
> > On 01/12/15 17:27, Jonathan S. Fisher wrote:
> >
> >> It isn't running, one of the first things I do when setting up a new DC
> is
> >>>
> >> to remove nscd if it is installed.
> >> Ah ok... well this isn't a DC, just a member... is NSCD ok to run as a
> >> member? Otherwise I can remove it.
> >>
> >
> > I would remove it, everything dns wise should come from an AD DC
> >
> >
> >> you get a caching dnsmasq server as standard
> >>>
> >> Not on ubuntu server... There is no dnsmasq package installed nor is it
> >> in
> >> ps -ef
> >>
> >
> > Ah, so no GUI then, ok in this case you probably won't have Network
> Manager
> > installed either.
> >
> > If you have to have that 127.0.1.1 line in /etc/hosts, you have dns
> >>>
> >> problems.
> >> I'll try to figure out how to get the client to have a FQDN without the
> >> line in /etc/hosts
> >>
> >
> > If this machine is going to be a fileserver, you would probably be better
> > using a fixed ip, but if you are going to have other Unix domain members
> using
> > dhcp, you need to sort this problem.
> >
> >
> >> I really am starting to hate Active Directory...
> >>
> >
> > I just hate microsoft, it cuts out the middle man :-D
> >
> > Rowland
> >
> >
> >> On Tue, Dec 1, 2015 at 11:22 AM, Rowland Penny <
> >> rowlandpenny241155 at gmail.com
> >>
> >>> wrote:
> >>> On 01/12/15 17:09, Jonathan S. Fisher wrote:
> >>>
> >>> So your client did no DNS lookups?? That's crazy. Could they be cached?
> >>> (Can you disable nscd if you have it running and try again?)
> >>>
> >>>
> >>> It isn't running, one of the first things I do when setting up a new DC
> >>> is
> >>> to remove nscd if it is installed.
> >>>
> >>>
> >>> Why, in your deity's name, why?????
> >>>>
> >>> I'm starting my own caliphate. Seems to be all the rage these days.
> >>>
> >>> Dnsmasq isn't running locally... it's the main DNS server at
> >>> 192.168.127.129. At one time I guess we were running Bind, but he
> >>> switched
> >>> to dnsmasq for simplicity. If there's a legit reason why Windows needs
> to
> >>> handle 100% of the DNS and DHCP for the network... well that's a little
> >>> scary of a thought. Are these things in no way interoperable?
> >>>
> >>>
> >>> On Ubuntu, you get a caching dnsmasq server as standard, this is
> >>> controlled by Network Manager, this shouldn't be running on an AD
> client
> >>> (note this is only from my experience, it seems to interfere with AD
> >>> dns).
> >>>
> >>> DHCP doesn't need to be running on the DC, but it needs to give your
> >>> client the required info, see my previous post for what mine sends.
> >>> Your AD clients need to use your AD DCs as their DNS servers, anything
> >>> your DCs don't know about i.e.
> >>> google should be forwarded to a DNS
> server
> >>> that does i.e. your dnsmasq machine
> >>>
> >>> Your problem isn't that net is using the workgroup name, it is that
> your
> >>> machine doesn't seem to know who it is and where the DCs are :-)
> >>>
> >>>
> >>> Mind you, until you get 'hostname -f' to return your FQDN, it will not
> >>>>
> >>> work correctly.
> >>> Well this "works" right now with what I put into /etc/hosts. Are you
> >>> saying it has to work purely from dhcp?
> >>>
> >>>
> >>>
> >>> If you have to have that 127.0.1.1 line in /etc/hosts, you have dns
> >>> problems.
> >>>
> >>> Rowland
> >>>
> >>>
> >>>
> >
>
From rowlandpenny241155 at gmail.com  Wed Dec 2 12:24:50 2015
From: rowlandpenny241155 at gmail.com (Rowland Penny)
Date: Wed, 02 Dec 2015 12:24:50 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To:
References: <56435CD0.4090409@tu-berlin.de> <564DC3F7.3090409@tu-berlin.de> <564DE9F5.6020100@tu-berlin.de> <001b01d12367$4558b4a0$d00a1de0$@tplk.loc> <564F14CB.2010208@tu-berlin.de> <564F2A11.8080106@gmail.com> <564F59E6.5010902@gmail.com> <56572F7B.9020004@tu-berlin.de> <56585967.2060006@gmail.com> <565865C0.9020500@gmail.com> <565868EC.8030104@gmail.com> <56586D7C.50101@gmail.com> <56587A34.5090100@gmail.com> <565EBF2B.7070901@gmail.com> <565EC865.4060309@merit.unu.edu> <565ECEB7.9080201@gmail.com>
Message-ID: <565EE312.2040906@gmail.com>

On 02/12/15 11:59, mathias dufresne wrote:
> Rowland,
>
> What did you request as DNS? Samba + Bind + DLZ ?
> If yes, the fact your two DNS are replying "I am SOA" is a feature from
> Bind9 or from DLZ patch.

Yes, I use bind9 with the dlz backend.

>
> That's important as a standard Samba AD designed without Bind is using LDAP
> defined entry for SOA. Asking to the five Samba DC I have here who's SOA,
> they all replied the same server, the one declared in SOA LDAP entry.
> Of course all DC are declared as NS in that zone.

Not sure if this is a bind9 feature, does your SOA record have the NS
records for all the DCs, if not, then the first DC will be the only
Authoritative server.

>
> That behavior is the same for SAMBA.DOMAIN.TLD zone and for
> _msdcs.SAMBA.DOMAIN.TLD zone.
>
> And where the SOA is is important as samba_dnsupdate is using, sometimes, that
> SOA to guess where to push changes.
> I'm absolutely sure of that because I
> started to interest myself in SOA after samba_dnsupdate complained about my
> SOA which was not pointing to the right server.
>
>
> 2015-12-02 11:57 GMT+01:00 Rowland Penny :
>
>> On 02/12/15 10:31, mj wrote:
>>
>>> I can find on the internet multiple instances of 'every DC running dns
>>>> should have a SOA record', but I cannot find any concrete examples of an
>>>> ldif that shows this. Does each DC have a separate SOA record in AD, or
>>>> is there just one SOA record and the DC just claims to be the SOA, or is
>>>> there just one SOA record with an NS record for each DC. Samba would
>>>> seem to be the latter, but I am struggling with adding the NS record for
>>>> a new DC during the join, I think what happens is that the NS record
>>>> does get added, but is wiped out when replication kicks in. It is very
>>>> easy to add the NS record after the join with samba-tool.
>>>>
>>>> Rowland
>>>>
>>>> Hi,
>>> I remember vaguely that someone once told me that MS DCs always announce
>>> themselves as the soa if asked.
>>> If they always reply that, perhaps there is
>>> no need for it to actually be in the database (so it would perhaps not show
>>> up in an ldif)
>>>
>>> MJ
>>>
>>>
>> This is what I think happens and if this is the case, then samba itself
>> will have to do this, but I have added an NS record for the 2nd DC to the
>> SOA record with samba-tool and if I use nslookup I get this:
>>
>> nslookup
>>> set querytype=soa
>>> samdom.example.com
>> Server: 192.168.0.5
>> Address: 192.168.0.5#53
>>
>> samdom.example.com
>> origin = dc1.samdom.example.com
>> mail addr = hostmaster.samdom.example.com
>> serial = 101
>> refresh = 900
>> retry = 600
>> expire = 86400
>> minimum = 3600
>>
>> If I then exit from nslookup and swap the nameservers in /etc/resolv.conf
>> and rerun nslookup, I get this:
>>
>> nslookup
>>> set querytype=soa
>>> samdom.example.com
>> Server: 192.168.0.6
>> Address: 192.168.0.6#53
>>
>> samdom.example.com
>> origin = dc2.samdom.example.com
>> mail addr = hostmaster.samdom.example.com
>> serial = 101
>> refresh = 900
>> retry = 600
>> expire = 86400
>> minimum = 3600
>>
>> Which, to me, says that both DCs are authoritative for the domain, if this
>> is correct, I just need to find a way of adding the NS record during the
>> join.
>>
>> Rowland
>>
>>

From mjirou at gmail.com  Wed Dec 2 13:30:00 2015
From: mjirou at gmail.com (Marc JIROU)
Date: Wed, 2 Dec 2015 14:30:00 +0100
Subject: [Samba] Symlink with mklink
In-Reply-To: <20151201171955.GB4148@jeremy-ThinkPad-T430s>
References: <20151201171955.GB4148@jeremy-ThinkPad-T430s>
Message-ID:

> I'm using windows 7 as client and a Samba 4.1.21 server.
> > I would like to create symbolic link on a share with mklink,
> > it fails with a reparse point error message.
> >
> > Trying to find more information i found this discussion
> > https://lists.samba.org/archive/samba-technical/2014-September/102388.html
> >
> > So it seems that i'm not the only one trying to do that without
> success.
> >
> > Reading microsoft SMB documentation i found that this feature is optional
> > and the
> > server may or may not support it.
> >
> > Is it something that exists in newest version, or maybe it is in the
> > roadmap, or will
> > never be supported ?
>
> Doesn't exist yet. No one has really found a pressing
> need for it. It's not too difficult to support.
>
> If you have a pressing need for it you can always
> hire a Samba support company to implement it (or
> wait until one of the Team employers has a pressing
> need for it :-).
>

So no one is interested in having symbolic links on a samba server ?

When I was looking for information, most people think that symbolic
links are reserved to NTFS and can't exist on a smb server, that's why no
one asks for it.

I'm pretty sure a lot of people are waiting for this ( at least people that
use unix system ) but that's just my personal opinion

Regards

From infractory at gmail.com  Wed Dec 2 13:35:51 2015
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 2 Dec 2015 14:35:51 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <565EE312.2040906@gmail.com>
References: <56435CD0.4090409@tu-berlin.de> <564DC3F7.3090409@tu-berlin.de> <564DE9F5.6020100@tu-berlin.de> <001b01d12367$4558b4a0$d00a1de0$@tplk.loc> <564F14CB.2010208@tu-berlin.de> <564F2A11.8080106@gmail.com> <564F59E6.5010902@gmail.com> <56572F7B.9020004@tu-berlin.de> <56585967.2060006@gmail.com> <565865C0.9020500@gmail.com> <565868EC.8030104@gmail.com> <56586D7C.50101@gmail.com> <56587A34.5090100@gmail.com> <565EBF2B.7070901@gmail.com> <565EC865.4060309@merit.unu.edu> <565ECEB7.9080201@gmail.com> <565EE312.2040906@gmail.com>
Message-ID:

2015-12-02 13:24 GMT+01:00
Rowland Penny :

> On 02/12/15 11:59, mathias dufresne wrote:
>
>> Rowland,
>>
>> What did you request as DNS? Samba + Bind + DLZ ?
>> If yes, the fact your two DNS are replying "I am SOA" is a feature from
>> Bind9 or from DLZ patch.
>>
>
> Yes, I use bind9 with the dlz backend.
>
>
>> That's important as a standard Samba AD designed without Bind is using
>> LDAP
>> defined entry for SOA. Asking to the five Samba DC I have here who's SOA,
>> they all replied the same server, the one declared in SOA LDAP entry.
>> Of course all DC are declared as NS in that zone.
>>
>
> Not sure if this is a bind9 feature, does your SOA record have the NS
> records for all the DCs, if not, then the first DC will be the only
> Authoritative server.

For me, I can be wrong, SOA is referencing one and only one DNS server. You
can have several NS and only one SOA. That's why I said several times that I
think MS DC reply "I am SOA" and I didn't write that I think MS DC reply "I
am one SOA".

In Samba AD there is a LDAP entry for SOA record. This entry references only
one server. I have several NS declared, one per DC as all my DC (Samba
standard DC, no bind-dlz) are hosting the two DNS zones.

Now about if the fact your Bind DNS servers are behaving like MS DNS, as my
Samba DNS are not behaving like MS DNS, I expect this behavior change comes
from the fact we are not using the same DNS servers. As when DNS requests are
sent from clients to DNS servers Samba is not involved (your client asks
directly to your Bind9-dlz servers) I think the difference in our DNS SOA
replies comes from the fact our DNS software is different.

This can be easily tested from your side: you have a Bind9-dlz
infrastructure, use it to create a new fake zone, build that zone identically
as the one used by Samba, perhaps just renaming your AD zone, then you will
be able to ask your own Bind9-dlz DNS server about SOA for that new zone.
Then you'll see if your Bind replies "I am SOA" or if they reply "this one
is SOA".
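The check discussed in this thread (ask each DC who it says is the SOA origin, and compare that with the NS set) can be automated. The script below is an added example, not code from the list or from Samba: it builds and parses raw DNS messages with the Python standard library, so it needs no dnspython. The constructed sample responses mirror the nslookup output above (192.168.0.5 answering dc1, 192.168.0.6 answering dc2, both listing both DCs as NS); the function names, the zone name and the sample data are the example's own assumptions.

```python
"""Ask several DNS servers (e.g. every AD DC) who they claim is SOA for a
zone and whether their NS sets agree.  Standard library only."""
import socket
import struct

QTYPE_NS, QTYPE_SOA, CLASS_IN = 2, 6, 1


def encode_name(name):
    """Dotted name -> DNS wire labels, terminated by a zero-length label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(zone, qtype, txid=0x1234):
    """Standard recursion-desired query carrying a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", qtype, CLASS_IN)


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # RFC 1035 compression pointer
            if end is None:
                end = off + 2                     # caller resumes after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return the AA flag, rcode and every SOA/NS record in any section."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4                                  # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = off + 10, off + 10 + rdlen
        if rtype == QTYPE_SOA:
            mname, p = read_name(msg, rdata)      # MNAME: the server claiming origin
            rname, p = read_name(msg, p)
            serial = struct.unpack("!I", msg[p:p + 4])[0]
            records.append((owner, "SOA", {"mname": mname, "rname": rname, "serial": serial}))
        elif rtype == QTYPE_NS:
            records.append((owner, "NS", read_name(msg, rdata)[0]))
    return {"aa": bool(flags & 0x0400), "rcode": flags & 0x0F, "records": records}


def build_response(zone, mname, rname, serial, ns_hosts, txid=0x1234):
    """Constructed authoritative SOA answer plus NS authority records, the shape
    a DC returns.  Test data only; owner names use a pointer to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 1, 1, len(ns_hosts), 0)  # QR|AA|RD
    msg = header + encode_name(zone) + struct.pack("!HH", QTYPE_SOA, CLASS_IN)
    owner = b"\xC0\x0C"                            # pointer to offset 12 (question name)
    soa = encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", serial, 900, 600, 86400, 3600)
    msg += owner + struct.pack("!HHIH", QTYPE_SOA, CLASS_IN, 900, len(soa)) + soa
    for host in ns_hosts:
        rdata = encode_name(host)
        msg += owner + struct.pack("!HHIH", QTYPE_NS, CLASS_IN, 900, len(rdata)) + rdata
    return msg


def query_server(server, zone, qtype=QTYPE_SOA, timeout=3.0):
    """Live UDP query to one server (used from main(), not by the offline sample)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(zone, qtype), (server, 53))
        return parse_response(sock.recv(4096))


def compare_soa(responses):
    """responses: {server: parsed response}.  Reports the MNAME each server
    claims, whether all claims agree, and whether every NS set is identical."""
    mnames, ns_sets = {}, {}
    for server, resp in responses.items():
        soa = [r[2] for r in resp["records"] if r[1] == "SOA"]
        mnames[server] = soa[0]["mname"] if soa else None
        ns_sets[server] = frozenset(r[2] for r in resp["records"] if r[1] == "NS")
    return {"mname": mnames, "ns": ns_sets,
            "same_mname": len(set(mnames.values())) == 1,
            "same_ns": len(set(ns_sets.values())) == 1}


# Constructed sample modelled on the nslookup output in this thread: each DC
# names itself as SOA origin, and both list both DCs as NS (assumed data).
ZONE = "samdom.example.com"
NS_HOSTS = ["dc1." + ZONE, "dc2." + ZONE]
SAMPLE = {
    "192.168.0.5": parse_response(build_response(ZONE, "dc1." + ZONE, "hostmaster." + ZONE, 101, NS_HOSTS)),
    "192.168.0.6": parse_response(build_response(ZONE, "dc2." + ZONE, "hostmaster." + ZONE, 101, NS_HOSTS)),
}

if __name__ == "__main__":
    import sys
    # usage: python soa_check.py ZONE SERVER [SERVER ...]; no arguments -> offline sample
    live = {srv: query_server(srv, sys.argv[1]) for srv in sys.argv[2:]}
    print(compare_soa(live or SAMPLE))
```

Run with a zone and the addresses of every DC to see whether they disagree on MNAME (the BIND9-DLZ behaviour Rowland reports) or all point at the single server held in the LDAP SOA entry (the behaviour Mathias reports for the internal DNS); a mismatch in the NS sets is the case where a DC's NS record was not replicated after the join.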
From belle at bazuin.nl  Wed Dec 2 13:41:22 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 2 Dec 2015 14:41:22 +0100
Subject: [Samba] 2 questions: Can I add another smtp line into master.cf for spam assassin? & spa-policy.pl
In-Reply-To:
References:
Message-ID:

Hai,

I run this on a debian Jessie, postfix 2.11 (all debian packages )

Route for me is like this.
-> postscreen -> policy-weight -> policy-spf -> clamsmtp (-> spamassassin) -> user

A1.
I have in main.cfg

content_filter = clamsmtp:127.0.0.1:10025

A2. Yes, you can. This is how i did set up.. ..there maybe improvements on this, but for now works for me.
( i used this site for my example : https://wiki.dest-unreachable.net/pages/viewpage.action?pageId=15892484 )

example master.cf

smtp      inet  n       -       -       -       1       postscreen
smtpd     pass  -       -       -       -       -       smtpd
  -o content_filter=spamassassin
dnsblog   unix  -       -       -       -       0       dnsblog
tlsproxy  unix  -       -       -       -       0       tlsproxy
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=spamassassin
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=spamassassin
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

## Postfix SPF Check (package to install : postfix-policyd-spf-perl )
policy-spf  unix  -       n       n       -       0       spawn
  user=policyd-spf
  argv=/usr/sbin/postfix-policyd-spf-perl

## spamassasin (package to install : spamassassin spamd  )
spamassassin unix -     n       n       -       -       pipe
  user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}

## clamsmtp (package to install : clamsmtp )
clamsmtp      unix  -       -       n       -       16      smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes

# reinjection from spamassassin into mailflow after checks
127.0.0.1:10026 inet    n       -       n       -       16       smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

From: robert at chalmers.com.au [mailto:owner-postfix-users at postfix.org] On behalf of Robert Chalmers
Sent: Wednesday 2 December 2015 13:26
To: Postfix users
Subject: 2 questions: Can I add another smtp line into master.cf for spam assassin? & spa-policy.pl

Q1.

Already in my master.cf I have

smtp      inet  n       -       n       -       1       postscreen
#smtp      inet  n       -       n       -       -       smtpd -vv
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
 -o smtpd_tls_security_level=encrypt
 -o syslog_name=postfix/submission
 -o smtpd_tls_security_level=encrypt
 -o smtpd_milters=inet:127.0.0.1:8891
smtp      unix  -       -       n

However, the set up for spamassassin requires another smtp line.
smtp      inet  n       -       -       -       -       smtpd -o content_filter=spamfilter

So are they mutually exclusive ? or can I use it without breaking postfix already.
thanks

Q2
Is it possible to implement spfpolicy, and greypolicy and if so how?

I have tried - but mail then fails.

Robert Chalmers
robert at chalmers.com.au  Quantum Radio: http://tinyurl.com/lwwddov
Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan 10.11. 2TB Storage made up of -
Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. Lower Bay

From belle at bazuin.nl  Wed Dec 2 13:47:10 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 2 Dec 2015 14:47:10 +0100
Subject: [Samba] 2 questions: Can I add another smtp line into master.cf for spam assassin? & spa-policy.pl
In-Reply-To:
References:
Message-ID:

Sorry wrong list, .. :-/
my outlook sometimes replaces the reply email address with the mail below the one i selected.. :-/

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Wednesday 2 December 2015 14:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] 2 questions: Can I add another smtp line into
> master.cf for spam assassin? & spa-policy.pl
>
> Hai,
>
> I run this on a debian Jessie, postfix 2.11 (all debian packages )
>
> Route for me is like this.
> -> postscreen -> policy-weight -> policy-spf -> clamsmtp (-> spamassassin)
> -> user
>
> A1.
> I have in main.cfg
>
> content_filter = clamsmtp:127.0.0.1:10025
>
> A2.  Yes, you can. This is how i did set up.. ..there maybe improvements
> on this, but for now works for me.
>  ( i used this site for my example :
> https://wiki.dest-unreachable.net/pages/viewpage.action?pageId=15892484 )
>
> example master.cf
>
> smtp      inet  n       -       -       -       1       postscreen
> smtpd     pass  -       -       -       -       -       smtpd
>   -o content_filter=spamassassin
> dnsblog   unix  -       -       -       -       0       dnsblog
> tlsproxy  unix  -       -       -       -       0       tlsproxy
> submission inet n       -       -       -       -       smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o content_filter=spamassassin
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
> smtps     inet  n       -       -       -       -       smtpd
>   -o syslog_name=postfix/smtps
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o content_filter=spamassassin
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
>
> ## Postfix SPF Check (package to install : postfix-policyd-spf-perl )
> policy-spf  unix  -       n       n       -       0       spawn
>   user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl
>
> ## spamassasin (package to install : spamassassin spamd  )
> spamassassin unix -     n       n       -       -       pipe
>   user=debian-spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f
> ${sender} ${recipient}
>
> ## clamsmtp (package to install : clamsmtp )
> clamsmtp      unix  -       -       n       -       16      smtp
>   -o smtp_data_done_timeout=1200
>   -o smtp_send_xforward_command=yes
>   -o disable_dns_lookups=yes
>
> # reinjection from spamassassin into mailflow after checks
>
> 127.0.0.1:10026 inet    n       -       n       -       16       smtpd
>   -o content_filter=
>   -o
> receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>   -o local_recipient_maps=
>   -o relay_recipient_maps=
>   -o smtpd_helo_restrictions=
>   -o smtpd_client_restrictions=
>   -o smtpd_sender_restrictions=
>   -o smtpd_recipient_restrictions=permit_mynetworks,reject
>   -o mynetworks=127.0.0.0/8
>   -o mynetworks_style=host
>   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
> From: robert at chalmers.com.au [mailto:owner-postfix-users at postfix.org]
> On behalf of Robert Chalmers
> Sent: Wednesday 2 December 2015 13:26
> To: Postfix users
> Subject: 2 questions: Can I add another smtp line into master.cf for
> spam assassin? & spa-policy.pl
>
> Q1.
>
> Already in my master.cf I have
>
> smtp      inet  n       -       n       -       1       postscreen
> #smtp      inet  n       -       n       -       -       smtpd -vv
> smtpd     pass  -       -       n       -       -       smtpd
> dnsblog   unix  -       -       n       -       0       dnsblog
> tlsproxy  unix  -       -       n       -       0       tlsproxy
> submission inet n       -       n       -       -       smtpd
>  -o smtpd_tls_security_level=encrypt
>  -o syslog_name=postfix/submission
>  -o smtpd_tls_security_level=encrypt
>  -o smtpd_milters=inet:127.0.0.1:8891
> smtp      unix  -       -       n
>
> However, the set up for spamassassin requires another smtp line.
>
> smtp      inet  n       -       -       -       -       smtpd -o
> content_filter=spamfilter
> So are they mutually exclusive ? or can I use it without breaking postfix
> already.
> thanks
>
> Q2
>
> Is it possible to implement spfpolicy, and greypolicy and if so how?
>
> I have tried - but mail then fails.
> > > > > > > > > > > > > > > > > > > > Robert Chalmers > > > robert at chalmers.com.au  Quantum Radio: http://tinyurl.com/lwwddov > > > Mac mini 6.2 - 2012, Intel Core i7,2.3 GHz, Memory:16 GB. El-Capitan > 10.11. 2TB Storage made up of - > > > Drive 0:HGST HTS721010A9E630. Upper bay. Drive 1:ST1000LM024 HN-M101MBB. > Lower Bay > > > > > > > > > > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba From bob at donelsontrophy.net Wed Dec 2 14:41:16 2015 From: bob at donelsontrophy.net (Bob of Donelson Trophy) Date: Wed, 02 Dec 2015 08:41:16 -0600 Subject: [Samba] Symlink with mklink In-Reply-To: References: <20151201171955.GB4148@jeremy-ThinkPad-T430s> Message-ID: <8e51f1dc507ef9fe53170750aca5bcb9@donelsontrophy.net> Months ago (do not remember exactly how I did this) I setup a directory on my samba member server that is are common company files that are shared across most users. This directory was separate and unrelated to 'folder redirection'. If my memory is correct, I read up in Windows 7 hardlinks(?) and applied what I had learned there and it worked. I then created a GPO that "maps drives" and mapped that directory to a drive for W7 to "see." I had to adjust the ACL rights to allow a user group I created with 'setfacl'. As users were added to that group access to this "common directory" was permitted. I am sorry, but I am too busy with production the rest of this week and may not have time to find my notes on what I did until next week. Hope this will push you in a good direction. --- _______________________________ Bob Wooden of Donelson Trophy 615.885.2846 www.donelsontrophy.com [2] "Everyone deserves an award!!" On 2015-12-02 07:30, Marc JIROU wrote: >> I'm using windows 7 as client and a Samba 4.1.21 server. > I would like to create symbolic link on a share with mklink, it failes with a reparse point error message. 
> Trying to find more information i found this discussion
> https://lists.samba.org/archive/samba-technical/2014-September/102388.html [1]
> So it seems that i'm not the only one trying to do that without success.
> Reading microsoft SMB documentation i found that this feature is optional
> and the server may or may not support it.
> Is it something that exists in newest version, or maybe it is in the
> roadmap, or will never be supported ?
> Doesn't exist yet. No one has really found a pressing need for it. It's
> not too difficult to support.
> If you have a pressing need for it you can always hire a Samba support
> company to implement it (or wait until one of the Team employers has a
> pressing need for it :-).
> So no one is interested in having symbolic links on a samba server ?
> When I was looking for information, most people think that symbolic links
> are reserved to NTFS and can't exist on a smb server, that's why no one
> asks for it.
> I'm pretty sure a lot of people are waiting for this ( at least people
> that use unix system ) but that's just my personal opinion
> Regards

Links:
------
[1] https://lists.samba.org/archive/samba-technical/2014-September/102388.html
[2] http://www.donelsontrophy.com

From lingpanda101 at gmail.com  Wed Dec 2 14:57:18 2015
From: lingpanda101 at gmail.com (James)
Date: Wed, 2 Dec 2015 09:57:18 -0500
Subject: [Samba] Backup Member Server
Message-ID: <565F06CE.5010804@gmail.com>

Hello,

Can someone point me to documentation on how to best backup a samba member
server? I see the wiki currently does not contain one. Is it as simple as
backing up all shared folders with rsync or similar that will preserve ACLs
along with the smb.conf? I'm currently relying on a raid solution. Thanks.

--
-James

From jonathan at springventuregroup.com  Wed Dec 2 15:34:32 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Wed, 2 Dec 2015 09:34:32 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> <565DD1C3.3070600@gmail.com> <565DD757.4080102@gmail.com> <565DE2F8.7000009@gmail.com>
Message-ID:

Dnsmasq is not running locally! Disabling it would do nothing but stop DHCP
and DNS forwarding for 2000+ soon to be irate people.

What I am going to do however is bypass DHCP completely and assign a static
address with DNS pointed straight at active directory. If that still doesn't
work, I think I can definitely narrow this down to a bug in Active Directory,
our AD configuration, or a bug in Samba.

On Wed, Dec 2, 2015 at 6:08 AM, mathias dufresne wrote:

> Can't you just disable dnsmasq service?
>
> You don't seem to be too confident in that tool and you have DNS
> issues...
>
> dnsmasq has most certainly a good reason to exist. I just don't know it. In
> IT for work we generally don't need such tool as infrastructures of
> companies are meant to be stable. As the clients configuration.
>
> So I would start with dnsmasq removal, then I would [learn how to]
> configure manually this client, then I would re-run test, starting with
> small tests (DNS with dig/nslookup, kinit...)
>
> 2015-12-01 21:40 GMT+01:00 Jonathan S. Fisher <
> jonathan at springventuregroup.com>:
>
> > So everything with the hostname is now resolving correctly, without the
> > 127.0.1.1 hack anymore. We just had to make sure DHCP was handing out the
> > correct domain, which it is now:
> >
> > $ hostname -d
> > windows.corp.XXX.com
> > $ hostname -f
> > freeradius.windows.corp.XXX.com
> >
> > I deleted all the shared secrets, removed the computer from AD and
> > rejoined... but of course, we're still getting the exact same issue...
:( > > It's still trying to query the wrong DNS entry. > > > > > > On Tue, Dec 1, 2015 at 12:12 PM, Rowland Penny < > > rowlandpenny241155 at gmail.com > > > wrote: > > > > > On 01/12/15 17:27, Jonathan S. Fisher wrote: > > > > > >> It isn't running, one of the first things I do when setting up a new > DC > > is > > >>> > > >> to remove nscd if it is installed. > > >> Ah ok... well this isn't a DC, just a member... is NSCD ok to run as a > > >> member? Otherwise I can remove it. > > >> > > > > > > I would remove it, everything dns wise should come from an AD DC > > > > > > > > >> you get a caching dnsmasq server as standard > > >>> > > >> Not on ubuntu server... There is no dnsmasq package installed nor is > it > > >> in > > >> ps -ef > > >> > > > > > > Ah, so no GUI then, ok in this case you probably wont have Network > > Manager > > > installed either. > > > > > > If you have to have that 127.0.1.1 line in /etc/hosts, you have dns > > >>> > > >> problems. > > >> I'll try to figure out how to get the client to have a FQDN without > the > > >> line in /etc/hosts > > >> > > > > > > If this machine is going to be a fileserver, you would probably be > better > > > using a fixed ip, but if you going to have other Unix domain members > > using > > > dhcp, you need to sort this problem. > > > > > > > > >> I really am starting to hate Active Directory... > > >> > > > > > > I just hate microsoft, it cuts out the middle man :-D > > > > > > Rowland > > > > > > > > >> On Tue, Dec 1, 2015 at 11:22 AM, Rowland Penny < > > >> rowlandpenny241155 at gmail.com > > >> > > >>> wrote: > > >>> On 01/12/15 17:09, Jonathan S. Fisher wrote: > > >>> > > >>> So your client did no DNS lookups?? That's crazy. Could they be > cached? > > >>> (Can you disable nscd if you have it running and try again?) > > >>> > > >>> > > >>> It isn't running, one of the first things I do when setting up a new > DC > > >>> is > > >>> to remove nscd if it is installed. 
> > >>> > > >>> > > >>> Why, in your deity's name, why????? > > >>>> > > >>> I'm starting my own caliphate. Seems to be all the rage these days. > > >>> > > >>> Dnsmasq isn't running locally... it's the main DNS server at > > >>> 192.168.127.129. At one time I guess we were running Bind, but he > > >>> switched > > >>> to dnsmasq for simplicity. If there's a legit reason why Windows > needs > > to > > >>> handle 100% of the DNS and DHCP for the network... well that's a > little > > >>> scary of a thought. Are these things in no way interoperable? > > >>> > > >>> > > >>> On Ubuntu, you get a caching dnsmasq server as standard, this is > > >>> controlled by Network Manager, this shouldn't be running on an AD > > client > > >>> (note this is only from my experience, it seems to interfere with AD > > >>> dns). > > >>> > > >>> DHCP doesn't need to be running on the DC, but it needs to give your > > >>> client the required info, see my previous post for what mine sends. > > >>> Your AD clients need to use your AD DCs as their DNS servers, > anything > > >>> your DCs don't know about i.e. google should be forwarded to a DNS > > server > > >>> that does i.e. your dnsmasq machine > > >>> > > >>> Your problem isn't that net is using the workgroup name, it is that > > your > > >>> machine doesn't seem to know who it is and where the DCs are :-) > > >>> > > >>> > > >>> Mind you, until you get 'hostname -f' to return your FQDN, it will > not > > >>>> > > >>> work correctly. > > >>> Well this "works" right now with what I put into /etc/hosts. Are you > > >>> saying it has to work purely from dhcp? > > >>> > > >>> > > >>> > > >>> If you have to have that 127.0.1.1 line in /etc/hosts, you have dns > > >>> problems. 
> > >>> > > >>> Rowland > > >>> > > >>> > > >>> > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > -- > > Email Confidentiality Notice: The information contained in this > > transmission is confidential, proprietary or privileged and may be > subject > > to protection under the law, including the Health Insurance Portability > and > > Accountability Act (HIPAA). The message is intended for the sole use of > the > > individual or entity to whom it is addressed. If you are not the intended > > recipient, you are notified that any use, distribution or copying of the > > message is strictly prohibited and may subject you to criminal or civil > > penalties. If you received this transmission in error, please contact the > > sender immediately by replying to this email and delete the material from > > any computer. > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > -- Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer. 
From infractory at gmail.com Wed Dec 2 15:43:39 2015
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 2 Dec 2015 16:43:39 +0100
Subject: [Samba] Backup Member Server
In-Reply-To: <565F06CE.5010804@gmail.com>
References: <565F06CE.5010804@gmail.com>
Message-ID:

Erf... Best backups are expensive :p
Buy a backup robot, buy another one, put them in separate datacenters,
which could be on separate continents...

I'm joking. But the question pushed me to. You can backup your data or
backup your configuration. You can of course backup both.

Then what configuration? Is smb.conf enough? Do you have to backup your pam
configuration too? I'd say you would have to backup everything, all
modified files to obtain that configuration which makes that server your own
file server, member of a greater thing.

Now rsync should do the trick as it is used to synchronize Sysvol shares,
which contain ACLs.

Sysvol should use Windows(-like) ACLs, your share(s) should contain
Windows files, with MS ACLs, rsync should do the job.

Then the point is to keep several versions of files on separate machines.

I'm not a backup expert but that seems to me a good start for your
reflections.

Cheers,

mathias

2015-12-02 15:57 GMT+01:00 James:

From infractory at gmail.com Wed Dec 2 16:07:07 2015
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 2 Dec 2015 17:07:07 +0100
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> <565DD1C3.3070600@gmail.com> <565DD757.4080102@gmail.com> <565DE2F8.7000009@gmail.com>
Message-ID:

OK, sorry, I haven't re-read the whole thread carefully enough.
From what I understand sometimes your DNS requests are truncated, asking for
machineName.windows rather than machineName.windows.rest.of.your.domain.tld

So you have to find what is cutting your DNS requests. If I'm wrong, don't
read the rest :p

First I would test my DNS resolution using dig, host or nslookup and check
with tcpdump if that resolution is working correctly. If the request is not
truncated your issue comes from something else than your DNS resolution
configuration.
ex:
dig @192.168.127.129 whiskey.windows.corp.XXX.com
dig @192.168.127.141 whiskey.windows.corp.XXX.com
dig @192.168.112.4 whiskey.windows.corp.XXX.com

If it works, I would continue with simple commands, perhaps a kinit as that
one should, I believe, also launch several DNS queries (if your krb5.conf is
still almost empty).
Here you continue to check with tcpdump what DNS requests your client is
launching (ex: on the client: tcpdump -i eth0 port domain)

The point is to define where the issue is, removing points where doubt
exists.
DNS queries are DNS queries. Kerberos seems to be acting simply just for a
kinit.

Finally once dig and kinit are working, you could dig into Samba
configuration.

2015-12-02 16:34 GMT+01:00 Jonathan S. Fisher <jonathan at springventuregroup.com>:
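The checks the thread keeps coming back to (dig each DC directly, `hostname -f` must return the FQDN, no 127.0.1.1 line for the host in /etc/hosts, resolv.conf pointing only at the DCs with the AD domain in its search list) collected into one POSIX sh preflight script. This is an added example, not code from the thread or from the Samba project; the domain windows.corp.example.com and the DC addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders, overridable through the AD_DOMAIN and DCS environment variables, and the live part only runs when PREFLIGHT_LIVE=1 is set.

```shell
#!/bin/sh
# ad_dns_preflight.sh: client-side DNS sanity checks for a Samba AD member.
# Added example for this thread, not Samba project code. The domain and the
# DC addresses below are constructed placeholders; override them with
# AD_DOMAIN and DCS in the environment.
AD_DOMAIN="${AD_DOMAIN:-windows.corp.example.com}"
DCS="${DCS:-192.0.2.10 192.0.2.11}"

# 0 when HOST ($1) is a fully qualified name inside DOMAIN ($2), case-insensitive,
# i.e. what "hostname -f" must return before "net ads join" can work.
fqdn_in_domain() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$host" in
        ?*."$dom") return 0 ;;
    esac
    return 1
}

# 0 when an /etc/hosts text ($1) pins HOST ($2) to a 127.x address: the
# "127.0.1.1 hack" that makes hostname -f look right while DNS is still broken.
hosts_pins_to_loopback() {
    printf '%s\n' "$1" | awk -v h="$2" '
        /^[[:space:]]*#/ { next }
        $1 ~ /^127\./ { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(h)) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# 0 when every nameserver in a resolv.conf text ($1) is one of the DCs
# ($2, space separated) and a search/domain line names DOMAIN ($3).
resolv_points_at_dcs() {
    printf '%s\n' "$1" | awk -v dcs="$2" -v dom="$3" '
        BEGIN { n = split(dcs, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[[:space:]]*#/ { next }
        $1 == "nameserver" { seen++; if (!($2 in ok)) bad++ }
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) if (tolower($i) == tolower(dom)) hasdom = 1
        }
        END { if (seen > 0 && bad == 0 && hasdom) exit 0; exit 1 }'
}

# Print the target hosts from "dig +short SRV" output ($1), one per line,
# without the trailing dot; these are the DCs the domain advertises.
srv_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# Live run against this machine; needs dig and a reachable DC, so it is
# only entered when PREFLIGHT_LIVE=1.
preflight() {
    fqdn=$(hostname -f 2>/dev/null || true)
    if fqdn_in_domain "$fqdn" "$AD_DOMAIN"; then
        echo "ok   hostname -f = $fqdn"
    else
        echo "FAIL hostname -f = '$fqdn' is not inside $AD_DOMAIN"
    fi
    if hosts_pins_to_loopback "$(cat /etc/hosts)" "$fqdn"; then
        echo "FAIL /etc/hosts pins $fqdn to a loopback address"
    fi
    if resolv_points_at_dcs "$(cat /etc/resolv.conf)" "$DCS" "$AD_DOMAIN"; then
        echo "ok   resolv.conf uses only the DCs and searches $AD_DOMAIN"
    else
        echo "FAIL resolv.conf has a non-DC nameserver or lacks search $AD_DOMAIN"
    fi
    # Ask each DC directly, as the thread does, then list the DCs AD publishes.
    for dc in $DCS; do
        echo "A record for $fqdn via $dc: $(dig @"$dc" +short "$fqdn" 2>/dev/null)"
    done
    echo "DCs advertised by $AD_DOMAIN:"
    srv_targets "$(dig +short SRV "_ldap._tcp.dc._msdcs.$AD_DOMAIN" 2>/dev/null)"
}

if [ "${PREFLIGHT_LIVE:-0}" = 1 ]; then
    preflight
fi
```

Run it as `PREFLIGHT_LIVE=1 AD_DOMAIN=windows.corp.XXX.com DCS="192.168.127.141 192.168.112.4" sh ad_dns_preflight.sh` on the member; any FAIL line points at the client's own name or resolver configuration, which is where Rowland says the problem lives, and only when all pass is it worth moving on to kinit and the Samba side.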
> From infractory at gmail.com Wed Dec 2 16:25:12 2015 From: infractory at gmail.com (mathias dufresne) Date: Wed, 2 Dec 2015 17:25:12 +0100 Subject: [Samba] Undestructible DNS entry Message-ID: Hi all, I'm unable to delete a DNS entry, this entry does not exist. The entry is A record in _msdcs zone for an old DC which was demoted. I tried to use samba-tool dns to delete it but without success: samba-tool dns delete m703 _msdcs.ad.domain.tld \ m701._msdcs.ad.domain.tld A 10.16.28.27 -k yes ERROR: Record does not exist I found undeleted entry in LDAP, removed it without success: the entry: ldbsearch -H $sam -b 'DC=DOMAINDNSZONES,DC=AD,DC=DOMAIN,DC=TLD' objectclass=* | grep 701 dn: DC=m701,DC=ad.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=domain,DC=tld name: m701 dc: m701 distinguishedName: DC=m701,DC=ad.domain.tld,CN=MicrosoftDNS,DC=Dom Of course I can't delete this entry from RSAT DNS tool, the error is: The record cannot be deleted. The record does not exist. The question is simple: how to get rid of that entry? If I was gambler I would bet on some data, possibly base64 encrypted, remaining on some other LDAP entry. I mostly lose my bets. Thank you for your time, best regards, mathias From bob at donelsontrophy.net Wed Dec 2 16:27:33 2015 From: bob at donelsontrophy.net (Bob of Donelson Trophy) Date: Wed, 02 Dec 2015 10:27:33 -0600 Subject: [Samba] Backup Member Server In-Reply-To: References: <565F06CE.5010804@gmail.com> Message-ID: <21b23bf592bb68b172ed2829efd46cb1@donelsontrophy.net> For what it is worth I use a script to backup the ACL permissions attribute. That script uses rsync to push to a server at a different location (catastrophic event failure). Unfortunately all other backup options I have looked at do NOT support ACL attributes successfully. Only rsync with "-A" and "-X" switches active. Does not mean that there is not something else out there, somewhere that does. 
(MD post brings to my attention that currently I am not backing up my configuration . . . need to correct that asap. Thanks, MD) --- _______________________________ Bob Wooden of Donelson Trophy 615.885.2846 www.donelsontrophy.com [2] "Everyone deserves an award!!" On 2015-12-02 09:43, mathias dufresne wrote: > Erf... Best backup are expensive :p > Buy a backup robot, buy another one, put them in separated datacenters, > which could on separated continent... > > I'm joking. But the question pushed me to. You can backup your data or > backup your configuration. You can of course backup both. > > Then what configuration? I smb.conf enough? Do you have to backup your pam > configuration too? I'd say you would have to backup everything, all > modified files to obtain that configuration which make that server your own > file server, member of a greater thing. > > Now rsync should do the trick as it is used to synchronize Sysvol shares, > which contain ACLs. > > Sysvol should use Windows(-like) ACLs, your share(s) should contains > Windows files, with MS ACLs, rsync should do the job. > > Then the point is the keep several versions of files on separated machines. > > I'm not a backup expert but that seems to me a good start for your > reflections. > > Cheers, > > mathias > > 2015-12-02 15:57 GMT+01:00 James : > >> Hello, Can someone point me to documentation on how to best backup a samba member server? I see the wiki currently does not contain one. Is it as simple as backup all shared folders with rysnc or similar that will preserve ACLS along with the smb.conf? I'm currently relying on a raid solution. Thanks. -- -James -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba [1] Links: ------ [1] https://lists.samba.org/mailman/options/samba [2] http://www.donelsontrophy.com From jonathan at springventuregroup.com Wed Dec 2 16:27:56 2015 From: jonathan at springventuregroup.com (Jonathan S. 
Fisher) Date: Wed, 2 Dec 2015 10:27:56 -0600 Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command In-Reply-To: References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> <565DD1C3.3070600@gmail.com> <565DD757.4080102@gmail.com> <565DE2F8.7000009@gmail.com> Message-ID: Great thanks, I'll start digging into that. So your running theory is that one of the DNS resolution attempts is returning .WINDOWS not . WINDOWS.CORP.XXX.com? On Wed, Dec 2, 2015 at 10:07 AM, mathias dufresne wrote: > OK, sorry, I haven't re-read the whole thread carefully enough. > From what I understand sometimes your DNS request are truncated, asking for > machineName.windows rahter than machineName.windows.rest.of.your.domain.tld > > So you have to find what is cutting your DNS requests. If I'm wrong, don't > read the rest :p > > First I would test my DNS resolution using dig, host or nslookup and check > with tcpdump if that resolution is working correctly. If request is not > truncated your issue comes from something else than your DNS resolution > configuration. > ex: > dig @192.168.127.129 whiskey.windows.corp.XXX.com > dig @192.168.127.141 whiskey.windows.corp.XXX.com > dig @192.168.112.4 whiskey.windows.corp.XXX.com > > > If it works, I would continue with simple command, perhaps a kinit as that > one should, I believe, also launch several DNS query (if your krb5.conf is > still alsmot empty). > Here you continue to check with tcpdump what DNS request your client is > launching (ex: on the client: tcpdump -i eth0 port domain) > > The point is to define where is the issue, removing points where doubt > exists. > DNS queries are DNS queries. Kerberos seems to be acting simply just for a > kinit. > > Finally once dig and kinit are working, you could dig into Samba > configuration. > > 2015-12-02 16:34 GMT+01:00 Jonathan S. 
Fisher < > jonathan at springventuregroup.com>: > > > Dnsmasq is not running locally! Disabling it would do nothing but stop > > DHCP and DNS forwarding for 2000+ soon to be irate people. > > > > What I am going to do however is bypass DHCP completely and assign a > > static address with DNS pointed straight at active directory. If that > still > > doesn't work, I think I can definitely narrow this down to a bug in > Active > > Directory, our AD configuration, or a bug in Samba. > > > > On Wed, Dec 2, 2015 at 6:08 AM, mathias dufresne > > wrote: > > > >> Can't you just disable dnsmasq service? > >> > >> You don't seem to be too much confident in that tool and you have DNS > >> issue... > >> > >> dnsmasq has most certainly a good reason to exist. I just don't know it. > >> In > >> IT for work we generally don't need such tool as infrastructures of > >> companies are meant to be stable. As the clients configuration. > >> > >> So I would start with dnsmasq removal, then I would [learn how to] > >> configure manually this client, then I would re-run test, starting with > >> small tests (DNS with dig/nslookup, kinit...) > >> > >> 2015-12-01 21:40 GMT+01:00 Jonathan S. Fisher < > >> jonathan at springventuregroup.com>: > >> > >> > So everything with the hostname with now resolving correctly, without > >> the > >> > 127.0.1.1 hack anymore. We just had to make sure DHCP was handing out > >> the > >> > correct domain, which it is now: > >> > > >> > $ hostname -d > >> > windows.corp.XXX.com > >> > $ hostname -f > >> > freeradius.windows.corp.XXX.com > >> > > >> > I deleted all the shared secrets, removed the computer from AD and > >> > rejoined... but of course, we're still getting the exact same issue... > >> :( > >> > It's still trying to query the wrong DNS entry. > >> > > >> > > >> > On Tue, Dec 1, 2015 at 12:12 PM, Rowland Penny < > >> > rowlandpenny241155 at gmail.com > >> > > wrote: > >> > > >> > > On 01/12/15 17:27, Jonathan S. 
Fisher wrote: > >> > > > >> > >> It isn't running, one of the first things I do when setting up a > new > >> DC > >> > is > >> > >>> > >> > >> to remove nscd if it is installed. > >> > >> Ah ok... well this isn't a DC, just a member... is NSCD ok to run > as > >> a > >> > >> member? Otherwise I can remove it. > >> > >> > >> > > > >> > > I would remove it, everything dns wise should come from an AD DC > >> > > > >> > > > >> > >> you get a caching dnsmasq server as standard > >> > >>> > >> > >> Not on ubuntu server... There is no dnsmasq package installed nor > >> is it > >> > >> in > >> > >> ps -ef > >> > >> > >> > > > >> > > Ah, so no GUI then, ok in this case you probably wont have Network > >> > Manager > >> > > installed either. > >> > > > >> > > If you have to have that 127.0.1.1 line in /etc/hosts, you have dns > >> > >>> > >> > >> problems. > >> > >> I'll try to figure out how to get the client to have a FQDN without > >> the > >> > >> line in /etc/hosts > >> > >> > >> > > > >> > > If this machine is going to be a fileserver, you would probably be > >> better > >> > > using a fixed ip, but if you going to have other Unix domain members > >> > using > >> > > dhcp, you need to sort this problem. > >> > > > >> > > > >> > >> I really am starting to hate Active Directory... > >> > >> > >> > > > >> > > I just hate microsoft, it cuts out the middle man :-D > >> > > > >> > > Rowland > >> > > > >> > > > >> > >> On Tue, Dec 1, 2015 at 11:22 AM, Rowland Penny < > >> > >> rowlandpenny241155 at gmail.com > >> > >> > >> > >>> wrote: > >> > >>> On 01/12/15 17:09, Jonathan S. Fisher wrote: > >> > >>> > >> > >>> So your client did no DNS lookups?? That's crazy. Could they be > >> cached? > >> > >>> (Can you disable nscd if you have it running and try again?) > >> > >>> > >> > >>> > >> > >>> It isn't running, one of the first things I do when setting up a > >> new DC > >> > >>> is > >> > >>> to remove nscd if it is installed. 
> >> > >>> > >> > >>> > >> > >>> Why, in your deity's name, why????? > >> > >>>> > >> > >>> I'm starting my own caliphate. Seems to be all the rage these > days. > >> > >>> > >> > >>> Dnsmasq isn't running locally... it's the main DNS server at > >> > >>> 192.168.127.129. At one time I guess we were running Bind, but he > >> > >>> switched > >> > >>> to dnsmasq for simplicity. If there's a legit reason why Windows > >> needs > >> > to > >> > >>> handle 100% of the DNS and DHCP for the network... well that's a > >> little > >> > >>> scary of a thought. Are these things in no way interoperable? > >> > >>> > >> > >>> > >> > >>> On Ubuntu, you get a caching dnsmasq server as standard, this is > >> > >>> controlled by Network Manager, this shouldn't be running on an AD > >> > client > >> > >>> (note this is only from my experience, it seems to interfere with > AD > >> > >>> dns). > >> > >>> > >> > >>> DHCP doesn't need to be running on the DC, but it needs to give > your > >> > >>> client the required info, see my previous post for what mine > sends. > >> > >>> Your AD clients need to use your AD DCs as their DNS servers, > >> anything > >> > >>> your DCs don't know about i.e. google should be forwarded to a DNS > >> > server > >> > >>> that does i.e. your dnsmasq machine > >> > >>> > >> > >>> Your problem isn't that net is using the workgroup name, it is > that > >> > your > >> > >>> machine doesn't seem to know who it is and where the DCs are :-) > >> > >>> > >> > >>> > >> > >>> Mind you, until you get 'hostname -f' to return your FQDN, it will > >> not > >> > >>>> > >> > >>> work correctly. > >> > >>> Well this "works" right now with what I put into /etc/hosts. Are > you > >> > >>> saying it has to work purely from dhcp? > >> > >>> > >> > >>> > >> > >>> > >> > >>> If you have to have that 127.0.1.1 line in /etc/hosts, you have > dns > >> > >>> problems. 
> >> > >>> > >> > >>> Rowland > >> > >>> > >> > >>> > >> > >>> > >> > > > >> > > -- > >> > > To unsubscribe from this list go to the following URL and read the > >> > > instructions: https://lists.samba.org/mailman/options/samba > >> > > > >> > > >> > -- > >> > Email Confidentiality Notice: The information contained in this > >> > transmission is confidential, proprietary or privileged and may be > >> subject > >> > to protection under the law, including the Health Insurance > Portability > >> and > >> > Accountability Act (HIPAA). The message is intended for the sole use > of > >> the > >> > individual or entity to whom it is addressed. If you are not the > >> intended > >> > recipient, you are notified that any use, distribution or copying of > the > >> > message is strictly prohibited and may subject you to criminal or > civil > >> > penalties. If you received this transmission in error, please contact > >> the > >> > sender immediately by replying to this email and delete the material > >> from > >> > any computer. > >> > -- > >> > To unsubscribe from this list go to the following URL and read the > >> > instructions: https://lists.samba.org/mailman/options/samba > >> > > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > >> > > > > > > Email Confidentiality Notice: The information contained in this > > transmission is confidential, proprietary or privileged and may be > subject > > to protection under the law, including the Health Insurance Portability > and > > Accountability Act (HIPAA). The message is intended for the sole use of > the > > individual or entity to whom it is addressed. If you are not the intended > > recipient, you are notified that any use, distribution or copying of the > > message is strictly prohibited and may subject you to criminal or civil > > penalties. 
If you received this transmission in error, please contact the > > sender immediately by replying to this email and delete the material from > > any computer. > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > -- Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer. From lingpanda101 at gmail.com Wed Dec 2 16:34:30 2015 From: lingpanda101 at gmail.com (James) Date: Wed, 2 Dec 2015 11:34:30 -0500 Subject: [Samba] Undestructible DNS entry In-Reply-To: References: Message-ID: <565F1D96.2040200@gmail.com> On 12/2/2015 11:25 AM, mathias dufresne wrote: > Hi all, > > I'm unable to delete a DNS entry, this entry does not exist. > > The entry is A record in _msdcs zone for an old DC which was demoted. 
> > I tried to use samba-tool dns to delete it but without success: > samba-tool dns delete m703 _msdcs.ad.domain.tld \ > m701._msdcs.ad.domain.tld A 10.16.28.27 -k yes > ERROR: Record does not exist > > I found undeleted entry in LDAP, removed it without success: > the entry: > ldbsearch -H $sam -b 'DC=DOMAINDNSZONES,DC=AD,DC=DOMAIN,DC=TLD' > objectclass=* | grep 701 > dn: > DC=m701,DC=ad.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=ad,DC=domain,DC=tld > name: m701 > dc: m701 > distinguishedName: DC=m701,DC=ad.domain.tld,CN=MicrosoftDNS,DC=Dom > > Of course I can't delete this entry from RSAT DNS tool, the error is: > The record cannot be deleted. > The record does not exist. > > The question is simple: how to get rid of that entry? > If I was gambler I would bet on some data, possibly base64 encrypted, > remaining on some other LDAP entry. I mostly lose my bets. > > Thank you for your time, best regards, > > mathias I've had similar issues. I had to use ADSI to delete the entry. Open ADSI and under Connection point choose "Select or type a Distinguished Name or Naming Contest:" Map the following to your domain. You should see the entry. Right click and delete. DC=domain.local,cn=MicrosoftDns,dc=DomainDnsZones,dc=domain,dc=local -- -James From jra at samba.org Wed Dec 2 16:39:27 2015 From: jra at samba.org (Jeremy Allison) Date: Wed, 2 Dec 2015 08:39:27 -0800 Subject: [Samba] Symlink with mklink In-Reply-To: References: <20151201171955.GB4148@jeremy-ThinkPad-T430s> Message-ID: <20151202163927.GA816@jra3> On Wed, Dec 02, 2015 at 02:30:00PM +0100, Marc JIROU wrote: > > So no one is interesting in having symbolic link on a samba server ? > > When i was looking for informations, most of people think that symbolic > link are > reserved to NTFS and can't exists on a smb server, that why no one ask for. 
>
> I'm pretty sure a lot of people are waiting for this (at least people that
> use unix systems)
> but that's just my personal opinion

Well people use symlinks on Samba servers all the time.
But they create and manage them on the UNIX side and
the Windows clients are unaware of them.

What advantage does having the clients aware of the
link bring? Remember, we already restrict the clients
from traversing outside of the share path.

From rowlandpenny241155 at gmail.com Wed Dec 2 16:39:40 2015
From: rowlandpenny241155 at gmail.com (Rowland Penny)
Date: Wed, 02 Dec 2015 16:39:40 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> <565DD1C3.3070600@gmail.com> <565DD757.4080102@gmail.com> <565DE2F8.7000009@gmail.com>
Message-ID: <565F1ECC.50702@gmail.com>

On 02/12/15 15:34, Jonathan S. Fisher wrote:
> Dnsmasq is not running locally! Disabling it would do nothing but stop DHCP
> and DNS forwarding for 2000+ soon to be irate people.

There is nothing wrong with dnsmasq, it just has no place in an AD domain.
Your AD domain should probably be separate from your regular domain, i.e. something like 'internal.your.domain'.
Your AD DC should be running a DNS server, and forwarding to the dnsmasq machine for anything outside the AD domain.
Your client needs to be using 'internal.your.domain' as its domain; it also needs to be using the DC as its only DC, unless you have more than one DC, in which case you can use all your DCs as name servers.

If you follow the Samba wiki, it will work; if it doesn't, then it is probably down to your network.

Rowland

>
> What I am going to do however is bypass DHCP completely and assign a static
> address with DNS pointed straight at active directory.
> If that still
> doesn't work, I think I can definitely narrow this down to a bug in Active
> Directory, our AD configuration, or a bug in Samba.
>

From rowlandpenny241155 at gmail.com Wed Dec 2 16:40:32 2015
From: rowlandpenny241155 at gmail.com (Rowland Penny)
Date: Wed, 02 Dec 2015 16:40:32 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> <565DD1C3.3070600@gmail.com> <565DD757.4080102@gmail.com> <565DE2F8.7000009@gmail.com>
Message-ID: <565F1F00.90104@gmail.com>

On 02/12/15 16:27, Jonathan S. Fisher wrote:
> Great thanks, I'll start digging into that. So your running theory is that
> one of the DNS resolution attempts is returning .WINDOWS not
> .WINDOWS.CORP.XXX.com?

This is not your problem.

Rowland

>
> On Wed, Dec 2, 2015 at 10:07 AM, mathias dufresne
> wrote:
>
>> OK, sorry, I haven't re-read the whole thread carefully enough.
>> From what I understand sometimes your DNS requests are truncated, asking for
>> machineName.windows rather than machineName.windows.rest.of.your.domain.tld
>>
>> So you have to find what is cutting your DNS requests. If I'm wrong, don't
>> read the rest :p
>>
>> First I would test my DNS resolution using dig, host or nslookup and check
>> with tcpdump if that resolution is working correctly. If the request is not
>> truncated your issue comes from something else than your DNS resolution
>> configuration.
>> ex:
>> dig @192.168.127.129 whiskey.windows.corp.XXX.com
>> dig @192.168.127.141 whiskey.windows.corp.XXX.com
>> dig @192.168.112.4 whiskey.windows.corp.XXX.com
>>
>>
>> If it works, I would continue with simple commands, perhaps a kinit as that
>> one should, I believe, also launch several DNS queries (if your krb5.conf is
>> still almost empty).
>> Here you continue to check with tcpdump what DNS requests your client is
>> launching (ex: on the client: tcpdump -i eth0 port domain)
>>
>> The point is to define where the issue is, removing points where doubt
>> exists.
>> DNS queries are DNS queries. Kerberos seems to be acting simply just for a
>> kinit.
>>
>> Finally once dig and kinit are working, you could dig into Samba
>> configuration.
>>
>> 2015-12-02 16:34 GMT+01:00 Jonathan S. Fisher <
>> jonathan at springventuregroup.com>:
>>
>>> Dnsmasq is not running locally! Disabling it would do nothing but stop
>>> DHCP and DNS forwarding for 2000+ soon to be irate people.
>>>
>>> What I am going to do however is bypass DHCP completely and assign a
>>> static address with DNS pointed straight at active directory. If that still
>>> doesn't work, I think I can definitely narrow this down to a bug in Active
>>> Directory, our AD configuration, or a bug in Samba.
>>>
>>> On Wed, Dec 2, 2015 at 6:08 AM, mathias dufresne
>>> wrote:
>>>
>>>> Can't you just disable the dnsmasq service?
>>>>
>>>> You don't seem to be too confident in that tool and you have DNS
>>>> issues...
>>>>
>>>> dnsmasq has most certainly a good reason to exist. I just don't know it. In
>>>> IT for work we generally don't need such a tool as infrastructures of
>>>> companies are meant to be stable. As are the clients' configurations.
>>>>
>>>> So I would start with dnsmasq removal, then I would [learn how to]
>>>> configure this client manually, then I would re-run tests, starting with
>>>> small tests (DNS with dig/nslookup, kinit...)
>>>>
>>>> 2015-12-01 21:40 GMT+01:00 Jonathan S. Fisher <
>>>> jonathan at springventuregroup.com>:
>>>>
>>>>> So everything with the hostname is now resolving correctly, without the
>>>>> 127.0.1.1 hack anymore.
>>>>> We just had to make sure DHCP was handing out the
>>>>> correct domain, which it is now:
>>>>>
>>>>> $ hostname -d
>>>>> windows.corp.XXX.com
>>>>> $ hostname -f
>>>>> freeradius.windows.corp.XXX.com
>>>>>
>>>>> I deleted all the shared secrets, removed the computer from AD and
>>>>> rejoined... but of course, we're still getting the exact same issue... :(
>>>>> It's still trying to query the wrong DNS entry.
>>>>>
>>>>>
>>>>> On Tue, Dec 1, 2015 at 12:12 PM, Rowland Penny <
>>>>> rowlandpenny241155 at gmail.com
>>>>>> wrote:
>>>>>> On 01/12/15 17:27, Jonathan S. Fisher wrote:
>>>>>>
>>>>>>> It isn't running, one of the first things I do when setting up a new DC is
>>>>>>> to remove nscd if it is installed.
>>>>>>> Ah ok... well this isn't a DC, just a member... is NSCD ok to run as a
>>>>>>> member? Otherwise I can remove it.
>>>>>>>
>>>>>> I would remove it, everything dns wise should come from an AD DC
>>>>>>
>>>>>>
>>>>>>> you get a caching dnsmasq server as standard
>>>>>>> Not on ubuntu server... There is no dnsmasq package installed nor is it
>>>>>>> in
>>>>>>> ps -ef
>>>>>>>
>>>>>> Ah, so no GUI then, ok in this case you probably won't have Network Manager
>>>>>> installed either.
>>>>>>
>>>>>> If you have to have that 127.0.1.1 line in /etc/hosts, you have dns
>>>>>>> problems.
>>>>>>> I'll try to figure out how to get the client to have a FQDN without the
>>>>>>> line in /etc/hosts
>>>>>>>
>>>>>> If this machine is going to be a fileserver, you would probably be better
>>>>>> using a fixed ip, but if you are going to have other Unix domain members using
>>>>>> dhcp, you need to sort this problem.
>>>>>>
>>>>>>
>>>>>>> I really am starting to hate Active Directory...
>>>>>>>
>>>>>> I just hate microsoft, it cuts out the middle man :-D
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>>>> On Tue, Dec 1, 2015 at 11:22 AM, Rowland Penny <
>>>>>>> rowlandpenny241155 at gmail.com
>>>>>>>
>>>>>>>> wrote:
>>>>>>>> On 01/12/15 17:09, Jonathan S. Fisher wrote:
>>>>>>>>
>>>>>>>> So your client did no DNS lookups?? That's crazy. Could they be cached?
>>>>>>>> (Can you disable nscd if you have it running and try again?)
>>>>>>>>
>>>>>>>>
>>>>>>>> It isn't running, one of the first things I do when setting up a new DC
>>>>>>>> is
>>>>>>>> to remove nscd if it is installed.
>>>>>>>>
>>>>>>>>
>>>>>>>> Why, in your deity's name, why?????
>>>>>>>> I'm starting my own caliphate. Seems to be all the rage these days.
>>>>>>>> Dnsmasq isn't running locally... it's the main DNS server at
>>>>>>>> 192.168.127.129. At one time I guess we were running Bind, but he
>>>>>>>> switched
>>>>>>>> to dnsmasq for simplicity. If there's a legit reason why Windows needs to
>>>>>>>> handle 100% of the DNS and DHCP for the network... well that's a little
>>>>>>>> scary of a thought. Are these things in no way interoperable?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Ubuntu, you get a caching dnsmasq server as standard, this is
>>>>>>>> controlled by Network Manager, this shouldn't be running on an AD client
>>>>>>>> (note this is only from my experience, it seems to interfere with AD
>>>>>>>> dns).
>>>>>>>>
>>>>>>>> DHCP doesn't need to be running on the DC, but it needs to give your
>>>>>>>> client the required info, see my previous post for what mine sends.
>>>>>>>> Your AD clients need to use your AD DCs as their DNS servers, anything
>>>>>>>> your DCs don't know about i.e. google should be forwarded to a DNS server
>>>>>>>> that does i.e.
>>>>>>>> your dnsmasq machine
>>>>>>>>
>>>>>>>> Your problem isn't that net is using the workgroup name, it is that your
>>>>>>>> machine doesn't seem to know who it is and where the DCs are :-)
>>>>>>>>
>>>>>>>>
>>>>>>>> Mind you, until you get 'hostname -f' to return your FQDN, it will not
>>>>>>>> work correctly.
>>>>>>>> Well this "works" right now with what I put into /etc/hosts. Are you
>>>>>>>> saying it has to work purely from dhcp?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> If you have to have that 127.0.1.1 line in /etc/hosts, you have dns
>>>>>>>> problems.
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
From danielmadrid19 at gmail.com Wed Dec 2 16:45:51 2015
From: danielmadrid19 at gmail.com (Daniel Carrasco Marín)
Date: Wed, 2 Dec 2015 17:45:51 +0100
Subject: [Samba] Backup Member Server
In-Reply-To: <565F06CE.5010804@gmail.com>
References: <565F06CE.5010804@gmail.com>
Message-ID:

What about a backup solution like Bacula/Bareos? If I'm not wrong it preserves all ACLs. I've restored a full virtual machine using Bareos and all worked fine.

Greetings!!

> Hello,
>
> Can someone point me to documentation on how to best backup a samba member server? I see the wiki currently does not contain one.
>
> Is it as simple as backing up all shared folders with rsync or similar that will preserve ACLs along with the smb.conf? I'm currently relying on a raid solution. Thanks.
> --
> -James

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

From mjirou at gmail.com Wed Dec 2 16:48:11 2015
From: mjirou at gmail.com (Marc JIROU)
Date: Wed, 2 Dec 2015 17:48:11 +0100
Subject: [Samba] Symlink with mklink
In-Reply-To: <20151202163927.GA816@jra3>
References: <20151201171955.GB4148@jeremy-ThinkPad-T430s> <20151202163927.GA816@jra3>
Message-ID:

> > So no one is interested in having symbolic links on a samba server?
> >
> > When I was looking for information, most people think that symbolic
> > links are reserved to NTFS and can't exist on an smb server, that's why
> > no one asks for it.
> >
> > I'm pretty sure a lot of people are waiting for this (at least people
> > that use unix systems)
> > but that's just my personal opinion
>
> Well people use symlinks on Samba servers all the time.
> But they create and manage them on the UNIX side and
> the Windows clients are unaware of them.
>
> What advantage does having the clients aware of the
> link bring? Remember, we already restrict the clients
> from traversing outside of the share path.
>

Don't you think that it will be easier to support mklink symlink creation, instead of having to ssh/rsh ... to a linux box to make a ln? People do it all the time because they have no choice.

As you said people are doing it all the time but have no easy way to do it, and as samba is offering file services to windows users most of them have no knowledge of how to do it.

From bob at donelsontrophy.net Wed Dec 2 17:07:02 2015
From: bob at donelsontrophy.net (Bob of Donelson Trophy)
Date: Wed, 02 Dec 2015 11:07:02 -0600
Subject: [Samba] Symlink with mklink
In-Reply-To: <20151202163927.GA816@jra3>
References: <20151201171955.GB4148@jeremy-ThinkPad-T430s> <20151202163927.GA816@jra3>
Message-ID:

I am sure glad to see this. My method was a crude and difficult solution to a simple linux/unix symbolic link. Will be fixing my mess, soon.
Thanks Jeremy.

---
_______________________________
Bob Wooden of Donelson Trophy
615.885.2846
www.donelsontrophy.com [1]
"Everyone deserves an award!!"

On 2015-12-02 10:39, Jeremy Allison wrote:
> On Wed, Dec 02, 2015 at 02:30:00PM +0100, Marc JIROU wrote:
>
>> So no one is interested in having symbolic links on a samba server? When I was looking for information, most people think that symbolic links are reserved to NTFS and can't exist on an smb server, that's why no one asks for it. I'm pretty sure a lot of people are waiting for this (at least people that use unix systems) but that's just my personal opinion
>
> Well people use symlinks on Samba servers all the time.
> But they create and manage them on the UNIX side and
> the Windows clients are unaware of them.
>
> What advantage does having the clients aware of the
> link bring? Remember, we already restrict the clients
> from traversing outside of the share path.

Links:
------
[1] http://www.donelsontrophy.com

From slow at samba.org Wed Dec 2 17:07:37 2015
From: slow at samba.org (Ralph Boehme)
Date: Wed, 2 Dec 2015 18:07:37 +0100
Subject: [Samba] Symlink with mklink
In-Reply-To: <20151202163927.GA816@jra3>
References: <20151201171955.GB4148@jeremy-ThinkPad-T430s> <20151202163927.GA816@jra3>
Message-ID: <20151202170736.GC8885@sernet.sernet.private>

On Wed, Dec 02, 2015 at 08:39:27AM -0800, Jeremy Allison wrote:
> On Wed, Dec 02, 2015 at 02:30:00PM +0100, Marc JIROU wrote:
> >
> > So no one is interested in having symbolic links on a samba server?
> >
> > When I was looking for information, most people think that symbolic
> > links are reserved to NTFS and can't exist on an smb server, that's why
> > no one asks for it.
> >
> > I'm pretty sure a lot of people are waiting for this (at least people that
> > use unix systems)
> > but that's just my personal opinion
>
> Well people use symlinks on Samba servers all the time.
> But they create and manage them on the UNIX side and
> the Windows clients are unaware of them.
>
> What advantage does having the clients aware of the
> link bring?

POSIX clients, e.g. OS X, love symlinks.

-Ralph

From jra at samba.org Wed Dec 2 17:10:17 2015
From: jra at samba.org (Jeremy Allison)
Date: Wed, 2 Dec 2015 09:10:17 -0800
Subject: [Samba] Symlink with mklink
In-Reply-To: <20151202170736.GC8885@sernet.sernet.private>
References: <20151201171955.GB4148@jeremy-ThinkPad-T430s> <20151202163927.GA816@jra3> <20151202170736.GC8885@sernet.sernet.private>
Message-ID: <20151202171017.GB816@jra3>

On Wed, Dec 02, 2015 at 06:07:37PM +0100, Ralph Boehme wrote:
> On Wed, Dec 02, 2015 at 08:39:27AM -0800, Jeremy Allison wrote:
> > On Wed, Dec 02, 2015 at 02:30:00PM +0100, Marc JIROU wrote:
> > >
> > > So no one is interested in having symbolic links on a samba server?
> > >
> > > When I was looking for information, most people think that symbolic
> > > links are reserved to NTFS and can't exist on an smb server, that's why
> > > no one asks for it.
> > >
> > > I'm pretty sure a lot of people are waiting for this (at least people that
> > > use unix systems)
> > > but that's just my personal opinion
> >
> > Well people use symlinks on Samba servers all the time.
> > But they create and manage them on the UNIX side and
> > the Windows clients are unaware of them.
> >
> > What advantage does having the clients aware of the
> > link bring?
>
> POSIX clients, e.g. OS X, love symlinks.

Well yes, but we already have the infrastructure for that (along with all the security protections that took a while to get right).

Adding Windows client-aware symlinks means the same level of detail needed for a feature that is disabled by default on Windows and most people are unaware of.

I'm not saying we shouldn't do it - just we need to be aware of who needs it and the trade-offs.
If a customer pays to have it done I'd be happy to add it, but we have a lot of other features I think have higher priority for expanding Samba use right now (hyperV handle support for example).

From mjirou at gmail.com Wed Dec 2 17:26:35 2015
From: mjirou at gmail.com (Marc JIROU)
Date: Wed, 2 Dec 2015 18:26:35 +0100
Subject: [Samba] Fwd: Symlink with mklink
In-Reply-To:
References: <20151201171955.GB4148@jeremy-ThinkPad-T430s> <20151202163927.GA816@jra3> <20151202170736.GC8885@sernet.sernet.private> <20151202171017.GB816@jra3>
Message-ID:

2015-12-02 18:10 GMT+01:00 Jeremy Allison :
> On Wed, Dec 02, 2015 at 06:07:37PM +0100, Ralph Boehme wrote:
> > On Wed, Dec 02, 2015 at 08:39:27AM -0800, Jeremy Allison wrote:
> > > On Wed, Dec 02, 2015 at 02:30:00PM +0100, Marc JIROU wrote:
> > > >
> > > > So no one is interested in having symbolic links on a samba server?
> > > >
> > > > When I was looking for information, most people think that symbolic
> > > > links are reserved to NTFS and can't exist on an smb server, that's why
> > > > no one asks for it.
> > > >
> > > > I'm pretty sure a lot of people are waiting for this (at least people
> > > > that use unix systems)
> > > > but that's just my personal opinion
> > >
> > > Well people use symlinks on Samba servers all the time.
> > > But they create and manage them on the UNIX side and
> > > the Windows clients are unaware of them.
> > >
> > > What advantage does having the clients aware of the
> > > link bring?
> >
> > POSIX clients, e.g. OS X, love symlinks.
>
> Well yes, but we already have the infrastructure
> for that (along with all the security protections
> that took a while to get right).
>
> Adding Windows client-aware symlinks means the same
> level of detail needed for a feature that is disabled
> by default on Windows and most people are unaware of.
>
> I'm not saying we shouldn't do it - just we need to
> be aware of who needs it and the trade-offs.
>
> If a customer pays to have it done I'd be happy to
> add it, but we have a lot of other features I think
> have higher priority for expanding Samba use right
> now (hyperV handle support for example).
>

I don't think it is such a small feature. Imagine what will happen if you remove it from nfs?

I have to admit that it is certainly less fancy than other features, but it should be in the basic survival kit ...

Regards,
Marc

From infractory at gmail.com Wed Dec 2 17:31:26 2015
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 2 Dec 2015 18:31:26 +0100
Subject: [Samba] Undestructible DNS entry
In-Reply-To: <565F1D96.2040200@gmail.com>
References: <565F1D96.2040200@gmail.com>
Message-ID:

Thank you James for your reply.

Unfortunately using ADSI did not show any entry related to that demoted DC.

Anyway, once more, my bad : )

The undeletable DNS entry was not one pointing to "m701" but some IP pointing to "m701.". Then there was an LDAP entry for cn=m701.,,DC=_msdcs..... And using the right DN the LDAP entry was removed and the DNS entry disappeared.

To finally see my error I used the following piece of awk:

ldbsearch -H $sam -b 'DC=FORESTDNSZONES,DC=AD,DC=DOMAIN,DC=TLD' dnsRecord=* | awk '
  # print the finished attribute: dn lines as-is, dnsRecord values base64-decoded
  function emit() {
    if (attr == "dn:") print "dn: " val
    else if (attr == "dnsRecord::") system("echo " val " | base64 -d && echo")
    attr = ""; val = ""
  }
  /^ / { val = val substr($0, 2); next }    # LDIF continuation line: append to the current value
  { emit(); attr = $1; val = substr($0, length($1) + 2) }
  END { emit() }
'

The awk itself is not nice to read, awk as one-liner... It prints the DN and decodes (and prints) dnsRecord.

The ldbsearch was performed on -b 'DC=FORESTDNSZONES,DC=AD,DC=DOMAIN,DC=TLD'
This last point is important as it seems the _msdcs zone is stored there, whereas the standard DNS zone seems to be stored in "DC=DomainDnsZones".

Then I must say if I understood that earlier I would certainly have been able to delete this entry using the ADSI tool.

Thanks again James : )

Sorry for the noise all!
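The awk above unfolds ldbsearch's LDIF and base64-decodes each dnsRecord; the Python below does the same and goes one step further by parsing the DNS_RPC_RECORD header so that an A record is shown as its address and TTL, which is what lets you match a leftover entry against the demoted DC's IP. It is an added example, not code from the thread; it runs on constructed sample LDIF modelled on the output quoted above, and the DN layout, TTLs and the 10.16.28.26 address for m703 are assumptions.

```python
"""Decode dnsRecord attributes from ldbsearch output and locate stale A records.

Added example (not code from the thread). It unfolds the LDIF, base64-decodes
every dnsRecord and parses the fixed DNS_RPC_RECORD header. SAMPLE_LDIF is
constructed input modelled on the ldbsearch output quoted in the thread; the
DN layout, TTLs and the 10.16.28.26 address for m703 are assumptions.
"""
import base64
import struct
import sys
from dataclasses import dataclass, field

# wType values from the DNS_RPC_RECORD header; only the common ones.
RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 28: "AAAA", 33: "SRV"}
HEADER_LEN = 24  # fixed part of DNS_RPC_RECORD before the type-specific data


@dataclass
class DnsRecord:
    rtype: str
    ttl: int
    rank: int
    data: str  # dotted IPv4 for A records, hex for everything else


@dataclass
class DnsNode:
    dn: str
    records: list = field(default_factory=list)


def unfold_ldif(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_dns_record(blob):
    """Parse one decoded dnsRecord value (DNS_RPC_RECORD) into a DnsRecord."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord value shorter than the fixed header")
    # wDataLength, wType, version, rank, flags, serial are little-endian;
    # dwTtlSeconds at offset 12 is big-endian; reserved and timestamp follow.
    data_len, rtype, _version, rank, _flags, _serial = struct.unpack_from("<HHBBHI", blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)
    payload = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(payload) != data_len:
        raise ValueError("dnsRecord payload truncated")
    if rtype == 1 and data_len == 4:
        data = ".".join(str(b) for b in payload)  # A record: 4-byte IPv4 address
    else:
        data = payload.hex()
    return DnsRecord(RECORD_TYPES.get(rtype, f"TYPE{rtype}"), ttl, rank, data)


def parse_ldbsearch_output(text):
    """Group decoded dnsRecord values under their dn, as the awk script prints them."""
    nodes = []
    current = None
    for line in unfold_ldif(text):
        if line.startswith("dn: "):
            current = DnsNode(dn=line[4:].strip())
            nodes.append(current)
        elif line.startswith("dnsRecord:: ") and current is not None:
            current.records.append(parse_dns_record(base64.b64decode(line[12:])))
    return nodes


def nodes_with_a_record(nodes, ip):
    """DNs holding an A record for ip: which object still points at a demoted DC."""
    return [n.dn for n in nodes if any(r.rtype == "A" and r.data == ip for r in n.records)]


def _sample_a_record(ip, ttl):
    """Constructed sample: an authoritative A record (rank 0xF0) as stored in AD."""
    header = (struct.pack("<HHBBHI", 4, 1, 5, 0xF0, 0, 1)
              + struct.pack(">I", ttl) + struct.pack("<II", 0, 0))
    return header + bytes(int(o) for o in ip.split("."))


def _ldif_entry(name, ip, ttl):
    """Constructed LDIF entry; the base64 value is folded the way ldbsearch wraps it."""
    b64 = base64.b64encode(_sample_a_record(ip, ttl)).decode()
    dn = f"DC={name},DC=_msdcs.ad.domain.tld,CN=MicrosoftDNS,DC=ForestDnsZones,DC=ad,DC=domain,DC=tld"
    return f"dn: {dn}\nobjectClass: dnsNode\nname: {name}\ndnsRecord:: {b64[:20]}\n {b64[20:]}\n\n"


# Constructed sample: the live DC m703 and the stale node "m701." left by the demoted DC.
SAMPLE_LDIF = _ldif_entry("m703", "10.16.28.26", 3600) + _ldif_entry("m701.", "10.16.28.27", 3600)


if __name__ == "__main__":
    ldif = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    parsed = parse_ldbsearch_output(ldif)
    for node in parsed:
        print("dn:", node.dn)
        for rec in node.records:
            print(f"  {rec.rtype} ttl={rec.ttl} rank=0x{rec.rank:02x} {rec.data}")
    print("nodes pointing at 10.16.28.27:", nodes_with_a_record(parsed, "10.16.28.27"))
```

Piping real ldbsearch output into the script (stdin) replaces the constructed sample.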
From mmuehlfeld at samba.org Wed Dec 2 19:06:02 2015
From: mmuehlfeld at samba.org (Marc Muehlfeld)
Date: Wed, 2 Dec 2015 20:06:02 +0100
Subject: [Samba] Backup Member Server
In-Reply-To: <565F06CE.5010804@gmail.com>
References: <565F06CE.5010804@gmail.com>
Message-ID: <565F411A.6000205@samba.org>

Hello James,

On 02.12.2015 at 15:57, James wrote:
> Can someone point me to documentation on how to best backup a samba
> member server? I see the wiki currently does not contain one.
>
> Is it as simple as backing up all shared folders with rsync or similar that
> will preserve ACLs along with the smb.conf? I'm currently relying on a
> raid solution. Thanks.

Yes, I should finally write that doc. :-)

What you should backup on a Domain Member:
1.) All files (share content and whatever else is important for you)
2.) Your smb.conf
3.) Your Samba databases (you can do a hotbackup with tdbbackup)

Some notes about 3.: Depending on what your Domain Member is doing, some of the tdb files are important, while others are recreated and can get lost. There's nothing wrong if you backup all. :-) When I write the Wiki page, I might list which file is important for which case.

Regards,
Marc

From jonathan at springventuregroup.com Wed Dec 2 22:39:18 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Wed, 2 Dec 2015 16:39:18 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <565F1F00.90104@gmail.com>
References: <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> <565DD1C3.3070600@gmail.com> <565DD757.4080102@gmail.com> <565DE2F8.7000009@gmail.com> <565F1F00.90104@gmail.com>
Message-ID:

All the DNS stuff checks out.
The names resolve as they should (They pass all checks Mathias suggested). They all give the exact same answers. hostname -A is showing correctly.

I nuked the box and reinstalled. Same problem. It simply won't request the ActiveDirectory SRV records from WINDOWS.CORP.XXX.COM, it requests them from WINDOWS and is disappointed when there isn't any DNS setup there.

Why does samba keep wanting to use the workgroup name instead of the FQDN? Is there some sort of logging we can enable to figure out why it's choosing to behave this way?

Rowland: Dnsmasq is not running on the AD subdomain. Those requests are passed immediately to the windows boxen.

On Wed, Dec 2, 2015 at 10:40 AM, Rowland Penny wrote:
> On 02/12/15 16:27, Jonathan S. Fisher wrote:
>
>> Great thanks, I'll start digging into that. So your running theory is that
>> one of the DNS resolution attempts is returning .WINDOWS not
>> .WINDOWS.CORP.XXX.com?
>>
>
> This is not your problem.
>
> Rowland
From Luchko.D at digdes.com Thu Dec 3 07:53:43 2015
From: Luchko.D at digdes.com (Luchko Dmitriy)
Date: Thu, 3 Dec 2015 07:53:43 +0000
Subject: [Samba] Disable KCC in Samba
Message-ID:

Hi, colleagues,

We have a big environment with Windows domain controllers.
We know that KCC in Samba doesn't work well now. How can we disable KCC in Samba and create site links manually?

Best regards,

DMITRIY LUCHKO

From Luchko.D at digdes.com Thu Dec 3 08:02:33 2015
From: Luchko.D at digdes.com (Luchko Dmitriy)
Date: Thu, 3 Dec 2015 08:02:33 +0000
Subject: [Samba] DRS_The specified I/O operation on %hs was not completed before the time-out period expired.'
Message-ID:

Hi,

When we try to replicate the domain tree from a Win DC to a Samba DC we get a timeout error:

ERROR(): DsReplicaSync failed - drsException: DsReplicaSync failed (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 345, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

Best regards,

DMITRIY LUCHKO

From abartlet at samba.org Thu Dec 3 08:15:46 2015
From: abartlet at samba.org (Andrew Bartlett)
Date: Thu, 03 Dec 2015 21:15:46 +1300
Subject: [Samba] Disable KCC in Samba
In-Reply-To:
References:
Message-ID: <1449130546.1535.11.camel@samba.org>

On Thu, 2015-12-03 at 07:53 +0000, Luchko Dmitriy wrote:
> Hi, colleagues,
>
> We have a big environment with Windows domain controllers.
> We know that KCC in Samba doesn't work well now. How can we disable
> KCC in Samba and create site links manually?

The new 'samba_kcc' python-based KCC should work for what you need, just enable it per the instructions in the WHATSNEW for Samba 4.3.0 (where we first introduced it).

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

From Luchko.D at digdes.com Thu Dec 3 08:51:56 2015
From: Luchko.D at digdes.com (Luchko Dmitriy)
Date: Thu, 3 Dec 2015 08:51:56 +0000
Subject: [Samba] Disable KCC in Samba
In-Reply-To: <1449130546.1535.11.camel@samba.org>
References: <1449130546.1535.11.camel@samba.org>
Message-ID:

I read about 4.3.0 and we tested this version in polygon. In production we have more than 80 sites and about 200 domain controllers.
In the test environment we have a lot of KCC warnings (Samba 4.3.), and we suppose that in production we will have the same picture. Will you make changes to KCC for the nearest Samba release?

Best regards,

DMITRIY LUCHKO

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Andrew Bartlett
Sent: Thursday, December 03, 2015 11:16 AM
To: Luchko Dmitriy ; samba at lists.samba.org
Subject: Re: [Samba] Disable KCC in Samba

On Thu, 2015-12-03 at 07:53 +0000, Luchko Dmitriy wrote:
> Hi, colleagues,
>
> We have a big environment with Windows domain controllers.
> We know that KCC in Samba doesn't work well now. How can we disable
> KCC in Samba and create site links manually?

The new 'samba_kcc' python-based KCC should work for what you need, just enable it per the instructions in the WHATSNEW for Samba 4.3.0 (where we first introduced it).

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

From rowlandpenny241155 at gmail.com Thu Dec 3 10:01:03 2015
From: rowlandpenny241155 at gmail.com (Rowland Penny)
Date: Thu, 03 Dec 2015 10:01:03 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <565DCA6B.1030404@gmail.com> <565DD1C3.3070600@gmail.com> <565DD757.4080102@gmail.com> <565DE2F8.7000009@gmail.com> <565F1F00.90104@gmail.com>
Message-ID: <566012DF.6000001@gmail.com>

On 02/12/15 22:39, Jonathan S. Fisher wrote:
> All the DNS stuff checks out. The names resolve as they should (They
> pass all checks Mathias suggested). They all give the exact same
> answers. hostname -A is showing correctly.
>
> I nuked the box and reinstalled. Same problem.
> It simply won't
> request the ActiveDirectory SRV records from WINDOWS.CORP.XXX.COM,
> it requests them from WINDOWS and is
> disappointed when there isn't any DNS setup there.
>
> Why does samba keep wanting to use the workgroup name instead of the
> FQDN? Is there some sort of logging we can enable to figure out why
> it's choosing to behave this way?
>
> Rowland: Dnsmasq is not running on the AD subdomain. Those requests
> are passed immediately to the windows boxen.
>

OK, what do these commands return when run on the client:

host -t SRV _ldap._tcp.windows.corp.xxx.com.
host -t SRV _kerberos._udp.windows.corp.xxx.com.
host -t A yourclientshostname.windows.corp.xxx.com.
host -t SRV ipaddress_returned_by_last_command

Rowland

From infractory at gmail.com Thu Dec 3 12:44:43 2015
From: infractory at gmail.com (mathias dufresne)
Date: Thu, 3 Dec 2015 13:44:43 +0100
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <565CAF9A.60700@gmail.com> <565CB4EE.1020903@gmail.com> <565CBA81.1070709@gmail.com> <565D771D.4010801@gmail.com> <565DCA6B.1030404@gmail.com> <565DD1C3.3070600@gmail.com> <565DD757.4080102@gmail.com> <565DE2F8.7000009@gmail.com>
Message-ID:

2015-12-02 17:27 GMT+01:00 Jonathan S. Fisher <jonathan at springventuregroup.com>:

> Great thanks, I'll start digging into that. So your running theory is that
> one of the DNS resolution attempts is returning .WINDOWS not
> .WINDOWS.CORP.XXX.com?
>

I'm not sure, that's your issue, not mine, but you seemed to mean that FQDNs
are truncated in some DNS search.
At least that's what I understand from your first mail when you wrote:

"From Wireshark:

Queries
    _ldap._tcp.pdc._msdcs.WINDOWS: type SRV, class IN
        Name: _ldap._tcp.pdc._msdcs.WINDOWS"

So yes I would say there is something wrong in the way your DNS requests
are forged: they are using the domain name.
So, for me, the next question is: does that domain reduction happen on all
requests or only those made by Samba.

To know that, the point is to avoid Samba.

That's why I proposed to proceed with:
- some DNS requests -> you said they worked using the three DNS servers you
have (the real one, the two from Samba) -> the system does not seem to
truncate the requests by itself / always.
- some kinit -> kinit with no configuration to force Kerberos servers
should send SRV requests to guess how to contact a kerberos server. You
seemed to say kinit was working.

Next step I would change my resolv.conf to put as nameserver in it only
your DC, no search, no domain. The point here is to test your DNS from
Samba, and in parallel to avoid the main DNS server which uses dnsmasq.

And I would then redo all these tests, including those proposed by Rowland.

If you don't have truncated requests until there, I would suggest you find
something strange in Samba. But as long as you didn't perform all that
successfully, I would suggest an issue in your DNS resolving stack.

Cheers,

mathias

> On Wed, Dec 2, 2015 at 10:07 AM, mathias dufresne wrote:
>
>> OK, sorry, I haven't re-read the whole thread carefully enough.
>> From what I understand sometimes your DNS requests are truncated, asking
>> for machineName.windows rather than
>> machineName.windows.rest.of.your.domain.tld
>>
>> So you have to find what is cutting your DNS requests. If I'm wrong, don't
>> read the rest :p
>>
>> First I would test my DNS resolution using dig, host or nslookup and check
>> with tcpdump if that resolution is working correctly. If request is not
>> truncated your issue comes from something else than your DNS resolution
>> configuration.
>> ex:
>> dig @192.168.127.129 whiskey.windows.corp.XXX.com
>> dig @192.168.127.141 whiskey.windows.corp.XXX.com
>> dig @192.168.112.4 whiskey.windows.corp.XXX.com
>>
>> If it works, I would continue with simple command, perhaps a kinit as that
>> one should, I believe, also launch several DNS queries (if your krb5.conf is
>> still almost empty).
>> Here you continue to check with tcpdump what DNS requests your client is
>> launching (ex: on the client: tcpdump -i eth0 port domain)
>>
>> The point is to define where the issue is, removing points where doubt
>> exists.
>> DNS queries are DNS queries. Kerberos seems to be acting simply just for a
>> kinit.
>>
>> Finally once dig and kinit are working, you could dig into Samba
>> configuration.
>>
>> 2015-12-02 16:34 GMT+01:00 Jonathan S. Fisher <jonathan at springventuregroup.com>:
>>
>>> Dnsmasq is not running locally! Disabling it would do nothing but stop
>>> DHCP and DNS forwarding for 2000+ soon to be irate people.
>>>
>>> What I am going to do however is bypass DHCP completely and assign a
>>> static address with DNS pointed straight at active directory. If that
>>> still doesn't work, I think I can definitely narrow this down to a bug in
>>> Active Directory, our AD configuration, or a bug in Samba.
>>>
>>> On Wed, Dec 2, 2015 at 6:08 AM, mathias dufresne wrote:
>>>
>>>> Can't you just disable dnsmasq service?
>>>>
>>>> You don't seem to be too much confident in that tool and you have DNS
>>>> issue...
>>>>
>>>> dnsmasq has most certainly a good reason to exist. I just don't know it.
>>>> In IT for work we generally don't need such tool as infrastructures of
>>>> companies are meant to be stable. As the clients configuration.
>>>>
>>>> So I would start with dnsmasq removal, then I would [learn how to]
>>>> configure manually this client, then I would re-run test, starting with
>>>> small tests (DNS with dig/nslookup, kinit...)
From rpenny at samba.org Thu Dec 3 13:15:00 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 03 Dec 2015 13:15:00 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <56603E91.5020601@gmail.com>
References: <56603E91.5020601@gmail.com>
Message-ID: <56604054.3060000@samba.org>

On 03/12/15 13:07, Rowland Penny wrote:
>
> 2015-12-02 17:27 GMT+01:00 Jonathan S. Fisher <jonathan at springventuregroup.com>:
>
> > Great thanks, I'll start digging into that. So your running theory is that
> > one of the DNS resolution attempts is returning .WINDOWS not
> > .WINDOWS.CORP.XXX.com?
>
> I'm not sure, that's your issue, not mine, but you seemed to mean that FQDNs
> are truncated in some DNS search.
> At least that's what I understand from your first mail when you wrote:
>
> "From Wireshark:
>
> Queries
>     _ldap._tcp.pdc._msdcs.WINDOWS: type SRV, class IN
>         Name: _ldap._tcp.pdc._msdcs.WINDOWS"
>
> So yes I would say there is something wrong in the way your DNS requests
> are forged: they are using the domain name.
>
> So, for me, the next question is: does that domain reduction happen on all
> requests or only those made by Samba.
>
> To know that, the point is to avoid Samba.
>
> That's why I proposed to proceed with:
> - some DNS requests -> you said they worked using the three DNS servers you
> have (the real one, the two from Samba) -> the system does not seem to
> truncate the requests by itself / always.
> - some kinit -> kinit with no configuration to force Kerberos servers
> should send SRV requests to guess how to contact a kerberos server. You
> seemed to say kinit was working.
>
> Next step I would change my resolv.conf to put as nameserver in it only
> your DC, no search, no domain. The point here is to test your DNS from
> Samba, and in parallel to avoid the main DNS server which uses dnsmasq.
>
> And I would then redo all these tests, including those proposed by Rowland.
>
> If you don't have truncated requests until there, I would suggest you find
> something strange in Samba. But as long as you didn't perform all that
> successfully, I would suggest an issue in your DNS resolving stack.
>
> Cheers,
>
> mathias
>

This is basically what I wanted to find out, does the OP have a problem or
not, if he answers my post, we may find out and move on from there.

Rowland

From jonathan at springventuregroup.com Thu Dec 3 16:06:03 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Thu, 3 Dec 2015 10:06:03 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <56604054.3060000@samba.org>
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org>
Message-ID:

> host -t SRV _ldap._tcp.windows.corp.XXX.com
_ldap._tcp.windows.corp.XXX.com has SRV record 0 100 389 whiskey.windows.corp.XXX.com.
_ldap._tcp.windows.corp.XXX.com has SRV record 0 100 389 wine.windows.corp.XXX.com.

> host -t SRV _kerberos._udp.windows.corp.XXX.com
_kerberos._udp.windows.corp.XXX.com has SRV record 0 100 88 whiskey.windows.corp.XXX.com.
_kerberos._udp.windows.corp.XXX.com has SRV record 0 100 88 wine.windows.corp.XXX.com.

> host -t A freeradius.windows.corp.XXX.com.
freeradius.windows.corp.XXX.com has address 192.168.127.134

> host -t SRV 192.168.127.134
134.127.168.192.in-addr.arpa domain name pointer freeradius.windows.corp.XXX.com.
I tried the same thing with ".WINDOWS" and it doesn't work of course... On Thu, Dec 3, 2015 at 7:15 AM, Rowland penny wrote: > On 03/12/15 13:07, Rowland Penny wrote: > >> >> >> >> >> 2015-12-02 17:27 GMT+01:00 Jonathan S. Fisher < >> jonathan at springventuregroup.com>: >> >> > Great thanks, I'll start digging into that. So your running theory is >> that >> > one of the DNS resolution attempts is returning .WINDOWS not . >> > WINDOWS.CORP.XXX.com? >> > >> >> I'm not sure, that's your issue, not mine, but you seemed to mean that >> FQDN >> are truncated in some DNS search. >> At least that's what I understand from your first mail when you wrote: >> >> "From Wireshark: >> >> Queries >> _ldap._tcp.pdc._msdcs.WINDOWS: type SRV, class IN >> Name: _ldap._tcp.pdc._msdcs.WINDOWS" >> >> So yes I would say there is something wrong in the way your DNS requests >> are forged: they are using the domain name. >> >> So, for me, the next question is: is that domain reduction happens on all >> requests or only those made by Samba. >> >> To know that the point is to avoid Samba. >> >> That's why I proposed to proceed with: >> - some DNS requests -> you said they worked using the three DNS servers >> you >> have (the real one, the two from Samba) -> the system does not seem to >> truncat by himself / always the requests. >> - some kinit -> kinit with no configuration to force Kerberos servers >> should send SRV requests to guess how to contact a kerberos server. You >> seemed to say kinit was working. >> >> Next step I would change my resolv.conf to put as nameserver in it only >> your DC, no search, no domain. The point here is to test your DNS from >> Samba, and in parallel to avoid the main DNS server which uses dnsmasq. >> >> And I would then redo all these tests, including those proposed by >> Rowland. >> >> If you don't have truncated requests until there, I would suggest you find >> something strange in Samba. 
But as long as you didn't performed all that >> successfully, I would suggest an issue in your DNS resolving stack. >> >> Cheers, >> >> mathias >> >> >> > This is basically what I wanted to find out, does the OP have a problem or > not, if he answers my post, we may find out and move on from there. > > > Rowland > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > -- Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer. From rpenny at samba.org Thu Dec 3 16:26:38 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 03 Dec 2015 16:26:38 +0000 Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command In-Reply-To: References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> Message-ID: <56606D3E.4050908@samba.org> On 03/12/15 16:06, Jonathan S. Fisher wrote: > > host -t SRV _ldap._tcp.windows.corp.XXX.com > > _ldap._tcp.windows.corp.XXX.com has > SRV record 0 100 389 whiskey.windows.corp.XXX.com > . > _ldap._tcp.windows.corp.XXX.com has > SRV record 0 100 389 wine.windows.corp.XXX.com > . > > > host -t SRV _kerberos._udp.windows.corp.XXX.com > > _kerberos._udp.windows.corp.XXX.com > has SRV record 0 100 88 whiskey.windows.corp.XXX.com > . 
> _kerberos._udp.windows.corp.XXX.com has SRV record 0 100 88 wine.windows.corp.XXX.com.
>
> > host -t A freeradius.windows.corp.XXX.com.
> freeradius.windows.corp.XXX.com has address 192.168.127.134
>
> > host -t SRV 192.168.127.134
> 134.127.168.192.in-addr.arpa domain name pointer freeradius.windows.corp.XXX.com.
>
> I tried the same thing with ".WINDOWS" and it doesn't work of course...

Your DNS appears to be working :-)

Let's move on from there:

Quick recap:
'hostname' should return 'freeradius'
'hostname -d' should return 'windows.corp.xxx.com'
'hostname -f' should return 'freeradius.windows.corp.xxx.com'
'hostname -i' should return '192.168.127.134'

/etc/resolv.conf should contain this:

search windows.corp.xxx.com
nameserver 'ip of first DC'
nameserver 'ip of second DC'

/etc/krb5.conf should contain this:

[libdefaults]
default_realm = WINDOWS.CORP.XXX.COM

smb.conf is set up as per the Samba wiki.

If you run 'net ads testjoin' it should return 'Join is OK'.

If all the above is complied with, running 'sudo net rpc info -UAdministrator' should return something like this:

Domain Name: SAMDOM
Domain SID: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx
Sequence number: 1
Num users: XXX
Num domain groups: XX
Num local groups: XX

If it doesn't, add this line to smb.conf: log level = 10
Restart Samba and try again.

Rowland

From jonathan at springventuregroup.com Thu Dec 3 17:52:13 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Thu, 3 Dec 2015 11:52:13 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <56606D3E.4050908@samba.org>
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org>
Message-ID:

jonathan.fisher at freeradius:~$ sudo net ads join -Uadministrator
Enter administrator's password:
Using short domain name -- WINDOWS
Joined 'FREERADIUS' to dns domain 'windows.corp.XXX.com'
jonathan.fisher at freeradius:~$ hostname
freeradius
jonathan.fisher at freeradius:~$ hostname -d
windows.corp.XXX.com
jonathan.fisher at freeradius:~$ hostname -f
freeradius.windows.corp.XXX.com
jonathan.fisher at freeradius:~$ hostname -i
192.168.127.134
jonathan.fisher at freeradius:~$ cat /etc/krb5.conf
[libdefaults]
default_realm = WINDOWS.CORP.XXX.COM
jonathan.fisher at freeradius:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.127.129
search windows.corp.XXX.com
jonathan.fisher at freeradius:~$ sudo net ads testjoin
Join is OK
jonathan.fisher at freeradius:~$ sudo service sernet-samba-winbindd restart && sudo service sernet-samba-nmbd restart && sudo service sernet-samba-smbd restart
Shutting down SAMBA winbindd : *
Starting SAMBA winbindd : *
Shutting down SAMBA nmbd : *
Starting SAMBA nmbd : *
Shutting down SAMBA smbd : *
Starting SAMBA smbd : *
jonathan.fisher at freeradius:~$ sudo wbinfo -i WINDOWS\\administrator
WINDOWS\administrator:*:4294967295:4294967295:Administrator:/home/WINDOWS/administrator:/bin/false
jonathan.fisher at freeradius:~$ sudo net rpc info -UWINDOWS\\Administrator
Unable to find a suitable server for domain WINDOWS

Sigh. I really appreciate your guys' help. I know this thread is starting to drone on.

On Thu, Dec 3, 2015 at 10:26 AM, Rowland penny wrote:
> On 03/12/15 16:06, Jonathan S. Fisher wrote:
> [...]
>
> Your DNS appears to be working :-)
> [...]
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer.
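Rowland's recap above (hostname consistency, the search and nameserver lines in /etc/resolv.conf, default_realm in /etc/krb5.conf, the SRV records, and nameservers that are DCs) written as a preflight script. This is an added example for this archive page; it is not code posted by anyone in the thread and not part of Samba. The sample resolv.conf files, krb5.conf, SRV answer and DC addresses are constructed from the values quoted in the thread; `--live` runs the same checks on the local host and assumes the `host` utility is installed. It goes one step beyond the recap by also resolving `_ldap._tcp.pdc._msdcs.<dns domain>`, the record Samba itself queries in the `-d 10` output later in the thread, and by requiring every nameserver to be one of the DC addresses rather than a forwarder.

```shell
#!/bin/sh
# ad_client_preflight.sh: the recap as checks. Added example; the samples
# and DC list below are constructed from values quoted in this thread.

# Print the target host of each "has SRV record" line of 'host -t SRV'
# output, trailing dot removed.
srv_targets() {
    printf '%s\n' "$1" | awk '/has SRV record/ { sub(/\.$/, "", $NF); print $NF }'
}

# Print every nameserver address in a resolv.conf.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Succeed if resolv.conf ($1) lists the DNS domain ($2) in its search list.
resolv_search_has() {
    awk -v d="$2" 'tolower($1) == "search" || tolower($1) == "domain" {
            for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Print default_realm from the [libdefaults] section of a krb5.conf.
krb5_default_realm() {
    awk -F= '/^[ \t]*\[/ { sect = $1; gsub(/[ \t]/, "", sect) }
        sect == "[libdefaults]" && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2
        }' "$1"
}

# Succeed only if resolv.conf ($1) has at least one nameserver and every one
# of them is a DC address. $2 is a newline-separated list of "address fqdn".
nameservers_are_dcs() {
    [ -n "$(resolv_nameservers "$1")" ] || return 1
    for ns in $(resolv_nameservers "$1"); do
        printf '%s\n' "$2" | awk -v ip="$ns" '$1 == ip { ok = 1 } END { exit (ok ? 0 : 1) }' || return 1
    done
}

# Succeed if 'hostname -f' ($3) equals 'hostname' ($1).'hostname -d' ($2).
fqdn_consistent() {
    [ "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" = "$(printf '%s.%s' "$1" "$2" | tr 'A-Z' 'a-z')" ]
}

# Run the recap against this host (assumes 'host' is installed).
run_live_checks() {
    short=$(hostname); domain=$(hostname -d); fqdn=$(hostname -f)
    realm=$(printf '%s' "$domain" | tr 'a-z' 'A-Z'); status=0; nl='
'
    fqdn_consistent "$short" "$domain" "$fqdn" ||
        { echo "FAIL: hostname -f gives '$fqdn', expected '$short.$domain'"; status=1; }
    resolv_search_has /etc/resolv.conf "$domain" ||
        { echo "FAIL: /etc/resolv.conf search list lacks $domain"; status=1; }
    [ "$(krb5_default_realm /etc/krb5.conf)" = "$realm" ] ||
        { echo "FAIL: /etc/krb5.conf default_realm is not $realm"; status=1; }
    # The record Samba queries in the -d 10 output, but built with the DNS
    # domain rather than the NetBIOS name, must exist.
    [ -n "$(srv_targets "$(host -t SRV "_ldap._tcp.pdc._msdcs.$domain")")" ] ||
        { echo "FAIL: no SRV record for _ldap._tcp.pdc._msdcs.$domain"; status=1; }
    dcs=""
    for t in $(srv_targets "$(host -t SRV "_ldap._tcp.$domain")"); do
        ip=$(host -t A "$t" | awk '/has address/ { print $NF; exit }')
        dcs="$dcs$ip $t$nl"
    done
    nameservers_are_dcs /etc/resolv.conf "$dcs" ||
        { echo "FAIL: a nameserver in /etc/resolv.conf is not one of the DCs:"; printf '%s' "$dcs"; status=1; }
    [ "$status" -eq 0 ] && echo "OK: all recap checks passed"
    return "$status"
}

# Constructed samples: the resolv.conf as posted (non-DC nameserver), one
# pointing at the two DCs, the krb5.conf, the SRV answer and the DC addresses.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'nameserver 192.168.127.129\nsearch windows.corp.XXX.com\n' > "$SAMPLE_DIR/resolv.posted"
printf 'nameserver 192.168.127.131\nnameserver 192.168.112.4\nsearch windows.corp.XXX.com\n' > "$SAMPLE_DIR/resolv.dcs"
printf '[libdefaults]\n    default_realm = WINDOWS.CORP.XXX.COM\n' > "$SAMPLE_DIR/krb5.conf"
SAMPLE_SRV='_ldap._tcp.windows.corp.XXX.com has SRV record 0 100 389 whiskey.windows.corp.XXX.com.
_ldap._tcp.windows.corp.XXX.com has SRV record 0 100 389 wine.windows.corp.XXX.com.'
SAMPLE_DCS='192.168.127.131 whiskey.windows.corp.XXX.com
192.168.112.4 wine.windows.corp.XXX.com'

if [ "${1:-}" = "--live" ]; then
    run_live_checks
else
    nameservers_are_dcs "$SAMPLE_DIR/resolv.posted" "$SAMPLE_DCS" ||
        echo "resolv.posted: 192.168.127.129 is not a DC address"
    nameservers_are_dcs "$SAMPLE_DIR/resolv.dcs" "$SAMPLE_DCS" &&
        echo "resolv.dcs: every nameserver is a DC"
fi
```

Run without arguments it checks the constructed samples; with `--live` it checks the host it runs on. The DC list is derived from the `_ldap._tcp.<domain>` SRV targets and their A records, so a resolver that merely forwards to the DCs, like the 192.168.127.129 server in this thread, is reported as a failure.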
From lingpanda101 at gmail.com Thu Dec 3 18:22:29 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 3 Dec 2015 13:22:29 -0500
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org>
Message-ID: <56608865.4030406@gmail.com>

On 12/3/2015 12:52 PM, Jonathan S. Fisher wrote:
> [...]
> jonathan.fisher at freeradius:~$ sudo net rpc info -UWINDOWS\\Administrator
> Unable to find a suitable server for domain WINDOWS
>
> Sigh. I really appreciate your guys' help. I know this thread is starting to drone on.
> [...]

Anything helpful if you run with a debug level of 10?

"sudo net rpc info -UWINDOWS\\Administrator -d 10"

--
-James

From jonathan at springventuregroup.com Thu Dec 3 19:01:20 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Thu, 3 Dec 2015 13:01:20 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <56608865.4030406@gmail.com>
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org> <56608865.4030406@gmail.com>
Message-ID:

Couple of questions...

* Is it safe to clear out the /var/cache/samba and rejoin?
* What is this lmhosts thing it's looking for?
* Is this what went wrong?
> internal_resolve_name: looking up WINDOWS#1b (sitename (null))

jonathan.fisher at freeradius:~$ sudo net rpc info -UWINDOWS\\Administrator -d 10
INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10
Processing section "[global]"
doing parameter netbios name = freeradius
doing parameter security = ADS
doing parameter workgroup = WINDOWS
doing parameter realm = WINDOWS.CORP.XXX.COM
doing parameter local master = no
doing parameter log file = /var/log/samba/%m.log
doing parameter log level = 3
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter winbind refresh tickets = yes
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = no
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind nested groups = yes
doing parameter load printers = no
doing parameter idmap config WINDOWS:backend = autorid
doing parameter idmap config WINDOWS:range = 10000-99999
doing parameter domain master = no
doing parameter local master = no
doing parameter preferred master = no
doing parameter template homedir = /home/%D/%U
doing parameter root preexec = /usr/local/sbin/mkhomedir.sh %U
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="FREERADIUS"
added interface eth0 ip=192.168.127.134 bcast=192.168.127.255 netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
internal_resolve_name: looking up WINDOWS#1b (sitename (null))
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/cache/samba/gencache_notrans.tdb
no entry for WINDOWS#1B found.
resolve_ads: Attempting to resolve PDC for WINDOWS using DNS
dns_send_req: Failed to resolve _ldap._tcp.pdc._msdcs.WINDOWS (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
internal_resolve_name: looking up WINDOWS#1b (sitename (null))
no entry for WINDOWS#1B found.
resolve_lmhosts: Attempting lmhosts lookup for name WINDOWS<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name WINDOWS<0x1b>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1b>
name_resolve_bcast: Attempting broadcast lookup for name WINDOWS<0x1b>
Unable to resolve PDC server address
Unable to find a suitable server for domain WINDOWS
failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
return code = -1
Freeing parametrics:

Jonathan S. Fisher
VP - Information Technology
Spring Venture Group

On Thu, Dec 3, 2015 at 12:22 PM, James wrote:
> On 12/3/2015 12:52 PM, Jonathan S. Fisher wrote:
> [...]
>
> Anything helpful if you run with a debug level of 10?
>
> "sudo net rpc info -UWINDOWS\\Administrator -d 10"
>
> --
> -James

From Michael.Tompkins at xerox.com Thu Dec 3 19:25:31 2015
From: Michael.Tompkins at xerox.com (Tompkins, Michael)
Date: Thu, 3 Dec 2015 19:25:31 +0000
Subject: [Samba] NT_STATUS_BAD_NETWORK_PATH writing/deleting files to MAC OS 10.9.5 server
Message-ID: <3DC32481DC539740B472688020FE7AC815E9FA10@USA7109MB022.na.xerox.net>

We have a workflow using smbclient that writes a lock directory and a lock file in that directory, creates another directory, writes some files, and then deletes the lock file and directory. If we do this one right after another, it eventually (after 5 to 10 tries) gives us back an NT_STATUS_BAD_NETWORK_PATH error. We have created scripts and sent the same workflow to our MAC server and another to a Windows 2012 server, and the Windows server has no problems with it. It appears to be a Mac issue since it happens using 3.6.5, 4.0.7, 4.1.17 and 4.1.19. I've scoured the web and can't find an answer. I'm hoping someone has seen a similar issue.

Regards,
Mike

From rpenny at samba.org Thu Dec 3 19:39:05 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 03 Dec 2015 19:39:05 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org>
Message-ID: <56609A59.4030304@samba.org>

On 03/12/15 17:52, Jonathan S. Fisher wrote:
> jonathan.fisher at freeradius:~$ sudo net ads join -Uadministrator
> Enter administrator's password:
> Using short domain name -- WINDOWS
> Joined 'FREERADIUS' to dns domain 'windows.corp.XXX.com'
> jonathan.fisher at freeradius:~$ hostname
> freeradius
> jonathan.fisher at freeradius:~$ hostname -d
> windows.corp.XXX.com
> jonathan.fisher at freeradius:~$ hostname -f
> freeradius.windows.corp.XXX.com
> jonathan.fisher at freeradius:~$ hostname -i
> 192.168.127.134
> jonathan.fisher at freeradius:~$ cat /etc/krb5.conf
> [libdefaults]
> default_realm = WINDOWS.CORP.XXX.COM
> jonathan.fisher at freeradius:~$ cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.127.129
> search windows.corp.XXX.com

OK, earlier you posted this:

192.168.127.131 whiskey.windows.corp.XXX.com whiskey
192.168.112.4 wine..windows.corp.XXX.com wine

So what is '192.168.127.129'? It certainly isn't one of your DCs, which is what it should be pointing at. I am sure I have said this before, but your AD domain clients must use a DC for a nameserver.

Fix this and I am fairly sure everything will work as it should.

Rowland

> jonathan.fisher at freeradius:~$ sudo net ads testjoin
> Join is OK
> [...]
> jonathan.fisher at freeradius:~$ sudo net rpc info -UWINDOWS\\Administrator
> Unable to find a suitable server for domain WINDOWS
>
> Sigh. I really appreciate your guys' help. I know this thread is starting to drone on.

From Michael.Tompkins at xerox.com Thu Dec 3 19:50:32 2015
From: Michael.Tompkins at xerox.com (Tompkins, Michael)
Date: Thu, 3 Dec 2015 19:50:32 +0000
Subject: [Samba] Cross-compiling 4.3.2 for Intel/PowerPC causes Python errors
Message-ID: <3DC32481DC539740B472688020FE7AC815E9FA4E@USA7109MB022.na.xerox.net>

We've been trying to cross-compile since 4.1 for PowerPC but were never able to get it to happen, and were told it broke with the introduction of Waf. Now we're trying for the latest release, and have read some things on the web saying improvements have been made in this area, but can't seem to get it to build. It appears it's trying to build Samba (we only use smbclient) for Intel, and also trying to build Python for Intel, but it really only needs to run on the compile server, a Linux i7, not our target systems, which are PowerPC and Intel systems. Is my understanding correct that Python is only needed during the configure and build stage for Samba? Any information on this would be greatly appreciated!
Regards,
Mike

From jra at samba.org Thu Dec 3 20:16:22 2015
From: jra at samba.org (Jeremy Allison)
Date: Thu, 3 Dec 2015 12:16:22 -0800
Subject: [Samba] NT_STATUS_BAD_NETWORK_PATH writing/deleting files to MAC OS 10.9.5 server
In-Reply-To: <3DC32481DC539740B472688020FE7AC815E9FA10@USA7109MB022.na.xerox.net>
References: <3DC32481DC539740B472688020FE7AC815E9FA10@USA7109MB022.na.xerox.net>
Message-ID: <20151203201622.GS816@jra3>

On Thu, Dec 03, 2015 at 07:25:31PM +0000, Tompkins, Michael wrote:
> We have a workflow using smbclient that writes a lock directory and lock file in that directory, creates another directory, writes some files, and then deletes the lock file and directory. If we do this one right after another, it eventually (after 5 to 10 tries) gives us back a NT_STATUS_BAD_NETWORK_PATH error.
> [...]

Please log a bug, and then upload debug level 10 traces and Wireshark traces of the problem.

Thanks !

Jeremy.

From jonathan at springventuregroup.com Thu Dec 3 20:29:47 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Thu, 3 Dec 2015 14:29:47 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <56609A59.4030304@samba.org>
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org> <56609A59.4030304@samba.org>
Message-ID:

192.168.127.129 is the core DNS server. It forwards anything in the windows subdomain straight to the DCs, so it doesn't matter if this client is pointed at the DC or the main DNS server. Either way, it still does the wrong behavior, which is use the short .WINDOWS instead of .WINDOWS.CORP.XXX.COM

I removed all .tdb files, purged /var/cache/samba, removed /etc/krb5.tdb, and deleted the computer account out of AD.

I have a feeling this line is significant, but I'm not sure what it means: internal_resolve_name: looking up WINDOWS#1b (sitename (null))

jonathan.fisher at freeradius:~$ hostname
freeradius
jonathan.fisher at freeradius:~$ hostname -d
windows.corp.XXX.com
jonathan.fisher at freeradius:~$ hostname -f
freeradius.windows.corp.XXX.com
jonathan.fisher at freeradius:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.127.131
nameserver 192.168.112.4
search windows.corp.XXX.com
jonathan.fisher at freeradius:~$ cat /etc/krb5.conf
[libdefaults]
default_realm = WINDOWS.CORP.XXX.COM
jonathan.fisher at freeradius:~$ sudo net ads join -Uadministrator
Enter administrator's password:
Using short domain name -- WINDOWS
Joined 'FREERADIUS' to dns domain 'windows.corp.XXX.com'
jonathan.fisher at freeradius:~$ sudo service sernet-samba-winbindd restart && sudo service sernet-samba-nmbd restart && sudo service sernet-samba-smbd restart
Shutting down SAMBA winbindd : * Warning: /usr/sbin/winbindd not running !
Starting SAMBA winbindd : * Warning: /var/run/samba/winbindd.pid exists !
*
Shutting down SAMBA nmbd : *
Starting SAMBA nmbd : *
Shutting down SAMBA smbd : *
Starting SAMBA smbd : *
jonathan.fisher at freeradius:~$ sudo service sernet-samba-winbindd restart && sudo service sernet-samba-nmbd restart && sudo service sernet-samba-smbd restart
Shutting down SAMBA winbindd : *
Starting SAMBA winbindd : *
Shutting down SAMBA nmbd : *
Starting SAMBA nmbd : *
Shutting down SAMBA smbd : *
Starting SAMBA smbd : *
jonathan.fisher at freeradius:~$ sudo wbinfo -i WINDOWS\\administrator
WINDOWS\administrator:*:4294967295:4294967295:Administrator:/home/WINDOWS/administrator:/bin/false
jonathan.fisher at freeradius:~$ sudo net rpc info -UWINDOWS\\Administrator
Unable to find a suitable server for domain WINDOWS
jonathan.fisher at freeradius:~$ sudo net rpc info -UWINDOWS\\Administrator -d 10
INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10 scavenger: 10 dns: 10 ldb: 10
Processing section "[global]"
doing parameter netbios name = freeradius
doing parameter security = ADS
doing parameter workgroup = WINDOWS
doing parameter realm = WINDOWS.CORP.XXX.COM
doing parameter local master = no
doing parameter log file = /var/log/samba/%m.log
doing parameter log level = 3
doing parameter dedicated keytab file = /etc/krb5.keytab
doing parameter kerberos method = secrets and keytab
doing parameter winbind refresh tickets = yes
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = no
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind nested groups = yes
doing parameter load printers = no
doing parameter idmap config WINDOWS:backend = autorid
doing parameter idmap config WINDOWS:range = 10000-99999
doing parameter domain master = no
doing parameter local master = no
doing parameter preferred master = no
doing parameter template homedir = /home/%D/%U
doing parameter root preexec = /usr/local/sbin/mkhomedir.sh %U
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Netbios name list:-
my_netbios_names[0]="FREERADIUS"
added interface eth0 ip=192.168.127.134 bcast=192.168.127.255 netmask=255.255.255.0
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
internal_resolve_name: looking up WINDOWS#1b (sitename (null))
Opening cache file at /var/cache/samba/gencache.tdb
Opening cache file at /var/cache/samba/gencache_notrans.tdb
no entry for WINDOWS#1B found.
resolve_ads: Attempting to resolve PDC for WINDOWS using DNS
dns_send_req: Failed to resolve _ldap._tcp.pdc._msdcs.WINDOWS (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
internal_resolve_name: looking up WINDOWS#1b (sitename (null))
no entry for WINDOWS#1B found.
resolve_lmhosts: Attempting lmhosts lookup for name WINDOWS<0x1b>
resolve_lmhosts: Attempting lmhosts lookup for name WINDOWS<0x1b>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: not appropriate for name type <0x1b>
name_resolve_bcast: Attempting broadcast lookup for name WINDOWS<0x1b>
Unable to resolve PDC server address
Unable to find a suitable server for domain WINDOWS
failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
return code = -1
Freeing parametrics:
jonathan.fisher at freeradius:~$

Jonathan S. Fisher
VP - Information Technology
Spring Venture Group

On Thu, Dec 3, 2015 at 1:39 PM, Rowland penny wrote:
> On 03/12/15 17:52, Jonathan S. Fisher wrote:
> [...]
> > nameserver 192.168.127.129
> > search windows.corp.XXX.com
>
> OK, earlier you posted this:
>
> 192.168.127.131 whiskey.windows.corp.XXX.com whiskey
> 192.168.112.4 wine..windows.corp.XXX.com wine
>
> So what is '192.168.127.129'? It certainly isn't one of your DCs, which is what it should be pointing at. I am sure I have said this before, but your AD domain clients must use a DC for a nameserver.
>
> Fix this and I am fairly sure everything will work as it should.
>
> Rowland
> [...]
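The `-d 10` output above records Samba's name-resolution order for the domain (gencache, DNS SRV, lmhosts, WINS, broadcast), which is what the earlier questions about lmhosts and the `internal_resolve_name` line are asking about. The script below reads that output and prints what each step means. It is an added example for this archive page, not code posted in the thread and not part of Samba; the log excerpt is constructed from the lines Jonathan posted. The point it flags is that the SRV query `_ldap._tcp.pdc._msdcs.WINDOWS` was built from the single-label NetBIOS domain name rather than the DNS domain, which is the query the debug output shows failing.

```shell
#!/bin/sh
# triage_resolution.sh: explain the name-resolution trail in 'net ... -d 10'
# output. Added example; SAMPLE_DEBUG is a constructed excerpt of the output
# posted in this thread.

SAMPLE_DEBUG=$(cat <<'EOF'
internal_resolve_name: looking up WINDOWS#1b (sitename (null))
no entry for WINDOWS#1B found.
resolve_ads: Attempting to resolve PDC for WINDOWS using DNS
dns_send_req: Failed to resolve _ldap._tcp.pdc._msdcs.WINDOWS (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
resolve_lmhosts: Attempting lmhosts lookup for name WINDOWS<0x1b>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: WINS server resolution selected and no WINS servers listed.
name_resolve_bcast: Attempting broadcast lookup for name WINDOWS<0x1b>
Unable to resolve PDC server address
Unable to find a suitable server for domain WINDOWS
EOF
)

# Print the domain part Samba appended after "_msdcs." in its SRV query.
srv_query_domain() {
    printf '%s\n' "$1" | sed -n 's/.*_msdcs\.\([^ ]*\).*/\1/p'
}

# Succeed if the name has no dot: a NetBIOS-style label, not a DNS domain.
is_single_label() {
    case "$1" in *.*) return 1 ;; *) return 0 ;; esac
}

# Read debug output on stdin; print one explanatory line per resolution step.
triage_resolution() {
    while IFS= read -r line; do
        case "$line" in
            "internal_resolve_name: looking up "*"#1b"*)
                name=${line#"internal_resolve_name: looking up "}; name=${name%%#*}
                echo "lookup: NetBIOS name $name<1b> (type 0x1b is the domain master browser, i.e. the PDC)" ;;
            "dns_send_req: Failed to resolve "*)
                q=${line#"dns_send_req: Failed to resolve "}; q=${q%% *}
                if is_single_label "$(srv_query_domain "$q")"; then
                    echo "dns: SRV query $q failed; its domain part is a single label (the NetBIOS domain name), not the DNS domain"
                else
                    echo "dns: SRV query $q failed; check the nameservers in /etc/resolv.conf"
                fi ;;
            "startlmhosts: Can't open lmhosts file "*)
                p=${line#*"lmhosts file "}; p=${p%% *}; p=${p%.}
                echo "lmhosts: no static NetBIOS name file at $p; this is only a fallback, like /etc/hosts for NetBIOS names" ;;
            "resolve_wins: "*"no WINS servers listed"*)
                echo "wins: no WINS server configured; fallback skipped" ;;
            "name_resolve_bcast: "*)
                echo "broadcast: last resort; only reaches a DC on the local subnet" ;;
            "Unable to resolve PDC server address")
                echo "result: every resolution method failed" ;;
        esac
    done
}

# With --stdin, triage real output piped in; otherwise run on the sample.
if [ "${1:-}" = "--stdin" ]; then
    triage_resolution
else
    printf '%s\n' "$SAMPLE_DEBUG" | triage_resolution
fi
```

On a real host the output is piped in, for example `sudo net rpc info -UWINDOWS\\Administrator -d 10 2>&1 | sh triage_resolution.sh --stdin`. Only the `dns_send_req` line carries a domain-level cause; the lmhosts, WINS and broadcast lines are fallbacks that are expected to fail on an AD member without NetBIOS infrastructure.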
From rpenny at samba.org Thu Dec 3 20:45:09 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 03 Dec 2015 20:45:09 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org> <56609A59.4030304@samba.org>
Message-ID: <5660A9D5.5070303@samba.org>

On 03/12/15 20:29, Jonathan S. Fisher wrote:
> 192.168.127.129 is the core DNS server. It forwards anything in the
> windows subdomain straight to the DCs, so it doesn't matter if this
> client is pointed at the DC or the main DNS server. Either way, it
> still does the wrong behavior, which is use the short .WINDOWS instead
> of .WINDOWS.CORP.XXX.COM

well it obviously isn't working your way, try pointing the client at a DC and *ignore* your main DNS server, also the WINDOWS you are referring to isn't your DNS domain, it is the NETBios domain name, it is one of the ways Samba works.

I am very sure I have said this before, but I will say it again, your AD DNS domain should be separate from your main DNS domain, your AD clients should use the AD DCs as their nameservers and anything they do not know about (i.e. google) should be forwarded to a DNS server that does, in your case, probably the dnsmasq server.

All I can add is that my AD domain (and probably everybody else's) works like the above and it *works*.

Rowland

>
> I removed all .tdb files, purged /var/cache/samba, removed
> /etc/krb5.tdb, and deleted the computer account out of AD.
>
> I have a feeling this line is significant, but I'm not sure what it
> means: internal_resolve_name: looking up WINDOWS#1b (sitename (null))
>
> jonathan.fisher at freeradius:~$ hostname
> freeradius
> jonathan.fisher at freeradius:~$ hostname -d
> windows.corp.XXX.com
> jonathan.fisher at freeradius:~$ hostname -f
> freeradius.windows.corp.XXX.com
> jonathan.fisher at freeradius:~$ cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.127.131
> nameserver 192.168.112.4
> search windows.corp.XXX.com
> jonathan.fisher at freeradius:~$ cat /etc/krb5.conf
> [libdefaults]
> default_realm = WINDOWS.CORP.XXX.COM
> jonathan.fisher at freeradius:~$ sudo net ads join -Uadministrator
> Enter administrator's password:
> Using short domain name -- WINDOWS
> Joined 'FREERADIUS' to dns domain 'windows.corp.XXX.com'
> jonathan.fisher at freeradius:~$ sudo service sernet-samba-winbindd restart && sudo service sernet-samba-nmbd restart && sudo service sernet-samba-smbd restart
> Shutting down SAMBA winbindd : * Warning: /usr/sbin/winbindd not running !
> Starting SAMBA winbindd : * Warning: /var/run/samba/winbindd.pid exists !
> *
> Shutting down SAMBA nmbd : *
> Starting SAMBA nmbd : *
> Shutting down SAMBA smbd : *
> Starting SAMBA smbd : *
> jonathan.fisher at freeradius:~$ sudo service sernet-samba-winbindd restart && sudo service sernet-samba-nmbd restart && sudo service sernet-samba-smbd restart
> Shutting down SAMBA winbindd : *
> Starting SAMBA winbindd : *
> Shutting down SAMBA nmbd : *
> Starting SAMBA nmbd : *
> Shutting down SAMBA smbd : *
> Starting SAMBA smbd : *
> jonathan.fisher at freeradius:~$ sudo wbinfo -i WINDOWS\\administrator
> WINDOWS\administrator:*:4294967295:4294967295:Administrator:/home/WINDOWS/administrator:/bin/false
> jonathan.fisher at freeradius:~$ sudo net rpc info -UWINDOWS\\Administrator
> Unable to find a suitable server for domain WINDOWS
> jonathan.fisher at freeradius:~$ sudo net rpc info -UWINDOWS\\Administrator -d 10
> INFO: Current debug levels:
>   all: 10
>   tdb: 10
>   printdrivers: 10
>   lanman: 10
>   smb: 10
>   rpc_parse: 10
>   rpc_srv: 10
>   rpc_cli: 10
>   passdb: 10
>   sam: 10
>   auth: 10
>   winbind: 10
>   vfs: 10
>   idmap: 10
>   quota: 10
>   acls: 10
>   locking: 10
>   msdfs: 10
>   dmapi: 10
>   registry: 10
>   scavenger: 10
>   dns: 10
>   ldb: 10
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
>   all: 10
>   tdb: 10
>   printdrivers: 10
>   lanman: 10
>   smb: 10
>   rpc_parse: 10
>   rpc_srv: 10
>   rpc_cli: 10
>   passdb: 10
>   sam: 10
>   auth: 10
>   winbind: 10
>   vfs: 10
>   idmap: 10
>   quota: 10
>   acls: 10
>   locking: 10
>   msdfs: 10
>   dmapi: 10
>   registry: 10
>   scavenger: 10
>   dns: 10
>   ldb: 10
> Processing section "[global]"
> doing parameter netbios name = freeradius
> doing parameter security = ADS
> doing parameter workgroup = WINDOWS
> doing parameter realm = WINDOWS.CORP.XXX.COM
> doing parameter local master = no
> doing parameter log file = /var/log/samba/%m.log
> doing parameter log level = 3
> doing parameter dedicated keytab file = /etc/krb5.keytab
> doing parameter kerberos method = secrets and keytab
> doing parameter winbind refresh tickets = yes
> doing parameter winbind trusted domains only = no
> doing parameter winbind use default domain = no
> doing parameter winbind enum users = yes
> doing parameter winbind enum groups = yes
> doing parameter winbind nested groups = yes
> doing parameter load printers = no
> doing parameter idmap config WINDOWS:backend = autorid
> doing parameter idmap config WINDOWS:range = 10000-99999
> doing parameter domain master = no
> doing parameter local master = no
> doing parameter preferred master = no
> doing parameter template homedir = /home/%D/%U
> doing parameter root preexec = /usr/local/sbin/mkhomedir.sh %U
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> Netbios name list:-
> my_netbios_names[0]="FREERADIUS"
> added interface eth0 ip=192.168.127.134 bcast=192.168.127.255 netmask=255.255.255.0
> Registering messaging pointer for type 2 - private_data=(nil)
> Registering messaging pointer for type 9 - private_data=(nil)
> Registered MSG_REQ_POOL_USAGE
> Registering messaging pointer for type 11 - private_data=(nil)
> Registering messaging pointer for type 12 - private_data=(nil)
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Registering messaging pointer for type 1 - private_data=(nil)
> Registering messaging pointer for type 5 - private_data=(nil)
> internal_resolve_name: looking up WINDOWS#1b (sitename (null))
> Opening cache file at /var/cache/samba/gencache.tdb
> Opening cache file at /var/cache/samba/gencache_notrans.tdb
> no entry for WINDOWS#1B found.
> resolve_ads: Attempting to resolve PDC for WINDOWS using DNS
> dns_send_req: Failed to resolve _ldap._tcp.pdc._msdcs.WINDOWS (Success)
> ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
> internal_resolve_name: looking up WINDOWS#1b (sitename (null))
> no entry for WINDOWS#1B found.
> resolve_lmhosts: Attempting lmhosts lookup for name WINDOWS<0x1b>
> resolve_lmhosts: Attempting lmhosts lookup for name WINDOWS<0x1b>
> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> resolve_wins: WINS server resolution selected and no WINS servers listed.
> resolve_hosts: not appropriate for name type <0x1b>
> name_resolve_bcast: Attempting broadcast lookup for name WINDOWS<0x1b>
> Unable to resolve PDC server address
> Unable to find a suitable server for domain WINDOWS
> failed to make ipc connection: NT_STATUS_UNSUCCESSFUL
> return code = -1
> Freeing parametrics:
> jonathan.fisher at freeradius:~$
>

From jonathan at springventuregroup.com Thu Dec 3 20:45:24 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Thu, 3 Dec 2015 14:45:24 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org> <56609A59.4030304@samba.org>
Message-ID:

Ok, I really do think that line is significant, I checked in AD and my sitename is "Default-First-Site-Name"
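The `-d 10` output quoted above shows exactly where `net` gives up: the SRV query goes out for `_ldap._tcp.pdc._msdcs.WINDOWS`, so the `_msdcs` records are being looked up under the NetBIOS domain name instead of under the DNS realm, no DC can be located, and the lmhosts, WINS and broadcast fallbacks that follow were never going to rescue it. As an added example (not code from this list or from Samba), the Python 3 script below pulls the echoed smb.conf parameters and the failed SRV query out of such a dump, checks the query's zone against the realm, and checks that every nameserver in resolv.conf is one of the DCs, which is the point Rowland keeps returning to. The sample debug lines, resolv.conf body and DC address set are constructed from the output quoted in this thread (XXX.com is the poster's own redaction, kept as posted); the function names are mine.

```python
"""Diagnose why 'net' cannot find a DC from a 'net rpc info -d 10' dump.

Added example (not Samba's code and not from the list): it parses the debug
lines Samba prints and the client's resolv.conf and reports the checks this
thread turns on. Function names and sample data are constructed here.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the decisive lines from the -d 10 output quoted in the
# thread (XXX.com is the poster's own redaction, kept as posted).
SAMPLE_DEBUG = """\
doing parameter workgroup = WINDOWS
doing parameter realm = WINDOWS.CORP.XXX.COM
internal_resolve_name: looking up WINDOWS#1b (sitename (null))
resolve_ads: Attempting to resolve PDC for WINDOWS using DNS
dns_send_req: Failed to resolve _ldap._tcp.pdc._msdcs.WINDOWS (Success)
ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
resolve_wins: WINS server resolution selected and no WINS servers listed.
Unable to find a suitable server for domain WINDOWS
"""

# Constructed from the resolv.conf and hosts entries quoted in the thread.
SAMPLE_RESOLV_CONF = "nameserver 192.168.127.131\nnameserver 192.168.112.4\nsearch windows.corp.XXX.com\n"
SAMPLE_DC_ADDRS = {"192.168.127.131", "192.168.112.4"}

PARAM_RE = re.compile(r"^doing parameter (.+?) = (.*)$")
SRV_FAIL_RE = re.compile(r"^dns_send_req: Failed to resolve (\S+)")
LMHOSTS_RE = re.compile(r"^startlmhosts: Can't open lmhosts file (\S+)\.")
NO_SERVER_RE = re.compile(r"^Unable to find a suitable server for domain (\S+)")


def parse_parameters(debug_text: str) -> Dict[str, str]:
    """smb.conf values as echoed by the 'doing parameter name = value' lines."""
    params: Dict[str, str] = {}
    for line in debug_text.splitlines():
        m = PARAM_RE.match(line.strip())
        if m:
            params[m.group(1).strip()] = m.group(2).strip()
    return params


def failed_srv_lookups(debug_text: str) -> List[str]:
    """SRV names that dns_send_req reported as unresolvable."""
    names: List[str] = []
    for line in debug_text.splitlines():
        m = SRV_FAIL_RE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def srv_zone(srv_name: str) -> str:
    """The DNS zone an _msdcs SRV name is rooted in ('' if it is not an _msdcs name)."""
    marker = "._msdcs."
    idx = srv_name.find(marker)
    return srv_name[idx + len(marker):].rstrip(".") if idx >= 0 else ""


def nameservers(resolv_text: str) -> List[str]:
    """Nameserver addresses listed in a resolv.conf body."""
    out: List[str] = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def non_dc_nameservers(resolv_text: str, dc_addrs: Set[str]) -> List[str]:
    """Nameservers that are not domain controllers (the recurring mistake in this thread)."""
    return [ns for ns in nameservers(resolv_text) if ns not in dc_addrs]


def diagnose(debug_text: str, resolv_text: str, dc_addrs: Set[str]) -> List[str]:
    """Return human-readable findings, in the order the checks run."""
    findings: List[str] = []
    realm = parse_parameters(debug_text).get("realm", "")
    # 1. The _msdcs SRV records live under the DNS realm; a query rooted in the
    #    NetBIOS name (the 'workgroup' value) can never find a DC.
    for name in failed_srv_lookups(debug_text):
        zone = srv_zone(name)
        if realm and zone and zone.lower() != realm.lower():
            expected = name[: len(name) - len(zone)] + realm.lower()
            findings.append(f"SRV lookup {name}: zone {zone!r} is not the realm {realm!r}; expected {expected}")
    # 2. Every nameserver on an AD client must be a DC.
    for ns in non_dc_nameservers(resolv_text, dc_addrs):
        findings.append(f"nameserver {ns} is not a domain controller")
    # 3. Context: the lmhosts miss is harmless, the final line is the verdict.
    for line in debug_text.splitlines():
        m = LMHOSTS_RE.match(line.strip())
        if m:
            findings.append(f"info: {m.group(1)} absent; harmless with the default name resolve order")
        m = NO_SERVER_RE.match(line.strip())
        if m:
            findings.append(f"net gave up: no DC found for domain {m.group(1)!r}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG, SAMPLE_RESOLV_CONF, SAMPLE_DC_ADDRS):
        print(finding)
```

Run against a real dump, the script takes the `-d 10` text on stdin or from a file of your own choosing and the DC addresses from the AD DNS zone; the nameserver check is what distinguishes the earlier resolv.conf in this thread (pointing at 192.168.127.129) from the later one that lists only the two DCs.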
From rpenny at samba.org Thu Dec 3 20:49:01 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 03 Dec 2015 20:49:01 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org> <56609A59.4030304@samba.org>
Message-ID: <5660AABD.7030201@samba.org>

On 03/12/15 20:45, Jonathan S. Fisher wrote:
> Ok, I really do think that line is significant, I checked in AD and my
> sitename is "Default-First-Site-Name"
>

Words fail me, unless you explicitly set your site name when you provision, your site name will be "Default-First-Site-Name"

Rowland

From jonathan at springventuregroup.com Thu Dec 3 20:54:55 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Thu, 3 Dec 2015 14:54:55 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <5660AABD.7030201@samba.org>
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org> <56609A59.4030304@samba.org> <5660AABD.7030201@samba.org>
Message-ID:

> unless you explicitly set your site name when you provision

I guess we didn't. Is that an issue? I still wonder why that says "null" when, even if we used the default, our sitename is not null.

> well it obviously isn't working your way

To be sure, I took a packet capture. It shows the DNS is going straight to the DCs, so in reality it is working the way you are describing: It is ignoring the main DNS server. Here, check this out:

jonathan.fisher at freeradius:~$ nslookup whiskey.windows.corp.XXX.com
*Server: 192.168.127.131*
Address: 192.168.127.131#53

Name: whiskey.windows.corp.XXX.com
Address: 192.168.127.131

From rpenny at samba.org Thu Dec 3 21:06:07 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 03 Dec 2015 21:06:07 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org> <56609A59.4030304@samba.org> <5660AABD.7030201@samba.org>
Message-ID: <5660AEBF.7020706@samba.org>

On 03/12/15 20:54, Jonathan S. Fisher wrote:
> > unless you explicitly set your site name when you provision
> I guess we didn't. Is that an issue? I still wonder why that says
> "null" when, even if we used the default, our sitename is not null.
>

No it isn't an issue, why are you now worrying about something that has nothing to do with your problem.

> > well it obviously isn't working your way
> To be sure, I took a packet capture.
> It shows the DNS is going straight to the DCs, so in reality it is
> working the way you are describing: It is ignoring the main DNS server.
> Here, check this out:
>
> jonathan.fisher at freeradius:~$ nslookup whiskey.windows.corp.XXX.com
> *Server: 192.168.127.131*
> Address: 192.168.127.131#53
>
> Name: whiskey.windows.corp.XXX.com
> Address: 192.168.127.131
>

Look, I will say it again, a bit more forcefully this time, *DO NOT USE ANYTHING BUT YOUR DCs AS NAMESERVERS ON YOUR AD CLIENTS*

Rowland

From jonathan at springventuregroup.com Thu Dec 3 21:12:49 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Thu, 3 Dec 2015 15:12:49 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <5660AEBF.7020706@samba.org>
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org> <56609A59.4030304@samba.org> <5660AABD.7030201@samba.org> <5660AEBF.7020706@samba.org>
Message-ID:

Rowland, I hear and understand you loud and clear. If you could point out below what is the problem, because the client seems to be configured correctly as you have asked:

root at freeradius:~# nslookup 192.168.127.131
Server: 192.168.127.131
Address: 192.168.127.131#53

Non-authoritative answer:
131.127.168.192.in-addr.arpa name = whiskey.windows.corp.XXX.com.

Authoritative answers can be found from:

root at freeradius:~# nslookup 192.168.112.4
Server: 192.168.127.131
Address: 192.168.127.131#53

Non-authoritative answer:
4.112.168.192.in-addr.arpa name = wine.windows.corp.XXX.com.

Authoritative answers can be found from:

root at freeradius:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.127.131
nameserver 192.168.112.4
search windows.corp.XXX.com

Both of those are DCs, both of them resolve correctly forward and reverse, and both of them are in resolv.conf... is this incorrect yes/no?

*Jonathan S. Fisher*
*VP - Information Technology*
*Spring Venture Group*

From rpenny at samba.org Thu Dec 3 21:47:48 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 03 Dec 2015 21:47:48 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org> <56609A59.4030304@samba.org> <5660AABD.7030201@samba.org> <5660AEBF.7020706@samba.org>
Message-ID: <5660B884.5030700@samba.org>

On 03/12/15 21:12, Jonathan S. Fisher wrote:
> Rowland, I hear and understand you loud and clear. If you could point
> out below what is the problem, because the client seems to be
> configured correctly as you have asked:
>
> root at freeradius:~# nslookup 192.168.127.131
> Server: 192.168.127.131
> Address: 192.168.127.131#53
>
> Non-authoritative answer:
> 131.127.168.192.in-addr.arpa name = whiskey.windows.corp.XXX.com.
>
> Authoritative answers can be found from:
>
> root at freeradius:~# nslookup 192.168.112.4
> Server: 192.168.127.131
> Address: 192.168.127.131#53
>
> Non-authoritative answer:
> 4.112.168.192.in-addr.arpa name = wine.windows.corp.XXX.com.
>
> Authoritative answers can be found from:
>
> root at freeradius:~# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.127.131
> nameserver 192.168.112.4
> search windows.corp.XXX.com
>
> Both of those are DCs, both of them resolve correctly forward and
> reverse, and both of them are in resolv.conf... is this incorrect yes/no?
>

This is what I would expect to see and the net command should now work. What you seem to be mixing up, is the NETBios name 'WINDOWS' with the dns domain/realm name 'windows.corps.xxx.com', Samba uses the first in searches but also uses the second in its dns/realm searches.

Your problem (as far as I can see) is being caused by Samba not being able to find any DCs due to a DNS problem. Active Directory is based heavily around DNS, if you get this wrong, then everything fails, this is why it is recommended to use a separate dns domain for the AD domain i.e. if your registered domain is 'example.com' use 'internal.example.com' instead.

Rowland

From jonathan at springventuregroup.com Thu Dec 3 21:55:15 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Thu, 3 Dec 2015 15:55:15 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <5660B884.5030700@samba.org>
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org> <56609A59.4030304@samba.org> <5660AABD.7030201@samba.org> <5660AEBF.7020706@samba.org> <5660B884.5030700@samba.org>
Message-ID:

It doesn't work, even with the DNS set as such:

root at freeradius:~# sudo net rpc info -UWINDOWS\\Administrator
Unable to find a suitable server for domain WINDOWS

Our registered domain is XXX.com. corp.XXX.com and windows.corp.XXX.com are internal and not resolvable on any public DNS server.
I was curious if anyone else had any comments on these two questions I had:

* What is this lmhosts thing it's looking for?
* Is this what went wrong?
> internal_resolve_name: looking up WINDOWS#1b (sitename (null))

What is lmhosts?
What does it think our sitename is null?

From rpenny at samba.org Thu Dec 3 22:08:08 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 03 Dec 2015 22:08:08 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <56603E91.5020601@gmail.com> <56604054.3060000@samba.org> <56606D3E.4050908@samba.org> <56609A59.4030304@samba.org> <5660AABD.7030201@samba.org> <5660AEBF.7020706@samba.org> <5660B884.5030700@samba.org>
Message-ID: <5660BD48.10006@samba.org>

On 03/12/15 21:55, Jonathan S. Fisher wrote:
> It doesn't work, even with the DNS set as such:
>
> root at freeradius:~# sudo net rpc info -UWINDOWS\\Administrator
> Unable to find a suitable server for domain WINDOWS
>
> Our registered domain is XXX.com. corp.XXX.com
> and windows.corp.XXX.com are internal
> and not resolvable on any public DNS server.
>
> I was curious if anyone else had any comments on these two questions I
> had:
>
> * What is this lmhosts thing it's looking for?

lmhosts is the windows version of /etc/hosts, if you have a line in
smb.conf that references this, I would suggest you remove it unless it
matches the default one: name resolve order = lmhosts wins host bcast

> * Is this what went wrong? > internal_resolve_name: looking up
> WINDOWS#1b (sitename (null))

Possibly, but your client should find everything via DNS.
Does your smb.conf match the one that can be found on the Samba wiki
(with changes for your NETBios name & realm)? This is known to work.

Rowland

>
> What is lmhosts?
> What does it think our sitename is null?
>
>

From nick.couchman at seakr.com Thu Dec 3 22:54:21 2015
From: nick.couchman at seakr.com (Nick Couchman)
Date: Thu, 3 Dec 2015 15:54:21 -0700 (MST)
Subject: [Samba] Linux & NFSv4 ACLs
Message-ID: <1741451491.2972398.1449183261663.JavaMail.zimbra@seakr.com>

I have a situation where I need to share, via Samba, a filesystem mounted via NFSv4. I'm struggling with the best way to make Samba see the NFSv4 ACLs and enumerate them to provide the proper SMB/CIFS access to the files, instead of "Access Denied" errors that I currently get.

Looking at the Samba source, the only obvious NFSv4 stuff appears to be the following:
- zfsacl, available only on Solaris or FreeBSD, which provides NFSv4 ACL support simply because that's what ZFS uses. Don't see a way to use this on Linux.
- gpfs, available only if you happen to have the GPFS code/headers installed (gpfs_gpl.h), and I cannot find an obvious place to get those, or if they are even freely-available.
- aixacl/aixacl2, looks like it only works on AIX.

First, am I correct in the above findings - that there is no way to operate any of these three modules on Linux out of the box? Second, am I missing something obvious related to NFSv4 ACLs on Linux, or is there some other VFS module somewhere that supports NFSv4 ACLs?
Also, no, it is not an option to mount the filesystems in question with NFSv3 + ACLs - due to NFS referrals, automatic mounting of sub-filesystems, etc., I really need it to use NFSv4.

Any advice?

-Nick

From jra at samba.org Fri Dec 4 00:23:34 2015
From: jra at samba.org (Jeremy Allison)
Date: Thu, 3 Dec 2015 16:23:34 -0800
Subject: [Samba] Linux & NFSv4 ACLs
In-Reply-To: <1741451491.2972398.1449183261663.JavaMail.zimbra@seakr.com>
References: <1741451491.2972398.1449183261663.JavaMail.zimbra@seakr.com>
Message-ID: <20151204002334.GY816@jra3>

On Thu, Dec 03, 2015 at 03:54:21PM -0700, Nick Couchman wrote:
> I have a situation where I need to share, via Samba, a filesystem mounted via NFSv4. I'm struggling with the best way to make Samba see the NFSv4 ACLs and enumerate them to provide the proper SMB/CIFS access to the files, instead of "Access Denied" errors that I currently get.
>
> Looking at the Samba source, the only obvious NFSv4 stuff appears to be the following:
> - zfsacl, available only on Solaris or FreeBSD, which provides NFSv4 ACL support simply because that's what ZFS uses. Don't see a way to use this on Linux.
> - gpfs, available only if you happen to have the GPFS code/headers installed (gpfs_gpl.h), and I cannot find an obvious place to get those, or if they are even freely-available.
> - aixacl/aixacl2, looks like it only works on AIX.
>
> First, am I correct in the above findings - that there is no way to operate any of these three modules on Linux out of the box?
> Second, am I missing something obvious related to NFSv4 ACLs on Linux, or is there some other VFS module somewhere that supports NFSv4 ACLs?
>
> Also, no, it is not an option to mount the filesystems in question with NFSv3 + ACLs - due to NFS referrals, automatic mounting of sub-filesystems, etc., I really need it to use NFSv4.
>
> Any advice?

How are the NFSv4 ACLs exposed to Linux command-line
tools? Are there such?

From nick.couchman at seakr.com Fri Dec 4 01:03:39 2015
From: nick.couchman at seakr.com (Nick Couchman)
Date: Thu, 3 Dec 2015 18:03:39 -0700 (MST)
Subject: [Samba] Linux & NFSv4 ACLs
In-Reply-To: <20151204002334.GY816@jra3>
References: <1741451491.2972398.1449183261663.JavaMail.zimbra@seakr.com> <20151204002334.GY816@jra3>
Message-ID: <88B4D9E2-2B27-4374-A0FB-FD1F8189CF84@seakr.com>

> On Dec 3, 2015, at 17:24, Jeremy Allison wrote:
>
>> On Thu, Dec 03, 2015 at 03:54:21PM -0700, Nick Couchman wrote:
>> I have a situation where I need to share, via Samba, a filesystem mounted via NFSv4. I'm struggling with the best way to make Samba see the NFSv4 ACLs and enumerate them to provide the proper SMB/CIFS access to the files, instead of "Access Denied" errors that I currently get.
>>
>> Looking at the Samba source, the only obvious NFSv4 stuff appears to be the following:
>> - zfsacl, available only on Solaris or FreeBSD, which provides NFSv4 ACL support simply because that's what ZFS uses. Don't see a way to use this on Linux.
>> - gpfs, available only if you happen to have the GPFS code/headers installed (gpfs_gpl.h), and I cannot find an obvious place to get those, or if they are even freely-available.
>> - aixacl/aixacl2, looks like it only works on AIX.
>>
>> First, am I correct in the above findings - that there is no way to operate any of these three modules on Linux out of the box? Second, am I missing something obvious related to NFSv4 ACLs on Linux, or is there some other VFS module somewhere that supports NFSv4 ACLs?
>>
>> Also, no, it is not an option to mount the filesystems in question with NFSv3 + ACLs - due to NFS referrals, automatic mounting of sub-filesystems, etc., I really need it to use NFSv4.
>>
>> Any advice?
>
> How are the NFSv4 ACLs exposed to Linux command-line
> tools? Are there such?

Yeah, CentOS 7 has nfs4_getfacl and nfs4_setfacl. Will send example output.

From jra at samba.org Fri Dec 4 01:13:51 2015
From: jra at samba.org (Jeremy Allison)
Date: Thu, 3 Dec 2015 17:13:51 -0800
Subject: [Samba] Linux & NFSv4 ACLs
In-Reply-To: <88B4D9E2-2B27-4374-A0FB-FD1F8189CF84@seakr.com>
References: <1741451491.2972398.1449183261663.JavaMail.zimbra@seakr.com> <20151204002334.GY816@jra3> <88B4D9E2-2B27-4374-A0FB-FD1F8189CF84@seakr.com>
Message-ID: <20151204011351.GB30269@jra3>

On Thu, Dec 03, 2015 at 06:03:39PM -0700, Nick Couchman wrote:
>
> > On Dec 3, 2015, at 17:24, Jeremy Allison wrote:
> >
> >> On Thu, Dec 03, 2015 at 03:54:21PM -0700, Nick Couchman wrote:
> >> I have a situation where I need to share, via Samba, a filesystem mounted via NFSv4. I'm struggling with the best way to make Samba see the NFSv4 ACLs and enumerate them to provide the proper SMB/CIFS access to the files, instead of "Access Denied" errors that I currently get.
> >>
> >> Looking at the Samba source, the only obvious NFSv4 stuff appears to be the following:
> >> - zfsacl, available only on Solaris or FreeBSD, which provides NFSv4 ACL support simply because that's what ZFS uses. Don't see a way to use this on Linux.
> >> - gpfs, available only if you happen to have the GPFS code/headers installed (gpfs_gpl.h), and I cannot find an obvious place to get those, or if they are even freely-available.
> >> - aixacl/aixacl2, looks like it only works on AIX.
> >>
> >> First, am I correct in the above findings - that there is no way to operate any of these three modules on Linux out of the box? Second, am I missing something obvious related to NFSv4 ACLs on Linux, or is there some other VFS module somewhere that supports NFSv4 ACLs?
> >>
> >> Also, no, it is not an option to mount the filesystems in question with NFSv3 + ACLs - due to NFS referrals, automatic mounting of sub-filesystems, etc., I really need it to use NFSv4.
> >>
> >> Any advice?
> >
> > How are the NFSv4 ACLs exposed to Linux command-line
> > tools? Are there such?
>
> Yeah, CentOS 7 has nfs4_getfacl and nfs4_setfacl. Will send example output.

OK, what I need is access to the source code of
these to see how they're getting programmatic
access to the ACL data.

Given that it shouldn't be too hard to adapt
source3/modules/vfs_nfs4acl_xattr.c to use the
underlying API these tools use.
From nick.couchman at seakr.com Fri Dec 4 02:31:36 2015
From: nick.couchman at seakr.com (Nick Couchman)
Date: Thu, 3 Dec 2015 19:31:36 -0700 (MST)
Subject: [Samba] Linux & NFSv4 ACLs
In-Reply-To: <1423175629.3000616.1449196277868.JavaMail.zimbra@seakr.com>
References: <1741451491.2972398.1449183261663.JavaMail.zimbra@seakr.com> <20151204002334.GY816@jra3> <88B4D9E2-2B27-4374-A0FB-FD1F8189CF84@seakr.com> <20151204011351.GB30269@jra3>
Message-ID: <2046438122.3000623.1449196296226.JavaMail.zimbra@seakr.com>

----- Original Message -----
> From: "Jeremy Allison"
> To: "Nick E Couchman"
> Cc: samba at lists.samba.org
> Sent: Thursday, December 3, 2015 6:13:51 PM
> Subject: Re: [Samba] Linux & NFSv4 ACLs

> On Thu, Dec 03, 2015 at 06:03:39PM -0700, Nick Couchman wrote:
>>
>> > On Dec 3, 2015, at 17:24, Jeremy Allison wrote:
>> >
>> >> On Thu, Dec 03, 2015 at 03:54:21PM -0700, Nick Couchman wrote:
>> >> I have a situation where I need to share, via Samba, a filesystem mounted via
>> >> NFSv4. I'm struggling with the best way to make Samba see the NFSv4 ACLs and
>> >> enumerate them to provide the proper SMB/CIFS access to the files, instead of
>> >> "Access Denied" errors that I currently get.
>> >>
>> >> Looking at the Samba source, the only obvious NFSv4 stuff appears to be the
>> >> following:
>> >> - zfsacl, available only on Solaris or FreeBSD, which provides NFSv4 ACL support
>> >> simply because that's what ZFS uses. Don't see a way to use this on Linux.
>> >> - gpfs, available only if you happen to have the GPFS code/headers installed
>> >> (gpfs_gpl.h), and I cannot find an obvious place to get those, or if they are
>> >> even freely-available.
>> >> - aixacl/aixacl2, looks like it only works on AIX.
>> >>
>> >> First, am I correct in the above findings - that there is no way to operate any
>> >> of these three modules on Linux out of the box?
>> >> Second, am I missing something
>> >> obvious related to NFSv4 ACLs on Linux, or is there some other VFS module
>> >> somewhere that supports NFSv4 ACLs?
>> >>
>> >> Also, no, it is not an option to mount the filesystems in question with NFSv3 +
>> >> ACLs - due to NFS referrals, automatic mounting of sub-filesystems, etc., I
>> >> really need it to use NFSv4.
>> >>
>> >> Any advice?
>> >
>> > How are the NFSv4 ACLs exposed to Linux command-line
>> > tools? Are there such?
>>
>> Yeah, CentOS 7 has nfs4_getfacl and nfs4_setfacl. Will send example output.
>
> OK, what I need is access to the source code of
> these to see how they're getting programmatic
> access to the ACL data.
>
> Given that it shouldn't be too hard to adapt
> source3/modules/vfs_nfs4acl_xattr.c to use the
> underlying API these tools use.

Try these pages (U Michigan):
http://www.citi.umich.edu/projects/nfsv4/linux/nfs4-acl-tools/
http://www.citi.umich.edu/projects/nfsv4/linux/

and here:
http://wiki.linux-nfs.org/wiki/index.php/ACLs

I'm pretty sure that first link is the source that the RHEL/CentOS tools come from.

Here's output from YUM on CentOS:

[root at snapshots ~]# yum whatprovies *bin/nfs4_getfacl
Loaded plugins: fastestmirror
No such command: whatprovies. Please use /usr/bin/yum --help
[root at snapshots ~]# yum whatprovides *bin/nfs4_getfacl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * extras: linux.mirrors.es.net
nfs4-acl-tools-0.3.3-13.el7.x86_64 : The nfs4 ACL tools
Repo        : base
Matched from:
Filename    : /usr/bin/nfs4_getfacl

-Nick
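Jeremy's question above (how the ACLs reach Linux command-line tools) and the nfs4-acl-tools pointer in this reply both come down to the text those tools print: nfs4_getfacl writes one ACE per line as type:flags:principal:mask, while getfacl on FreeBSD/ZFS writes principal:permissions:flags:type with a different letter set for the same NFSv4 mask bits (the FreeBSD layout appears in the ZFS thread further down this archive). The Python below is an added example, not code from nfs4-acl-tools, Samba or any poster. It parses both layouts into one representation, evaluates a request with the ordered first-match ACE processing that the NFSv4 RFCs (RFC 3530, RFC 5661) define, and reports two things worth reviewing on a shared export: write-class bits granted to EVERYONE@, and deny entries placed after an EVERYONE@ allow of the same bits, which first-match evaluation makes ineffective. The sample listings, principal names and the requester model (owner, owning group, group membership) are constructed for the example.

```python
"""Parse NFSv4 ACL text from nfs4_getfacl (Linux nfs4-acl-tools) or FreeBSD/ZFS
getfacl and evaluate access with the ordered first-match ACE processing of the
NFSv4 RFCs (RFC 3530, RFC 5661). Added example for this thread, not code from
nfs4-acl-tools or Samba; sample ACLs and principals are constructed."""
from dataclasses import dataclass
from typing import List, Set

# nfs4_setfacl(1) letters: r read/list, w write/create file, a append/create
# subdir, x execute, d delete, D delete child, t/T attributes, n/N named
# attributes, c/C read/write ACL, o write owner, y synchronize.
NFS4_PERMS = set("rwaxdDtTnNcCoy")
WRITE_CLASS = set("wadDCo")  # bits that change data, children, ACL or owner
# FreeBSD getfacl letters -> nfs4-acl-tools letters (same NFSv4 mask bits).
FREEBSD_PERM_MAP = dict(zip("rwxpDdaARWcCos", "rwxaDdtTnNcCoy"))
FREEBSD_TYPE_MAP = {"allow": "A", "deny": "D", "audit": "U", "alarm": "L"}

@dataclass
class Ace:
    kind: str        # A allow, D deny, U audit, L alarm
    flags: Set[str]  # f d i n inheritance flags; g marks a group principal
    who: str         # OWNER@, GROUP@, EVERYONE@ or a named principal
    perms: Set[str]

@dataclass
class Requester:
    name: str              # principal name as written in named ACEs
    groups: Set[str]       # group principals the requester belongs to
    is_owner: bool         # requester owns the object
    in_owning_group: bool  # requester is in the object's owning group

def parse_ace(line: str) -> Ace:
    """Accept 'A:fdg:who:rwaDx' (Linux) or 'who:rwxpDd..:fd----:allow' (FreeBSD)."""
    parts = line.split(":")
    if parts[-1] in FREEBSD_TYPE_MAP:     # FreeBSD: [user|group:]name:perms:flags:type
        who = parts[1] if len(parts) == 5 else parts[0]
        flags = {c for c in parts[-2] if c in "fdin"}
        if len(parts) == 5 and parts[0] == "group":
            flags.add("g")
        perms = {FREEBSD_PERM_MAP[c] for c in parts[-3] if c != "-"}
        kind = FREEBSD_TYPE_MAP[parts[-1]]
    else:                                 # Linux: type:flags:who:perms
        kind, flag_str, who, perm_str = parts
        flags, perms = set(flag_str), set(perm_str)
    if who.lower() in ("owner@", "group@", "everyone@"):
        who = who.upper()
    if not perms <= NFS4_PERMS:
        raise ValueError(f"unknown permission letters in {line!r}")
    return Ace(kind, flags, who, perms)

def parse_acl(text: str) -> List[Ace]:
    """Parse a whole listing; '# file:' style header lines are skipped."""
    lines = [l.strip() for l in text.splitlines()]
    return [parse_ace(l) for l in lines if l and not l.startswith("#")]

def ace_applies(ace: Ace, req: Requester) -> bool:
    special = {"OWNER@": req.is_owner, "GROUP@": req.in_owning_group, "EVERYONE@": True}
    named = ace.who in req.groups if "g" in ace.flags else ace.who == req.name
    return special.get(ace.who, named)

def check_access(acl: List[Ace], req: Requester, wanted: str) -> bool:
    """First applicable ACE naming a requested bit settles it; a deny meeting any
    unsettled bit rejects the request; bits nobody allowed are denied at the end.
    Audit/alarm and inherit-only ACEs never decide access."""
    pending = set(wanted)
    for ace in acl:
        if ace.kind not in ("A", "D") or "i" in ace.flags or not ace_applies(ace, req):
            continue
        if ace.kind == "D" and pending & ace.perms:
            return False
        if ace.kind == "A":
            pending -= ace.perms
        if not pending:
            return True
    return not pending

def audit_acl(acl: List[Ace]) -> List[str]:
    """Flag write-class bits granted to EVERYONE@, and deny ACEs placed after an
    EVERYONE@ allow of the same bits (first-match makes such a deny ineffective)."""
    findings, everyone_allowed = [], set()
    for i, ace in enumerate(acl):
        if ace.kind == "A" and ace.who == "EVERYONE@" and "i" not in ace.flags:
            if ace.perms & WRITE_CLASS:
                findings.append(f"ace {i}: EVERYONE@ allowed "
                                + "".join(sorted(ace.perms & WRITE_CLASS)))
            everyone_allowed |= ace.perms
        elif ace.kind == "D" and ace.perms & everyone_allowed:
            findings.append(f"ace {i}: deny for {ace.who} follows an EVERYONE@ "
                            "allow of the same bits and cannot refuse them")
    return findings

# Constructed samples in the Linux nfs4_getfacl and FreeBSD getfacl layouts.
SAMPLE_LINUX = """\
# file: /export/projects
D::alice@example.com:w
A:fdg:staff@example.com:rwaDxtTnNcy
A::OWNER@:rwaDxtTnNcCoy
A::GROUP@:rxtncy
A::EVERYONE@:rxtncy
"""
SAMPLE_FREEBSD = """\
user:tatjana:r---DdaARWcCos:------:allow
owner@:r-----aARWcCos:------:allow
group@:r-----a-R-c--s:------:allow
everyone@:r-----a-R-c--s:------:allow
"""
```

Feed parse_acl the captured output of nfs4_getfacl or getfacl for one object and call check_access with a Requester describing who is asking. The walk covers that one object's ACL only; the delete case in the ZFS thread below (ACE4_DELETE on the file versus ACE4_DELETE_CHILD on the parent directory) involves two objects and is not settled by this single-object evaluation.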
From emz at norma.perm.ru Fri Dec 4 06:22:03 2015
From: emz at norma.perm.ru (Eugene M. Zheganin)
Date: Fri, 4 Dec 2015 11:22:03 +0500
Subject: [Samba] Samba, ZFS ACLs File Deletion and w
Message-ID: <5661310B.3090906@norma.perm.ru>

Hi.

I'm using Samba on FreeBSD to host various file servers. Recently I've noticed one weird thing: samba needs the w flag on a file to be able to delete it, plus, when 'force user' is used, samba needs additional flags for the group owning the file. Not sure if it was there all the time and it's just me, or maybe this is intended behaviour (I hope not), so, anyway, I'll describe it.

I'm using ZFS and NFSv4 ACLs on all of my servers, along with the libsunacl library and the zfsacl vfs object. It's reproducible on all recent 4.1.x, 4.2.x and 4.3.x versions.

Suppose I have a share:

[test]
        comment = Test Directory
        path = /var/www/test
        guest ok = no
        browseable = yes
        writable = yes
        printable = no
        create mask = 664
        directory mask = 775
        map hidden = no
        map archive = no
        map system = no
        vfs objects = recycle zfsacl
        nfs4:acedup = merge
        nfs4:chown = yes
        nfs4:mode = special
        zfsacl:acesort = dontcare

Permissions for /var/www/test:

# getfacl /var/www/test
# file: /var/www/test
# owner: root
# group: wheel
group:domain users:rwxpDdaARWcCos:fd----:allow
owner@:rwxpDdaARWcCos:fd----:allow
group@:r-x---a-R-c--s:------:allow
everyone@:r-x---a-R-c--s:------:allow

Suppose I put a file on this share, and mount it via SMB on the same server on /mnt/smb2 (using user tatjana), thus I should be able to access the file locally and via SMB. Let's put a 444 file php.ini into it. So:

# getfacl /var/www/test/php.ini
# file: /var/www/test/php.ini
# owner: tatjana
# group: wheel
owner@:r-----aARWcCos:------:allow
group@:r-----a-R-c--s:------:allow
everyone@:r-----a-R-c--s:------:allow

php.ini hasn't got w set, but the parent directory has both dD; having only D should be sufficient to delete files.
But samba cannot, until the w flag is set:

# rm /mnt/smb2/php.ini
rm: /mnt/smb2/php.ini: Permission denied

Okay, let's put dD on the file:

# setfacl -m user:tatjana:rdDaARWcCos::allow /var/www/test/php.ini
# getfacl /var/www/test/php.ini
# file: /var/www/test/php.ini
# owner: tatjana
# group: wheel
user:tatjana:r---DdaARWcCos:------:allow
owner@:r-----aARWcCos:------:allow
group@:r-----a-R-c--s:------:allow
everyone@:r-----a-R-c--s:------:allow
# rm /mnt/smb2/php.ini
rm: /mnt/smb2/php.ini: Permission denied

Let's put w on the file (this can be done via SMB too):

# chmod 644 /var/www/test/php.ini
# getfacl /var/www/test/php.ini
# file: /var/www/test/php.ini
# owner: tatjana
# group: wheel
owner@:rw-p--aARWcCos:------:allow
group@:r-----a-R-c--s:------:allow
everyone@:r-----a-R-c--s:------:allow
# rm /var/www/test/php.ini
# (success)

At the same time this user - tatjana - is able to delete the file locally:

# su - tatjana
[tatjana at gw0:~]> getfacl /var/www/test/php.ini
# file: /var/www/test/php.ini
# owner: tatjana
# group: wheel
owner@:r-----aARWcCos:------:allow
group@:r-----a-R-c--s:------:allow
everyone@:r-----a-R-c--s:------:allow
[tatjana at gw0:~]> rm /var/www/test/php.ini
[tatjana at gw0:~]>

So, do I misunderstand something?

Now, about 'force user':

Suppose I have a share:

[www]
        comment = web directory
        path = /var/www
        guest ok = no
        browseable = yes
        writable = yes
        printable = no
        create mask = 664
        directory mask = 775
        force user = root
        map hidden = no
        map archive = no
        map system = no
        wide links = yes
        vfs objects = recycle zfsacl
        nfs4:acedup = merge
        nfs4:chown = yes
        nfs4:mode = special
        zfsacl:acesort = dontcare

Suppose it's mounted on /mnt/smb under the same user. Notice the 'force user' is set, and it's root.
Now let's put a file in a 755 directory, owned by root:

# getfacl /var/www/asterisk
# file: /var/www/asterisk
# owner: root
# group: wheel
owner@:rwxp--aARWcCos:------:allow
group@:r-x---a-R-c--s:------:allow
everyone@:r-x---a-R-c--s:------:allow
# ls -ld /mnt/smb/asterisk
drwxr-xr-x  1 root  wheel  16384  5 фев  2014 /mnt/smb/asterisk
(same directory)
[root at gw0:/mnt/smb]# touch /mnt/smb/asterisk/1
touch: /mnt/smb/asterisk/1: Permission denied

Of course root is able to create files in it locally:

# touch /var/www/asterisk/1
# rm /var/www/asterisk/1

This is because for some reason group+w is needed:

# chmod 775 /var/www/asterisk
# touch /mnt/smb/asterisk/1
# rm /mnt/smb/asterisk/1

Again, do I misunderstand something?

Thanks.
Eugene.

From goetz.reinicke at filmakademie.de Fri Dec 4 08:16:00 2015
From: goetz.reinicke at filmakademie.de (Götz Reinicke - IT Koordinator)
Date: Fri, 4 Dec 2015 09:16:00 +0100
Subject: [Samba] Share free size vs. filesystem free size - don't match
Message-ID: <56614BC0.2010204@filmakademie.de>

Hi,

we have a red hat el 6.7 server still with samba-3.6.23. I know that is a bit old, but it is running fine for us most of the time.

After running slowly out of space on a share I checked the server and saw this:

On my Mac OS X client and a Windows 7 client the share is shown with a capacity of about 220 GB, 70 GB free.

The filesystem the share is hosted on is 545 GB in size and 32 GB free.

Quotas are enabled but unlimited for me.

Question: Why do the clients show more than 2 times the free space the filesystem has?

Any ideas, suggestions, hints? (Updating to samba 4.x is not an option yet ... but 2016 ;) )

Thanks and regards .
Götz

From belle at bazuin.nl Fri Dec 4 08:54:13 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Fri, 4 Dec 2015 09:54:13 +0100
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <5660BD48.10006@samba.org>
References:
Message-ID:

Hai Jonathan,

Can you try the following: what is the output of hostname -y?
You probably get the message "hostname: Local domain name not set."
Don't worry, should not hurt, but for testing, you can set:

sysctl -w kernel.domainname="windows.corp.XXX.com"

and for testing you can try to set your resolv.conf to

domain windows.corp.XXX.com
search windows.corp.XXX.com
nameserver ip_samba_dc1
nameserver ip_samba_dc2

Yes.. !! domain and search are mutually exclusive.. we know, but try it.
Restart networking after the above changes.

The output of /etc/hostname ( should contain only the (hostname -s) value )

Can you try the following. Put in smb.conf

dns proxy = yes

restart samba.

Run: testparm -v | grep net , I want to see the output. Especially netbios name =

Test the above out, one at a time.
I say, start with the dns proxy in smb.conf
Then the resolv.conf
Then the kernel domain

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Thursday 3 December 2015 23:08
> To: sambalist
> Subject: Re: [Samba] After joining domain, Samba uses the workgroup
> name, not the FQDN when running the net ads command
>
> On 03/12/15 21:55, Jonathan S. Fisher wrote:
> > It doesn't work, even with the DNS set as such:
> >
> > root at freeradius:~# sudo net rpc info -UWINDOWS\\Administrator
> > Unable to find a suitable server for domain WINDOWS
> >
> > Our registered domain is XXX.com. corp.XXX.com
> > and windows.corp.XXX.com are internal
> > and not resolvable on any public DNS server.
> >
> > I was curious if anyone else had any comments on these two questions I
> > had:
> >
> > * What is this lmhosts thing it's looking for?
>
> lmhosts is the windows version of /etc/hosts, if you have a line in
> smb.conf that references this, I would suggest you remove it unless it
> matches the default one: name resolve order = lmhosts wins host bcast
>
> > * Is this what went wrong? > internal_resolve_name: looking up
> > WINDOWS#1b (sitename (null))
>
> Possibly, but your client should find everything via DNS.
> Does your smb.conf match the one that can be found on the Samba wiki
> (with changes for your NETBios name & realm)? This is known to work.
>
> Rowland
>
> >
> > What is lmhosts?
> > What does it think our sitename is null?
> >
> >
>

From belle at bazuin.nl Fri Dec 4 08:58:54 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Fri, 4 Dec 2015 09:58:54 +0100
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <5660BD48.10006@samba.org>
References:
Message-ID:

And last thing I forgot.

Is this server having multiple interfaces?
Yes, set in smb.conf
interfaces = 127.0.0.1
bind interfaces only = No

and can you post the complete krb5.conf again.
I did not see in libdefaults.
dns_lookup_kdc = true
dns_lookup_realm = false

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Thursday 3 December 2015 23:08
> To: sambalist
> Subject: Re: [Samba] After joining domain, Samba uses the workgroup
> name, not the FQDN when running the net ads command
>
> On 03/12/15 21:55, Jonathan S. Fisher wrote:
> > It doesn't work, even with the DNS set as such:
> >
> > root at freeradius:~# sudo net rpc info -UWINDOWS\\Administrator
> > Unable to find a suitable server for domain WINDOWS
> >
> > Our registered domain is XXX.com. corp.XXX.com
> > and windows.corp.XXX.com are internal
> > and not resolvable on any public DNS server.
> >
> > I was curious if anyone else had any comments on these two questions I
> > had:
> >
> > * What is this lmhosts thing it's looking for?
>
> lmhosts is the windows version of /etc/hosts, if you have a line in
> smb.conf that references this, I would suggest you remove it unless it
> matches the default one: name resolve order = lmhosts wins host bcast
>
> > * Is this what went wrong? > internal_resolve_name: looking up
> > WINDOWS#1b (sitename (null))
>
> Possibly, but your client should find everything via DNS.
> Does your smb.conf match the one that can be found on the Samba wiki
> (with changes for your NETBios name & realm)? This is known to work.
>
> Rowland
>
> >
> > What is lmhosts?
> > What does it think our sitename is null?
> >
> >
>

From belle at bazuin.nl Fri Dec 4 09:02:07 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Fri, 4 Dec 2015 10:02:07 +0100
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <5660BD48.10006@samba.org>
Message-ID:

Oops.. :-/ I'm missing my coffee today..

> interfaces = 127.0.0.1 ADD_IP_CLIENTSAMBA_HERE
> bind interfaces only = Yes

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Friday 4 December 2015 9:59
> To: samba at lists.samba.org
> Subject: Re: [Samba] After joining domain, Samba uses the workgroup
> name, not the FQDN when running the net ads command
>
> And last thing I forgot.
>
> Is this server having multiple interfaces?
> Yes, set in smb.conf
> interfaces = 127.0.0.1
> bind interfaces only = No
>
> and can you post the complete krb5.conf again.
> I did not see in libdefaults.
> dns_lookup_kdc = true
> dns_lookup_realm = false
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> > Sent: Thursday 3 December 2015 23:08
> > To: sambalist
> > Subject: Re: [Samba] After joining domain, Samba uses the workgroup
> > name, not the FQDN when running the net ads command
> >
> > On 03/12/15 21:55, Jonathan S. Fisher wrote:
> > > It doesn't work, even with the DNS set as such:
> > >
> > > root at freeradius:~# sudo net rpc info -UWINDOWS\\Administrator
> > > Unable to find a suitable server for domain WINDOWS
> > >
> > > Our registered domain is XXX.com. corp.XXX.com
> > > and windows.corp.XXX.com are internal
> > > and not resolvable on any public DNS server.
> > >
> > > I was curious if anyone else had any comments on these two questions I
> > > had:
> > >
> > > * What is this lmhosts thing it's looking for?
> >
> > lmhosts is the windows version of /etc/hosts, if you have a line in
> > smb.conf that references this, I would suggest you remove it unless it
> > matches the default one: name resolve order = lmhosts wins host bcast
> >
> > > * Is this what went wrong? > internal_resolve_name: looking up
> > > WINDOWS#1b (sitename (null))
> >
> > Possibly, but your client should find everything via DNS.
> > Does your smb.conf match the one that can be found on the Samba wiki
> > (with changes for your NETBios name & realm)? This is known to work.
> >
> > Rowland
> >
> > >
> > > What is lmhosts?
> > > What does it think our sitename is null?
> > >
> > >
> >
>

From rpenny at samba.org Fri Dec 4 09:11:24 2015
From: rpenny at samba.org (Rowland penny)
Date: Fri, 04 Dec 2015 09:11:24 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References:
Message-ID: <566158BC.4020405@samba.org>

On 04/12/15 08:58, L.P.H. van Belle wrote:
> And last thing I forgot.
>
> Is this server having multiple interfaces?
> Yes, set in smb.conf
> interfaces = 127.0.0.1
> bind interfaces only = No
>
> and can you post the complete krb5.conf again.
> I did not see in libdefaults.
> dns_lookup_kdc = true
> dns_lookup_realm = false
>
>

You don't actually need those lines, they are the defaults, but it wouldn't hurt if they were there :-)

I still think it is his weird dns setup, where he has a dnsmasq server replicating what the DCs know (or is supposed to). I think the sheer fact that he didn't know what lmhosts is, says a lot.

Rowland

From sven.schwedas at tao.at Fri Dec 4 09:21:11 2015
From: sven.schwedas at tao.at (Sven Schwedas)
Date: Fri, 4 Dec 2015 10:21:11 +0100
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <566158BC.4020405@samba.org>
References: <566158BC.4020405@samba.org>
Message-ID: <56615B07.4030204@tao.at>

On 2015-12-04 10:11, Rowland penny wrote:
> I still think it is his weird dns setup, where he has a dnsmasq server
> replicating what the DCs know (or is supposed to). I think the sheer
> fact that he didn't know what lmhosts is, says a lot.

We're using such a setup in production without any problems.
How about less wild blind guessing and user shaming, and more actual help?

--
Kind regards / Best Regards,

Sven Schwedas
System administrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at

From belle at bazuin.nl Fri Dec 4 09:25:49 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Fri, 4 Dec 2015 10:25:49 +0100
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <566158BC.4020405@samba.org>
References:
Message-ID:

I'm guessing, since he has multiple domains there, I'm thinking the "resolv" order is wrong, something in that direction.

An option is also to set multiple searches. And in the order so the "samba dns domain" comes first.
Like
search windows.corp.XXX.com corp.XXX.com etc.XXX.com

but I need his result of my last question first.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Friday 4 December 2015 10:11
> To: samba at lists.samba.org
> Subject: Re: [Samba] After joining domain, Samba uses the workgroup
> name, not the FQDN when running the net ads command
>
> On 04/12/15 08:58, L.P.H. van Belle wrote:
> > And last thing I forgot.
> >
> > Is this server having multiple interfaces?
> > Yes, set in smb.conf
> > interfaces = 127.0.0.1
> > bind interfaces only = No
> >
> > and can you post the complete krb5.conf again.
> > I did not see in libdefaults.
> > dns_lookup_kdc = true
> > dns_lookup_realm = false
> >
> >
>
> You don't actually need those lines, they are the defaults, but it
> wouldn't hurt if they were there :-)
>
> I still think it is his weird dns setup, where he has a dnsmasq server
> replicating what the DCs know (or is supposed to). I think the sheer
> fact that he didn't know what lmhosts is, says a lot.
>
> Rowland
>

From rpenny at samba.org Fri Dec 4 09:33:58 2015
From: rpenny at samba.org (Rowland penny)
Date: Fri, 04 Dec 2015 09:33:58 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <56615B07.4030204@tao.at>
References: <566158BC.4020405@samba.org> <56615B07.4030204@tao.at>
Message-ID: <56615E06.2030805@samba.org>

On 04/12/15 09:21, Sven Schwedas wrote:
> On 2015-12-04 10:11, Rowland penny wrote:
>> I still think it is his weird dns setup, where he has a dnsmasq server
>> replicating what the DCs know (or is supposed to). I think the sheer
>> fact that he didn't know what lmhosts is, says a lot.
> We're using such a setup in production without any problems. How about
> less wild blind guessing and user shaming, and more actual help?
>
>

Sven, you may be using a similar system, but it isn't recommended. The OP is having problems getting a Samba domain member working, I have tried to point him in the direction of a known working set up, once he has this working, what he does with it, is up to him. He may be able to use the dnsmasq server, I don't know, but if he has a working system and it stops working when he adds in the dnsmasq server, he will know where to look, won't he!
Rowland From nico.deranter at esaturnus.com Fri Dec 4 11:52:46 2015 From: nico.deranter at esaturnus.com (Nico De Ranter) Date: Fri, 4 Dec 2015 12:52:46 +0100 Subject: [Samba] How to set unix properties from command line Message-ID: Samba version: 4.1.17 I want to use a Samba AD controller to manage access to both my Windows and Linux boxes. I managed to import my old Samba users using pdbedit however as I want to use the new Samba AD controller to manage access to the Linux workstations too I want to configure Unix properties on all my accounts. Unfortunately I cannot find any command-line tool on Linux that will allow me to easily fill in these properties. I looked at samba-tool and pdbedit but they seem to be able to change only basic settings. I know I can do it through RSAT but I don't want to have to start a Windows vm just to manage my users. How can I manage Unix properties for my Samba AD users from the command-line in Linux? Thanks in advance, Nico -- Nico De Ranter Operations Engineer T. +32 16 40 12 82 M. 
+32 497 91 53 78

From luke.bigum at lmax.com Fri Dec 4 12:04:46 2015
From: luke.bigum at lmax.com (Luke Bigum)
Date: Fri, 4 Dec 2015 12:04:46 +0000 (UTC)
Subject: [Samba] How to set unix properties from command line
In-Reply-To:
References:
Message-ID: <418508756.10479622.1449230686984.JavaMail.zimbra@lmax.com>

Relevant bits from our user creation script:

samba-tool user create -H ldaps://${DC} -k yes --random-password \
    --surname="${SNAME}" --given-name="${FNAME}" --mail-address="${EMAILSETUP}" \
    --uid=${USERID} --uid-number=${MYUID} --gid-number=100 \
    --login-shell="${USHELL}" --gecos="${GECOS}" ${USERID}

samba-tool user setpassword ${USERID} -H ldaps://${DC} -k yes --newpassword="${PASSWD}"

LDIF="${LDIF}
replace: unixHomeDirectory
unixHomeDirectory: ${UHOMEDIR}
-"

ldapmodify -Y GSSAPI -Q -O minssf=0,maxssf=0 -H ldaps://${DC} -f <( echo "${LDIF}" )

--
Luke Bigum
Senior Systems Engineer
Information Systems
Ph: +44 (0) 20 3192 2520

----- Original Message -----
From: "Nico De Ranter"
To: samba at lists.samba.org
Sent: Friday, 4 December, 2015 11:52:46 AM
Subject: [Samba] How to set unix properties from command line

Samba version: 4.1.17

I want to use a Samba AD controller to manage access to both my Windows and Linux boxes. I managed to import my old Samba users using pdbedit however as I want to use the new Samba AD controller to manage access to the Linux workstations too I want to configure Unix properties on all my accounts. Unfortunately I cannot find any command-line tool on Linux that will allow me to easily fill in these properties. I looked at samba-tool and pdbedit but they seem to be able to change only basic settings. I know I can do it through RSAT but I don't want to have to start a Windows vm just to manage my users.

How can I manage Unix properties for my Samba AD users from the command-line in Linux?

Thanks in advance,

Nico

--
Nico De Ranter
Operations Engineer
T. +32 16 40 12 82
M.
+32 497 91 53 78

From rpenny at samba.org Fri Dec 4 12:48:25 2015
From: rpenny at samba.org (Rowland penny)
Date: Fri, 04 Dec 2015 12:48:25 +0000
Subject: [Samba] How to set unix properties from command line
In-Reply-To:
References:
Message-ID: <56618B99.1010705@samba.org>

On 04/12/15 11:52, Nico De Ranter wrote:
> Samba version: 4.1.17
>
> I want to use a Samba AD controller to manage access to both my Windows and
> Linux boxes. I managed to import my old Samba users using pdbedit however
> as I want to use the new Samba AD controller to manage access to the Linux
> workstations too I want to configure Unix properties on all my accounts.
> Unfortunately I cannot find any command-line tool on Linux that will allow
> me to easily fill in these properties. I looked at samba-tool and pdbedit
> but they seem to be able to change only basic settings. I know I can do it
> through RSAT but I don't want to have to start a Windows vm just to manage
> my users.
>
> How can I manage Unix properties for my Samba AD users from the
> command-line in Linux?
>
> Thanks in advance,
>
> Nico
>

well, if my patches ever get accepted, you will be able to do with samba-tool what the Unix attributes tab on ADUC does. Until then, you will have to resort to using a script to do this. If your old setup was an NT4-style domain, you could have used the classic-upgrade, this would have imported all of your old users & groups along with all their RFC2307 attributes.
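As an added example (not part of any post in this thread, and not Samba's or LMAX's code), here is a Python equivalent of the ldapmodify step in the user-creation script above. Luke's script builds the LDIF by interpolating shell variables straight into the text; this version validates each RFC2307 value and encodes it per RFC 2849 before writing the record, so an unexpected newline or leading space in an input cannot corrupt the record or add attribute changes that were not intended. The DN and sample values are constructed; the attribute names (uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos) are the RFC2307bis ones Samba AD uses.

```python
"""Generate the LDIF 'modify' record that sets RFC2307 (POSIX) attributes on
an AD user, for piping into ldapmodify.

Added example for this thread; not the poster's script and not part of
Samba.  The DN and sample values are constructed."""

import base64
import re

_NUMBER_RE = re.compile(r"^[0-9]{1,10}$")
_ABS_PATH_RE = re.compile(r"^/[^\x00-\x1f\x7f]*$")


def _check_number(value: str) -> str:
    """uidNumber / gidNumber must be a plain non-negative integer."""
    if not _NUMBER_RE.match(value):
        raise ValueError(f"not a numeric id: {value!r}")
    return value


def _check_path(value: str) -> str:
    """unixHomeDirectory / loginShell must be an absolute path without control chars."""
    if not _ABS_PATH_RE.match(value):
        raise ValueError(f"not an absolute path: {value!r}")
    return value


def _check_text(value: str) -> str:
    """gecos is free text, but CR/LF/NUL never belong in a directory value."""
    if any(ch in value for ch in "\r\n\x00"):
        raise ValueError("control characters are not allowed in gecos")
    return value


# The attributes a user-creation script normally fills in, with validators.
POSIX_ATTRS = {
    "uidNumber": _check_number,
    "gidNumber": _check_number,
    "unixHomeDirectory": _check_path,
    "loginShell": _check_path,
    "gecos": _check_text,
}


def ldif_value_line(attr: str, value: str) -> str:
    """Write one 'attr: value' line following RFC 2849.

    A value is written verbatim only if it is ASCII, contains no NUL/CR/LF,
    and does not start with a space, ':' or '<' (the RFC also recommends
    encoding values that end in a space).  Anything else is base64-encoded
    and written as 'attr:: <base64>'."""
    safe = (
        value.isascii()
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
        and "\x00" not in value and "\r" not in value and "\n" not in value
    )
    if safe:
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def posix_modify_ldif(dn: str, attrs: dict) -> str:
    """Return an LDIF changetype:modify record replacing the given attributes."""
    unknown = set(attrs) - set(POSIX_ATTRS)
    if unknown:
        raise ValueError(f"unsupported attributes: {sorted(unknown)}")
    lines = [ldif_value_line("dn", dn), "changetype: modify"]
    for attr, value in attrs.items():
        value = POSIX_ATTRS[attr](str(value))
        lines += [f"replace: {attr}", ldif_value_line(attr, value), "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed DN and values; pipe the output into
    #   ldapmodify -Y GSSAPI -Q -H ldaps://${DC}
    print(posix_modify_ldif(
        "CN=Nico Example,CN=Users,DC=samdom,DC=example,DC=com",
        {"uidNumber": 10001, "gidNumber": 100,
         "unixHomeDirectory": "/home/nico", "loginShell": "/bin/bash"},
    ), end="")
```

Because every value goes through `ldif_value_line`, a gecos such as "Nico Dé" or one beginning with a space comes out as a `gecos::` base64 line that ldapmodify decodes correctly, while a path or id that is not what it should be is rejected before anything is sent to the DC.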
Rowland

From ole.traupe at tu-berlin.de Fri Dec 4 14:27:53 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Fri, 4 Dec 2015 15:27:53 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <56586915.7010502@gmail.com>
References: <56435CD0.4090409@tu-berlin.de> <201511121123.00490.walk2sun@arcor.de> <564C9CEB.2040104@tu-berlin.de> <564DC3F7.3090409@tu-berlin.de> <564DE9F5.6020100@tu-berlin.de> <001b01d12367$4558b4a0$d00a1de0$@tplk.loc> <564F14CB.2010208@tu-berlin.de> <564F2A11.8080106@gmail.com> <565726BA.5050008@tu-berlin.de> <56585824.2080808@gmail.com> <56586655.6090501@gmail.com> <56586915.7010502@gmail.com>
Message-ID: <5661A2E9.8040103@tu-berlin.de>

>> What SOA RR for DC2?
>>
>> You can only have one SOA record.
>>
>> Rowland
>>
>>
> I meant did he update the SOA record to reflect that DC2 is now SOA.
>

Sorry that I wasn't responding for so long. As I stated earlier (sorry for the confusion), I demoted DC1 a while ago. So DC2 is now SOA and that is reflected by my DNS. Let's talk about first/second DC instead.
Ole From ole.traupe at tu-berlin.de Fri Dec 4 16:20:55 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Fri, 4 Dec 2015 17:20:55 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5661B426.1060209@gmail.com> References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> Message-ID: <5661BD67.8000305@tu-berlin.de> > Hi, If you can bear with me, I am trying to get the join to add the NS > for the joining DC to the SOA, I believe I may be near to get this > working (after leading myself down the garden path, what I tried > previously, didn't work), once it does, I should be able answer your > question, my test domain is using the internal dns. > > Rowland I am happy to hear that and hope that solves the problem! I have tested fail-over now with the new NS record, but the situation is more or less the same: - created the NS record and waited until I found the record to be replicated - restarted the windows machine I wanted to test this on - suspended the 1st DC (currently a VM) - tried to log-on to the windows test machine - results: 1. first log-on for a user takes ~30 seconds (on a second test it was up to 60 s) 2. following second log-on takes only 5 s 3. third log-on takes 2-3 s Confirmed this with a second user, the same time-out pattern. Seems to me that Windows 7 keeps its default DC but is willing to make exceptions on a user basis? However, I cannot say whether this actually is a server authentication or an offline log-on. I looked into the Windows logs ("Security") but didn't find anything conclusive. 
Two other things to mention:

- From Windows, I can access my home and other network shares (located on a Samba 4 member server) as usual without any problem (which is good!!)

- But when I try to ssh to a member server, it still takes forever, and a 'kinit' on a member server gives this:
"kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while getting initial credentials"

My /etc/krb5.conf looks like this (following your suggestions, Rowland, as everything else are defaults):

[libdefaults]
default_realm = MY.DOMAIN.TLD

And my /etc/resolv.conf is this:

search my.domain.tld
nameserver IP_of_1st_DC
nameserver IP_of_2nd_DC

So from a Windows client point of view, I am more or less fine (even without restarting the machines). But it would be great if I could log-in to the Linux member servers as well.

Ole

From rpenny at samba.org Fri Dec 4 16:42:37 2015
From: rpenny at samba.org (Rowland penny)
Date: Fri, 04 Dec 2015 16:42:37 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5661BD67.8000305@tu-berlin.de>
References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de>
Message-ID: <5661C27D.1090308@samba.org>

On 04/12/15 16:20, Ole Traupe wrote:
>
>> Hi, If you can bear with me, I am trying to get the join to add the
>> NS for the joining DC to the SOA, I believe I may be near to get this
>> working (after leading myself down the garden path, what I tried
>> previously, didn't work), once it does, I should be able answer your
>> question, my test domain is using the internal dns.
>>
>> Rowland
>
>
> I am happy to hear that and hope that solves the problem!
I have > tested fail-over now with the new NS record, but the situation is more > or less the same: > > - created the NS record and waited until I found the record to be > replicated > - restarted the windows machine I wanted to test this on > - suspended the 1st DC (currently a VM) > - tried to log-on to the windows test machine > - results: > > 1. first log-on for a user takes ~30 seconds (on a second test it was > up to 60 s) > 2. following second log-on takes only 5 s > 3. third log-on takes 2-3 s > > Confirmed this with a second user, the same time-out pattern. Seems to > me that Windows 7 keeps its default DC but is willing to make > exceptions on a user basis? > > However, I cannot say whether this actually is a server authentication > or an offline log-on. I looked into the Windows logs ("Security") but > didn't find anything conclusive. > > > Two other things to mention: > > - From Windows, I can access my home and other network shares (located > on a Samba 4 member server) as usual with out any problem (which is > good!!) > > - But when I try to ssh to a member server, it still takes forever, > and a 'kinit' on a member server gives this: > "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while > getting initial credentials" > > > My /etc/krb5.conf looks like this (following your suggestions, > Rowland, as everything else are defaults): > > [libdefaults] > default_realm = MY.DOMAIN.TLD > > And my /etc/resolv.conf is this: > > search my.domain.tld > nameserver IP_of_1st_DC > nameserver IP_of_2nd_DC > > > So from a Windows client point of view, I am more or less fine (even > without restarting the machines). But it would be great if I could > log-in to the Linux member servers as well. > > Ole > > > I am getting nearer, I can now add another NS record to the SOA whilst joining a DC, it's the wrong record, but it was added :-D Now to get it to add the correct NS record (after I figure out just where I went wrong). 
Rowland

From rob.mason at acasta.co.uk Fri Dec 4 17:38:53 2015
From: rob.mason at acasta.co.uk (Rob Mason)
Date: Fri, 4 Dec 2015 17:38:53 -0000
Subject: [Samba] setproctitle Errors
Message-ID: <00d601d12eba$ab237f00$016a7d00$@acasta.co.uk>

Hi List

I've spun up a fresh Debian 8 VM to test out the upgrade steps for a Debian samba 4.1.17 package deployment to a compiled samba 4.2.5. All seems to work fine (apt-get remove samba first, followed by configure/make/install), but I get the following errors in my samba.log:

samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor

Is this error serious? Do I need to worry? I've filtered through similar posts, but a solution wasn't forthcoming.

My ./configure line is as follows (mainly to modify installation locations):

./configure --enable-fhs --prefix=/usr --sysconfdir=/etc \
    --localstatedir=/var --with-privatedir=/var/lib/samba/private \
    --with-piddir=/var/run/samba \
    --with-pammodulesdir=/lib/x86_64-linux-gnu/security \
    --libdir=/usr/lib/x86_64-linux-gnu \
    --with-modulesdir=/usr/lib/x86_64-linux-gnu/samba --datadir=/usr/share \
    --with-lockdir=/var/run/samba --with-statedir=/var/lib/samba \
    --with-cachedir=/var/cache/samba

Thanks

--
Rob Mason
Acasta Ltd - A Crown Commercial Service Supplier. CyberEssentials Certified QGCE013.
From rpenny at samba.org Fri Dec 4 17:54:20 2015 From: rpenny at samba.org (Rowland penny) Date: Fri, 04 Dec 2015 17:54:20 +0000 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5661C27D.1090308@samba.org> References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <5661C27D.1090308@samba.org> Message-ID: <5661D34C.5070101@samba.org> On 04/12/15 16:42, Rowland penny wrote: > On 04/12/15 16:20, Ole Traupe wrote: >> >>> Hi, If you can bear with me, I am trying to get the join to add the >>> NS for the joining DC to the SOA, I believe I may be near to get >>> this working (after leading myself down the garden path, what I >>> tried previously, didn't work), once it does, I should be able >>> answer your question, my test domain is using the internal dns. >>> >>> Rowland >> >> >> I am happy to hear that and hope that solves the problem! I have >> tested fail-over now with the new NS record, but the situation is >> more or less the same: >> >> - created the NS record and waited until I found the record to be >> replicated >> - restarted the windows machine I wanted to test this on >> - suspended the 1st DC (currently a VM) >> - tried to log-on to the windows test machine >> - results: >> >> 1. first log-on for a user takes ~30 seconds (on a second test it was >> up to 60 s) >> 2. following second log-on takes only 5 s >> 3. third log-on takes 2-3 s >> >> Confirmed this with a second user, the same time-out pattern. Seems >> to me that Windows 7 keeps its default DC but is willing to make >> exceptions on a user basis? >> >> However, I cannot say whether this actually is a server >> authentication or an offline log-on. 
I looked into the Windows logs >> ("Security") but didn't find anything conclusive. >> >> >> Two other things to mention: >> >> - From Windows, I can access my home and other network shares >> (located on a Samba 4 member server) as usual with out any problem >> (which is good!!) >> >> - But when I try to ssh to a member server, it still takes forever, >> and a 'kinit' on a member server gives this: >> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while >> getting initial credentials" >> >> >> My /etc/krb5.conf looks like this (following your suggestions, >> Rowland, as everything else are defaults): >> >> [libdefaults] >> default_realm = MY.DOMAIN.TLD >> >> And my /etc/resolv.conf is this: >> >> search my.domain.tld >> nameserver IP_of_1st_DC >> nameserver IP_of_2nd_DC >> >> >> So from a Windows client point of view, I am more or less fine (even >> without restarting the machines). But it would be great if I could >> log-in to the Linux member servers as well. >> >> Ole >> >> >> > > I am getting nearer, I can now add another NS record to the SOA whilst > joining a DC, it's the wrong record, but it was added :-D > > Now to get it to add the correct NS record (after I figure out just > where I went wrong). > > Rowland > OK, I have now created the correct SOA NS record whilst joining a new DC using the internal DNS server. If I run nslookup against each test DC, I get back the same nameserver. If I do the same on my normal domain that uses Bind9, I get a different nameserver from each DC. 
TESTDOMAIN:

root at testdc2:~# nslookup
> set querytype=soa
> example.lan
Server:         192.168.0.240
Address:        192.168.0.240#53

example.lan
        origin = testdc1.example.lan
        mail addr = hostmaster.example.lan
        serial = 3
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600

Swap nameservers in resolv.conf

root at testdc2:~# nslookup
> set querytype=soa
> example.lan
Server:         192.168.0.241
Address:        192.168.0.241#53

example.lan
        origin = testdc1.example.lan
        mail addr = hostmaster.example.lan
        serial = 3
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600

NORMAL DOMAIN:

root at dc1:~# nslookup
> set querytype=soa
> samdom.example.com
Server:         192.168.0.6
Address:        192.168.0.6#53

samdom.example.com
        origin = dc2.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 101
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600

swap nameservers in resolv.conf

root at dc1:~# nslookup
> set querytype=soa
> samdom.example.com
Server:         192.168.0.5
Address:        192.168.0.5#53

samdom.example.com
        origin = dc1.samdom.example.com
        mail addr = hostmaster.samdom.example.com
        serial = 101
        refresh = 900
        retry = 600
        expire = 86400
        minimum = 3600

Sorry Kia, but I think the moral of the story here is, don't use the internal dns server, use bind9 instead.

Rowland

From infractory at gmail.com Fri Dec 4 18:58:55 2015
From: infractory at gmail.com (mathias dufresne)
Date: Fri, 4 Dec 2015 19:58:55 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5661BD67.8000305@tu-berlin.de>
References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de>
Message-ID:

To check which DC was used to connect on simply type "set" in MSDOS console (cmd).
Then look for a line which contain a DC name. For Windows they should try to find a DC at logon time, according to their IP address and AD sites configuration as explained earlier I think. This process includes DNS SRV request to find LDAP server list and then LDAP requests are sent to received SRV to find one working server, something like one replying the quicker (that's a foggy notion for me :) For Linux and kinit that should be based on DNS resolution and caching if some. Now how kinit chose a Kerberos server from DNS I no real idea. It is possible to force usage of one particular kerberos server forcing it in some configuration file and then using that file in $KRB5_CONFIG environment variable. At least you could use that to test if kinit works when forced on the remaining server. But that does not answer the question of failover for Linux parts :( 2015-12-04 17:20 GMT+01:00 Ole Traupe : > > Hi, If you can bear with me, I am trying to get the join to add the NS for >> the joining DC to the SOA, I believe I may be near to get this working >> (after leading myself down the garden path, what I tried previously, didn't >> work), once it does, I should be able answer your question, my test domain >> is using the internal dns. >> >> Rowland >> > > > I am happy to hear that and hope that solves the problem! I have tested > fail-over now with the new NS record, but the situation is more or less the > same: > > - created the NS record and waited until I found the record to be > replicated > - restarted the windows machine I wanted to test this on > - suspended the 1st DC (currently a VM) > - tried to log-on to the windows test machine > - results: > > 1. first log-on for a user takes ~30 seconds (on a second test it was up > to 60 s) > 2. following second log-on takes only 5 s > 3. third log-on takes 2-3 s > > Confirmed this with a second user, the same time-out pattern. 
Seems to me > that Windows 7 keeps its default DC but is willing to make exceptions on a > user basis? > > However, I cannot say whether this actually is a server authentication or > an offline log-on. I looked into the Windows logs ("Security") but didn't > find anything conclusive. > > > Two other things to mention: > > - From Windows, I can access my home and other network shares (located on > a Samba 4 member server) as usual with out any problem (which is good!!) > > - But when I try to ssh to a member server, it still takes forever, and a > 'kinit' on a member server gives this: > "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while getting > initial credentials" > > > My /etc/krb5.conf looks like this (following your suggestions, Rowland, as > everything else are defaults): > > [libdefaults] > default_realm = MY.DOMAIN.TLD > > And my /etc/resolv.conf is this: > > search my.domain.tld > nameserver IP_of_1st_DC > nameserver IP_of_2nd_DC > > > So from a Windows client point of view, I am more or less fine (even > without restarting the machines). But it would be great if I could log-in > to the Linux member servers as well. > > > Ole > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > From rpenny at samba.org Fri Dec 4 18:59:36 2015 From: rpenny at samba.org (Rowland penny) Date: Fri, 04 Dec 2015 18:59:36 +0000 Subject: [Samba] setproctitle Errors In-Reply-To: <00d601d12eba$ab237f00$016a7d00$@acasta.co.uk> References: <00d601d12eba$ab237f00$016a7d00$@acasta.co.uk> Message-ID: <5661E298.9050907@samba.org> On 04/12/15 17:38, Rob Mason wrote: > Hi List > > I've spun up a fresh Debian 8 VM to test out the upgrade steps for a Debian > samba 4.1.17 package deployment to a compiled samba 4.2.5. 
All seems to
> work fine (apt-get remove samba first, followed by configure/make/install),
> but I get the following errors in my samba.log:
>
> samba: setproctitle not initialized, please either call setproctitle_init()
> or link against libbsd-ctor
>
> Is this error serious? Do I need to worry? I've filtered through similar
> posts, but a solution wasn't forthcoming.
>
> My ./configure line is as follows (mainly to modify installation locations):
>
>
> ./configure --enable-fhs --prefix=/usr --sysconfdir=/etc
> --localstatedir=/var --with-privatedir=/var/lib/samba/private
> --with-piddir=/var/run/samba
> --with-pammodulesdir=/lib/x86_64-linux-gnu/security
> --libdir=/usr/lib/x86_64-linux-gnu
> --with-modulesdir=/usr/lib/x86_64-linux-gnu/samba --datadir=/usr/share
> --with-lockdir=/var/run/samba --with-statedir=/var/lib/samba
> --with-cachedir=/var/cache/samba
>
> Thanks
>
>

Don't worry, it is just a common warning message that just never seems to get fixed. The only effect it will have is the space it takes up in your logfiles.

Rowland

From jra at samba.org Fri Dec 4 20:22:06 2015
From: jra at samba.org (Jeremy Allison)
Date: Fri, 4 Dec 2015 12:22:06 -0800
Subject: [Samba] Linux & NFSv4 ACLs
In-Reply-To: <2046438122.3000623.1449196296226.JavaMail.zimbra@seakr.com>
References: <1741451491.2972398.1449183261663.JavaMail.zimbra@seakr.com> <20151204002334.GY816@jra3> <88B4D9E2-2B27-4374-A0FB-FD1F8189CF84@seakr.com> <20151204011351.GB30269@jra3> <2046438122.3000623.1449196296226.JavaMail.zimbra@seakr.com>
Message-ID: <20151204202206.GB15590@jra3>

On Thu, Dec 03, 2015 at 07:31:36PM -0700, Nick Couchman wrote:
>
> Try these pages (U Michigan):
> http://www.citi.umich.edu/projects/nfsv4/linux/nfs4-acl-tools/
> http://www.citi.umich.edu/projects/nfsv4/linux/
>
> and here:
> http://wiki.linux-nfs.org/wiki/index.php/ACLs
>
> I'm pretty sure that first link is the source that the RHEL/CentOS tools comes from.
Here's output from YUM on CentOS > > [root at snapshots ~]# yum whatprovies *bin/nfs4_getfacl > Loaded plugins: fastestmirror > No such command: whatprovies. Please use /usr/bin/yum --help > [root at snapshots ~]# yum whatprovides *bin/nfs4_getfacl > Loaded plugins: fastestmirror > Loading mirror speeds from cached hostfile > * extras: linux.mirrors.es.net > nfs4-acl-tools-0.3.3-13.el7.x86_64 : The nfs4 ACL tools > Repo : base > Matched from: > Filename : /usr/bin/nfs4_getfacl Thanks for that. The problem is /usr/bin/nfs4_getfacl uses an internal library to get marshall/unmarshall the ACL data into EA's. I don't think that library is installed (and there's no nfs4_acl-dev package). From nick.couchman at seakr.com Fri Dec 4 20:37:33 2015 From: nick.couchman at seakr.com (Nick Couchman) Date: Fri, 4 Dec 2015 13:37:33 -0700 (MST) Subject: [Samba] Linux & NFSv4 ACLs In-Reply-To: <1206991747.3015654.1449261418444.JavaMail.zimbra@seakr.com> References: <1741451491.2972398.1449183261663.JavaMail.zimbra@seakr.com> <20151204002334.GY816@jra3> <88B4D9E2-2B27-4374-A0FB-FD1F8189CF84@seakr.com> <20151204011351.GB30269@jra3> <2046438122.3000623.1449196296226.JavaMail.zimbra@seakr.com> <20151204202206.GB15590@jra3> Message-ID: <1661877766.3015687.1449261453082.JavaMail.zimbra@seakr.com> ----- Original Message ----- > From: "Jeremy Allison" > To: "Nick E Couchman" > Cc: samba at lists.samba.org > Sent: Friday, December 4, 2015 1:22:06 PM > Subject: Re: [Samba] Linux & NFSv4 ACLs > On Thu, Dec 03, 2015 at 07:31:36PM -0700, Nick Couchman wrote: >> >> Try these pages (U Michigan): >> http://www.citi.umich.edu/projects/nfsv4/linux/nfs4-acl-tools/ >> http://www.citi.umich.edu/projects/nfsv4/linux/ >> >> and here: >> http://wiki.linux-nfs.org/wiki/index.php/ACLs >> >> I'm pretty sure that first link is the source that the RHEL/CentOS tools comes >> from. 
Here's output from YUM on CentOS
>>
>> [root at snapshots ~]# yum whatprovies *bin/nfs4_getfacl
>> Loaded plugins: fastestmirror
>> No such command: whatprovies. Please use /usr/bin/yum --help
>> [root at snapshots ~]# yum whatprovides *bin/nfs4_getfacl
>> Loaded plugins: fastestmirror
>> Loading mirror speeds from cached hostfile
>> * extras: linux.mirrors.es.net
>> nfs4-acl-tools-0.3.3-13.el7.x86_64 : The nfs4 ACL tools
>> Repo : base
>> Matched from:
>> Filename : /usr/bin/nfs4_getfacl
>
> Thanks for that. The problem is /usr/bin/nfs4_getfacl
> uses an internal library to get marshall/unmarshall the
> ACL data into EA's. I don't think that library is
> installed (and there's no nfs4_acl-dev package).

If I do a "ldd /usr/bin/nfs4_getfacl" here are the results:

[root at pv-nas ~]# ldd `which nfs4_getfacl`
        linux-vdso.so.1 => (0x00007fffa76f6000)
        libattr.so.1 => /lib64/libattr.so.1 (0x00007ffe77f2c000)
        libc.so.6 => /lib64/libc.so.6 (0x00007ffe77b98000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ffe7833d000)

So, I don't see any shared library specifically for NFSv4 stuff, just the libattr dependency. I'm guessing this is what you mean - that there isn't a shared library available with an API you could use in a Samba VFS module to abstract the calls for getting/setting the NFSv4 ACLs - you'd have to actually write the entire library inside the VFS module? I'll poke around and see if anyone has written a shared library on Linux for NFSv4 ACLs.

-Nick
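The marshalling Jeremy refers to, as an added example that is not part of this thread, of libnfs4acl or of Samba: the Linux NFS client exposes a file's NFSv4 ACL in the `system.nfs4_acl` extended attribute as XDR, laid out like the fattr4_acl / nfsace4 definitions in RFC 7530 (a uint32 ACE count, then per ACE the type, flag and access mask as uint32 and the "who" principal as an XDR opaque: uint32 length, bytes, padded to a multiple of 4). The decoder below validates every length before trusting it, which is what any code reading that blob inside a VFS module has to do as well. The sample ACL is constructed in the block and round-tripped; `read_nfs4_acl` is the one function that touches a real NFSv4 mount.

```python
"""Encode and decode the XDR form of an NFSv4 ACL as stored in the Linux
'system.nfs4_acl' xattr (RFC 7530 nfsace4 layout).

Added example for this thread; not libnfs4acl and not Samba code.
The sample ACL is constructed, not read from a file."""

import os
import struct
from dataclasses import dataclass

ACE4_ACCESS_ALLOWED_ACE_TYPE = 0
ACE4_ACCESS_DENIED_ACE_TYPE = 1
ACE4_IDENTIFIER_GROUP = 0x40          # aceflag4 bit: 'who' names a group

# RFC 7530 acemask4 bits, by value
ACE4_MASK_NAMES = {
    0x00000001: "READ_DATA", 0x00000002: "WRITE_DATA", 0x00000004: "APPEND_DATA",
    0x00000008: "READ_NAMED_ATTRS", 0x00000010: "WRITE_NAMED_ATTRS",
    0x00000020: "EXECUTE", 0x00000040: "DELETE_CHILD", 0x00000080: "READ_ATTRIBUTES",
    0x00000100: "WRITE_ATTRIBUTES", 0x00010000: "DELETE", 0x00020000: "READ_ACL",
    0x00040000: "WRITE_ACL", 0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}

MAX_ACES = 1024        # refuse absurd counts from a corrupt blob before looping
MAX_WHO_LEN = 1024     # principals are short; anything bigger is not a real ACE


@dataclass
class Ace:
    ace_type: int
    flag: int
    access_mask: int
    who: str

    def mask_names(self) -> list:
        """Human-readable permission bits, lowest bit first."""
        return [name for bit, name in sorted(ACE4_MASK_NAMES.items())
                if self.access_mask & bit]


def _pad4(n: int) -> int:
    """Bytes of zero padding XDR adds after an opaque of length n."""
    return (4 - n % 4) % 4


def encode_nfs4_acl(aces: list) -> bytes:
    """Marshal a list of Ace into the xattr wire format."""
    out = struct.pack(">I", len(aces))
    for ace in aces:
        who = ace.who.encode("utf-8")
        out += struct.pack(">III", ace.ace_type, ace.flag, ace.access_mask)
        out += struct.pack(">I", len(who)) + who + b"\x00" * _pad4(len(who))
    return out


def decode_nfs4_acl(blob: bytes) -> list:
    """Unmarshal the xattr blob, checking each length against what remains."""
    if len(blob) < 4:
        raise ValueError("blob shorter than the ACE count")
    (count,) = struct.unpack_from(">I", blob, 0)
    if count > MAX_ACES:
        raise ValueError(f"unreasonable ACE count {count}")
    off = 4
    aces = []
    for _ in range(count):
        if len(blob) - off < 16:
            raise ValueError("truncated ACE header")
        ace_type, flag, mask, who_len = struct.unpack_from(">IIII", blob, off)
        off += 16
        if who_len > MAX_WHO_LEN or len(blob) - off < who_len + _pad4(who_len):
            raise ValueError("truncated or oversized 'who' string")
        who = blob[off:off + who_len].decode("utf-8")
        off += who_len + _pad4(who_len)
        aces.append(Ace(ace_type, flag, mask, who))
    if off != len(blob):
        raise ValueError("trailing bytes after the last ACE")
    return aces


def read_nfs4_acl(path: str) -> list:
    """Fetch and decode the ACL of a file on an NFSv4 mount (Linux only)."""
    return decode_nfs4_acl(os.getxattr(path, "system.nfs4_acl"))


# Constructed sample: owner rwx plus ACL/attr bits, group read-only, one user denied write.
SAMPLE_ACL = [
    Ace(ACE4_ACCESS_ALLOWED_ACE_TYPE, 0, 0x001601BF, "OWNER@"),
    Ace(ACE4_ACCESS_ALLOWED_ACE_TYPE, ACE4_IDENTIFIER_GROUP, 0x00120089, "GROUP@"),
    Ace(ACE4_ACCESS_DENIED_ACE_TYPE, 0, 0x00000002, "alice@example.com"),
]

if __name__ == "__main__":
    for ace in decode_nfs4_acl(encode_nfs4_acl(SAMPLE_ACL)):
        kind = "A" if ace.ace_type == ACE4_ACCESS_ALLOWED_ACE_TYPE else "D"
        print(f"{kind}:{ace.flag:#x}:{ace.who}:{','.join(ace.mask_names())}")
```

The three length checks (count, header, who) are the whole point: the kernel hands back a caller-controlled byte string, and a decoder that trusts `who_len` without comparing it to the bytes left would read past the buffer in C, which is exactly the class of bug a VFS module must avoid when it re-implements what libnfs4acl does.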
From abartlet at samba.org Fri Dec 4 20:42:41 2015 From: abartlet at samba.org (Andrew Bartlett) Date: Sat, 05 Dec 2015 09:42:41 +1300 Subject: [Samba] Disable KCC in Samba In-Reply-To: References: <1449130546.1535.11.camel@samba.org> Message-ID: <1449261761.15594.12.camel@samba.org> On Thu, 2015-12-03 at 08:51 +0000, Luchko Dmitriy wrote: > I read about 4.3.0 and we test this version in polygon. In production > we have more than 80 sites and about 200 domain controllers. In test > environment we have a lot warning KCC (samba 4.3.), and we suggest in > production we have the same picture. > > Will you make change in KCC for nearest Samba release? While some improvements have been made after Samba 4.3, the major development effort on that particular tool has concluded for now. A good way to improve it would be to add a patch to Samba to fix the issue, backed with a test and sample database (which is the reason for the --export-ldif option) that demonstrates the issue. This is another case where your proposed use of Samba is currently larger than what we have presently anticipated. I'm not saying it is impossible - quite the opposite - just that you may need to work with us to ensure it works well. 
Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba From jra at samba.org Fri Dec 4 20:54:00 2015 From: jra at samba.org (Jeremy Allison) Date: Fri, 4 Dec 2015 12:54:00 -0800 Subject: [Samba] Linux & NFSv4 ACLs In-Reply-To: <1661877766.3015687.1449261453082.JavaMail.zimbra@seakr.com> References: <1741451491.2972398.1449183261663.JavaMail.zimbra@seakr.com> <20151204002334.GY816@jra3> <88B4D9E2-2B27-4374-A0FB-FD1F8189CF84@seakr.com> <20151204011351.GB30269@jra3> <2046438122.3000623.1449196296226.JavaMail.zimbra@seakr.com> <20151204202206.GB15590@jra3> <1661877766.3015687.1449261453082.JavaMail.zimbra@seakr.com> Message-ID: <20151204205400.GC15590@jra3> On Fri, Dec 04, 2015 at 01:37:33PM -0700, Nick Couchman wrote: > ----- Original Message ----- > > From: "Jeremy Allison" > > To: "Nick E Couchman" > > Cc: samba at lists.samba.org > > Sent: Friday, December 4, 2015 1:22:06 PM > > Subject: Re: [Samba] Linux & NFSv4 ACLs > > > On Thu, Dec 03, 2015 at 07:31:36PM -0700, Nick Couchman wrote: > >> > >> Try these pages (U Michigan): > >> http://www.citi.umich.edu/projects/nfsv4/linux/nfs4-acl-tools/ > >> http://www.citi.umich.edu/projects/nfsv4/linux/ > >> > >> and here: > >> http://wiki.linux-nfs.org/wiki/index.php/ACLs > >> > >> I'm pretty sure that first link is the source that the RHEL/CentOS tools comes > >> from. Here's output from YUM on CentOS > >> > >> [root at snapshots ~]# yum whatprovies *bin/nfs4_getfacl > >> Loaded plugins: fastestmirror > >> No such command: whatprovies. 
> >> Please use /usr/bin/yum --help
> >> [root at snapshots ~]# yum whatprovides *bin/nfs4_getfacl
> >> Loaded plugins: fastestmirror
> >> Loading mirror speeds from cached hostfile
> >>  * extras: linux.mirrors.es.net
> >> nfs4-acl-tools-0.3.3-13.el7.x86_64 : The nfs4 ACL tools
> >> Repo        : base
> >> Matched from:
> >> Filename    : /usr/bin/nfs4_getfacl
> >
> > Thanks for that. The problem is /usr/bin/nfs4_getfacl
> > uses an internal library to marshal/unmarshal the
> > ACL data into EAs. I don't think that library is
> > installed (and there's no nfs4_acl-dev package).
>
> If I do a "ldd /usr/bin/nfs4_getfacl" here are the results:
> [root at pv-nas ~]# ldd `which nfs4_getfacl`
>         linux-vdso.so.1 =>  (0x00007fffa76f6000)
>         libattr.so.1 => /lib64/libattr.so.1 (0x00007ffe77f2c000)
>         libc.so.6 => /lib64/libc.so.6 (0x00007ffe77b98000)
>         /lib64/ld-linux-x86-64.so.2 (0x00007ffe7833d000)
>
> So, I don't see any shared library specifically for NFSv4 stuff, just the libattr dependency. I'm guessing this is what you mean - that there isn't a shared library available with an API you could use in a Samba VFS module to abstract the calls for getting/setting the NFSv4 ACLs - you'd have to actually write the entire library inside the VFS module?

Yep, that's exactly it. Internal to the nfs4_getfacl source there's libnfs4acl/, which does what we need, but it doesn't get installed by 'make install'.

From jeff.sadowski at gmail.com Fri Dec 4 22:43:44 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Fri, 4 Dec 2015 15:43:44 -0700
Subject: [Samba] template shell RFC2307 loginShell

We use power broker here at work and were wondering why we need it.

I was able to set up a new Linux server using Samba and am able to log in with my Active Directory accounts, but I couldn't figure out how to set the login shells.
I have a workaround but would like feedback. In my /etc/samba/smb.conf I have the following:

security = ads
realm = DOMAIN.LONG
workgroup = DOMAIN
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 1000-999999999
#should not get here
idmap config * : range = 999999998-999999999
idmap config * :backend =rid
template homedir = /nfs/homes/%U
template shell = /nfs/homes/%U/.default_shell
winbind use default domain = yes
restrict anonymous = 2

allowing users to pick their shell using
ln -s /bin/bash ~/.default_shell
or
ln -s /bin/tcsh ~/.default_shell
...

It will be easy to create the .default_shell for each user using a simple script I can run on a machine that has power broker, but I am wondering what others have done to allow users to pick their shell using samba to authenticate?
What are the downsides of doing it the way I did it?

Is there a way to use the loginShell provided by rfc2307 that I haven't found documented in samba?

I'm using samba version 4.1.6 if that makes a difference. I could probably find a way to upgrade if there is support in newer versions.

From rpenny at samba.org Fri Dec 4 23:00:52 2015
From: rpenny at samba.org (Rowland penny)
Date: Fri, 04 Dec 2015 23:00:52 +0000
Subject: [Samba] template shell RFC2307 loginShell
Message-ID: <56621B24.7080200@samba.org>

On 04/12/15 22:43, Jeff Sadowski wrote:
> We use power broker here at work and were wondering why we need it.
>
> I was able to set up a new Linux server using Samba and am able to log in
> with my Active Directory accounts, but I couldn't figure out how to set the
> login shells.
> I have a workaround but would like feedback.
> In my /etc/samba/smb.conf I have the following:
>
> security = ads
> realm = DOMAIN.LONG
> workgroup = DOMAIN
> idmap config DOMAIN : backend = ad
> idmap config DOMAIN : range = 1000-999999999
> #should not get here
> idmap config * : range = 999999998-999999999
> idmap config * :backend =rid
> template homedir = /nfs/homes/%U
> template shell = /nfs/homes/%U/.default_shell
> winbind use default domain = yes
> restrict anonymous = 2
>

Have you considered reading the Samba wiki?
Your 'idmap config' block should look similar to this:

# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 2000-9999

# idmap config for domain SAMDOM
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999

# Use template settings for login shell and home directory
winbind nss info = template
template shell = /nfs/homes/%U/.default_shell
template homedir = /nfs/homes/%U

Though as you seem to be using uidNumber & gidNumber attributes, you could also store the loginShell and unixHomedir in AD as well.

Rowland

> allowing users to pick their shell using
> ln -s /bin/bash ~/.default_shell
> or
> ln -s /bin/tcsh ~/.default_shell
> ...
>
> It will be easy to create the .default_shell for each user using a simple
> script I can run on a machine that has power broker, but I am wondering what
> others have done to allow users to pick their shell using samba to
> authenticate?
> What are the downsides of doing it the way I did it?
>
> Is there a way to use the loginShell provided by rfc2307 that I haven't
> found documented in samba?
>
> I'm using samba version 4.1.6 if that makes a difference. I could probably
> find a way to upgrade if there is support in newer versions.
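The 'idmap config' block Rowland corrects above, and the 'rid' versus 'ad' backend explanation he gives later in this thread, can be checked mechanically rather than by eye. The script below is an added example written for this archive page; it is not Samba's own code and was not posted to the list. It parses the [global] section of an smb.conf, groups the per-domain idmap options, and reports the problems the thread discusses: no tdb backend for the '*' default domain, overlapping ID ranges, 'winbind nss info = rfc2307' without an 'ad' backend, and a login shell placed under the user's own home directory (the downside Jeff asks about: with the .default_shell symlink, whoever can write the home directory decides which program runs as the login shell, outside any /etc/shells policy). It also reproduces the idmap_rid arithmetic documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, so the "same block on every machine gives the same ID" point can be seen. The two sample configurations are constructed from the lines quoted in the thread (domain name DOMAIN and the ranges are the ones in the posts); the checks and their wording are the example's own.

```python
"""Check the idmap / winbind part of an smb.conf domain-member configuration.

Added example, not Samba code: parses [global], groups the per-domain
'idmap config' options, reports the problems discussed in the thread and
reproduces the idmap_rid mapping ID = RID - BASE_RID + LOW_RANGE_ID (idmap_rid(8)).
"""
from __future__ import annotations
import re

# matches 'idmap config <domain>:<option>' once parse_global has normalised the key
IDMAP_RE = re.compile(r"^idmap config\s*(\S+)\s*:\s*(\w+)$")


def parse_global(text: str) -> dict[str, str]:
    """[global] options with lower-cased keys; the whitespace Samba tolerates
    around '=' and ':' is dropped so 'DOMAIN : backend' and 'DOMAIN:backend' match."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":                  # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.split())).lower()
            opts[key] = value.strip()
    return opts


def idmap_domains(opts: dict[str, str]) -> dict[str, dict[str, str]]:
    """Group the idmap options by domain name; '*' is the default domain."""
    domains: dict[str, dict[str, str]] = {}
    for key, value in opts.items():
        if m := IDMAP_RE.match(key):
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    return domains


def parse_range(value: str) -> tuple[int, int]:
    """'10000-99999' -> (10000, 99999); ValueError if malformed or inverted."""
    low, high = (int(p) for p in value.replace(" ", "").split("-", 1))
    if low > high:
        raise ValueError(f"range low > high: {value}")
    return low, high


def rid_to_id(rid: int, low: int, high: int, base_rid: int = 0) -> int | None:
    """idmap_rid arithmetic; None when the ID would leave the configured range,
    which is when winbind refuses to map the SID at all."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def check_idmap(opts: dict[str, str]) -> list[str]:
    """Findings about the idmap / nss settings; an empty list means none."""
    findings, domains, ranges = [], idmap_domains(opts), {}
    if domains.get("*", {}).get("backend", "").lower() != "tdb":
        findings.append("'idmap config *:backend' missing or not tdb (BUILTIN/local accounts)")
    for name, cfg in domains.items():
        try:
            ranges[name] = parse_range(cfg["range"])
        except KeyError:
            findings.append(f"domain {name!r} has no range")
        except ValueError as exc:
            findings.append(f"domain {name!r}: {exc}")
    names = sorted(ranges)
    for i, a in enumerate(names):                        # no two ranges may overlap
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"ranges of {a!r} and {b!r} overlap")
    nss = opts.get("winbind nss info", "template").lower()   # Samba default
    has_ad = any(c.get("backend", "").lower() == "ad" for n, c in domains.items() if n != "*")
    if nss == "rfc2307" and not has_ad:
        findings.append("'winbind nss info = rfc2307' needs an 'ad' backend for the domain")
    shell = opts.get("template shell", "/bin/false")           # Samba defaults
    home = opts.get("template homedir", "/home/%D/%U").rstrip("/")
    if nss == "template" and shell.startswith(home + "/"):
        findings.append("template shell lies inside template homedir: whoever can write "
                        "the home directory chooses the login shell")
    return findings


# Constructed from the smb.conf lines posted in the thread (idmap part only).
POSTED_CONF = """
[global]
idmap config DOMAIN : backend = ad
idmap config DOMAIN : range = 1000-999999999
idmap config * : range = 999999998-999999999
idmap config * :backend =rid
template homedir = /nfs/homes/%U
template shell = /nfs/homes/%U/.default_shell
"""

# The corrected block from the reply, and the same block switched to RFC2307 attributes.
CORRECTED_CONF = """
[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 10000-99999
winbind nss info = template
template shell = /nfs/homes/%U/.default_shell
template homedir = /nfs/homes/%U
"""
RFC2307_CONF = CORRECTED_CONF.replace("winbind nss info = template", "winbind nss info = rfc2307")
```

Running check_idmap over the posted configuration reports three things: the '*' backend is rid rather than tdb, the two ranges overlap (999999998-999999999 sits inside 1000-999999999), and the shell lives under the home directory. The corrected block clears the first two; only switching to 'winbind nss info = rfc2307' (loginShell stored in AD) clears the third, since the template shell is then no longer consulted.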
From jeff.sadowski at gmail.com Sat Dec 5 02:47:14 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Fri, 4 Dec 2015 19:47:14 -0700
Subject: [Samba] template shell RFC2307 loginShell
In-Reply-To: <56621B24.7080200@samba.org>
References: <56621B24.7080200@samba.org>

Thank you Rowland for looking at it.

I did read the wiki here https://wiki.samba.org/index.php/Idmap_config_ad; that is how I got as far as I did, that and the idmap_ad man page. I could not find how to use the loginShell. Is there a variable I can use for it in the template, or an option to set to use it? loginShell and unixHomedir are not mentioned on the wiki that I could find. I'm good with the templated homedir but curious how to use the unixHomedir.

It seems that schema_mode = rfc2307 is the default, as it works fine except for the default shells, which I have the workaround for. I think I will move them out of their home directories and set them elsewhere, where users will need to ask to change the shell.

I purposefully set rid as the default backend if one does not exist explicitly for the domain, as it worked better for me. What I did with the default backend should stop the login if the domain isn't explicitly defined.

On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny wrote:
> On 04/12/15 22:43, Jeff Sadowski wrote:
>
>> We use power broker here at work and were wondering why we need it.
>>
>> I was able to set up a new Linux server using Samba and am able to log in
>> with my Active Directory accounts, but I couldn't figure out how to set the
>> login shells.
>> I have a workaround but would like feedback.
>> In my /etc/samba/smb.conf I have the following:
>>
>> security = ads
>> realm = DOMAIN.LONG
>> workgroup = DOMAIN
>> idmap config DOMAIN : backend = ad
>> idmap config DOMAIN : range = 1000-999999999
>> #should not get here
>> idmap config * : range = 999999998-999999999
>> idmap config * :backend =rid
>> template homedir = /nfs/homes/%U
>> template shell = /nfs/homes/%U/.default_shell
>> winbind use default domain = yes
>> restrict anonymous = 2
>>
>
> Have you considered reading the Samba wiki?
> Your 'idmap config' block should look similar to this:
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain SAMDOM
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-99999
>
> # Use template settings for login shell and home directory
> winbind nss info = template
> template shell = /nfs/homes/%U/.default_shell
> template homedir = /nfs/homes/%U
>
> Though as you seem to be using uidNumber & gidNumber attributes, you could
> also store the loginShell and unixHomedir in AD as well.
>
> Rowland
>
>> allowing users to pick their shell using
>> ln -s /bin/bash ~/.default_shell
>> or
>> ln -s /bin/tcsh ~/.default_shell
>> ...
>>
>> It will be easy to create the .default_shell for each user using a simple
>> script I can run on a machine that has power broker, but I am wondering what
>> others have done to allow users to pick their shell using samba to
>> authenticate?
>> What are the downsides of doing it the way I did it?
>>
>> Is there a way to use the loginShell provided by rfc2307 that I haven't
>> found documented in samba?
>>
>> I'm using samba version 4.1.6 if that makes a difference. I could probably
>> find a way to upgrade if there is support in newer versions.
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

From jeff.sadowski at gmail.com Sat Dec 5 02:48:53 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Fri, 4 Dec 2015 19:48:53 -0700
Subject: [Samba] template shell RFC2307 loginShell
References: <56621B24.7080200@samba.org>

I see what I missed now: the winbind nss info = rfc2307 option. Ahhh, I will try that Monday.

On Fri, Dec 4, 2015 at 7:47 PM, Jeff Sadowski wrote:
> Thank you Rowland for looking at it.
> I did read the wiki here https://wiki.samba.org/index.php/Idmap_config_ad;
> that is how I got as far as I did, that and the idmap_ad man page. I could
> not find how to use the loginShell. Is there a variable I can use for it in
> the template, or an option to set to use it? loginShell and unixHomedir are
> not mentioned on the wiki that I could find. I'm good with the templated
> homedir but curious how to use the unixHomedir. It seems that schema_mode
> = rfc2307 is the default, as it works fine except for the default shells,
> which I have the workaround for. I think I will move them out of their home
> directories and set them elsewhere, where users will need to ask to change
> the shell. I purposefully set rid as the default backend if one does not
> exist explicitly for the domain, as it worked better for me. What I did with
> the default backend should stop the login if the domain isn't explicitly
> defined.
>
> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny wrote:
>
>> On 04/12/15 22:43, Jeff Sadowski wrote:
>>
>>> We use power broker here at work and were wondering why we need it.
>>>
>>> I was able to set up a new Linux server using Samba and am able to log in
>>> with my Active Directory accounts, but I couldn't figure out how to set
>>> the login shells.
>>> I have a workaround but would like feedback.
>>> In my /etc/samba/smb.conf I have the following:
>>>
>>> security = ads
>>> realm = DOMAIN.LONG
>>> workgroup = DOMAIN
>>> idmap config DOMAIN : backend = ad
>>> idmap config DOMAIN : range = 1000-999999999
>>> #should not get here
>>> idmap config * : range = 999999998-999999999
>>> idmap config * :backend =rid
>>> template homedir = /nfs/homes/%U
>>> template shell = /nfs/homes/%U/.default_shell
>>> winbind use default domain = yes
>>> restrict anonymous = 2
>>>
>>
>> Have you considered reading the Samba wiki?
>> Your 'idmap config' block should look similar to this:
>>
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> # idmap config for domain SAMDOM
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 10000-99999
>>
>> # Use template settings for login shell and home directory
>> winbind nss info = template
>> template shell = /nfs/homes/%U/.default_shell
>> template homedir = /nfs/homes/%U
>>
>> Though as you seem to be using uidNumber & gidNumber attributes, you
>> could also store the loginShell and unixHomedir in AD as well.
>>
>> Rowland
>>
>>> allowing users to pick their shell using
>>> ln -s /bin/bash ~/.default_shell
>>> or
>>> ln -s /bin/tcsh ~/.default_shell
>>> ...
>>>
>>> It will be easy to create the .default_shell for each user using a simple
>>> script I can run on a machine that has power broker, but I am wondering
>>> what others have done to allow users to pick their shell using samba to
>>> authenticate?
>>> What are the downsides of doing it the way I did it?
>>>
>>> Is there a way to use the loginShell provided by rfc2307 that I haven't
>>> found documented in samba?
>>>
>>> I'm using samba version 4.1.6 if that makes a difference. I could
>>> probably find a way to upgrade if there is support in newer versions.
From rpenny at samba.org Sat Dec 5 09:34:57 2015
From: rpenny at samba.org (Rowland penny)
Date: Sat, 05 Dec 2015 09:34:57 +0000
Subject: [Samba] template shell RFC2307 loginShell
References: <56621B24.7080200@samba.org>
Message-ID: <5662AFC1.400@samba.org>

On 05/12/15 02:47, Jeff Sadowski wrote:
> Thank you Rowland for looking at it.
> I did read the wiki here https://wiki.samba.org/index.php/Idmap_config_ad;
> that is how I got as far as I did, that and the idmap_ad man page. I could
> not find how to use the loginShell. Is there a variable I can use for it in
> the template, or an option to set to use it? loginShell and unixHomedir are
> not mentioned on the wiki that I could find. I'm good with the templated
> homedir but curious how to use the unixHomedir. It seems that schema_mode
> = rfc2307 is the default, as it works fine except for the default shells,
> which I have the workaround for. I think I will move them out of their home
> directories and set them elsewhere, where users will need to ask to change
> the shell. I purposefully set rid as the default backend if one does not
> exist explicitly for the domain, as it worked better for me. What I did with
> the default backend should stop the login if the domain isn't explicitly
> defined.
>
> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny wrote:
>
>> On 04/12/15 22:43, Jeff Sadowski wrote:
>>
>>> We use power broker here at work and were wondering why we need it.
>>>
>>> I was able to set up a new Linux server using Samba and am able to log in
>>> with my Active Directory accounts, but I couldn't figure out how to set
>>> the login shells.
>>> I have a workaround but would like feedback.
>>> In my /etc/samba/smb.conf I have the following:
>>>
>>> security = ads
>>> realm = DOMAIN.LONG
>>> workgroup = DOMAIN
>>> idmap config DOMAIN : backend = ad
>>> idmap config DOMAIN : range = 1000-999999999
>>> #should not get here
>>> idmap config * : range = 999999998-999999999
>>> idmap config * :backend =rid
>>> template homedir = /nfs/homes/%U
>>> template shell = /nfs/homes/%U/.default_shell
>>> winbind use default domain = yes
>>> restrict anonymous = 2
>>>
>>
>> Have you considered reading the Samba wiki?
>> Your 'idmap config' block should look similar to this:
>>
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> # idmap config for domain SAMDOM
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 10000-99999
>>
>> # Use template settings for login shell and home directory
>> winbind nss info = template
>> template shell = /nfs/homes/%U/.default_shell
>> template homedir = /nfs/homes/%U
>>
>> Though as you seem to be using uidNumber & gidNumber attributes,
>> you could also store the loginShell and unixHomedir in AD as well.
>>
>> Rowland
>>
>>> allowing users to pick their shell using
>>> ln -s /bin/bash ~/.default_shell
>>> or
>>> ln -s /bin/tcsh ~/.default_shell
>>> ...
>>>
>>> It will be easy to create the .default_shell for each user
>>> using a simple script I can run on a machine that has power broker, but I am
>>> wondering what others have done to allow users to pick their shell using samba to
>>> authenticate?
>>> What are the downsides of doing it the way I did it?
>>>
>>> Is there a way to use the loginShell provided by rfc2307 that
>>> I haven't found documented in samba?
>>>
>>> I'm using samba version 4.1.6 if that makes a difference. I
>>> could probably find a way to upgrade if there is support in newer versions.
>

Samba AD as standard comes with the ability to add RFC2307 attributes to a user or group (see here for more info: https://www.ietf.org/rfc/rfc2307.txt). What this means is, if you give a user a uidNumber and at least 'Domain Users' a gidNumber, then the user will become visible on a Unix domain member (aka Unix workstation). If you study the list of attributes at the link above, you will find that there are more attributes available, amongst them loginShell and homeDirectory. The first is where you can store the user's login shell (obviously), but there is a problem with the second: AD already has an attribute with the same name to store the user's Windows home directory path, so this became unixHomeDirectory and is where you can store the user's Unix home directory. If you require more info on the RFC2307 attributes, please ask.

Now, as for the 'idmap config' block and which to use, this is down to the sysadmin (i.e. you) and is based on what you require. There are several backends available, but only two are regularly used, the 'ad' and 'rid' backends.

Let's deal with the 'rid' backend first; this is used if you don't want (or need) to add RFC2307 attributes to AD. Your users & groups will be mapped to a number inside the range you set, i.e. idmap config SAMDOM:range = 10000-99999. It uses an algorithm to create the IDs from the user/group RID, and as long as you use the same 'idmap config' block on every Unix machine, you will get the same Unix ID on every Unix machine. The downside is that you cannot set individual homedirs & shells for users and will have to use the template lines in smb.conf.

The 'ad' backend is different; it uses the RFC2307 attributes for the user/group IDs. This does of course mean that you have to add a uidNumber attribute containing a unique number to any users that you need to be visible to Unix *and* add a gidNumber to Domain Users at least. These numbers must be inside the range you set in smb.conf; any numbers outside the range will be ignored. You can go further with the 'ad' backend: you can add the loginShell attribute containing the user's shell (/bin/bash for instance), and you can also add the unixHomeDirectory attribute containing the path to the user's home directory. To use these, you would also need to have the line 'winbind nss info = rfc2307' in smb.conf. If you don't want to add these further attributes, you can add 'winbind nss info = template' instead and also add the template lines.

You need these lines in smb.conf:

idmap config *:backend = tdb
idmap config *:range = 2000-9999

These lines are where Samba will store the mappings for the builtin users & groups; without these, it is very unlikely Samba will work correctly.

Again, any questions, please ask.

Rowland

From cpservicespb at gmail.com Sat Dec 5 11:45:10 2015
From: cpservicespb at gmail.com (CpServiceSPb .)
Date: Sat, 5 Dec 2015 14:45:10 +0300
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !

> There is nothing stopping you connecting directly to your shares, or using a domain member as a fileserver

I agree, but for most of the users I talked with, access via a friendly name (NetBIOS) rather than a quite long one (DNS) is more comfortable.

> In my personal opinion, you are risking trouble by still using XP, yes I know that sometimes you have to, but I would suggest that you start
> making plans to replace XP, I would not put it past microsoft coming up with something to stop later versions of windows connecting to XP PCs.
> You are also risking any unknown security holes (unknown to everybody but the black hats, that is) in XP, these holes will not be fixed.

1. Windows 7/8 have NetBIOS functionality (Network Neighborhood browsing ability), not only XP (and of course the MS server line has it also);
2. I know about that (risky and so on). But there are different conditions: financial, organizational, legal, technical, and so on, to move faster to Windows after XP (life after death :)) ).

> All I can suggest is you get hold of 'samba-master' from samba git and see if you can work out how to do this. To me 'C' comes between 'B' &
> 'D' :-D i.e. I haven't a clue

Not much, but thank you.
I did it that way when I began to write (code) multi-group LMB/DMB functionality across the IP address space for Nmbd, and now I have an almost completely working solution (that allows browsing even for road warriors, which was necessary for me).

*For mathias*

> I worked for years for a small company building planes: Airbus. They do have lot of DC, lot of file servers, they use ADAM intensively too. I don't
> remember they were using WINS service. DC are meant to authenticate clients. That specific process is based on DNS to guess where to authenticate.
> In fact having DC in network neighborhood is good for mini-parks only. If you have 2 files server and 2 DC, 50 clients, at worst you will have 54
> entries in network neighborhood. Now think about same network neighborhood when you have 50 DC, 250 file servers and tenths of thousands clients.
> Wouldn't be easier for your users to have only these file servers in their network neighborhood rather than all clients + all DC + somewhere in
> the middle some lost file servers?

As I mentioned above, there are different situations in different organizations: commercial/non-commercial/educational/military/peaceful. :)
Mostly the use of NetBIOS abilities is applicable for home/small/medium business.
But even in big business companies it can be used via WINS.

No, for the conditions I have dealt with, it wouldn't.
It would be easy for users (first of all, and then for lazy admins :)) ) to have the choice of making it possible to see computers in the list (including file servers) or not to see them.
Users who can/want to access servers/computers by name, they are welcome; users who can/want to access internal resources by IP or by another way (DNS or whatever is used at your organization), they are welcome.
A society of free choice. Isn't it?

By the way, why is it good for mini-parks only? You may not answer this question. It can work well for quite big parks also.
If you meant broadcast, I may partially agree with you, but modern network cards, as well as communication lines, have big bandwidth. :))

> I'm lacking knowledge about MS AD but I was believing AD was coming with its own replacement of that election process.
> If I'm wrong the fact DC are not part of that process does not seems to be a too big issue if they are not file server.

I don't know any replacement of such an operation; there are two choices: use or not (to be or not to be :)) ).
And also I heard that MS policy declares one server for each role. :)))
But .....
As I said, there are different orgs in or with different conditions.

> For lazy admins on small park, it could be. For DC with short names in a big park, you lose time opening the network
> neighborhood, waiting it fill up, dig into declared machines to find the one you was looking for rather than just typing "\\my_dc_name" in windows
> explorer address bar.

For the first two statements see above. :))
About losing time, in my opinion not always, because the list is built for some time (not zeroed after 1 minute).
Regarding typing \\DC_name, your users and admins have to be equipped with big memory. :)))
Sometimes it is quite difficult to remember 2 DC names (even one DC name), but if you talk about 50+ DCs or many DCs + some fileservers ... You are a monster. :))

> "lack of discussion" functionality: what did you meant?

I meant the absence of the functionality we discussed. Nothing else.

> They really stopped digging into Samba AD because they didn't find their DC in the network neighborhood? No they must have better reasons I think.

Please keep in mind that Samba3/4 Nmbd functionality is not limited to showing/hiding the Samba3/4 server itself in the network list; it can be (and often is) the LMB (local master) and/or DMB (domain master), which means quite a bit more: maintaining and providing the network neighborhood list to other DCs, servers and clients.

> Good luck! Always a good idea to help opensource :)

Thanks. Do you want to join me at this beginning? :)

P. S.: I propose to stop this discussion. If the Samba development team will add it to the code, it will be very nice.
If you, mathias or others want to make it on your/their own or take part in it, it will be nice also. :)
If you or others want to help me with it, you are welcome.

From rpenny at samba.org Sat Dec 5 12:09:02 2015
From: rpenny at samba.org (Rowland penny)
Date: Sat, 05 Dec 2015 12:09:02 +0000
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
Message-ID: <5662D3DE.7070800@samba.org>

On 05/12/15 11:45, CpServiceSPb . wrote:
>> There is nothing stopping you connecting directly to your shares, or using a domain member as a fileserver
> I agree, but for most of the users I talked with, access via a friendly name
> (NetBIOS) rather than a quite long one (DNS) is more comfortable.
>
>> In my personal opinion, you are risking trouble by still using XP, yes I know that sometimes you have to, but I would suggest that you start
>> making plans to replace XP, I would not put it past microsoft coming up with something to stop later versions of windows connecting to XP PCs.
>> You are also risking any unknown security holes (unknown to everybody but the black hats, that is) in XP, these holes will not be fixed.
> 1.
> Windows 7/8 have NetBIOS functionality (Network Neighborhood browsing ability),
> not only XP (and of course the MS server line has it also);
> 2. I know about that (risky and so on). But there are different
> conditions: financial, organizational, legal, technical, and so on, to move
> faster to Windows after XP (life after death :)) ).
>
>
>> All I can suggest is you get hold of 'samba-master' from samba git and see if you can work out how to do this. To me 'C' comes between 'B' &
>> 'D' :-D i.e. I haven't a clue
> Not much, but thank you.
> I did it that way when I began to write (code) multi-group LMB/DMB
> functionality across the IP address space for Nmbd, and now I have an almost
> completely working solution (that allows browsing even for road warriors,
> which was necessary for me).
>
>
> *For mathias*
>
>> I worked for years for a small company building planes: Airbus. They do
>> have lot of DC, lot of file servers, they use ADAM intensively too. I don't
>> remember they were using WINS service. DC are meant to authenticate
>> clients. That specific process is based on DNS to guess where to
>> authenticate.
>> In fact having DC in network neighborhood is good for mini-parks only. If
>> you have 2 files server and 2 DC, 50 clients, at worst you will have 54 entries in network
>> neighborhood. Now think about same network neighborhood when you have 50
>> DC, 250 file servers and tenths of thousands clients. Wouldn't be easier for your users to have only these
>> file servers in their network neighborhood rather than all clients + all DC +
>> somewhere in the middle some lost file servers?
> As I mentioned above, there are different situations in different
> organizations: commercial/non-commercial/educational/military/peaceful. :)
> Mostly the use of NetBIOS abilities is applicable for home/small/medium
> business.
> But even in big business companies it can be used via WINS.
> No, for the conditions I have dealt with, it wouldn't.
> It would be easy for users (first of all, and then for lazy admins :)) ) to
> have the choice of making it possible to see computers in the list (including file
> servers) or not to see them.
> Users who can/want to access servers/computers by name, they are
> welcome; users who can/want to access internal resources by IP or by
> another way (DNS or whatever is used at your organization), they are
> welcome.
> A society of free choice. Isn't it?
>
> By the way, why is it good for mini-parks only? You may not answer this
> question. It can work well for quite big parks also.
> If you meant broadcast, I may partially agree with you, but modern network cards,
> as well as communication lines, have big bandwidth. :))
>
>> I'm lacking knowledge about MS AD but I was believing AD was coming with its own replacement of that election process.
>> If I'm wrong the fact DC are not part of that process does not seems to be a too big issue if they are not file server.
> I don't know any replacement of such an operation; there are two choices: use
> or not (to be or not to be :)) ).
> And also I heard that MS policy declares one server for each role. :)))
> But .....
> As I said, there are different orgs in or with different conditions.
>
>> For lazy admins on small park, it could be. For DC with short names in a big park, you lose time opening the network
>> neighborhood, waiting it fill up, dig into declared machines to find the one you was looking for rather than just typing "\\my_dc_name" in windows
>> explorer address bar.
> For the first two statements see above. :))
> About losing time, in my opinion not always, because the list is built for
> some time (not zeroed after 1 minute).
> Regarding typing \\DC_name, your users and admins have to be equipped with
> big memory. :)))
> Sometimes it is quite difficult to remember 2 DC names (even one DC name),
> but if you talk about 50+ DCs or many DCs + some fileservers ...
> You are a monster. :))
>
>> "lack of discussion" functionality: what did you meant?
> I meant the absence of the functionality we discussed. Nothing else.
>
>> They really stopped digging into Samba AD because they didn't find their DC in the network neighborhood? No they must have better reasons I think.
> Please keep in mind that Samba3/4 Nmbd functionality is not limited to
> showing/hiding the Samba3/4 server itself in the network list; it can be (and often is)
> the LMB (local master) and/or DMB (domain master), which means quite a bit more:
> maintaining and providing the network neighborhood list to other DCs, servers and clients.
>
>> Good luck! Always a good idea to help opensource :)
> Thanks. Do you want to join me at this beginning? :)
>
> P. S.: I propose to stop this discussion. If the Samba development team will add it
> to the code, it will be very nice.
> If you, mathias or others want to make it on your/their own or take part in
> it, it will be nice also. :)
> If you or others want to help me with it, you are welcome.

Obviously to you, the lack of network browsing is a big deal; to others, it is just not that important. There are things required that take priority over this, so until one of the main developers (or more likely, their employer) requires it, network browsing will probably not get 'fixed'. If you can fix it, you will need to supply patches against samba-master to either samba-technical or https://github.com/samba-team/samba

Rowland

From cpservicespb at gmail.com Sat Dec 5 13:15:28 2015
From: cpservicespb at gmail.com (CpServiceSPb .)
Date: Sat, 5 Dec 2015 16:15:28 +0300
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !

P. p. S.: Oh, I have remembered. Quite an important thing. There is some software where there is no address line in which you can put a \\server\folder address, or where you cannot access a resource via \\server\folder, only via the computer list. For example: Far. Typing \\server gives an error.
Only: Alt+F1/F2, network, MS Windows Network, GroupName, CompName.
If it is visible - Samba4 with Nmbd, it is here in the list and it is accessible; if Samba4 is a DC (no Nmbd), it is not in the list and not accessible.

From miguelmedalha at sapo.pt Sat Dec 5 13:04:56 2015
From: miguelmedalha at sapo.pt (Miguel Medalha)
Date: Sat, 05 Dec 2015 13:04:56 +0000
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
Message-ID:

>> There is nothing stopping you connecting directly to your shares, or
>> using a domain member as a fileserver
> I agree, but for most of the users I talked with, via a friendly name
> (NetBios) but not a quite long one (DNS) is more comfortable.

What do you mean? I have a Samba AD Domain Controller also acting as a file server and I connect to shares using short names, not DNS names. Once I introduce the name of the server in Explorer like \\Server it will show me all the available shares. It won't show in "Network neighborhood" but WHO CARES?

From cpservicespb at gmail.com Sat Dec 5 13:43:12 2015
From: cpservicespb at gmail.com (CpServiceSPb .)
Date: Sat, 5 Dec 2015 16:43:12 +0300
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To:
References:
Message-ID:

> Obviously to you, the lack of network browsing is a big deal, to others,
> it is just not that important.
Not to me only, also to people whom I know and to people whom those people know. :))

> There are things required that take
> priority over this, so until one of the main developers (or more likely,
> their employer) require it, network browsing will probably not get
> 'fixed'.
Ok. I have already understood it. :)

> If you can fix it, you will need to supply patches against
> samba-master to either samba-technical or
> https://github.com/samba-team/samba
I think simply moving code from nmbd s3 to s4 will not be applicable.
Anyway thanks.

P. S.: There is one more functionality question: Samba4 fileserver (acts as fileserver now, with Nmbd also) but with LDAP as backend. But those are messages for another topic.

From viktor at troja.ch Sat Dec 5 14:18:00 2015
From: viktor at troja.ch (Viktor Trojanovic)
Date: Sat, 5 Dec 2015 15:18:00 +0100
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To:
References:
Message-ID:

On 05 Dec 2015, at 14:43, CpServiceSPb . wrote:

>> Obviously to you, the lack of network browsing is a big deal, to others,
>> it is just not that important.
> Not to me only, also to people whom I know and to people whom
> those people know. :))

I really don't see the need for browsing an AD DC. I prefer it does the job it's supposed to do well which means that the code should be appropriately streamlined. You can still use a different mode of Samba if all you need is to quickly share some files.

Even in a very small AD environment, you should implement a separate Samba member for file serving purposes. You might, like me, decide to do this in a virtual instance rather than adding a second machine. This allows you to be compliant with the AD concept and still do all on one machine which is perfectly fine for the home office. What's more, if your office ever starts to grow and you decide a single server doesn't cut it anymore, you can always and easily move the virtual instance to a separate server with very little reconfiguration, and without touching the DC instance.

Viktor

From cpservicespb at gmail.com Sat Dec 5 14:38:46 2015
From: cpservicespb at gmail.com (CpServiceSPb .)
Date: Sat, 5 Dec 2015 17:38:46 +0300
Subject: [Samba] Fwd: Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To:
References:
Message-ID:

> I really don't see the need for browsing an AD DC. I prefer it does the job it's supposed to do well which means that the code should be appropriately
> streamlined.
> You can still use a different mode of Samba if all you need is to quickly share some files.
> Even in a very small AD environment, you should implement a separate Samba member for file serving purposes. You might, like me, decide to do this in a
> virtual instance rather than adding a second machine. This allows you to be compliant with the AD concept and still do all on one machine which is
> perfectly fine for the home office.
> What's more, if your office ever starts to grow and you decide a single server doesn't cut it anymore, you can always and easily move the virtual instance
> to a separate server with very little reconfiguration, and without touching the DC instance.

You, of course, may not need these functions. Maybe it is easier for you to build your infrastructure. :)
But as I said, many people (I know) said that they need it and it would be more comfortable to have it and use it, especially if they have an all-in-one box, as Linux allows to have.
As I know, the AD concept doesn't exclude browsing as well. :))
As I mentioned some posts earlier, I am not an MS concept follower - one role - one hard computer (at this time virtual machine): AD - one hard/virtual PC, dns - another, NetBios (with browsing, i.e. fileserver) - another, dhcp - one other and so on. :)
As I mentioned earlier one more thing, Nmbd provides not only showing its own PC on the network, it holds some masters (local/domain).
At this time I can't exactly claim whether Samba4 as DC holds LMB/DMB (as I know, as DC it has to be also DMB and have name <1B>, if of course it is not turned off).
As I mentioned earlier, sometimes access to files stored at the DC is necessary, and not all software allows to do so by \\server\folder if it is not in the list.
So, somebody may not need it, somebody may need it. But if this functionality is present in the software and you don't need it, you simply can either not turn it on or switch it off. But if there is no necessary feature, even if you need it you can not launch it.
Do you agree? :)

P. S.: You may not answer this last question. :)

From anrdaemon at yandex.ru Sat Dec 5 16:56:42 2015
From: anrdaemon at yandex.ru (Andrey Repin)
Date: Sat, 5 Dec 2015 19:56:42 +0300
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To:
References:
Message-ID: <15010140704.20151205195642@yandex.ru>

Greetings, CpServiceSPb .!

> P. p. S.: Oh, I have remembered.
> Quite an important thing.
> There is some software where there is no address line where you can put a
> \\server\folder address to access, or you can not get access to a resource via
> \\server\folder, only via the computer list.
> For example: Far.
> By typing \\server - there is an error.

net:\\server

Sometimes, you have to read documentation.

> Only: Alt+F1/F2, network, MS Windows Network, GroupName, CompName.
> If it is visible - Samba4 with Nmbd, it is here in the list and it is
> accessible; if Samba4 is a DC (no Nmbd), it is not in the list and not
> accessible.

That's simply not true.
And you could always use 'cd \\server\share' or 'goto:\\server\share\'.

That doesn't make the invisibility of the DC in the network neighborhood any less annoying.
Not all companies are as "small" as Airbus. Some barely can afford a standalone server, and even that necessity is highly questioned by the administration.

--
With best regards,
Andrey Repin
Saturday, December 5, 2015 19:52:37

Sorry for my terrible english...

From jra at samba.org Sat Dec 5 17:26:58 2015
From: jra at samba.org (Jeremy Allison)
Date: Sat, 5 Dec 2015 09:26:58 -0800
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To: <5662D3DE.7070800@samba.org>
References: <5662D3DE.7070800@samba.org>
Message-ID: <20151205172658.GA2880@jeremy-acer>

On Sat, Dec 05, 2015 at 12:09:02PM +0000, Rowland penny wrote:
>
> Obviously to you, the lack of network browsing is a big deal, to others, it
> is just not that important.
> There are things required that take priority
> over this, so until one of the main developers (or more likely, their
> employer) require it, network browsing will probably not get 'fixed'. If you
> can fix it, you will need to supply patches against samba-master to either
> samba-technical or https://github.com/samba-team/samba

So here's the deal. Getting network browsing right is hard and dangerous (security-wise) and is a solved problem with nmbd. That code hasn't needed security updates in a few years (which I'm very glad of, as I wrote most of it :-).

Now, when Samba-AD was being developed, everything was originally being re-written. This has since been discovered to be A.Bad.Idea. But this means some functionality that isn't in stable nmbd got put into the Samba-ad code (mostly the WINS replication stuff).

These days few people depend on network browsing on AD-DC's to work, so the situation (some parts being in nmbd, some parts being elsewhere) remains.

To break the logjam, funding needs to be found to finish the browsing code in the AD-DC, or to add the extra functionality to nmbd (my preferred solution, as that is simpler code). But it isn't going to happen without someone who *needs* this stepping up and funding it or donating working code.

Jeremy.

From cpservicespb at gmail.com Sat Dec 5 20:38:32 2015
From: cpservicespb at gmail.com (CpServiceSPb .)
Date: Sat, 5 Dec 2015 23:38:32 +0300
Subject: [Samba] Fwd: Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To: <15010140704.20151205195642@yandex.ru>
References: <15010140704.20151205195642@yandex.ru>
Message-ID:

> net:\\server
> Sometimes, you have to read documentation.

Oh, no.
It has to be done by users who use Far. :)
I remembered just the first that came to my head. :))
And try to explain it to numbers of users.
Especially accountants...
You as Russians can know it.
I know some other software where there is no such ability (access by \\server\folder)
But can not remember it at the time.
> That's simply not true.
> And you could always use 'cd \\server\share' or 'goto:\\server\share\'.

You are not right. It is _partially_ true.

>> If it is visible - Samba4 with Nmbd, it is here in the list ...
But this is true. :))

>> if Samba4 is a DC (no Nmbd), it is not in the list
And it is true. :))

> That doesn't make the invisibility of the DC in the network neighborhood any less annoying.
> Not all companies are as "small" as Airbus. Some barely can afford a standalone
> server, and even that necessity is highly questioned by the administration.

But I didn't understand, are you "for" or "against" presenting Nmb functionality in the Samba DC part of the code?
So, I offer people to combine their efforts to make the code of Nmb within the Samba4 DC together instead of posting messages. :))

P. S.:
> Sorry for my terrible english...
I know a little bit of Russian. We can discuss privately in Russian.

From cpservicespb at gmail.com Sun Dec 6 12:26:44 2015
From: cpservicespb at gmail.com (CpServiceSPb .)
Date: Sun, 6 Dec 2015 15:26:44 +0300
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To:
References: <15010140704.20151205195642@yandex.ru>
Message-ID:

> But it isn't going to happen without someone who *needs* this stepping up and funding it or donating working code.

What donation amount do you estimate to do so?

From miguelmedalha at sapo.pt Sun Dec 6 15:19:39 2015
From: miguelmedalha at sapo.pt (Miguel Medalha)
Date: Sun, 06 Dec 2015 15:19:39 +0000
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
Message-ID:

> There is some software where there is no address line where you can put a
> \\server\folder address to access, or you can not get access to a resource via
> \\server\folder, only via the computer list.

Why not map the share to a drive letter in those cases? I just don't see such a big problem...

From cpservicespb at gmail.com Sun Dec 6 15:23:53 2015
From: cpservicespb at gmail.com (CpServiceSPb .)
Date: Sun, 6 Dec 2015 18:23:53 +0300
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
Message-ID:

You meant making disk Z: as \\server\folder, did you?

2015-12-06 18:19 GMT+03:00 Miguel Medalha :

> > There is some software where there is no address line where you can put a
> > \\server\folder address to access, or you can not get access to a resource via
> > \\server\folder, only via the computer list.
>
> Why not map the share to a drive letter in those cases? I just don't see
> such a big problem...

From cpservicespb at gmail.com Sun Dec 6 18:18:39 2015
From: cpservicespb at gmail.com (CpServiceSPb .)
Date: Sun, 6 Dec 2015 21:18:39 +0300
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To: <566466f8.a7dbc20a.3e763.1bb5SMTPIN_ADDED_MISSING@mx.google.com>
References: <566466f8.a7dbc20a.3e763.1bb5SMTPIN_ADDED_MISSING@mx.google.com>
Message-ID:

>> You meant making disk Z: as \\server\folder, did you?
> Yup!

Some time ago the virus encrypting files on disks renewed its activity. And it encrypts many file formats (doc, xls, jpg, rar and so on) on all available disks in the system. If there is a network share mapped as a disk, the probability of damaging files is increased despite antivirus software. Unfortunately.

From dbundus at gmail.com Sun Dec 6 20:41:01 2015
From: dbundus at gmail.com (Dave Bundus)
Date: Sun, 6 Dec 2015 15:41:01 -0500
Subject: [Samba] Internal Error: Signal 11 in winbindd log when authenticating against AD
Message-ID:

After upgrading to freeradius 2.2.9 and winbindd 4.1.6 on Ubuntu 14:03 I began receiving the below messages in the winbindd log. These messages did not happen when testing under a low volume of requests, but now in production I am receiving approximately 100 of these messages per hour. The same error message occurs on 3 servers sharing the same configuration. After the message is posted to the log, successful logins immediately resume. This error has not kept a user from logging in.
The AD servers I am authenticating against are running Server 2012 R2.

INTERNAL ERROR: Signal 11 in pid 4569 (4.1.6-Ubuntu)
Please read the Trouble-Shooting section of the Samba HOWTO
[2015/12/06 15:22:01.936253, 0] ../lib/util/fault.c:75(fault_report)
===============================================================
[2015/12/06 15:22:01.936329, 0] ../source3/lib/util.c:785(smb_panic_s3)
PANIC (pid 4569): internal error
[2015/12/06 15:22:01.936943, 0] ../source3/lib/util.c:896(log_stack_trace)
BACKTRACE: 22 stack frames:
#0 /usr/lib/i386-linux-gnu/libsmbconf.so.0(log_stack_trace+0x29) [0xb6cc6a39]
#1 /usr/lib/i386-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x28) [0xb6cc6b38]
#2 /usr/lib/i386-linux-gnu/libsamba-util.so.0(smb_panic+0x3a) [0xb75d42ba]
#3 /usr/lib/i386-linux-gnu/libsamba-util.so.0(+0x1a551) [0xb75d4551]
#4 [0xb761dc8c]
#5 /usr/lib/i386-linux-gnu/samba/liblibcli_netlogon3.so.0(rpccli_netlogon_sam_network_logon+0x13d) [0xb72a0f1d]
#6 /usr/sbin/winbindd(+0x36327) [0xb7677327]
#7 /usr/sbin/winbindd(winbindd_dual_pam_auth_crap+0x423) [0xb767b753]
#8 /usr/sbin/winbindd(+0x51c7d) [0xb7692c7d]
#9 /usr/lib/i386-linux-gnu/libtevent.so.0(+0x8516) [0xb6b34516]
#10 /usr/lib/i386-linux-gnu/libtevent.so.0(+0x676e) [0xb6b3276e]
#11 /usr/lib/i386-linux-gnu/libtevent.so.0(_tevent_loop_once+0xa0) [0xb6b2eca0]
#12 /usr/sbin/winbindd(+0x546b1) [0xb76956b1]
#13 /usr/sbin/winbindd(+0x54edd) [0xb7695edd]
#14 /usr/lib/i386-linux-gnu/libtevent.so.0(+0x38e2) [0xb6b2f8e2]
#15 /usr/lib/i386-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xe8) [0xb6b2f578]
#16 /usr/lib/i386-linux-gnu/libtevent.so.0(+0x82b5) [0xb6b342b5]
#17 /usr/lib/i386-linux-gnu/libtevent.so.0(+0x676e) [0xb6b3276e]
#18 /usr/lib/i386-linux-gnu/libtevent.so.0(_tevent_loop_once+0xa0) [0xb6b2eca0]
#19 /usr/sbin/winbindd(main+0xd23) [0xb765b783]
#20 /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0xb6996a83]
#21 /usr/sbin/winbindd(+0x1b005) [0xb765c005]
[2015/12/06 15:22:01.937950, 0] ../source3/lib/util.c:797(smb_panic_s3)
smb_panic(): calling panic action [/usr/share/samba/panic-action 4569]
: [2015/12/06 15:22:01.940773, 0] ../source3/lib/util.c:805(smb_panic_s3)
: smb_panic(): action returned status 0
[2015/12/06 15:22:01.940921, 0] ../source3/lib/dumpcore.c:317(dump_core)
dumping core in /var/log/samba/cores/winbindd

From nkadel at gmail.com Mon Dec 7 04:35:36 2015
From: nkadel at gmail.com (Nico Kadel-Garcia)
Date: Sun, 6 Dec 2015 23:35:36 -0500
Subject: [Samba] Linux & NFSv4 ACLs
In-Reply-To: <20151204205400.GC15590@jra3>
References: <1741451491.2972398.1449183261663.JavaMail.zimbra@seakr.com> <20151204002334.GY816@jra3> <88B4D9E2-2B27-4374-A0FB-FD1F8189CF84@seakr.com> <20151204011351.GB30269@jra3> <2046438122.3000623.1449196296226.JavaMail.zimbra@seakr.com> <20151204202206.GB15590@jra3> <1661877766.3015687.1449261453082.JavaMail.zimbra@seakr.com> <20151204205400.GC15590@jra3>
Message-ID:

On Fri, Dec 4, 2015 at 3:54 PM, Jeremy Allison wrote:
> On Fri, Dec 04, 2015 at 01:37:33PM -0700, Nick Couchman wrote:
>> So, I don't see any shared library specifically for NFSv4 stuff, just the libattr dependency. I'm guessing this is what you mean - that there isn't a shared library available with an API you could use in a Samba VFS module to abstract the calls for getting/setting the NFSv4 ACLs - you'd have to actually write the entire library inside the VFS module?
>
> Yep, that's exactly it. Internal to nfs4_getfacl
> source there's libnfs4acl/, which does what we need,
> but it doesn't get installed by 'make install'.

I did some work with this maybe.... 4 years ago now? If you recompile the "nfs4-acl-tools" SRPM on CentOS or RHEL with the graphical options enabled, you get a very helpful graphical tool for this. It can and does work, but it can be very tricky to set all the relevant levels of permissions. In the Linux NFSv4 world, they are *order sensitive* settings, and do not map completely to NTFS style permissions.
But you can get close enough to call it jazz if you don't try to get too clever with it.....

From Volker.Lendecke at SerNet.DE Mon Dec 7 05:51:09 2015
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Mon, 7 Dec 2015 06:51:09 +0100
Subject: [Samba] Internal Error: Signal 11 in winbindd log when authenticating against AD
In-Reply-To:
References:
Message-ID: <20151207055109.GA3235@sernet.de>

On Sun, Dec 06, 2015 at 03:41:01PM -0500, Dave Bundus wrote:
> After upgrading to freeradius 2.2.9 and winbindd 4.1.6 on Ubuntu 14:03 I
> began receiving the below messages in the winbindd log. These messages did
> not happen when testing under a low volume of requests, but now in
> production I am receiving approximately 100 of these messages per hour.
> The same error message occurs on 3 servers sharing the same configuration.

Can you install the debuginfo packages, so that we get a better stack trace?

Thanks,

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

From infractory at gmail.com Mon Dec 7 09:20:05 2015
From: infractory at gmail.com (mathias dufresne)
Date: Mon, 7 Dec 2015 10:20:05 +0100
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To:
References:
Message-ID:

2015-12-05 12:45 GMT+01:00 CpServiceSPb . :

> > *For mathia *
> > I worked for years for a small company building planes: Airbus. They do
> have lot of DC, lot of file servers, they use ADAM intensively too. I don't
> > remember they were using WINS service. DC are
> meant to authenticate
> clients. That specific process is based on DNS to guess where to
> authenticate.
> > In fact having DC in network neighborhood is good for mini-parks only. If
> you have 2 files
> > server and 2 DC, 50 clients, at worst you will have 54 entries in network
> neighborhood.
> Now think about the same network neighborhood when you have 50
> > DC, 250 file servers and tens of
> > thousands of clients. Wouldn't it be easier for your users to have only these
> file servers in their network neighborhood rather than all clients + all DC
> +
> > somewhere in the middle some lost file servers?
> As I mentioned above, there are different situations in different
> organizations, commercial/non commercial/educational/military/peaceful. :)
> Mostly using of NetBios abilities is applicable for home/small/medium
> business.
> But even in big business companies it can be used via Wins.
>
What gives you Wins? The ability to use short names I believe. Active Directory uses DNS to store host names. Yes they are stored in a long form called FQDN which is boring to type but MS Windows systems come with domain search options, as do UNIX boxes. Filling in some searched domain you should be able to use short names, as if you were having Wins.

> No, for conditions I touched with, wouldn't.
>
I did not understand anything.

> It would be easy for users (first of all and then for lazy admins :)) ) to
> have the choice to make it possible to see computers in the list (including file
> servers) or not to see.
>
As explained, users don't have to access DC. DC are meant to discuss with other systems (OSes) for authentication. No access means no need to put them into Network Neighborhood. Admins can access DC with short names as explained earlier.

> Users who can/want to use access to servers/computers by name are
> welcome, users who can/want to access internal resources by IP or by
> other way (DNS or other which is used at your organization), they are
> welcome.
> Society of freedom of choice. Is it?
>
Again, I don't understand why you write that: we can access DC using \\ or \\ or \\ So it seems to me you shout against something which is working as expected...

> > By the way, why is it good for miniparks only? You may not answer this
> question.
> It can work well for quite big parks also.
> If you meant broadcast, I may partially agree with you, but modern netcards
> as communication lines have big broadband. :))
>
No I did not mean the broadcast issue but an organizational issue. I give (again) the example:
You have 10 DC.
You have 50 servers (file servers).
You have 2000 workstations.
File servers are in network neighborhood, so 50 entries in there.
Workstations are in network neighborhood, 2050 entries in there.
You add your 10 DC in network neighborhood and you have 2060 entries in your network neighborhood.
I can't see how it is simpler to look manually into a list of 2000+ entries to find one server when you can access it by IP, FQDN or shortname (again, short name is accessible only for admins who know how to configure a MS Windows system).

> > I'm lacking knowledge about MS AD but I was believing AD was coming with
> its own replacement of that election process.
> We saw : )
>
> > If I'm wrong the fact DC are not part of that process does not seem to
> be a too big issue if they are not file servers.
>
That's it, no issue if they are not file servers.

> I don't know any replacement of such operation, there are two choices: use
> or not (be or not to be :)) ).
> And also I heard about MS policy declaring one server for each role.:)))
> But .....
> As I said there are different orgs in or with different conditions.
>
> > For lazy admins on a small park, it could be. For DC with short names in a
> big park, you lose time opening the network
> > neighborhood, waiting for it to fill up, digging into declared machines to find the
> one you were looking for rather than just typing "\\my_dc_name" in the windows
> > explorer address bar.
>
Once more, learn how to configure searched domains on MS Windows systems.

> For the first two statements see above. :))
> About losing time, in my opinion not always, because the list is built for
> some time (not zeroed after 1 minute).
> Regarding typing of \\DC_name, your users and admins have to be equipped with
> big memory. :)))
> Sometimes it is quite difficult to remember 2 DC names (even one DC name),
> but if you talked about 50+ DCs or many DCs + some fileservers ...
> You are a monster. :))
>
> > "lack of discussion" functionality: what did you mean?
> I meant the absence of the functionality we discussed about. Nothing else.
>
> > They really stopped digging into Samba AD because they didn't find their
> DC in the network neighborhood? No they must have better reasons I think.
> Please take in mind that Samba3/4 Nmbd functionality is not limited to
> showing/hiding the Samba3/4 server itself in the Net list, it can (or often is) be
> the LMB (local master) and/or DMB (domain master), which means quite a bit more,
> namely maintaining and providing the Nethood list to other DCs, servers,
> clients.
>
> > Good luck! Always a good idea to help opensource :)
> Thanks. Do you want to join me at this beginning? :)
>
No. As explained I can't see any interest in that. For me network neighborhood is THE place to avoid. Perhaps because I have worked for big companies for too much time.

And something else: I'm currently working for a big company, trying to design a (very) big domain. We are already trying to find financial resources to help the Samba team to develop what we need for scalability. In other words, we have already enough to do with our own issues.

> P. S.: I offer to stop this discussion. If the Samba development team will add so
> to the code it will be very nice.
> If you, mathias or others want to make it on your/their own or take part in
> it, it will be nice also. :)
> If you or others want to help me in it, you are welcome.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

From infractory at gmail.com Mon Dec 7 09:25:55 2015
From: infractory at gmail.com (mathias dufresne)
Date: Mon, 7 Dec 2015 10:25:55 +0100
Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To:
References:
Message-ID:

2015-12-05 14:15 GMT+01:00 CpServiceSPb . :

> P. p. S.: Oh, I have remembered.
> Quite an important thing.
> There is some software where there is no address line where you can put a
> \\server\folder address to access, or you can not get access to a resource via
> \\server\folder, only via the computer list.
> For example: Far.
> By typing \\server - there is an error.
> Only: Alt+F1/F2, network, MS Windows Network, GroupName, CompName.
> If it is visible - Samba4 with Nmbd, it is here in the list and it is
> accessible; if Samba4 is a DC (no Nmbd), it is not in the list and not
> accessible.

You can certainly mount \\server\folder as a new drive (map a drive to a letter). I expect Far is able to access all drives declared on your computer. Now I understand this process needs you to work more than before. Anyway, I can't see there a show stopper...

From infractory at gmail.com Mon Dec 7 09:30:23 2015
From: infractory at gmail.com (mathias dufresne)
Date: Mon, 7 Dec 2015 10:30:23 +0100
Subject: [Samba] Fwd: Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To:
References: <15010140704.20151205195642@yandex.ru>
Message-ID:

2015-12-05 21:38 GMT+01:00 CpServiceSPb . :

> > net:\\server
> > Sometimes, you have to read documentation.
>
> Oh, no.
> It has to be done by users who use Far. :)
> I remembered just the first that came to my head. :))
> And try to explain it to numbers of users.
> Especially accountants...
> You as Russians can know it.
> I know some other software where there is no such ability (access by
> \\server\folder)
> But can not remember it at the time.
>
Here I stopped reading.
When you post for mailing I expect you hope some read you. I expect you expect some of your readers would help you. Taking time to write correctly would be showing respect to whom can help you.

From cpservicespb at gmail.com Mon Dec 7 09:44:04 2015
From: cpservicespb at gmail.com (CpServiceSPb .)
Date: Mon, 7 Dec 2015 12:44:04 +0300
Subject: [Samba] Fwd: Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To:
References: <15010140704.20151205195642@yandex.ru>
Message-ID:

If my messages seem somehow unreadable - I sent them from the Gmail Web UI.

mathias dufresne, read my 2 or 3 last messages.
I wrote about mounting \\server\share as a disk and the risk of viruses encrypting files.
Also read the messages of others, who do not work at AirBus.

And moreover, it's your opinion.
But I see no use of more discussion at all.
If you want to combine your efforts to help with getting browsing with DC, you are welcome.
If not, I don't understand your reasons for posting messages; additionally, as I wrote and some others wrote, not only I need such functionality.

> When you post for mailing I expect you hope some read you. I expect you expect some of your readers would help you. Taking time to write correctly would be showing
> respect to whom can help you

It is preferable to say it to yourself first, because your posts didn't bring any progress in getting a working one.

As a result, if you want to join you are welcome, otherwise, I stop discussion with you.

2015-12-07 12:30 GMT+03:00 mathias dufresne :

>
> 2015-12-05 21:38 GMT+01:00 CpServiceSPb . :
>
>> > net:\\server
>> > Sometimes, you have to read documentation.
>>
>> Oh, no.
>> It has to be done by users who use Far. :)
>> I remembered just the first that came to my head. :))
>> And try to explain it to numbers of users.
>> Especially accountants...
>> You as Russians can know it.
>> I know some other software where there is no such ability (access by
>> \\server\folder)
>> But can not remember it at the time.
>>
>
> Here I stopped reading.
> When you post for mailing I expect you hope some read you. I expect you
> expect some of your readers would help you. Taking time to write correctly
> would be showing respect to whom can help you.
>

From infractory at gmail.com Mon Dec 7 09:52:02 2015
From: infractory at gmail.com (mathias dufresne)
Date: Mon, 7 Dec 2015 10:52:02 +0100
Subject: [Samba] Fwd: Functionality of Nmbd at Active Directory mode of Samba4 !
In-Reply-To:
References: <15010140704.20151205195642@yandex.ru>
Message-ID:

2015-12-07 10:44 GMT+01:00 CpServiceSPb . :

> If my messages seem somehow unreadable - I sent them from the Gmail Web UI.
>
> mathias dufresne, read my 2 or 3 last messages.
> I wrote about mounting \\server\share as a disk and the risk of viruses
> encrypting files.
> Also read the messages of others, who do not work at AirBus.
>
> And moreover, it's your opinion.
> But I see no use of more discussion at all.
> If you want to combine your efforts to help with getting browsing with DC,
> you are welcome.
> If not, I don't understand your reasons for posting messages;
> additionally, as I wrote and some others wrote, not only I need such functionality.
>
> > When you post for mailing I expect you hope some read you. I expect you
> expect some of your readers would help you. Taking time to write correctly
> would be showing
> > respect to whom can help you
>
> It is preferable to say it to yourself first, because your posts didn't
> bring any progress in getting a working one.
>
In fact, they should have helped you: you complained because you can't use short names with AD because of the lack of Wins and I explained how to work around that issue.

Who's not reading mails?

Cheers : )

>
> As a result, if you want to join you are welcome, otherwise, I stop
> discussion with you.
>
>
> 2015-12-07 12:30 GMT+03:00 mathias dufresne :
>
>>
>>
>> 2015-12-05 21:38 GMT+01:00 CpServiceSPb . :
>>
>>> > net:\\server
>>> > Sometimes, you have to read documentation.
>>>
>>> Oh, no.
>>> It has to be done by users who use Far. :)
>>> I remembered just the first that came to my head. :))
>>> And try to explain it to numbers of users.
>>> Especially accountants...
>>> You as Russians can know it.
>>> I know some other software where there is no such ability (access by
>>> \\server\folder)
>>> But can not remember it at the time.
>>>
>>
>> Here I stopped reading.
>> When you post for mailing I expect you hope some read you. I expect you
>> expect some of your readers would help you. Taking time to write correctly
>> would be showing respect to whom can help you.
>>
>
>

From nico.deranter at esaturnus.com Mon Dec 7 10:15:02 2015
From: nico.deranter at esaturnus.com (Nico De Ranter)
Date: Mon, 7 Dec 2015 11:15:02 +0100
Subject: [Samba] How to set unix properties from command line
In-Reply-To: <56618B99.1010705@samba.org>
References: <56618B99.1010705@samba.org>
Message-ID:

On Fri, Dec 4, 2015 at 1:48 PM, Rowland penny wrote:

> On 04/12/15 11:52, Nico De Ranter wrote:
>
>> Samba version: 4.1.17
>>
>> I want to use a Samba AD controller to manage access to both my Windows
>> and
>> Linux boxes. I managed to import my old Samba users using pdbedit however
>> as I want to use the new Samba AD controller to manage access to the Linux
>> workstations too I want to configure Unix properties on all my accounts.
>> Unfortunately I cannot find any command-line tool on Linux that will allow
>> me to easily fill in these properties. I looked at samba-tool and pdbedit
>> but they seem to be able to change only basic settings. I know I can do
>> it
>> through RSAT but I don't want to have to start a Windows vm just to manage
>> my users.
>>
>> How can I manage Unix properties for my Samba AD users from the
>> command-line in Linux?
>>
>> Thanks in advance,
>>
>> Nico
>>
>>
> well, if my patches ever get accepted, you will be able to do with
> samba-tool what the Unix attributes tab on ADUC does. Until then, you will
> have to resort to using a script to do this.
> > If your old setup was an NT4-style domain, you could have used the > classic-upgrade, this would have imported all of your old users & groups > along with all their RFC2307 attributes. > > I tried doing a classic-upgrade the upgrade process always crashes without clearly specifying why. Therefor I reverted to using pdbedit which appeared to be working fine, but now I noticed the export step skipped a number of users ("build_sam_pass: Failing attempt to store user with non-uid based user RID") unfortunately pdbedit doesn't seem to keep the user id's (or at least it is not filling in the id's in the unix attributes) Nico -- Nico De Ranter Operations Engineer T. +32 16 40 12 82 M. +32 497 91 53 78 From cpservicespb at gmail.com Mon Dec 7 10:15:20 2015 From: cpservicespb at gmail.com (CpServiceSPb .) Date: Mon, 7 Dec 2015 13:15:20 +0300 Subject: [Samba] Fwd: Functionality of Nmbd at Active Directory mode of Samba4 ! In-Reply-To: References: <15010140704.20151205195642@yandex.ru> Message-ID: Mathias. Firstly, Wins is not browsing service as itself, it is one of NetBios name resolution way, additionally to broadcast. That it looks like NetBios DNS. :) Secondly, I know and I can (in myself) use either DNS, NetBios (without browsing) \\serverName\folder , map to disk, even \\serverIP\\folder. Nevertheless there are users (many of them can not) , more risk of viruses (mapping to disk) , lack of possibility to have separate server for it and other reasons. But the main thing of my posts was not asking ways to bypass "problem" , that is to finding ways of accessing resources without browsing. The main thing was getting answer how to get browsing within DC with Samba4, not else. Or asking dev. team to add/make code working to have fully compliant AD DC (as Windows one) . Fill difference. :)) So, if you have to join, you are wellcome. Anyway. With many good wishes... 2015-12-07 12:52 GMT+03:00 mathias dufresne : > > 2015-12-07 10:44 GMT+01:00 CpServiceSPb . 
:
>
>> If my messages seem somehow unreadable - I sent them from the Gmail Web UI.
>>
>> mathias dufresne, read my 2 or 3 last messages.
>> I wrote about mounting \\server\share as a disk and the risk of viruses
>> encrypting files.
>> Also read the messages of others, who do not work at AirBus.
>>
>> And moreover, it's your opinion.
>> But I see the uselessness of more discussion at all.
>> If you want to combine your efforts to help with getting browsing with a
>> DC, you are welcome.
>> If not, I don't understand your reasons for posting messages;
>> additionally, as I wrote and some others wrote, not only I need such
>> functionality.
>>
>> > When you post to a mailing list I expect you hope some read you. I expect you
>> expect some of your readers would help you. Taking time to write correctly
>> would be showing
>> > respect to those who can help you
>>
>> It is preferable to say it to yourself first, because your posts didn't
>> bring any progress in getting a working one.
>>
>
> In fact, they should have helped you: you complained because you can't use
> short names with AD because of lack of WINS and I explained how to work
> around that issue.
>
> Who's not reading mails?
>
> Cheers : )
>
>
>> As a result, if you want to join you are welcome; otherwise, I stop
>> discussion with you.
>>
>>
>> 2015-12-07 12:30 GMT+03:00 mathias dufresne :
>>
>>>
>>> 2015-12-05 21:38 GMT+01:00 CpServiceSPb . :
>>>
>>>> > net:\\server
>>>> > Sometimes, you have to read documentation.
>>>>
>>>> Oh, no.
>>>> It has to do users, who use Far. :)
>>>> I remembered just the first that came to my head. :))
>>>> And try to explain it to numbers of users.
>>>> Especially accountants...
>>>> You as Russians can know it.
>>>> I know some other soft where there is no such ability (access by
>>>> \\server\folder)
>>>> But cannot remember it at the time.
>>>>
>>>
>>> Here I stopped reading.
>>> When you post to a mailing list I expect you hope some read you. I expect you
>>> expect some of your readers would help you.
>>> Taking time to write correctly
>>> would be showing respect to those who can help you.
>>>
>>
>

From rpenny at samba.org Mon Dec 7 10:24:14 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 07 Dec 2015 10:24:14 +0000
Subject: [Samba] How to set unix properties from command line
In-Reply-To:
References: <56618B99.1010705@samba.org>
Message-ID: <56655E4E.4010307@samba.org>

On 07/12/15 10:15, Nico De Ranter wrote:
>
>
> On Fri, Dec 4, 2015 at 1:48 PM, Rowland penny wrote:
>
>     On 04/12/15 11:52, Nico De Ranter wrote:
>
>         Samba version: 4.1.17
>
>         I want to use a Samba AD controller to manage access to both
>         my Windows and Linux boxes. I managed to import my old Samba
>         users using pdbedit; however, as I want to use the new Samba AD
>         controller to manage access to the Linux workstations too, I
>         want to configure Unix properties on all my accounts.
>         Unfortunately I cannot find any command-line tool on Linux
>         that will allow me to easily fill in these properties. I looked
>         at samba-tool and pdbedit but they seem to be able to change
>         only basic settings. I know I can do it through RSAT but I
>         don't want to have to start a Windows VM just to manage my
>         users.
>
>         How can I manage Unix properties for my Samba AD users from the
>         command-line in Linux?
>
>         Thanks in advance,
>
>         Nico
>
>
>     Well, if my patches ever get accepted, you will be able to do with
>     samba-tool what the Unix attributes tab on ADUC does. Until then,
>     you will have to resort to using a script to do this.
>
>     If your old setup was an NT4-style domain, you could have used the
>     classic-upgrade; this would have imported all of your old users &
>     groups along with all their RFC2307 attributes.
>
>
> I tried doing a classic-upgrade; the upgrade process always crashes
> without clearly specifying why.
> Therefore I reverted to using pdbedit
> which appeared to be working fine, but now I noticed the export step
> skipped a number of users ("build_sam_pass: Failing attempt to store
> user with non-uid based user RID")

Have you checked the failed users: do they have uidNumber attributes and, if
so, do they contain numbers?

>
> unfortunately pdbedit doesn't seem to keep the user ids (or at least
> it is not filling in the ids in the unix attributes)

pdbedit doesn't work on the info stored in ldap, it works on a Samba tdb file
and as such it may not have the info available.

Depending on how many users, groups and computers you have, it may be easier
to just start again and create a new AD domain and import your users etc.
from a csv file or similar.

Rowland

>
>

From nico.deranter at esaturnus.com Mon Dec 7 10:38:38 2015
From: nico.deranter at esaturnus.com (Nico De Ranter)
Date: Mon, 7 Dec 2015 11:38:38 +0100
Subject: [Samba] Caching user accounts on a Linux portable
Message-ID:

I'm setting up a new Samba-based AD domain. The domain will be used to
authenticate access to both Windows and Linux desktops and portables. When
a Windows portable is not able to access the AD servers (e.g. you are using
a portable outside of the office) you can still happily logon using cached
credentials (as long as the user logged on the PC at least once before).
Is there a way to get the same behaviour on Linux? I want my Linux-laptop
users to be able to logon to their laptops even if they are not connected
to the network. I know I can add local accounts to /etc/passwd but that kind
of defeats the purpose of setting up an AD domain.

Nico

--
Nico De Ranter

Operations Engineer

T. +32 16 40 12 82

M.
+32 497 91 53 78

From belle at bazuin.nl Mon Dec 7 10:57:51 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Mon, 7 Dec 2015 11:57:51 +0100
Subject: [Samba] Caching user accounts on a Linux portable
In-Reply-To:
References:
Message-ID:

Hai Nico,

Yes, you can do the same for Linux laptops.
Read: https://wiki.samba.org/index.php/PAM_Offline_Authentication

And here is an example.

https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nico De Ranter
> Sent: Monday 7 December 2015 11:39
> To: samba at lists.samba.org
> Subject: [Samba] Caching user accounts on a Linux portable
>
> I'm setting up a new Samba-based AD domain. The domain will be used to
> authenticate access to both Windows and Linux desktops and portables.
> When a Windows portable is not able to access the AD servers (e.g. you are
> using a portable outside of the office) you can still happily logon using
> cached credentials (as long as the user logged on the PC at least once before).
> Is there a way to get the same behaviour on Linux? I want my Linux-laptop
> users to be able to logon to their laptops even if they are not connected
> to the network. I know I can add local accounts to /etc/passwd but that
> kind of defeats the purpose of setting up an AD domain.
>
> Nico
>
>
> --
> Nico De Ranter
>
> Operations Engineer
>
> T. +32 16 40 12 82
>
> M.
> +32 497 91 53 78
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

From lancelot0501 at gmail.com Mon Dec 7 11:02:51 2015
From: lancelot0501 at gmail.com (Dave B)
Date: Mon, 7 Dec 2015 12:02:51 +0100
Subject: [Samba] Replication issue
Message-ID:

Greetings,

I inherited a Samba-based domain at my work with two domain controllers
running Zentyal 3.4.8 with Samba version 4.1.6-Zentyal. I don't know if it's
modified by the Zentyal team but they don't support this version anymore,
that's why I'm writing to this list.
The previous sysadmin told me that replication stopped working a while back,
but only in one direction. PDC gets replicated to SDC successfully but SDC
does not get replicated to PDC.

If I run the samba-tool drs replicate PDC SDC DC=mydomain,DC=lan --full-sync
command I get the following error:
ERROR(): DsReplicaSync failed -
drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')

Running the samba-tool drs showrepl command on SDC returned no error; running
it on PDC returns this:
DC=mydomain,DC=lan
        Default-First-Site-Name\SDC via RPC
                DSA object GUID: 0a989f75-b8b8-4ae4-a6d3-b1a66fa1f895
                Last attempt @ Mon Dec 7 11:58:50 2015 CET failed, result 58 (WERR_BAD_NET_RESP)
                6922 consecutive failure(s).
                Last success @ Mon Dec 7 11:58:47 2015 CET

I've found similar problems, but no solution so far, so any help would be
appreciated!

Thanks in advance,
David

From nico.deranter at esaturnus.com Mon Dec 7 12:00:06 2015
From: nico.deranter at esaturnus.com (Nico De Ranter)
Date: Mon, 7 Dec 2015 13:00:06 +0100
Subject: [Samba] Caching user accounts on a Linux portable
In-Reply-To:
References:
Message-ID:

Thanks! That's exactly what I was looking for.

Nico

On Mon, Dec 7, 2015 at 11:57 AM, L.P.H. van Belle wrote:

> Hai Nico,
>
> Yes, you can do the same for Linux laptops.
> Read: https://wiki.samba.org/index.php/PAM_Offline_Authentication
>
> And here is an example.
>
> https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nico De Ranter
> > Sent: Monday 7 December 2015 11:39
> > To: samba at lists.samba.org
> > Subject: [Samba] Caching user accounts on a Linux portable
> >
> > I'm setting up a new Samba-based AD domain. The domain will be used to
> > authenticate access to both Windows and Linux desktops and portables.
> > When a Windows portable is not able to access the AD servers (e.g. you are
> > using a portable outside of the office) you can still happily logon using
> > cached credentials (as long as the user logged on the PC at least once before).
> > Is there a way to get the same behaviour on Linux? I want my Linux-laptop
> > users to be able to logon to their laptops even if they are not connected
> > to the network. I know I can add local accounts to /etc/passwd but that
> > kind of defeats the purpose of setting up an AD domain.
> >
> > Nico
> >
> >
> > --
> > Nico De Ranter
> >
> > Operations Engineer
>

--
Nico De Ranter

Operations Engineer

T. +32 16 40 12 82

M. +32 497 91 53 78

eSATURNUS
Romeinse straat 12
3001 Leuven – Belgium

T. +32 16 40 12 82
F. +32 16 40 84 77
www.esaturnus.com

From infractory at gmail.com Mon Dec 7 12:21:41 2015
From: infractory at gmail.com (mathias dufresne)
Date: Mon, 7 Dec 2015 13:21:41 +0100
Subject: [Samba] Replication issue
In-Reply-To:
References:
Message-ID:

Before digging into the whole stack of what composes an AD, I would try to
replace this second DC (the one you called SDC).

When joining a DC to a Samba AD domain, if this DC was already declared as a
DC, Samba first demotes that DC and then starts the whole process to join
that DC to the domain.
And that whole process includes re-creation of the AD database locally with
full synchronisation.

Not sure that solves your issue, but it could.

In fact I would first test using a third (virtual) machine to create a third
DC, just to check your AD is able to synchronize. Then, if it works, I would
re-join the broken DC.

Cheers,

mathias

2015-12-07 12:02 GMT+01:00 Dave B :

> Greetings,
>
> I inherited a Samba-based domain at my work with two domain controllers
> running Zentyal 3.4.8 with Samba version 4.1.6-Zentyal. I don't know if
> it's modified by the Zentyal team but they don't support this version
> anymore, that's why I'm writing to this list.
> The previous sysadmin told me that replication stopped working a while back,
> but only in one direction. PDC gets replicated to SDC successfully but SDC
> does not get replicated to PDC.
>
> If I run the samba-tool drs replicate PDC SDC DC=mydomain,DC=lan
> --full-sync command I get the following error:
> ERROR(): DsReplicaSync failed -
> drsException: DsReplicaSync failed (58, 'WERR_BAD_NET_RESP')
>
> Running the samba-tool drs showrepl command on SDC returned no error; running
> it on PDC returns this:
> DC=mydomain,DC=lan
>         Default-First-Site-Name\SDC via RPC
>                 DSA object GUID: 0a989f75-b8b8-4ae4-a6d3-b1a66fa1f895
>                 Last attempt @ Mon Dec 7 11:58:50 2015 CET failed, result
> 58 (WERR_BAD_NET_RESP)
>                 6922 consecutive failure(s).
>                 Last success @ Mon Dec 7 11:58:47 2015 CET
>
> I've found similar problems, but no solution so far, so any help would be
> appreciated!
>
> Thanks in advance,
> David
>

From infractory at gmail.com Mon Dec 7 12:24:01 2015
From: infractory at gmail.com (mathias dufresne)
Date: Mon, 7 Dec 2015 13:24:01 +0100
Subject: [Samba] Caching user accounts on a Linux portable
In-Reply-To:
References:
Message-ID:

In case of... SSSD comes also with a caching method.
Using SSSD rather than Winbind could help in certain cases...

2015-12-07 13:00 GMT+01:00 Nico De Ranter :

> Thanks! That's exactly what I was looking for.
>
> Nico
>
>
>
> On Mon, Dec 7, 2015 at 11:57 AM, L.P.H. van Belle wrote:
>
> > Hai Nico,
> >
> > Yes, you can do the same for Linux laptops.
> > Read: https://wiki.samba.org/index.php/PAM_Offline_Authentication
> >
> > And here is an example.
> >
> > https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nico De Ranter
> > > Sent: Monday 7 December 2015 11:39
> > > To: samba at lists.samba.org
> > > Subject: [Samba] Caching user accounts on a Linux portable
> > >
> > > I'm setting up a new Samba-based AD domain. The domain will be used to
> > > authenticate access to both Windows and Linux desktops and portables.
> > > When a Windows portable is not able to access the AD servers (e.g. you are
> > > using a portable outside of the office) you can still happily logon using
> > > cached credentials (as long as the user logged on the PC at least once before).
> > > Is there a way to get the same behaviour on Linux? I want my Linux-laptop
> > > users to be able to logon to their laptops even if they are not connected
> > > to the network. I know I can add local accounts to /etc/passwd but that
> > > kind of defeats the purpose of setting up an AD domain.
> > >
> > > Nico
> > >
> > >
> > > --
> > > Nico De Ranter
> > >
> > > Operations Engineer
> >
>
> --
> Nico De Ranter
>
> Operations Engineer
>
> T. +32 16 40 12 82
>
> M. +32 497 91 53 78
>
>
> eSATURNUS
> Romeinse straat 12
> 3001 Leuven – Belgium
>
> T. +32 16 40 12 82
> F.
> +32 16 40 84 77
> www.esaturnus.com
>

From infractory at gmail.com Mon Dec 7 12:36:54 2015
From: infractory at gmail.com (mathias dufresne)
Date: Mon, 7 Dec 2015 13:36:54 +0100
Subject: [Samba] Give users possibility to manage part of their AD account
Message-ID:

Hi all,

Is there a way to give users (all AD users for a start) the possibility to
manage some of their user attributes themselves (loginShell, for example)?

Thanks and regards,

mathias

From nico.deranter at esaturnus.com Mon Dec 7 12:42:51 2015
From: nico.deranter at esaturnus.com (Nico De Ranter)
Date: Mon, 7 Dec 2015 13:42:51 +0100
Subject: [Samba] Caching user accounts on a Linux portable
In-Reply-To:
References:
Message-ID:

I tried using sssd but I couldn't get it working based on the info on
https://wiki.samba.org/index.php/Sssd

I may give it another go anyway.

Nico

On Mon, Dec 7, 2015 at 1:24 PM, mathias dufresne wrote:

> In case of... SSSD comes also with a caching method. Using SSSD rather than
> Winbind could help in certain cases...
>
> 2015-12-07 13:00 GMT+01:00 Nico De Ranter :
>
> > Thanks! That's exactly what I was looking for.
> >
> > Nico
> >
> >
> >
> > On Mon, Dec 7, 2015 at 11:57 AM, L.P.H. van Belle wrote:
> >
> > > Hai Nico,
> > >
> > > Yes, you can do the same for Linux laptops.
> > > Read: https://wiki.samba.org/index.php/PAM_Offline_Authentication
> > >
> > > And here is an example.
> > >
> > > https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > > > -----Original message-----
> > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nico De Ranter
> > > > Sent: Monday 7 December 2015 11:39
> > > > To: samba at lists.samba.org
> > > > Subject: [Samba] Caching user accounts on a Linux portable
> > > >
> > > > I'm setting up a new Samba-based AD domain. The domain will be used to
> > > > authenticate access to both Windows and Linux desktops and portables.
> > > > When a Windows portable is not able to access the AD servers (e.g. you are
> > > > using a portable outside of the office) you can still happily logon using
> > > > cached credentials (as long as the user logged on the PC at least once before).
> > > > Is there a way to get the same behaviour on Linux? I want my Linux-laptop
> > > > users to be able to logon to their laptops even if they are not connected
> > > > to the network. I know I can add local accounts to /etc/passwd but that
> > > > kind of defeats the purpose of setting up an AD domain.
> > > >
> > > > Nico
> > > >
> > > >
> > > > --
> > > > Nico De Ranter
> > >
>

--
Nico De Ranter

Operations Engineer

T. +32 16 40 12 82

M. +32 497 91 53 78

eSATURNUS
Romeinse straat 12
3001 Leuven – Belgium

T. +32 16 40 12 82
F. +32 16 40 84 77
www.esaturnus.com

From nico.deranter at esaturnus.com Mon Dec 7 12:52:46 2015
From: nico.deranter at esaturnus.com (Nico De Ranter)
Date: Mon, 7 Dec 2015 13:52:46 +0100
Subject: [Samba] userid shows 4294967295
Message-ID:

Hello again,

I'm getting close to a working setup but still run into glitches here and
there.

I have 2 Ubuntu servers working as AD server, one Ubuntu desktop with
winbind configured. I've setup a number of accounts with Unix properties.
I've been primarily testing with my own account which works just fine. I've
now assigned Unix properties to another account. When I run 'wbinfo -i' on
the AD server I see the correct info:

root at dc1:~# wbinfo -i test
OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false

When I try the same thing on the client I get:

root at testpc2:~# wbinfo -i test
test:*:4294967295:4294967295::/home/test:/bin/bash

I also tried some other accounts and got the same result. The only account
that seems to work fine is my own account (and no, it is not in /etc/passwd
:-)

Any idea what might be wrong?

smb.conf on the client:

[global]
    security = ADS
    workgroup = OFFICE
    realm = WIN.OFFICE

    log file = /var/log/samba/%m.log
    log level = 1

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind refresh tickets = yes
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind offline logon = yes

    client signing = yes
    client use spnego = yes

    idmap config = ad
    winbind nss info = rfc2307

    # Default idmap config used for BUILTIN and local accounts/groups
    idmap backend = tdb
    idmap range = 100-499

    # idmap config for domain OFFICE
    idmap config OFFICE : backend = ad
    idmap config OFFICE : schema_mode = rfc2307
    idmap config OFFICE : range = 500-29999

It worked for the user with uid 1048, it doesn't work for uid 1059, 1000,
9999, 10000

--
Nico De Ranter

Operations Engineer

T. +32 16 40 12 82

M. +32 497 91 53 78

From carlos.hollow at gmail.com Mon Dec 7 12:56:13 2015
From: carlos.hollow at gmail.com (Carlos A. P. Cunha)
Date: Mon, 7 Dec 2015 10:56:13 -0200
Subject: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature
Message-ID: <566581ED.9040707@gmail.com>

HI!

My server, Samba 4 version 4.3.0, has been running since August; it is not a
problem, but I see these messages in the logs every minute. Any ideas?
Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.260707, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!
Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.280740, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!

Thanks!

From infractory at gmail.com Mon Dec 7 13:00:54 2015
From: infractory at gmail.com (mathias dufresne)
Date: Mon, 7 Dec 2015 14:00:54 +0100
Subject: [Samba] Caching user accounts on a Linux portable
In-Reply-To:
References:
Message-ID:

Samba can suit many configurations; the wiki shows only a few.

Perhaps you'll find information there; I just had a look at that page, not
read it carefully.
https://www.oostergo.net/node/87

Anyway there is:

    # Allow offline logins by locally storing password hashes (default: false).
    cache_credentials = true

to add to your SSSD domain section.

Cheers,

mathias

2015-12-07 13:42 GMT+01:00 Nico De Ranter :

>
> I tried using sssd but I couldn't get it working based on the info on
> https://wiki.samba.org/index.php/Sssd
>
> I may give it another go anyway.
>
> Nico
>
> On Mon, Dec 7, 2015 at 1:24 PM, mathias dufresne wrote:
>
>> In case of... SSSD comes also with a caching method. Using SSSD rather
>> than Winbind could help in certain cases...
>>
>> 2015-12-07 13:00 GMT+01:00 Nico De Ranter :
>>
>> > Thanks! That's exactly what I was looking for.
>> >
>> > Nico
>> >
>> >
>> >
>> > On Mon, Dec 7, 2015 at 11:57 AM, L.P.H. van Belle wrote:
>> >
>> > > Hai Nico,
>> > >
>> > > Yes, you can do the same for Linux laptops.
>> > > Read: https://wiki.samba.org/index.php/PAM_Offline_Authentication
>> > >
>> > > And here is an example.
>> > >
>> > > https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_howtos_add_linux_workstation_to_the_samba_domain
>> > >
>> > > Greetz,
>> > >
>> > > Louis
>> > >
>> > > > -----Original message-----
>> > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nico De Ranter
>> > > > Sent: Monday 7 December 2015 11:39
>> > > > To: samba at lists.samba.org
>> > > > Subject: [Samba] Caching user accounts on a Linux portable
>> > > >
>> > > > I'm setting up a new Samba-based AD domain. The domain will be used to
>> > > > authenticate access to both Windows and Linux desktops and portables.
>> > > > When a Windows portable is not able to access the AD servers (e.g. you are
>> > > > using a portable outside of the office) you can still happily logon using
>> > > > cached credentials (as long as the user logged on the PC at least once before).
>> > > > Is there a way to get the same behaviour on Linux? I want my Linux-laptop
>> > > > users to be able to logon to their laptops even if they are not connected
>> > > > to the network. I know I can add local accounts to /etc/passwd but that
>> > > > kind of defeats the purpose of setting up an AD domain.
>> > > >
>> > > > Nico
>> > > >
>> > > >
>> > > > --
>> > > > Nico De Ranter
>> > >
>>
> --
> Nico De Ranter
>
> Operations Engineer
>
> T. +32 16 40 12 82
>
> M. +32 497 91 53 78
>
>
> eSATURNUS
> Romeinse straat 12
> 3001 Leuven – Belgium
>
> T. +32 16 40 12 82
> F.
> +32 16 40 84 77
> www.esaturnus.com
>

From infractory at gmail.com Mon Dec 7 13:10:20 2015
From: infractory at gmail.com (mathias dufresne)
Date: Mon, 7 Dec 2015 14:10:20 +0100
Subject: [Samba] userid shows 4294967295
In-Reply-To:
References:
Message-ID:

I expect the difference comes from the fact you are using ID mapping because,
according to what I believe I understood, ID map generates UIDs (the map)
and gives these generated UIDs to users. So one system gives one UID to your
test users, another system gives them another UID.

You can configure uidNumber and gidNumber in AD to give your AD users
definitive UID/GID.
Adding that information to AD is not enough, as on a UNIX/Linux system you
use something to build users using information grabbed from AD. So you have
to use a tool which will use the GIDs and UIDs you defined in AD.

In my own opinion Winbind is meant to build UNIX system users for Samba file
sharing, as Winbind relies mostly on MS Windows stuff to build users. This
makes sense: Samba hosts files for Windows systems, ACLs must be consistent,
so on Samba file servers AD users should be built using MS information from
AD.

To use AD as a database to build UNIX/Linux system users you should have a
look at SSSD or nslcd; they are more flexible, more designed to build UNIX
users from AD.

Cheers,

mathias

2015-12-07 13:52 GMT+01:00 Nico De Ranter :

> Hello again,
>
> I'm getting close to a working setup but still run into glitches here and
> there.
>
> I have 2 Ubuntu servers working as AD server, one Ubuntu desktop with
> winbind configured. I've setup a number of accounts with Unix
> properties. I've been primarily testing with my own account which works
> just fine. I've now assigned Unix properties to another account.
> When I
> run 'wbinfo -i' on the AD server I see the correct info:
>
> root at dc1:~# wbinfo -i test
> OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false
>
> When I try the same thing on the client I get:
>
> root at testpc2:~# wbinfo -i test
> test:*:4294967295:4294967295::/home/test:/bin/bash
>
> I also tried some other accounts and got the same result. The only account
> that seems to work fine is my own account (and no, it is not in /etc/passwd
> :-)
>
> Any idea what might be wrong?
>
> smb.conf on the client:
>
> [global]
>     security = ADS
>     workgroup = OFFICE
>     realm = WIN.OFFICE
>
>     log file = /var/log/samba/%m.log
>     log level = 1
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>
>     winbind refresh tickets = yes
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind offline logon = yes
>
>     client signing = yes
>     client use spnego = yes
>
>     idmap config = ad
>     winbind nss info = rfc2307
>
>     # Default idmap config used for BUILTIN and local accounts/groups
>     idmap backend = tdb
>     idmap range = 100-499
>
>     # idmap config for domain OFFICE
>     idmap config OFFICE : backend = ad
>     idmap config OFFICE : schema_mode = rfc2307
>     idmap config OFFICE : range = 500-29999
>
> It worked for the user with uid 1048, it doesn't work for uid 1059, 1000,
> 9999, 10000
>
> --
> Nico De Ranter
>
> Operations Engineer
>
> T. +32 16 40 12 82
>
> M. +32 497 91 53 78
>

From infractory at gmail.com Mon Dec 7 13:17:24 2015
From: infractory at gmail.com (mathias dufresne)
Date: Mon, 7 Dec 2015 14:17:24 +0100
Subject: [Samba] DRS_The specified I/O operation on %hs was not completed before the time-out period expired.'
In-Reply-To:
References:
Message-ID:

Hi Luchko,

How many objects are in your MS AD database?

The question because I was not able to run successfully a "samba-tool drs
replicate ... domain" if my Samba AD database was filled with 40000+ objects.

Same issue with ldapcmp, but for ldapcmp there are two workarounds: comparing
the database piece by piece (searching all containers and comparing container
per container without recursion) or running ldapcmp using
tdb:///path/to/file.tdb rather than ldap://DCname.

2015-12-03 9:02 GMT+01:00 Luchko Dmitriy :

> Hi,
> When we try to replicate the domain tree from a Win DC to a Samba DC we have
> a timeout error:
>
> ERROR(): DsReplicaSync failed -
> drsException: DsReplicaSync failed (-1073741643, '{Device Timeout} The
> specified I/O operation on %hs was not completed before the time-out period
> expired.')
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 345,
> in run
>     drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,
> source_dsa_guid, NC, req_options)
>   File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 83,
> in sendDsReplicaSync
>     raise drsException("DsReplicaSync failed %s" % estr)
>
> Best regards,
> DMITRIY LUCHKO
>

From nico.deranter at esaturnus.com Mon Dec 7 14:18:47 2015
From: nico.deranter at esaturnus.com (Nico De Ranter)
Date: Mon, 7 Dec 2015 15:18:47 +0100
Subject: [Samba] userid shows 4294967295
In-Reply-To:
References:
Message-ID:

I am using rfc2307 unix properties in AD. So I would expect winbind to use the
uid and gid from rfc2307.

Hmm, I just noticed that 'wbinfo -i test' actually gives me different results
on my first AD, second AD and client. Only the first AD shows the result that
I'm actually expecting. Somehow the others are ignoring the rfc2307 info.
Nico

On Mon, Dec 7, 2015 at 2:10 PM, mathias dufresne wrote:

> I expect the difference comes from the fact you are using ID mapping
> because, according to what I believe I understood, ID map generates UIDs
> (the map) and gives these generated UIDs to users. So one system gives one
> UID to your test users, another system gives them another UID.
>
> You can configure uidNumber and gidNumber in AD to give your AD users
> definitive UID/GID.
> Adding that information to AD is not enough, as on a UNIX/Linux system you
> use something to build users using information grabbed from AD. So you have
> to use a tool which will use the GIDs and UIDs you defined in AD.
>
> In my own opinion Winbind is meant to build UNIX system users for Samba file
> sharing, as Winbind relies mostly on MS Windows stuff to build users. This
> makes sense: Samba hosts files for Windows systems, ACLs must be consistent,
> so on Samba file servers AD users should be built using MS information from
> AD.
>
> To use AD as a database to build UNIX/Linux system users you should have a
> look at SSSD or nslcd; they are more flexible, more designed to build UNIX
> users from AD.
>
> Cheers,
>
> mathias
>
> 2015-12-07 13:52 GMT+01:00 Nico De Ranter :
>
> > Hello again,
> >
> > I'm getting close to a working setup but still run into glitches here and
> > there.
> >
> > I have 2 Ubuntu servers working as AD server, one Ubuntu desktop with
> > winbind configured. I've setup a number of accounts with Unix
> > properties. I've been primarily testing with my own account which works
> > just fine. I've now assigned Unix properties to another account.
> > When I
> > run 'wbinfo -i' on the AD server I see the correct info:
> >
> > root at dc1:~# wbinfo -i test
> > OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false
> >
> > When I try the same thing on the client I get:
> >
> > root at testpc2:~# wbinfo -i test
> > test:*:4294967295:4294967295::/home/test:/bin/bash
> >
> > I also tried some other accounts and got the same result. The only account
> > that seems to work fine is my own account (and no, it is not in /etc/passwd
> > :-)
> >
> > Any idea what might be wrong?
> >
> > smb.conf on the client:
> >
> > [global]
> >     security = ADS
> >     workgroup = OFFICE
> >     realm = WIN.OFFICE
> >
> >     log file = /var/log/samba/%m.log
> >     log level = 1
> >
> >     dedicated keytab file = /etc/krb5.keytab
> >     kerberos method = secrets and keytab
> >
> >     winbind refresh tickets = yes
> >     winbind trusted domains only = no
> >     winbind use default domain = yes
> >     winbind enum users = yes
> >     winbind enum groups = yes
> >     winbind offline logon = yes
> >
> >     client signing = yes
> >     client use spnego = yes
> >
> >     idmap config = ad
> >     winbind nss info = rfc2307
> >
> >     # Default idmap config used for BUILTIN and local accounts/groups
> >     idmap backend = tdb
> >     idmap range = 100-499
> >
> >     # idmap config for domain OFFICE
> >     idmap config OFFICE : backend = ad
> >     idmap config OFFICE : schema_mode = rfc2307
> >     idmap config OFFICE : range = 500-29999
> >
> > It worked for the user with uid 1048, it doesn't work for uid 1059, 1000,
> > 9999, 10000
> >
>

--
Nico De Ranter

Operations Engineer

T. +32 16 40 12 82

M.
+32 497 91 53 78

From stefan at kania-online.de Mon Dec 7 15:06:45 2015
From: stefan at kania-online.de (Stefan Kania)
Date: Mon, 7 Dec 2015 16:06:45 +0100
Subject: [Samba] userid shows 4294967295
In-Reply-To:
References:
Message-ID: <5665A085.70305@kania-online.de>

There is one parameter in your smb.conf missing:

idmap config * : range = 1000000-1999999

Or any other range other than the range of your domain OFFICE.
Then you should do a "net cache flush" or, better, restart your samba daemon.

On 07.12.15 at 13:52, Nico De Ranter wrote:
> Hello again,
>
> I'm getting close to a working setup but still run into glitches
> here and there.
>
> I have 2 Ubuntu servers working as AD server, one Ubuntu desktop
> with winbind configured. I've setup a number of accounts with
> Unix properties. I've been primarily testing with my own account
> which works just fine. I've now assigned Unix properties to
> another account. When I run 'wbinfo -i' on the AD server I see the
> correct info:
>
> root at dc1:~# wbinfo -i test
> OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false
>
> When I try the same thing on the client I get:
>
> root at testpc2:~# wbinfo -i test
> test:*:4294967295:4294967295::/home/test:/bin/bash
>
> I also tried some other accounts and got the same result. The
> only account that seems to work fine is my own account (and no it
> is not in /etc/passwd :-)
>
> Any idea what might be wrong?
>
> smb.conf on the client:
>
> [global]
> security = ADS
> workgroup = OFFICE
> realm = WIN.OFFICE
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind refresh tickets = yes
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = yes
>
> client signing = yes
> client use spnego = yes
>
> idmap config = ad
> winbind nss info = rfc2307
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap backend = tdb
> idmap range = 100-499
>
> # idmap config for domain OFFICE
> idmap config OFFICE : backend = ad
> idmap config OFFICE : schema_mode = rfc2307
> idmap config OFFICE : range = 500-29999
>
> It worked for the user with uid 1048, it doesn't work for uid
> 1059, 1000, 9999, 10000
>

From rpenny at samba.org Mon Dec 7 15:27:52 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 07 Dec 2015 15:27:52 +0000
Subject: [Samba] userid shows 4294967295
In-Reply-To:
References:
Message-ID: <5665A578.2070103@samba.org>

On 07/12/15 12:52, Nico De Ranter wrote:
> Hello again,
>
> I'm getting close to a working setup but still run into glitches here and
> there.
>
> I have 2 Ubuntu servers working as AD server, one Ubuntu desktop with
> winbind configured. I've setup a number of accounts with Unix
> properties. I've been primarily testing with my own account which works
> just fine. I've now assigned Unix properties to another account. When I
> run 'wbinfo -i' on the AD server I see the correct info:
>
> root at dc1:~# wbinfo -i test
> OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false
>
> When I try the same thing on the client I get:
>
> root at testpc2:~# wbinfo -i test
> test:*:4294967295:4294967295::/home/test:/bin/bash
>
> I also tried some other accounts and got the same result. The only account
> that seems to work fine is my own account (and no it is not in /etc/passwd
> :-)
>
> Any idea what might be wrong?
>
> smb.conf on the client:
>
> [global]
> security = ADS
> workgroup = OFFICE
> realm = WIN.OFFICE
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind refresh tickets = yes
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = yes
>
> client signing = yes
> client use spnego = yes
>
> idmap config = ad
> winbind nss info = rfc2307
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap backend = tdb
> idmap range = 100-499
>
> # idmap config for domain OFFICE
> idmap config OFFICE : backend = ad
> idmap config OFFICE : schema_mode = rfc2307
> idmap config OFFICE : range = 500-29999

Your 'idmap config' block really should look like this:

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999

Also why are you using such strange ID numbers?
Rowland

> It worked for the user with uid 1048, it doesn't work for uid 1059, 1000,
> 9999, 10000
>

From jeff.sadowski at gmail.com Mon Dec 7 15:42:10 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Mon, 7 Dec 2015 08:42:10 -0700
Subject: [Samba] template shell RFC2307 loginShell
In-Reply-To: <5662AFC1.400@samba.org>
References: <56621B24.7080200@samba.org> <5662AFC1.400@samba.org>
Message-ID:

I finally got to test it and it works OK.
Something really strange is occurring though.

It works well as follows, except for groups, but I'll look at that later as
I see others have mentioned some issues with groups.
Here is my /etc/samba/smb.conf:

security = ads
realm = DOMAIN.LONG
workgroup = DOMAIN
idmap config * : backend = tdb
idmap config * : range = 900-999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 1000-99999
idmap config DOMAIN:schema_mode = rfc2307
winbind nss info = rfc2307
winbind use default domain = yes
# so that the users show up in getent
winbind enum users = Yes
# doesn't seem to do the same for groups :-/
winbind enum groups = Yes
restrict anonymous = 2

What is strange is when I use the ranges like so:

idmap config * : range = 1000-9999
idmap config DOMAIN:range = 10000-99999

only a small fraction of my users show up when I do a "getent passwd";
they all seem to show up when I do a "wbinfo -u",
and all my users' uids are over 10000.

When I set it back to

idmap config * : range = 900-999
idmap config DOMAIN:range = 1000-99999

I see all my users.

So going further I find that when I run "id" as myuser I didn't see all my
groups, but if I ran "id myuser" I did see all my users.
So I tried

idmap config * : range = 100000-1099999
idmap config DOMAIN:range = 0-99999

and now when I run "id" as myuser I see all my groups.

On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny wrote:
> On 05/12/15 02:47, Jeff Sadowski wrote:
>
>> Thank you Rowland for looking at it.
>> I did read the wiki here https://wiki.samba.org/index.php/Idmap_config_ad >> that is how I got as far as I did; that and the idmap_ad man page. I could >> not find how to use the loginShell is there a variable I can use for it in >> the template or an option to set to use it? loginShell and unixHomedir are >> not mentioned on the wiki that I could find. I'm good with the templated >> homedir but curious how to use the unixHomedir. It seems that the >> schema_mode = rfc2307 is the default as it works fine except for the >> default shells which I have the workaround for. I think I will move them >> out of their home directories and set them else ware, where users will need >> to ask to change the shell. I purposefully set rid as the default backend >> if one does not exist explicit for the domain as it worked better for me. >> What I did with the default backend should stop the login if the domain >> isn't explicitly defined. >> >> >> >> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny > rpenny at samba.org>> wrote: >> >> On 04/12/15 22:43, Jeff Sadowski wrote: >> >> We use power broker here at work and where wondering why we >> need it. >> >> I was able to setup a new linux server using samba and am able >> to login >> with my active directory accounts but I couldn't figure out >> how to set the >> login shells. >> I have a work around but would like feedback >> in my /etc/samba/smb.conf I have the following >> >> security = ads >> realm = DOMAIN.LONG >> workgroup = DOMAIN >> idmap config DOMAIN : backend = ad >> idmap config DOMAIN : range = 1000-999999999 >> #should not get here >> idmap config * : range = 999999998-999999999 >> idmap config * :backend =rid >> template homedir = /nfs/homes/%U >> template shell = /nfs/homes/%U/.default_shell >> winbind use default domain = yes >> restrict anonymous = 2 >> >> >> Have you considered reading the Samba wiki ? 
>> Your 'idmap config' block should look similar to this: >> >> # Default idmap config used for BUILTIN and local accounts/groups >> idmap config *:backend = tdb >> idmap config *:range = 2000-9999 >> >> # idmap config for domain SAMDOM >> idmap config DOMAIN:backend = ad >> idmap config DOMAIN:schema_mode = rfc2307 >> idmap config DOMAIN:range = 10000-99999 >> >> # Use template settings for login shell and home directory >> winbind nss info = template >> template shell = /nfs/homes/%U/.default_shell >> template homedir = /nfs/homes/%U >> >> Though as you seem to be using uidNumber & gidNumber attributes, >> you could also store the loginShell and unixHomedir in AD as well. >> >> Rowland >> >> >> allowing users to pick their shell using >> ln -s /bin/bash ~/.default_shell >> or >> ln -s /bin/tcsh ~/.default_shell >> ... >> >> It will be easy to create the .default shell for each user >> using a simple >> script I can run on a machine that has power broker but I am >> wondering what >> others have done to allow users to pick their shell using samba to >> authenticate? >> What are the downsides of doing it the way I did it? >> >> is there a way to use the loginShell provided by rfc2307 that >> I haven't >> found documented in samba? >> >> I'm using samba version 4.1.6 if that makes a difference. I >> could probably >> find a way to upgrade if there is support in newer versions. >> >> >> >> -- To unsubscribe from this list go to the following URL and read >> the >> instructions: https://lists.samba.org/mailman/options/samba >> >> >> > Samba AD as standard comes with the ability to add RFC2307 attributes to a > user or group (see here for more info: > https://www.ietf.org/rfc/rfc2307.txt) > What this means is, if you give a user a uidNumber and at least 'Domain > Users' a gidNumber, then the user will become visible on a Unix domain > member (aka Unix workstation). 
> If you study the list of attributes on the link above, you will find that > there are more attributes available, amongst them are loginShell and > homeDirectory. The first is where you can store the users login shell > (obviously), but there is a problem with the second, AD already has an > attribute with the same name to store the users windows home directory > path, so this became unixHomeDirectory and is where you can store the users > Unix home directory. > If you require more info on the RFC2307 attributes, please ask. > > Now, as for the 'idmap config' block and which to use, this is down to the > sysadmin (i.e. you) and is based on what you require. > There are several backends available, but only two are regularly used, the > 'ad' and 'rid' backends. Lets deal with the 'rid' backend first, this is > used if you don't want (or need) to add RFC2307 attributes to AD. Your > users & groups will be mapped to a number inside the range you set i.e. > idmap config SAMDOM:range = 10000-99999. It uses an algorithm to create the > IDs from the user/group RID and as long as you use the same 'idmap config' > block on every Unix machine, you will get the same Unix ID on every Unix > machine. The downside is that you cannot set individual homedirs & shells > for users and will have to use the template lines in smb.conf. > > The 'ad' backend is different, it uses the RFC2307 attributes for the > user/group IDs, this does of course mean that you have to add a uidNumber > attribute containing a unique number to any users that you need to be > visible to Unix *and* add a gidNumber to Domain Users at least. These > numbers must be inside the range you set in smb.conf, any numbers outside > the range will be ignored. > You can go further with the 'ad' backend, you can add the loginShell > attribute containing the users shell (/bin/bash for instance), you can also > add the unixHomeDirectory attribute containing the path to the users home > directory. 
To use these, you would also need to have the line 'winbind nss
> info = rfc2307' in smb.conf. If you don't want to add these further
> attributes, you can add 'winbind nss info = template' instead and also add
> the template lines.
>
> You need these lines in smb.conf:
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> These lines are where Samba will store the mappings for the builtin users
> & groups, without these, it is very unlikely Samba will work correctly.
>
> Again, any questions, please ask.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

From jeff.sadowski at gmail.com Mon Dec 7 15:59:40 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Mon, 7 Dec 2015 08:59:40 -0700
Subject: [Samba] template shell RFC2307 loginShell
In-Reply-To:
References: <56621B24.7080200@samba.org> <5662AFC1.400@samba.org>
Message-ID:

Bad testing for groups. Working with many systems, I found I must have been
testing on another system than what I was configuring.

idmap config * : range = 100000-1099999
idmap config DOMAIN:range = 0-99999

worked no differently for me from

idmap config * : range = 900-999
idmap config DOMAIN:range = 1000-99999

so I will set it back.
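Editorial example added to this archive page (not code from Samba or from anyone in the thread): a small Python checker that parses 'idmap config' lines like the ones quoted above, flags what Stefan and Rowland point out (no 'idmap config * : range', ranges that reach into the 0-999 system IDs), and predicts the ID winbind hands out, including the 4294967295 Nico saw when a user's uidNumber cannot be mapped. The idmap_rid formula is quoted from the idmap_rid(8) man page as I read it, and the sample RID 1105 is a constructed value.

```python
"""Check a winbind 'idmap config' block and predict the Unix ID a user gets.

Constructed example for this thread, not Samba code. It models the rules the
replies give: '*' needs its own backend and range (BUILTIN/local mappings);
an 'ad' domain returns the AD uidNumber only if it lies inside that domain's
range, otherwise the user stays unmapped and 'wbinfo -i' shows 4294967295;
a 'rid' domain computes ID = RID - base_rid + low_range (the formula as I
read it in idmap_rid(8)); and IDs below 1000 collide with Ubuntu/Debian
system accounts, as Rowland points out.
"""
import re

UNMAPPED = 4294967295       # (uint32)-1: winbind's answer when no mapping exists
SYSTEM_RESERVED_MAX = 999   # Debian/Ubuntu reserve 0-999 for local system accounts

# Only 'idmap config DOMAIN : key = value' lines count. The legacy 'idmap backend'
# and 'idmap range' lines in Nico's config are deliberately ignored: the thread's
# advice is that the default must be configured through 'idmap config * : ...'.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(smb_conf: str) -> dict:
    """Return {DOMAIN: {'backend': ..., 'range': (low, high), ...}}."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[key] = val
    for d in cfg.values():
        if "range" in d:
            low, high = (int(x) for x in d["range"].split("-"))
            d["range"] = (low, high)
    return cfg


def check(cfg: dict) -> list:
    """List configuration problems in the spirit of the advice in this thread."""
    problems = []
    if "range" not in cfg.get("*", {}):
        problems.append("missing 'idmap config * : range' for BUILTIN/local mappings")
    ranges = {dom: d["range"] for dom, d in cfg.items() if "range" in d}
    for dom, (low, high) in ranges.items():
        if "backend" not in cfg[dom]:
            problems.append(f"{dom}: range set but no backend")
        if low <= SYSTEM_RESERVED_MAX:
            problems.append(f"{dom}: range {low}-{high} overlaps system IDs 0-{SYSTEM_RESERVED_MAX}")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def map_user(cfg: dict, domain: str, rid: int, uid_number=None) -> int:
    """Predict winbind's Unix ID for one AD user given its RID and its
    RFC2307 uidNumber attribute (None when the user has none)."""
    d = cfg.get(domain.upper())
    if d is None or "range" not in d:
        return UNMAPPED                     # unknown domain or no range
    low, high = d["range"]
    backend = d.get("backend", "").lower()
    if backend == "ad":
        if uid_number is None or not low <= uid_number <= high:
            return UNMAPPED                 # missing or out-of-range attribute is ignored
        return uid_number
    if backend == "rid":
        uid = rid - int(d.get("base_rid", 0)) + low
        return uid if low <= uid <= high else UNMAPPED
    raise NotImplementedError(f"{backend!r} allocates IDs on demand; not simulated")


# Nico's client configuration from the thread, reduced to its idmap lines.
NICO_CONF = """\
idmap config = ad
winbind nss info = rfc2307
idmap backend = tdb
idmap range = 100-499
idmap config OFFICE : backend = ad
idmap config OFFICE : schema_mode = rfc2307
idmap config OFFICE : range = 500-29999
"""

# The block Rowland recommends (SAMDOM is the wiki's placeholder domain name).
WIKI_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
"""

if __name__ == "__main__":
    print("Nico:", check(parse_idmap(NICO_CONF)))
    print("wiki:", check(parse_idmap(WIKI_CONF)))
    # the 'test' user from the thread: uidNumber 10000, RID 1105 (constructed)
    print(map_user(parse_idmap(WIKI_CONF), "SAMDOM", rid=1105, uid_number=10000))
```

After changing the ranges, Stefan's advice in this thread still applies: run 'net cache flush' or restart the daemon before checking again with 'wbinfo -i'.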
On Mon, Dec 7, 2015 at 8:42 AM, Jeff Sadowski wrote: > I finally got to test it and it works OK > something really strange is occurring though > > It works good as follows except for groups but I'll look at that latter as > I see others have mentioned some issues with groups > here is my /etc/samba/smb.conf > > security = ads > realm = DOMAIN.LONG > workgroup = DOMAIN > idmap config * : backend = tdb > idmap config * : range = 900-999 > idmap config DOMAIN:backend = ad > idmap config DOMAIN:range = 1000-99999 > idmap config DOMAIN:schema_mode = rfc2307 winbind nss info = rfc2307 > winbind use default domain = yes > # so that the users show up in getent > winbind enum users = Yes > # doesn't seem to do the same for groups :-/ > winbind enum groups = Yes > restrict anonymous = 2 > > What is strange is when I use the ranges like so > > idmap config * : range = 1000-9999 > idmap config DOMAIN:range = 10000-99999 > > only a small fraction of my users show up when I do a "getent passwd" > they all seem to show up when I do a "wbinfo -u" > and all my users uids are over 10000 > > when I set it back to > > idmap config * : range = 900-999 > idmap config DOMAIN:range = 1000-99999 > > I see all my users > > > So going further I find that when I run "id" as myuser I didn't see all my > groups but if I ran "id myuser" I did see all my users > So I tried > > idmap config * : range = 100000-1099999 > idmap config DOMAIN:range = 0-99999 > > and now when I run "id" as myuser I see all my group > > > On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny wrote: > >> On 05/12/15 02:47, Jeff Sadowski wrote: >> >>> Thank you Rowland for looking at it. >>> I did read the wiki here >>> https://wiki.samba.org/index.php/Idmap_config_ad that is how I got as >>> far as I did; that and the idmap_ad man page. I could not find how to use >>> the loginShell is there a variable I can use for it in the template or an >>> option to set to use it? 
loginShell and unixHomedir are not mentioned on >>> the wiki that I could find. I'm good with the templated homedir but curious >>> how to use the unixHomedir. It seems that the schema_mode = rfc2307 is the >>> default as it works fine except for the default shells which I have the >>> workaround for. I think I will move them out of their home directories and >>> set them else ware, where users will need to ask to change the shell. I >>> purposefully set rid as the default backend if one does not exist explicit >>> for the domain as it worked better for me. What I did with the default >>> backend should stop the login if the domain isn't explicitly defined. >>> >>> >>> >>> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny >> rpenny at samba.org>> wrote: >>> >>> On 04/12/15 22:43, Jeff Sadowski wrote: >>> >>> We use power broker here at work and where wondering why we >>> need it. >>> >>> I was able to setup a new linux server using samba and am able >>> to login >>> with my active directory accounts but I couldn't figure out >>> how to set the >>> login shells. >>> I have a work around but would like feedback >>> in my /etc/samba/smb.conf I have the following >>> >>> security = ads >>> realm = DOMAIN.LONG >>> workgroup = DOMAIN >>> idmap config DOMAIN : backend = ad >>> idmap config DOMAIN : range = 1000-999999999 >>> #should not get here >>> idmap config * : range = 999999998-999999999 >>> idmap config * :backend =rid >>> template homedir = /nfs/homes/%U >>> template shell = /nfs/homes/%U/.default_shell >>> winbind use default domain = yes >>> restrict anonymous = 2 >>> >>> >>> Have you considered reading the Samba wiki ? 
>>> Your 'idmap config' block should look similar to this: >>> >>> # Default idmap config used for BUILTIN and local >>> accounts/groups >>> idmap config *:backend = tdb >>> idmap config *:range = 2000-9999 >>> >>> # idmap config for domain SAMDOM >>> idmap config DOMAIN:backend = ad >>> idmap config DOMAIN:schema_mode = rfc2307 >>> idmap config DOMAIN:range = 10000-99999 >>> >>> # Use template settings for login shell and home directory >>> winbind nss info = template >>> template shell = /nfs/homes/%U/.default_shell >>> template homedir = /nfs/homes/%U >>> >>> Though as you seem to be using uidNumber & gidNumber attributes, >>> you could also store the loginShell and unixHomedir in AD as well. >>> >>> Rowland >>> >>> >>> allowing users to pick their shell using >>> ln -s /bin/bash ~/.default_shell >>> or >>> ln -s /bin/tcsh ~/.default_shell >>> ... >>> >>> It will be easy to create the .default shell for each user >>> using a simple >>> script I can run on a machine that has power broker but I am >>> wondering what >>> others have done to allow users to pick their shell using samba >>> to >>> authenticate? >>> What are the downsides of doing it the way I did it? >>> >>> is there a way to use the loginShell provided by rfc2307 that >>> I haven't >>> found documented in samba? >>> >>> I'm using samba version 4.1.6 if that makes a difference. I >>> could probably >>> find a way to upgrade if there is support in newer versions. >>> >>> >>> >>> -- To unsubscribe from this list go to the following URL and >>> read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >>> >> Samba AD as standard comes with the ability to add RFC2307 attributes to >> a user or group (see here for more info: >> https://www.ietf.org/rfc/rfc2307.txt) >> What this means is, if you give a user a uidNumber and at least 'Domain >> Users' a gidNumber, then the user will become visible on a Unix domain >> member (aka Unix workstation). 
>> If you study the list of attributes on the link above, you will find that >> there are more attributes available, amongst them are loginShell and >> homeDirectory. The first is where you can store the users login shell >> (obviously), but there is a problem with the second, AD already has an >> attribute with the same name to store the users windows home directory >> path, so this became unixHomeDirectory and is where you can store the users >> Unix home directory. >> If you require more info on the RFC2307 attributes, please ask. >> >> Now, as for the 'idmap config' block and which to use, this is down to >> the sysadmin (i.e. you) and is based on what you require. >> There are several backends available, but only two are regularly used, >> the 'ad' and 'rid' backends. Lets deal with the 'rid' backend first, this >> is used if you don't want (or need) to add RFC2307 attributes to AD. Your >> users & groups will be mapped to a number inside the range you set i.e. >> idmap config SAMDOM:range = 10000-99999. It uses an algorithm to create the >> IDs from the user/group RID and as long as you use the same 'idmap config' >> block on every Unix machine, you will get the same Unix ID on every Unix >> machine. The downside is that you cannot set individual homedirs & shells >> for users and will have to use the template lines in smb.conf. >> >> The 'ad' backend is different, it uses the RFC2307 attributes for the >> user/group IDs, this does of course mean that you have to add a uidNumber >> attribute containing a unique number to any users that you need to be >> visible to Unix *and* add a gidNumber to Domain Users at least. These >> numbers must be inside the range you set in smb.conf, any numbers outside >> the range will be ignored. 
>> You can go further with the 'ad' backend, you can add the loginShell
>> attribute containing the user's shell (/bin/bash for instance), you can also
>> add the unixHomeDirectory attribute containing the path to the user's home
>> directory. To use these, you would also need to have the line 'winbind nss
>> info = rfc2307' in smb.conf. If you don't want to add these further
>> attributes, you can add 'winbind nss info = template' instead and also add
>> the template lines.
>>
>> You need these lines in smb.conf:
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> These lines are where Samba will store the mappings for the builtin users
>> & groups, without these, it is very unlikely Samba will work correctly.
>>
>> Again, any questions, please ask.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
>

From nico.deranter at esaturnus.com Mon Dec 7 16:08:45 2015
From: nico.deranter at esaturnus.com (Nico De Ranter)
Date: Mon, 7 Dec 2015 17:08:45 +0100
Subject: [Samba] userid shows 4294967295
In-Reply-To: <5665A578.2070103@samba.org>
References: <5665A578.2070103@samba.org>
Message-ID:

I'm coming from a Debian system, so my system accounts are below 1000 and
regular accounts start at 1000. For some historical reason somebody gave our
main group id 500, so therefore I want my usable range to start at 500.

Do I need both idmap config *:range and idmap config SAMDOM:range? I also
tried with only 'idmap config *:range' but that didn't seem to help. I'll try
again tomorrow.

I also noticed that my second AD didn't have rfc2307 enabled so that may also
have introduced some issues.

@Stefan Kania, thanks for the 'net cache flush', I didn't know that.
Nico On Mon, Dec 7, 2015 at 4:27 PM, Rowland penny wrote: > On 07/12/15 12:52, Nico De Ranter wrote: > >> Hello again, >> >> I'm getting close to a working setup but still run into glitches here and >> there. >> >> I have 2 Ubuntu servers working as AD server, one Ubuntu desktop with >> winbind configured. I've setup a number of accounts with Unix >> properties. I've been primarily testing with my own account which works >> just fine. I've now assigned Unix properties to another account. When I >> run 'wbinfo -i' on the AD server I see the correct info: >> >> root at dc1:~# wbinfo -i test >> OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false >> >> When I try the same thing on the client I get: >> >> root at testpc2:~# wbinfo -i test >> test:*:4294967295:4294967295::/home/test:/bin/bash >> >> I also tried some other accounts and got the same result. The only >> account >> that seems to work fine is my own account (and no it is not in /etc/passwd >> :-) >> >> Any idea what might be wrong? 
>> >> smb.conf on the client: >> >> [global] >> security = ADS >> workgroup = OFFICE >> realm = WIN.OFFICE >> >> log file = /var/log/samba/%m.log >> log level = 1 >> >> dedicated keytab file = /etc/krb5.keytab >> kerberos method = secrets and keytab >> >> winbind refresh tickets = yes >> winbind trusted domains only = no >> winbind use default domain = yes >> winbind enum users = yes >> winbind enum groups = yes >> winbind offline logon = yes >> >> client signing = yes >> client use spnego = yes >> >> idmap config = ad >> winbind nss info = rfc2307 >> >> # Default idmap config used for BUILTIN and local accounts/groups >> idmap backend = tdb >> idmap range = 100-499 >> >> # idmap config for domain OFFICE >> idmap config OFFICE : backend = ad >> idmap config OFFICE : schema_mode = rfc2307 >> idmap config OFFICE : range = 500-29999 >> > > Your 'idmap config' block really should look like this: > > idmap config *:backend = tdb > idmap config *:range = 2000-9999 > idmap config SAMDOM:backend = ad > idmap config SAMDOM:schema_mode = rfc2307 > idmap config SAMDOM:range = 10000-99999 > > Also why are you using such strange ID numbers? > > Rowland > > It worked for the user with uid 1048, it doesn't work for uid 1059, 1000, >> 9999, 10000 >> >> > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > -- Nico De Ranter Operations Engineer T. +32 16 40 12 82 M. 
+32 497 91 53 78

From rpenny at samba.org Mon Dec 7 16:20:42 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 07 Dec 2015 16:20:42 +0000
Subject: [Samba] template shell RFC2307 loginShell
In-Reply-To:
References: <56621B24.7080200@samba.org> <5662AFC1.400@samba.org>
Message-ID: <5665B1DA.7000706@samba.org>

On 07/12/15 15:42, Jeff Sadowski wrote:
> I finally got to test it and it works OK
> something really strange is occurring though
>
> It works good as follows except for groups but I'll look at that
> later as I see others have mentioned some issues with groups
> here is my /etc/samba/smb.conf
>
> security = ads
> realm = DOMAIN.LONG
> workgroup = DOMAIN
> idmap config * : backend = tdb
> idmap config * : range = 900-999
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:range = 1000-99999
> idmap config DOMAIN:schema_mode = rfc2307
> winbind nss info = rfc2307
> winbind use default domain = yes
> # so that the users show up in getent
> winbind enum users = Yes
> # doesn't seem to do the same for groups :-/
> winbind enum groups = Yes
> restrict anonymous = 2
>
> What is strange is when I use the ranges like so
>
> idmap config * : range = 1000-9999
> idmap config DOMAIN:range = 10000-99999
>
> only a small fraction of my users show up when I do a "getent passwd"
> they all seem to show up when I do a "wbinfo -u"
> and all my users uids are over 10000
>
> when I set it back to
>
> idmap config * : range = 900-999
> idmap config DOMAIN:range = 1000-99999
>
> I see all my users
>
>
> So going further I find that when I run "id" as myuser I didn't see
> all my groups but if I ran "id myuser" I did see all my users
> So I tried
>
> idmap config * : range = 100000-1099999
> idmap config DOMAIN:range = 0-99999
>
> and now when I run "id" as myuser I see all my groups

You posted that you were using Samba version 4.1.6, this usually means
Ubuntu, in which case: 0-999 is reserved for the system users & groups
(root etc), 1000 upwards is where you should be putting your local Unix
users & groups. This means that you shouldn't really use any number under
'1000' for AD users & groups and you should also leave a small space for
local users & groups, hence the advice on the wiki is to use '2000-9999'
for your builtin AD users & groups and to use '10000' upwards for your AD
users & groups.

This means if you give 'Domain Users' the gidNumber of '10000' and then
give your users uidNumbers starting from '10000' and use the 'idmap config'
block from the wiki, you will be able to see all your users & groups via
getent. Note that 'getent group' will not show anything, but 'getent group
Domain\ Users' will. You can start both your user & group IDs from '10000',
there is no reason to use different ranges.

Using wbinfo to show users works differently to getent: using 'wbinfo -u'
to show your users ensures that winbind can connect to AD; you need to use
getent to make sure that your OS can connect to AD. If getent doesn't show
your user or group, then the OS will not know about it.

Rowland

>
>
> On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny
> wrote:
>
> On 05/12/15 02:47, Jeff Sadowski wrote:
>
> Thank you Rowland for looking at it.
> I did read the wiki here
> https://wiki.samba.org/index.php/Idmap_config_ad that is how I
> got as far as I did; that and the idmap_ad man page. I could
> not find how to use the loginShell is there a variable I can
> use for it in the template or an option to set to use it?
> loginShell and unixHomedir are not mentioned on the wiki that
> I could find. I'm good with the templated homedir but curious
> how to use the unixHomedir. It seems that the schema_mode =
> rfc2307 is the default as it works fine except for the default
> shells which I have the workaround for. I think I will move
> them out of their home directories and set them elsewhere,
> where users will need to ask to change the shell.
> I purposefully set rid as the default backend if one does not exist
> explicitly for the domain as it worked better for me. What I did with the
> default backend should stop the login if the domain isn't explicitly
> defined.
>
> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny wrote:
>
> On 04/12/15 22:43, Jeff Sadowski wrote:
>
> We use power broker here at work and were wondering why we need it.
>
> I was able to setup a new linux server using samba and am able to login
> with my active directory accounts but I couldn't figure out how to set
> the login shells.
> I have a work around but would like feedback
> in my /etc/samba/smb.conf I have the following
>
> security = ads
> realm = DOMAIN.LONG
> workgroup = DOMAIN
> idmap config DOMAIN : backend = ad
> idmap config DOMAIN : range = 1000-999999999
> #should not get here
> idmap config * : range = 999999998-999999999
> idmap config * :backend =rid
> template homedir = /nfs/homes/%U
> template shell = /nfs/homes/%U/.default_shell
> winbind use default domain = yes
> restrict anonymous = 2
>
>
> Have you considered reading the Samba wiki ?
> Your 'idmap config' block should look similar to this:
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> # idmap config for domain SAMDOM
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 10000-99999
>
> # Use template settings for login shell and home directory
> winbind nss info = template
> template shell = /nfs/homes/%U/.default_shell
> template homedir = /nfs/homes/%U
>
> Though as you seem to be using uidNumber & gidNumber attributes, you
> could also store the loginShell and unixHomedir in AD as well.
>
> Rowland
>
>
> allowing users to pick their shell using
> ln -s /bin/bash ~/.default_shell
> or
> ln -s /bin/tcsh ~/.default_shell
> ...
>
> It will be easy to create the .default shell for each user using a simple
> script I can run on a machine that has power broker but I am wondering
> what others have done to allow users to pick their shell using samba to
> authenticate?
> What are the downsides of doing it the way I did it?
>
> is there a way to use the loginShell provided by rfc2307 that I haven't
> found documented in samba?
>
> I'm using samba version 4.1.6 if that makes a difference. I could
> probably find a way to upgrade if there is support in newer versions.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
> Samba AD as standard comes with the ability to add RFC2307 attributes to
> a user or group (see here for more info: https://www.ietf.org/rfc/rfc2307.txt)
> What this means is, if you give a user a uidNumber and at least 'Domain
> Users' a gidNumber, then the user will become visible on a Unix domain
> member (aka Unix workstation).
> If you study the list of attributes on the link above, you will find that
> there are more attributes available, amongst them are loginShell and
> homeDirectory. The first is where you can store the users login shell
> (obviously), but there is a problem with the second, AD already has an
> attribute with the same name to store the users windows home directory
> path, so this became unixHomeDirectory and is where you can store the
> users Unix home directory.
> If you require more info on the RFC2307 attributes, please ask.
>
> Now, as for the 'idmap config' block and which to use, this is down to
> the sysadmin (i.e. you) and is based on what you require. There are
> several backends available, but only two are regularly used, the 'ad'
> and 'rid' backends. Let's deal with the 'rid' backend first, this is used
> if you don't want (or need) to add RFC2307 attributes to AD. Your users &
> groups will be mapped to a number inside the range you set i.e. idmap
> config SAMDOM:range = 10000-99999. It uses an algorithm to create the IDs
> from the user/group RID and as long as you use the same 'idmap config'
> block on every Unix machine, you will get the same Unix ID on every Unix
> machine. The downside is that you cannot set individual homedirs & shells
> for users and will have to use the template lines in smb.conf.
>
> The 'ad' backend is different, it uses the RFC2307 attributes for the
> user/group IDs, this does of course mean that you have to add a uidNumber
> attribute containing a unique number to any users that you need to be
> visible to Unix *and* add a gidNumber to Domain Users at least. These
> numbers must be inside the range you set in smb.conf, any numbers outside
> the range will be ignored.
> You can go further with the 'ad' backend, you can add the loginShell
> attribute containing the users shell (/bin/bash for instance), you can
> also add the unixHomeDirectory attribute containing the path to the users
> home directory. To use these, you would also need to have the line
> 'winbind nss info = rfc2307' in smb.conf. If you don't want to add these
> further attributes, you can add 'winbind nss info = template' instead and
> also add the template lines.
>
> You need these lines in smb.conf:
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> These lines are where Samba will store the mappings for the builtin users
> & groups, without these, it is very unlikely Samba will work correctly.
>
> Again, any questions, please ask.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

From rpenny at samba.org Mon Dec 7 16:27:50 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 07 Dec 2015 16:27:50 +0000
Subject: [Samba] userid shows 4294967295
In-Reply-To:
References: <5665A578.2070103@samba.org>
Message-ID: <5665B386.4000506@samba.org>

On 07/12/15 16:08, Nico De Ranter wrote:
>
> I'm coming from a Debian system so my system accounts are below 1000,
> regular accounts start at 1000. For some historical reason somebody gave
> our main group id 500 so therefore I want my usable range to start at 500.

Bad idea, you will probably need at least one local Unix user, where are
you going to put it. My advice would be to follow the Samba wiki and use
the numbers you will find there.

>
> Do I need both idmap config *:range and idmap config SAMDOM:range? I also
> tried with only 'idmap config *:range' but that didn't seem to help. I'll
> try again tomorrow.

Yes you do, the first is for the builtin user & group mappings and the
second is for your AD users & groups.

>
> I also noticed that my second AD didn't have rfc2307 enabled so that may
> also have introduced some issues.

Not really, all the info should be in AD, you probably just need to add
'idmap_ldb:use rfc2307 = yes' to smb.conf on the second DC.

Rowland

>
> @Stefan Kania, thanks for the 'net cache flush', I didn't know that.
>
> Nico
>
>
> On Mon, Dec 7, 2015 at 4:27 PM, Rowland penny wrote:
>
> On 07/12/15 12:52, Nico De Ranter wrote:
>
> Hello again,
>
> I'm getting close to a working setup but still run into glitches here and
> there.
>
> I have 2 Ubuntu servers working as AD server, one Ubuntu desktop with
> winbind configured. I've setup a number of accounts with Unix properties.
> I've been primarily testing with my own account which works just fine.
> I've now assigned Unix properties to another account. When I run
> 'wbinfo -i' on the AD server I see the correct info:
>
> root at dc1:~# wbinfo -i test
> OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false
>
> When I try the same thing on the client I get:
>
> root at testpc2:~# wbinfo -i test
> test:*:4294967295:4294967295::/home/test:/bin/bash
>
> I also tried some other accounts and got the same result. The only account
> that seems to work fine is my own account (and no it is not in /etc/passwd
> :-)
>
> Any idea what might be wrong?
>
> smb.conf on the client:
>
> [global]
> security = ADS
> workgroup = OFFICE
> realm = WIN.OFFICE
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind refresh tickets = yes
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind offline logon = yes
>
> client signing = yes
> client use spnego = yes
>
> idmap config = ad
> winbind nss info = rfc2307
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap backend = tdb
> idmap range = 100-499
>
> # idmap config for domain OFFICE
> idmap config OFFICE : backend = ad
> idmap config OFFICE : schema_mode = rfc2307
> idmap config OFFICE : range = 500-29999
>
>
> Your 'idmap config' block really should look like this:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
>
> Also why are you using such strange ID numbers?
>
> Rowland
>
> It worked for the user with uid 1048, it doesn't work for uid 1059, 1000,
> 9999, 10000
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
> --
> Nico De Ranter
>
> Operations Engineer
>
> T. +32 16 40 12 82
>
> M. +32 497 91 53 78
>

From ole.traupe at tu-berlin.de Mon Dec 7 16:51:10 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Mon, 7 Dec 2015 17:51:10 +0100
Subject: [Samba] Permission Denied
In-Reply-To: <5655A8AC.1010202@gmail.com>
References: <5655A8AC.1010202@gmail.com>
Message-ID: <5665B8FE.9050503@tu-berlin.de>

>> drwxrwxr-x 2 root domain admins
>> does not work on a member server without the user mapping or a bit
>> different rights.
>> So set Administrator:"domain admins" on this folder OR use the user
>> mapping.
>
> This would mean that you would have to give Administrator a uidNumber,
> breaking the link between 'root' and 'Administrator'. Not saying this is
> a bad idea, just that you should be aware of it.
>
> Rowland

Just reading this accidentally and finding out that "id Administrator"
gives "id: Administrator: No such user" on all my machines, including DCs,
and member servers where I explicitly mapped Administrator to root.
Looking into ADUC, it turns out that Administrator has a uid: "0". Does
that mean that I did this at some point (can't remember it). Any bad
consequences, if I take NIS settings back for Administrator?

Ole

From rpenny at samba.org Mon Dec 7 17:12:05 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 07 Dec 2015 17:12:05 +0000
Subject: [Samba] Permission Denied
In-Reply-To: <5665B8FE.9050503@tu-berlin.de>
References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de>
Message-ID: <5665BDE5.1010702@samba.org>

On 07/12/15 16:51, Ole Traupe wrote:
>
>>> drwxrwxr-x 2 root domain admins
>>> does not work on a member server without the user mapping or a bit
>>> different rights.
>>> So set Administrator:"domain admins" on this folder OR use the user
>>> mapping.
>>
>> This would mean that you would have to give Administrator a uidNumber,
>> breaking the link between 'root' and 'Administrator'. Not saying this
>> is a bad idea, just that you should be aware of it.
>>
>> Rowland
>
> Just reading this accidentally and finding out that "id Administrator"
> gives "id: Administrator: No such user" on all my machines, including
> DCs, and member servers where I explicitly mapped Administrator to root.
> Looking into ADUC, it turns out that Administrator has a uid: "0". Does
> that mean that I did this at some point (can't remember it). Any bad
> consequences, if I take NIS settings back for Administrator?
>
> Ole
>

There are two ways of mapping Administrator:

A) use a 'username map' line in smb.conf on a domain member, this will
point to a file similar to this:

!root = SAMDOM\Administrator SAMDOM\administrator

This will map the windows 'Administrator' to the Unix user 'root' and you
will be able to alter ACLs on Samba Unix shares from windows.

B) Give Administrator a uidNumber, this would then make Administrator a
normal Unix user, so you would have to ensure that s/he had the required
permissions to change ACLs on a Samba Unix share from windows.

You pays your money and make your own choice which to use.

You can, at any time, remove anything that you have done to Administrator
and go back to Standard.

Rowland

From jonathan at springventuregroup.com Mon Dec 7 18:04:27 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Mon, 7 Dec 2015 12:04:27 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To: <56615E06.2030805@samba.org>
References: <566158BC.4020405@samba.org> <56615B07.4030204@tao.at> <56615E06.2030805@samba.org>
Message-ID:

Hey Rowland, be kind and avoid passive aggressive comments. I'm just
looking to try and get this to work, thanks. If I knew everything already,
I wouldn't be here asking questions and trying to solve my own problem. I
appreciate your help so far, but if you don't have anything nice to say,
please just ignore this thread.
So:

jonathan.fisher at freeradius:~$ sudo hostname -y
hostname: Local domain name not set
jonathan.fisher at freeradius:~$ sudo hostname -d
windows.corp.springventuregroup.com
jonathan.fisher at freeradius:~$ sudo hostname -f
freeradius.windows.corp.springventuregroup.com

Unfortunately, since this box is an LXC container, I can't run the sysctl
command:

jonathan.fisher at freeradius:~$ sysctl -w kernel.domainname="windows.corp.XXX.com"
sysctl: permission denied on key 'kernel.domainname'

We're good here:

jonathan.fisher at freeradius:~$ cat /etc/hostname
freeradiusjonathan.fisher at freeradius:~$

So I added
dns proxy = true

No dice, same output as before.

Made this change:

jonathan.fisher at freeradius:~$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
domain windows.corp.springventuregroup.com
search windows.corp.pringventuregroupcom
nameserver 192.168.127.131
nameserver 192.168.112.4

Also the same output, but this message popped up after restarting samba:

jonathan.fisher at freeradius:~$ sudo service sernet-samba-winbindd restart && sudo service sernet-samba-nmbd restart && sudo service sernet-samba-smbd restart
sudo: unable to resolve host freeradius
Shutting down SAMBA winbindd : *
Starting SAMBA winbindd : *
sudo: unable to resolve host freeradius
Shutting down SAMBA nmbd : *
Starting SAMBA nmbd : *
sudo: unable to resolve host freeradius
Shutting down SAMBA smbd : *
Starting SAMBA smbd : *

No idea if that's relevant...

So I undid the resolv.conf change, and here's the output of testparm:

jonathan.fisher at freeradius:~$ testparm -v | grep net
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

netbios name = FREERADIUS
netbios aliases =
netbios scope =
disable netbios = No
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver

Sigh... thanks. I appreciate your patience and your help.

On Fri, Dec 4, 2015 at 3:33 AM, Rowland penny wrote:

> On 04/12/15 09:21, Sven Schwedas wrote:
>
>> On 2015-12-04 10:11, Rowland penny wrote:
>>
>>> I still think it is his weird dns setup, where he has a dnsmasq server
>>> replicating what the DCs know (or is supposed to). I think the sheer
>>> fact that he didn't know what lmhosts is, says a lot.
>>>
>> We're using such a setup in production without any problems. How about
>> less wild blind guessing and user shaming, and more actual help?
>>
>>
> Sven, you may be using a similar system, but it isn't recommended. The OP
> is having problems getting a Samba domain member working, I have tried to
> point him in the direction of a known working set up, once he has this
> working, what he does with it, is up to him. He may be able to use the
> dnsmasq server, I don't know, but if he has a working system and it stops
> working when he adds in the dnsmasq server, he will know where to look,
> won't he!
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
Email Confidentiality Notice: The information contained in this
transmission is confidential, proprietary or privileged and may be subject
to protection under the law, including the Health Insurance Portability and
Accountability Act (HIPAA). The message is intended for the sole use of the
individual or entity to whom it is addressed. If you are not the intended
recipient, you are notified that any use, distribution or copying of the
message is strictly prohibited and may subject you to criminal or civil
penalties. If you received this transmission in error, please contact the
sender immediately by replying to this email and delete the material from
any computer.

From rpenny at samba.org Mon Dec 7 18:23:42 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 07 Dec 2015 18:23:42 +0000
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <566158BC.4020405@samba.org> <56615B07.4030204@tao.at> <56615E06.2030805@samba.org>
Message-ID: <5665CEAE.1010606@samba.org>

On 07/12/15 18:04, Jonathan S. Fisher wrote:
> Hey Rowland, be kind and avoid passive aggressive comments. I'm just
> looking to try and get this to work, thanks. If I knew everything
> already, I wouldn't be here asking questions and trying to solve my
> own problem. I appreciate your help so far, but if you don't have
> anything nice to say, please just ignore this thread.

If I upset you, I apologise, but I was posting what I was thinking, you are
trying to get Samba working with a strange setup and you do not seem to
want to take advice. Get it working in a known way and then adapt it to
your network.
>
> So:
> jonathan.fisher at freeradius:~$ sudo hostname -y
> hostname: Local domain name not set
> jonathan.fisher at freeradius:~$ sudo hostname -d
> windows.corp.springventuregroup.com
>
> jonathan.fisher at freeradius:~$ sudo hostname -f
> freeradius.windows.corp.springventuregroup.com
>
>
> Unfortunately, since this box is an LXC container, I can't run the
> sysctl command:
> jonathan.fisher at freeradius:~$ sysctl -w kernel.domainname="windows.corp.XXX.com"
> sysctl: permission denied on key 'kernel.domainname'
>

And this is (as far as I can remember) the first time you have mentioned
that you are using an LXC container, could this have something to do with
your problem? Is there any way you could setup a client on bare metal and
once you have got this working, base your LXC setup on this.

Normally getting a Unix client to work with an AD DC is fairly easy, as
long as you are aware of the pitfalls.

Rowland

> We're good here:
> jonathan.fisher at freeradius:~$ cat /etc/hostname
> freeradiusjonathan.fisher at freeradius:~$
>
> So I added
> dns proxy = true
>
> No dice, same output as before.
>
> Made this change:
> jonathan.fisher at freeradius:~$ cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> domain windows.corp.springventuregroup.com
>
> search windows.corp.pringventuregroupcom
> nameserver 192.168.127.131
> nameserver 192.168.112.4
>
> Also the same output, but this message popped up after restarting samba:
> jonathan.fisher at freeradius:~$ sudo service sernet-samba-winbindd restart && sudo service sernet-samba-nmbd restart && sudo service sernet-samba-smbd restart
> sudo: unable to resolve host freeradius
> Shutting down SAMBA winbindd : *
> Starting SAMBA winbindd : *
> sudo: unable to resolve host freeradius
> Shutting down SAMBA nmbd : *
> Starting SAMBA nmbd : *
> sudo: unable to resolve host freeradius
> Shutting down SAMBA smbd : *
> Starting SAMBA smbd : *
>
> No idea if that's relevant...
>
> So I undid the resolv.conf change, and here's the output of testparm:
>
> jonathan.fisher at freeradius:~$ testparm -v | grep net
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> netbios name = FREERADIUS
> netbios aliases =
> netbios scope =
> disable netbios = No
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
>
> Sigh... thanks. I appreciate your patience and your help.
>
>

From jeff.sadowski at gmail.com Mon Dec 7 18:49:13 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Mon, 7 Dec 2015 11:49:13 -0700
Subject: [Samba] template shell RFC2307 loginShell
In-Reply-To: <5665B1DA.7000706@samba.org>
References: <56621B24.7080200@samba.org> <5662AFC1.400@samba.org> <5665B1DA.7000706@samba.org>
Message-ID:

But that doesn't work for me. As I am saying
If I set it like that I only see 7 domain users with getent passwd
experimenting I see if I set

idmap config * : range = 2000-7999
idmap config DOMAIN:range = 8000-99999

I see all my users.

which is really odd because all my users have uids above 10000

What other troubleshooting steps can I take to see why this is acting
this way?

I edit /etc/samba/smb.conf
I run a script with the following

service winbind stop
service samba stop
net cache flush
rm -f /var/lib/samba/*.tdb
rm -f /var/lib/samba/group_mapping.ldb
sleep 1
service samba start
service winbind start

then I do
getent passwd|wc -l

########################

when

idmap config DOMAIN:range = 10000-99999

# getent passwd|wc -l
47

when

idmap config DOMAIN:range = 9000-99999

# getent passwd|wc -l
109

when

idmap config DOMAIN:range = 8000-99999

# getent passwd|wc -l
801

that seems to be as many as I can get
still doesn't add up as

# cat /etc/passwd|wc -l
40

# wbinfo -u|wc -l
798

So I should have 838 users.
But no matter what I set idmap config DOMAIN:range to I don't see any
more than 801 users with getent passwd

On Mon, Dec 7, 2015 at 9:20 AM, Rowland penny wrote:

> On 07/12/15 15:42, Jeff Sadowski wrote:
>
>> I finally got to test it and it works OK
>> something really strange is occurring though
>>
>> It works good as follows except for groups but I'll look at that later
>> as I see others have mentioned some issues with groups
>> here is my /etc/samba/smb.conf
>>
>> security = ads
>> realm = DOMAIN.LONG
>> workgroup = DOMAIN
>> idmap config * : backend = tdb
>> idmap config * : range = 900-999
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:range = 1000-99999
>> idmap config DOMAIN:schema_mode = rfc2307
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> # so that the users show up in getent
>> winbind enum users = Yes
>> # doesn't seem to do the same for groups :-/
>> winbind enum groups = Yes
>> restrict anonymous = 2
>>
>> What is strange is when I use the ranges like so
>>
>> idmap config * : range = 1000-9999
>> idmap config DOMAIN:range = 10000-99999
>>
>> only a small fraction of my users show up when I do a "getent passwd"
>> they all seem to show up when I do a "wbinfo -u"
>> and all my users uids are over 10000
>>
>> when I set it back to
>>
>> idmap config * : range = 900-999
>> idmap config DOMAIN:range = 1000-99999
>>
>> I see all my users
>>
>>
>> So going further I find that when I run "id" as myuser I didn't see all
>> my groups but if I ran "id myuser" I did see all my users
>> So I tried
>>
>> idmap config * : range = 100000-1099999
>> idmap config DOMAIN:range = 0-99999
>>
>> and now when I run "id" as myuser I see all my group
>>
>
> You posted that you were using Samba version 4.1.6, this usually means
> Ubuntu, in which case: 0-999 is reserved for the system users & groups
> (root etc), 1000 upwards is where you should be putting your local Unix
> users & groups. This means that you shouldn't really use any number under
> a '1000' for AD users & groups and you should also leave a small space for
> local users & groups, hence the advice on the wiki is to use '2000-9999'
> for your builtin AD users & groups and to use '10000' upwards for your AD
> users & groups.
>
> This means if you give 'Domain Users' the gidNumber of '10000' and then
> give your users uidNumbers starting from '10000' and use the 'idmap config'
> block from the wiki, you will be able to see all your users & groups via
> getent. Note that 'getent group' will not show anything, but 'getent group
> Domain\ Users' will.
>
> You can start both your user & group IDs from '10000', there is no reason
> to use different ranges.
>
> using wbinfo to show users works differently to getent, using 'wbinfo -u'
> to show your users ensures that winbind can connect to AD, you need to use
> getent to make sure that your OS can connect to AD, if getent doesn't show
> your user or group, then the OS will not know about it.
>
> Rowland
>
>
>> On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny <rpenny at samba.org> wrote:
>>
>> On 05/12/15 02:47, Jeff Sadowski wrote:
>>
>> Thank you Rowland for looking at it.
>> I did read the wiki here https://wiki.samba.org/index.php/Idmap_config_ad
>> that is how I got as far as I did; that and the idmap_ad man page. I
>> could not find how to use the loginShell is there a variable I can use
>> for it in the template or an option to set to use it? loginShell and
>> unixHomedir are not mentioned on the wiki that I could find. I'm good
>> with the templated homedir but curious how to use the unixHomedir. It
>> seems that the schema_mode = rfc2307 is the default as it works fine
>> except for the default shells which I have the workaround for. I think I
>> will move them out of their home directories and set them elsewhere,
>> where users will need to ask to change the shell.
>> I purposefully set rid as the default backend if one does not exist
>> explicitly for the domain as it worked better for me. What I did with
>> the default backend should stop the login if the domain isn't explicitly
>> defined.
>>
>> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny wrote:
>>
>> On 04/12/15 22:43, Jeff Sadowski wrote:
>>
>> We use power broker here at work and were wondering why we need it.
>>
>> I was able to setup a new linux server using samba and am able to login
>> with my active directory accounts but I couldn't figure out how to set
>> the login shells.
>> I have a work around but would like feedback
>> in my /etc/samba/smb.conf I have the following
>>
>> security = ads
>> realm = DOMAIN.LONG
>> workgroup = DOMAIN
>> idmap config DOMAIN : backend = ad
>> idmap config DOMAIN : range = 1000-999999999
>> #should not get here
>> idmap config * : range = 999999998-999999999
>> idmap config * :backend =rid
>> template homedir = /nfs/homes/%U
>> template shell = /nfs/homes/%U/.default_shell
>> winbind use default domain = yes
>> restrict anonymous = 2
>>
>>
>> Have you considered reading the Samba wiki ?
>> Your 'idmap config' block should look similar to this:
>>
>> # Default idmap config used for BUILTIN and local accounts/groups
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> # idmap config for domain SAMDOM
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 10000-99999
>>
>> # Use template settings for login shell and home directory
>> winbind nss info = template
>> template shell = /nfs/homes/%U/.default_shell
>> template homedir = /nfs/homes/%U
>>
>> Though as you seem to be using uidNumber & gidNumber attributes, you
>> could also store the loginShell and unixHomedir in AD as well.
>>
>> Rowland
>>
>>
>> allowing users to pick their shell using
>> ln -s /bin/bash ~/.default_shell
>> or
>> ln -s /bin/tcsh ~/.default_shell
>> ...
>>
>> It will be easy to create the .default shell for each user using a
>> simple script I can run on a machine that has power broker but I am
>> wondering what others have done to allow users to pick their shell using
>> samba to authenticate?
>> What are the downsides of doing it the way I did it?
>>
>> is there a way to use the loginShell provided by rfc2307 that I haven't
>> found documented in samba?
>>
>> I'm using samba version 4.1.6 if that makes a difference. I could
>> probably find a way to upgrade if there is support in newer versions.
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>> Samba AD as standard comes with the ability to add RFC2307 attributes to
>> a user or group (see here for more info: https://www.ietf.org/rfc/rfc2307.txt)
>> What this means is, if you give a user a uidNumber and at least 'Domain
>> Users' a gidNumber, then the user will become visible on a Unix domain
>> member (aka Unix workstation).
>> If you study the list of attributes on the link above, you will find
>> that there are more attributes available, amongst them are loginShell
>> and homeDirectory. The first is where you can store the users login
>> shell (obviously), but there is a problem with the second, AD already
>> has an attribute with the same name to store the users windows home
>> directory path, so this became unixHomeDirectory and is where you can
>> store the users Unix home directory.
>> If you require more info on the RFC2307 attributes, please ask.
>>
>> Now, as for the 'idmap config' block and which to use, this is down to
>> the sysadmin (i.e. you) and is based on what you require. There are
>> several backends available, but only two are regularly used, the 'ad'
>> and 'rid' backends. Let's deal with the 'rid' backend first, this is
>> used if you don't want (or need) to add RFC2307 attributes to AD. Your
>> users & groups will be mapped to a number inside the range you set i.e.
>> idmap config SAMDOM:range = 10000-99999. It uses an algorithm to create
>> the IDs from the user/group RID and as long as you use the same 'idmap
>> config' block on every Unix machine, you will get the same Unix ID on
>> every Unix machine. The downside is that you cannot set individual
>> homedirs & shells for users and will have to use the template lines in
>> smb.conf.
>>
>> The 'ad' backend is different, it uses the RFC2307 attributes for the
>> user/group IDs, this does of course mean that you have to add a
>> uidNumber attribute containing a unique number to any users that you
>> need to be visible to Unix *and* add a gidNumber to Domain Users at
>> least. These numbers must be inside the range you set in smb.conf, any
>> numbers outside the range will be ignored.
>> You can go further with the 'ad' backend, you can add the loginShell
>> attribute containing the users shell (/bin/bash for instance), you can
>> also add the unixHomeDirectory attribute containing the path to the
>> users home directory. To use these, you would also need to have the line
>> 'winbind nss info = rfc2307' in smb.conf. If you don't want to add these
>> further attributes, you can add 'winbind nss info = template' instead
>> and also add the template lines.
>>
>> You need these lines in smb.conf:
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>>
>> These lines are where Samba will store the mappings for the builtin
>> users & groups, without these, it is very unlikely Samba will work
>> correctly.
>>
>> Again, any questions, please ask.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

From ole.traupe at tu-berlin.de Mon Dec 7 18:55:51 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Mon, 7 Dec 2015 19:55:51 +0100
Subject: [Samba] userid shows 4294967295
In-Reply-To: <5665B386.4000506@samba.org>
References: <5665A578.2070103@samba.org> <5665B386.4000506@samba.org>
Message-ID: <5665D637.1040106@tu-berlin.de>

I always wondered why to reserve 8000 IDs for built-in accounts. I see ~40
built-in groups in ADUC and 2 such users (Administrator and Guest)...

Ole

On 07.12.2015 at 17:27, Rowland penny wrote:
> On 07/12/15 16:08, Nico De Ranter wrote:
>>
>> I'm coming from a Debian system so my system accounts are below 1000,
>> regular accounts start at 1000. For some historical reason somebody
>> gave our main group id 500 so therefore I want my usable range to
>> start at 500.
>
> Bad idea, you will probably need at least one local Unix user, where
> are you going to put it. My advice would be to follow the Samba wiki
> and use the numbers you will find there.
>
>>
>> Do I need both idmap config *:range and idmap config SAMDOM:range?
>> I also tried with only 'idmap config *:range' but that didn't seem to
>> help. I'll try again tomorrow.
>
> Yes you do, the first is for the builtin user & group mappings and the
> second is for your AD users & groups.
>
>>
>> I also noticed that my second AD didn't have rfc2307 enabled so that
>> may also have introduced some issues.
>
> Not really, all the info should be in AD, you probably just need to
> add 'idmap_ldb:use rfc2307 = yes' to smb.conf on the second DC.
>
> Rowland
>
>>
>> @Stefan Kania, thanks for the 'net cache flush', I didn't know that.
>> >> Nico >> >> >> On Mon, Dec 7, 2015 at 4:27 PM, Rowland penny > > wrote: >> >> On 07/12/15 12:52, Nico De Ranter wrote: >> >> Hello again, >> >> I'm getting close to a working setup but still run into >> glitches here and >> there. >> >> I have 2 Ubuntu servers working as AD server, one Ubuntu >> desktop with >> winbind configured. I've setup a number of accounts with Unix >> properties. I've been primarily testing with my own account >> which works >> just fine. I've now assigned Unix properties to another >> account. When I >> run 'wbinfo -i' on the AD server I see the correct info: >> >> root at dc1:~# wbinfo -i test >> OFFICE\test:*:10000:500:test:/home/OFFICE/test:/bin/false >> >> When I try the same thing on the client I get: >> >> root at testpc2:~# wbinfo -i test >> test:*:4294967295:4294967295::/home/test:/bin/bash >> >> I also tried some other accounts and got the same result. The >> only account >> that seems to work fine is my own account (and no it is not in >> /etc/passwd >> :-) >> >> Any idea what might be wrong? 
>> >> smb.conf on the client: >> >> [global] >> security = ADS >> workgroup = OFFICE >> realm = WIN.OFFICE >> >> log file = /var/log/samba/%m.log >> log level = 1 >> >> dedicated keytab file = /etc/krb5.keytab >> kerberos method = secrets and keytab >> >> winbind refresh tickets = yes >> winbind trusted domains only = no >> winbind use default domain = yes >> winbind enum users = yes >> winbind enum groups = yes >> winbind offline logon = yes >> >> client signing = yes >> client use spnego = yes >> >> idmap config = ad >> winbind nss info = rfc2307 >> >> # Default idmap config used for BUILTIN and local >> accounts/groups >> idmap backend = tdb >> idmap range = 100-499 >> >> # idmap config for domain OFFICE >> idmap config OFFICE : backend = ad >> idmap config OFFICE : schema_mode = rfc2307 >> idmap config OFFICE : range = 500-29999 >> >> >> Your 'idmap config' block really should look like this: >> >> idmap config *:backend = tdb >> idmap config *:range = 2000-9999 >> idmap config SAMDOM:backend = ad >> idmap config SAMDOM:schema_mode = rfc2307 >> idmap config SAMDOM:range = 10000-99999 >> >> Also why are you using such strange ID numbers? >> >> Rowland >> >> It worked for the user with uid 1048, it doesn't work for uid >> 1059, 1000, >> 9999, 10000 >> >> >> >> -- To unsubscribe from this list go to the following URL and >> read the >> instructions: https://lists.samba.org/mailman/options/samba >> >> >> >> >> -- >> Nico De Ranter >> >> Operations Engineer >> >> T. +32 16 40 12 82 >> >> M. 
>> +32 497 91 53 78

From ole.traupe at tu-berlin.de Mon Dec 7 18:59:34 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Mon, 7 Dec 2015 19:59:34 +0100
Subject: [Samba] Permission Denied
In-Reply-To: <5665BDE5.1010702@samba.org>
References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de> <5665BDE5.1010702@samba.org>
Message-ID: <5665D716.5090402@tu-berlin.de>

> There are two ways of mapping Administrator:
> A) use a 'username map' line in smb.conf on a domain member, this
> will point to a file similar to this:
> !root = SAMDOM\Administrator SAMDOM\administrator
> This will map the windows 'Administrator' to the Unix user 'root'
> and you will be able to alter ACLs on Samba Unix shares from windows.
>
> B) Give Administrator a uidNumber, This would then make Administrator
> a normal Unix user, so you would have to ensure that s/he had the
> required permissions to change ACLs on a Samba Unix share from windows.
>
> You pays your money and make your own choice which to use.
>
> You can, at any time, remove anything that you have done to
> Administrator and go back to Standard.

Looks like I somehow did both, which surely is counter-productive. I better remove the unix attributes for Administrator...

Thanks, Rowland!

Ole

>
> Rowland
>

From rpenny at samba.org Mon Dec 7 19:07:32 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 07 Dec 2015 19:07:32 +0000
Subject: [Samba] template shell RFC2307 loginShell
In-Reply-To:
References: <56621B24.7080200@samba.org> <5662AFC1.400@samba.org> <5665B1DA.7000706@samba.org>
Message-ID: <5665D8F4.6090902@samba.org>

On 07/12/15 18:49, Jeff Sadowski wrote:
> But that doesn't work for me. As I am saying
> If I set it like that I only see 7 domain users with getent passwd
> experimenting I see if I set
>
> idmap config * : range = 2000-7999
> idmap config DOMAIN:range = 8000-99999
>
> I see all my users.
>
> which is really odd because all my users have uids above 10000
>
> What other trouble shooting steps can I take to see why this is acting
> this way?
>
> I edit /etc/samba/smb.conf
> I run a script with the following
>
> service winbind stop
> service samba stop
> net cache flush
> rm -f /var/lib/samba/*.tdb
> rm -f /var/lib/samba/group_mapping.ldb
> sleep 1
> service samba start
> service winbind start
>
> then I do
> getent passwd|wc -l
>
> ########################3
>
> when
>
> idmap config DOMAIN:range = 10000-99999
>
> # getent passwd|wc -l
> 47
>
> when
>
> idmap config DOMAIN:range = 9000-99999
>
> # getent passwd|wc -l
> 109
>
> when
>
> idmap config DOMAIN:range = 8000-99999
>
> # getent passwd|wc -l
> 801
>
> that seems to be as many as I can get
> still doesn't add up as
>
> # cat /etc/passwd|wc -l
> 40
>
> # wbinfo -u|wc -l
> 798
>
> So I should have 838
> users.
> But no matter what I set idmap config DOMAIN:range to I don't see any
> more than 801 users with getent passwd
>

OK, lets step back a bit here, can you confirm:
All your users have a uidNumber attribute containing a unique number between 10000 to 99999 ?
Does 'Domain Users' have a gidNumber attribute containing a number between 10000 to 99999 ?

Any user that doesn't have a uidNumber, or one outside the 10000-99999 will be ignored, could this be your problem?

What OS is the client running on and what is the AD DC ?
Rowland

From jeff.sadowski at gmail.com Mon Dec 7 19:13:28 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Mon, 7 Dec 2015 12:13:28 -0700
Subject: [Samba] template shell RFC2307 loginShell
In-Reply-To:
References: <56621B24.7080200@samba.org> <5662AFC1.400@samba.org> <5665B1DA.7000706@samba.org>
Message-ID:

I had some users with bigger uids than 99999 so I bumped up DOMAIN:range to

idmap config DOMAIN:range = 8000-9999999

# getent passwd|wc -l
806

yeah I got 5 more users

I wrote a simple loop like so

wbinfo -u|while read i; do id $i|cut -d, -f1; done > users_list.txt

puts out some nice errors

id: guest: no such user
id: administrator: no such user
...

I'm going to guess none have the uid variable in ad.

On Mon, Dec 7, 2015 at 11:49 AM, Jeff Sadowski wrote:
> But that doesn't work for me. As I am saying
> If I set it like that I only see 7 domain users with getent passwd
> experimenting I see if I set
>
> idmap config * : range = 2000-7999
> idmap config DOMAIN:range = 8000-99999
>
> I see all my users.
>
> which is really odd because all my users have uids above 10000
>
> What other trouble shooting steps can I take to see why this is acting
> this way?
>
> I edit /etc/samba/smb.conf
> I run a script with the following
>
> service winbind stop
> service samba stop
> net cache flush
> rm -f /var/lib/samba/*.tdb
> rm -f /var/lib/samba/group_mapping.ldb
> sleep 1
> service samba start
> service winbind start
>
> then I do
> getent passwd|wc -l
>
> ########################3
>
> when
>
> idmap config DOMAIN:range = 10000-99999
>
> # getent passwd|wc -l
> 47
>
> when
>
> idmap config DOMAIN:range = 9000-99999
>
> # getent passwd|wc -l
> 109
>
> when
>
> idmap config DOMAIN:range = 8000-99999
>
> # getent passwd|wc -l
> 801
>
> that seems to be as many as I can get
> still doesn't add up as
>
> # cat /etc/passwd|wc -l
> 40
>
> # wbinfo -u|wc -l
> 798
>
> So I should have 838
> users.
> But no matter what I set idmap config DOMAIN:range to I don't see any more > than 801 users with getent passwd > > > On Mon, Dec 7, 2015 at 9:20 AM, Rowland penny wrote: > >> On 07/12/15 15:42, Jeff Sadowski wrote: >> >>> I finally got to test it and it works OK >>> something really strange is occurring though >>> >>> It works good as follows except for groups but I'll look at that latter >>> as I see others have mentioned some issues with groups >>> here is my /etc/samba/smb.conf >>> >>> security = ads >>> realm = DOMAIN.LONG >>> workgroup = DOMAIN >>> idmap config * : backend = tdb >>> idmap config * : range = 900-999 >>> idmap config DOMAIN:backend = ad >>> idmap config DOMAIN:range = 1000-99999 >>> idmap config DOMAIN:schema_mode = rfc2307 winbind nss info = >>> rfc2307 winbind use default domain = yes >>> # so that the users show up in getent >>> winbind enum users = Yes >>> # doesn't seem to do the same for groups :-/ >>> winbind enum groups = Yes >>> restrict anonymous = 2 >>> >>> What is strange is when I use the ranges like so >>> >>> idmap config * : range = 1000-9999 >>> idmap config DOMAIN:range = 10000-99999 >>> >>> only a small fraction of my users show up when I do a "getent passwd" >>> they all seem to show up when I do a "wbinfo -u" >>> and all my users uids are over 10000 >>> >>> when I set it back to >>> >>> idmap config * : range = 900-999 >>> idmap config DOMAIN:range = 1000-99999 >>> >>> I see all my users >>> >>> >>> So going further I find that when I run "id" as myuser I didn't see all >>> my groups but if I ran "id myuser" I did see all my users >>> So I tried >>> >>> idmap config * : range = 100000-1099999 >>> idmap config DOMAIN:range = 0-99999 >>> >>> and now when I run "id" as myuser I see all my group >>> >> >> You posted that you were using Samba version 4.1.6, this usually means >> Ubuntu, in which case: 0-999 is reserved for the system users & groups >> (root etc), 1000 upwards is where you should be putting your local Unix >> 
users & groups. This means that you shouldn't really use any number under a >> '1000' for AD users & groups and you should also leave a small space for >> local users & groups, hence the advice on the wiki is to use '2000-9999' >> for your builtin AD users & groups and to use '10000' upwards for your AD >> users & groups. >> >> This means if you give 'Domain Users' the gidNumber of '10000' and then >> give your users uidNumbers starting from '10000' and use the 'idmap config' >> block from the wiki, you will be able to see all your users & groups via >> getent. Note that 'getent group' will not show anything, but 'getent group >> Domain\ Users' will. >> >> You can start both your user & group IDs from '10000', there is no reason >> to use different ranges. >> >> using wbinfo to show users works differently to getent, using 'wbinfo -u' >> to show your users ensures that winbind can connect to AD, you need to use >> getent to make sure that your OS can connect to AD, if getent doesn't show >> your user or group, then the OS will not know about it. >> >> Rowland >> >> >>> >>> On Sat, Dec 5, 2015 at 2:34 AM, Rowland penny >> rpenny at samba.org>> wrote: >>> >>> On 05/12/15 02:47, Jeff Sadowski wrote: >>> >>> Thank you Rowland for looking at it. >>> I did read the wiki here >>> https://wiki.samba.org/index.php/Idmap_config_ad that is how I >>> got as far as I did; that and the idmap_ad man page. I could >>> not find how to use the loginShell is there a variable I can >>> use for it in the template or an option to set to use it? >>> loginShell and unixHomedir are not mentioned on the wiki that >>> I could find. I'm good with the templated homedir but curious >>> how to use the unixHomedir. It seems that the schema_mode = >>> rfc2307 is the default as it works fine except for the default >>> shells which I have the workaround for. I think I will move >>> them out of their home directories and set them else ware, >>> where users will need to ask to change the shell. 
I >>> purposefully set rid as the default backend if one does not >>> exist explicit for the domain as it worked better for me. What >>> I did with the default backend should stop the login if the >>> domain isn't explicitly defined. >>> >>> >>> >>> On Fri, Dec 4, 2015 at 4:00 PM, Rowland penny >>> >>> >> wrote: >>> >>> On 04/12/15 22:43, Jeff Sadowski wrote: >>> >>> We use power broker here at work and where wondering >>> why we >>> need it. >>> >>> I was able to setup a new linux server using samba and >>> am able >>> to login >>> with my active directory accounts but I couldn't >>> figure out >>> how to set the >>> login shells. >>> I have a work around but would like feedback >>> in my /etc/samba/smb.conf I have the following >>> >>> security = ads >>> realm = DOMAIN.LONG >>> workgroup = DOMAIN >>> idmap config DOMAIN : backend = ad >>> idmap config DOMAIN : range = 1000-999999999 >>> #should not get here >>> idmap config * : range = 999999998-999999999 >>> idmap config * :backend =rid >>> template homedir = /nfs/homes/%U >>> template shell = /nfs/homes/%U/.default_shell >>> winbind use default domain = yes >>> restrict anonymous = 2 >>> >>> >>> Have you considered reading the Samba wiki ? >>> Your 'idmap config' block should look similar to this: >>> >>> # Default idmap config used for BUILTIN and local >>> accounts/groups >>> idmap config *:backend = tdb >>> idmap config *:range = 2000-9999 >>> >>> # idmap config for domain SAMDOM >>> idmap config DOMAIN:backend = ad >>> idmap config DOMAIN:schema_mode = rfc2307 >>> idmap config DOMAIN:range = 10000-99999 >>> >>> # Use template settings for login shell and home >>> directory >>> winbind nss info = template >>> template shell = /nfs/homes/%U/.default_shell >>> template homedir = /nfs/homes/%U >>> >>> Though as you seem to be using uidNumber & gidNumber >>> attributes, >>> you could also store the loginShell and unixHomedir in AD >>> as well. 
>>> >>> Rowland >>> >>> >>> allowing users to pick their shell using >>> ln -s /bin/bash ~/.default_shell >>> or >>> ln -s /bin/tcsh ~/.default_shell >>> ... >>> >>> It will be easy to create the .default shell for each >>> user >>> using a simple >>> script I can run on a machine that has power broker >>> but I am >>> wondering what >>> others have done to allow users to pick their shell >>> using samba to >>> authenticate? >>> What are the downsides of doing it the way I did it? >>> >>> is there a way to use the loginShell provided by >>> rfc2307 that >>> I haven't >>> found documented in samba? >>> >>> I'm using samba version 4.1.6 if that makes a >>> difference. I >>> could probably >>> find a way to upgrade if there is support in newer >>> versions. >>> >>> >>> >>> -- To unsubscribe from this list go to the following >>> URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >>> >>> Samba AD as standard comes with the ability to add RFC2307 >>> attributes to a user or group (see here for more info: >>> https://www.ietf.org/rfc/rfc2307.txt) >>> What this means is, if you give a user a uidNumber and at least >>> 'Domain Users' a gidNumber, then the user will become visible on a >>> Unix domain member (aka Unix workstation). >>> If you study the list of attributes on the link above, you will >>> find that there are more attributes available, amongst them are >>> loginShell and homeDirectory. The first is where you can store the >>> users login shell (obviously), but there is a problem with the >>> second, AD already has an attribute with the same name to store >>> the users windows home directory path, so this became >>> unixHomeDirectory and is where you can store the users Unix home >>> directory. >>> If you require more info on the RFC2307 attributes, please ask. >>> >>> Now, as for the 'idmap config' block and which to use, this is >>> down to the sysadmin (i.e. you) and is based on what you require. 
>>> There are several backends available, but only two are regularly >>> used, the 'ad' and 'rid' backends. Lets deal with the 'rid' >>> backend first, this is used if you don't want (or need) to add >>> RFC2307 attributes to AD. Your users & groups will be mapped to a >>> number inside the range you set i.e. idmap config SAMDOM:range = >>> 10000-99999. It uses an algorithm to create the IDs from the >>> user/group RID and as long as you use the same 'idmap config' >>> block on every Unix machine, you will get the same Unix ID on >>> every Unix machine. The downside is that you cannot set individual >>> homedirs & shells for users and will have to use the template >>> lines in smb.conf. >>> >>> The 'ad' backend is different, it uses the RFC2307 attributes for >>> the user/group IDs, this does of course mean that you have to add >>> a uidNumber attribute containing a unique number to any users that >>> you need to be visible to Unix *and* add a gidNumber to Domain >>> Users at least. These numbers must be inside the range you set in >>> smb.conf, any numbers outside the range will be ignored. >>> You can go further with the 'ad' backend, you can add the >>> loginShell attribute containing the users shell (/bin/bash for >>> instance), you can also add the unixHomeDirectory attribute >>> containing the path to the users home directory. To use these, you >>> would also need to have the line 'winbind nss info = rfc2307' in >>> smb.conf. If you don't want to add these further attributes, you >>> can add 'winbind nss info = template' instead and also add the >>> template lines. >>> >>> You need these lines in smb.conf: >>> idmap config *:backend = tdb >>> idmap config *:range = 2000-9999 >>> >>> These lines are where Samba will store the mappings for the >>> builtin users & groups, without these, it is very unlikely Samba >>> will work correctly. >>> >>> Again, any questions, please ask. 
>>>
>>> Rowland
>>>
>>> -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>>
>> --
>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>
>

From ole.traupe at tu-berlin.de Mon Dec 7 19:17:48 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Mon, 7 Dec 2015 20:17:48 +0100
Subject: [Samba] Permission Denied
In-Reply-To: <5665D716.5090402@tu-berlin.de>
References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de> <5665BDE5.1010702@samba.org> <5665D716.5090402@tu-berlin.de>
Message-ID: <5665DB5C.3000902@tu-berlin.de>

> Looks like I somehow did both, which surely is counter-productive. I
> better remove the unix attributes for Administrator...
>

If I do this (rely on the user map file containing "!root = BPN\Administrator BPN\administrator"), should I expect "id Administrator" to give anything?

Ole

From rpenny at samba.org Mon Dec 7 19:18:39 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 07 Dec 2015 19:18:39 +0000
Subject: [Samba] userid shows 4294967295
In-Reply-To: <5665D637.1040106@tu-berlin.de>
References: <5665A578.2070103@samba.org> <5665B386.4000506@samba.org> <5665D637.1040106@tu-berlin.de>
Message-ID: <5665DB8F.20001@samba.org>

On 07/12/15 18:55, Ole Traupe wrote:
> I always wondered why to reserve 8000 IDs for built-in accounts. I see
> ~40 built-in groups in ADUC and 2 such users (Administrator and Guest)...
>
> Ole
>

There are more potential users and groups than that, but you are correct, you do not actually need that number, it was based on this:

Unix uses 0-999 for system users & groups (yes I know redhat used to use 0-499, but they now use 0-999)
ADUC starts Unix IDs at 10000

If you use a range for the builtin users & groups above the domain range, it could get in the way if your AD domain grows enough, so why not put it below the AD range?
If this is done, where to put it? You will probably require some Unix users, so they will start at 1000, hence for ease, 2000 was chosen as the start ID for the builtin range and as it could only go up to 9999, this was chosen as the end number.

Rowland

From rpenny at samba.org Mon Dec 7 19:25:54 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 07 Dec 2015 19:25:54 +0000
Subject: [Samba] template shell RFC2307 loginShell
In-Reply-To:
References: <56621B24.7080200@samba.org> <5662AFC1.400@samba.org> <5665B1DA.7000706@samba.org>
Message-ID: <5665DD42.8080301@samba.org>

On 07/12/15 19:13, Jeff Sadowski wrote:
> I had some users with bigger uids than 99999 so I bumped up
> DOMAIN:range to
>
> idmap config DOMAIN:range = 8000-9999999
>
> # getent passwd|wc -l
> 806
>
> yeah I got 5 more users
>
> I wrote a simple loop like so
>
> wbinfo -u|while read i; do id $i|cut -d, -f1; done > users_list.txt
>
> puts out some nice errors
>
> id: guest: no such user
> id: administrator: no such user
> ...
> I'm going to guess none have the uid variable in ad.

Probably not, but the two above probably shouldn't have one anyway.

Rowland

>
>

From rpenny at samba.org Mon Dec 7 19:28:47 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 07 Dec 2015 19:28:47 +0000
Subject: [Samba] Permission Denied
In-Reply-To: <5665DB5C.3000902@tu-berlin.de>
References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de> <5665BDE5.1010702@samba.org> <5665D716.5090402@tu-berlin.de> <5665DB5C.3000902@tu-berlin.de>
Message-ID: <5665DDEF.7090509@samba.org>

On 07/12/15 19:17, Ole Traupe wrote:
>
>> Looks like I somehow did both, which surely is counter-productive. I
>> better remove the unix attributes for Administrator...
>>
>
> If I do this (rely on the user map file containing "!root =
> BPN\Administrator BPN\administrator"), should I expect "id
> Administrator" to give anything?
>
> Ole
>

Only on a Samba AD DC, you will not get anything from 'getent Administrator' on a Unix domain member, but remember, with the user map 'Administrator' becomes 'root' :-)

Rowland

From jeff.sadowski at gmail.com Mon Dec 7 19:28:47 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Mon, 7 Dec 2015 12:28:47 -0700
Subject: [Samba] template shell RFC2307 loginShell
In-Reply-To: <5665D8F4.6090902@samba.org>
References: <56621B24.7080200@samba.org> <5662AFC1.400@samba.org> <5665B1DA.7000706@samba.org> <5665D8F4.6090902@samba.org>
Message-ID:

wbinfo -u|while read i; do id $i|cut -d, -f1; done > users_list.txt 2> bad_list.txt

# cat users_list.txt | cut -d'(' -f1|cut -d= -f2|sort -n|head -n 1
9102

# cat users_list.txt | cut -d'(' -f1|cut -d= -f2|sort -n|tail -n 1
8921272

seems to be my issue thank you.

# cat bad_list.txt |wc -l
32

looking through those users I found none had uids or gids but I don't care about any of them

# cat users_list.txt | wc -l
766
# cat /etc/passwd|wc -l
40
# getent passwd|wc -l
806

yeah the numbers add up

also
# cat /etc/passwd|wc -l
40
# wbinfo -u|wc -l
798
# cat bad_list.txt |wc -l
32

798+40-32=806

All unseen users have no uids

On Mon, Dec 7, 2015 at 12:07 PM, Rowland penny wrote:
> On 07/12/15 18:49, Jeff Sadowski wrote:
>
>> But that doesn't work for me. As I am saying
>> If I set it like that I only see 7 domain users with getent passwd
>> experimenting I see if I set
>>
>> idmap config * : range = 2000-7999
>> idmap config DOMAIN:range = 8000-99999
>>
>> I see all my users.
>>
>> which is really odd because all my users have uids above 10000
>>
>> What other trouble shooting steps can I take to see why this is acting
>> this way?
>> >> I edit /etc/samba/smb.conf >> I run a script with the following >> >> service winbind stop >> service samba stop >> net cache flush >> rm -f /var/lib/samba/*.tdb >> rm -f /var/lib/samba/group_mapping.ldb >> sleep 1 >> service samba start >> service winbind start >> >> then I do >> getent passwd|wc -l >> >> ########################3 >> >> when >> >> idmap config DOMAIN:range = 10000-99999 >> >> # getent passwd|wc -l >> 47 >> >> when >> >> idmap config DOMAIN:range = 9000-99999 >> >> # getent passwd|wc -l >> 109 >> >> when >> >> idmap config DOMAIN:range = 8000-99999 >> >> # getent passwd|wc -l >> 801 >> >> that seems to be as many as I can get >> still doesn't add up as >> >> # cat /etc/passwd|wc -l >> 40 >> >> # wbinfo -u|wc -l >> 798 >> >> So I should have 838 >> users. >> But no matter what I set idmap config DOMAIN:range to I don't see any >> more than 801 users with getent passwd >> >> >> > OK, lets step back a bit here, can you confirm: > All your users have a uidNumber attribute containing a unique number > between 10000 to 99999 ? > Does 'Domain Users' have a gidNumber attribute containing a number between > 10000 to 99999 ? > > Any user that doesn't have a uidNumber, or one outside the 10000-99999 > will be ignored, could this be your problem? > > What OS is the client running on and what is the AD DC ? 
> > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > From rpenny at samba.org Mon Dec 7 19:30:30 2015 From: rpenny at samba.org (Rowland penny) Date: Mon, 07 Dec 2015 19:30:30 +0000 Subject: [Samba] template shell RFC2307 loginShell In-Reply-To: References: <56621B24.7080200@samba.org> <5662AFC1.400@samba.org> <5665B1DA.7000706@samba.org> <5665D8F4.6090902@samba.org> Message-ID: <5665DE56.9050309@samba.org> On 07/12/15 19:28, Jeff Sadowski wrote: > wbinfo -u|while read i; do id $i|cut -d, -f1; done > users_list.txt 2> > bad_list.txt > > # cat users_list.txt | cut -d'(' -f1|cut -d= -f2|sort -n|head -n 1 > 9102 > > # cat users_list.txt | cut -d'(' -f1|cut -d= -f2|sort -n|tail -n 1 > 8921272 > > seems to be my issue thank you. > > # cat bad_list.txt |wc -l > 32 > > looking through those users I found none had uids or gids but I don't > care about any of them > > # cat users_list.txt | wc -l > 766 > # cat /etc/passwd|wc -l > 40 > # getent passwd|wc -l > 806 > > yeah the numbers add up > > also > # cat /etc/passwd|wc -l > 40 > # wbinfo -u|wc -l > 798 > # cat bad_list.txt |wc -l > 32 > > 798+40-32=806 > > All unseen users have no uids Great, I think you have got it working :-) Rowland > > > > On Mon, Dec 7, 2015 at 12:07 PM, Rowland penny > wrote: > > On 07/12/15 18:49, Jeff Sadowski wrote: > > But that doesn't work for me. As I am saying > If I set it like that I only see 7 domain users with getent passwd > experimenting I see if I set > > idmap config * : range = 2000-7999 > idmap config DOMAIN:range = 8000-99999 > > I see all my users. > > which is really odd because all my users have uids above 10000 > > What other trouble shooting steps can I take to see why this > is acting this way? 
> > I edit /etc/samba/smb.conf > I run a script with the following > > service winbind stop > service samba stop > net cache flush > rm -f /var/lib/samba/*.tdb > rm -f /var/lib/samba/group_mapping.ldb > sleep 1 > service samba start > service winbind start > > then I do > getent passwd|wc -l > > ########################3 > > when > > idmap config DOMAIN:range = 10000-99999 > > # getent passwd|wc -l > 47 > > when > > idmap config DOMAIN:range = 9000-99999 > > # getent passwd|wc -l > 109 > > when > > idmap config DOMAIN:range = 8000-99999 > > # getent passwd|wc -l > 801 > > that seems to be as many as I can get > still doesn't add up as > > # cat /etc/passwd|wc -l > 40 > > # wbinfo -u|wc -l > 798 > > So I should have 838 > users. > But no matter what I set idmap config DOMAIN:range to I don't > see any more than 801 users with getent passwd > > > > OK, lets step back a bit here, can you confirm: > All your users have a uidNumber attribute containing a unique > number between 10000 to 99999 ? > Does 'Domain Users' have a gidNumber attribute containing a number > between 10000 to 99999 ? > > Any user that doesn't have a uidNumber, or one outside the > 10000-99999 will be ignored, could this be your problem? > > What OS is the client running on and what is the AD DC ? > > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > From ole.traupe at tu-berlin.de Mon Dec 7 19:39:27 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Mon, 7 Dec 2015 20:39:27 +0100 Subject: [Samba] userid shows 4294967295 In-Reply-To: <5665DB8F.20001@samba.org> References: <5665A578.2070103@samba.org> <5665B386.4000506@samba.org> <5665D637.1040106@tu-berlin.de> <5665DB8F.20001@samba.org> Message-ID: <5665E06F.8070503@tu-berlin.de> Am 07.12.2015 um 20:18 schrieb Rowland penny: > On 07/12/15 18:55, Ole Traupe wrote: >> I always wondered why to reserve 8000 IDs for built-in accounts. 
I >> see ~40 built-in groups in ADUC and 2 such users (Administrator and >> Guest)... >> >> Ole >> >> > > There are more potential users and groups than that, but you are > correct, you do not actually need that number, it was based on this: > > Unix uses 0-999 for system users & groups (yes I know redhat used to > use 0-499, but they now use 0-999) Ok, so I will have to face facts when migrating to CentOS 7. :-/ > ADUC starts Unix IDs at 10000 > > If you use a range for the builtin users & groups above the domain > range, it could get in the way if your AD domain grows enough, so why > not put it below the AD range? > If this is done, where to put it? You will probably require some Unix > users, so they will start at 1000, hence for ease, 2000 was chosen as > the start ID for the builtin range and as it could only go upto 9999, > this was chosen as the end number. Makes sense. Stupid me thought: what a waste of (non-existent, non-material) space: # idmap config *:range = 1000-1999 # idmap config domain:range = 2000-99999 > > Rowland > Can I ask something related? Once I had used '23456' as uid for some test account, ADUC always wants to go that high, although I have plenty of space below that. Is there a way to get rid of this behavior? Ole From ole.traupe at tu-berlin.de Mon Dec 7 19:42:53 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Mon, 7 Dec 2015 20:42:53 +0100 Subject: [Samba] Permission Denied In-Reply-To: <5665DDEF.7090509@samba.org> References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de> <5665BDE5.1010702@samba.org> <5665D716.5090402@tu-berlin.de> <5665DB5C.3000902@tu-berlin.de> <5665DDEF.7090509@samba.org> Message-ID: <5665E13D.4080802@tu-berlin.de> >> If I do this (rely on the user map file containing "!root = >> BPN\Administrator BPN\administrator"), should I expect "id >> Administrator" to give anything? 
>> >> Ole >> > > Only a Samba AD DC, you will not get anything from 'getent > Administrator' on a Unix domain member, but remember, with the user > map 'Administrator' becomes 'root' :-) Yes, and I can manage share permissions via ADUC due to the user mapping. But on the DCs I still get "No such user" (although I don't have any appearent problem). Ole From jra at samba.org Mon Dec 7 19:52:57 2015 From: jra at samba.org (Jeremy Allison) Date: Mon, 7 Dec 2015 11:52:57 -0800 Subject: [Samba] Functionality of Nmbd at Active Directory mode of Samba4 ! In-Reply-To: References: <15010140704.20151205195642@yandex.ru> Message-ID: <20151207195257.GC34271@jra3> On Sun, Dec 06, 2015 at 03:26:44PM +0300, CpServiceSPb . wrote: > > But it isn't going to happen without someone who *needs* this stepping up > and funding it or donating working code. > > What donation amount do you estimate of to do so ? Talk to vendors directly for an exact quote. From rpenny at samba.org Mon Dec 7 19:54:27 2015 From: rpenny at samba.org (Rowland penny) Date: Mon, 07 Dec 2015 19:54:27 +0000 Subject: [Samba] Permission Denied In-Reply-To: <5665E13D.4080802@tu-berlin.de> References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de> <5665BDE5.1010702@samba.org> <5665D716.5090402@tu-berlin.de> <5665DB5C.3000902@tu-berlin.de> <5665DDEF.7090509@samba.org> <5665E13D.4080802@tu-berlin.de> Message-ID: <5665E3F3.5010100@samba.org> On 07/12/15 19:42, Ole Traupe wrote: > >>> If I do this (rely on the user map file containing "!root = >>> BPN\Administrator BPN\administrator"), should I expect "id >>> Administrator" to give anything? >>> >>> Ole >>> >> >> Only a Samba AD DC, you will not get anything from 'getent >> Administrator' on a Unix domain member, but remember, with the user >> map 'Administrator' becomes 'root' :-) > > Yes, and I can manage share permissions via ADUC due to the user mapping. > > But on the DCs I still get "No such user" (although I don't have any > appearent problem). 
>
> Ole
>
>

Have you changed anything on the DCs ? Are the winbind nss links in place ? (not sure if this makes any difference, but I always create them)

if I run 'id Administrator', I get:

uid=0(root) gid=100(users) groups=0(root),100(users),3000004(SAMdom\Group Policy Creator Owners),3000006(SAMDOM\Enterprise Admins),3000008(SAMDOM\Domain Admins),3000007(SAMDOM\Schema Admins)

'getent password Administrator' returns:

SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash

Rowland

From jeff.sadowski at gmail.com Mon Dec 7 19:56:02 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Mon, 7 Dec 2015 12:56:02 -0700
Subject: [Samba] Adding an AD group to /etc/sudoers?
Message-ID:

I can't seem to get this working and here is what I have done so far.
I am using samba 4.1.6

my /etc/samba/smb.conf looks like so

security = ads
realm = DOMAIN.LONG
workgroup = DOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 8000-9999999
idmap config DOMAIN:schema_mode = rfc2307
winbind nss info = rfc2307
winbind use default domain = yes
winbind nested groups=yes
# so that the users show up in getent
winbind enum users = Yes
# doesn't seem to do the same for groups :-/
winbind enum groups = Yes
restrict anonymous = 2

In AD my group it has a gid 8001

#getent group it
it:x:8001:myusername,others

in /etc/sudoers is the line

%it ALL=(ALL:ALL) ALL

when I ssh to said machine like so

ssh myusername at problemhost

then run a command like so

> sudo echo
[sudo] password for myusername:
myusername is not in the sudoers file. This incident will be reported.

I tried adding another line to /etc/sudoers as follows

%DOMAIN\\it ALL=(ALL:ALL) ALL

and

%DOMAIN\it ALL=(ALL:ALL) ALL

but neither of them work either.

I seem to be able to get into the nfs shares I have group permissions to but I can not get sudo to work with my AD user group.
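The idmap rule Rowland states earlier in the thread (with 'idmap config DOMAIN:backend = ad', winbind ignores any user or group whose uidNumber/gidNumber is missing or outside the configured 'range') and Jeff's reconciliation of 'getent passwd' against 'wbinfo -u' minus the accounts without a uidNumber can be checked offline against an exported record set. The script below is an added example, not code from the Samba list or the Samba project: it parses the idmap ranges out of an smb.conf fragment, partitions constructed AD user and group records into "exposed" and "ignored" exactly as the range rule dictates, computes the expected 'getent passwd' line count, and checks whether a group named on a sudoers '%group' line (as in the message above) is even visible through winbind under that range. The smb.conf text, the AD records, the membership table and the local passwd count are all constructed for the example; the check reports the range precondition only, it does not diagnose why a sudoers match might still fail.

```python
"""Added example (not from the Samba list thread): model the winbind 'ad'
backend range rule and reproduce the getent/wbinfo reconciliation from the
thread on constructed data.  Everything below is constructed sample input."""
import configparser
import re

# Constructed smb.conf fragment, mirroring the idmap block posted in the thread.
SMB_CONF = """\
[global]
security = ads
realm = DOMAIN.LONG
workgroup = DOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 8000-9999999
idmap config DOMAIN:schema_mode = rfc2307
winbind nss info = rfc2307
"""

# Constructed AD records: (sAMAccountName, uidNumber/gidNumber); None = attribute unset.
AD_USERS = [
    ("jeff", 9102), ("alice", 10001), ("bob", 8921272),
    ("guest", None), ("administrator", None), ("svc_old", 1500),
]
AD_GROUPS = [("domain users", 8000), ("it", 8001), ("legacy", 200)]
# Constructed group membership (group name -> member sAMAccountNames).
AD_MEMBERS = {"it": {"jeff", "bob"}, "domain users": {"jeff", "alice", "bob"}}
LOCAL_PASSWD_COUNT = 40  # constructed stand-in for 'cat /etc/passwd | wc -l'


def parse_idmap_ranges(text):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line in [global].

    Only '=' is a delimiter, because smb.conf idmap keys themselves contain ':'."""
    cp = configparser.ConfigParser(delimiters=("=",), strict=False, interpolation=None)
    cp.read_string(text)
    ranges = {}
    for key, value in cp["global"].items():  # configparser lower-cases keys
        m = re.fullmatch(r"idmap config\s*(\S+)\s*:\s*range", key)
        if m:
            low, high = (int(x) for x in value.split("-"))
            ranges[m.group(1).upper()] = (low, high)
    return ranges


def split_by_range(records, rng):
    """Partition records into those winbind would expose and those it would ignore.

    A record is ignored when its RFC2307 number is missing or outside the range."""
    low, high = rng
    shown, ignored = [], []
    for name, num in records:
        (shown if num is not None and low <= num <= high else ignored).append(name)
    return shown, ignored


def expected_getent_count(users, rng, local_count):
    """Lines 'getent passwd' should print: local accounts plus in-range AD users."""
    shown, _ = split_by_range(users, rng)
    return local_count + len(shown)


def check_sudoers_group(sudoers_line, groups, members, rng):
    """For a '%group ALL=(ALL:ALL) ALL' line, report whether the named AD group
    would be resolvable through winbind at all, and which members AD lists."""
    m = re.match(r"%(\S+)", sudoers_line)
    if not m:
        return {"group": None, "visible": False, "members": []}
    name = m.group(1).lower()
    visible_groups, _ = split_by_range(groups, rng)
    return {
        "group": name,
        "visible": name in visible_groups,
        "members": sorted(members.get(name, set())),
    }


if __name__ == "__main__":
    dom = parse_idmap_ranges(SMB_CONF)["DOMAIN"]
    shown, ignored = split_by_range(AD_USERS, dom)
    print("exposed users:", shown)
    print("ignored users (no uidNumber or out of range):", ignored)
    print("expected 'getent passwd | wc -l':", expected_getent_count(AD_USERS, dom, LOCAL_PASSWD_COUNT))
    print(check_sudoers_group("%it ALL=(ALL:ALL) ALL", AD_GROUPS, AD_MEMBERS, dom))
```

On a real member server the record lists would come from an LDAP export of uidNumber/gidNumber rather than literals; the point of the split is that the 'ignored' list is exactly the set of names Jeff's loop collected in bad_list.txt, so the two counts can be reconciled without trial-and-error edits to the range.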
From mmuehlfeld at samba.org Mon Dec 7 20:44:51 2015
From: mmuehlfeld at samba.org (Marc Muehlfeld)
Date: Mon, 7 Dec 2015 21:44:51 +0100
Subject: [Samba] Give users possibility to manage part of their AD account
In-Reply-To:
References:
Message-ID: <5665EFC3.7000402@samba.org>

Hello,

On 07.12.2015 at 13:36, mathias dufresne wrote:
> Is there a way to give users (all AD users for a start) the possibility to
> manage themselves some of their user attributes (as loginShell for example)?

This sounds dangerous, but you can set directory ACLs for that. Two examples for delegation tasks you can find in these docs:

https://wiki.samba.org/index.php/Delegation/Join_machines_to_a_domain
https://wiki.samba.org/index.php/Delegation/Account_management

But be warned: Setting wrong ACLs in your directory can have serious effects - from security issues to a broken AD. So make sure you have a working backup and know exactly what you're doing!

Regards,
Marc

From jra at samba.org Mon Dec 7 23:10:40 2015
From: jra at samba.org (Jeremy Allison)
Date: Mon, 7 Dec 2015 15:10:40 -0800
Subject: [Samba] Cross-compiling 4.3.2 for Intel/PowerPC causes Python errors
In-Reply-To: <3DC32481DC539740B472688020FE7AC815E9FA4E@USA7109MB022.na.xerox.net>
References: <3DC32481DC539740B472688020FE7AC815E9FA4E@USA7109MB022.na.xerox.net>
Message-ID: <20151207231040.GB11737@jra3>

On Thu, Dec 03, 2015 at 07:50:32PM +0000, Tompkins, Michael wrote:
> We've been trying to cross compile since 4.1 for PowerPC but were never able to get it to happen and was told it broke with the introduction of Waf. Now we're trying for the latest release, have read some things on the web that improvements have been made in this area, but can't seem to get it to build. It appears it's trying to build samba ( we only use smbclient ) for Intel, and also trying to build Python for Intel, but it really only needs to run on the compiler server Linux I7, not our target systems which are PowerPC and Intel systems.
> Is my understanding correct that Python is only needed during the configure and build stage for samba? Any information on this would be greatly appreciated!

As far as I know this page:

https://wiki.samba.org/index.php/Waf#cross-compiling

correctly describes cross-compiling. I did get it to work for ARM for a vendor.

From amartin at xes-inc.com Mon Dec 7 22:49:46 2015
From: amartin at xes-inc.com (Andrew Martin)
Date: Mon, 7 Dec 2015 16:49:46 -0600 (CST)
Subject: [Samba] Log all successful authentications
In-Reply-To: <835874815.152249.1449528354988.JavaMail.zimbra@xes-inc.com>
Message-ID: <619070413.152890.1449528586943.JavaMail.zimbra@xes-inc.com>

Hello,

I am running a Samba 4 AD server on Ubuntu 14.04. Is it possible to log whenever a user successfully logs into a computer or whenever a successful LDAP authentication occurs? Ideally this would include both the username and the IP address from where the request originated. Is this possible?

Thanks,

Andrew

From sonicsmith at gmail.com Mon Dec 7 23:21:00 2015
From: sonicsmith at gmail.com (Sonic)
Date: Mon, 7 Dec 2015 18:21:00 -0500
Subject: [Samba] Problems mapping a network drive on my PC to a LINUX directory using samba
In-Reply-To:
References:
Message-ID:

On Mon, Dec 7, 2015 at 5:16 PM, Kenneth Watanabe wrote:
> Below is the /etc/samba/smb.cnf file

By default the file is smb.conf unless you're specifically starting Samba using a different named file.

> [share]
> path = /home/kwatanabe/share
> available = yes
> valid users = kwatanabe
> read only = No
> browseable = yes
> public = yes
> writeable = yes
> create mask = 0777
> directory mask = 0777

For starters I would suggest simplifying your share definition: In at least one case you use the main parameter and its synonym; too easy to shoot yourself in the foot this way. I also suggest using the main parameters and staying away from their synonyms for consistency, readability, and troubleshooting - I've wished for Samba to deprecate the synonyms for a long time.
You may consider dropping the parameters that are simply echoing the defaults.

Next drop the conflicting statements - you're stating only a specific user is valid ("valid users = kwatanabe"), yet also claiming "guest ok = yes" (you're using the synonym "public").

And temporarily drop the mask parameters until you have the basics down.

Leaves us with:

[share]
path = /home/kwatanabe/share
valid users = kwatanabe
read only = No

Then make sure you've added the user kwatanabe to Samba and set its Samba password.

Note that I'm not aware of "share" being a reserved name in Samba, but you may want to stay away from it as a section name as it is a possibility.

Always test your smb.conf file with "testparm".

And make sure the guest account actually exists on your system; "username map" can assist if needed.

As to the missing protocols on your Windows system (you may need them), that's for the Windows support forum :-)

Chris

From h.reindl at thelounge.net Mon Dec 7 23:58:28 2015
From: h.reindl at thelounge.net (Reindl Harald)
Date: Tue, 8 Dec 2015 00:58:28 +0100
Subject: [Samba] Log all successful authentications
In-Reply-To: <619070413.152890.1449528586943.JavaMail.zimbra@xes-inc.com>
References: <619070413.152890.1449528586943.JavaMail.zimbra@xes-inc.com>
Message-ID: <56661D24.2040200@thelounge.net>

On 07.12.2015 at 23:49, Andrew Martin wrote:
> I am running a Samba 4 AD server on Ubuntu 14.04. Is it possible to log
> whenever a user successfully logs into a computer or whenever a successful
> LDAP authentication occurs? Ideally this would include both the username and the
> IP address from where the request originated. Is this possible?
consult the manpage for "log level" - while I honestly could puke about every samba log entry's source file and line number cluttering the logs, and hence reduced it to a minimum; nobody but developers cares about "../source3/auth/auth.c:305" and hence that should be logged only in a debug level

log level = 1 auth:2 passdb:2 tdb:1 vfs:1 smb:1 locking:1 sam:1 winbind:1 idmap:1 quota:1 acls:0 msdfs:1 dmapi:1 registry:1 printdrivers:0 lanman:0 rpc_parse:0 rpc_srv:0 rpc_cli:0

[2015/12/08 00:56:03.049763, 2] ../source3/auth/auth.c:305(auth_check_ntlm_password)
  check_ntlm_password: authentication for user [reindl] -> [reindl] -> [reindl] succeeded

From fgonzalez at estudiantes.uci.cu Tue Dec 8 03:15:12 2015
From: fgonzalez at estudiantes.uci.cu (Felipe_G0NZÁLEZ_SANTIAG0)
Date: Mon, 7 Dec 2015 22:15:12 -0500 (CST)
Subject: [Samba] joining to WinServer2012/2012R2
In-Reply-To: <1862256976.14965526.1449544350223.JavaMail.zimbra@estudiantes.uci.cu>
Message-ID: <1794215651.14966281.1449544512763.JavaMail.zimbra@estudiantes.uci.cu>

HELLO:

Is it possible to join a Samba4 DC to a Windows Server 2012/2012R2? Or just to join previous versions of Windows Server (WS2000-WS2003)?

Regards.
Phillip.

From nico.deranter at esaturnus.com Tue Dec 8 08:51:35 2015
From: nico.deranter at esaturnus.com (Nico De Ranter)
Date: Tue, 8 Dec 2015 09:51:35 +0100
Subject: [Samba] userid shows 4294967295
In-Reply-To: <5665B386.4000506@samba.org>
References: <5665A578.2070103@samba.org> <5665B386.4000506@samba.org>
Message-ID:

On Mon, Dec 7, 2015 at 5:27 PM, Rowland penny wrote:

> On 07/12/15 16:08, Nico De Ranter wrote:
>
>>
>> I'm coming from a Debian system so my system accounts are below 1000,
>> regular accounts start at 1000.
>> For some historical reason somebody gave
>> our main group id 500 so therefore I want my usable range to start at 500.
>>
>
> Bad idea, you will probably need at least one local Unix user, where are
> you going to put it. My advice would be to follow the Samba wiki and use
> the numbers you will find there.
>

It may be a bad idea but it is the reality I need to live with. I'm adding an AD domain to an existing Linux network. Renumbering my existing Linux users (and therefore ownership of all files on all linux systems) is simply out of the question.

However I intend to assign unix properties to all my users and groups in AD, hand picking the IDs to match the existing ones anyway. Any new user will get an id above 10000.

>
>
>> Do I need both idmap config *:range and idmap config SAMDOM:range? I
>> also tried with only 'idmap config *:range' but that didn't seem to help.
>> I'll try again tomorrow.
>>
>
> Yes you do, the first is for the builtin user & group mappings and the
> second is for your AD users & groups.
>
>
>> I also noticed that my second AD didn't have rfc2307 enabled so that may
>> also have introduced some issues.
>>
>
> Not really, all the info should be in AD, you probably just need to add
> 'idmap_ldb:use rfc2307 = yes' to smb.conf on the second DC.
>
> Rowland
>
>
>> @Stefan Kania, thanks for the 'net cache flush', I didn't know that.
>>
>> Nico
>>
>>

Nico

-- 
Nico De Ranter
Operations Engineer
T. +32 16 40 12 82
M. +32 497 91 53 78

From nico.deranter at esaturnus.com Tue Dec 8 08:53:17 2015
From: nico.deranter at esaturnus.com (Nico De Ranter)
Date: Tue, 8 Dec 2015 09:53:17 +0100
Subject: [Samba] userid shows 4294967295
In-Reply-To: <5665E06F.8070503@tu-berlin.de>
References: <5665A578.2070103@samba.org> <5665B386.4000506@samba.org> <5665D637.1040106@tu-berlin.de> <5665DB8F.20001@samba.org> <5665E06F.8070503@tu-berlin.de>
Message-ID:

On Mon, Dec 7, 2015 at 8:39 PM, Ole Traupe wrote:

>
>>
> Can I ask something related?
> Once I had used '23456' as uid for some test
> account, ADUC always wants to go that high, although I have plenty of space
> below that. Is there a way to get rid of this behavior?
>
> Ole

I believe there is a registry setting on Windows to change that. Unfortunately I cannot find the webpage where I read that immediately.

Nico

-- 
Nico De Ranter
Operations Engineer
T. +32 16 40 12 82
M. +32 497 91 53 78

From kseeger at samba.org Tue Dec 8 09:34:55 2015
From: kseeger at samba.org (Karolin Seeger)
Date: Tue, 8 Dec 2015 10:34:55 +0100
Subject: [Samba] [ANNOUNCE] Samba 4.2.6 Available for Download
Message-ID: <20151208093455.GA7048@carrie>

=============================================================
"You've gotta dance like there's nobody watching,
Love like you'll never be hurt,
Sing like there's nobody listening,
And live like it's heaven on earth."

William W. Purkey
=============================================================

Release Announcements
---------------------

This is the latest stable release of Samba 4.2.

Changes since 4.2.5:
--------------------

o Michael Adam
  * BUG 11365: ctdb: Strip trailing spaces from nodes file.
  * BUG 11577: ctdb: Open the RO tracking db with perms 0600 instead of 0000.
  * BUG 11619: doc: Fix a typo in the smb.conf manpage.

o Jeremy Allison
  * BUG 11452: s3-smbd: Fix old DOS client doing wildcard delete - gives an attribute type of zero.
  * BUG 11565: auth: gensec: Fix a memory leak.
  * BUG 11566: lib: util: Make non-critical message a warning.
  * BUG 11589: s3: smbd: If EAs are turned off on a share don't allow an SMB2 create containing them.
  * BUG 11615: s3: smbd: have_file_open_below() fails to enumerate open files below an open directory handle.

o Ralph Boehme
  * BUG 11564: async_req: Fix non-blocking connect().

o Volker Lendecke
  * BUG 11243: vfs_gpfs: Re-enable share modes.
  * BUG 11570: smbd: Send SMB2 oplock breaks unencrypted.

o YvanM
  * BUG 11584: manpage: Correct small typo error.
o Marc Muehlfeld
  * BUG 9912: Changing log level of two entries from 1 to 3.

o Andreas Schneider
  * BUG 11346: wafsamba: Also build libraries with RELRO protection.
  * BUG 11563: nss_wins: Do not run into use after free issues when we access memory allocated on the globals and the global being reinitialized.

o Karolin Seeger
  * BUG 11619: docs: Fix some typos in the idmap config section of man 5 smb.conf.

o Noel Power
  * BUG 11569: Fix winbindd crashes with samlogon for trusted domain user.
  * BUG 11597: Backport some valgrind fixes from upstream master.

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the Samba 4.1 or later product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

================
Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from:

https://download.samba.org/samba/ftp/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.2.6.html

Binary packages will be made available on a volunteer basis from

https://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
From belle at bazuin.nl Tue Dec 8 10:57:13 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 8 Dec 2015 11:57:13 +0100
Subject: [Samba] userid shows 4294967295
In-Reply-To:
References: <5665B386.4000506@samba.org>
Message-ID:

Hai Nico,

You can change the defaults in samba, but read the whole e-mail first.

Look here.
http://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC

Per default Active Directory starts assigning UIDs/GIDs both at 10000.
Adapt the following two attributes to your needs and save the changes.
msSFU30MaxUidNumber: 10000
msSFU30MaxGidNumber: 10000

If you run the following, you can change the UID/GID.
Take notice of the following: Debian PAM had settings with minimum uid=1000, so change them also if needed. There may be more things to adjust for uid 500+.

############ copy paste this. ( 6 lines, beware of line breaks. )
# works if your dns domain has 2 dots like internal.domain.tld
#
NETBIOSNAME=$(samba-tool domain info `hostname -f` | grep Netbios | cut -d":" -f2 | cut -c2-100)
FOREST_DC=$(samba-tool domain info `hostname -f` | grep Forest | cut -d":" -f2)
FOREST_SUB_DC1=$(echo $FOREST_DC | cut -d"." -f1| cut -c1-100)
FOREST_SUB_DC2=$(echo $FOREST_DC | cut -d"." -f2| cut -c1-100)
FOREST_SUB_DC3=$(echo $FOREST_DC | cut -d"." -f3)
#
ldbedit -H /var/lib/samba/private/sam.ldb -s base -b CN=${NETBIOSNAME},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=${FOREST_SUB_DC1},DC=${FOREST_SUB_DC2},DC=${FOREST_SUB_DC3}
############ copy paste this.

BUT ! What I would do in your case.
Export the current users to csv from the old domain.
Import the users with the correct uid, and the same for the groups.
Leave the samba defaults uid/gid at 10000.
So for every new one you start at 10000; this way you can slowly move away from the low uid/gids.

I have a csv setup like this.
Department;First_Letter_of_firstname.;Surename;Firstname_full;loginname;phone-nr;emailadres;

And I import like this:

cat /home/samba/backup/users.csv | awk -F ";" '{system("/usr/bin/samba-tool user create "$5" --mail-address="$7" \
--given-name="$2" --surname=\""$3"\" --telephone-number="$6" --department="$1" --description=\""$1"\" \
--random-password --userou=ou=Company ")}';

For you, just add things from below:

  --rfc2307-from-nss        Copy Unix user attributes from NSS (will be overridden by explicit UID/GID/GECOS/shell)
  --nis-domain=NIS_DOMAIN   User's Unix/RFC2307 NIS domain
  --unix-home=UNIX_HOME     User's Unix/RFC2307 home directory
  --uid=UID                 User's Unix/RFC2307 username
  --uid-number=UID_NUMBER   User's Unix/RFC2307 numeric UID
  --gid-number=GID_NUMBER   User's Unix/RFC2307 primary GID number
  --gecos=GECOS             User's Unix/RFC2307 GECOS field
  --login-shell=LOGIN_SHELL User's Unix/RFC2307 login shell

So a few suggestions which you can adapt to your environment.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Nico De Ranter
> Sent: Tuesday 8 December 2015 9:52
> To: Rowland penny
> CC: samba
> Subject: Re: [Samba] userid shows 4294967295
>
> On Mon, Dec 7, 2015 at 5:27 PM, Rowland penny wrote:
>
> > On 07/12/15 16:08, Nico De Ranter wrote:
> >
> >>
> >> I'm coming from a Debian system so my system accounts are below 1000,
> >> regular accounts start at 1000. For some historical reason somebody gave
> >> our main group id 500 so therefore I want my usable range to start at 500.
> >>
> >
> > Bad idea, you will probably need at least one local Unix user, where are
> > you going to put it. My advice would be to follow the Samba wiki and use
> > the numbers you will find there.
> >
>
> It may be a bad idea but it is the reality I need to live with. I'm adding
> an AD domain to an existing Linux network.
> Renumbering my existing Linux
> users (and therefore ownership of all files on all linux systems) is simply
> out of the question.
>
> However I intend to assign unix properties to all my users and groups in AD,
> hand picking the IDs to match the existing ones anyway. Any new user will
> get an id above 10000.
>
> >
> >
> >> Do I need both idmap config *:range and idmap config SAMDOM:range? I
> >> also tried with only 'idmap config *:range' but that didn't seem to help.
> >> I'll try again tomorrow.
> >>
> >
> > Yes you do, the first is for the builtin user & group mappings and the
> > second is for your AD users & groups.
> >
> >
> >> I also noticed that my second AD didn't have rfc2307 enabled so that may
> >> also have introduced some issues.
> >>
> >
> > Not really, all the info should be in AD, you probably just need to add
> > 'idmap_ldb:use rfc2307 = yes' to smb.conf on the second DC.
> >
> > Rowland
> >
> >
> >> @Stefan Kania, thanks for the 'net cache flush', I didn't know that.
> >>
> >> Nico
> >>
> >>
>
> Nico
>
> --
> Nico De Ranter
> Operations Engineer
> T. +32 16 40 12 82
> M. +32 497 91 53 78
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

From jmhunter1 at gmail.com Tue Dec 8 10:58:43 2015
From: jmhunter1 at gmail.com (Jonathan Hunter)
Date: Tue, 8 Dec 2015 10:58:43 +0000
Subject: [Samba] userid shows 4294967295
In-Reply-To:
References: <5665A578.2070103@samba.org> <5665B386.4000506@samba.org> <5665D637.1040106@tu-berlin.de> <5665DB8F.20001@samba.org> <5665E06F.8070503@tu-berlin.de>
Message-ID:

Hi,

On 8 December 2015 at 08:53, Nico De Ranter wrote:
> On Mon, Dec 7, 2015 at 8:39 PM, Ole Traupe wrote:
> > Can I ask something related? Once I had used '23456' as uid for some test
> > account, ADUC always wants to go that high, although I have plenty of space
> > below that.
> > Is there a way to get rid of this behavior?
>

This is stored in AD & documented here. You can use adsiedit or similar to change these values:

https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use

-- 
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein

From marciofoz at gmail.com Tue Dec 8 12:27:43 2015
From: marciofoz at gmail.com (Marcio Costa)
Date: Tue, 8 Dec 2015 10:27:43 -0200
Subject: [Samba] Samba4 ad dc with Centos7
Message-ID:

Hello, I may have a problem with winbind setup.

-with wbinfo -g and wbinfo -u I get all groups/users from AD/DC.
-with getent group "Domain Users" and getent passwd "remote_user" I can see the info about the specific group and specific user.
-with getent group and getent passwd I only see my local groups/users.

-I believe that using "getent group" and "getent passwd" I must see all users, right?

-I'm using the SerNet Samba version 4.2.5-SerNet-RedHat-19.el7;
-ps auxf shows me:
root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 /usr/sbin/samba -D
root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00 \_ /usr/sbin/samba -D
root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00 \_ /usr/sbin/samba -D
root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground

-ls /lib64
lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
-rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2

-/etc/nsswitch.conf
passwd: files winbind
shadow: files winbind
group: files winbind

-smb.conf
[global]
workgroup = INTRANET
realm = INTRANET.UNV
netbios name = ITU
server role = active directory domain controller
dns forwarder = 10.2.3.4
idmap_ldb:use rfc2307 = yes

idmap config INTRANET:backend = ad
idmap config INTRANET:schema_mode = rfc2307
idmap config INTRANET:range = 10000-9999999

idmap uid = 10000-9999999
idmap gid = 1000-9999999

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307

winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

I appreciate any help about this issue.
Thank you.

From belle at bazuin.nl Tue Dec 8 12:42:03 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 8 Dec 2015 13:42:03 +0100
Subject: [Samba] Samba4 ad dc with Centos7
In-Reply-To:
References:
Message-ID:

Hai,

Few things.

> idmap gid = 1000-9999999
did you also change the start GID in the AD?

https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use

> "getent group" and "getent passwd"
On a DC, use : getent group "domain users"
shows only the group name + GID.

Your setup looks almost good, I'm only missing something like :

## map ids outside the domain to tdb files.
## map ids from the domain and (*) the range may not overlap !
idmap config * : backend = tdb
idmap config * : range = 2000-9999

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Costa
> Sent: Tuesday 8 December 2015 13:28
> To: samba at lists.samba.org
> Subject: [Samba] Samba4 ad dc with Centos7
>
> Hello, I may have a problem with winbind setup.
>
> -with wbinfo -g and wbinfo -u I get all group/user from AD/DC.
> -with getent group "Domain Users" and getent passwd "remote_user" I can see
> the info about the specific group and specific user.
> -with getent group and getent passwd I only see my local group/users.
>
> -I believe that using "getent group" and "getent passwd" I must see all
> users, right ?
>
>
> -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7;
> -ps auxf show me:
> root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 /usr/sbin/samba -D
> root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>
> -ls /lib64
> lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
> -rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2
>
> -/etc/nsswitch.conf
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> -smb.conf
> [global]
> workgroup = INTRANET
> realm = INTRANET.UNV
> netbios name = ITU
> server role = active directory domain controller
> dns forwarder = 10.2.3.4
> idmap_ldb:use rfc2307 = yes
>
> idmap config INTRANET:backend = ad
> idmap config INTRANET:schema_mode = rfc2307
> idmap config INTRANET:range = 10000-9999999
>
> idmap uid = 10000-9999999
> idmap gid = 1000-9999999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> I appreciate any help about this issue.
> Thank you.

From infractory at gmail.com Tue Dec 8 13:10:34 2015
From: infractory at gmail.com (mathias dufresne)
Date: Tue, 8 Dec 2015 14:10:34 +0100
Subject: [Samba] Samba4 ad dc with Centos7
In-Reply-To:
References:
Message-ID:

I believe there is no enumeration allowed by default whatever you use to generate system users from AD (winbind, sssd or nslcd).

Cheers,

mathias

2015-12-08 13:42 GMT+01:00 L.P.H. van Belle :

> Hai,
>
> Few things.
>
> > idmap gid = 1000-9999999
> did you also change the start GID in the AD?
>
> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use
>
> > "getent group" and "getent passwd"
> On a DC, use : getent group "domain users"
> shows only the group name + GID.
>
> Your setup looks almost good, I'm only missing something like :
>
> ## map ids outside the domain to tdb files.
> ## map ids from the domain and (*) the range may not overlap !
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Costa
> > Sent: Tuesday 8 December 2015 13:28
> > To: samba at lists.samba.org
> > Subject: [Samba] Samba4 ad dc with Centos7
> >
> > Hello, I may have a problem with winbind setup.
> >
> > -with wbinfo -g and wbinfo -u I get all group/user from AD/DC.
> > -with getent group "Domain Users" and getent passwd "remote_user" I can see
> > the info about the specific group and specific user.
> > -with getent group and getent passwd I only see my local group/users.
> >
> > -I believe that using "getent group" and "getent passwd" I must see all
> > users, right ?
> >
> >
> > -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7;
> > -ps auxf show me:
> > root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 /usr/sbin/samba -D
> > root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> > root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> > root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> >
> > -ls /lib64
> > lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
> > -rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2
> >
> > -/etc/nsswitch.conf
> > passwd: files winbind
> > shadow: files winbind
> > group: files winbind
> >
> > -smb.conf
> > [global]
> > workgroup = INTRANET
> > realm = INTRANET.UNV
> > netbios name = ITU
> > server role = active directory domain controller
> > dns forwarder = 10.2.3.4
> > idmap_ldb:use rfc2307 = yes
> >
> > idmap config INTRANET:backend = ad
> > idmap config INTRANET:schema_mode = rfc2307
> > idmap config INTRANET:range = 10000-9999999
> >
> > idmap uid = 10000-9999999
> > idmap gid = 1000-9999999
> >
> > # Use settings from AD for login shell and home directory
> > winbind nss info = rfc2307
> >
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> >
> > I appreciate any help about this issue.
> > Thank you.
>

From rpenny at samba.org Tue Dec 8 13:11:33 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 08 Dec 2015 13:11:33 +0000
Subject: [Samba] Samba4 ad dc with Centos7
In-Reply-To:
References:
Message-ID: <5666D705.8020401@samba.org>

On 08/12/15 12:27, Marcio Costa wrote:
> Hello, I may have a problem with winbind setup.
>
> -with wbinfo -g and wbinfo -u I get all group/user from AD/DC.
> -with getent group "Domain Users" and getent passwd "remote_user" I can see
> the info about the specific group and specific user.
> -with getent group and getent passwd I only see my local group/users.
>
> -I believe that using "getent group" and "getent passwd" I must see all
> users, right ?
>
>
> -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7;
> -ps auxf show me:
> root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 /usr/sbin/samba -D
> root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>
> -ls /lib64
> lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
> -rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2
>
> -/etc/nsswitch.conf
> passwd: files winbind
> shadow: files winbind
> group: files winbind
>
> -smb.conf
> [global]
> workgroup = INTRANET
> realm = INTRANET.UNV
> netbios name = ITU
> server role = active directory domain controller
> dns forwarder = 10.2.3.4
> idmap_ldb:use rfc2307 = yes

You might as well remove these lines below, they do nothing on a Samba DC, well they have *never* worked for me, winbind on a DC works differently from on a domain member.

>
> idmap config INTRANET:backend = ad
> idmap config INTRANET:schema_mode = rfc2307
> idmap config INTRANET:range = 10000-9999999
>
> idmap uid = 10000-9999999
> idmap gid = 1000-9999999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> I appreciate any help about this issue.
> Thank you.
If you want to use the DC for anything other than authentication and don't want to use the 3000000 numbers, you will need to give your users a uidNumber attribute containing a unique number inside the range you want to use.

Rowland

From belle at bazuin.nl Tue Dec 8 13:15:00 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 8 Dec 2015 14:15:00 +0100
Subject: [Samba] Samba4 ad dc with Centos7
In-Reply-To:
References:
Message-ID:

Well, that's wrong, when I do the following.

wbinfo -u    I get all my users.
wbinfo -g    I get all my groups
getent passwd username    I get my user:UID:GID:NAME:homedir:shell
id username    gives also the correct info.. (uid= .. gid= ) groups = etc..

And I use winbind on a DC. ( samba 4.2.5 sernet on debian wheezy )

Greetz,

Louis

From: mathias dufresne [mailto:infractory at gmail.com]
Sent: Tuesday 8 December 2015 14:11
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba4 ad dc with Centos7

I believe there is no enumeration allowed by default whatever you use to generate system users from AD (winbind, sssd or nslcd).

Cheers,

mathias

2015-12-08 13:42 GMT+01:00 L.P.H. van Belle :

Hai,

Few things.

> idmap gid = 1000-9999999
did you also change the start GID in the AD?

https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use

> "getent group" and "getent passwd"
On a DC, use : getent group "domain users"
shows only the group name + GID.

Your setup looks almost good, I'm only missing something like :

## map ids outside the domain to tdb files.
## map ids from the domain and (*) the range may not overlap !
idmap config * : backend = tdb
idmap config * : range = 2000-9999

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Costa
> Sent: Tuesday 8 December 2015 13:28
> To: samba at lists.samba.org
> Subject: [Samba] Samba4 ad dc with Centos7
>
> Hello, I may have a problem with winbind setup.
>
> -with wbinfo -g and wbinfo -u I get all group/user from AD/DC.
> -with getent group "Domain Users" and getent passwd "remote_user" I can see
> the info about the specific group and specific user.
> -with getent group and getent passwd I only see my local group/users.
>
> -I believe that using "getent group" and "getent passwd" I must see all
> users, right ?
>
>
> -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7;
> -ps auxf show me:
> root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 /usr/sbin/samba -D
> root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00 \_ /usr/sbin/samba -D
> root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>
> -ls /lib64
> lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
> -rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2
>
> -/etc/nsswitch.conf
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
>
> -smb.conf
> [global]
>         workgroup = INTRANET
>         realm = INTRANET.UNV
>         netbios name = ITU
>         server role = active directory domain controller
>         dns forwarder = 10.2.3.4
>         idmap_ldb:use rfc2307 = yes
>
>         idmap config INTRANET:backend = ad
>         idmap config INTRANET:schema_mode = rfc2307
>         idmap config INTRANET:range = 10000-9999999
>
>         idmap uid = 10000-9999999
>         idmap gid = 1000-9999999
>
>         # Use settings from AD for login shell and home directory
>         winbind nss info = rfc2307
>
>         winbind use default domain = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>
> I appreciate any help about this issue.
> Thank you.

From belle at bazuin.nl Tue Dec 8 13:32:49 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 8 Dec 2015 14:32:49 +0100
Subject: [Samba] Samba4 ad dc with Centos7
In-Reply-To:
References:
Message-ID:

Let's keep it on the samba list, so everybody can learn from it..

You did modify nsswitch.conf

passwd:         compat winbind
group:          compat winbind

Greetz,

Louis

From: Marcio Costa [mailto:marciofoz at gmail.com]
Sent: Tuesday 8 December 2015 14:11
To: L.P.H. van Belle
Subject: Re: [Samba] Samba4 ad dc with Centos7

Hi!
-> Yes, in RSAT I've assigned: Domain Users->properties->Unix Attributes-> NIS: intranet GID: 10000   remote user->properties->Unix Attributes-> NIS Domain: intranet UID: 10000 Primay group name/GID: Domain Users ->do modifications, but still not working...         idmap config *:backend = tdb         idmap config *:range = 2000-9999         idmap config INTRANET:backend = ad         idmap config INTRANET:schema_mode = rfc2307         idmap config INTRANET:range = 10000-9999999         idmap uid = 10000-9999999         idmap gid = 10000-9999999 Its may be a missing library ? Regards Marcio     2015-12-08 10:42 GMT-02:00 L.P.H. van Belle : Hai, Few things. > idmap gid = 1000-9999999 did you also change the start GID in the AD? https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use > "getent group" and "getent passwd" On a DC, use  : getent group "domain users" shows only the group name + GID. You setup looks almost good, im only missing something like :       ## map id's outside to domain to tdb files.         ## map ids from the domain and (*) the range may not overlap !       idmap config * : backend = tdb       idmap config * : range = 2000-9999 Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Marcio Costa > Verzonden: dinsdag 8 december 2015 13:28 > Aan: samba at lists.samba.org > Onderwerp: [Samba] Samba4 ad dc with Centos7 > > Hello, I may have a problem with winbind setup. > > -with wbinfo -g and wbinfo -u I get all group/user from AD/DC. > -with getent group "Domain Users" and getent passwd "remote_user" I can > see > the info about the specific group and specific user. > -with getent group and getent passwd I only see my local group/users. > > -I believe that using "getent group" and "getent passwd" I must see all > users, right ? 
> > > -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7; > -ps auxf show me: > root     24519  0.0  4.5 578196 45700 ?        Ss   09:59   0:00 > /usr/sbin/samba -D > root     24527  0.0  3.2 578196 32812 ?        S    09:59   0:00  \_ > /usr/sbin/samba -D > root     24529  0.0  4.7 617856 48016 ?        Ss   09:59   0:00  |   \_ > /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > root     24546  0.0  3.2 617856 32936 ?        S    09:59   0:00  | > \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > > root     24536  0.0  3.2 578196 32788 ?        S    09:59   0:00  \_ > /usr/sbin/samba -D > root     24541  0.0  4.5 587664 46480 ?        Ss   09:59   0:00  |   \_ > /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground > root     24545  0.0  3.5 605676 36492 ?        S    09:59   0:00  | > \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes -- > foreground > root     24555  0.0  3.6 605992 36680 ?        S    10:00   0:00  | > \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes -- > foreground > > -ls /lib64 > lrwxrwxrwx. 1 root root  19 Dez  3 11:09 /lib64/libnss_winbind.so -> > libnss_winbind.so.2 > -rwxr-xr-x. 
1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2 > > -/etc/nsswitch.conf > passwd:     files winbind > shadow:     files winbind > group:      files winbind > > -smb.conf > [global] >         workgroup = INTRANET >         realm = INTRANET.UNV >         netbios name = ITU >         server role = active directory domain controller >         dns forwarder = 10.2.3.4 >         idmap_ldb:use rfc2307 = yes > >         idmap config INTRANET:backend = ad >         idmap config INTRANET:schema_mode = rfc2307 >         idmap config INTRANET:range = 10000-9999999 > >         idmap uid = 10000-9999999 >         idmap gid = 1000-9999999 > >         # Use settings from AD for login shell and home directory >         winbind nss info = rfc2307 > >         winbind use default domain = yes >         winbind enum users = yes >         winbind enum groups = yes > > I appreciate any help about this issue. > Thank you. > -- > To unsubscribe from this list go to the following URL and read the > instructions:  https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions:  https://lists.samba.org/mailman/options/samba   From belle at bazuin.nl Tue Dec 8 13:37:26 2015 From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=) Date: Tue, 8 Dec 2015 14:37:26 +0100 Subject: [Samba] Samba4 ad dc with Centos7 In-Reply-To: References: Message-ID: On the DC, when i run getent passwd                         i only see my linux users. getent passwd username          shows the ad user.   Same for the groups   Greetz,   Louis     Van: Marcio Costa [mailto:marciofoz at gmail.com] Verzonden: dinsdag 8 december 2015 14:35 Aan: L.P.H. van Belle Onderwerp: Re: [Samba] Samba4 ad dc with Centos7   Hi! If you run 'getent passwd', do you see all the users (ad+local) or only local users ?   2015-12-08 11:15 GMT-02:00 L.P.H. van Belle : Wel, thats wrong, when i to the following.     wbinfo –u  i get all my users. 
wbinfo –g i get all my groups getent passwd username   i get my user:UID:GID:NAME:homedir:shel id username  gives also the correct info.. (uid= .. gid= ) groups =  etc..    And i use winbind on a DC. ( samba 4.2.5 sernet  on debian wheezy )     Greetz,   Louis         Van: mathias dufresne [mailto:infractory at gmail.com] Verzonden: dinsdag 8 december 2015 14:11 Aan: L.P.H. van Belle CC: samba at lists.samba.org Onderwerp: Re: [Samba] Samba4 ad dc with Centos7   I believe there is no enumeration allowed by default whatever you use to generate system users from AD (winbind, sssd or nslcd).   Cheers,   mathias   2015-12-08 13:42 GMT+01:00 L.P.H. van Belle : Hai, Few things. > idmap gid = 1000-9999999 did you also change the start GID in the AD? https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use > "getent group" and "getent passwd" On a DC, use  : getent group "domain users" shows only the group name + GID. You setup looks almost good, im only missing something like :       ## map id's outside to domain to tdb files.         ## map ids from the domain and (*) the range may not overlap !       idmap config * : backend = tdb       idmap config * : range = 2000-9999 Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Marcio Costa > Verzonden: dinsdag 8 december 2015 13:28 > Aan: samba at lists.samba.org > Onderwerp: [Samba] Samba4 ad dc with Centos7 > > Hello, I may have a problem with winbind setup. > > -with wbinfo -g and wbinfo -u I get all group/user from AD/DC. > -with getent group "Domain Users" and getent passwd "remote_user" I can > see > the info about the specific group and specific user. > -with getent group and getent passwd I only see my local group/users. > > -I believe that using "getent group" and "getent passwd" I must see all > users, right ? 
> > > -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7; > -ps auxf show me: > root     24519  0.0  4.5 578196 45700 ?        Ss   09:59   0:00 > /usr/sbin/samba -D > root     24527  0.0  3.2 578196 32812 ?        S    09:59   0:00  \_ > /usr/sbin/samba -D > root     24529  0.0  4.7 617856 48016 ?        Ss   09:59   0:00  |   \_ > /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > root     24546  0.0  3.2 617856 32936 ?        S    09:59   0:00  | > \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > > root     24536  0.0  3.2 578196 32788 ?        S    09:59   0:00  \_ > /usr/sbin/samba -D > root     24541  0.0  4.5 587664 46480 ?        Ss   09:59   0:00  |   \_ > /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground > root     24545  0.0  3.5 605676 36492 ?        S    09:59   0:00  | > \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes -- > foreground > root     24555  0.0  3.6 605992 36680 ?        S    10:00   0:00  | > \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes -- > foreground > > -ls /lib64 > lrwxrwxrwx. 1 root root  19 Dez  3 11:09 /lib64/libnss_winbind.so -> > libnss_winbind.so.2 > -rwxr-xr-x. 
1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2 > > -/etc/nsswitch.conf > passwd:     files winbind > shadow:     files winbind > group:      files winbind > > -smb.conf > [global] >         workgroup = INTRANET >         realm = INTRANET.UNV >         netbios name = ITU >         server role = active directory domain controller >         dns forwarder = 10.2.3.4 >         idmap_ldb:use rfc2307 = yes > >         idmap config INTRANET:backend = ad >         idmap config INTRANET:schema_mode = rfc2307 >         idmap config INTRANET:range = 10000-9999999 > >         idmap uid = 10000-9999999 >         idmap gid = 1000-9999999 > >         # Use settings from AD for login shell and home directory >         winbind nss info = rfc2307 > >         winbind use default domain = yes >         winbind enum users = yes >         winbind enum groups = yes > > I appreciate any help about this issue. > Thank you. > -- > To unsubscribe from this list go to the following URL and read the > instructions:  https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions:  https://lists.samba.org/mailman/options/samba   -- To unsubscribe from this list go to the following URL and read the instructions:  https://lists.samba.org/mailman/options/samba   From infractory at gmail.com Tue Dec 8 13:39:11 2015 From: infractory at gmail.com (mathias dufresne) Date: Tue, 8 Dec 2015 14:39:11 +0100 Subject: [Samba] Permission Denied In-Reply-To: <5665E3F3.5010100@samba.org> References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de> <5665BDE5.1010702@samba.org> <5665D716.5090402@tu-berlin.de> <5665DB5C.3000902@tu-berlin.de> <5665DDEF.7090509@samba.org> <5665E13D.4080802@tu-berlin.de> <5665E3F3.5010100@samba.org> Message-ID: Ole, Did you configure PAM to use AD as a users source ? You need to have Winbind or SSSD or nslcd configured to access your AD + configure PAM + configure nsswitch.conf. 
Then you will system users from AD (ie "getent passwd my-ad-account" would work). Cheers, mathias 2015-12-07 20:54 GMT+01:00 Rowland penny : > On 07/12/15 19:42, Ole Traupe wrote: > >> >> If I do this (rely on the user map file containing "!root = >>>> BPN\Administrator BPN\administrator"), should I expect "id Administrator" >>>> to give anything? >>>> >>>> Ole >>>> >>>> >>> Only a Samba AD DC, you will not get anything from 'getent >>> Administrator' on a Unix domain member, but remember, with the user map >>> 'Administrator' becomes 'root' :-) >>> >> >> Yes, and I can manage share permissions via ADUC due to the user mapping. >> >> But on the DCs I still get "No such user" (although I don't have any >> appearent problem). >> >> Ole >> >> >> >> > Have you changed anything on the DCs ? Are the winbind nss links in place > ? (not sure if this makes any difference, but I always create them) > > if I run 'id Administrator', I get: > > uid=0(root) gid=100(users) groups=0(root),100(users),3000004(SAMdom\Group > Policy Creator Owners),3000006(SAMDOM\Enterprise > Admins),3000008(SAMDOM\Domain Admins),3000007(SAMDOM\Schema Admins) > > 'getent password Administrator' returns: > > SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > From lingpanda101 at gmail.com Tue Dec 8 13:41:22 2015 From: lingpanda101 at gmail.com (James) Date: Tue, 8 Dec 2015 08:41:22 -0500 Subject: [Samba] Log all successful authentications In-Reply-To: <619070413.152890.1449528586943.JavaMail.zimbra@xes-inc.com> References: <619070413.152890.1449528586943.JavaMail.zimbra@xes-inc.com> Message-ID: <5666DE02.1060509@gmail.com> On 12/7/2015 5:49 PM, Andrew Martin wrote: > Hello, > > I am running a Samba 4 AD server on Ubuntu 14.04. 
> Is it possible to log whenever a user successfully logs into a computer or whenever a successful
> LDAP authentication occurs? Ideally this would include both the username and the
> IP address from where the request originated. Is this possible?
>
> Thanks,
>
> Andrew
>
Not at the moment. I believe I recall it being something the developers are working to improve upon.

--
-James

From infractory at gmail.com Tue Dec 8 13:55:31 2015
From: infractory at gmail.com (mathias dufresne)
Date: Tue, 8 Dec 2015 14:55:31 +0100
Subject: [Samba] Samba4 ad dc with Centos7
In-Reply-To:
References:
Message-ID:

That's what I thought, and why I told there is no enumeration for system users.

wbinfo can get a whole list of all Samba users (I believe it can do that with AD or NT4 or standalone). But wbinfo does not show system users, it shows Samba users which can become system users once they are transformed (with pam tools as winbind, sssd or nslcd).

I insist because after months spent here and years with Samba I feel confusion (for me and for some users of that mailing list) between Samba's system users (users from Samba usable on system side, here the system is the one hosting Samba, the server system), Samba users (Samba internal users) and client system users (system users which access the share). With domains there are also system users built from the domain (Windows system users SAMDOM\my-user or Linux users from AD/NT4 built with winbind or sssd or nslcd).

Just my 2 cents, best regards,

mathias

2015-12-08 14:37 GMT+01:00 L.P.H. van Belle :

> On the DC, when I run
>
> getent passwd              I only see my linux users.
>
> getent passwd username     shows the ad user.
>
> Same for the groups
>
> Greetz,
>
> Louis
>
> From: Marcio Costa [mailto:marciofoz at gmail.com]
> Sent: Tuesday 8 December 2015 14:35
> To: L.P.H. van Belle
> Subject: Re: [Samba] Samba4 ad dc with Centos7
>
> Hi!
> If you run 'getent passwd', do you see all the users (ad+local) or only > local users ? > > > > > 2015-12-08 11:15 GMT-02:00 L.P.H. van Belle : > > Wel, thats wrong, when i to the following. > > > > wbinfo –u i get all my users. > > wbinfo –g i get all my groups > > getent passwd username i get my user:UID:GID:NAME:homedir:shel > > id username gives also the correct info.. (uid= .. gid= ) groups = etc.. > > > > And i use winbind on a DC. ( samba 4.2.5 sernet on debian wheezy ) > > > > > > Greetz, > > > > Louis > > > > > > > > > > > Van: mathias dufresne [mailto:infractory at gmail.com] > Verzonden: dinsdag 8 december 2015 14:11 > Aan: L.P.H. van Belle > CC: samba at lists.samba.org > Onderwerp: Re: [Samba] Samba4 ad dc with Centos7 > > > > > > I believe there is no enumeration allowed by default whatever you use to > generate system users from AD (winbind, sssd or nslcd). > > > > > Cheers, > > > > > > mathias > > > > > > 2015-12-08 13:42 GMT+01:00 L.P.H. van Belle : > > Hai, > > Few things. > > > idmap gid = 1000-9999999 > did you also change the start GID in the AD? > > https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use > > > "getent group" and "getent passwd" > On a DC, use : getent group "domain users" > shows only the group name + GID. > > You setup looks almost good, im only missing something like : > > ## map id's outside to domain to tdb files. > ## map ids from the domain and (*) the range may not overlap ! > idmap config * : backend = tdb > idmap config * : range = 2000-9999 > > > Greetz, > > Louis > > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Marcio Costa > > Verzonden: dinsdag 8 december 2015 13:28 > > Aan: samba at lists.samba.org > > Onderwerp: [Samba] Samba4 ad dc with Centos7 > > > > > Hello, I may have a problem with winbind setup. > > > > -with wbinfo -g and wbinfo -u I get all group/user from AD/DC. 
> > -with getent group "Domain Users" and getent passwd "remote_user" I can > > see > > the info about the specific group and specific user. > > -with getent group and getent passwd I only see my local group/users. > > > > -I believe that using "getent group" and "getent passwd" I must see all > > users, right ? > > > > > > -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7; > > -ps auxf show me: > > root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 > > /usr/sbin/samba -D > > root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00 \_ > > /usr/sbin/samba -D > > root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00 | \_ > > /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > > root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00 | > > \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > > > > root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00 \_ > > /usr/sbin/samba -D > > root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00 | \_ > > /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground > > root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00 | > > \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes -- > > foreground > > root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00 | > > \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes -- > > foreground > > > > -ls /lib64 > > lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> > > libnss_winbind.so.2 > > -rwxr-xr-x. 
1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2 > > > > -/etc/nsswitch.conf > > passwd: files winbind > > shadow: files winbind > > group: files winbind > > > > -smb.conf > > [global] > > workgroup = INTRANET > > realm = INTRANET.UNV > > netbios name = ITU > > server role = active directory domain controller > > dns forwarder = 10.2.3.4 > > idmap_ldb:use rfc2307 = yes > > > > idmap config INTRANET:backend = ad > > idmap config INTRANET:schema_mode = rfc2307 > > idmap config INTRANET:range = 10000-9999999 > > > > idmap uid = 10000-9999999 > > idmap gid = 1000-9999999 > > > > # Use settings from AD for login shell and home directory > > winbind nss info = rfc2307 > > > > winbind use default domain = yes > > winbind enum users = yes > > winbind enum groups = yes > > > > I appreciate any help about this issue. > > Thank you. > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > From amartin at xes-inc.com Tue Dec 8 14:20:45 2015 From: amartin at xes-inc.com (Andrew Martin) Date: Tue, 8 Dec 2015 08:20:45 -0600 (CST) Subject: [Samba] Log all successful authentications In-Reply-To: <56661D24.2040200@thelounge.net> References: <619070413.152890.1449528586943.JavaMail.zimbra@xes-inc.com> <56661D24.2040200@thelounge.net> Message-ID: <535480144.13576.1449584445736.JavaMail.zimbra@xes-inc.com> ----- Original Message ----- > From: "Reindl Harald" > To: samba at lists.samba.org > Sent: Monday, December 7, 2015 5:58:28 PM > Subject: Re: [Samba] 
Log all successful authentications
>
>
> On 07.12.2015 at 23:49, Andrew Martin wrote:
> > I am running a Samba 4 AD server on Ubuntu 14.04. Is it possible to log
> > whenever a user successfully logs into a computer or whenever a
> > successful
> > LDAP authentication occurs? Ideally this would include both the username
> > and the
> > IP address from where the request originated. Is this possible?
>
> consult the manpage for "log level" - while I honestly could puke about
> every samba log entry source file and line number cluttering the logs
> and hence reduced it to a minimum
>
> nobody but developers care about "../source3/auth/auth.c:305" and hence
> that should be logged only in a debug level
>
> log level = 1 auth:2 passdb:2 tdb:1 vfs:1 smb:1 locking:1 sam:1
> winbind:1 idmap:1 quota:1 acls:0 msdfs:1 dmapi:1 registry:1
> printdrivers:0 lanman:0 rpc_parse:0 rpc_srv:0 rpc_cli:0
>
>
> [2015/12/08 00:56:03.049763, 2]
> ../source3/auth/auth.c:305(auth_check_ntlm_password)
> check_ntlm_password: authentication for user [reindl] -> [reindl] ->
> [reindl] succeeded
>

Reindl,

Thanks for the clarification. Do you know if this also logs basic LDAP queries as well (e.g. if a user logs into a webapp that supports LDAP authentication)? Or is this logging restricted to only Windows clients?

Thanks,

Andrew

From ole.traupe at tu-berlin.de Tue Dec 8 14:26:13 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Tue, 8 Dec 2015 15:26:13 +0100
Subject: [Samba] Backup Member Server
In-Reply-To: <565F411A.6000205@samba.org>
References: <565F06CE.5010804@gmail.com> <565F411A.6000205@samba.org>
Message-ID: <5666E885.3060800@tu-berlin.de>

Besides, obviously, the potential shared data on file servers, can't you just use the script that is introduced for backing up DCs? At least if the complete Samba installation is in "/usr/local/samba"...
https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC Am 02.12.2015 um 20:06 schrieb Marc Muehlfeld: > Hello James, > > Am 02.12.2015 um 15:57 schrieb James: >> Can someone point me to documentation on how to best backup a samba >> member server? I see the wiki currently does not contain one. >> >> Is it as simple as backup all shared folders with rysnc or similar that >> will preserve ACLS along with the smb.conf? I'm currently relying on a >> raid solution. Thanks. > > Yes, I should finally write that doc. :-) > > > What you should backup on a Domain Member: > 1.) All files (share content and whatever else is important for you) > 2.) Your smb.conf > 3.) Your Samba databases (you can do a hotbackup with tdbbackup) > > > > Some notes about 3.: > Depending on what your Domain Member is doing, some of the tdb files are > important, while others are recreated and can get lost. There's nothing > wrong if you backup all. :-) When I write the Wiki page, I might list > which file is important for which case. > > > Regards, > Marc > From rpenny at samba.org Tue Dec 8 14:46:07 2015 From: rpenny at samba.org (Rowland penny) Date: Tue, 08 Dec 2015 14:46:07 +0000 Subject: [Samba] Samba4 ad dc with Centos7 In-Reply-To: References: Message-ID: <5666ED2F.6090101@samba.org> On 08/12/15 13:55, mathias dufresne wrote: > That's what I thought, and why I told there is no enumeration for system > users. > wbinfo can get a whole list of all Samba users (I believe it can do that > with AD or NT4 or standalone). But wbinfo does not show system users, it > shows Samba users which can become system users once they are transformed > (with pam tools as winbind, sssd or nslcd). 
>
> I insist because after months spent here and years with Samba I feel
> confusion (for me and for some users of that mailing list) between Samba's
> system users (users from Samba usable on system side, here the system it
> the one hosting Samba, the server system), Samba users (Samba internal
> users) and client system users (system users which access to the share).
> With domains there is also system users built from the domain (Windows
> system users SAMDOM\my-user or Linux user from AD/NT4 built with winbind or
> sssd or nslcd).
>
> Just my 2 cents, best regards,
>
> mathias
>

OK, before version 4.0.0, Samba was just a bridge between Windows & Unix, but with the release of version 4.0.0, it became as though it was also a part of Windows. There is no such thing as a Samba system user, even if you are running Samba as an AD DC. If you run Samba as a client you can make your users Windows users, Unix users or both, depending on how you set up Samba.

If you just want to use Samba 4 to authenticate users, you do not need to do anything else but create the users; however, if you want to connect your users to the DC or for your users to be Unix users, there must be some way to map your users to Unix IDs. On the DC, unless overridden, idmap.ldb is used; this stores mappings between user & group RIDs and xidNumbers that will be used by the DC as Unix IDs. You can override the xidNumbers by adding a uidNumber attribute to your users; if this is done, the contents of the uidNumber will be used instead of the xidNumber.

On a domain member, you have two basic ways of mapping AD users to Unix users, the 'ad' & 'rid' backends. The 'rid' backend does not need anything adding to AD, it maps user RIDs to Unix IDs with an algorithm and so you should get the same ID number on all domain members. The 'ad' backend entails adding rfc2307 attributes to a user; any user that doesn't get the required attributes will be invisible to Unix.

For a user to access a share on a Unix machine, the user *must* be known to the underlying Unix OS, this means using winbind with either the 'ad' or 'rid' backend (there are other ways of doing this, but they are not part of Samba and this is the Samba list).

Rowland

From belle at bazuin.nl Tue Dec 8 14:54:14 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 8 Dec 2015 15:54:14 +0100
Subject: [Samba] Samba4 ad dc with Centos7
In-Reply-To:
References:
Message-ID:

I don't see the difference, I think it's all how you interpret it. ( sorry about the spelling errors.. )

For example

> wbinfo can get a whole list of all Samba users (I believe it can do that
> with AD or NT4 or standalone

Which is exactly what I want.

> wbinfo does not show system users..

which is also exactly what I want.

> wbinfo does not show system users, it
> shows Samba users which can become system users once they are transformed
> (with pam tools as winbind, sssd or nslcd).

Again exactly what I want.

> I feel
> confusion (for me and for some users of that mailing list) between Samba's
> system users (users from Samba usable on system side, here the system it
> the one hosting Samba, the server system), Samba users (Samba internal
> users) and client system users (system users which access to the share).
> With domains there is also system users built from the domain (Windows
> system users SAMDOM\my-user or Linux user from AD/NT4 built with winbind

Yeah, that sucks.. well, don't think in samba system users.

> Samba's system users (users from Samba usable on system side,
> here the system it
> the one hosting Samba, the server system),
> Samba users (Samba internal users) and
> client system users (system users which access to the share).

You have "local" users/groups, per server/client (adduser username)
You have "Domain" users/groups, per domain
You have "mapped users", I call them.
And last, you have "local system users". ( UID lower than 1000 )

Based on this example :

## map id's outside the domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999

## map ids from the domain and (*) the range may not overlap !
idmap config DOMAINNAME: backend = ad
idmap config DOMAINNAME: schema_mode = rfc2307
idmap config DOMAINNAME: range = 10000-3999999

A local user: any user with a UID lower than 2000.
A domain user: idmap config DOMAINNAME : range = 10000-3999999
A mapped user is a local user with its UID in the * range. (idmap config * : range = 2000-9999 )

If you want any local users to be mapped to samba, change to: (idmap config * : range = 1000-9999 )
And I don't advise "local system users" to be mapped.

Any can access shares, but all depending on your setup.

I think you make an easy thing a hard one and probably due to the setup you're having. I'm not saying your setup is bad or wrong, but maybe too complex or not well thought about. I spent about a year testing and configuring and testing for a good base setup, and here it all starts, I started at least 10 times over, because I forgot a "thing/process" running on a server and which users and/or groups should be able to access it.

It's pretty simple, only use "domain users" when you have a domain. And only use local users for local needs. I only have 1 user on my linux server for administering the server. And I gave also some of the domain users access to a local server. You can add a domain user to a local group if your setup is working correctly. System users are just to run processes/services on the server, and/or for administering the server.

So sorry, but I don't see the problem you're having. I do the same in samba 4 as I did in samba 3 and more. And this all looks normal to me.

But ... I do agree, there should be more examples of how things work with these users. And some examples when you for example use a "mapped" user, or a local user etc.
Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens mathias dufresne > Verzonden: dinsdag 8 december 2015 14:56 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Samba4 ad dc with Centos7 > > That's what I thought, and why I told there is no enumeration for system > users. > wbinfo can get a whole list of all Samba users (I believe it can do that > with AD or NT4 or standalone). But wbinfo does not show system users, it > shows Samba users which can become system users once they are transformed > (with pam tools as winbind, sssd or nslcd). > > I insist because after months spent here and years with Samba I feel > confusion (for me and for some users of that mailing list) between Samba's > system users (users from Samba usable on system side, here the system it > the one hosting Samba, the server system), Samba users (Samba internal > users) and client system users (system users which access to the share). > With domains there is also system users built from the domain (Windows > system users SAMDOM\my-user or Linux user from AD/NT4 built with winbind > or > sssd or nslcd). > > Just my 2 cents, best regards, > > mathias > > > 2015-12-08 14:37 GMT+01:00 L.P.H. van Belle : > > > On the DC, when i run > > > > getent passwd i only see my linux users. > > > > getent passwd username shows the ad user. > > > > > > > > Same for the groups > > > > > > > > Greetz, > > > > > > > > Louis > > > > > > > > > > > > > > Van: Marcio Costa [mailto:marciofoz at gmail.com] > > Verzonden: dinsdag 8 december 2015 14:35 > > Aan: L.P.H. van Belle > > Onderwerp: Re: [Samba] Samba4 ad dc with Centos7 > > > > > > > > > > Hi! > > If you run 'getent passwd', do you see all the users (ad+local) or only > > local users ? > > > > > > > > > > 2015-12-08 11:15 GMT-02:00 L.P.H. van Belle : > > > > Wel, thats wrong, when i to the following. > > > > > > > > wbinfo –u i get all my users. 
> > > > wbinfo –g i get all my groups > > > > getent passwd username i get my user:UID:GID:NAME:homedir:shel > > > > id username gives also the correct info.. (uid= .. gid= ) groups = > etc.. > > > > > > > > And i use winbind on a DC. ( samba 4.2.5 sernet on debian wheezy ) > > > > > > > > > > > > Greetz, > > > > > > > > Louis > > > > > > > > > > > > > > > > > > > > > > Van: mathias dufresne [mailto:infractory at gmail.com] > > Verzonden: dinsdag 8 december 2015 14:11 > > Aan: L.P.H. van Belle > > CC: samba at lists.samba.org > > Onderwerp: Re: [Samba] Samba4 ad dc with Centos7 > > > > > > > > > > > > I believe there is no enumeration allowed by default whatever you use to > > generate system users from AD (winbind, sssd or nslcd). > > > > > > > > > > Cheers, > > > > > > > > > > > > mathias > > > > > > > > > > > > 2015-12-08 13:42 GMT+01:00 L.P.H. van Belle : > > > > Hai, > > > > Few things. > > > > > idmap gid = 1000-9999999 > > did you also change the start GID in the AD? > > > > > https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC > #Defining_the_next_UID.2FGID_to_use > > > > > "getent group" and "getent passwd" > > On a DC, use : getent group "domain users" > > shows only the group name + GID. > > > > You setup looks almost good, im only missing something like : > > > > ## map id's outside to domain to tdb files. > > ## map ids from the domain and (*) the range may not overlap ! > > idmap config * : backend = tdb > > idmap config * : range = 2000-9999 > > > > > > Greetz, > > > > Louis > > > > > > > -----Oorspronkelijk bericht----- > > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Marcio Costa > > > Verzonden: dinsdag 8 december 2015 13:28 > > > Aan: samba at lists.samba.org > > > Onderwerp: [Samba] Samba4 ad dc with Centos7 > > > > > > > > Hello, I may have a problem with winbind setup. > > > > > > -with wbinfo -g and wbinfo -u I get all group/user from AD/DC. 
> > > -with getent group "Domain Users" and getent passwd "remote_user" I > can > > > see > > > the info about the specific group and specific user. > > > -with getent group and getent passwd I only see my local group/users. > > > > > > -I believe that using "getent group" and "getent passwd" I must see > all > > > users, right ? > > > > > > > > > -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7; > > > -ps auxf show me: > > > root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 > > > /usr/sbin/samba -D > > > root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00 \_ > > > /usr/sbin/samba -D > > > root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00 | > \_ > > > /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > > > root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00 | > > > \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes -- > foreground > > > > > > root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00 \_ > > > /usr/sbin/samba -D > > > root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00 | > \_ > > > /usr/sbin/winbindd -D --option=server role check:inhibit=yes -- > foreground > > > root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00 | > > > \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes -- > > > foreground > > > root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00 | > > > \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes -- > > > foreground > > > > > > -ls /lib64 > > > lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> > > > libnss_winbind.so.2 > > > -rwxr-xr-x. 
1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2 > > > > > > -/etc/nsswitch.conf > > > passwd: files winbind > > > shadow: files winbind > > > group: files winbind > > > > > > -smb.conf > > > [global] > > > workgroup = INTRANET > > > realm = INTRANET.UNV > > > netbios name = ITU > > > server role = active directory domain controller > > > dns forwarder = 10.2.3.4 > > > idmap_ldb:use rfc2307 = yes > > > > > > idmap config INTRANET:backend = ad > > > idmap config INTRANET:schema_mode = rfc2307 > > > idmap config INTRANET:range = 10000-9999999 > > > > > > idmap uid = 10000-9999999 > > > idmap gid = 1000-9999999 > > > > > > # Use settings from AD for login shell and home directory > > > winbind nss info = rfc2307 > > > > > > winbind use default domain = yes > > > winbind enum users = yes > > > winbind enum groups = yes > > > > > > I appreciate any help about this issue. > > > Thank you. > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > > > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > > > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba From ole.traupe at tu-berlin.de Tue Dec 8 15:20:08 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Tue, 8 Dec 2015 16:20:08 +0100 Subject: [Samba] Permission Denied In-Reply-To: References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de> <5665BDE5.1010702@samba.org> 
<5665D716.5090402@tu-berlin.de> <5665DB5C.3000902@tu-berlin.de> <5665DDEF.7090509@samba.org> <5665E13D.4080802@tu-berlin.de> <5665E3F3.5010100@samba.org> Message-ID: <5666F528.1040704@tu-berlin.de> You are right! I haven't configured PAM for winbind on the DCs, probably because I don't need this. Any reasons why I should, if I manage my domain from Windows ADUC and don't log on to the DCs as Administrator locally? Ole On 08.12.2015 at 14:39, mathias dufresne wrote: > Ole, > > Did you configure PAM to use AD as a users source ? You need to have > Winbind or SSSD or nslcd configured to access your AD + configure PAM + > configure nsswitch.conf. Then you will get system users from AD (ie "getent > passwd my-ad-account" would work). > > Cheers, > > mathias > > 2015-12-07 20:54 GMT+01:00 Rowland penny : > >> On 07/12/15 19:42, Ole Traupe wrote: >> >>> If I do this (rely on the user map file containing "!root = >>>>> BPN\Administrator BPN\administrator"), should I expect "id Administrator" >>>>> to give anything? >>>>> >>>>> Ole >>>>> >>>>> >>>> Only a Samba AD DC, you will not get anything from 'getent >>>> Administrator' on a Unix domain member, but remember, with the user map >>>> 'Administrator' becomes 'root' :-) >>>> >>> Yes, and I can manage share permissions via ADUC due to the user mapping. >>> >>> But on the DCs I still get "No such user" (although I don't have any >>> apparent problem). >>> >>> Ole >>> >>> >>> >>> >> Have you changed anything on the DCs ? Are the winbind nss links in place >> ?
(not sure if this makes any difference, but I always create them) >> >> if I run 'id Administrator', I get: >> >> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(SAMdom\Group >> Policy Creator Owners),3000006(SAMDOM\Enterprise >> Admins),3000008(SAMDOM\Domain Admins),3000007(SAMDOM\Schema Admins) >> >> 'getent passwd Administrator' returns: >> >> SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash >> >> Rowland >> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> From ole.traupe at tu-berlin.de Tue Dec 8 15:26:49 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Tue, 8 Dec 2015 16:26:49 +0100 Subject: [Samba] userid shows 4294967295 In-Reply-To: References: <5665A578.2070103@samba.org> <5665B386.4000506@samba.org> <5665D637.1040106@tu-berlin.de> <5665DB8F.20001@samba.org> <5665E06F.8070503@tu-berlin.de> Message-ID: <5666F6B9.1020000@tu-berlin.de> Thanks! Ole On 08.12.2015 at 11:58, Jonathan Hunter wrote: > Hi, > > On 8 December 2015 at 08:53, Nico De Ranter > wrote: > >> On Mon, Dec 7, 2015 at 8:39 PM, Ole Traupe >> wrote: >>> Can I ask something related? Once I had used '23456' as uid for some test >>> account, ADUC always wants to go that high, although I have plenty of >> space >>> below that. Is there a way to get rid of this behavior? > This is stored in AD & documented here.
You can use adsiedit or similar to > change these values: > > https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use > > From rpenny at samba.org Tue Dec 8 15:28:29 2015 From: rpenny at samba.org (Rowland penny) Date: Tue, 08 Dec 2015 15:28:29 +0000 Subject: [Samba] Permission Denied In-Reply-To: <5666F528.1040704@tu-berlin.de> References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de> <5665BDE5.1010702@samba.org> <5665D716.5090402@tu-berlin.de> <5665DB5C.3000902@tu-berlin.de> <5665DDEF.7090509@samba.org> <5665E13D.4080802@tu-berlin.de> <5665E3F3.5010100@samba.org> <5666F528.1040704@tu-berlin.de> Message-ID: <5666F71D.50409@samba.org> On 08/12/15 15:20, Ole Traupe wrote: > You are right! I haven't configured PAM for winbind on the DCs, > probably because I don't need this. > > Any reasons why I should, if I manage my domain from Windows ADUC and > don't log-on to the DCs as Administrator locally? > > Ole > > You only need to configure PAM on a DC if you intend to use the DC for anything other than Authentication. Rowland From ole.traupe at tu-berlin.de Tue Dec 8 15:54:25 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Tue, 8 Dec 2015 16:54:25 +0100 Subject: [Samba] Confusion about account locking policy (Samba AD/Windows 7 client) Message-ID: <5666FD31.9090308@tu-berlin.de> Hi, here on the wiki https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F I read this: "Is it possible to set user specific password policies in Samba4 (e. g. on a OU-base)? Samba can't handle GPO restrictions. You have to use 'samba-tool domain passwordsettings' to change password policies. But this only applies on domain level." So, I have set my account lockout policy on the Samba4 DC to '5' incorrect attempts. However, on a Windows 7 client it needs only 3 invalid attempts to get the account locked out (tested on 3 different machines). 
And on domain join it seems only to need 1 invalid attempt. What is the full story here? Ole From infractory at gmail.com Tue Dec 8 16:02:13 2015 From: infractory at gmail.com (mathias dufresne) Date: Tue, 8 Dec 2015 17:02:13 +0100 Subject: [Samba] Permission Denied In-Reply-To: <5666F528.1040704@tu-berlin.de> References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de> <5665BDE5.1010702@samba.org> <5665D716.5090402@tu-berlin.de> <5665DB5C.3000902@tu-berlin.de> <5665DDEF.7090509@samba.org> <5665E13D.4080802@tu-berlin.de> <5665E3F3.5010100@samba.org> <5666F528.1040704@tu-berlin.de> Message-ID: On any Linux system where you want to be able to use AD users as system users you need to configure PAM. This is because it is PAM which talks with the tool you have chosen to retrieve user information from AD and then builds system users with this information. I think you also need to configure PAM for file servers connected to some domain (AD or NT4) so that the underlying system knows which user (system user, ie uid, gid, groups...) accesses some shared file, to grant or refuse this access. The short way to put it would be: to configure your system, configure PAM; without PAM configured only applications are configured: kinit could work, the net command too, wbinfo also... but not getent, and so all applications relying on the system side won't work (example from your first post: the "id" command relies on getent/PAM/nss/don't ask precisely and so won't work). This can't be completely true as the frontier between system and application is more than fine (PAM is an app after all and a system could do what you want it to do without PAM configured -> a Samba DC without PAM configured can be fully managed, just ACLs would lack beauty I expect). 2015-12-08 16:20 GMT+01:00 Ole Traupe : > You are right! I haven't configured PAM for winbind on the DCs, probably > because I don't need this.
> > Any reasons why I should, if I manage my domain from Windows ADUC and > don't log-on to the DCs as Administrator locally? > > Ole > > > > Am 08.12.2015 um 14:39 schrieb mathias dufresne: > >> Ole, >> >> Did you configure PAM to use AD as a users source ? You need to have >> Winbind or SSSD or nslcd configured to access your AD + configure PAM + >> configure nsswitch.conf. Then you will system users from AD (ie "getent >> passwd my-ad-account" would work). >> >> Cheers, >> >> mathias >> >> 2015-12-07 20:54 GMT+01:00 Rowland penny : >> >> On 07/12/15 19:42, Ole Traupe wrote: >>> >>> If I do this (rely on the user map file containing "!root = >>>> >>>>> BPN\Administrator BPN\administrator"), should I expect "id >>>>>> Administrator" >>>>>> to give anything? >>>>>> >>>>>> Ole >>>>>> >>>>>> >>>>>> Only a Samba AD DC, you will not get anything from 'getent >>>>> Administrator' on a Unix domain member, but remember, with the user map >>>>> 'Administrator' becomes 'root' :-) >>>>> >>>>> Yes, and I can manage share permissions via ADUC due to the user >>>> mapping. >>>> >>>> But on the DCs I still get "No such user" (although I don't have any >>>> appearent problem). >>>> >>>> Ole >>>> >>>> >>>> >>>> >>>> Have you changed anything on the DCs ? Are the winbind nss links in >>> place >>> ? 
(not sure if this makes any difference, but I always create them) >>> >>> if I run 'id Administrator', I get: >>> >>> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(SAMdom\Group >>> Policy Creator Owners),3000006(SAMDOM\Enterprise >>> Admins),3000008(SAMDOM\Domain Admins),3000007(SAMDOM\Schema Admins) >>> >>> 'getent passwd Administrator' returns: >>> >>> SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash >>> >>> Rowland >>> >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > From marciofoz at gmail.com Tue Dec 8 16:03:46 2015 From: marciofoz at gmail.com (Marcio Costa) Date: Tue, 8 Dec 2015 14:03:46 -0200 Subject: [Samba] Samba4 ad dc with Centos7 In-Reply-To: References: Message-ID: The "troubleshoot Note" in the Samba Wiki ( https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands) must be performed only when setting Samba up as an AD member, not when setting it up as an AD DC? 2015-12-08 12:54 GMT-02:00 L.P.H. van Belle : > I don't see the difference, I think it's all how you interpret it. > ( sorry about the spelling errors.. ) > > For example > > wbinfo can get a whole list of all Samba users (I believe it can do that > > with AD or NT4 or standalone > Which is exactly what I want. > > > wbinfo does not show system users.. > which is also exactly what I want. > > > wbinfo does not show system users, it > > shows Samba users which can become system users once they are transformed > > (with pam tools as winbind, sssd or nslcd). > Again exactly what I want.
> > > I feel > > confusion (for me and for some users of that mailing list) between > Samba's > > system users (users from Samba usable on system side, here the system it > > the one hosting Samba, the server system), Samba users (Samba internal > > users) and client system users (system users which access to the share). > > With domains there is also system users built from the domain (Windows > > system users SAMDOM\my-user or Linux user from AD/NT4 built with winbind > > Yeah, that sucks.. well, don't think in Samba system users. > > > Samba's system users (users from Samba usable on system side, > >here the system it > >the one hosting Samba, the server system), > >Samba users (Samba internal users) and > >client system users (system users which access to the share). > > You have "local" users/groups, per server/client (adduser username) > You have "Domain" users/groups, per domain > You have "mapped users" I call them. > And last, you have "local system users". ( UID lower than 1000 ) > > Based on this example :
>
> ## map ids outside the domain to tdb files.
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> ## map ids from the domain and (*) the range may not overlap !
> idmap config DOMAINNAME : backend = ad
> idmap config DOMAINNAME : schema_mode = rfc2307
> idmap config DOMAINNAME : range = 10000-3999999
>
> A local user, any user with a UID lower than 2000 > > A domain user > idmap config DOMAINNAME : range = 10000-3999999 > > A mapped user is a local user with its UID in the * range. > (idmap config * : range = 2000-9999 ) > > if you want any local users to be mapped to Samba, change : > (idmap config * : range = 1000-9999 ) > > And I don't advise mapping "local system users". > > Any can access shares, but all depending on your setup. > I think you make an easy thing a hard one and probably due to the setup > you're having. I'm not saying your setup is bad or wrong, but maybe too complex > or not well thought about.
I spent about a year testing and configuring > and testing for a good base setup, and here it all starts, I started at > least 10 times over, because I forgot a "thing/process" running on a server > and which users and/or groups should be able to access it. > > It's pretty simple, only use "domain users" when you have a domain. > And only use local users for local needs. > I only have 1 user on my Linux server for administering the server. > And I also gave some domain users access to a local server. > You can add a domain user to a local group if your setup is working > correctly. > > System users are just to run processes/services on the server, and/or for > administering the server. > > So sorry, but I don't see the problem you're having. > > I do the same in Samba 4 as I did in Samba 3 and more. > And this all looks normal to me. > > But ... > I do agree, there should be more examples of how things work with these users. > And some examples when you for example use a "mapped" user, or a local > user etc. > > > > Greetz, > > Louis > > > > > > > -----Original message----- > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias > dufresne > > Sent: Tuesday 8 December 2015 14:56 > > To: samba at lists.samba.org > > Subject: Re: [Samba] Samba4 ad dc with Centos7 > > > > That's what I thought, and why I told there is no enumeration for system > > users. > > wbinfo can get a whole list of all Samba users (I believe it can do that > > with AD or NT4 or standalone). But wbinfo does not show system users, it > > shows Samba users which can become system users once they are transformed > > (with pam tools as winbind, sssd or nslcd).
> > > > I insist because after months spent here and years with Samba I feel > > confusion (for me and for some users of that mailing list) between > Samba's > > system users (users from Samba usable on system side, here the system it > > the one hosting Samba, the server system), Samba users (Samba internal > > users) and client system users (system users which access to the share). > > With domains there is also system users built from the domain (Windows > > system users SAMDOM\my-user or Linux user from AD/NT4 built with winbind > > or > > sssd or nslcd). > > > > Just my 2 cents, best regards, > > > > mathias > > > > > > 2015-12-08 14:37 GMT+01:00 L.P.H. van Belle : > > > > > On the DC, when i run > > > > > > getent passwd i only see my linux users. > > > > > > getent passwd username shows the ad user. > > > > > > > > > > > > Same for the groups > > > > > > > > > > > > Greetz, > > > > > > > > > > > > Louis > > > > > > > > > > > > > > > > > > > > > Van: Marcio Costa [mailto:marciofoz at gmail.com] > > > Verzonden: dinsdag 8 december 2015 14:35 > > > Aan: L.P.H. van Belle > > > Onderwerp: Re: [Samba] Samba4 ad dc with Centos7 > > > > > > > > > > > > > > > Hi! > > > If you run 'getent passwd', do you see all the users (ad+local) or only > > > local users ? > > > > > > > > > > > > > > > 2015-12-08 11:15 GMT-02:00 L.P.H. van Belle : > > > > > > Wel, thats wrong, when i to the following. > > > > > > > > > > > > wbinfo –u i get all my users. > > > > > > wbinfo –g i get all my groups > > > > > > getent passwd username i get my user:UID:GID:NAME:homedir:shel > > > > > > id username gives also the correct info.. (uid= .. gid= ) groups = > > etc.. > > > > > > > > > > > > And i use winbind on a DC. 
( samba 4.2.5 sernet on debian wheezy ) > > > > > > > > > > > > > > > > > > Greetz, > > > > > > > > > > > > Louis > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Van: mathias dufresne [mailto:infractory at gmail.com] > > > Verzonden: dinsdag 8 december 2015 14:11 > > > Aan: L.P.H. van Belle > > > CC: samba at lists.samba.org > > > Onderwerp: Re: [Samba] Samba4 ad dc with Centos7 > > > > > > > > > > > > > > > > > > I believe there is no enumeration allowed by default whatever you use > to > > > generate system users from AD (winbind, sssd or nslcd). > > > > > > > > > > > > > > > Cheers, > > > > > > > > > > > > > > > > > > mathias > > > > > > > > > > > > > > > > > > 2015-12-08 13:42 GMT+01:00 L.P.H. van Belle : > > > > > > Hai, > > > > > > Few things. > > > > > > > idmap gid = 1000-9999999 > > > did you also change the start GID in the AD? > > > > > > > > > https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC > > #Defining_the_next_UID.2FGID_to_use > > > > > > > "getent group" and "getent passwd" > > > On a DC, use : getent group "domain users" > > > shows only the group name + GID. > > > > > > You setup looks almost good, im only missing something like : > > > > > > ## map id's outside to domain to tdb files. > > > ## map ids from the domain and (*) the range may not overlap ! > > > idmap config * : backend = tdb > > > idmap config * : range = 2000-9999 > > > > > > > > > Greetz, > > > > > > Louis > > > > > > > > > > -----Oorspronkelijk bericht----- > > > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Marcio > Costa > > > > Verzonden: dinsdag 8 december 2015 13:28 > > > > Aan: samba at lists.samba.org > > > > Onderwerp: [Samba] Samba4 ad dc with Centos7 > > > > > > > > > > > Hello, I may have a problem with winbind setup. > > > > > > > > -with wbinfo -g and wbinfo -u I get all group/user from AD/DC. 
> > > > -with getent group "Domain Users" and getent passwd "remote_user" I > > can > > > > see > > > > the info about the specific group and specific user. > > > > -with getent group and getent passwd I only see my local group/users. > > > > > > > > -I believe that using "getent group" and "getent passwd" I must see > > all > > > > users, right ? > > > > > > > > > > > > -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7; > > > > -ps auxf show me: > > > > root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 > > > > /usr/sbin/samba -D > > > > root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00 \_ > > > > /usr/sbin/samba -D > > > > root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00 | > > \_ > > > > /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground > > > > root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00 | > > > > \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes -- > > foreground > > > > > > > > root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00 \_ > > > > /usr/sbin/samba -D > > > > root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00 | > > \_ > > > > /usr/sbin/winbindd -D --option=server role check:inhibit=yes -- > > foreground > > > > root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00 | > > > > \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes -- > > > > foreground > > > > root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00 | > > > > \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes -- > > > > foreground > > > > > > > > -ls /lib64 > > > > lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> > > > > libnss_winbind.so.2 > > > > -rwxr-xr-x. 
1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2 > > > > > > > > -/etc/nsswitch.conf > > > > passwd: files winbind > > > > shadow: files winbind > > > > group: files winbind > > > > > > > > -smb.conf > > > > [global] > > > > workgroup = INTRANET > > > > realm = INTRANET.UNV > > > > netbios name = ITU > > > > server role = active directory domain controller > > > > dns forwarder = 10.2.3.4 > > > > idmap_ldb:use rfc2307 = yes > > > > > > > > idmap config INTRANET:backend = ad > > > > idmap config INTRANET:schema_mode = rfc2307 > > > > idmap config INTRANET:range = 10000-9999999 > > > > > > > > idmap uid = 10000-9999999 > > > > idmap gid = 1000-9999999 > > > > > > > > # Use settings from AD for login shell and home directory > > > > winbind nss info = rfc2307 > > > > > > > > winbind use default domain = yes > > > > winbind enum users = yes > > > > winbind enum groups = yes > > > > > > > > I appreciate any help about this issue. > > > > Thank you. > > > > -- > > > > To unsubscribe from this list go to the following URL and read the > > > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > From ole.traupe at 
tu-berlin.de Tue Dec 8 16:05:35 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Tue, 8 Dec 2015 17:05:35 +0100 Subject: [Samba] Give users possibility to manage part of their AD account In-Reply-To: <5665EFC3.7000402@samba.org> References: <5665EFC3.7000402@samba.org> Message-ID: <5666FFCF.8070608@tu-berlin.de> You can configure OU delegation from ADUC. Ole On 07.12.2015 at 21:44, Marc Muehlfeld wrote: > Hello, > > On 07.12.2015 at 13:36, mathias dufresne wrote: >> Is there a way to give users (all AD users for a start) the possibility to >> manage themselves some of their user attributes (as loginShell for example)? > This sounds dangerous, but you can set directory ACLs for that. > > Two examples of delegation tasks you can find in these docs: > https://wiki.samba.org/index.php/Delegation/Join_machines_to_a_domain > https://wiki.samba.org/index.php/Delegation/Account_management > > But be warned: Setting wrong ACLs in your directory can have serious > effects - from security issues to a broken AD. So make sure you have a > working backup and know exactly what you're doing! > > > Regards, > Marc > From infractory at gmail.com Tue Dec 8 16:06:17 2015 From: infractory at gmail.com (mathias dufresne) Date: Tue, 8 Dec 2015 17:06:17 +0100 Subject: [Samba] Confusion about account locking policy (Samba AD/Windows 7 client) In-Reply-To: <5666FD31.9090308@tu-berlin.de> References: <5666FD31.9090308@tu-berlin.de> Message-ID: I expect you already did that but in case of... did you reboot your Windows client to apply the new computer GPO (or use the MS gpupdate tool)? 2015-12-08 16:54 GMT+01:00 Ole Traupe : > Hi, > > here on the wiki > > https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F > I read this: > > > "Is it possible to set user specific password policies in Samba4 (e. > g. on a OU-base)? > > Samba can't handle GPO restrictions.
You have to use 'samba-tool domain > passwordsettings' to change password policies. But this only applies on > domain level." > > So, I have set my account lockout policy on the Samba4 DC to '5' incorrect > attempts. However, on a Windows 7 client it needs only 3 invalid attempts > to get the account locked out (tested on 3 different machines). And on > domain join it seems only to need 1 invalid attempt. > > What is the full story here? > > Ole > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > From rpenny at samba.org Tue Dec 8 16:15:15 2015 From: rpenny at samba.org (Rowland penny) Date: Tue, 08 Dec 2015 16:15:15 +0000 Subject: [Samba] Permission Denied In-Reply-To: References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de> <5665BDE5.1010702@samba.org> <5665D716.5090402@tu-berlin.de> <5665DB5C.3000902@tu-berlin.de> <5665DDEF.7090509@samba.org> <5665E13D.4080802@tu-berlin.de> <5665E3F3.5010100@samba.org> <5666F528.1040704@tu-berlin.de> Message-ID: <56670213.1020501@samba.org> On 08/12/15 16:02, mathias dufresne wrote: > On any Linux system where you want to be able to use AD users as system > users you need to configure PAM. This is because it is PAM which talks with > the tool you have chosen to retrieve user information from AD and then > builds system users with this information. It may be better if you stop calling local Unix users 'system users'; system users are something else, i.e. 'root' is a system user, as is 'www-data'. > > I think you also need to configure PAM for file servers connected to some > domain (AD or NT4) so that the underlying system knows which user (system > user, ie uid, gid, groups...) accesses some shared file, to grant or > refuse this access. Yes, if you need to connect to a Unix machine, the Unix OS needs to know whoever is trying to connect.
> The short way to put it would be: to configure your system configure PAM, > without PAM configured only applications are configured: kinit could work, > net command too, wbinfo also... but not getent and so all application > relying to system side won't work (example from your first post: "id" > command rely on getent/PAM/nss/don't ask precisely and so won't work) > > This can't be completely true as frontier between system and application is > more than fine (PAM is an app after all and a system could do what you want > it does without PAM configured -> a Samba DC without PAM configured can be > fully managed, just ACLs would lack beauty I expect). PAM is just part of the system, in fact some systems don't use PAM, but the majority of Unix systems use it because it makes life easier. Rowland > 2015-12-08 16:20 GMT+01:00 Ole Traupe : > >> You are right! I haven't configured PAM for winbind on the DCs, probably >> because I don't need this. >> >> Any reasons why I should, if I manage my domain from Windows ADUC and >> don't log-on to the DCs as Administrator locally? >> >> Ole >> >> >> >> Am 08.12.2015 um 14:39 schrieb mathias dufresne: >> >>> Ole, >>> >>> Did you configure PAM to use AD as a users source ? You need to have >>> Winbind or SSSD or nslcd configured to access your AD + configure PAM + >>> configure nsswitch.conf. Then you will system users from AD (ie "getent >>> passwd my-ad-account" would work). >>> >>> Cheers, >>> >>> mathias >>> >>> 2015-12-07 20:54 GMT+01:00 Rowland penny : >>> >>> On 07/12/15 19:42, Ole Traupe wrote: >>>> If I do this (rely on the user map file containing "!root = >>>>>> BPN\Administrator BPN\administrator"), should I expect "id >>>>>>> Administrator" >>>>>>> to give anything? 
>>>>>>> >>>>>>> Ole >>>>>>> >>>>>>> >>>>>>> Only a Samba AD DC, you will not get anything from 'getent >>>>>> Administrator' on a Unix domain member, but remember, with the user map >>>>>> 'Administrator' becomes 'root' :-) >>>>>> >>>>>> Yes, and I can manage share permissions via ADUC due to the user >>>>> mapping. >>>>> >>>>> But on the DCs I still get "No such user" (although I don't have any >>>>> appearent problem). >>>>> >>>>> Ole >>>>> >>>>> >>>>> >>>>> >>>>> Have you changed anything on the DCs ? Are the winbind nss links in >>>> place >>>> ? (not sure if this makes any difference, but I always create them) >>>> >>>> if I run 'id Administrator', I get: >>>> >>>> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(SAMdom\Group >>>> Policy Creator Owners),3000006(SAMDOM\Enterprise >>>> Admins),3000008(SAMDOM\Domain Admins),3000007(SAMDOM\Schema Admins) >>>> >>>> 'getent password Administrator' returns: >>>> >>>> SAMDOM\Administrator:*:0:100::/home/Administrator:/bin/bash >>>> >>>> Rowland >>>> >>>> >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>>> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> From ole.traupe at tu-berlin.de Tue Dec 8 16:22:54 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Tue, 8 Dec 2015 17:22:54 +0100 Subject: [Samba] Permission Denied In-Reply-To: References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de> <5665BDE5.1010702@samba.org> <5665D716.5090402@tu-berlin.de> <5665DB5C.3000902@tu-berlin.de> <5665DDEF.7090509@samba.org> <5665E13D.4080802@tu-berlin.de> <5665E3F3.5010100@samba.org> <5666F528.1040704@tu-berlin.de> Message-ID: <566703DE.50709@tu-berlin.de> I see, thank you! 
On 08.12.2015 at 17:02, mathias dufresne wrote:
> On any Linux system where you want to be able to use AD users as system
> users you need to configure PAM. This because it is PAM which discuss with
> the tool you have chosen to retrieve users information from AD and then
> build system users with these information.
>
> I think you also need to configure PAM for file servers connected to some
> domain (AD or NT4) for the underlying system knows which user (system
> user, ie uid, gid, groups...) access to some shared file, to grant or
> refuse this access.
>
> The short way to put it would be: to configure your system configure PAM,
> without PAM configured only applications are configured: kinit could work,
> net command too, wbinfo also... but not getent and so all application
> relying to system side won't work (example from your first post: "id"
> command rely on getent/PAM/nss/don't ask precisely and so won't work)
>
> This can't be completely true as frontier between system and application is
> more than fine (PAM is an app after all and a system could do what you want
> it does without PAM configured -> a Samba DC without PAM configured can be
> fully managed, just ACLs would lack beauty I expect).
>
> 2015-12-08 16:20 GMT+01:00 Ole Traupe :
>
>> [...]

From infractory at gmail.com Tue Dec 8 16:26:28 2015
From: infractory at gmail.com (mathias dufresne)
Date: Tue, 8 Dec 2015 17:26:28 +0100
Subject: [Samba] Samba4 ad dc with Centos7
In-Reply-To:
References:
Message-ID:

AD DC do not need AD users available from system side.
Make "getent" able to retrieve AD users is to make AD users available from
system side. By "make AD users available from system side" I mean you can
use AD users as system users locally declared into /etc/passwd.

AD DC can be fully managed using root account. When a Samba command need to
authenticate (obviously with some AD user having access to Samba AD resource
aimed) these commands should come with authentication switch (--user or -U
or --kerberos...) to authenticate these commands with some AD user rather
than local root account (which is unknown from AD, it's local).

With my little experience of Samba AD I'd say the only bad point not having
getent working on AD DC is ACLs in your Sysvol won't be showing user names
and group names but UID and GID.

2015-12-08 17:03 GMT+01:00 Marcio Costa :

> The "troubleshoot Note" in Samba Wiki (
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands
> ) must be performed only when setup Samba as an AD Member, not when setup as
> an AD/DC ??
>
> 2015-12-08 12:54 GMT-02:00 L.P.H. van Belle :
>
>> I dont see the difference, i think its all how you interpret it.
>> ( sorry about the spelling errors.. )
>>
>> For example
>>> wbinfo can get a whole list of all Samba users (I believe it can do that
>>> with AD or NT4 or standalone
>> Which is exact what i want.
>>
>>> wbinfo does not show system users..
>> which is also exact what i want.
>>
>>> wbinfo does not show system users, it
>>> shows Samba users which can become system users once they are transformed
>>> (with pam tools as winbind, sssd or nslcd).
>> Again exact what i want.
>>
>>> I feel
>>> confusion (for me and for some users of that mailing list) between Samba's
>>> system users (users from Samba usable on system side, here the system it
>>> the one hosting Samba, the server system), Samba users (Samba internal
>>> users) and client system users (system users which access to the share).
>>> With domains there is also system users built from the domain (Windows
>>> system users SAMDOM\my-user or Linux user from AD/NT4 built with winbind
>>
>> Yeah, that sucks.. well, dont think in samba system users.
>>
>>> Samba's system users (users from Samba usable on system side,
>>> here the system it the one hosting Samba, the server system),
>>> Samba users (Samba internal users) and
>>> client system users (system users which access to the share).
>>
>> You have "local" users/groups, per server/client (adduser username)
>> You have "Domain" users/groups, per domain
>> You have "mapped users" i call them.
>> And last, you have "local system users". ( UID lower than 1000 )
>>
>> Based on this example :
>>
>> ## map id's outside to domain to tdb files.
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> ## map ids from the domain and (*) the range may not overlap !
>> idmap config DOMAINNAME: backend = ad
>> idmap config DOMAINNAME: schema_mode = rfc2307
>> idmap config DOMAINNAME: range = 10000-3999999
>>
>> A local user, any user UID lower than 2000
>>
>> A domain user
>> idmap config DOMAINNAME : range = 10000-3999999
>>
>> A mapped user, is a local user with its UID in the * range.
>> (idmap config * : range = 2000-9999 )
>>
>> if you want any local users to be mapped to samba, change :
>> (idmap config * : range = 1000-9999 )
>>
>> And i dont advice to map "local system users" to be mapped.
>>
>> Any can access shares, but all depending on your setup.
>> I think you make an easy thing a hard one and probably due to the setup
>> your having. I'm not saying you setup is bad or wrong, but maybe to
>> complex or not well thought about. I spent about a year testing and
>> configuring and testing for a good base setup, and here it all starts, i
>> started at least 10 times over, because i forgot a "thing/process" running
>> on a server and which users and/group should be able to access it.
>>
>> Its pretty simple, only use "domain users" when you have a domain.
>> And only use local users for local needs.
>> I only have 1 user on my linux server for administering the server.
>> And i gave also some of domain users access to a local server.
>> You can add an domain user to a local group if you setup is working
>> correct.
>>
>> System users are just to run processes/services on the server, and/or for
>> Administering the server.
>>
>> So sorry, but i dont see the problem your having.
>>
>> I do the same in samba 4 as i did in samba 3 and more.
>> And this all looks to me normal.
>>
>> But ...
>> i do agree, there should be more examples how things work with these
>> users. And some examples when you for example use a "mapped" user, of a
>> local users etc.
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
>>> Sent: Tuesday, 8 December 2015 14:56
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Samba4 ad dc with Centos7
>>>
>>> That's what I thought, and why I told there is no enumeration for system
>>> users.
>>> wbinfo can get a whole list of all Samba users (I believe it can do that
>>> with AD or NT4 or standalone). But wbinfo does not show system users, it
>>> shows Samba users which can become system users once they are transformed
>>> (with pam tools as winbind, sssd or nslcd).
>>>
>>> I insist because after months spent here and years with Samba I feel
>>> confusion (for me and for some users of that mailing list) between Samba's
>>> system users (users from Samba usable on system side, here the system it
>>> the one hosting Samba, the server system), Samba users (Samba internal
>>> users) and client system users (system users which access to the share).
>>> With domains there is also system users built from the domain (Windows
>>> system users SAMDOM\my-user or Linux user from AD/NT4 built with winbind
>>> or sssd or nslcd).
>>>
>>> Just my 2 cents, best regards,
>>>
>>> mathias
>>>
>>> 2015-12-08 14:37 GMT+01:00 L.P.H. van Belle :
>>>
>>>> On the DC, when i run
>>>>
>>>> getent passwd i only see my linux users.
>>>>
>>>> getent passwd username shows the ad user.
>>>>
>>>> Same for the groups
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>> From: Marcio Costa [mailto:marciofoz at gmail.com]
>>>> Sent: Tuesday, 8 December 2015 14:35
>>>> To: L.P.H. van Belle
>>>> Subject: Re: [Samba] Samba4 ad dc with Centos7
>>>>
>>>> Hi!
>>>> If you run 'getent passwd', do you see all the users (ad+local) or only
>>>> local users ?
>>>>
>>>> 2015-12-08 11:15 GMT-02:00 L.P.H. van Belle :
>>>>
>>>> Well, thats wrong, when i do the following.
>>>>
>>>> wbinfo -u i get all my users.
>>>>
>>>> wbinfo -g i get all my groups
>>>>
>>>> getent passwd username i get my user:UID:GID:NAME:homedir:shell
>>>>
>>>> id username gives also the correct info.. (uid= .. gid= ) groups = etc..
>>>>
>>>> And i use winbind on a DC. ( samba 4.2.5 sernet on debian wheezy )
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>> From: mathias dufresne [mailto:infractory at gmail.com]
>>>> Sent: Tuesday, 8 December 2015 14:11
>>>> To: L.P.H. van Belle
>>>> CC: samba at lists.samba.org
>>>> Subject: Re: [Samba] Samba4 ad dc with Centos7
>>>>
>>>> I believe there is no enumeration allowed by default whatever you use to
>>>> generate system users from AD (winbind, sssd or nslcd).
>>>>
>>>> Cheers,
>>>>
>>>> mathias
>>>>
>>>> 2015-12-08 13:42 GMT+01:00 L.P.H. van Belle :
>>>>
>>>> Hai,
>>>>
>>>> Few things.
>>>>
>>>>> idmap gid = 1000-9999999
>>>> did you also change the start GID in the AD?
>>>>
>>>> https://wiki.samba.org/index.php/Administer_Unix_Attributes_in_AD_via_ADUC#Defining_the_next_UID.2FGID_to_use
>>>>
>>>>> "getent group" and "getent passwd"
>>>> On a DC, use : getent group "domain users"
>>>> shows only the group name + GID.
>>>>
>>>> You setup looks almost good, im only missing something like :
>>>>
>>>> ## map id's outside to domain to tdb files.
>>>> ## map ids from the domain and (*) the range may not overlap !
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-9999
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>> -----Original message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Costa
>>>>> Sent: Tuesday, 8 December 2015 13:28
>>>>> To: samba at lists.samba.org
>>>>> Subject: [Samba] Samba4 ad dc with Centos7
>>>>>
>>>>> Hello, I may have a problem with winbind setup.
>>>>>
>>>>> -with wbinfo -g and wbinfo -u I get all group/user from AD/DC.
>>>>> -with getent group "Domain Users" and getent passwd "remote_user" I can
>>>>> see the info about the specific group and specific user.
>>>>> -with getent group and getent passwd I only see my local group/users.
>>>>>
>>>>> -I believe that using "getent group" and "getent passwd" I must see all
>>>>> users, right ?
>>>>>
>>>>> -I'm using the SerNetSamba Version 4.2.5-SerNet-RedHat-19.el7;
>>>>> -ps auxf show me:
>>>>> root 24519 0.0 4.5 578196 45700 ? Ss 09:59 0:00 /usr/sbin/samba -D
>>>>> root 24527 0.0 3.2 578196 32812 ? S 09:59 0:00 \_ /usr/sbin/samba -D
>>>>> root 24529 0.0 4.7 617856 48016 ? Ss 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>>>>> root 24546 0.0 3.2 617856 32936 ? S 09:59 0:00 | \_ /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>>>>> root 24536 0.0 3.2 578196 32788 ? S 09:59 0:00 \_ /usr/sbin/samba -D
>>>>> root 24541 0.0 4.5 587664 46480 ? Ss 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>>>>> root 24545 0.0 3.5 605676 36492 ? S 09:59 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>>>>> root 24555 0.0 3.6 605992 36680 ? S 10:00 0:00 | \_ /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>>>>>
>>>>> -ls /lib64
>>>>> lrwxrwxrwx. 1 root root 19 Dez 3 11:09 /lib64/libnss_winbind.so -> libnss_winbind.so.2
>>>>> -rwxr-xr-x. 1 root root 20K Out 28 07:44 /lib64/libnss_winbind.so.2
>>>>>
>>>>> -/etc/nsswitch.conf
>>>>> passwd: files winbind
>>>>> shadow: files winbind
>>>>> group: files winbind
>>>>>
>>>>> -smb.conf
>>>>> [global]
>>>>> workgroup = INTRANET
>>>>> realm = INTRANET.UNV
>>>>> netbios name = ITU
>>>>> server role = active directory domain controller
>>>>> dns forwarder = 10.2.3.4
>>>>> idmap_ldb:use rfc2307 = yes
>>>>>
>>>>> idmap config INTRANET:backend = ad
>>>>> idmap config INTRANET:schema_mode = rfc2307
>>>>> idmap config INTRANET:range = 10000-9999999
>>>>>
>>>>> idmap uid = 10000-9999999
>>>>> idmap gid = 1000-9999999
>>>>>
>>>>> # Use settings from AD for login shell and home directory
>>>>> winbind nss info = rfc2307
>>>>>
>>>>> winbind use default domain = yes
>>>>> winbind enum users = yes
>>>>> winbind enum groups = yes
>>>>>
>>>>> I appreciate any help about this issue.
>>>>> Thank you.
From ole.traupe at tu-berlin.de Tue Dec 8 16:29:17 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Tue, 8 Dec 2015 17:29:17 +0100
Subject: [Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
In-Reply-To:
References: <5666FD31.9090308@tu-berlin.de>
Message-ID: <5667055D.30506@tu-berlin.de>

As far as I understand Samba and the wiki in this regard, the Samba4 DC's
password policy is no typical domain policy (no GPO). It can't be inherited
by Windows clients. So I suspect the full story to be:

- on the Unix side (DC and member server) the Samba password rules apply
- on the Windows client side the inherited Windows POLICIES apply (as far
as possible)

In effect, if e.g. password lockout threshold is configured differently on
Samba DC and Windows clients, the lower threshold of the two will determine
the behavior of the domain (on Windows clients).

Does that sound reasonable?

Ole

On 08.12.2015 at 17:06, mathias dufresne wrote:
> I expect you already did that but in case of... did you reboot your
> Windows client to apply new Computer's GPO (or use gpupdate MS tool)?
>
> 2015-12-08 16:54 GMT+01:00 Ole Traupe :
>
>> Hi,
>>
>> here on the wiki
>>
>> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>> I read this:
>>
>> "Is it possible to set user specific password policies in Samba4 (e.
>> g. on a OU-base)?
>>
>> Samba can't handle GPO restrictions. You have to use 'samba-tool domain
>> passwordsettings' to change password policies. But this only applies on
>> domain level."
>>
>> So, I have set my account lockout policy on the Samba4 DC to '5' incorrect
>> attempts. However, on a Windows 7 client it needs only 3 invalid attempts
>> to get the account locked out (tested on 3 different machines). And on
>> domain join it seems only to need 1 invalid attempt.
>>
>> What is the full story here?
>>
>> Ole

From infractory at gmail.com Tue Dec 8 16:33:36 2015
From: infractory at gmail.com (mathias dufresne)
Date: Tue, 8 Dec 2015 17:33:36 +0100
Subject: [Samba] Permission Denied
In-Reply-To: <56670213.1020501@samba.org>
References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de> <5665BDE5.1010702@samba.org> <5665D716.5090402@tu-berlin.de> <5665DB5C.3000902@tu-berlin.de> <5665DDEF.7090509@samba.org> <5665E13D.4080802@tu-berlin.de> <5665E3F3.5010100@samba.org> <5666F528.1040704@tu-berlin.de> <56670213.1020501@samba.org>
Message-ID:

2015-12-08 17:15 GMT+01:00 Rowland penny :

> On 08/12/15 16:02, mathias dufresne wrote:
>
>> On any Linux system where you want to be able to use AD users as system
>> users you need to configure PAM. This because it is PAM which discuss with
>> the tool you have chosen to retrieve users information from AD and then
>> build system users with these information.
>
> It may be better if you stop calling local Unix users 'system users',
> system users are something else, i.e. 'root' is a system user, as is
> 'www-data'

System users are users available from system side.
Local users are users declared in /etc/passwd.

What is the point of your remark?

>> I think you also need to configure PAM for file servers connected to some
>> domain (AD or NT4) for the underlying system knows which user (system
>> user, ie uid, gid, groups...) access to some shared file, to grant or
>> refuse this access.
>
> Yes, if you need to connect to a Unix machine, the Unix OS needs to know
> whoever is trying to connect.
>
>> The short way to put it would be: to configure your system configure PAM,
>> without PAM configured only applications are configured: kinit could work,
>> net command too, wbinfo also... but not getent and so all application
>> relying to system side won't work (example from your first post: "id"
>> command rely on getent/PAM/nss/don't ask precisely and so won't work)
>>
>> This can't be completely true as frontier between system and application
>> is more than fine (PAM is an app after all and a system could do what you
>> want it does without PAM configured -> a Samba DC without PAM configured
>> can be fully managed, just ACLs would lack beauty I expect).
>
> PAM is just part of the system, in fact some systems don't use PAM, but
> the majority of Unix systems use it because it makes life easier.
>
> Rowland
>
>> 2015-12-08 16:20 GMT+01:00 Ole Traupe :
>>
>>> [...]

From infractory at gmail.com Tue Dec 8 16:45:50 2015
From: infractory at gmail.com (mathias dufresne)
Date: Tue, 8 Dec 2015 17:45:50 +0100
Subject: [Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
In-Reply-To: <5667055D.30506@tu-berlin.de>
References: <5666FD31.9090308@tu-berlin.de> <5667055D.30506@tu-berlin.de>
Message-ID:

I just can't reply to your question as I have not this information. I don't
know how Samba works, I've got feelings about how it works : )
And as my MS world knowledge is just worst, I can't rely on it to tell you
how Windows generate its passwords policy.
How I think it works is:
you configure password policy using samba-tool
samba modifies the default domain policy (not tested, even if it's easy enough)
windows client get the new policy when gpupdate is launched or at boot time
(because password policy is computer policy and this because there is nothing
in Samba to manage that account by account)

Just feelings...

2015-12-08 17:29 GMT+01:00 Ole Traupe :

> As far as I understand Samba and the wiki in this regard, the Samba4 DC's
> password policy is no typical domain policy (no GPO). It can't be inherited
> by Windows clients. So I suspect the full story to be:
>
> - on the Unix side (DC and member server) the Samba password rules apply
> - on the Windows client side the inherited Windows POLICIES apply (as far
> as possible)
>
> In effect, if e.g. password lockout threshold is configured differently on
> Samba DC and Windows clients, the lower threshold of the two will determine
> the behavior of the domain (on Windows clients).
>
> Does that sound reasonable?
>
> Ole
>
> On 08.12.2015 at 17:06, mathias dufresne wrote:
>
>> [...]

From rpenny at samba.org Tue Dec 8 16:54:13 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 08 Dec 2015 16:54:13 +0000
Subject: [Samba] Permission Denied
In-Reply-To:
References: <5655A8AC.1010202@gmail.com> <5665B8FE.9050503@tu-berlin.de> <5665BDE5.1010702@samba.org> <5665D716.5090402@tu-berlin.de> <5665DB5C.3000902@tu-berlin.de> <5665DDEF.7090509@samba.org> <5665E13D.4080802@tu-berlin.de> <5665E3F3.5010100@samba.org> <5666F528.1040704@tu-berlin.de> <56670213.1020501@samba.org>
Message-ID: <56670B35.1060708@samba.org>

On 08/12/15 16:33, mathias dufresne wrote:
> 2015-12-08 17:15 GMT+01:00 Rowland penny :
>
>> On 08/12/15 16:02, mathias dufresne wrote:
>>
>>> On any Linux system where you want to be able to use AD users as system
>>> users you need to configure PAM. This because it is PAM which discuss with
>>> the tool you have chosen to retrieve users information from AD and then
>>> build system users with these information.
>>
>> It may be better if you stop calling local Unix users 'system users',
>> system users are something else, i.e. 'root' is a system user, as is
>> 'www-data'
>
> System users are users available from system side.
> Local users are users declared in /etc/passwd.
>
> What is the point of your remark?

The point is that 'Unix system users' != 'Unix local users'

On a Unix system, low ID numbers are used for system users i.e. root,
www-data, ntp etc, these numbers are all under 1000 (used to be 500 on
redhat systems), but they all appear in /etc/passwd.
A Unix local user is a user that has an ID number of 1000 and upwards that
appears in /etc/passwd. You can have a user called fred on two different
Unix machines, but they would not be the same user. This is where AD comes
in, by creating the user 'fred' in AD and giving the user a uidNumber, this
user could log into any domain joined computer and would be the same user.

Rowland

From mmuehlfeld at samba.org Tue Dec 8 18:42:05 2015
From: mmuehlfeld at samba.org (Marc Muehlfeld)
Date: Tue, 8 Dec 2015 19:42:05 +0100
Subject: [Samba] joining to WinServer2012/2012R2
In-Reply-To: <1794215651.14966281.1449544512763.JavaMail.zimbra@estudiantes.uci.cu>
References: <1794215651.14966281.1449544512763.JavaMail.zimbra@estudiantes.uci.cu>
Message-ID: <5667247D.3000406@samba.org>

Hello Phillip,

On 08.12.2015 at 04:15, Felipe_G0NZÁLEZ_SANTIAG0 wrote:
> It is possible to join a Samba4 DC to a WindowsServer 2012/2012R2 ?

https://wiki.samba.org/index.php/FAQ#Does_Samba_AD_allow_Windows_Server_2012_.2F_2012_R2_to_be_joined_as_DC.3F

> Or just to join to previously versions of Windows Server (WS2000-
> WS2003)?

Samba supports AD schema versions up to 47 (2008R2)

Regards,
Marc

From infractory at gmail.com Tue Dec 8 19:29:32 2015
From: infractory at gmail.com (mathias dufresne)
Date: Tue, 8 Dec 2015 20:29:32 +0100
Subject: [Samba] [Not really Samba] Semantic was Permission Denied
Message-ID:

2015-12-08 17:54 GMT+01:00 Rowland penny :

> On 08/12/15 16:33, mathias dufresne wrote:
>
>> 2015-12-08 17:15 GMT+01:00 Rowland penny :
>>
>>> On 08/12/15 16:02, mathias dufresne wrote:
>>>
>>>> On any Linux system where you want to be able to use AD users as system
>>>> users you need to configure PAM. This because it is PAM which discuss
>>>> with the tool you have chosen to retrieve users information from AD and
>>>> then build system users with these information.
>>>> >>>> It may be better if you stop calling local Unix users 'system users', >>> system users are something else, i.e. 'root' is a system user, as is >>> 'www-data' >>> >> >> System users are users available from system side. >> Local users are users declared in /etc/passwd. >> >> What is the point of your remark? >> > > The point is that 'Unix system users" != 'Unix local users' > > On a Unix system, low ID numbers are used for system users i.e. root, > www-data, ntp etc, these numbers are all under 1000 (used to be 500 on > redhat systems), but they all appear in /etc/passwd. > A Unix local user is a user that has an ID number of 1000 and upwards that > appears in /etc/passwd. You can have a user called fred on two different > Unix machines, but they would not be the same user. This is where AD comes > in, by creating the user 'fred' in AD and giving the user a uidNumber, this > user could log into any domain joined computer and would be the same user. > You wrote: "A Unix local user is a user that has an ID number of 1000 and upwards that appears in /etc/passwd." How do you call a user declared in /etc/passwd with UID superior than 1000? I understand your point of view but you seem to me the one needing to find a new word, not me. Let's forget this "local user" - which does not release you to answer my previous question - and speak about "system users". For me a system is a user available on system side, for command as getent, id... A user which can interact with the system as a user. Still for me, "local users" are anything declared locally regardless of their UID. This because: - they are declared locally - we mainly speak about Samba, as Samba is bound to act as AD, as AD is designed to have an external user database which could be use on system side, we really need a way to describe the difference between all local users and users coming from AD. Here I'm still speaking about users which can interact with the system ("system users" is shorter indeed). 
This distinction is necessary for us to understand each other and it is even more necessary for newcomers to the Samba or AD world. What about a user reading your mails, where you wrote "A Unix local user is a user that has an ID number of 1000 and upwards that appears in /etc/passwd", and trusting you? Should he remove all users in /etc/passwd with uid > 1000 because that's not how things are nice, or should he find a way to keep these users and find a workaround?

In AD and any remote user DB there are two kinds of users: local users and remote users. Unite both kinds and you get system users. All users which can use the system as a system (shell if they are allowed, getent for a lazy test).

I really don't understand why you can't stop yourself complaining like that. I was merely trying to describe a not-so-simple concept. All I got was "It may be better if you stop"... Did you really write that to help the original poster? Or just to complain?

Words are nothing more than words. They have meaning with context, only. Especially in the IT world where everything moves so fast, language included.

I would end that with:
Rowland, please, try to make an effort to understand others, try to understand we are not all English natives, try to be less rough, accept the idea that we (most of us) have to translate. And finally try to understand that the way you speak IT in your daily work is not necessarily the same way we speak IT there, or here. We all have to adapt to understand each other. You too.
Thank you, with best regards,

mathias

From rpenny at samba.org Tue Dec 8 20:14:12 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 08 Dec 2015 20:14:12 +0000
Subject: [Samba] [Not really Samba] Semantic was Permission Denied
In-Reply-To:
References:
Message-ID: <56673A14.4070002@samba.org>

On 08/12/15 19:29, mathias dufresne wrote:
> 2015-12-08 17:54 GMT+01:00 Rowland penny :
>
>> On 08/12/15 16:33, mathias dufresne wrote:
>>
>>> 2015-12-08 17:15 GMT+01:00 Rowland penny :
>>>
>>>> On 08/12/15 16:02, mathias dufresne wrote:
>>>>> On any Linux system where you want to be able to use AD users as system users you need to configure PAM. This is because it is PAM which discusses with the tool you have chosen to retrieve user information from AD and then builds system users with this information.
>>>>>
>>>> It may be better if you stop calling local Unix users 'system users', system users are something else, i.e. 'root' is a system user, as is 'www-data'
>>>>
>>> System users are users available from the system side.
>>> Local users are users declared in /etc/passwd.
>>>
>>> What is the point of your remark?
>>>
>> The point is that 'Unix system users' != 'Unix local users'
>>
>> On a Unix system, low ID numbers are used for system users i.e. root, www-data, ntp etc, these numbers are all under 1000 (used to be 500 on redhat systems), but they all appear in /etc/passwd.
>> A Unix local user is a user that has an ID number of 1000 and upwards that appears in /etc/passwd. You can have a user called fred on two different Unix machines, but they would not be the same user. This is where AD comes in, by creating the user 'fred' in AD and giving the user a uidNumber, this user could log into any domain joined computer and would be the same user.
>>
> You wrote:
> "A Unix local user is a user that has an ID number of 1000 and upwards that appears in /etc/passwd."
> What do you call a user declared in /etc/passwd with a UID higher than 1000?
>
> I understand your point of view but you seem to me to be the one needing to find a new word, not me.

Have you tried reading 'man adduser' ?

    Add a system user
        If called with one non-option argument and the --system option, adduser will add a system user. adduser will choose the first available UID from the range specified for system users in the configuration file (FIRST_SYSTEM_UID and LAST_SYSTEM_UID).

The configuration file is '/etc/adduser.conf' and from that:

    FIRST_SYSTEM_UID=100
    LAST_SYSTEM_UID=999

>
> Let's forget this "local user" - which does not release you from answering my previous question - and speak about "system users". For me a system user is a user available on the system side, for commands such as getent, id... A user which can interact with the system as a user.

Well it might mean that to you, but to me and a lot of others, it doesn't. A 'system user' is a user that controls something like apache, whilst a normal user is one that just logs into the computer and uses it as a workstation. Now this 'normal user' tag is meaningless in AD terms, hence 'local Unix user' or a local user on a Unix machine. Note that I didn't create this name, it is widely used, but not apparently by you.

>
> Still for me, "local users" are anything declared locally regardless of their UID.
> This because:
> - they are declared locally
> - we mainly speak about Samba, as Samba is bound to act as AD, as AD is designed to have an external user database which could be used on the system side, we really need a way to describe the difference between all local users and users coming from AD. Here I'm still speaking about users which can interact with the system ("system users" is shorter indeed).
> This distinction is necessary for us to understand each other and it is even more necessary for newcomers to the Samba or AD world.
>
> What about a user reading your mails, where you wrote "A Unix local user is a user that has an ID number of 1000 and upwards that appears in /etc/passwd", and trusting you?

Yes, because it is true.

> Should he remove all users in /etc/passwd with uid > 1000 because that's not how things are nice, or should he find a way to keep these users and find a workaround?

If you follow the wiki, any users with a uid of less than 2000 will be ignored by samba. You normally need some 'local Unix users' and if you use 'adduser' to create them, their uids will start at 1000. This is not a problem, as long as the username doesn't exist in AD and smb.conf is set up correctly.

>
> In AD and any remote user DB there are two kinds of users: local users and remote users. Unite both kinds and you get system users. All users which can use the system as a system (shell if they are allowed, getent for a lazy test).

No, there are AD users, AD users that are also Unix users and local Unix users that are unknown to AD.

> I really don't understand why you can't stop yourself complaining like that. I was merely trying to describe a not-so-simple concept. All I got was "It may be better if you stop"... Did you really write that to help the original poster? Or just to complain?

No, I didn't write that to complain, I was trying to help you understand that to Unix, 'system user' means something other than what you think it does.

> Words are nothing more than words. They have meaning with context, only. Especially in the IT world where everything moves so fast, language included.

I agree with the first part, not necessarily with the second, a Unix 'system user' has meant the same for as long as I have been dealing with Unix, which has been a very long time :-)

> I would end that with:
> Rowland, please, try to make an effort to understand others, try to understand we are not all English natives, try to be less rough, accept the idea that we (most of us) have to translate.
> And finally try to understand that the way you speak IT in your daily work is not necessarily the same way we speak IT there, or here. We all have to adapt to understand each other. You too.

I understand where you are coming from, but English is my mother tongue and I call a spade a spade, not an earth moving device. You also want me to accept your terminology over the terminology I have been using for years, sorry but this isn't going to happen.

Rowland

>
> Thank you, with best regards,
>
> mathias

From jeff.sadowski at gmail.com Tue Dec 8 21:12:15 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Tue, 8 Dec 2015 14:12:15 -0700
Subject: [Samba] Adding an AD group to /etc/sudoers?
In-Reply-To:
References:
Message-ID:

"id" alone does not show my user in the it group
"id username" does
why would id alone give different results?

which is odd because as my username I can get into a folder that has 0760 permissions with user as root and it as the group

as for
%it ALL=(ALL) ALL
instead of:
%it ALL=(ALL:ALL) ALL

seems to work the same

On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:

> Jeff,
>
> After the ssh did you run the "id" command to verify that your account belongs to the "it" group on the remote system?
>
> Did you try:
> %it ALL=(ALL) ALL
> instead of:
> %it ALL=(ALL:ALL) ALL
>
> Regards,
> Matt
>
> ________________________________________
> From: samba on behalf of Jeff Sadowski <jeff.sadowski at gmail.com>
> Sent: Monday, December 7, 2015 2:56 PM
> To: samba
> Subject: [Samba] Adding an AD group to /etc/sudoers?
>
> I can't seem to get this working and here is what I have done so far.
> I am using samba 4.1.6
>
> my /etc/samba/smb.conf looks like so
>
> security = ads
> realm = DOMAIN.LONG
> workgroup = DOMAIN
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:range = 8000-9999999
> idmap config DOMAIN:schema_mode = rfc2307
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind nested groups=yes
> # so that the users show up in getent
> winbind enum users = Yes
> # doesn't seem to do the same for groups :-/
> winbind enum groups = Yes
> restrict anonymous = 2
>
> In AD my group it has a gid 8001
>
> #getent group it
> it:x:8001:myusername,others
>
> in /etc/sudoers is the line
> %it ALL=(ALL:ALL) ALL
>
> when I ssh to said machine like so
>
> ssh myusername at problemhost
>
> then run a command like so
>
> > sudo echo
> [sudo] password for myusername:
> myusername is not in the sudoers file. This incident will be reported.
>
> I tried adding another line to /etc/sudoers as follows
> %DOMAIN\\it ALL=(ALL:ALL) ALL
>
> and
>
> %DOMAIN\it ALL=(ALL:ALL) ALL
>
> but neither of them work either.
>
> I seem to be able to get into the nfs shares I have group permissions to but I can not get sudo to work with my AD user group.
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

From jeff.sadowski at gmail.com Tue Dec 8 21:56:39 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Tue, 8 Dec 2015 14:56:39 -0700
Subject: [Samba] Adding an AD group to /etc/sudoers?
In-Reply-To:
References:
Message-ID:

wbinfo -r username
shows the gid of it
and a bunch of -1's, I guess for groups without gids
my user belongs to 155 groups, is there a problem with that many groups?

On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski wrote:

> "id" alone does not show my user in the it group
> "id username" does
> why would id alone give different results?
>
> which is odd because as my username I can get into a folder that has 0760 permissions with user as root and it as the group
>
> as for
> %it ALL=(ALL) ALL
> instead of:
> %it ALL=(ALL:ALL) ALL
>
> seems to work the same
>
> On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
>
>> Jeff,
>>
>> After the ssh did you run the "id" command to verify that your account belongs to the "it" group on the remote system?
>>
>> Did you try:
>> %it ALL=(ALL) ALL
>> instead of:
>> %it ALL=(ALL:ALL) ALL
>>
>> Regards,
>> Matt
>>
>> ________________________________________
>> From: samba on behalf of Jeff Sadowski <jeff.sadowski at gmail.com>
>> Sent: Monday, December 7, 2015 2:56 PM
>> To: samba
>> Subject: [Samba] Adding an AD group to /etc/sudoers?
>>
>> I can't seem to get this working and here is what I have done so far.
>> I am using samba 4.1.6
>>
>> my /etc/samba/smb.conf looks like so
>>
>> security = ads
>> realm = DOMAIN.LONG
>> workgroup = DOMAIN
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-7999
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:range = 8000-9999999
>> idmap config DOMAIN:schema_mode = rfc2307
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> winbind nested groups=yes
>> # so that the users show up in getent
>> winbind enum users = Yes
>> # doesn't seem to do the same for groups :-/
>> winbind enum groups = Yes
>> restrict anonymous = 2
>>
>> In AD my group it has a gid 8001
>>
>> #getent group it
>> it:x:8001:myusername,others
>>
>> in /etc/sudoers is the line
>> %it ALL=(ALL:ALL) ALL
>>
>> when I ssh to said machine like so
>>
>> ssh myusername at problemhost
>>
>> then run a command like so
>>
>> > sudo echo
>> [sudo] password for myusername:
>> myusername is not in the sudoers file. This incident will be reported.
>>
>> I tried adding another line to /etc/sudoers as follows
>> %DOMAIN\\it ALL=(ALL:ALL) ALL
>>
>> and
>>
>> %DOMAIN\it ALL=(ALL:ALL) ALL
>>
>> but neither of them work either.
>>
>> I seem to be able to get into the nfs shares I have group permissions to but I can not get sudo to work with my AD user group.

From jeff.sadowski at gmail.com Tue Dec 8 21:59:12 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Tue, 8 Dec 2015 14:59:12 -0700
Subject: [Samba] Adding an AD group to /etc/sudoers?
In-Reply-To:
References:
Message-ID:

# id username|sed "s/,/\n/g"|wc -l
155
# id|sed "s/,/\n/g"|wc -l
28

On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski wrote:

> wbinfo -r username
> shows the gid of it
> and a bunch of -1's, I guess for groups without gids
> my user belongs to 155 groups, is there a problem with that many groups?
>
> On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski wrote:
>
>> "id" alone does not show my user in the it group
>> "id username" does
>> why would id alone give different results?
>>
>> which is odd because as my username I can get into a folder that has 0760 permissions with user as root and it as the group
>>
>> as for
>> %it ALL=(ALL) ALL
>> instead of:
>> %it ALL=(ALL:ALL) ALL
>>
>> seems to work the same
>>
>> On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
>>
>>> Jeff,
>>>
>>> After the ssh did you run the "id" command to verify that your account belongs to the "it" group on the remote system?
>>>
>>> Did you try:
>>> %it ALL=(ALL) ALL
>>> instead of:
>>> %it ALL=(ALL:ALL) ALL
>>>
>>> Regards,
>>> Matt
>>>
>>> ________________________________________
>>> From: samba on behalf of Jeff Sadowski <jeff.sadowski at gmail.com>
>>> Sent: Monday, December 7, 2015 2:56 PM
>>> To: samba
>>> Subject: [Samba] Adding an AD group to /etc/sudoers?
>>>
>>> I can't seem to get this working and here is what I have done so far.
>>> I am using samba 4.1.6
>>>
>>> my /etc/samba/smb.conf looks like so
>>>
>>> security = ads
>>> realm = DOMAIN.LONG
>>> workgroup = DOMAIN
>>> idmap config * : backend = tdb
>>> idmap config * : range = 2000-7999
>>> idmap config DOMAIN:backend = ad
>>> idmap config DOMAIN:range = 8000-9999999
>>> idmap config DOMAIN:schema_mode = rfc2307
>>> winbind nss info = rfc2307
>>> winbind use default domain = yes
>>> winbind nested groups=yes
>>> # so that the users show up in getent
>>> winbind enum users = Yes
>>> # doesn't seem to do the same for groups :-/
>>> winbind enum groups = Yes
>>> restrict anonymous = 2
>>>
>>> In AD my group it has a gid 8001
>>>
>>> #getent group it
>>> it:x:8001:myusername,others
>>>
>>> in /etc/sudoers is the line
>>> %it ALL=(ALL:ALL) ALL
>>>
>>> when I ssh to said machine like so
>>>
>>> ssh myusername at problemhost
>>>
>>> then run a command like so
>>>
>>> > sudo echo
>>> [sudo] password for myusername:
>>> myusername is not in the sudoers file. This incident will be reported.
>>>
>>> I tried adding another line to /etc/sudoers as follows
>>> %DOMAIN\\it ALL=(ALL:ALL) ALL
>>>
>>> and
>>>
>>> %DOMAIN\it ALL=(ALL:ALL) ALL
>>>
>>> but neither of them work either.
>>>
>>> I seem to be able to get into the nfs shares I have group permissions to but I can not get sudo to work with my AD user group.
>>>

From mattiasz at thinklogical.com Wed Dec 9 00:05:06 2015
From: mattiasz at thinklogical.com (Mattias Zhabinskiy)
Date: Wed, 9 Dec 2015 00:05:06 +0000
Subject: [Samba] Adding an AD group to /etc/sudoers?
In-Reply-To:
References:
Message-ID:

Jeff,

To find out the maximum number of groups allowed per user run:

cat /proc/sys/kernel/ngroups_max
or
sysctl kernel.ngroups_max

but AFAIK AUTH_SYS has a limit of 16, so I would try to either create a test account, add it to the "it" group and test it with sudo, or trim your account membership to 16 or fewer groups.

Regards,
Matt

________________________________
From: Jeff Sadowski
Sent: Tuesday, December 8, 2015 4:59 PM
To: Mattias Zhabinskiy; samba
Subject: Re: [Samba] Adding an AD group to /etc/sudoers?

# id username|sed "s/,/\n/g"|wc -l
155
# id|sed "s/,/\n/g"|wc -l
28

On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski wrote:

wbinfo -r username
shows the gid of it
and a bunch of -1's, I guess for groups without gids
my user belongs to 155 groups, is there a problem with that many groups?

On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski wrote:

"id" alone does not show my user in the it group
"id username" does
why would id alone give different results?

which is odd because as my username I can get into a folder that has 0760 permissions with user as root and it as the group

as for
%it ALL=(ALL) ALL
instead of:
%it ALL=(ALL:ALL) ALL

seems to work the same

On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy wrote:

Jeff,

After the ssh did you run the "id" command to verify that your account belongs to the "it" group on the remote system?
Did you try:
%it ALL=(ALL) ALL
instead of:
%it ALL=(ALL:ALL) ALL

Regards,
Matt

________________________________________
From: samba on behalf of Jeff Sadowski
Sent: Monday, December 7, 2015 2:56 PM
To: samba
Subject: [Samba] Adding an AD group to /etc/sudoers?

I can't seem to get this working and here is what I have done so far.
I am using samba 4.1.6

my /etc/samba/smb.conf looks like so

security = ads
realm = DOMAIN.LONG
workgroup = DOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 8000-9999999
idmap config DOMAIN:schema_mode = rfc2307
winbind nss info = rfc2307
winbind use default domain = yes
winbind nested groups=yes
# so that the users show up in getent
winbind enum users = Yes
# doesn't seem to do the same for groups :-/
winbind enum groups = Yes
restrict anonymous = 2

In AD my group it has a gid 8001

#getent group it
it:x:8001:myusername,others

in /etc/sudoers is the line
%it ALL=(ALL:ALL) ALL

when I ssh to said machine like so

ssh myusername at problemhost

then run a command like so

> sudo echo
[sudo] password for myusername:
myusername is not in the sudoers file. This incident will be reported.

I tried adding another line to /etc/sudoers as follows
%DOMAIN\\it ALL=(ALL:ALL) ALL

and

%DOMAIN\it ALL=(ALL:ALL) ALL

but neither of them work either.

I seem to be able to get into the nfs shares I have group permissions to but I can not get sudo to work with my AD user group.
From abartlet at samba.org Wed Dec 9 06:32:29 2015
From: abartlet at samba.org (Andrew Bartlett)
Date: Wed, 09 Dec 2015 19:32:29 +1300
Subject: [Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
In-Reply-To: <5666FD31.9090308@tu-berlin.de>
References: <5666FD31.9090308@tu-berlin.de>
Message-ID: <1449642749.15594.73.camel@samba.org>

On Tue, 2015-12-08 at 16:54 +0100, Ole Traupe wrote:
> Hi,
>
> here on the wiki
> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
> I read this:
>
> "Is it possible to set user specific password policies in Samba4 (e. g. on a OU-base)?
>
> Samba can't handle GPO restrictions. You have to use 'samba-tool domain passwordsettings' to change password policies. But this only applies on domain level."
>
> So, I have set my account lockout policy on the Samba4 DC to '5' incorrect attempts. However, on a Windows 7 client it needs only 3 invalid attempts to get the account locked out (tested on 3 different machines). And on domain join it seems only to need 1 invalid attempt.
>
> What is the full story here?

We don't know why we lock out faster than we expect to. Some careful code tracing to follow the updates to the bad password count (and even better, a comparison with Windows) is needed.
Sorry,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

From abartlet at samba.org Wed Dec 9 09:03:52 2015
From: abartlet at samba.org (Andrew Bartlett)
Date: Wed, 09 Dec 2015 22:03:52 +1300
Subject: [Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
In-Reply-To:
References: <5666FD31.9090308@tu-berlin.de> <5667055D.30506@tu-berlin.de>
Message-ID: <1449651832.15594.81.camel@samba.org>

On Tue, 2015-12-08 at 17:45 +0100, mathias dufresne wrote:
> I just can't reply to your question as I don't have this information. I don't know how Samba works, I've got feelings about how it works : )
> And as my MS world knowledge is just worse, I can't rely on it to tell you how Windows generates its password policy.
>
> How I think it works is:
> you configure password policy using samba-tool
> samba modifies the default domain policy (not tested, even if it's easy enough)

No, Samba neither reads nor writes group policy files.

> the windows client gets the new policy when gpupdate is launched or at boot time (because password policy is computer policy and this because there is nothing in Samba to manage that account by account)

No, the windows client doesn't know about domain controller policies, and wouldn't have the right to lock out accounts even if it did.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

From lancelot0501 at gmail.com Wed Dec 9 09:14:34 2015
From: lancelot0501 at gmail.com (Dave B)
Date: Wed, 9 Dec 2015 10:14:34 +0100
Subject: [Samba] Replication issue
In-Reply-To:
References:
Message-ID:

Thanks for the tip! I'll try this out some time but it seems to me it's a DNS related problem.
There are some computers with static addresses on the network but pinging them using NetBIOS names pings a different address. Also there's a core file in /var/cache/bind back from February. As far as I know, replication stopped working back then.

2015-12-07 13:21 GMT+01:00 mathias dufresne :

> Before digging into the whole stack of what composes an AD, I would try to replace this second DC (the one you called SDC).
>
> When joining a DC to a Samba AD domain, if this DC was already declared as DC, Samba first demotes that DC to then start the whole process to join that DC to the domain. And that whole process includes re-creation of the AD database locally with full synchronisation.
>
> Not sure that solves your issue, but it could.
>
> In fact I would first test using a third (virtual) machine to create a third DC, just to check your AD is able to synchronize. Then, if it works, I would re-join the broken DC.
>
> Cheers,
>
> mathias
>

From infractory at gmail.com Wed Dec 9 10:25:08 2015
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 9 Dec 2015 11:25:08 +0100
Subject: [Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
In-Reply-To: <1449651832.15594.81.camel@samba.org>
References: <5666FD31.9090308@tu-berlin.de> <5667055D.30506@tu-berlin.de> <1449651832.15594.81.camel@samba.org>
Message-ID:

Thank you Andrew for these clarifications.

2015-12-09 10:03 GMT+01:00 Andrew Bartlett :

> On Tue, 2015-12-08 at 17:45 +0100, mathias dufresne wrote:
> > I just can't reply to your question as I don't have this information. I don't know how Samba works, I've got feelings about how it works : )
> > And as my MS world knowledge is just worse, I can't rely on it to tell you how Windows generates its password policy.
> >
> > How I think it works is:
> > you configure password policy using samba-tool
> > samba modifies the default domain policy (not tested, even if it's easy enough)
>
> No, Samba neither reads nor writes group policy files.
>
> > the windows client gets the new policy when gpupdate is launched or at boot time (because password policy is computer policy and this because there is nothing in Samba to manage that account by account)
>
> No, the windows client doesn't know about domain controller policies, and wouldn't have the right to lock out accounts even if it did.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>

From ole.traupe at tu-berlin.de Wed Dec 9 10:32:05 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Wed, 9 Dec 2015 11:32:05 +0100
Subject: [Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
In-Reply-To: <1449642749.15594.73.camel@samba.org>
References: <5666FD31.9090308@tu-berlin.de> <1449642749.15594.73.camel@samba.org>
Message-ID: <56680325.90908@tu-berlin.de>

I can do some playing around:

a) I have set a GPO for lockout at '10' invalid attempts (the rest of the password options set as on the Samba DC), forced the 'gpupdate', and left the Samba rules set to '5' (checked on both DCs). But still I get locked out after 3 invalid attempts.

b) I have set the Samba rules to '10' (or '15') invalid attempts and get locked out after 6 (or 8) now.

So:
Setting '5': locked out after 3
Setting '10': locked out after 6
Setting '15': locked out after 8

Seems that Samba doubles the count and loses one. No big deal, however, I was just curious as I had locked myself out once too early.
Ole

On 09.12.2015 at 07:32, Andrew Bartlett wrote:
> On Tue, 2015-12-08 at 16:54 +0100, Ole Traupe wrote:
>> Hi,
>>
>> here on the wiki
>> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>> I read this:
>>
>> "Is it possible to set user specific password policies in Samba4 (e. g. on a OU-base)?
>>
>> Samba can't handle GPO restrictions. You have to use 'samba-tool domain passwordsettings' to change password policies. But this only applies on domain level."
>>
>> So, I have set my account lockout policy on the Samba4 DC to '5' incorrect attempts. However, on a Windows 7 client it needs only 3 invalid attempts to get the account locked out (tested on 3 different machines). And on domain join it seems only to need 1 invalid attempt.
>>
>> What is the full story here?
> We don't know why we lock out faster than we expect to. Some careful code tracing to follow the updates to the bad password count (and even better, a comparison with Windows) is needed.
> Sorry,
>
> Andrew Bartlett
>

From belle at bazuin.nl Wed Dec 9 10:43:21 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 9 Dec 2015 11:43:21 +0100
Subject: [Samba] wiki member server page error ?
In-Reply-To:
References:
Message-ID:

Hai, marcio, below pointed a thing ..

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands

This looks wrong to me.

Using domain accounts/groups in OS commands
administrator:*:10000:10000:Administrator:/home/Administrator:/bin/bash

We should not use administrator as an example... In this example we now have 2 ! administrators
Administrator UID=0 ( on the DC )
Administrator UID=1000 ( on the Member )

Very confusing.

Can anyone explain why administrator is abused here and meanwhile we are telling not to give Administrator a UID ?
What now happens, people do configure administrator with a uid.. what if you now want to login and you have your home dir shared over nfs.
=>> error... inaccessible home dir.

Greetz,

Louis

From: Marcio Costa [mailto:marciofoz at gmail.com]
Sent: Tuesday 8 December 2015 17:04
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Samba4 ad dc with Centos7

The "troubleshoot Note" in the Samba Wiki (https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands) must be performed only when setting up Samba as an AD Member, not when setting up as an AD/DC ??

From rpenny at samba.org Wed Dec 9 11:17:13 2015
From: rpenny at samba.org (Rowland penny)
Date: Wed, 09 Dec 2015 11:17:13 +0000
Subject: [Samba] wiki member server page error ?
In-Reply-To:
References:
Message-ID: <56680DB9.6040402@samba.org>

On 09/12/15 10:43, L.P.H. van Belle wrote:
> Hai, marcio, below pointed a thing ..
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member#Using_domain_accounts.2Fgroups_in_OS_commands
>
> This looks wrong to me.
>
> Using domain accounts/groups in OS commands
>
> administrator:*:10000:10000:Administrator:/home/Administrator:/bin/bash
>
> We should not use administrator as an example...
>
> In this example we now have 2 ! administrators
>
> Administrator UID=0 ( on the DC )
>
> Administrator UID=1000 ( on the Member )
>
> Very confusing.
>
> Can anyone explain why administrator is abused here and meanwhile we are telling not to give Administrator a UID ?

The problem is that there are two ways to use the windows user 'Administrator' on a Unix machine, you can map 'Administrator' to the Unix user 'root' via a line in smb.conf and a mapping file, this is the easiest way.
You can also give the 'Administrator' user a uidNumber, this turns it into a normal Unix user and further setup is required to allow this user to work as the root user, something that in essence gives you two 'root' users and is probably not a good idea.

I will think how to edit the page, I do not think giving a uidNumber to 'Administrator' is a good idea and probably the wiki shouldn't show it.

Rowland

>
> What now happens, people do configure administrator with a uid.. what if you now want to login and you have your home dir shared over nfs.
>
> =>> error... inaccessible home dir.
>

From ole.traupe at tu-berlin.de Wed Dec 9 11:34:21 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Wed, 9 Dec 2015 12:34:21 +0100
Subject: [Samba] Backup Member Server
In-Reply-To: <5666E885.3060800@tu-berlin.de>
References: <565F06CE.5010804@gmail.com> <565F411A.6000205@samba.org> <5666E885.3060800@tu-berlin.de>
Message-ID: <566811BD.5060307@tu-berlin.de>

Ok, "sysvol" won't exist on member servers, of course. Besides that, are all relevant Samba databases located in "private"?

--

Btw, regarding the use of the script for DCs:
https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC

I have to cron this as root:
0 2 * * * root /usr/sbin/samba_backup

And I have to put the full path to "tdbbackup" in the script (or otherwise make sure the correct path is recognized via /etc/crontab).

Would be nice to have this in the Wiki.

Ole

On 08.12.2015 at 15:26, Ole Traupe wrote:
> Besides, obviously, the potential shared data on file servers, can't you just use the script that is introduced for backing up DCs? At least if the complete Samba installation is in "/usr/local/samba"...
>
> https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC
>
>
> On 02.12.2015 at 20:06, Marc Muehlfeld wrote:
>> Hello James,
>>
>> On 02.12.2015 at 15:57, James wrote:
>>> Can someone point me to documentation on how to best backup a samba member server?
I see the wiki currently does not contain one. >>> >>> Is it as simple as backup all shared folders with rysnc or similar that >>> will preserve ACLS along with the smb.conf? I'm currently relying on a >>> raid solution. Thanks. >> >> Yes, I should finally write that doc. :-) >> >> >> What you should backup on a Domain Member: >> 1.) All files (share content and whatever else is important for you) >> 2.) Your smb.conf >> 3.) Your Samba databases (you can do a hotbackup with tdbbackup) >> >> >> >> Some notes about 3.: >> Depending on what your Domain Member is doing, some of the tdb files are >> important, while others are recreated and can get lost. There's nothing >> wrong if you backup all. :-) When I write the Wiki page, I might list >> which file is important for which case. >> >> >> Regards, >> Marc >> > > From rpenny at samba.org Wed Dec 9 11:55:18 2015 From: rpenny at samba.org (Rowland penny) Date: Wed, 09 Dec 2015 11:55:18 +0000 Subject: [Samba] Backup Member Server In-Reply-To: <566811BD.5060307@tu-berlin.de> References: <565F06CE.5010804@gmail.com> <565F411A.6000205@samba.org> <5666E885.3060800@tu-berlin.de> <566811BD.5060307@tu-berlin.de> Message-ID: <566816A6.7010905@samba.org> On 09/12/15 11:34, Ole Traupe wrote: > Ok, "sysvol" won't exist on member servers, of course. Besides that, > are all relevant Samba databases located in "private"? Well, no, on debian there are also .tdb files in /var/samba/cache/, but, on an domain member, you probably don't have to back them up anyway. You should backup any date stored in home directories and shares and the smb.conf. If you then re-create the domain member, the user uids and group gids will come from the AD DC and recreate the files in /var/lib/samba & /var/cache/samba. This is my understanding. 
Rowland

>
> --
>
> Btw, regarding the use of the script for DCs:
> https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC
>
> I have to cron this as root:
> 0 2 * * * root /usr/sbin/samba_backup
>
> And I have to put the full path to "tdbbackup" in the script (or otherwise make sure the correct path is recognized via /etc/crontab).
>
> Would be nice to have this in the Wiki.
>
> Ole
>
> On 08.12.2015 at 15:26, Ole Traupe wrote:
>> Besides, obviously, the potential shared data on file servers, can't you just use the script that is introduced for backing up DCs? At least if the complete Samba installation is in "/usr/local/samba"...
>>
>> https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC
>>
>> On 02.12.2015 at 20:06, Marc Muehlfeld wrote:
>>> Hello James,
>>>
>>> On 02.12.2015 at 15:57, James wrote:
>>>> Can someone point me to documentation on how to best backup a samba member server? I see the wiki currently does not contain one.
>>>>
>>>> Is it as simple as backup all shared folders with rsync or similar that will preserve ACLs along with the smb.conf? I'm currently relying on a raid solution. Thanks.
>>>
>>> Yes, I should finally write that doc. :-)
>>>
>>> What you should backup on a Domain Member:
>>> 1.) All files (share content and whatever else is important for you)
>>> 2.) Your smb.conf
>>> 3.) Your Samba databases (you can do a hotbackup with tdbbackup)
>>>
>>> Some notes about 3.:
>>> Depending on what your Domain Member is doing, some of the tdb files are important, while others are recreated and can get lost. There's nothing wrong if you backup all. :-) When I write the Wiki page, I might list which file is important for which case.
>>>
>>> Regards,
>>> Marc
>>>
>>
>

From carlos.hollow at gmail.com Wed Dec 9 12:12:37 2015
From: carlos.hollow at gmail.com (Carlos A. P. Cunha)
Date: Wed, 9 Dec 2015 10:12:37 -0200
Subject: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature
In-Reply-To: <566581ED.9040707@gmail.com>
References: <566581ED.9040707@gmail.com>
Message-ID: <56681AB5.20908@gmail.com>

Hi!
any ideas?

On 07-12-2015 10:56, Carlos A. P. Cunha wrote:
> HI!
> My server Samba 4 version 4.3.0, running since August, is not a problem, but I see these messages in the logs every minute, any ideas?
>
> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.260707, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!
> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.280740, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!
>
> Thanks!
>

From belle at bazuin.nl Wed Dec 9 12:27:04 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 9 Dec 2015 13:27:04 +0100
Subject: [Samba] Backup Member Server
In-Reply-To: <566816A6.7010905@samba.org>
References: <566811BD.5060307@tu-berlin.de>
Message-ID:

Hai,

but don't forget that if you use samba also as print server you need to backup the /var/lib/samba/drivers and printing also. ( and in my case a different folder. )
In /var/cache/samba is the file printer_list.tdb
I don't think that is recreated, and if it is, you probably will lose the printer settings.
I'll have to look that up.

Maybe its an option to let the backup script detect if it is running on a DC or Member server so it always backups what is needed.
Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Wednesday 9 December 2015 12:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] Backup Member Server
>
> On 09/12/15 11:34, Ole Traupe wrote:
> > Ok, "sysvol" won't exist on member servers, of course. Besides that, are all relevant Samba databases located in "private"?
>
> Well, no, on debian there are also .tdb files in /var/samba/cache/, but, on a domain member, you probably don't have to back them up anyway. You should backup any data stored in home directories and shares and the smb.conf. If you then re-create the domain member, the user uids and group gids will come from the AD DC and recreate the files in /var/lib/samba & /var/cache/samba.
>
> This is my understanding.
>
> Rowland
>
> >
> > --
> >
> > Btw, regarding the use of the script for DCs:
> > https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC
> >
> > I have to cron this as root:
> > 0 2 * * * root /usr/sbin/samba_backup
> >
> > And I have to put the full path to "tdbbackup" in the script (or otherwise make sure the correct path is recognized via /etc/crontab).
> >
> > Would be nice to have this in the Wiki.
> >
> > Ole
> >
> > On 08.12.2015 at 15:26, Ole Traupe wrote:
> >> Besides, obviously, the potential shared data on file servers, can't you just use the script that is introduced for backing up DCs? At least if the complete Samba installation is in "/usr/local/samba"...
> >>
> >> https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC
> >>
> >> On 02.12.2015 at 20:06, Marc Muehlfeld wrote:
> >>> Hello James,
> >>>
> >>> On 02.12.2015 at 15:57, James wrote:
> >>>> Can someone point me to documentation on how to best backup a samba member server? I see the wiki currently does not contain one.
> >>>>
> >>>> Is it as simple as backup all shared folders with rsync or similar that will preserve ACLs along with the smb.conf? I'm currently relying on a raid solution. Thanks.
> >>>
> >>> Yes, I should finally write that doc. :-)
> >>>
> >>> What you should backup on a Domain Member:
> >>> 1.) All files (share content and whatever else is important for you)
> >>> 2.) Your smb.conf
> >>> 3.) Your Samba databases (you can do a hotbackup with tdbbackup)
> >>>
> >>> Some notes about 3.:
> >>> Depending on what your Domain Member is doing, some of the tdb files are important, while others are recreated and can get lost. There's nothing wrong if you backup all. :-) When I write the Wiki page, I might list which file is important for which case.
> >>>
> >>> Regards,
> >>> Marc
> >>>
> >>
> >
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

From belle at bazuin.nl Wed Dec 9 14:11:35 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 9 Dec 2015 15:11:35 +0100
Subject: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature
In-Reply-To: <56681AB5.20908@gmail.com>
References: <566581ED.9040707@gmail.com>
Message-ID:

Sorry none..

I suggest first upgrade to the latest 4.3.x
If it is still there, post again, but with some more info about your setup.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Carlos A. P. Cunha
> Sent: Wednesday 9 December 2015 13:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature
>
> Hi!
> any ideas?
>
> On 07-12-2015 10:56, Carlos A. P. Cunha wrote:
> > HI!
> > My server Samba 4 version 4.3.0, running since August, is not a problem, but I see these messages in the logs every minute, any ideas?
> >
> > Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.260707, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> > Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!
> > Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.280740, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> > Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!
> >
> > Thanks!
> >
>

From jeff.sadowski at gmail.com Wed Dec 9 15:08:07 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Wed, 9 Dec 2015 08:08:07 -0700
Subject: [Samba] Adding an AD group to /etc/sudoers?
In-Reply-To:
References:
Message-ID:

# cat /proc/sys/kernel/ngroups_max
65536
# sysctl kernel.ngroups_max
kernel.ngroups_max = 65536

Is there a way to change/look at AUTH_SYS? Seems I have 28 groups now as my user
I tried creating a test user with far fewer groups but it turns out it is in all those other groups.
As such I tried winbind nested groups=no but this doesn't seem to change anything.

On Tue, Dec 8, 2015 at 5:05 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
> Jeff,
>
> To find out maximum number of groups allowed per user run:
> cat /proc/sys/kernel/ngroups_max
> or
> sysctl kernel.ngroups_max
> but AFAIK AUTH_SYS has a limit of 16, so I would try to either create a test account, add it to the "it" group and test it with sudo, or trim your account membership to 16 or less groups.
>
> Regards,
> Matt
>
> ------------------------------
> From: Jeff Sadowski
> Sent: Tuesday, December 8, 2015 4:59 PM
> To: Mattias Zhabinskiy; samba
> Subject: Re: [Samba] Adding an AD group to /etc/sudoers?
>
> # id username|sed "s/,/\n/g"|wc -l
> 155
>
> # id|sed "s/,/\n/g"|wc -l
> 28
>
> On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski wrote:
>> wbinfo -r username
>> shows the gid of it
>> and a bunch of -1's I guess for groups without gid's
>> my user belongs to 155 groups is there a problem with that many groups?
>>
>> On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski wrote:
>>> "id" alone does not show my user in the it group
>>> "id username" does
>>> why would id alone give different results?
>>>
>>> which is odd because
>>> as my username I can get into a folder that has 0760 permissions with user as root and it as the group
>>>
>>> as for
>>> %it ALL=(ALL) ALL
>>> instead of:
>>> %it ALL=(ALL:ALL) ALL
>>>
>>> seems to work the same
>>>
>>> On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
>>>> Jeff,
>>>>
>>>> After the ssh did you run "id" command to verify that your account belongs to the "it" group on the remote system?
>>>>
>>>> Did you try:
>>>> %it ALL=(ALL) ALL
>>>> instead of:
>>>> %it ALL=(ALL:ALL) ALL
>>>>
>>>> Regards,
>>>> Matt
>>>>
>>>> ________________________________________
>>>> From: samba on behalf of Jeff Sadowski
>>>> Sent: Monday, December 7, 2015 2:56 PM
>>>> To: samba
>>>> Subject: [Samba] Adding an AD group to /etc/sudoers?
>>>>
>>>> I can't seem to get this working and here is what I have done so far.
>>>> I am using samba 4.1.6
>>>>
>>>> my /etc/samba/smb.conf looks like so
>>>>
>>>> security = ads
>>>> realm = DOMAIN.LONG
>>>> workgroup = DOMAIN
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-7999
>>>> idmap config DOMAIN:backend = ad
>>>> idmap config DOMAIN:range = 8000-9999999
>>>> idmap config DOMAIN:schema_mode = rfc2307
>>>> winbind nss info = rfc2307
>>>> winbind use default domain = yes
>>>> winbind nested groups=yes
>>>> # so that the users show up in getent
>>>> winbind enum users = Yes
>>>> # doesn't seem to do the same for groups :-/
>>>> winbind enum groups = Yes
>>>> restrict anonymous = 2
>>>>
>>>> In AD my group it has a gid 8001
>>>>
>>>> #getent group it
>>>> it:x:8001:myusername,others
>>>>
>>>> in /etc/sudoers is the line
>>>> %it ALL=(ALL:ALL) ALL
>>>>
>>>> when I ssh to said machine like so
>>>>
>>>> ssh myusername at problemhost
>>>>
>>>> then run a command like so
>>>>
>>>> > sudo echo
>>>> [sudo] password for myusername:
>>>> myusername is not in the sudoers file. This incident will be reported.
>>>>
>>>> I tried adding another line to /etc/sudoers as follows
>>>> %DOMAIN\\it ALL=(ALL:ALL) ALL
>>>>
>>>> and
>>>>
>>>> %DOMAIN\it ALL=(ALL:ALL) ALL
>>>>
>>>> but neither of them work either.
>>>>
>>>> I seem to be able to get into the nfs shares I have group permissions to but I can not get sudo to work with my AD user group.
>>>
>>
>

From infractory at gmail.com Wed Dec 9 15:34:02 2015
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 9 Dec 2015 16:34:02 +0100
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <566158BC.4020405@samba.org> <56615B07.4030204@tao.at> <56615E06.2030805@samba.org>
Message-ID:

Hi Jonathan,

You wrote:
domain windows.corp.springventuregroup.com
search windows.corp.*pringventuregroupcom*
nameserver 192.168.127.131
nameserver 192.168.112.4

Is this a typo error when copying the content or is it a content error in your resolv.conf?

If you really have that "search" line in your resolv.conf it would be logical that restarting Samba services you get the error "unable to resolve host freeradius" as it will be extended in:
freeradius.windows.corp.pringventuregroupcom
rather than:
freeradius.windows.corp.springventuregroup.com

If this is not a typo error I would check the "resolvconf" configuration or remove the use of that tool (temporarily or not) on that box.

If this is not a typo, I'm puzzled...

Hoping for you to get a solution,

mathias

2015-12-07 19:04 GMT+01:00 Jonathan S. Fisher <jonathan at springventuregroup.com>:
> Hey Rowland, be kind and avoid passive aggressive comments. I'm just looking to try and get this to work, thanks. If I knew everything already, I wouldn't be here asking questions and trying to solve my own problem. I appreciate your help so far, but if you don't have anything nice to say, please just ignore this thread.
>
> So:
> jonathan.fisher at freeradius:~$ sudo hostname -y
> hostname: Local domain name not set
> jonathan.fisher at freeradius:~$ sudo hostname -d
> windows.corp.springventuregroup.com
> jonathan.fisher at freeradius:~$ sudo hostname -f
> freeradius.windows.corp.springventuregroup.com
>
> Unfortunately, since this box is an LXC container, I can't run the sysctl command:
> jonathan.fisher at freeradius:~$ sysctl -w kernel.domainname="windows.corp.XXX.com"
> sysctl: permission denied on key 'kernel.domainname'
>
> We're good here:
> jonathan.fisher at freeradius:~$ cat /etc/hostname
> freeradiusjonathan.fisher at freeradius:~$
>
> So I added
> dns proxy = true
>
> No dice, same output as before.
>
> Made this change:
> jonathan.fisher at freeradius:~$ cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> domain windows.corp.springventuregroup.com
> search windows.corp.pringventuregroupcom
> nameserver 192.168.127.131
> nameserver 192.168.112.4
>
> Also the same output, but this message popped up after restarting samba:
> jonathan.fisher at freeradius:~$ sudo service sernet-samba-winbindd restart && sudo service sernet-samba-nmbd restart && sudo service sernet-samba-smbd restart
> sudo: unable to resolve host freeradius
> Shutting down SAMBA winbindd : *
> Starting SAMBA winbindd : *
> sudo: unable to resolve host freeradius
> Shutting down SAMBA nmbd : *
> Starting SAMBA nmbd : *
> sudo: unable to resolve host freeradius
> Shutting down SAMBA smbd : *
> Starting SAMBA smbd : *
>
> No idea if that's relevant...
>
> So I undid the resolv.conf change, and here's the output of testparm:
>
> jonathan.fisher at freeradius:~$ testparm -v | grep net
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> netbios name = FREERADIUS
> netbios aliases =
> netbios scope =
> disable netbios = No
> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
>
> Sigh... thanks. I appreciate your patience and your help.
>
> On Fri, Dec 4, 2015 at 3:33 AM, Rowland penny wrote:
>> On 04/12/15 09:21, Sven Schwedas wrote:
>>> On 2015-12-04 10:11, Rowland penny wrote:
>>>> I still think it is his weird dns setup, where he has a dnsmasq server replicating what the DCs know (or is supposed to). I think the sheer fact that he didn't know what lmhosts is, says a lot.
>>>
>>> We're using such a setup in production without any problems. How about less wild blind guessing and user shaming, and more actual help?
>>>
>> Sven, you may be using a similar system, but it isn't recommended. The OP is having problems getting a Samba domain member working, I have tried to point him in the direction of a known working set up, once he has this working, what he does with it, is up to him. He may be able to use the dnsmasq server, I don't know, but if he has a working system and it stops working when he adds in the dnsmasq server, he will know where to look, won't he!
>>
>> Rowland
>>
>
> --
> Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer.
>

From mattiasz at thinklogical.com Wed Dec 9 15:20:22 2015
From: mattiasz at thinklogical.com (Mattias Zhabinskiy)
Date: Wed, 9 Dec 2015 15:20:22 +0000
Subject: [Samba] Adding an AD group to /etc/sudoers?
In-Reply-To:
References:
Message-ID:

Jeff,

After ssh try to run:
newgrp it
and then sudo. See if it will work, then you'll have to figure out what's going on with the users groups membership.

Regards,
Matt

________________________________
From: Jeff Sadowski
Sent: Wednesday, December 9, 2015 10:08 AM
To: Mattias Zhabinskiy; samba
Subject: Re: [Samba] Adding an AD group to /etc/sudoers?

# cat /proc/sys/kernel/ngroups_max
65536
# sysctl kernel.ngroups_max
kernel.ngroups_max = 65536

Is there a way to change/look at AUTH_SYS? Seems I have 28 groups now as my user
I tried creating a test user with far fewer groups but it turns out it is in all those other groups.
As such I tried winbind nested groups=no but this doesn't seem to change anything.

On Tue, Dec 8, 2015 at 5:05 PM, Mattias Zhabinskiy wrote:

Jeff,

To find out maximum number of groups allowed per user run:
cat /proc/sys/kernel/ngroups_max
or
sysctl kernel.ngroups_max
but AFAIK AUTH_SYS has a limit of 16, so I would try to either create a test account, add it to the "it" group and test it with sudo, or trim your account membership to 16 or less groups.
Regards,
Matt

________________________________
From: Jeff Sadowski
Sent: Tuesday, December 8, 2015 4:59 PM
To: Mattias Zhabinskiy; samba
Subject: Re: [Samba] Adding an AD group to /etc/sudoers?

# id username|sed "s/,/\n/g"|wc -l
155

# id|sed "s/,/\n/g"|wc -l
28

On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski wrote:

wbinfo -r username
shows the gid of it
and a bunch of -1's I guess for groups without gid's
my user belongs to 155 groups is there a problem with that many groups?

On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski wrote:

"id" alone does not show my user in the it group
"id username" does
why would id alone give different results?

which is odd because
as my username I can get into a folder that has 0760 permissions with user as root and it as the group

as for
%it ALL=(ALL) ALL
instead of:
%it ALL=(ALL:ALL) ALL

seems to work the same

On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy wrote:

Jeff,

After the ssh did you run "id" command to verify that your account belongs to the "it" group on the remote system?

Did you try:
%it ALL=(ALL) ALL
instead of:
%it ALL=(ALL:ALL) ALL

Regards,
Matt

________________________________________
From: samba on behalf of Jeff Sadowski
Sent: Monday, December 7, 2015 2:56 PM
To: samba
Subject: [Samba] Adding an AD group to /etc/sudoers?

I can't seem to get this working and here is what I have done so far.
I am using samba 4.1.6

my /etc/samba/smb.conf looks like so

security = ads
realm = DOMAIN.LONG
workgroup = DOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 8000-9999999
idmap config DOMAIN:schema_mode = rfc2307
winbind nss info = rfc2307
winbind use default domain = yes
winbind nested groups=yes
# so that the users show up in getent
winbind enum users = Yes
# doesn't seem to do the same for groups :-/
winbind enum groups = Yes
restrict anonymous = 2

In AD my group it has a gid 8001

#getent group it
it:x:8001:myusername,others

in /etc/sudoers is the line
%it ALL=(ALL:ALL) ALL

when I ssh to said machine like so

ssh myusername at problemhost

then run a command like so

> sudo echo
[sudo] password for myusername:
myusername is not in the sudoers file. This incident will be reported.

I tried adding another line to /etc/sudoers as follows
%DOMAIN\\it ALL=(ALL:ALL) ALL

and

%DOMAIN\it ALL=(ALL:ALL) ALL

but neither of them work either.

I seem to be able to get into the nfs shares I have group permissions to but I can not get sudo to work with my AD user group.

From carlos.hollow at gmail.com Wed Dec 9 15:41:05 2015
From: carlos.hollow at gmail.com (Carlos A. P. Cunha)
Date: Wed, 9 Dec 2015 13:41:05 -0200
Subject: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature
In-Reply-To:
References: <566581ED.9040707@gmail.com>
Message-ID: <56684B91.2070701@gmail.com>

hehehe
Thank you for your attention.
Do you know if there is an "easier" way to update 4.3.0 -> 4.3.2 that is not presented here?

https://wiki.samba.org/index.php/Updating_Samba

Applying a patch, for example....

Bye!!

On 09-12-2015 12:11, L.P.H. van Belle wrote:
> Sorry none..
>
> I suggest first upgrade to the latest 4.3.x
> If it is still there, post again, but with some more info about your setup.
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Carlos A. P. Cunha
>> Sent: Wednesday 9 December 2015 13:13
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature
>>
>> Hi!
>> any ideas?
>>
>> On 07-12-2015 10:56, Carlos A. P. Cunha wrote:
>>> HI!
>>> My server Samba 4 version 4.3.0, running since August, is not a problem, but I see these messages in the logs every minute, any ideas?
>>>
>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.260707, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!
>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.280740, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!
>>>
>>> Thanks!
>>>
>>
>

From h.reindl at thelounge.net Wed Dec 9 15:47:18 2015
From: h.reindl at thelounge.net (Reindl Harald)
Date: Wed, 9 Dec 2015 16:47:18 +0100
Subject: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature
In-Reply-To: <56684B91.2070701@gmail.com>
References: <566581ED.9040707@gmail.com> <56684B91.2070701@gmail.com>
Message-ID: <56684D06.6000207@thelounge.net>

On 09.12.2015 at 16:41, Carlos A. P. Cunha wrote:
> hehehe
> Thank you for your attention.
> Do you know if there is an "easier" way to update 4.3.0 -> 4.3.2 that is not presented here?
>
> https://wiki.samba.org/index.php/Updating_Samba
>
> Applying a patch, for example....

4.3.0 -> 4.3.2 don't need any special examples because it is a *bugfix only* minor update without any need to change configurations

in production one should avoid x.0 releases in general

> On 09-12-2015 12:11, L.P.H. van Belle wrote:
>> Sorry none..
>>
>> I suggest first upgrade to the latest 4.3.x
>> If it is still there, post again, but with some more info about your setup.
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Carlos A. P. Cunha
>>> Sent: Wednesday 9 December 2015 13:13
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature
>>>
>>> Hi!
>>> any ideas?
>>>
>>> On 07-12-2015 10:56, Carlos A. P. Cunha wrote:
>>>> HI!
>>>> My server Samba 4 version 4.3.0, running since August, is not a problem, but I see these messages in the logs every minute, any ideas?
>>>>
>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.260707, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!
>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.280740, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!

From david at digitaltransitions.ca Wed Dec 9 15:30:54 2015
From: david at digitaltransitions.ca (David Thompson)
Date: Wed, 9 Dec 2015 10:30:54 -0500
Subject: [Samba] Naming Conventions
Message-ID: <1441E464-FE22-47D5-B64A-D3EA9C91332B@digitaltransitions.ca>

Hi all,

I have looked but cannot find if there is a way on a file share to control the naming convention of files.
I'd like if possible for a SAMBA file share to throw up an error if an end user tries to name any of their Word / Excel based files (or any files for that matter) with any of the following:

Tilde
Number sign
Percent
Ampersand
Asterisk
Braces
Backslash
Colon
Angle brackets
Question mark
Slash
Pipe
Quotation mark

I'm having an issue with Macs connecting to a file share and having Excel issues opening files. I'd like to have the end file server add an error message when users try to name their files with any of the above characters if possible but I am unable to figure out where to do that.

Is there a way to set this globally in smb.conf or even on a more granular share by share based configuration?

Thank you,

-----
dt

David Thompson
david at digitaltransitions.ca

From carlos.hollow at gmail.com Wed Dec 9 16:00:54 2015
From: carlos.hollow at gmail.com (Carlos A. P. Cunha)
Date: Wed, 9 Dec 2015 14:00:54 -0200
Subject: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature
In-Reply-To: <56684D06.6000207@thelounge.net>
References: <566581ED.9040707@gmail.com> <56684B91.2070701@gmail.com> <56684D06.6000207@thelounge.net>
Message-ID: <56685036.8060905@gmail.com>

Understood, then I follow what's in the Wiki?

Thanks

On 09-12-2015 13:47, Reindl Harald wrote:
>
> On 09.12.2015 at 16:41, Carlos A. P. Cunha wrote:
>> hehehe
>> Thank you for your attention.
>> Do you know if there is an "easier" way to update 4.3.0 -> 4.3.2 that is not presented here?
>>
>> https://wiki.samba.org/index.php/Updating_Samba
>>
>> Applying a patch, for example....
>
> 4.3.0 -> 4.3.2 don't need any special examples because it is a *bugfix only* minor update without any need to change configurations
>
> in production one should avoid x.0 releases in general
>
>> On 09-12-2015 12:11, L.P.H. van Belle wrote:
>>> Sorry none..
>>>
>>> I suggest first upgrade to the latest 4.3.x
>>> If it is still there, post again, but with some more info about your setup.
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Carlos A. P. Cunha
>>>> Sent: Wednesday 9 December 2015 13:13
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature
>>>>
>>>> Hi!
>>>> any ideas?
>>>>
>>>> On 07-12-2015 10:56, Carlos A. P. Cunha wrote:
>>>>> HI!
>>>>> My server Samba 4 version 4.3.0, running since August, is not a problem, but I see these messages in the logs every minute, any ideas?
>>>>>
>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.260707, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!
>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.280740, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!
>

From h.reindl at thelounge.net Wed Dec 9 16:07:09 2015
From: h.reindl at thelounge.net (Reindl Harald)
Date: Wed, 9 Dec 2015 17:07:09 +0100
Subject: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature
In-Reply-To: <56685036.8060905@gmail.com>
References: <566581ED.9040707@gmail.com> <56684B91.2070701@gmail.com> <56684D06.6000207@thelounge.net> <56685036.8060905@gmail.com>
Message-ID: <566851AD.6010107@thelounge.net>

On 09.12.2015 at 17:00, Carlos A. P. Cunha wrote:
> Understood, then I follow what's in the Wiki?

Wiki?
how did you install samba?

if i installed from a package i would just write a bugreport when my distribution stays on a x.0 release and when i build my own packages, well, download tarball, edit the version number in the SPEC-file and just fire rpmbuild

> On 09-12-2015 13:47, Reindl Harald wrote:
>>
>> On 09.12.2015 at 16:41, Carlos A. P. Cunha wrote:
>>> hehehe
>>> Thank you for your attention.
>>> Do you know if there is an "easier" way to update 4.3.0 -> 4.3.2 that is not presented here?
>>>
>>> https://wiki.samba.org/index.php/Updating_Samba
>>>
>>> Applying a patch, for example....
>>
>> 4.3.0 -> 4.3.2 don't need any special examples because it is a *bugfix only* minor update without any need to change configurations
>>
>> in production one should avoid x.0 releases in general
>>
>>> On 09-12-2015 12:11, L.P.H. van Belle wrote:
>>>> Sorry none..
>>>>
>>>> I suggest first upgrade to the latest 4.3.x
>>>> If it is still there, post again, but with some more info about your setup.
>>>>
>>>>> -----Original message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Carlos A. P. Cunha
>>>>> Sent: Wednesday 9 December 2015 13:13
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature
>>>>>
>>>>> Hi!
>>>>> any ideas?
>>>>>
>>>>> On 07-12-2015 10:56, Carlos A. P. Cunha wrote:
>>>>>> HI!
>>>>>> My server Samba 4 version 4.3.0, running since August, is not a problem, but I see these messages in the logs every minute, any ideas?
>>>>>>
>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.260707, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!
>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 10:40:24.280740, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check failed due to invalid signature!

From carlos.hollow at gmail.com Wed Dec 9 16:20:37 2015
From: carlos.hollow at gmail.com (Carlos A. P. Cunha)
Date: Wed, 9 Dec 2015 14:20:37 -0200
Subject: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature
In-Reply-To: <566851AD.6010107@thelounge.net>
References: <566581ED.9040707@gmail.com> <56684B91.2070701@gmail.com> <56684D06.6000207@thelounge.net> <56685036.8060905@gmail.com> <566851AD.6010107@thelounge.net>
Message-ID: <566854D5.4060701@gmail.com>

The Wiki I am referring to was the link I used to update Samba; do I use the method described there to upgrade my Samba 4.3.0 -> 4.3.2?

https://wiki.samba.org/index.php/Updating_Samba

On 09-12-2015 14:07, Reindl Harald wrote:
>
> On 09.12.2015 at 17:00, Carlos A. P. Cunha wrote:
>> Understood, then I follow what's in the Wiki?
>
> Wiki?
> how did you install samba?
>
> if i installed from a package i would just write a bugreport when my distribution stays on a x.0 release and when i build my own packages, well, download tarball, edit the version number in the SPEC-file and just fire rpmbuild
>
>> On 09-12-2015 13:47, Reindl Harald wrote:
>>>
>>> On 09.12.2015 at 16:41, Carlos A. P. Cunha wrote:
>>>> hehehe
>>>> Thank you for your attention.
>>>> Do you know if there is an "easier" way to update 4.3.0 -> 4.3.2 that is not presented here?
>>>>
>>>> https://wiki.samba.org/index.php/Updating_Samba
>>>>
>>>> Applying a patch, for example....
>>>
>>> 4.3.0 -> 4.3.2 don't need any special examples because it is a *bugfix only* minor update without any need to change configurations
>>>
>>> in production one should avoid x.0 releases in general
>>>
>>>> On 09-12-2015 12:11, L.P.H. van Belle wrote:
>>>>> Sorry none..
>>>>>
>>>>> I suggest first upgrade to the latest 4.3.x
>>>>> If it is still there, post again, but with some more info about your setup.
>>>>> >>>>> >>>>>> -----Oorspronkelijk bericht----- >>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Carlos >>>>>> A. P. >>>>>> Cunha >>>>>> Verzonden: woensdag 9 december 2015 13:13 >>>>>> Aan: samba at lists.samba.org >>>>>> Onderwerp: Re: [Samba] NTLMSSP NTLM2 packet check failed due to >>>>>> invalid >>>>>> signature >>>>>> >>>>>> Hi! >>>>>> any ideas? >>>>>> >>>>>> >>>>>> Em 07-12-2015 10:56, Carlos A. P. Cunha escreveu: >>>>>>> HI! >>>>>>> My server Samba 4 version 4.3.0, running since August, do not is a >>>>>>> problem, but my i see this messages logs every 1 minutes, any >>>>>>> ideas? >>>>>>> >>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 >>>>>>> 10:40:24.260707, 0] >>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) >>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check >>>>>>> failed due to invalid signature! >>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 >>>>>>> 10:40:24.280740, 0] >>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) >>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check >>>>>>> failed due to invalid signature! > > > From samba at kretz.net Wed Dec 9 16:24:29 2015 From: samba at kretz.net (Kevin K) Date: Wed, 9 Dec 2015 11:24:29 -0500 (EST) Subject: [Samba] samba4 internal DNS query logging? Message-ID: <160707185.4056.1449678269689.JavaMail.zimbra@kretz.net> Hi, I searched for a way to log client DNS queries to a samba4 internal DNS server but couldn't find anything. Is there a way to configure this? 
thanks Kevin From ole.traupe at tu-berlin.de Wed Dec 9 16:33:26 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Wed, 9 Dec 2015 17:33:26 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5661BD67.8000305@tu-berlin.de> References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> Message-ID: <566857D6.8070400@tu-berlin.de> > - But when I try to ssh to a member server, it still takes forever, > and a 'kinit' on a member server gives this: > "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while > getting initial credentials" > > > My /etc/krb5.conf looks like this (following your suggestions, > Rowland, as everything else are defaults): > > [libdefaults] > default_realm = MY.DOMAIN.TLD > > And my /etc/resolv.conf is this: > > search my.domain.tld > nameserver IP_of_1st_DC > nameserver IP_of_2nd_DC Any idea why I still get this when trying to log on to a member server while the first DC is down? # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while getting initial credentials Ole From h.reindl at thelounge.net Wed Dec 9 16:33:59 2015 From: h.reindl at thelounge.net (Reindl Harald) Date: Wed, 9 Dec 2015 17:33:59 +0100 Subject: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature In-Reply-To: <566854D5.4060701@gmail.com> References: <566581ED.9040707@gmail.com> <56684B91.2070701@gmail.com> <56684D06.6000207@thelounge.net> <56685036.8060905@gmail.com> <566851AD.6010107@thelounge.net> <566854D5.4060701@gmail.com> Message-ID: <566857F7.2060606@thelounge.net> Am 09.12.2015 um 17:20 schrieb Carlos A. P. 
Cunha: > Wiki I am referring to was the link I spent to update the samba, I use > the method described it to upgrade my Samba 4.3.0 -> 4.3.2? > > https://wiki.samba.org/index.php/Updating_Samba damned - how did you install it? [ ] self compiled [ ] package [ ] package on what operating system THERE IS NOTHING to do besides update the package and restart the services and since you don't provide any informations about your setup what shoudl we tell you? > Em 09-12-2015 14:07, Reindl Harald escreveu: >> >> >> Am 09.12.2015 um 17:00 schrieb Carlos A. P. Cunha: >>> Understood, then I follow what's in the Wiki? >> >> Wiki? >> how did you install samba? >> >> if i installed from a package i would just write a bugreport when my >> distribution stays on a x.0 release and when i build my own packages, >> well, download tarball, edit the version number in the SPEC-file and >> just fire rpmbuild >> >>> Em 09-12-2015 13:47, Reindl Harald escreveu: >>>> >>>> Am 09.12.2015 um 16:41 schrieb Carlos A. P. Cunha: >>>>> hehehe >>>>> Thank you for your attention. >>>>> Know if you have a more "easy" to update the 4.3.0 -> 4.3.2 not be >>>>> presented here. >>>>> >>>>> https://wiki.samba.org/index.php/Updating_Samba >>>>> >>>>> Application patch, exemple.... >>>> >>>> 4.3.0 -> 4.3.2 don't need any special examples becaus eit is a *bugfix >>>> only* minor update without any need to change configurations >>>> >>>> in production one should avoid x.0 releases in general >>>> >>>>> Em 09-12-2015 12:11, L.P.H. van Belle escreveu: >>>>>> Sorry none.. >>>>>> >>>>>> I suggest first upgrade to the latest 4.3.x >>>>>> If it is still there, post again, but with some more info about your >>>>>> setup. >>>>>> >>>>>> >>>>>>> -----Oorspronkelijk bericht----- >>>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Carlos >>>>>>> A. P. 
>>>>>>> Cunha >>>>>>> Verzonden: woensdag 9 december 2015 13:13 >>>>>>> Aan: samba at lists.samba.org >>>>>>> Onderwerp: Re: [Samba] NTLMSSP NTLM2 packet check failed due to >>>>>>> invalid >>>>>>> signature >>>>>>> >>>>>>> Hi! >>>>>>> any ideas? >>>>>>> >>>>>>> >>>>>>> Em 07-12-2015 10:56, Carlos A. P. Cunha escreveu: >>>>>>>> HI! >>>>>>>> My server Samba 4 version 4.3.0, running since August, do not is a >>>>>>>> problem, but my i see this messages logs every 1 minutes, any >>>>>>>> ideas? >>>>>>>> >>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 >>>>>>>> 10:40:24.260707, 0] >>>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) >>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check >>>>>>>> failed due to invalid signature! >>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 >>>>>>>> 10:40:24.280740, 0] >>>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) >>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet check >>>>>>>> failed due to invalid signature! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL: From carlos.hollow at gmail.com Wed Dec 9 16:41:39 2015 From: carlos.hollow at gmail.com (Carlos A. P. Cunha) Date: Wed, 9 Dec 2015 14:41:39 -0200 Subject: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature In-Reply-To: <566857F7.2060606@thelounge.net> References: <566581ED.9040707@gmail.com> <56684B91.2070701@gmail.com> <56684D06.6000207@thelounge.net> <56685036.8060905@gmail.com> <566851AD.6010107@thelounge.net> <566854D5.4060701@gmail.com> <566857F7.2060606@thelounge.net> Message-ID: <566859C3.5030104@gmail.com> Ok, my installation was build following the official wiki Samba using OS like Ubuntu 14:04. Still the question remains how do I update the package? Following the wiki (I spent in another email) or otherwise? 
Thanks Em 09-12-2015 14:33, Reindl Harald escreveu: > > > Am 09.12.2015 um 17:20 schrieb Carlos A. P. Cunha: >> Wiki I am referring to was the link I spent to update the samba, I use >> the method described it to upgrade my Samba 4.3.0 -> 4.3.2? >> >> https://wiki.samba.org/index.php/Updating_Samba > > damned - how did you install it? > > [ ] self compiled > [ ] package > [ ] package on what operating system > > THERE IS NOTHING to do besides update the package and restart the > services and since you don't provide any informations about your setup > what shoudl we tell you? > >> Em 09-12-2015 14:07, Reindl Harald escreveu: >>> >>> >>> Am 09.12.2015 um 17:00 schrieb Carlos A. P. Cunha: >>>> Understood, then I follow what's in the Wiki? >>> >>> Wiki? >>> how did you install samba? >>> >>> if i installed from a package i would just write a bugreport when my >>> distribution stays on a x.0 release and when i build my own packages, >>> well, download tarball, edit the version number in the SPEC-file and >>> just fire rpmbuild >>> >>>> Em 09-12-2015 13:47, Reindl Harald escreveu: >>>>> >>>>> Am 09.12.2015 um 16:41 schrieb Carlos A. P. Cunha: >>>>>> hehehe >>>>>> Thank you for your attention. >>>>>> Know if you have a more "easy" to update the 4.3.0 -> 4.3.2 not be >>>>>> presented here. >>>>>> >>>>>> https://wiki.samba.org/index.php/Updating_Samba >>>>>> >>>>>> Application patch, exemple.... >>>>> >>>>> 4.3.0 -> 4.3.2 don't need any special examples becaus eit is a >>>>> *bugfix >>>>> only* minor update without any need to change configurations >>>>> >>>>> in production one should avoid x.0 releases in general >>>>> >>>>>> Em 09-12-2015 12:11, L.P.H. van Belle escreveu: >>>>>>> Sorry none.. >>>>>>> >>>>>>> I suggest first upgrade to the latest 4.3.x >>>>>>> If it is still there, post again, but with some more info about >>>>>>> your >>>>>>> setup. 
>>>>>>> >>>>>>> >>>>>>>> -----Oorspronkelijk bericht----- >>>>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Carlos >>>>>>>> A. P. >>>>>>>> Cunha >>>>>>>> Verzonden: woensdag 9 december 2015 13:13 >>>>>>>> Aan: samba at lists.samba.org >>>>>>>> Onderwerp: Re: [Samba] NTLMSSP NTLM2 packet check failed due to >>>>>>>> invalid >>>>>>>> signature >>>>>>>> >>>>>>>> Hi! >>>>>>>> any ideas? >>>>>>>> >>>>>>>> >>>>>>>> Em 07-12-2015 10:56, Carlos A. P. Cunha escreveu: >>>>>>>>> HI! >>>>>>>>> My server Samba 4 version 4.3.0, running since August, do not >>>>>>>>> is a >>>>>>>>> problem, but my i see this messages logs every 1 minutes, any >>>>>>>>> ideas? >>>>>>>>> >>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 >>>>>>>>> 10:40:24.260707, 0] >>>>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) >>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet >>>>>>>>> check >>>>>>>>> failed due to invalid signature! >>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 >>>>>>>>> 10:40:24.280740, 0] >>>>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) >>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet >>>>>>>>> check >>>>>>>>> failed due to invalid signature! 
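For the share file-name question David Thompson asked at the top of this page (rejecting names containing ~ # % & * { } \ : < > ? / | "): Samba on its own does not return an error for such names, and its closest built-in knob, the per-share `veto files` list of `/`-separated wildcard patterns, makes matching names invisible and inaccessible rather than reporting a naming error. Before enforcing anything server-side you want to know which files already on the share would be hit. The script below is an added example, not code from any post in this thread and not part of Samba; it flags the characters from the post and, going one step beyond the post, also the Win32-reserved device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9) and trailing dots or spaces, which Windows refuses as well. The file names in the test are constructed.

```python
"""Find file names on a share that Windows clients cannot handle.

Added example (not from the mailing-list thread, not Samba code). Checks the
characters listed in the post plus Win32-reserved names and trailing dots/spaces.
"""
import os
import re
import sys
from typing import Dict, Iterable, List, Set

# Characters listed in the post: ~ # % & * { } \ : < > ? / | "
# '/' can never occur inside a Unix file name, so it is here only for completeness.
FORBIDDEN_CHARS: Set[str] = set('~#%&*{}\\:<>?/|"')

# Names Win32 refuses outright, with or without an extension (assumption: you want
# these caught too; the post does not mention them).
_RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\.|$)", re.IGNORECASE)


def offending_chars(name: str) -> Set[str]:
    """Return the forbidden characters that appear in a single path component."""
    return {c for c in name if c in FORBIDDEN_CHARS}


def check_name(name: str) -> List[str]:
    """Return the reasons a name would be rejected; an empty list means it is fine."""
    reasons: List[str] = []
    bad = offending_chars(name)
    if bad:
        reasons.append("forbidden character(s): " + " ".join(sorted(bad)))
    if _RESERVED.match(name):
        reasons.append("reserved Windows device name")
    if name != name.rstrip(" ."):
        reasons.append("trailing space or dot")
    return reasons


def scan_names(names: Iterable[str]) -> Dict[str, List[str]]:
    """Check many names at once; only offenders appear in the result."""
    result: Dict[str, List[str]] = {}
    for name in names:
        reasons = check_name(name)
        if reasons:
            result[name] = reasons
    return result


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a share's directory tree and report every offending file or directory."""
    result: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = check_name(name)
            if reasons:
                result[os.path.join(dirpath, name)] = reasons
    return result


def suggest_rename(name: str) -> str:
    """Propose a Windows-safe name: forbidden characters become '_', trailing
    spaces and dots are dropped, reserved device names get a leading '_'."""
    cleaned = "".join("_" if c in FORBIDDEN_CHARS else c for c in name).rstrip(" .")
    if _RESERVED.match(cleaned):
        cleaned = "_" + cleaned
    return cleaned or "_"


if __name__ == "__main__":
    # Usage: python3 check_share_names.py /srv/samba/share
    share_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in sorted(scan_tree(share_root).items()):
        print(f"{path}: {'; '.join(reasons)} -> {suggest_rename(os.path.basename(path))}")
```

Run it against the share root on the file server; every reported path is a file a Windows or Excel client will have trouble with, and the suggested rename is a starting point for cleaning up before any server-side restriction is switched on.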
From lingpanda101 at gmail.com Wed Dec 9 16:50:50 2015
From: lingpanda101 at gmail.com (James)
Date: Wed, 9 Dec 2015 11:50:50 -0500
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566857D6.8070400@tu-berlin.de>
References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de>
Message-ID: <56685BEA.7060206@gmail.com>

On 12/9/2015 11:33 AM, Ole Traupe wrote:
>
>> - But when I try to ssh to a member server, it still takes forever,
>> and a 'kinit' on a member server gives this:
>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>> getting initial credentials"
>>
>> My /etc/krb5.conf looks like this (following your suggestions,
>> Rowland, as everything else are defaults):
>>
>> [libdefaults]
>> default_realm = MY.DOMAIN.TLD
>>
>> And my /etc/resolv.conf is this:
>>
>> search my.domain.tld
>> nameserver IP_of_1st_DC
>> nameserver IP_of_2nd_DC
>
> Any idea why I still get this when trying to log on to a member server
> while the first DC is down?
>
> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
> getting initial credentials
>
> Ole

Ole,

Can you try a few things? All on your member server.
What is the output of

testparm | grep "name resolve order"

kdestroy -A
kinit administrator@MY.DOMAIN.TLD -V

--
-James

From belle at bazuin.nl Wed Dec 9 16:53:39 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 9 Dec 2015 17:53:39 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566857D6.8070400@tu-berlin.de>
References: <5661BD67.8000305@tu-berlin.de>
Message-ID:

Hai Ole,

Can you run on the member where you logged in:

host -t SRV _ldap._tcp.samdom.example.com.
host -t SRV _kerberos._udp.samdom.example.com.
host -t A dc1.samdom.example.com.
host -t A dc2.samdom.example.com.

and again with

search my.domain.tld
nameserver IP_of_2nd_DC
nameserver IP_of_1st_DC

Looks ok to me so far.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Wednesday 9 December 2015 17:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
> > - But when I try to ssh to a member server, it still takes forever,
> > and a 'kinit' on a member server gives this:
> > "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
> > getting initial credentials"
> >
> > My /etc/krb5.conf looks like this (following your suggestions,
> > Rowland, as everything else are defaults):
> >
> > [libdefaults]
> > default_realm = MY.DOMAIN.TLD
> >
> > And my /etc/resolv.conf is this:
> >
> > search my.domain.tld
> > nameserver IP_of_1st_DC
> > nameserver IP_of_2nd_DC
>
> Any idea why I still get this when trying to log on to a member server
> while the first DC is down?
> > # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while getting > initial credentials > > Ole > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba From h.reindl at thelounge.net Wed Dec 9 17:01:08 2015 From: h.reindl at thelounge.net (Reindl Harald) Date: Wed, 9 Dec 2015 18:01:08 +0100 Subject: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature In-Reply-To: <566859C3.5030104@gmail.com> References: <566581ED.9040707@gmail.com> <56684B91.2070701@gmail.com> <56684D06.6000207@thelounge.net> <56685036.8060905@gmail.com> <566851AD.6010107@thelounge.net> <566854D5.4060701@gmail.com> <566857F7.2060606@thelounge.net> <566859C3.5030104@gmail.com> Message-ID: <56685E54.3090206@thelounge.net> Am 09.12.2015 um 17:41 schrieb Carlos A. P. Cunha: > Ok, my installation was build following the official wiki Samba using OS > like Ubuntu 14:04 since Ubuntu 14.04 hardly has Samba 4.3.0 [ x ] self compiled (most likely) if you used a package from a 3rd party repo -> update it from there > Still the question remains how do I update the package? compile the new version with *exactly* the same ./configure parameters as the old one - it's a *minor* update and so only files are replaced with the newer versions but "My server Samba 4 version 4.3.0, running since August" sounds impossible because "08 September 2015 Samba 4.3.0 Available for Download" > Em 09-12-2015 14:33, Reindl Harald escreveu: >> >> >> Am 09.12.2015 um 17:20 schrieb Carlos A. P. Cunha: >>> Wiki I am referring to was the link I spent to update the samba, I use >>> the method described it to upgrade my Samba 4.3.0 -> 4.3.2? >>> >>> https://wiki.samba.org/index.php/Updating_Samba >> >> damned - how did you install it? 
>> >> [ ] self compiled >> [ ] package >> [ ] package on what operating system >> >> THERE IS NOTHING to do besides update the package and restart the >> services and since you don't provide any informations about your setup >> what shoudl we tell you? >> >>> Em 09-12-2015 14:07, Reindl Harald escreveu: >>>> >>>> >>>> Am 09.12.2015 um 17:00 schrieb Carlos A. P. Cunha: >>>>> Understood, then I follow what's in the Wiki? >>>> >>>> Wiki? >>>> how did you install samba? >>>> >>>> if i installed from a package i would just write a bugreport when my >>>> distribution stays on a x.0 release and when i build my own packages, >>>> well, download tarball, edit the version number in the SPEC-file and >>>> just fire rpmbuild >>>> >>>>> Em 09-12-2015 13:47, Reindl Harald escreveu: >>>>>> >>>>>> Am 09.12.2015 um 16:41 schrieb Carlos A. P. Cunha: >>>>>>> hehehe >>>>>>> Thank you for your attention. >>>>>>> Know if you have a more "easy" to update the 4.3.0 -> 4.3.2 not be >>>>>>> presented here. >>>>>>> >>>>>>> https://wiki.samba.org/index.php/Updating_Samba >>>>>>> >>>>>>> Application patch, exemple.... >>>>>> >>>>>> 4.3.0 -> 4.3.2 don't need any special examples becaus eit is a >>>>>> *bugfix >>>>>> only* minor update without any need to change configurations >>>>>> >>>>>> in production one should avoid x.0 releases in general >>>>>> >>>>>>> Em 09-12-2015 12:11, L.P.H. van Belle escreveu: >>>>>>>> Sorry none.. >>>>>>>> >>>>>>>> I suggest first upgrade to the latest 4.3.x >>>>>>>> If it is still there, post again, but with some more info about >>>>>>>> your >>>>>>>> setup. >>>>>>>> >>>>>>>> >>>>>>>>> -----Oorspronkelijk bericht----- >>>>>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Carlos >>>>>>>>> A. P. >>>>>>>>> Cunha >>>>>>>>> Verzonden: woensdag 9 december 2015 13:13 >>>>>>>>> Aan: samba at lists.samba.org >>>>>>>>> Onderwerp: Re: [Samba] NTLMSSP NTLM2 packet check failed due to >>>>>>>>> invalid >>>>>>>>> signature >>>>>>>>> >>>>>>>>> Hi! 
>>>>>>>>> any ideas? >>>>>>>>> >>>>>>>>> >>>>>>>>> Em 07-12-2015 10:56, Carlos A. P. Cunha escreveu: >>>>>>>>>> HI! >>>>>>>>>> My server Samba 4 version 4.3.0, running since August, do not >>>>>>>>>> is a >>>>>>>>>> problem, but my i see this messages logs every 1 minutes, any >>>>>>>>>> ideas? >>>>>>>>>> >>>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 >>>>>>>>>> 10:40:24.260707, 0] >>>>>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) >>>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet >>>>>>>>>> check >>>>>>>>>> failed due to invalid signature! >>>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 >>>>>>>>>> 10:40:24.280740, 0] >>>>>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) >>>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet >>>>>>>>>> check >>>>>>>>>> failed due to invalid signature! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL: From lingpanda101 at gmail.com Wed Dec 9 17:03:50 2015 From: lingpanda101 at gmail.com (James) Date: Wed, 9 Dec 2015 12:03:50 -0500 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <566857D6.8070400@tu-berlin.de> References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> Message-ID: <56685EF6.90809@gmail.com> On 12/9/2015 11:33 AM, Ole Traupe wrote: > >> - But when I try to ssh to a member server, it still takes forever, >> and a 'kinit' on a member server gives this: >> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while >> getting 
initial credentials"
>>
>> My /etc/krb5.conf looks like this (following your suggestions,
>> Rowland, as everything else are defaults):
>>
>> [libdefaults]
>> default_realm = MY.DOMAIN.TLD
>>
>> And my /etc/resolv.conf is this:
>>
>> search my.domain.tld
>> nameserver IP_of_1st_DC
>> nameserver IP_of_2nd_DC
>
> Any idea why I still get this when trying to log on to a member server
> while the first DC is down?
>
> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
> getting initial credentials
>
> Ole

Ole,

I was trying to look back through your posts, so excuse me if you have answered this. What was your original krb.conf file contents? A few things that may work are to specify the kdc and not rely on dns, for instance:

[libdefaults]
default_realm = MY.DOMAIN.TLD
dns_lookup_kdc = false
dns_lookup_realm = false

[realms]
MY.DOMAIN.TLD = {
kdc = IP of First DC
kdc = IP of Second DC
}

--
-James

From rpenny at samba.org Wed Dec 9 17:16:41 2015
From: rpenny at samba.org (Rowland penny)
Date: Wed, 09 Dec 2015 17:16:41 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <56685EF6.90809@gmail.com>
References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com>
Message-ID: <566861F9.3090502@samba.org>

On 09/12/15 17:03, James wrote:
> On 12/9/2015 11:33 AM, Ole Traupe wrote:
>>
>>> - But when I try to ssh to a member server, it still takes forever,
>>> and a 'kinit' on a member server gives this:
>>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>> getting initial credentials"
>>>
>>> My /etc/krb5.conf looks like this (following your
suggestions,
>>> Rowland, as everything else are defaults):
>>>
>>> [libdefaults]
>>> default_realm = MY.DOMAIN.TLD
>>>
>>> And my /etc/resolv.conf is this:
>>>
>>> search my.domain.tld
>>> nameserver IP_of_1st_DC
>>> nameserver IP_of_2nd_DC
>>
>> Any idea why I still get this when trying to log on to a member
>> server while the first DC is down?
>>
>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>> getting initial credentials
>>
>> Ole
>
> Ole,
>
> I was trying to look back through your posts so excuse me if you
> have answered this. What was your original krb.conf file contents? A
> few things that may work is to specify the kdc and not rely on dns.
> for instance.
>
> [libdefaults]
> default_realm = MY.DOMAIN.TLD
> dns_lookup_kdc = false
> dns_lookup_realm = false
>
> [realms]
> MY.DOMAIN.TLD = {
> kdc = IP of First DC
> kdc = IP of Second DC
> }
>

If you have to do that, then there is something wrong with your dns and you need to fix this; dns is an important part of AD and really needs to work correctly.

I have been doing some testing with dns and with the internal dns server: even if you add another NS to the SOA record, you only have one NS. It seems the only way to get each DC to think it is a NS is to use bind9.

Rowland
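Rowland's point above is that a Kerberos client with the default dns_lookup_kdc finds its KDCs through the _kerberos._udp SRV record, so "Cannot contact any KDC" with one DC down means either that record does not list the second DC or the second DC is not answering. The script below is an added example, written for this page and not taken from the thread, Samba or MIT Kerberos; it does what Louis's host commands do by hand, orders the SRV answers the way a client does, probes each KDC, and reports which one a client on the member server would actually reach. It assumes dig is installed; the SRV answer embedded in the script and the dcN.samdom.example.com names are constructed placeholders for offline runs.

```python
"""Find the KDCs for a realm the way a Kerberos client does, then check each one.

Added example (not from the thread, not Samba or MIT Kerberos code). Assumes
'dig' is installed when run against a real realm.
"""
import socket
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample of 'dig +short SRV _kerberos._udp.<realm>' output, used for
# offline runs; the host names are placeholders, not from the thread.
SAMPLE_DIG_OUTPUT = """\
0 100 88 dc1.samdom.example.com.
0 100 88 dc2.samdom.example.com.
10 50 88 dc3.samdom.example.com.
"""


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_records(text: str) -> List[SrvRecord]:
    """Parse 'priority weight port target.' lines as printed by dig +short."""
    records: List[SrvRecord] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # dig prints nothing, or an error line, when the record is absent
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def ordered_kdcs(records: List[SrvRecord]) -> List[SrvRecord]:
    """RFC 2782 order: lowest priority first; within a priority, higher weight first.
    A real client picks randomly by weight inside one priority; a fixed order is
    enough for a diagnostic."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds (AD DCs serve Kerberos on TCP 88 too)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes DNS failures (socket.gaierror) and refused/timed-out connects
        return False


def first_reachable(records: List[SrvRecord],
                    probe: Callable[[str, int], bool] = tcp_probe) -> Optional[str]:
    """Return the target of the first KDC, in SRV order, that answers the probe."""
    for rec in ordered_kdcs(records):
        if probe(rec.target, rec.port):
            return rec.target
    return None


def lookup_kdc_srv(realm: str) -> List[SrvRecord]:
    """Query DNS with dig (assumed installed) for the realm's Kerberos SRV record."""
    out = subprocess.run(
        ["dig", "+short", "SRV", f"_kerberos._udp.{realm.lower()}."],
        capture_output=True, text=True, check=False,
    ).stdout
    return parse_srv_records(out)


if __name__ == "__main__":
    # Usage: python3 check_kdc.py MY.DOMAIN.TLD   (no argument: use the sample answer)
    import sys
    realm = sys.argv[1] if len(sys.argv) > 1 else None
    recs = lookup_kdc_srv(realm) if realm else parse_srv_records(SAMPLE_DIG_OUTPUT)
    if not recs:
        print("no _kerberos._udp SRV record found: with dns_lookup_kdc a client cannot discover any KDC")
    for rec in ordered_kdcs(recs):
        state = "up" if tcp_probe(rec.target, rec.port) else "DOWN"
        print(f"prio {rec.priority:3d}  {rec.target}:{rec.port}  {state}")
    print("first usable KDC:", first_reachable(recs))
```

Run it on the member server with the first DC stopped. If the SRV query comes back empty or lists only the first DC, the resolver in /etc/resolv.conf is not returning the second DC's record and the DNS side needs fixing, as Rowland says; if both DCs are listed but the second shows DOWN, the problem is on that DC (firewall or service), not in the client's krb5.conf.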
From lingpanda101 at gmail.com Wed Dec 9 17:32:04 2015
From: lingpanda101 at gmail.com (James)
Date: Wed, 9 Dec 2015 12:32:04 -0500
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566861F9.3090502@samba.org>
References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com> <566861F9.3090502@samba.org>
Message-ID: <56686594.9060405@gmail.com>

On 12/9/2015 12:16 PM, Rowland penny wrote:
> On 09/12/15 17:03, James wrote:
>> On 12/9/2015 11:33 AM, Ole Traupe wrote:
>>>
>>>> - But when I try to ssh to a member server, it still takes forever,
>>>> and a 'kinit' on a member server gives this:
>>>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>>> getting initial credentials"
>>>>
>>>> My /etc/krb5.conf looks like this (following your suggestions,
>>>> Rowland, as everything else are defaults):
>>>>
>>>> [libdefaults]
>>>> default_realm = MY.DOMAIN.TLD
>>>>
>>>> And my /etc/resolv.conf is this:
>>>>
>>>> search my.domain.tld
>>>> nameserver IP_of_1st_DC
>>>> nameserver IP_of_2nd_DC
>>>
>>> Any idea why I still get this when trying to log on to a member
>>> server while the first DC is down?
>>>
>>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>> getting initial credentials
>>>
>>> Ole
>>
>> Ole,
>>
>> I was trying to look back through your posts so excuse me if you
>> have answered this. What was your original krb.conf file contents? A
>> few things that may work is to specify the kdc and not rely on dns.
>> for instance.
>> >> [libdefaults] >> default_realm = MY.DOMAIN.TLD >> dns_lookup_kdc = false >> dns_lookup_realm = false >> >> [realms] >> MY.DOMAIN.TLD = { >> kdc = IP of First DC >> kdc = IP of Second DC >> } >> > > If you have to do that, then there is something wrong with your dns > and you need to fix this, dns is an important part of AD and really > needs to work correctly. > > I have been doing some testing with dns and with the internal dns > server, even if you add another NS to the SOA record, you only have > one NS. It seems the only way to get each DC to think it is a NS, is > to use bind9. > > Rowland > Rowland, I can understand that to be true. However it could apply in situations where DNS traffic would like to be kept to a minimum. At least that was my mind set when I researched using this config. -- -James From carlos.hollow at gmail.com Wed Dec 9 17:58:31 2015 From: carlos.hollow at gmail.com (Carlos A. P. Cunha) Date: Wed, 9 Dec 2015 15:58:31 -0200 Subject: [Samba] Fwd: Re: NTLMSSP NTLM2 packet check failed due to invalid signature In-Reply-To: <566863FD.8010207@gmail.com> References: <566863FD.8010207@gmail.com> Message-ID: <56686BC7.5090600@gmail.com> In short, I follow what ja think I was telling to UPGRADE follow the Wiki(which is was the same as you gave me) My samba has been updated from version 4.2 to 4.3(used wiki), so said he was running since August. Thank you very much for your attention. Bye Em 09-12-2015 15:01, Reindl Harald escreveu: > > > Am 09.12.2015 um 17:41 schrieb Carlos A. P. Cunha: >> Ok, my installation was build following the official wiki Samba using OS >> like Ubuntu 14:04 > > since Ubuntu 14.04 hardly has Samba 4.3.0 > > [ x ] self compiled (most likely) > > if you used a package from a 3rd party repo -> update it from there > >> Still the question remains how do I update the package? 
> > compile the new version with *exactly* the same ./configure parameters > as the old one - it's a *minor* update and so only files are replaced > with the newer versions > > but "My server Samba 4 version 4.3.0, running since August" sounds > impossible because "08 September 2015 Samba 4.3.0 Available for Download" > >> Em 09-12-2015 14:33, Reindl Harald escreveu: >>> >>> >>> Am 09.12.2015 um 17:20 schrieb Carlos A. P. Cunha: >>>> Wiki I am referring to was the link I spent to update the samba, I use >>>> the method described it to upgrade my Samba 4.3.0 -> 4.3.2? >>>> >>>> https://wiki.samba.org/index.php/Updating_Samba >>> >>> damned - how did you install it? >>> >>> [ ] self compiled >>> [ ] package >>> [ ] package on what operating system >>> >>> THERE IS NOTHING to do besides update the package and restart the >>> services and since you don't provide any informations about your setup >>> what shoudl we tell you? >>> >>>> Em 09-12-2015 14:07, Reindl Harald escreveu: >>>>> >>>>> >>>>> Am 09.12.2015 um 17:00 schrieb Carlos A. P. Cunha: >>>>>> Understood, then I follow what's in the Wiki? >>>>> >>>>> Wiki? >>>>> how did you install samba? >>>>> >>>>> if i installed from a package i would just write a bugreport when my >>>>> distribution stays on a x.0 release and when i build my own packages, >>>>> well, download tarball, edit the version number in the SPEC-file and >>>>> just fire rpmbuild >>>>> >>>>>> Em 09-12-2015 13:47, Reindl Harald escreveu: >>>>>>> >>>>>>> Am 09.12.2015 um 16:41 schrieb Carlos A. P. Cunha: >>>>>>>> hehehe >>>>>>>> Thank you for your attention. >>>>>>>> Know if you have a more "easy" to update the 4.3.0 -> 4.3.2 not be >>>>>>>> presented here. >>>>>>>> >>>>>>>> https://wiki.samba.org/index.php/Updating_Samba >>>>>>>> >>>>>>>> Application patch, exemple.... 
>>>>>>> >>>>>>> 4.3.0 -> 4.3.2 don't need any special examples becaus eit is a >>>>>>> *bugfix >>>>>>> only* minor update without any need to change configurations >>>>>>> >>>>>>> in production one should avoid x.0 releases in general >>>>>>> >>>>>>>> Em 09-12-2015 12:11, L.P.H. van Belle escreveu: >>>>>>>>> Sorry none.. >>>>>>>>> >>>>>>>>> I suggest first upgrade to the latest 4.3.x >>>>>>>>> If it is still there, post again, but with some more info about >>>>>>>>> your >>>>>>>>> setup. >>>>>>>>> >>>>>>>>> >>>>>>>>>> -----Oorspronkelijk bericht----- >>>>>>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Carlos >>>>>>>>>> A. P. >>>>>>>>>> Cunha >>>>>>>>>> Verzonden: woensdag 9 december 2015 13:13 >>>>>>>>>> Aan: samba at lists.samba.org >>>>>>>>>> Onderwerp: Re: [Samba] NTLMSSP NTLM2 packet check failed due to >>>>>>>>>> invalid >>>>>>>>>> signature >>>>>>>>>> >>>>>>>>>> Hi! >>>>>>>>>> any ideas? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Em 07-12-2015 10:56, Carlos A. P. Cunha escreveu: >>>>>>>>>>> HI! >>>>>>>>>>> My server Samba 4 version 4.3.0, running since August, do not >>>>>>>>>>> is a >>>>>>>>>>> problem, but my i see this messages logs every 1 minutes, any >>>>>>>>>>> ideas? >>>>>>>>>>> >>>>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 >>>>>>>>>>> 10:40:24.260707, 0] >>>>>>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) >>>>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet >>>>>>>>>>> check >>>>>>>>>>> failed due to invalid signature! >>>>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 >>>>>>>>>>> 10:40:24.280740, 0] >>>>>>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) >>>>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet >>>>>>>>>>> check >>>>>>>>>>> failed due to invalid signature! > > > From carlos.hollow at gmail.com Wed Dec 9 18:06:52 2015 From: carlos.hollow at gmail.com (Carlos A. P. 
Cunha) Date: Wed, 9 Dec 2015 16:06:52 -0200 Subject: [Samba] NTLMSSP NTLM2 packet check failed due to invalid signature In-Reply-To: <56686BC7.5090600@gmail.com> References: <56686BC7.5090600@gmail.com> Message-ID: <56686DBC.2010101@gmail.com> In short, I follow what ja think I was telling to UPGRADE follow the Wiki(which is was the same as you gave me) My samba has been updated from version 4.2 to 4.3(used wiki), so said he was running since August. Thank you very much for your attention. Bye Sorry e-mail repet :-) Em 09-12-2015 15:01, Reindl Harald escreveu: > > > Am 09.12.2015 um 17:41 schrieb Carlos A. P. Cunha: >> Ok, my installation was build following the official wiki Samba using OS >> like Ubuntu 14:04 > > since Ubuntu 14.04 hardly has Samba 4.3.0 > > [ x ] self compiled (most likely) > > if you used a package from a 3rd party repo -> update it from there > >> Still the question remains how do I update the package? > > compile the new version with *exactly* the same ./configure parameters > as the old one - it's a *minor* update and so only files are replaced > with the newer versions > > but "My server Samba 4 version 4.3.0, running since August" sounds > impossible because "08 September 2015 Samba 4.3.0 Available for Download" > >> Em 09-12-2015 14:33, Reindl Harald escreveu: >>> >>> >>> Am 09.12.2015 um 17:20 schrieb Carlos A. P. Cunha: >>>> Wiki I am referring to was the link I spent to update the samba, I use >>>> the method described it to upgrade my Samba 4.3.0 -> 4.3.2? >>>> >>>> https://wiki.samba.org/index.php/Updating_Samba >>> >>> damned - how did you install it? >>> >>> [ ] self compiled >>> [ ] package >>> [ ] package on what operating system >>> >>> THERE IS NOTHING to do besides update the package and restart the >>> services and since you don't provide any informations about your setup >>> what shoudl we tell you? >>> >>>> Em 09-12-2015 14:07, Reindl Harald escreveu: >>>>> >>>>> >>>>> Am 09.12.2015 um 17:00 schrieb Carlos A. P. 
Cunha: >>>>>> Understood, then I follow what's in the Wiki? >>>>> >>>>> Wiki? >>>>> how did you install samba? >>>>> >>>>> if i installed from a package i would just write a bugreport when my >>>>> distribution stays on a x.0 release and when i build my own packages, >>>>> well, download tarball, edit the version number in the SPEC-file and >>>>> just fire rpmbuild >>>>> >>>>>> Em 09-12-2015 13:47, Reindl Harald escreveu: >>>>>>> >>>>>>> Am 09.12.2015 um 16:41 schrieb Carlos A. P. Cunha: >>>>>>>> hehehe >>>>>>>> Thank you for your attention. >>>>>>>> Know if you have a more "easy" to update the 4.3.0 -> 4.3.2 not be >>>>>>>> presented here. >>>>>>>> >>>>>>>> https://wiki.samba.org/index.php/Updating_Samba >>>>>>>> >>>>>>>> Application patch, exemple.... >>>>>>> >>>>>>> 4.3.0 -> 4.3.2 don't need any special examples becaus eit is a >>>>>>> *bugfix >>>>>>> only* minor update without any need to change configurations >>>>>>> >>>>>>> in production one should avoid x.0 releases in general >>>>>>> >>>>>>>> Em 09-12-2015 12:11, L.P.H. van Belle escreveu: >>>>>>>>> Sorry none.. >>>>>>>>> >>>>>>>>> I suggest first upgrade to the latest 4.3.x >>>>>>>>> If it is still there, post again, but with some more info about >>>>>>>>> your >>>>>>>>> setup. >>>>>>>>> >>>>>>>>> >>>>>>>>>> -----Oorspronkelijk bericht----- >>>>>>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Carlos >>>>>>>>>> A. P. >>>>>>>>>> Cunha >>>>>>>>>> Verzonden: woensdag 9 december 2015 13:13 >>>>>>>>>> Aan: samba at lists.samba.org >>>>>>>>>> Onderwerp: Re: [Samba] NTLMSSP NTLM2 packet check failed due to >>>>>>>>>> invalid >>>>>>>>>> signature >>>>>>>>>> >>>>>>>>>> Hi! >>>>>>>>>> any ideas? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Em 07-12-2015 10:56, Carlos A. P. Cunha escreveu: >>>>>>>>>>> HI! >>>>>>>>>>> My server Samba 4 version 4.3.0, running since August, do not >>>>>>>>>>> is a >>>>>>>>>>> problem, but my i see this messages logs every 1 minutes, any >>>>>>>>>>> ideas? 
>>>>>>>>>>> >>>>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 >>>>>>>>>>> 10:40:24.260707, 0] >>>>>>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) >>>>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet >>>>>>>>>>> check >>>>>>>>>>> failed due to invalid signature! >>>>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: [2015/12/07 >>>>>>>>>>> 10:40:24.280740, 0] >>>>>>>>>>> ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) >>>>>>>>>>> Dec 7 10:40:24 dc-linux samba[4912]: NTLMSSP NTLM2 packet >>>>>>>>>>> check >>>>>>>>>>> failed due to invalid signature! > > > From jonathan at springventuregroup.com Wed Dec 9 19:03:36 2015 From: jonathan at springventuregroup.com (Jonathan S. Fisher) Date: Wed, 9 Dec 2015 13:03:36 -0600 Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command In-Reply-To: References: <566158BC.4020405@samba.org> <56615B07.4030204@tao.at> <56615E06.2030805@samba.org> Message-ID: Here's a random question... would it matter if our domain has trust relationships setup? *Jonathan S. Fisher* *VP - Information Technology* *Spring Venture Group* On Wed, Dec 9, 2015 at 9:34 AM, mathias dufresne wrote: > Hi Jonathan, > > You wrote: > domain windows.corp.springventuregroup.com > search windows.corp.*pringventuregroupcom* > nameserver 192.168.127.131 > nameserver 192.168.112.4 > > Is this a typo error when copying the content or is it a content error in > your resolv.conf? > > If you really have that "search" line in your resolv.conf it would be > logical that rsetarting Samba services you get the error "unable to resolve > host freeradius" as it will be extended in: > freeradius.windows.corp.pringventuregroupcom > rather than: > freeradius.windows.corp.springventuregroup.com > > If this is not a typo error I would check the "resolvconf" configuration > or remove the use of that tool (temporarily or not) on that box. > > If this is not a typo, I'm puzzled... 
> > Hoping for you to get a solution, > > mathias > > 2015-12-07 19:04 GMT+01:00 Jonathan S. Fisher < > jonathan at springventuregroup.com>: > >> Hey Rowland, be kind and avoid passive aggressive comments. I'm just >> looking to try and get this to work, thanks. If I knew everything already, >> I wouldn't be here asking questions and trying to solve my own problem. I >> appreciate your help so far, but if you don't have anything nice say, >> please just ignore this thread. >> >> So: >> jonathan.fisher at freeradius:~$ sudo hostname -y >> hostname: Local domain name not set >> jonathan.fisher at freeradius:~$ sudo hostname -d >> windows.corp.springventuregroup.com >> jonathan.fisher at freeradius:~$ sudo hostname -f >> freeradius.windows.corp.springventuregroup.com >> >> Unfortunately, since this box is an LXC container, I can't run the syctl >> command: >> jonathan.fisher at freeradius:~$ sysctl -w kernel.domainname=" >> windows.corp.XXX.com" >> sysctl: permission denied on key 'kernel.domainname' >> >> We're good here: >> jonathan.fisher at freeradius:~$ cat /etc/hostname >> freeradiusjonathan.fisher at freeradius:~$ >> >> So I added >> dns proxy = true >> >> No dice, same output as before. 
>> >> Made this change: >> jonathan.fisher at freeradius:~$ cat /etc/resolv.conf >> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by >> resolvconf(8) >> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN >> domain windows.corp.springventuregroup.com >> search windows.corp.pringventuregroupcom >> nameserver 192.168.127.131 >> nameserver 192.168.112.4 >> >> Also the same output, but this message popped up after restarting samba: >> jonathan.fisher at freeradius:~$ sudo service sernet-samba-winbindd restart >> && >> sudo service sernet-samba-nmbd restart && sudo service sernet-samba-smbd >> restart >> sudo: unable to resolve host freeradius >> Shutting down SAMBA winbindd : * >> Starting SAMBA winbindd : * >> sudo: unable to resolve host freeradius >> Shutting down SAMBA nmbd : * >> Starting SAMBA nmbd : * >> sudo: unable to resolve host freeradius >> Shutting down SAMBA smbd : * >> Starting SAMBA smbd : * >> >> No idea if that's relevant... >> >> So I undid the resolv.conf change, and here's the output of testparam: >> >> jonathan.fisher at freeradius:~$ testparm -v | grep net >> Load smb config files from /etc/samba/smb.conf >> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) >> Loaded services file OK. >> Server role: ROLE_DOMAIN_MEMBER >> >> Press enter to see a dump of your service definitions >> >> netbios name = FREERADIUS >> netbios aliases = >> netbios scope = >> disable netbios = No >> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, >> lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, >> backupkey, >> dnsserver >> >> Sigh... thanks. I'm appreciate your patience and your help. 
>> >> >> On Fri, Dec 4, 2015 at 3:33 AM, Rowland penny wrote: >> >> > On 04/12/15 09:21, Sven Schwedas wrote: >> > >> >> On 2015-12-04 10:11, Rowland penny wrote: >> >> >> >>> I still think it is his weird dns setup, were he has a dnsmasq server >> >>> replicating what the DCs know (or is supposed to). I think the sheer >> >>> fact that he didn't know what lmhosts is, says a lot. >> >>> >> >> We're using such a setup in production without any problems. How about >> >> less wild blind guessing and user shaming, and more actual help? >> >> >> >> >> >> >> >> >> > Sven, you may be using a similar system, but it isn't recommended. The >> OP >> > is having problems getting a Samba domain member working, I have tried >> to >> > point him in the direction of a known working set up, once he has this >> > working, what he does with it, is up to him. He may be able to use the >> > dnsmasq server, I don't know, but if he has a working system and it >> stops >> > working when he adds in the dnsmasq server, he will know where to look, >> > won't he! >> > >> > >> > Rowland >> > >> > -- >> > To unsubscribe from this list go to the following URL and read the >> > instructions: https://lists.samba.org/mailman/options/samba >> > >> >> -- >> Email Confidentiality Notice: The information contained in this >> transmission is confidential, proprietary or privileged and may be subject >> to protection under the law, including the Health Insurance Portability >> and >> Accountability Act (HIPAA). The message is intended for the sole use of >> the >> individual or entity to whom it is addressed. If you are not the intended >> recipient, you are notified that any use, distribution or copying of the >> message is strictly prohibited and may subject you to criminal or civil >> penalties. If you received this transmission in error, please contact the >> sender immediately by replying to this email and delete the material from >> any computer. 
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
>

--
Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer.

From jeff.sadowski at gmail.com Wed Dec 9 19:32:54 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Wed, 9 Dec 2015 12:32:54 -0700
Subject: [Samba] Adding an AD group to /etc/sudoers?
In-Reply-To:
References:
Message-ID:

OK, after fighting to get my groups sorted out for my test user, I created a "sudoer" group and added "jefftest" to "sudoer":

> id jefftest
uid=11507(jefftest) gid=8513(domain users) groups=8513(domain users),31020(sudoer)

and added "sudoer" to /etc/sudoers like so:

%sudoer ALL=(ALL) ALL

Now when I log in as jefftest I can run commands using sudo.

Back to my other user, who I also added to sudoer: I still cannot run commands using sudo, but as you suggested I do "newgrp it" or "newgrp sudoer" and then I can run commands using sudo.

On Wed, Dec 9, 2015 at 8:20 AM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
> Jeff,
>
> After ssh try to run:
>
> newgrp it
>
> and then sudo. See if it will work, then you'll have to figure out what's
> going on with the user's group membership.
> > > Regards, > > Matt > > > ------------------------------ > *From:* Jeff Sadowski > *Sent:* Wednesday, December 9, 2015 10:08 AM > > *To:* Mattias Zhabinskiy; samba > *Subject:* Re: [Samba] Adding an AD group to /etc/sudoers? > > # cat /proc/sys/kernel/ngroups_max > 65536 > # sysctl kernel.ngroups_max > kernel.ngroups_max = 65536 > > Is there a way to change/look at AUTH_SYS? > Seems I have 28 groups now as my user > I tried created a test user with much less groups > but it turns out it is on all those other groups. > As such I tried > > winbind nested groups=no > > but this doesn't seem to change anything. > > > > On Tue, Dec 8, 2015 at 5:05 PM, Mattias Zhabinskiy < > mattiasz at thinklogical.com> wrote: > >> Jeff, >> >> >> To find out maximum number of groups allowed per user run: >> >> cat /proc/sys/kernel/ngroups_max >> or >> sysctl kernel.ngroups_max >> but AFAIK AUTH_SYS has a limit of 16, so I would try to either create a >> test account, add it to the "it" group and test it with sudo, or trim your >> account membership to 16 or less groups. >> >> Regards, >> >> Matt >> >> ------------------------------ >> *From:* Jeff Sadowski >> *Sent:* Tuesday, December 8, 2015 4:59 PM >> *To:* Mattias Zhabinskiy; samba >> *Subject:* Re: [Samba] Adding an AD group to /etc/sudoers? >> >> # id username|sed "s/,/\n/g"|wc -l >> 155 >> >> # id|sed "s/,/\n/g"|wc -l >> 28 >> >> >> On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski >> wrote: >> >>> wbinfo -r username >>> shows the gid of it >>> and a bunch of -1's id guess for groups without gid's >>> my user belongs to 155 groups is there a problem with that many groups? >>> >>> On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski >>> wrote: >>> >>>> "id" alone does not show my user in the it group >>>> "id username" does >>>> why would id alone give different results? 
>>>> >>>> which is odd because >>>> as my username I can get into a folder that has 0760 permissions with >>>> user as root and it as the group >>>> >>>> as for >>>> %it ALL=(ALL) ALL >>>> instead of: >>>> %it ALL=(ALL:ALL) ALL >>>> >>>> seems to work the same >>>> >>>> >>>> >>>> On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy < >>>> mattiasz at thinklogical.com> wrote: >>>> >>>>> Jeff, >>>>> >>>>> After the ssh did you run "id" command to verify that your account >>>>> belongs to the "it" group on the remote system? >>>>> >>>>> Did you try: >>>>> %it ALL=(ALL) ALL >>>>> instead of: >>>>> %it ALL=(ALL:ALL) ALL >>>>> >>>>> Regards, >>>>> Matt >>>>> >>>>> ________________________________________ >>>>> From: samba on behalf of Jeff >>>>> Sadowski >>>>> Sent: Monday, December 7, 2015 2:56 PM >>>>> To: samba >>>>> Subject: [Samba] Adding an AD group to /etc/sudoers? >>>>> >>>>> I can't seem to get this working and here is what I have done so far. >>>>> I am using samba 4.1.6 >>>>> >>>>> my /etc/samba/smb.conf looks like so >>>>> >>>>> security = ads >>>>> realm = DOMAIN.LONG >>>>> workgroup = DOMAIN >>>>> idmap config * : backend = tdb >>>>> idmap config * : range = 2000-7999 >>>>> idmap config DOMAIN:backend = ad >>>>> idmap config DOMAIN:range = 8000-9999999 >>>>> idmap config DOMAIN:schema_mode = rfc2307 >>>>> winbind nss info = rfc2307 >>>>> winbind use default domain = yes >>>>> winbind nested groups=yes >>>>> # so that the users show up in getent >>>>> winbind enum users = Yes >>>>> # doesn't seem to do the same for groups :-/ >>>>> winbind enum groups = Yes >>>>> restrict anonymous = 2 >>>>> >>>>> In AD my group it has a gid 8001 >>>>> >>>>> #getent group it >>>>> it:x:8001:myusername,others >>>>> >>>>> >>>>> in /etc/sudoers is the line >>>>> %it ALL=(ALL:ALL) ALL >>>>> >>>>> when I ssh to said machine like so >>>>> >>>>> ssh myusername at problemhost >>>>> >>>>> then run a command like so >>>>> >>>>> > sudo echo >>>>> [sudo] password for myusername: >>>>> 
>>>>> myusername is not in the sudoers file. This incident will be reported.
>>>>>
>>>>> I tried adding another line to /etc/sudoers as follows:
>>>>> %DOMAIN\\it ALL=(ALL:ALL) ALL
>>>>>
>>>>> and
>>>>>
>>>>> %DOMAIN\it ALL=(ALL:ALL) ALL
>>>>>
>>>>> but neither of them works either.
>>>>>
>>>>> I seem to be able to get into the NFS shares I have group permissions
>>>>> to, but I cannot get sudo to work with my AD user group.
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>>
>>>
>>
>

From bwyatt_sub at comcast.net Wed Dec 9 23:07:58 2015
From: bwyatt_sub at comcast.net (Bob Wyatt)
Date: Wed, 9 Dec 2015 18:07:58 -0500
Subject: [Samba] AIX 7.1, Windows Server 2012, Samba 3.6.23 or?
Message-ID: <001101d132d6$71fc8620$55f59260$@comcast.net>

Our system was upgraded several months ago to Samba 3.6.23 on AIX 7.1 using the IBM-delivered Samba packages (not RPMs). We use it for file sharing only, and sharing is authenticated against an older Windows Server domain (NT-style). We are switching to a Windows Server 2012 domain.

Do I need to upgrade Samba to 4.2 or 4.3 (currently supported releases)? Or will 3.6.23 still authenticate against the Windows Server 2012 domain? Does it require an smb.conf file adjustment?

Since Samba isn't used as an Active Directory server, I'm hoping to avoid the upgrade due to the massive dependency list, uninstalling the currently working installation, etc. IBM is still distributing Samba 3.6.25, so I don't expect much help there.

Any help would be greatly appreciated!
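The sudoers thread above ends with a working "%sudoer" rule for a fresh login and the observation that an already logged-in user needs "newgrp it" before sudo honours the rule. The reason is that sudo's "%group" match is made against the group list of the calling process, which the kernel fixes at login time, not against a fresh directory lookup; that is also why "id" (this session) and "id username" (a new lookup) can disagree. The following added example is editor's code, not code from the thread, from sudo or from Samba. It reproduces that matching rule in plain sh over a constructed sudoers fragment and constructed "id" output, so it runs offline; the user, GIDs and group names are the made-up ones from the thread.

```shell
#!/bin/sh
# Added example (editor's code, not from the list, sudo or Samba): how a
# "%group" sudoers rule is matched against the *calling process's* group
# list, and why a stale login session is refused until newgrp or re-login.

# Constructed sudoers fragment with the rules from the thread.
SUDOERS='
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%it             ALL=(ALL:ALL) ALL
%sudoer         ALL=(ALL) ALL
'

# Constructed "id" output (made-up user and GIDs): a session opened after
# the user was added to "sudoer" ...
ID_FRESH='uid=11507(jefftest) gid=8513(domain users) groups=8513(domain users),31020(sudoer)'
# ... and a session opened before the change. The kernel keeps the
# supplementary group list fixed at login, so the new group is absent here.
ID_STALE='uid=11507(jefftest) gid=8513(domain users) groups=8513(domain users)'

# Print the group names referenced by %rules in a sudoers text, one per line.
sudoers_groups() {
    printf '%s\n' "$1" | sed -n 's/^%\([^[:space:]]*\)[[:space:]].*/\1/p'
}

# Print the group names from "id" output, one per line. The "groups=" field
# is comma separated, so names containing spaces ("domain users") survive.
id_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/'
}

# Print every %rule group the process is a member of. With sudo's default
# group_source (sudo.conf(5): "adaptive") sudo consults the kernel's group
# list from getgroups(2) unless that list is full, not what "id username"
# reads fresh from winbind; "Set group_source dynamic" in /etc/sudo.conf
# makes it query the group database on every invocation instead.
matching_groups() {
    sudoers="$1"; id_out="$2"
    sudoers_groups "$sudoers" | while IFS= read -r g; do
        id_groups "$id_out" | while IFS= read -r have; do
            if [ "$have" = "$g" ]; then printf '%s\n' "$g"; fi
        done
    done
}

# Return 0 when at least one %rule applies to the session, 1 otherwise.
can_sudo() {
    [ -n "$(matching_groups "$1" "$2")" ]
}

# Demonstration: the stale session is refused, the fresh one is allowed.
if can_sudo "$SUDOERS" "$ID_STALE"; then
    echo "stale session: allowed"
else
    echo "stale session: not in the sudoers file (re-login or: newgrp sudoer)"
fi
if can_sudo "$SUDOERS" "$ID_FRESH"; then
    echo "fresh session: allowed via %$(matching_groups "$SUDOERS" "$ID_FRESH")"
fi
```

Two practical checks follow from this. On the real box, compare "id" inside the SSH session with "id username" and with "getent group it"; if the group is only in the latter two, the session predates the membership change (or winbind's cache, "winbind cache time", has not yet refreshed) and "newgrp it" or a new login is the fix. Also, with "winbind use default domain = yes" getent returns the bare name "it", so "%it" is the form that matches; the "%DOMAIN\\it" form only matches names that still carry the separator. Validate any edit with "visudo -cf /etc/sudoers" before logging out.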
From belle at bazuin.nl Thu Dec 10 07:32:09 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 10 Dec 2015 08:32:09 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566861F9.3090502@samba.org>
References: <56685EF6.90809@gmail.com>
Message-ID:

> I have been doing some testing with dns and with the internal dns
> server, even if you add another NS to the SOA record, you only have one
> NS. It seems the only way to get each DC to think it is a NS, is to use
> bind9.
>

Hai

Good to know. Some versions of Samba (I don't know which) have this problem also if you use bind9_dlz.

So, my question to the readers: if you use a Samba 4 DC with BIND9_DLZ and you have 2 or more DCs, check all your zones to see whether you also have the same number of NS servers.

I know from my install that I had only 1 DC as an NS record; I manually added the second to the zones.

Greetz,

Louis

From vigneshdhanraj.g at gmail.com Thu Dec 10 07:49:57 2015
From: vigneshdhanraj.g at gmail.com (VigneshDhanraj G)
Date: Thu, 10 Dec 2015 13:19:57 +0530
Subject: [Samba] Pam-logon failure for AD users
In-Reply-To: <5638B13D.8000108@gmail.com>
References: <5638B13D.8000108@gmail.com>
Message-ID:

Hi,

This issue is not solved. FTP and CIFS use the same way of authentication, but when trying to access CIFS it always shows the same ACCESS_DENIED error.

Regards,

Vigneshdhanraj G

On Tue, Nov 3, 2015 at 6:36 PM, Rowland Penny wrote:
> On 03/11/15 12:25, VigneshDhanraj G wrote:
>
>> Hi Team,
>>
>> when i am running this command i am getting the following error
>> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1"
>>
>> Enter DOMAIN\testusr1's password:
>> plaintext password authentication failed
>> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
>> error message was: Access denied
>> pam_logon failed for DOMAIN\testusr1
>>
>> FTP and Cifs use pam. Ftp authentication using domain working fine. But,
>> Cifs showing ACCESS_DENIED error.
>> >> Samba version : 4.1.17 >> >> In winbindd.log i could see >> [2015/11/03 11:59:46.377088, 10, pid=435, effective(0, 0), real(0, 0), >> class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done) >> wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED >> >> My smb.conf is >> >> available= yes >> restrict anonymous= 0 >> server string= LenovoEMC™ px6-300d >> Workgroup= DOMAIN >> netbios name= Debian >> realm= DOMAIN.LOCAL >> password server= 192.168.1.100, * >> idmap backend= tdb >> idmap uid= 5000-9999999 >> idmap gid= 5000-9999999 >> security= ADS >> name resolve order= wins host bcast lmhosts >> client use spnego= yes >> dns proxy= no >> winbind use default domain= no >> winbind nested groups= yes >> inherit acls= yes >> winbind enum users= yes >> winbind enum groups= yes >> winbind separator= \\ >> winbind cache time= 300 >> winbind offline logon= true >> template shell= /bin/sh >> map to guest= Bad User >> host msdfs= yes >> strict allocate= yes >> encrypt passwords= yes >> passdb backend= smbpasswd >> printcap name= lpstat >> printable= no >> load printers= yes >> max smbd processes= 500 >> getwd cache= yes >> syslog= 0 >> use sendfile= yes >> log level= 0 >> max log size= 50 >> unix extensions= no >> dos charset= ascii >> state directory= /mnt/system/samba/system >> >> >> Windows client from which i am trying to access cifs is also connected to >> the domain. >> >> >> Could anybody help me regarding this issue. Ftp and cifs both uses samba >> authentication but cifs authentication alone showing authentication error. 
>>
>>
>> Regards,
>>
>> Vigneshdhanraj G
>> -- To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
> You seem to be connecting to an AD domain, it might help if you set up your
> smb.conf a bit differently, I would have a look here:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> adjust your smb.conf with reference to the above page and then follow the
> various links.
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

From rpenny at samba.org Thu Dec 10 09:09:48 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 10 Dec 2015 09:09:48 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To:
References: <56685EF6.90809@gmail.com>
Message-ID: <5669415C.2040904@samba.org>

On 10/12/15 07:32, L.P.H. van Belle wrote:
>> I have been doing some testing with dns and with the internal dns
>> server, even if you add another NS to the SOA record, you only have one
>> NS. It seems the only way to get each DC to think it is a NS, is to use
>> bind9.
>>
> Hai
>
> Good to know. Some versions of Samba (I don't know which) have this problem also if you use bind9_dlz.
>
> So, my question to the readers: if you use a Samba 4 DC with BIND9_DLZ and you have 2 or more DCs, check all your zones to see whether you also have the same number of NS servers.
>
> I know from my install that I had only 1 DC as an NS record; I manually added the second to the zones.
>
> Greetz,
>
> Louis
>
>
>

You will only have 1 DC as NS; nothing adds the second (or any other subsequent DC's) NS record to the SOA records.
Rowland From rpenny at samba.org Thu Dec 10 09:11:33 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 10 Dec 2015 09:11:33 +0000 Subject: [Samba] Pam-logon failure for AD users In-Reply-To: References: <5638B13D.8000108@gmail.com> Message-ID: <566941C5.7000701@samba.org> On 10/12/15 07:49, VigneshDhanraj G wrote: > Hi, > > This issue not solved, ftp and cifs using same way of authentication. but > when trying to access cifs it always shows the same ACCESS_DENIED error. > > Regards, > > Vigneshdhanraj G > > > On Tue, Nov 3, 2015 at 6:36 PM, Rowland Penny > wrote: > >> On 03/11/15 12:25, VigneshDhanraj G wrote: >> >>> Hi Team, >>> >>> when i am running this command i am getting the following error >>> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1" >>> >>> Enter DOMAIN\testusr1's password: >>> plaintext password authentication failed >>> error code was NT_STATUS_ACCESS_DENIED (0xc0000022) >>> error message was: Access denied >>> pam_logon failed for DOMAIN\testusr1 >>> >>> FTP and Cifs uses pam. Ftp authentication using domain working fine. But, >>> Cifs showing ACCESS_DENIED error. 
>>> >>> Samba version : 4.1.17 >>> >>> In winbindd.log i could see >>> [2015/11/03 11:59:46.377088, 10, pid=435, effective(0, 0), real(0, 0), >>> class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done) >>> wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED >>> >>> My smb.conf is >>> >>> available= yes >>> restrict anonymous= 0 >>> server string= LenovoEMC™ px6-300d >>> Workgroup= DOMAIN >>> netbios name= Debian >>> realm= DOMAIN.LOCAL >>> password server= 192.168.1.100, * >>> idmap backend= tdb >>> idmap uid= 5000-9999999 >>> idmap gid= 5000-9999999 >>> security= ADS >>> name resolve order= wins host bcast lmhosts >>> client use spnego= yes >>> dns proxy= no >>> winbind use default domain= no >>> winbind nested groups= yes >>> inherit acls= yes >>> winbind enum users= yes >>> winbind enum groups= yes >>> winbind separator= \\ >>> winbind cache time= 300 >>> winbind offline logon= true >>> template shell= /bin/sh >>> map to guest= Bad User >>> host msdfs= yes >>> strict allocate= yes >>> encrypt passwords= yes >>> passdb backend= smbpasswd >>> printcap name= lpstat >>> printable= no >>> load printers= yes >>> max smbd processes= 500 >>> getwd cache= yes >>> syslog= 0 >>> use sendfile= yes >>> log level= 0 >>> max log size= 50 >>> unix extensions= no >>> dos charset= ascii >>> state directory= /mnt/system/samba/system >>> >>> >>> Windows client from which i am trying to access cifs is also connected to >>> the domain. >>> >>> >>> Could anybody help me regarding this issue. Ftp and cifs both uses samba >>> authentication but cifs authentication alone showing authentication error. 
>>>
>>>
>>> Regards,
>>>
>>> Vigneshdhanraj G
>>> -- To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>> You seem to be connecting to an AD domain, it might help if you set up your
>> smb.conf a bit differently, I would have a look here:
>>
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>> adjust your smb.conf with reference to the above page and then follow the
>> various links.
>>
>> Rowland
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>

Please post your new smb.conf

Rowland

From abartlet at samba.org Thu Dec 10 09:20:41 2015
From: abartlet at samba.org (Andrew Bartlett)
Date: Thu, 10 Dec 2015 22:20:41 +1300
Subject: [Samba] Confusion about account locking policy (Samba AD/Windows 7 client)
In-Reply-To: <56680325.90908@tu-berlin.de>
References: <5666FD31.9090308@tu-berlin.de> <1449642749.15594.73.camel@samba.org> <56680325.90908@tu-berlin.de>
Message-ID: <1449739241.15594.89.camel@samba.org>

On Wed, 2015-12-09 at 11:32 +0100, Ole Traupe wrote:
> I can do some playing around:
>
> a) I have set a GPO for lockout at '10' invalid attempts (the rest of
> the password options set as on the Samba DC), forced the 'gpupdate', and
> left the Samba rules set to '5' (checked on both DCs). But still I get
> locked out after 3 invalid attempts.
>
> b) I have set the Samba rules to '10' (or '15') invalid attempts and get
> locked out after 6 (or 8) now. So:
>
> Setting '5': locked out after 3
> Setting '10': locked out after 6
> Setting '15': locked out after 8
>
> Seems that Samba doubles the count and loses one.
>
> No big deal, however; I was just curious as I had locked myself out once
> too early.

Yes, we haven't understood why that happens.
The tests (except when we update Heimdal, which causes double-counting) work as expected, so my suspicion is that the client does something that triggers multiple lockouts.

I would love someone to dig into this and isolate it for us.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

From belle at bazuin.nl Thu Dec 10 09:23:14 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 10 Dec 2015 10:23:14 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5669415C.2040904@samba.org>
References:
Message-ID:

I was wondering why, because in a full Windows domain every DC has an NS record.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Thursday 10 December 2015 10:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
> On 10/12/15 07:32, L.P.H. van Belle wrote:
> >> I have been doing some testing with dns and with the internal dns
> >> server, even if you add another NS to the SOA record, you only have one
> >> NS. It seems the only way to get each DC to think it is a NS, is to use
> >> bind9.
> >>
> > Hai
> >
> > Good to know. Some versions of Samba (I don't know which) have this
> problem also if you use bind9_dlz.
> >
> > So, my question to the readers: if you use a Samba 4 DC with BIND9_DLZ and
> you have 2 or more DCs, check all your zones to see whether you also have the same
> number of NS servers.
> >
> > I know from my install that I had only 1 DC as an NS record; I manually added
> the second to the zones.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
>
> You will only have 1 DC as NS; nothing adds the second (or any other
> subsequent DC's) NS record to the SOA records.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

From rpenny at samba.org Thu Dec 10 09:41:07 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 10 Dec 2015 09:41:07 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To:
References:
Message-ID: <566948B3.7090600@samba.org>

On 10/12/15 09:23, L.P.H. van Belle wrote:
> I was wondering why, because in a full Windows domain every DC has an NS record.
>
>

When you join a DC, the basic info is added to AD and then, when the samba daemon is started, samba_dnsupdate is run; this uses the file dns_update_list to add (if required) various DNS records. Guess what DNS records are not in that file?

However, even if you add the missing NS records to the SOA records, if you use the internal DNS server you will still only have one NS; this appears to be your first DC. I am beginning to think that if you have more than one DC, you should forget the internal DNS server and use BIND_DLZ instead.

Rowland

From belle at bazuin.nl Thu Dec 10 10:44:35 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 10 Dec 2015 11:44:35 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566948B3.7090600@samba.org>
References:
Message-ID:

Hai,

Ah, ok, well, yeah, I was missing the NS on the SOA.

This is IMO a bug. I don't know if this is by design for Samba, so maybe a Samba dev can answer this, since every joined DC should have an NS record on the SOA as far as I know, but that's my opinion and I can be wrong here.
Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Thursday, 10 December 2015 10:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>
> On 10/12/15 09:23, L.P.H. van Belle wrote:
> > I was wondering why, because in a full Windows domain every DC has an NS
> > record.
> >
>
> When you join a DC, the basic info is added to AD and then, when the
> samba daemon is started, samba_dnsupdate is run; this uses the file
> dns_update_list to add (if required) various dns records. Guess what dns
> records are not in that file?
>
> However, even if you add the missing NS records to the SOA records, if
> you use the internal dns server you will still only have one NS; this
> appears to be your first DC. I am beginning to think that if you have
> more than one DC, you should forget the internal DNS server and use
> BIND_DLZ instead.
>
> Rowland


From rpenny at samba.org Thu Dec 10 10:54:27 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 10 Dec 2015 10:54:27 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
Message-ID: <566959E3.1040302@samba.org>

On 10/12/15 10:44, L.P.H. van Belle wrote:
> Hai,
>
> Ah, ok, well, yeah, I was missing the NS on the SOA.
>
> This is imo a bug. I don't know if this is by design for Samba,
> so maybe a Samba dev can answer this, since every joined DC should have an NS record on the SOA as far as I know, but that's my opinion and I can be wrong here.
>
> Greetz,
>
> Louis
>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>> Sent: Thursday, 10 December 2015 10:41
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>>
>> On 10/12/15 09:23, L.P.H. van Belle wrote:
>>> I was wondering why, because in a full Windows domain every DC has an NS
>>> record.
>>>
>> When you join a DC, the basic info is added to AD and then, when the
>> samba daemon is started, samba_dnsupdate is run; this uses the file
>> dns_update_list to add (if required) various dns records. Guess what dns
>> records are not in that file?
>>
>> However, even if you add the missing NS records to the SOA records, if
>> you use the internal dns server you will still only have one NS; this
>> appears to be your first DC. I am beginning to think that if you have
>> more than one DC, you should forget the internal DNS server and use
>> BIND_DLZ instead.
>>
>> Rowland
>

When I can figure out how to get into the new GitHub setup, I will be proposing a patch for this; it just needs three lines adding to dns_update_list.

Rowland


From rpenny at samba.org Thu Dec 10 11:55:55 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 10 Dec 2015 11:55:55 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566959E3.1040302@samba.org>
References: <566959E3.1040302@samba.org>
Message-ID: <5669684B.3010905@samba.org>

On 10/12/15 10:54, Rowland penny wrote:
> On 10/12/15 10:44, L.P.H. van Belle wrote:
>> Hai,
>>
>> Ah, ok, well, yeah, I was missing the NS on the SOA.
>>
>> This is imo a bug. I don't know if this is by design for Samba,
>> so maybe a Samba dev can answer this, since every joined DC should
>> have an NS record on the SOA as far as I know, but that's my opinion
>> and I can be wrong here.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original Message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>>> Sent: Thursday, 10 December 2015 10:41
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>>>
>>> On 10/12/15 09:23, L.P.H. van Belle wrote:
>>>> I was wondering why, because in a full Windows domain every DC has
>>>> an NS record.
>>>>
>>> When you join a DC, the basic info is added to AD and then, when the
>>> samba daemon is started, samba_dnsupdate is run; this uses the file
>>> dns_update_list to add (if required) various dns records. Guess what
>>> dns records are not in that file?
>>>
>>> However, even if you add the missing NS records to the SOA records, if
>>> you use the internal dns server you will still only have one NS; this
>>> appears to be your first DC. I am beginning to think that if you have
>>> more than one DC, you should forget the internal DNS server and use
>>> BIND_DLZ instead.
>>>
>>> Rowland
>>
>
> When I can figure out how to get into the new GitHub setup, I will be
> proposing a patch for this; it just needs three lines adding to
> dns_update_list.
>
> Rowland
>

If anybody is interested, these are the results of my testing. First, here are the results of adding an NS record to the dns domain SOA record for the second DC on a domain using the internal dns server:

root at testdc1:~# dig SOA +multiline home.lan

; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10153
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;home.lan.                      IN SOA

;; ANSWER SECTION:
home.lan.               3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
                                1          ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; Query time: 28 msec
;; SERVER: 192.168.0.241#53(192.168.0.241)
;; WHEN: Thu Dec 10 11:35:46 GMT 2015
;; MSG SIZE  rcvd: 81

root at testdc2:~# dig SOA +multiline home.lan

; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23755
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;home.lan.                      IN SOA

;; ANSWER SECTION:
home.lan.               3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
                                1          ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; Query time: 56 msec
;; SERVER: 192.168.0.240#53(192.168.0.240)
;; WHEN: Thu Dec 10 11:36:14 GMT 2015
;; MSG SIZE  rcvd: 81

As you can see, even though each DC is using the other DC as its nameserver in /etc/resolv.conf, they both return the same info. Now compare that with the info from a domain that uses bind9 as the dns server:

root at dc1:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59426
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.            IN SOA

;; ANSWER SECTION:
samdom.example.com.     3600 IN SOA dc2.samdom.example.com. hostmaster.samdom.example.com. (
                                101        ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; AUTHORITY SECTION:
samdom.example.com.     900 IN NS dc1.samdom.example.com.
samdom.example.com.     900 IN NS dc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900 IN A 192.168.0.5
dc2.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 7 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Thu Dec 10 11:41:22 GMT 2015
;; MSG SIZE  rcvd: 162

root at dc2:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.            IN SOA

;; ANSWER SECTION:
samdom.example.com.     3600 IN SOA dc1.samdom.example.com. hostmaster.samdom.example.com. (
                                101        ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; AUTHORITY SECTION:
samdom.example.com.     900 IN NS dc1.samdom.example.com.
samdom.example.com.     900 IN NS dc2.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900 IN A 192.168.0.5
dc2.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 2 msec
;; SERVER: 192.168.0.5#53(192.168.0.5)
;; WHEN: Thu Dec 10 11:41:29 GMT 2015
;; MSG SIZE  rcvd: 162

You get a lot more info and each DC is shown as being authoritative for the dns domain.

Now, I am no expert when it comes to dns, but using bind9 looks a better idea to me :-)

Rowland


From ole.traupe at tu-berlin.de Thu Dec 10 12:01:28 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Thu, 10 Dec 2015 13:01:28 +0100
Subject: [Samba] Backup Member Server
References: <566811BD.5060307@tu-berlin.de>
Message-ID: <56696998.5050703@tu-berlin.de>

Wanted to add that I am using STAR for incremental backups of ZFS snapshots on a member server while preserving ACLs with the -xattr parameter. It is pretty fast (uncompressed, of course).

http://linuxcommand.org/man_pages/star1.html

Ole


On 09.12.2015 at 13:27, L.P.H. van Belle wrote:
> Hai,
>
> But don't forget that if you use Samba also as print server
> you need to back up /var/lib/samba/drivers and printing also.
> (And in my case a different folder.)
>
> In /var/cache/samba is the file printer_list.tdb.
> I don't think that is recreated, and if it is, you probably will lose the printer settings. I'll have to look that up.
>
> Maybe it's an option to let the backup script detect if it is running on a
> DC or Member server so it always backs up what is needed.
>
> Greetz,
>
> Louis
>
>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>> Sent: Wednesday, 9 December 2015 12:55
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Backup Member Server
>>
>> On 09/12/15 11:34, Ole Traupe wrote:
>>> Ok, "sysvol" won't exist on member servers, of course. Besides that,
>>> are all relevant Samba databases located in "private"?
>> Well, no, on debian there are also .tdb files in /var/samba/cache/, but,
>> on a domain member, you probably don't have to back them up anyway. You
>> should back up any data stored in home directories and shares and the
>> smb.conf. If you then re-create the domain member, the user uids and
>> group gids will come from the AD DC and recreate the files in
>> /var/lib/samba & /var/cache/samba.
>>
>> This is my understanding.
>>
>> Rowland
>>
>>> --
>>>
>>> Btw, regarding the use of the script for DCs:
>>> https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC
>>>
>>> I have to cron this as root:
>>> 0 2 * * * root /usr/sbin/samba_backup
>>>
>>> And I have to put the full path to "tdbbackup" in the script (or
>>> otherwise make sure the correct path is recognized via /etc/crontab).
>>>
>>> Would be nice to have this in the Wiki.
>>>
>>> Ole
>>>
>>>
>>> On 08.12.2015 at 15:26, Ole Traupe wrote:
>>>> Besides, obviously, the potential shared data on file servers, can't
>>>> you just use the script that is introduced for backing up DCs? At
>>>> least if the complete Samba installation is in "/usr/local/samba"...
>>>>
>>>> https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC
>>>>
>>>>
>>>> On 02.12.2015 at 20:06, Marc Muehlfeld wrote:
>>>>> Hello James,
>>>>>
>>>>> On 02.12.2015 at 15:57, James wrote:
>>>>>> Can someone point me to documentation on how to best back up a
>>>>>> samba member server? I see the wiki currently does not contain one.
>>>>>>
>>>>>> Is it as simple as backing up all shared folders with rsync or similar
>>>>>> that will preserve ACLs along with the smb.conf? I'm currently relying on
>>>>>> a raid solution. Thanks.
>>>>> Yes, I should finally write that doc. :-)
>>>>>
>>>>>
>>>>> What you should back up on a Domain Member:
>>>>> 1.) All files (share content and whatever else is important for you)
>>>>> 2.) Your smb.conf
>>>>> 3.) Your Samba databases (you can do a hot backup with tdbbackup)
>>>>>
>>>>>
>>>>> Some notes about 3.:
>>>>> Depending on what your Domain Member is doing, some of the tdb files
>>>>> are important, while others are recreated and can get lost. There's
>>>>> nothing wrong if you back up all. :-) When I write the Wiki page, I might list
>>>>> which file is important for which case.
>>>>>
>>>>>
>>>>> Regards,
>>>>> Marc
>>>>>
>>>>
>>>
>>
>


From lingpanda101 at gmail.com Thu Dec 10 12:58:23 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 10 Dec 2015 07:58:23 -0500
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5669684B.3010905@samba.org>
References: <566959E3.1040302@samba.org> <5669684B.3010905@samba.org>
Message-ID: <566976EF.3040901@gmail.com>

On 12/10/2015 6:55 AM, Rowland penny wrote:
> On 10/12/15 10:54, Rowland penny wrote:
>> On 10/12/15 10:44, L.P.H. van Belle wrote:
>>> Hai,
>>>
>>> Ah, ok, well, yeah, I was missing the NS on the SOA.
>>>
>>> This is imo a bug. I don't know if this is by design for Samba,
>>> so maybe a Samba dev can answer this, since every joined DC should
>>> have an NS record on the SOA as far as I know, but that's my opinion
>>> and I can be wrong here.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original Message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>>>> Sent: Thursday, 10 December 2015 10:41
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>>>>
>>>> On 10/12/15 09:23, L.P.H. van Belle wrote:
>>>>> I was wondering why, because in a full Windows domain, every DC has
>>>>> an NS record.
>>>>>
>>>> When you join a DC, the basic info is added to AD and then, when the
>>>> samba daemon is started, samba_dnsupdate is run; this uses the file
>>>> dns_update_list to add (if required) various dns records. Guess
>>>> what dns records are not in that file?
>>>>
>>>> However, even if you add the missing NS records to the SOA records, if
>>>> you use the internal dns server, you will still only have one NS; this
>>>> appears to be your first DC. I am beginning to think that if you have
>>>> more than one DC, you should forget the internal DNS server and use
>>>> BIND_DLZ instead.
>>>>
>>>> Rowland
>>>
>>
>> When I can figure out how to get into the new GitHub setup, I will be
>> proposing a patch for this; it just needs three lines adding to
>> dns_update_list.
>>
>> Rowland
>>
>
> If anybody is interested, these are the results of my testing. First
> here are the results of adding an NS record to the dns domain SOA
> record for the second DC on a domain using the internal dns server:
>
> root at testdc1:~# dig SOA +multiline home.lan
>
> ; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10153
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;home.lan.                      IN SOA
>
> ;; ANSWER SECTION:
> home.lan.               3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
>                                 1          ; serial
>                                 900        ; refresh (15 minutes)
>                                 600        ; retry (10 minutes)
>                                 86400      ; expire (1 day)
>                                 3600       ; minimum (1 hour)
>                                 )
>
> ;; Query time: 28 msec
> ;; SERVER: 192.168.0.241#53(192.168.0.241)
> ;; WHEN: Thu Dec 10 11:35:46 GMT 2015
> ;; MSG SIZE  rcvd: 81
>
> root at testdc2:~# dig SOA +multiline home.lan
>
> ; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23755
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;home.lan.                      IN SOA
>
> ;; ANSWER SECTION:
> home.lan.               3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
>                                 1          ; serial
>                                 900        ; refresh (15 minutes)
>                                 600        ; retry (10 minutes)
>                                 86400      ; expire (1 day)
>                                 3600       ; minimum (1 hour)
>                                 )
>
> ;; Query time: 56 msec
> ;; SERVER: 192.168.0.240#53(192.168.0.240)
> ;; WHEN: Thu Dec 10 11:36:14 GMT 2015
> ;; MSG SIZE  rcvd: 81
>
> As you can see, even though each DC is using the other DC as its
> nameserver in /etc/resolv.conf, they both return the same info. Now
> compare that with the info from a domain that uses bind9 as the dns
> server:
>
> root at dc1:~# dig SOA +multiline samdom.example.com
>
> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59426
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;samdom.example.com.            IN SOA
>
> ;; ANSWER SECTION:
> samdom.example.com.     3600 IN SOA dc2.samdom.example.com. hostmaster.samdom.example.com. (
>                                 101        ; serial
>                                 900        ; refresh (15 minutes)
>                                 600        ; retry (10 minutes)
>                                 86400      ; expire (1 day)
>                                 3600       ; minimum (1 hour)
>                                 )
>
> ;; AUTHORITY SECTION:
> samdom.example.com.     900 IN NS dc1.samdom.example.com.
> samdom.example.com.     900 IN NS dc2.samdom.example.com.
>
> ;; ADDITIONAL SECTION:
> dc1.samdom.example.com. 900 IN A 192.168.0.5
> dc2.samdom.example.com. 900 IN A 192.168.0.6
>
> ;; Query time: 7 msec
> ;; SERVER: 192.168.0.6#53(192.168.0.6)
> ;; WHEN: Thu Dec 10 11:41:22 GMT 2015
> ;; MSG SIZE  rcvd: 162
>
> root at dc2:~# dig SOA +multiline samdom.example.com
>
> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16889
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;samdom.example.com.            IN SOA
>
> ;; ANSWER SECTION:
> samdom.example.com.     3600 IN SOA dc1.samdom.example.com. hostmaster.samdom.example.com. (
>                                 101        ; serial
>                                 900        ; refresh (15 minutes)
>                                 600        ; retry (10 minutes)
>                                 86400      ; expire (1 day)
>                                 3600       ; minimum (1 hour)
>                                 )
>
> ;; AUTHORITY SECTION:
> samdom.example.com.     900 IN NS dc1.samdom.example.com.
> samdom.example.com.     900 IN NS dc2.samdom.example.com.
>
> ;; ADDITIONAL SECTION:
> dc1.samdom.example.com. 900 IN A 192.168.0.5
> dc2.samdom.example.com. 900 IN A 192.168.0.6
>
> ;; Query time: 2 msec
> ;; SERVER: 192.168.0.5#53(192.168.0.5)
> ;; WHEN: Thu Dec 10 11:41:29 GMT 2015
> ;; MSG SIZE  rcvd: 162
>
> You get a lot more info and each DC is shown as being authoritative for
> the dns domain.
>
> Now, I am no expert when it comes to dns, but using bind9 looks a
> better idea to me :-)
>
> Rowland
>

Rowland,

If I remember correctly you swapped the order of the DCs in your resolv.conf to get these results? Can you see what happens if you were to leave the resolv.conf order alone and temporarily bring one of the DCs down?

-- 
-James


From lingpanda101 at gmail.com Thu Dec 10 12:59:14 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 10 Dec 2015 07:59:14 -0500
Subject: [Samba] Backup Member Server
In-Reply-To: <56696998.5050703@tu-berlin.de>
References: <566811BD.5060307@tu-berlin.de> <56696998.5050703@tu-berlin.de>
Message-ID: <56697722.7090601@gmail.com>

On 12/10/2015 7:01 AM, Ole Traupe wrote:
> Wanted to add that I am using STAR for incremental backups of ZFS
> snapshots on a member server while preserving ACLs with the -xattr
> parameter. It is pretty fast (uncompressed, of course).
>
> http://linuxcommand.org/man_pages/star1.html
>
> Ole
>
>
> On 09.12.2015 at 13:27, L.P.H. van Belle wrote:
>> Hai,
>>
>> But don't forget that if you use Samba also as print server
>> you need to back up /var/lib/samba/drivers and printing also.
>> (And in my case a different folder.)
>>
>> In /var/cache/samba is the file printer_list.tdb.
>> I don't think that is recreated, and if it is, you probably will lose the
>> printer settings. I'll have to look that up.
>>
>> Maybe it's an option to let the backup script detect if it is running on a
>> DC or Member server so it always backs up what is needed.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original Message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>>> Sent: Wednesday, 9 December 2015 12:55
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Backup Member Server
>>>
>>> On 09/12/15 11:34, Ole Traupe wrote:
>>>> Ok, "sysvol" won't exist on member servers, of course. Besides that,
>>>> are all relevant Samba databases located in "private"?
>>> Well, no, on debian there are also .tdb files in /var/samba/cache/,
>>> but, on a domain member, you probably don't have to back them up anyway.
>>> You should back up any data stored in home directories and shares and the
>>> smb.conf. If you then re-create the domain member, the user uids and
>>> group gids will come from the AD DC and recreate the files in
>>> /var/lib/samba & /var/cache/samba.
>>>
>>> This is my understanding.
>>>
>>> Rowland
>>>
>>>> --
>>>>
>>>> Btw, regarding the use of the script for DCs:
>>>> https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC
>>>>
>>>> I have to cron this as root:
>>>> 0 2 * * * root /usr/sbin/samba_backup
>>>>
>>>> And I have to put the full path to "tdbbackup" in the script (or
>>>> otherwise make sure the correct path is recognized via /etc/crontab).
>>>>
>>>> Would be nice to have this in the Wiki.
>>>>
>>>> Ole
>>>>
>>>>
>>>> On 08.12.2015 at 15:26, Ole Traupe wrote:
>>>>> Besides, obviously, the potential shared data on file servers, can't
>>>>> you just use the script that is introduced for backing up DCs? At
>>>>> least if the complete Samba installation is in "/usr/local/samba"...
>>>>>
>>>>> https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC
>>>>>
>>>>>
>>>>> On 02.12.2015 at 20:06, Marc Muehlfeld wrote:
>>>>>> Hello James,
>>>>>>
>>>>>> On 02.12.2015 at 15:57, James wrote:
>>>>>>> Can someone point me to documentation on how to best back up a
>>>>>>> samba member server? I see the wiki currently does not contain one.
>>>>>>>
>>>>>>> Is it as simple as backing up all shared folders with rsync or similar
>>>>>>> that will preserve ACLs along with the smb.conf? I'm currently
>>>>>>> relying on a raid solution. Thanks.
>>>>>> Yes, I should finally write that doc. :-)
>>>>>>
>>>>>>
>>>>>> What you should back up on a Domain Member:
>>>>>> 1.) All files (share content and whatever else is important for you)
>>>>>> 2.) Your smb.conf
>>>>>> 3.) Your Samba databases (you can do a hot backup with tdbbackup)
>>>>>>
>>>>>>
>>>>>> Some notes about 3.:
>>>>>> Depending on what your Domain Member is doing, some of the tdb files
>>>>>> are important, while others are recreated and can get lost. There's
>>>>>> nothing wrong if you back up all. :-) When I write the Wiki page, I might
>>>>>> list which file is important for which case.
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Marc
>>>>>>
>>>>>
>>>>
>>>
>>
>

Thanks for all the responses. I'm taking note of all feedback and assessing my current setup.
-- 
-James


From ole.traupe at tu-berlin.de Thu Dec 10 13:05:51 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Thu, 10 Dec 2015 14:05:51 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <56685BEA.7060206@gmail.com>
References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685BEA.7060206@gmail.com>
Message-ID: <566978AF.2020902@tu-berlin.de>

>> Any idea why I still get this when trying to log on to a member
>> server while the first DC is down?
>>
>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>> getting initial credentials
>>
>> Ole
>>
>
> Ole,
>
> Can you try a few things? All on your member server. What is the
> output of
>
> testparm | grep "name resolve order"

There is no such line.

>
> kdestroy -A
>
> kinit administrator at MY.DOMAIN.TLD -V

Using default cache: /tmp/krb5cc_0
Using principal: administrator at MY.DOMAIN.TLD
Password for administrator at MY.DOMAIN.TLD:
Authenticated to Kerberos v5


From ole.traupe at tu-berlin.de Thu Dec 10 13:08:33 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Thu, 10 Dec 2015 14:08:33 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
References: <5661BD67.8000305@tu-berlin.de>
Message-ID: <56697951.1040903@tu-berlin.de>

On 09.12.2015 at 17:53, L.P.H. van Belle wrote:
> Hai Ole,
>
> Can you run this on the member where you logged in:
>
> host -t SRV _ldap._tcp.samdom.example.com.
> host -t SRV _kerberos._udp.samdom.example.com.
>
> host -t A dc1.samdom.example.com.
> host -t A dc2.samdom.example.com.
>
> and again with
> search my.domain.tld
> nameserver IP_of_2nd_DC
> nameserver IP_of_1st_DC
>

Both times the same:

[root at server me]# host -t SRV _ldap._tcp.my.domain.tld.
_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.
[root at server me]# host -t SRV _kerberos._udp.my.domain.tld.
_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.
[root at server me]# host -t A dc1.my.domain.tld.
dc1.my.domain.tld has address IP_of_FirstDC
[root at server me]# host -t A dc2.my.domain.tld.
dc2.my.domain.tld has address IP_of_SecondDC

There is no need to restart the network service after altering resolv.conf, right?


From rpenny at samba.org Thu Dec 10 13:11:21 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 10 Dec 2015 13:11:21 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566976EF.3040901@gmail.com>
References: <566959E3.1040302@samba.org> <5669684B.3010905@samba.org> <566976EF.3040901@gmail.com>
Message-ID: <566979F9.9000805@samba.org>

On 10/12/15 12:58, James wrote:
> On 12/10/2015 6:55 AM, Rowland penny wrote:
>> On 10/12/15 10:54, Rowland penny wrote:
>>> On 10/12/15 10:44, L.P.H. van Belle wrote:
>>>> Hai,
>>>>
>>>> Ah, ok, well, yeah, I was missing the NS on the SOA.
>>>>
>>>> This is imo a bug. I don't know if this is by design for Samba,
>>>> so maybe a Samba dev can answer this, since every joined DC should
>>>> have an NS record on the SOA as far as I know, but that's my opinion
>>>> and I can be wrong here.
>>>>
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>>>>> Sent: Thursday, 10 December 2015 10:41
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
>>>>>
>>>>> On 10/12/15 09:23, L.P.H.
>>>>> van Belle wrote:
>>>>>> I was wondering why, because in a full Windows domain, every DC
>>>>>> has an NS record.
>>>>>>
>>>>> When you join a DC, the basic info is added to AD and then, when the
>>>>> samba daemon is started, samba_dnsupdate is run; this uses the file
>>>>> dns_update_list to add (if required) various dns records. Guess
>>>>> what dns records are not in that file?
>>>>>
>>>>> However, even if you add the missing NS records to the SOA
>>>>> records, if you use the internal dns server, you will still only have one NS,
>>>>> this appears to be your first DC. I am beginning to think that if you have
>>>>> more than one DC, you should forget the internal DNS server and use
>>>>> BIND_DLZ instead.
>>>>>
>>>>> Rowland
>>>>
>>>
>>> When I can figure out how to get into the new GitHub setup, I will be
>>> proposing a patch for this; it just needs three lines adding to
>>> dns_update_list.
>>>
>>> Rowland
>>>
>>
>> If anybody is interested, these are the results of my testing. First
>> here are the results of adding an NS record to the dns domain SOA
>> record for the second DC on a domain using the internal dns server:
>>
>> root at testdc1:~# dig SOA +multiline home.lan
>>
>> ; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10153
>> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;home.lan.                      IN SOA
>>
>> ;; ANSWER SECTION:
>> home.lan.               3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
>>                                 1          ; serial
>>                                 900        ; refresh (15 minutes)
>>                                 600        ; retry (10 minutes)
>>                                 86400      ; expire (1 day)
>>                                 3600       ; minimum (1 hour)
>>                                 )
>>
>> ;; Query time: 28 msec
>> ;; SERVER: 192.168.0.241#53(192.168.0.241)
>> ;; WHEN: Thu Dec 10 11:35:46 GMT 2015
>> ;; MSG SIZE  rcvd: 81
>>
>> root at testdc2:~# dig SOA +multiline home.lan
>>
>> ; <<>> DiG 9.9.5-4~bpo70+1-Debian <<>> SOA +multiline home.lan
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23755
>> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;home.lan.                      IN SOA
>>
>> ;; ANSWER SECTION:
>> home.lan.               3600 IN SOA testdc1.home.lan. hostmaster.home.lan. (
>>                                 1          ; serial
>>                                 900        ; refresh (15 minutes)
>>                                 600        ; retry (10 minutes)
>>                                 86400      ; expire (1 day)
>>                                 3600       ; minimum (1 hour)
>>                                 )
>>
>> ;; Query time: 56 msec
>> ;; SERVER: 192.168.0.240#53(192.168.0.240)
>> ;; WHEN: Thu Dec 10 11:36:14 GMT 2015
>> ;; MSG SIZE  rcvd: 81
>>
>> As you can see, even though each DC is using the other DC as its
>> nameserver in /etc/resolv.conf, they both return the same info. Now
>> compare that with the info from a domain that uses bind9 as the dns
>> server:
>>
>> root at dc1:~# dig SOA +multiline samdom.example.com
>>
>> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59426
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;samdom.example.com.            IN SOA
>>
>> ;; ANSWER SECTION:
>> samdom.example.com.     3600 IN SOA dc2.samdom.example.com. hostmaster.samdom.example.com. (
>>                                 101        ; serial
>>                                 900        ; refresh (15 minutes)
>>                                 600        ; retry (10 minutes)
>>                                 86400      ; expire (1 day)
>>                                 3600       ; minimum (1 hour)
>>                                 )
>>
>> ;; AUTHORITY SECTION:
>> samdom.example.com.     900 IN NS dc1.samdom.example.com.
>> samdom.example.com.     900 IN NS dc2.samdom.example.com.
>>
>> ;; ADDITIONAL SECTION:
>> dc1.samdom.example.com. 900 IN A 192.168.0.5
>> dc2.samdom.example.com. 900 IN A 192.168.0.6
>>
>> ;; Query time: 7 msec
>> ;; SERVER: 192.168.0.6#53(192.168.0.6)
>> ;; WHEN: Thu Dec 10 11:41:22 GMT 2015
>> ;; MSG SIZE  rcvd: 162
>>
>> root at dc2:~# dig SOA +multiline samdom.example.com
>>
>> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16889
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;samdom.example.com.            IN SOA
>>
>> ;; ANSWER SECTION:
>> samdom.example.com.     3600 IN SOA dc1.samdom.example.com. hostmaster.samdom.example.com. (
>>                                 101        ; serial
>>                                 900        ; refresh (15 minutes)
>>                                 600        ; retry (10 minutes)
>>                                 86400      ; expire (1 day)
>>                                 3600       ; minimum (1 hour)
>>                                 )
>>
>> ;; AUTHORITY SECTION:
>> samdom.example.com.     900 IN NS dc1.samdom.example.com.
>> samdom.example.com.     900 IN NS dc2.samdom.example.com.
>>
>> ;; ADDITIONAL SECTION:
>> dc1.samdom.example.com. 900 IN A 192.168.0.5
>> dc2.samdom.example.com. 900 IN A 192.168.0.6
>>
>> ;; Query time: 2 msec
>> ;; SERVER: 192.168.0.5#53(192.168.0.5)
>> ;; WHEN: Thu Dec 10 11:41:29 GMT 2015
>> ;; MSG SIZE  rcvd: 162
>>
>> You get a lot more info and each DC is shown as being authoritative
>> for the dns domain.
>>
>> Now, I am no expert when it comes to dns, but using bind9 looks a
>> better idea to me :-)
>>
>> Rowland
>>
> Rowland,
>
> If I remember correctly you swapped the order of the DCs in your
> resolv.conf to get these results? Can you see what happens if you were
> to leave the resolv.conf order alone and temporarily bring one of the
> DCs down?
>

OK, stopped samba on dc1:

root at dc2:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7191
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.            IN SOA

;; ANSWER SECTION:
samdom.example.com.     3600 IN SOA dc1.samdom.example.com. hostmaster.samdom.example.com. (
                                101        ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; AUTHORITY SECTION:
samdom.example.com.     900 IN NS dc2.samdom.example.com.
samdom.example.com.     900 IN NS dc1.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900 IN A 192.168.0.5
dc2.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 2 msec
;; SERVER: 192.168.0.5#53(192.168.0.5)
;; WHEN: Thu Dec 10 13:05:20 GMT 2015
;; MSG SIZE  rcvd: 162

Hmm, still using bind on dc1. Back to dc1 and stopped bind9:

root at dc2:~# dig SOA +multiline samdom.example.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60862
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;samdom.example.com.            IN SOA

;; ANSWER SECTION:
samdom.example.com.     3600 IN SOA dc2.samdom.example.com. hostmaster.samdom.example.com. (
                                101        ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )

;; AUTHORITY SECTION:
samdom.example.com.     900 IN NS dc2.samdom.example.com.
samdom.example.com.     900 IN NS dc1.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 900 IN A 192.168.0.5
dc2.samdom.example.com. 900 IN A 192.168.0.6

;; Query time: 7 msec
;; SERVER: 192.168.0.6#53(192.168.0.6)
;; WHEN: Thu Dec 10 13:06:24 GMT 2015
;; MSG SIZE  rcvd: 162

It is now using itself as the NS.

Rowland


From rpenny at samba.org Thu Dec 10 13:13:45 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 10 Dec 2015 13:13:45 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566978AF.2020902@tu-berlin.de>
References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685BEA.7060206@gmail.com> <566978AF.2020902@tu-berlin.de>
Message-ID: <56697A89.2050700@samba.org>

On 10/12/15 13:05, Ole Traupe wrote:
>
>>> Any idea why I still get this when trying to log on to a member
>>> server while the first DC is down?
>>>
>>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while
>>> getting initial credentials
>>>
>>> Ole
>>>
>>
>> Ole,
>>
>> Can you try a few things? All on your member server. What is the
>> output of
>>
>> testparm | grep "name resolve order"
>
> There is no such line.
Try it like this:

testparm -v | grep "name resolve order"

Rowland

>
>
>> kdestroy -A
>>
>> kinit administrator at MY.DOMAIN.TLD -V
>
> Using default cache: /tmp/krb5cc_0
> Using principal: administrator at MY.DOMAIN.TLD
> Password for administrator at MY.DOMAIN.TLD:
> Authenticated to Kerberos v5
>

From ole.traupe at tu-berlin.de Thu Dec 10 13:15:19 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Thu, 10 Dec 2015 14:15:19 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <56685EF6.90809@gmail.com>
References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com>
Message-ID: <56697AE7.6070908@tu-berlin.de>

>>
> Ole,
>
> I was trying to look back through your posts so excuse me if you
> have answered this. What was your original krb.conf file contents? A
> few things that may work is to specify the kdc and not rely on dns.
> for instance.
>
> [libdefaults]
> default_realm = MY.DOMAIN.TLD
> dns_lookup_kdc = false
> dns_lookup_realm = false
>
> [realms]
> MY.DOMAIN.TLD = {
> kdc = IP of First DC
> kdc = IP of Second DC
> }
>

Here is the content of /etc/krb5.conf (commented sections were all effective, initially):

[root at server me]# cat /etc/krb5.conf
#[logging]
# default = FILE:/var/log/krb5libs.log
# kdc = FILE:/var/log/krb5kdc.log
# admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MY.DOMAIN.TLD
# dns_lookup_realm = false
# dns_lookup_kdc = true
# ticket_lifetime = 24h
# renew_lifetime = 7d
# forwardable = true

#[realms]
# MY.DOMAIN.TLD = {
# kdc = dc1.my.domain.tld
# kdc = dc2.my.domain.tld
# admin_server = dc1.my.domain.tld
# default_domain = my.domain.tld
# }

#[domain_realm]
# my.domain.tld = MY.DOMAIN.TLD
# .my.domain.tld = MY.DOMAIN.TLD

Initially, when the First_DC was offline and I swapped the 'kdc' server lines in [realms] in krb5.conf and the 'nameserver' lines in resolv.conf (and restarted the network service; not sure whether the latter was actually needed), I could kinit on the member server.
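Whether kinit locates the KDC through DNS (dns_lookup_kdc) or through explicit kdc lines, failing over to the second DC only works if DNS actually advertises it as a KDC and LDAP server. The following check is an added example, neither Samba's code nor any poster's: it parses `host -t SRV` output (the sample lines and the my.domain.tld / dc1 / dc2 names are constructed, modelled on the thread's) and reports every DC missing from the _kerberos._udp and _ldap._tcp records, which is what the thread's later host -t SRV comparison does by eye.

```python
# Added example for this thread (not Samba code, not from any poster): parse
# `host -t SRV` output and report DCs that are missing from the _kerberos._udp
# or _ldap._tcp records a client uses to find a KDC / LDAP server.
import re
import subprocess
from typing import Dict, List, NamedTuple, Set


class SrvRecord(NamedTuple):
    name: str
    priority: int
    weight: int
    port: int
    target: str


# One line of `host -t SRV` output, for example:
#   _ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.
SRV_LINE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<prio>\d+) (?P<weight>\d+) "
    r"(?P<port>\d+) (?P<target>\S+)$"
)

# SRV names an AD client resolves, with the port each should advertise.
AD_SRV_SERVICES = {"_kerberos._udp": 88, "_ldap._tcp": 389}


def parse_host_srv(output: str) -> List[SrvRecord]:
    """Parse `host -t SRV` output; a 'has no SRV record' line yields nothing."""
    records = []
    for line in output.splitlines():
        m = SRV_LINE.match(line.strip())
        if m is None:
            continue
        records.append(SrvRecord(
            name=m.group("name").rstrip(".").lower(),
            priority=int(m.group("prio")),
            weight=int(m.group("weight")),
            port=int(m.group("port")),
            target=m.group("target").rstrip(".").lower(),
        ))
    return records


def check_dc_srv(domain: str, dcs: List[str],
                 host_outputs: Dict[str, str]) -> Dict[str, Set[str]]:
    """Return, per SRV name, the DCs it does not advertise on the right port.

    host_outputs maps an SRV name such as '_kerberos._udp.my.domain.tld'
    to the text printed by `host -t SRV <name>` (absent = no answer).
    """
    domain = domain.rstrip(".").lower()
    expected = {dc.rstrip(".").lower() for dc in dcs}
    problems: Dict[str, Set[str]] = {}
    for service, port in AD_SRV_SERVICES.items():
        srv_name = f"{service}.{domain}"
        records = parse_host_srv(host_outputs.get(srv_name, ""))
        advertised = {r.target for r in records
                      if r.name == srv_name and r.port == port}
        problems[srv_name] = expected - advertised
    return problems


def live_check(domain: str, dcs: List[str]) -> Dict[str, Set[str]]:
    """Same check against real DNS, using the `host` tool (needs network)."""
    outputs = {}
    for service in AD_SRV_SERVICES:
        name = f"{service}.{domain.rstrip('.').lower()}"
        proc = subprocess.run(["host", "-t", "SRV", name],
                              capture_output=True, text=True, check=False)
        outputs[name] = proc.stdout
    return check_dc_srv(domain, dcs, outputs)


DCS = ["dc1.my.domain.tld", "dc2.my.domain.tld"]

# Constructed sample modelled on the thread: only dc1 is advertised, so a
# client cannot fall back to dc2 while dc1 is down.
BROKEN_OUTPUT = {
    "_ldap._tcp.my.domain.tld":
        "_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.\n",
    "_kerberos._udp.my.domain.tld":
        "_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.\n",
}

# Constructed sample of a healthy two-DC domain.
HEALTHY_OUTPUT = {
    "_ldap._tcp.my.domain.tld":
        "_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc2.my.domain.tld.\n"
        "_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.\n",
    "_kerberos._udp.my.domain.tld":
        "_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld.\n"
        "_kerberos._udp.my.domain.tld has SRV record 0 100 88 dc2.my.domain.tld.\n",
}

if __name__ == "__main__":
    for srv_name, missing in sorted(check_dc_srv("my.domain.tld", DCS, BROKEN_OUTPUT).items()):
        status = "missing " + ", ".join(sorted(missing)) if missing else "all DCs advertised"
        print(f"{srv_name}: {status}")
```

Run against the constructed sample it flags dc2 under both SRV names; `live_check("my.domain.tld", DCS)` performs the same comparison against the real zone on a member server.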
From ole.traupe at tu-berlin.de Thu Dec 10 13:18:07 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 10 Dec 2015 14:18:07 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <566861F9.3090502@samba.org> References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com> <566861F9.3090502@samba.org> Message-ID: <56697B8F.1090207@tu-berlin.de> Am 09.12.2015 um 18:16 schrieb Rowland penny: > On 09/12/15 17:03, James wrote: >> On 12/9/2015 11:33 AM, Ole Traupe wrote: >>> >>>> - But when I try to ssh to a member server, it still takes forever, >>>> and a 'kinit' on a member server gives this: >>>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while >>>> getting initial credentials" >>>> >>>> >>>> My /etc/krb5.conf looks like this (following your suggestions, >>>> Rowland, as everything else are defaults): >>>> >>>> [libdefaults] >>>> default_realm = MY.DOMAIN.TLD >>>> >>>> And my /etc/resolv.conf is this: >>>> >>>> search my.domain.tld >>>> nameserver IP_of_1st_DC >>>> nameserver IP_of_2nd_DC >>> >>> Any idea why I still get this when trying to log on to a member >>> server while the first DC is down? >>> >>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while >>> getting initial credentials >>> >>> Ole >>> >>> >>> >> Ole, >> >> I was trying to look back through your posts so excuse me if you >> have answered this. What was your original krb.conf file contents? A >> few things that may work is to specify the kdc and not rely on dns. >> for instance. 
>> >> [libdefaults] >> default_realm = MY.DOMAIN.TLD >> dns_lookup_kdc = false >> dns_lookup_realm = false >> >> [realms] >> MY.DOMAIN.TLD = { >> kdc = IP of First DC >> kdc = IP of Second DC >> } >> > > If you have to do that, then there is something wrong with your dns > and you need to fix this, dns is an important part of AD and really > needs to work correctly. > > I have been doing some testing with dns and with the internal dns > server, even if you add another NS to the SOA record, you only have > one NS. It seems the only way to get each DC to think it is a NS, is > to use bind9. > > Rowland Hm, as I said: swapping kdc and nameserver entries on the member server (and restarting the network service) was able to solve the problem, if I remember correctly. From rpenny at samba.org Thu Dec 10 13:18:19 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 10 Dec 2015 13:18:19 +0000 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <56697951.1040903@tu-berlin.de> References: <5661BD67.8000305@tu-berlin.de> <56697951.1040903@tu-berlin.de> Message-ID: <56697B9B.4070508@samba.org> On 10/12/15 13:08, Ole Traupe wrote: > > > Am 09.12.2015 um 17:53 schrieb L.P.H. van Belle: >> Hai Ole, >> >> Can you run on the member where you logged in. >> >> host -t SRV _ldap._tcp.samdom.example.com. >> host -t SRV _kerberos._udp.samdom.example.com. >> >> host -t A dc1.samdom.example.com. >> host -t A dc2.samdom.example.com. >> >> and again with >> search my.domain.tld >> nameserver IP_of_2st_DC >> nameserver IP_of_1nd_DC >> > > Both times the same: > > > [root at server me]# host -t SRV _ldap._tcp.my.domain.tld. > _ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld. > > [root at server me]# host -t SRV _kerberos._udp.my.domain.tld. > _kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld. 
You have problems; if you have two DCs, you should get something like this:

root at dc1:~# host -t SRV _ldap._tcp.samdom.example.com
_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc2.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.
root at dc1:~# host -t SRV _kerberos._udp.samdom.example.com
_kerberos._udp.samdom.example.com has SRV record 0 100 88 dc1.samdom.example.com.
_kerberos._udp.samdom.example.com has SRV record 0 100 88 dc2.samdom.example.com.

Rowland

>
> [root at server me]# host -t A dc1.my.domain.tld.
> dc1.my.domain.tld has address IP_of_FirstDC
>
> [root at server me]# host -t A dc2.my.domain.tld.
> dc2.my.domain.tld has address IP_of_SecondDC
>
> There is no need to restart network service after altering
> resolv.conf, right?
>

From lingpanda101 at gmail.com Thu Dec 10 13:19:23 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 10 Dec 2015 08:19:23 -0500
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566979F9.9000805@samba.org>
References: <566959E3.1040302@samba.org> <5669684B.3010905@samba.org> <566976EF.3040901@gmail.com> <566979F9.9000805@samba.org>
Message-ID: <56697BDB.60409@gmail.com>

On 12/10/2015 8:11 AM, Rowland penny wrote:
>
>
> Hmm, still using bind on dc1, back to dc1 and stopped bind9:
>
> root at dc2:~# dig SOA +multiline samdom.example.com
>
> ; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> SOA +multiline samdom.example.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60862
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;samdom.example.com. IN SOA
>
> ;; ANSWER SECTION:
> samdom.example.com. 3600 IN SOA dc2.samdom.example.com.
> hostmaster.samdom.example.com.
(
> 101 ; serial
> 900 ; refresh (15 minutes)
> 600 ; retry (10 minutes)
> 86400 ; expire (1 day)
> 3600 ; minimum (1 hour)
> )
>
> ;; AUTHORITY SECTION:
> samdom.example.com. 900 IN NS dc2.samdom.example.com.
> samdom.example.com. 900 IN NS dc1.samdom.example.com.
>
> ;; ADDITIONAL SECTION:
> dc1.samdom.example.com. 900 IN A 192.168.0.5
> dc2.samdom.example.com. 900 IN A 192.168.0.6
>
> ;; Query time: 7 msec
> ;; SERVER: 192.168.0.6#53(192.168.0.6)
> ;; WHEN: Thu Dec 10 13:06:24 GMT 2015
> ;; MSG SIZE rcvd: 162
>
> It is now using itself as the NS
>
> Rowland
>

This is the behavior I would expect to see.

--
-James

From belle at bazuin.nl Thu Dec 10 13:20:17 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 10 Dec 2015 14:20:17 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5669793E.1010706@tu-berlin.de>

Hai Ole,

Ok, so there is your problem. If you have 2 DCs, then with the command:

host -t SRV _ldap._tcp.my.domain.tld.

you should see:

_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld.
_ldap._tcp.my.domain.tld has SRV record 0 100 389 dc2.my.domain.tld.

Have a look here: https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins

So you have seen bug 10928 in action ;-)
https://bugzilla.samba.org/show_bug.cgi?id=10928

Greetz,

Louis

> -----Original message-----
> From: Ole Traupe [mailto:ole.traupe at tu-berlin.de]
> Sent: Thursday 10 December 2015 14:08
> To: L.P.H. van Belle
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
>
>
> On 09.12.2015 at 17:53, L.P.H. van Belle wrote:
> > Hai Ole,
> >
> > Can you run on the member where you logged in.
> >
> > host -t SRV _ldap._tcp.samdom.example.com.
> > host -t SRV _kerberos._udp.samdom.example.com.
> >
> > host -t A dc1.samdom.example.com.
> > host -t A dc2.samdom.example.com.
> > > > and again with > > search my.domain.tld > > nameserver IP_of_2st_DC > > nameserver IP_of_1nd_DC > > > > Both times the same: > > > [root at server me]# host -t SRV _ldap._tcp.my.domain.tld. > _ldap._tcp.my.domain.tld has SRV record 0 100 389 dc1.my.domain.tld. > > [root at server me]# host -t SRV _kerberos._udp.my.domain.tld. > _kerberos._udp.my.domain.tld has SRV record 0 100 88 dc1.my.domain.tld. > > [root at server me]# host -t A dc1.my.domain.tld. > dc1.my.domain.tld has address IP_of_FirstDC > > [root at server me]# host -t A dc2.my.domain.tld. > dc2.my.domain.tld has address IP_of_SecondDC > > There is no need to restart network service after altering resolv.conf, > right? > From ole.traupe at tu-berlin.de Thu Dec 10 13:25:29 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 10 Dec 2015 14:25:29 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <566861F9.3090502@samba.org> References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com> <566861F9.3090502@samba.org> Message-ID: <56697D49.8040301@tu-berlin.de> Is it possible that kdc server is always the SOA, at least if derived from DNS and not specified *explicitly* in the krb5.conf? In my DNS-Manager console I find that _tcp.dc._msdcs.bpn.tu-berlin.de contains only 1 "_kerberos" record, and that one points to my First_DC. 
Ole Am 09.12.2015 um 18:16 schrieb Rowland penny: > On 09/12/15 17:03, James wrote: >> On 12/9/2015 11:33 AM, Ole Traupe wrote: >>> >>>> - But when I try to ssh to a member server, it still takes forever, >>>> and a 'kinit' on a member server gives this: >>>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while >>>> getting initial credentials" >>>> >>>> >>>> My /etc/krb5.conf looks like this (following your suggestions, >>>> Rowland, as everything else are defaults): >>>> >>>> [libdefaults] >>>> default_realm = MY.DOMAIN.TLD >>>> >>>> And my /etc/resolv.conf is this: >>>> >>>> search my.domain.tld >>>> nameserver IP_of_1st_DC >>>> nameserver IP_of_2nd_DC >>> >>> Any idea why I still get this when trying to log on to a member >>> server while the first DC is down? >>> >>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while >>> getting initial credentials >>> >>> Ole >>> >>> >>> >> Ole, >> >> I was trying to look back through your posts so excuse me if you >> have answered this. What was your original krb.conf file contents? A >> few things that may work is to specify the kdc and not rely on dns. >> for instance. >> >> [libdefaults] >> default_realm = MY.DOMAIN.TLD >> dns_lookup_kdc = false >> dns_lookup_realm = false >> >> [realms] >> MY.DOMAIN.TLD = { >> kdc = IP of First DC >> kdc = IP of Second DC >> } >> > > If you have to do that, then there is something wrong with your dns > and you need to fix this, dns is an important part of AD and really > needs to work correctly. > > I have been doing some testing with dns and with the internal dns > server, even if you add another NS to the SOA record, you only have > one NS. It seems the only way to get each DC to think it is a NS, is > to use bind9. 
> > Rowland > From rpenny at samba.org Thu Dec 10 13:29:02 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 10 Dec 2015 13:29:02 +0000 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <56697B8F.1090207@tu-berlin.de> References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com> <566861F9.3090502@samba.org> <56697B8F.1090207@tu-berlin.de> Message-ID: <56697E1E.2090000@samba.org> On 10/12/15 13:18, Ole Traupe wrote: > > > Am 09.12.2015 um 18:16 schrieb Rowland penny: >> On 09/12/15 17:03, James wrote: >>> On 12/9/2015 11:33 AM, Ole Traupe wrote: >>>> >>>>> - But when I try to ssh to a member server, it still takes >>>>> forever, and a 'kinit' on a member server gives this: >>>>> "kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while >>>>> getting initial credentials" >>>>> >>>>> >>>>> My /etc/krb5.conf looks like this (following your suggestions, >>>>> Rowland, as everything else are defaults): >>>>> >>>>> [libdefaults] >>>>> default_realm = MY.DOMAIN.TLD >>>>> >>>>> And my /etc/resolv.conf is this: >>>>> >>>>> search my.domain.tld >>>>> nameserver IP_of_1st_DC >>>>> nameserver IP_of_2nd_DC >>>> >>>> Any idea why I still get this when trying to log on to a member >>>> server while the first DC is down? >>>> >>>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while >>>> getting initial credentials >>>> >>>> Ole >>>> >>>> >>>> >>> Ole, >>> >>> I was trying to look back through your posts so excuse me if you >>> have answered this. What was your original krb.conf file contents? 
>>> A few things that may work is to specify the kdc and not rely on dns.
>>> for instance.
>>>
>>> [libdefaults]
>>> default_realm = MY.DOMAIN.TLD
>>> dns_lookup_kdc = false
>>> dns_lookup_realm = false
>>>
>>> [realms]
>>> MY.DOMAIN.TLD = {
>>> kdc = IP of First DC
>>> kdc = IP of Second DC
>>> }
>>>
>>
>> If you have to do that, then there is something wrong with your dns
>> and you need to fix this, dns is an important part of AD and really
>> needs to work correctly.
>>
>> I have been doing some testing with dns and with the internal dns
>> server, even if you add another NS to the SOA record, you only have
>> one NS. It seems the only way to get each DC to think it is a NS, is
>> to use bind9.
>>
>> Rowland
>
> Hm, as I said: swapping kdc and nameserver entries on the member
> server (and restarting the network service) was able to solve the
> problem, if I remember correctly.
>
>
>

This is what is in resolv.conf on each DC:

root at dc1:~# nano /etc/resolv.conf
search samdom.example.com
nameserver 192.168.0.6
nameserver 192.168.0.5

root at dc2:~# nano /etc/resolv.conf
search samdom.example.com
nameserver 192.168.0.5
nameserver 192.168.0.6

dc1.samdom.example.com is 192.168.0.5
dc2.samdom.example.com is 192.168.0.6

Both have just this in /etc/krb5.conf

[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM

Everything is working correctly.
Rowland From ole.traupe at tu-berlin.de Thu Dec 10 13:33:32 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 10 Dec 2015 14:33:32 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5669789E.2070800@gmail.com> References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685BEA.7060206@gmail.com> <56697674.1050902@tu-berlin.de> <5669789E.2070800@gmail.com> Message-ID: <56697F2C.7080307@tu-berlin.de> Am 10.12.2015 um 14:05 schrieb James: > On 12/10/2015 7:56 AM, Ole Traupe wrote: >> >>>> Any idea why I still get this when trying to log on to a member >>>> server while the first DC is down? >>>> >>>> # kinit: Cannot contact any KDC for realm 'MY.DOMAIN.TLD' while >>>> getting initial credentials >>>> >>>> Ole >>>> >>>> >>>> >>> Ole, >>> >>> Can you try a few things? All on your member server. What is the >>> output of >>> >>> testparm | grep "name resolve order" >> >> There is no such line. >> >> >>> >>> kdestroy -A >>> >>> kinit administrator at MY.DOMAIN.TLD -V >> >> Using default cache: /tmp/krb5cc_0 >> Using principal: administrator at MY.DOMAIN.TLD >> Password for administrator at MY.DOMAIN.TLD: >> Authenticated to Kerberos v5 >> >> > Sorry. The command is testparm -v | grep "name resolve order". name resolve order = lmhosts wins host bcast > > It looks like your kinit succeed? 
> yes

From rpenny at samba.org Thu Dec 10 13:38:35 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 10 Dec 2015 13:38:35 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <56697D49.8040301@tu-berlin.de>
References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com> <566861F9.3090502@samba.org> <56697D49.8040301@tu-berlin.de>
Message-ID: <5669805B.8050109@samba.org>

On 10/12/15 13:25, Ole Traupe wrote:
> Is it possible that kdc server is always the SOA, at least if derived
> from DNS and not specified *explicitly* in the krb5.conf?
>
> In my DNS-Manager console I find that
>
> _tcp.dc._msdcs.bpn.tu-berlin.de
>
> contains only 1 "_kerberos" record, and that one points to my First_DC.
>
> Ole
>
>

Your problem doesn't seem to be a dns problem, you should have two 'kerberos' records and no matter how good your dns is, it cannot obtain something that isn't there :-)

See Louis's earlier post for how to attempt to fix this, but before you do anything, restart samba on the second DC and then check the logs, samba_dnsupdate should add the records you are missing.
Rowland From ole.traupe at tu-berlin.de Thu Dec 10 13:40:19 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 10 Dec 2015 14:40:19 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <56697B9B.4070508@samba.org> References: <5661BD67.8000305@tu-berlin.de> <56697951.1040903@tu-berlin.de> <56697B9B.4070508@samba.org> Message-ID: <566980C3.4040303@tu-berlin.de> > You have problems, if you have two DCs, you should get something like > this: > > root at dc1:~# host -t SRV _ldap._tcp.samdom.example.com > _ldap._tcp.samdom.example.com has SRV record 0 100 389 > dc2.samdom.example.com. > _ldap._tcp.samdom.example.com has SRV record 0 100 389 > dc1.samdom.example.com. > root at dc1:~# host -t SRV _kerberos._udp.samdom.example.com > _kerberos._udp.samdom.example.com has SRV record 0 100 88 > dc1.samdom.example.com. > _kerberos._udp.samdom.example.com has SRV record 0 100 88 > dc2.samdom.example.com. > > Rowland Definitely, good! :) However, I have been there, done that: https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins This page says nothing about ldap or kerberos... why?! Ole From rpenny at samba.org Thu Dec 10 13:49:57 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 10 Dec 2015 13:49:57 +0000 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <566980C3.4040303@tu-berlin.de> References: <5661BD67.8000305@tu-berlin.de> <56697951.1040903@tu-berlin.de> <56697B9B.4070508@samba.org> <566980C3.4040303@tu-berlin.de> Message-ID: <56698305.70108@samba.org> On 10/12/15 13:40, Ole Traupe wrote: > >> You have problems, if you have two DCs, you should get something like >> this: >> >> root at dc1:~# host -t SRV _ldap._tcp.samdom.example.com >> _ldap._tcp.samdom.example.com has SRV record 0 100 389 >> dc2.samdom.example.com. >> _ldap._tcp.samdom.example.com has SRV record 0 100 389 >> dc1.samdom.example.com. 
>> root at dc1:~# host -t SRV _kerberos._udp.samdom.example.com >> _kerberos._udp.samdom.example.com has SRV record 0 100 88 >> dc1.samdom.example.com. >> _kerberos._udp.samdom.example.com has SRV record 0 100 88 >> dc2.samdom.example.com. >> >> Rowland > > Definitely, good! :) > > However, I have been there, done that: > https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins > > This page says nothing about ldap or kerberos... why?! > > Ole > > > Probably because either nobody has noticed the problem or the problem hasn't been reported before. Rowland From belle at bazuin.nl Thu Dec 10 13:53:02 2015 From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=) Date: Thu, 10 Dec 2015 14:53:02 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <56698305.70108@samba.org> References: <566980C3.4040303@tu-berlin.de> Message-ID: ( sorry ) I know about this sinds 28-may-2015 :-/ thats when i noticed this problem. Give me a few min, i'll get some more info. > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland penny > Verzonden: donderdag 10 december 2015 14:50 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller > initially fails when PDC is offline > > On 10/12/15 13:40, Ole Traupe wrote: > > > >> You have problems, if you have two DCs, you should get something like > >> this: > >> > >> root at dc1:~# host -t SRV _ldap._tcp.samdom.example.com > >> _ldap._tcp.samdom.example.com has SRV record 0 100 389 > >> dc2.samdom.example.com. > >> _ldap._tcp.samdom.example.com has SRV record 0 100 389 > >> dc1.samdom.example.com. > >> root at dc1:~# host -t SRV _kerberos._udp.samdom.example.com > >> _kerberos._udp.samdom.example.com has SRV record 0 100 88 > >> dc1.samdom.example.com. > >> _kerberos._udp.samdom.example.com has SRV record 0 100 88 > >> dc2.samdom.example.com. 
> >> > >> Rowland > > > > Definitely, good! :) > > > > However, I have been there, done that: > > https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins > > > > This page says nothing about ldap or kerberos... why?! > > > > Ole > > > > > > > > Probably because either nobody has noticed the problem or the problem > hasn't been reported before. > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba From ole.traupe at tu-berlin.de Thu Dec 10 14:00:20 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 10 Dec 2015 15:00:20 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5669805B.8050109@samba.org> References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com> <566861F9.3090502@samba.org> <56697D49.8040301@tu-berlin.de> <5669805B.8050109@samba.org> Message-ID: <56698574.5080103@tu-berlin.de> Am 10.12.2015 um 14:38 schrieb Rowland penny: > On 10/12/15 13:25, Ole Traupe wrote: >> Is it possible that kdc server is always the SOA, at least if >> derived from DNS and not specified *explicitly* in the krb5.conf? >> >> In my DNS-Manager console I find that >> >> _tcp.dc._msdcs.bpn.tu-berlin.de >> >> contains only 1 "_kerberos" record, and that one points to my First_DC. >> >> Ole >> >> >> > > Your problem doesn't seem to be a dns problem, you should have two > 'kerberos' records and no matter how good your dns is, it cannot > obtain something that isn't there :-) That's basically what I just wrote... 
> > See Louis's earlier post for how to attempt to fix this, but before > you do anything, restart samba on the second DC and then check the > logs, samba_dnsupdate should add the records you are missing. > > Rowland > > However, my 2nd DC is not that new, I restarted it many times, just again (samba service). No DNS records are created anywhere. If I go through the DNS console, in each and every container there is some entry for the 1st DC, but none for the 2nd (except on the top levels: FQDN and _msdcs.FQDN). Could this have to do with... a) I demoted my initial 1st DC (seized FSMO roles) and got rid of DNS entries via this script on the wiki? b) set up the *new* 2nd DC on the hardware of the prior 1st DC (with the same IP address)? From ole.traupe at tu-berlin.de Thu Dec 10 14:02:31 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 10 Dec 2015 15:02:31 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <56698305.70108@samba.org> References: <5661BD67.8000305@tu-berlin.de> <56697951.1040903@tu-berlin.de> <56697B9B.4070508@samba.org> <566980C3.4040303@tu-berlin.de> <56698305.70108@samba.org> Message-ID: <566985F7.6080400@tu-berlin.de> Am 10.12.2015 um 14:49 schrieb Rowland penny: > On 10/12/15 13:40, Ole Traupe wrote: >> >>> You have problems, if you have two DCs, you should get something >>> like this: >>> >>> root at dc1:~# host -t SRV _ldap._tcp.samdom.example.com >>> _ldap._tcp.samdom.example.com has SRV record 0 100 389 >>> dc2.samdom.example.com. >>> _ldap._tcp.samdom.example.com has SRV record 0 100 389 >>> dc1.samdom.example.com. >>> root at dc1:~# host -t SRV _kerberos._udp.samdom.example.com >>> _kerberos._udp.samdom.example.com has SRV record 0 100 88 >>> dc1.samdom.example.com. >>> _kerberos._udp.samdom.example.com has SRV record 0 100 88 >>> dc2.samdom.example.com. >>> >>> Rowland >> >> Definitely, good! 
:)
>>
>> However, I have been there, done that:
>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>
>> This page says nothing about ldap or kerberos... why?!
>>
>> Ole
>>
>>
>>
>
> Probably because either nobody has noticed the problem or the problem
> hasn't been reported before.
>
> Rowland
>
>

Sounds plausible. ;)

From belle at bazuin.nl Thu Dec 10 14:04:37 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 10 Dec 2015 15:04:37 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <56698305.70108@samba.org>
References: <566980C3.4040303@tu-berlin.de>

Ok, I'm using the RSAT tools, so here is how to get more info and fix this.

Start Active Directory Sites and Services.
Click on Sites, Default-First-Site-Name - Server.
You should see your second DC also; if not, you can add it manually.
I don't know the samba-tools commands for this one.

In the DNS admin, go to _msdcs.YOURDOMAIN. Look at the aliases.
These are the names you need in Active Directory Sites and Services.
You should also see 2 (!) aliases; if you are seeing one, this must be fixed first.

And! VERY IMPORTANT!!
Under the _msdcs.DOMAINS.. in pdc _tcp, here should be ONLY THE PRIMARY DC!

Walk through the _msdcs for what you're missing. I guess, all the second DC entries.

Have a look also in zone YOURDOMAIN and look in the _XXX.
Here you should also have 1 entry per DC.
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Thursday 10 December 2015 14:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
> On 10/12/15 13:40, Ole Traupe wrote:
> >
> >> You have problems, if you have two DCs, you should get something like
> >> this:
> >>
> >> root at dc1:~# host -t SRV _ldap._tcp.samdom.example.com
> >> _ldap._tcp.samdom.example.com has SRV record 0 100 389 dc2.samdom.example.com.
> >> _ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.
> >> root at dc1:~# host -t SRV _kerberos._udp.samdom.example.com
> >> _kerberos._udp.samdom.example.com has SRV record 0 100 88 dc1.samdom.example.com.
> >> _kerberos._udp.samdom.example.com has SRV record 0 100 88 dc2.samdom.example.com.
> >>
> >> Rowland
> >
> > Definitely, good! :)
> >
> > However, I have been there, done that:
> > https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
> >
> > This page says nothing about ldap or kerberos... why?!
> >
> > Ole
> >
> >
>
> Probably because either nobody has noticed the problem or the problem
> hasn't been reported before.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

From ole.traupe at tu-berlin.de Thu Dec 10 14:13:23 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Thu, 10 Dec 2015 15:13:23 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To:
References: <566980C3.4040303@tu-berlin.de>
Message-ID: <56698883.2060901@tu-berlin.de>

On 10.12.2015 at 14:53, L.P.H. van Belle wrote:
> ( sorry )
> I know about this since 28-may-2015 :-/ that's when I noticed this problem.
>
> Give me a few min, I'll get some more info.

I appreciate your honesty.
:) Would be good to know which records I need for the stable operating of my domain, and how to create them (both in FQDN and _msdcs.FQDN).

>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>> Sent: Thursday 10 December 2015 14:50
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>> initially fails when PDC is offline
>>
>> On 10/12/15 13:40, Ole Traupe wrote:
>>>> You have problems, if you have two DCs, you should get something like
>>>> this:
>>>>
>>>> root at dc1:~# host -t SRV _ldap._tcp.samdom.example.com
>>>> _ldap._tcp.samdom.example.com has SRV record 0 100 389 dc2.samdom.example.com.
>>>> _ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.
>>>> root at dc1:~# host -t SRV _kerberos._udp.samdom.example.com
>>>> _kerberos._udp.samdom.example.com has SRV record 0 100 88 dc1.samdom.example.com.
>>>> _kerberos._udp.samdom.example.com has SRV record 0 100 88 dc2.samdom.example.com.
>>>>
>>>> Rowland
>>> Definitely, good! :)
>>>
>>> However, I have been there, done that:
>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>>
>>> This page says nothing about ldap or kerberos... why?!
>>>
>>> Ole
>>>
>>>
>> Probably because either nobody has noticed the problem or the problem
>> hasn't been reported before.
>>
>> Rowland
>>
>>
>
>

From mots at nepu.moe Thu Dec 10 13:57:06 2015
From: mots at nepu.moe (mots)
Date: Thu, 10 Dec 2015 14:57:06 +0100
Subject: [Samba] Unable to convert SID at index 3 in user token to a GID.
Message-ID:

Hello,

Since today no users except Administrator can access any shares or log into a RDS-host. Trying to access a share returns "The security ID structure is invalid".
Logging into Windows and authenticating to other services with the domain credentials works.

I have lots of these messages in the log:

[2015/12/10 14:11:44.400918, 0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
Unable to convert SID (S-1-5-21-2973170849-3284262837-3971445600-1120) at index 3 in user token to a GID. Conversion was returned as type 1, full token:
[2015/12/10 14:11:44.491517, 0] ../libcli/security/security_token.c:63(security_token_debug)
Security token SIDs (10):
SID[ 0]: S-1-5-21-2973170849-3284262837-3971445600-1106
SID[ 1]: S-1-5-21-2973170849-3284262837-3971445600-513
SID[ 2]: S-1-5-21-2973170849-3284262837-3971445600-1121
SID[ 3]: S-1-5-21-2973170849-3284262837-3971445600-1120
SID[ 4]: S-1-1-0
SID[ 5]: S-1-5-2
SID[ 6]: S-1-5-11
SID[ 7]: S-1-5-32-555
SID[ 8]: S-1-5-32-545
SID[ 9]: S-1-5-32-554
Privileges (0x 800000):
Privilege[ 0]: SeChangeNotifyPrivilege
Rights (0x 400):
Right[ 0]: SeRemoteInteractiveLogonRight
[2015/12/10 14:11:44.530004, 0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
Unable to convert SID (S-1-5-21-2973170849-3284262837-3971445600-1120) at index 3 in user token to a GID. Conversion was returned as type 1, full token:
[2015/12/10 14:11:44.530230, 0] ../libcli/security/security_token.c:63(security_token_debug)
Security token SIDs (10):
SID[ 0]: S-1-5-21-2973170849-3284262837-3971445600-1106
SID[ 1]: S-1-5-21-2973170849-3284262837-3971445600-513
SID[ 2]: S-1-5-21-2973170849-3284262837-3971445600-1121
SID[ 3]: S-1-5-21-2973170849-3284262837-3971445600-1120
SID[ 4]: S-1-1-0
SID[ 5]: S-1-5-2
SID[ 6]: S-1-5-11
SID[ 7]: S-1-5-32-555
SID[ 8]: S-1-5-32-545
SID[ 9]: S-1-5-32-554
Privileges (0x 800000):
Privilege[ 0]: SeChangeNotifyPrivilege
Rights (0x 400):
Right[ 0]: SeRemoteInteractiveLogonRight

How can I fix this?

Best regards,
mots
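An added triage aid for the log excerpt above (not code from the thread or from the Samba project): it parses the security_token_to_unix_token / security_token_debug output, pulls out the SID that could not be mapped to a GID and the idmap type it resolved to, and labels the other SIDs in the token. The sample log is constructed from the lines in the post; the type names follow Samba's id_type enum, and the function and table names are my own.

```python
"""Triage Samba's "Unable to convert SID ... to a GID" log messages.

Added example, not Samba code: parse the failure line and the token dump that
follows it, and say which SID blocked the conversion and why.
"""
import re

# Samba's id_type enum (librpc/idl/idmap.idl); "type N" in the log line is one of these.
ID_TYPES = {0: "ID_TYPE_NOT_SPECIFIED", 1: "ID_TYPE_UID", 2: "ID_TYPE_GID", 3: "ID_TYPE_BOTH"}

# Well-known SIDs and domain-relative RIDs, used only to label the token dump.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "Network",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-554": "BUILTIN\\Pre-Windows 2000 Compatible Access",
    "S-1-5-32-555": "BUILTIN\\Remote Desktop Users",
}
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers"}

FAIL_RE = re.compile(
    r"Unable to convert SID \((?P<sid>S-[\d-]+)\) at index (?P<index>\d+) "
    r"in user token to a GID\.\s+Conversion was returned as type (?P<type>\d+)"
)
TOKEN_SID_RE = re.compile(r"SID\[\s*(?P<pos>\d+)\]:\s*(?P<sid>S-[\d-]+)")

# Constructed sample in the format of the post's log excerpt (one of the two repeats).
SAMPLE_LOG = """\
[2015/12/10 14:11:44.400918,  0] ../source4/auth/unix_token.c:107(security_token_to_unix_token)
  Unable to convert SID (S-1-5-21-2973170849-3284262837-3971445600-1120) at index 3 in user token to a GID.  Conversion was returned as type 1, full token:
[2015/12/10 14:11:44.491517,  0] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (10):
    SID[  0]: S-1-5-21-2973170849-3284262837-3971445600-1106
    SID[  1]: S-1-5-21-2973170849-3284262837-3971445600-513
    SID[  2]: S-1-5-21-2973170849-3284262837-3971445600-1121
    SID[  3]: S-1-5-21-2973170849-3284262837-3971445600-1120
    SID[  4]: S-1-1-0
    SID[  5]: S-1-5-2
    SID[  6]: S-1-5-11
    SID[  7]: S-1-5-32-555
    SID[  8]: S-1-5-32-545
    SID[  9]: S-1-5-32-554
   Privileges (0x 800000):
    Privilege[  0]: SeChangeNotifyPrivilege
   Rights (0x 400):
    Right[  0]: SeRemoteInteractiveLogonRight
"""


def label_sid(sid: str) -> str:
    """Human-readable label for a SID; unknown domain SIDs are reported by RID."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if sid.startswith("S-1-5-21-"):
        rid = int(sid.rsplit("-", 1)[1])
        return WELL_KNOWN_RIDS.get(rid, f"domain SID, RID {rid}")
    return "unknown"


def parse_gid_failures(log_text: str) -> list[dict]:
    """One record per failure: failing SID, its token index, idmap type, labelled token."""
    failures = []
    # Each failure line is followed by its own token dump, so split just before each one.
    for block in re.split(r"(?=Unable to convert SID)", log_text):
        m = FAIL_RE.search(block)
        if not m:
            continue
        token = [(int(t["pos"]), t["sid"], label_sid(t["sid"]))
                 for t in TOKEN_SID_RE.finditer(block)]
        failures.append({
            "sid": m["sid"],
            "index": int(m["index"]),
            "type": ID_TYPES.get(int(m["type"]), f"unknown({m['type']})"),
            "token": token,
        })
    return failures


def explain(failure: dict) -> str:
    """Turn one failure record into a sentence an admin can act on."""
    sid, idx, typ = failure["sid"], failure["index"], failure["type"]
    if typ == "ID_TYPE_UID":
        # Token index 0 is the user and index 1 the primary group; every later
        # entry must map to a GID, so a uid-only mapping there is the defect.
        return (f"{sid} sits at token index {idx} (a group position) but idmap resolved "
                f"it to a uid only; find which object that SID names and why it is not a group.")
    return f"{sid} at token index {idx} resolved to {typ}, which cannot be used as a GID."


if __name__ == "__main__":
    for f in parse_gid_failures(SAMPLE_LOG):
        print(explain(f))
        for pos, sid, label in f["token"]:
            print(f"  SID[{pos}] {sid}  ({label})")
```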
From rpenny at samba.org Thu Dec 10 14:15:09 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 10 Dec 2015 14:15:09 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <56698574.5080103@tu-berlin.de>
References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com> <566861F9.3090502@samba.org> <56697D49.8040301@tu-berlin.de> <5669805B.8050109@samba.org> <56698574.5080103@tu-berlin.de>
Message-ID: <566988ED.7080903@samba.org>

On 10/12/15 14:00, Ole Traupe wrote:
>
>
> On 10.12.2015 at 14:38, Rowland penny wrote:
>> On 10/12/15 13:25, Ole Traupe wrote:
>>> Is it possible that kdc server is always the SOA, at least if
>>> derived from DNS and not specified *explicitly* in the krb5.conf?
>>>
>>> In my DNS-Manager console I find that
>>>
>>> _tcp.dc._msdcs.bpn.tu-berlin.de
>>>
>>> contains only 1 "_kerberos" record, and that one points to my First_DC.
>>>
>>> Ole
>>>
>>>
>>
>> Your problem doesn't seem to be a dns problem, you should have two
>> 'kerberos' records and no matter how good your dns is, it cannot
>> obtain something that isn't there :-)
>
> That's basically what I just wrote...
>
>>
>> See Louis's earlier post for how to attempt to fix this, but before
>> you do anything, restart samba on the second DC and then check the
>> logs, samba_dnsupdate should add the records you are missing.
>>
>> Rowland
>>
>>
>
> However, my 2nd DC is not that new, I restarted it many times, just
> again (samba service). No DNS records are created anywhere.
>
> If I go through the DNS console, in each and every container there is
> some entry for the 1st DC, but none for the 2nd (except on the top
> levels: FQDN and _msdcs.FQDN).
>
> Could this have to do with...
> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of DNS
> entries via this script on the wiki?
> b) set up the *new* 2nd DC on the hardware of the prior 1st DC (with
> the same IP address)?
>
>
>

Possibly, but can you try this on your second DC, run 'samba_dnsupdate --verbose'

Rowland

From ole.traupe at tu-berlin.de Thu Dec 10 14:22:15 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Thu, 10 Dec 2015 15:22:15 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To:
References: <566980C3.4040303@tu-berlin.de>
Message-ID: <56698A97.20909@tu-berlin.de>

On 10.12.2015 at 15:04, L.P.H. van Belle wrote:
> Ok, I'm using the RSAT tools, so here is how to get more info and fix this.
>
> Start Active Directory Sites and Services.
> Click on Sites, Default-First-Site-Name - Server.
> You should see your second DC also; if not, you can add it manually.
> I don't know the samba-tool commands for this one.

It is there.

>
> In the DNS admin, go to _msdcs.YOURDOMAIN.
> Look at the aliases.
> These are the names you need in Active Directory Sites and Services.
> You should also see 2 ! aliases; if you are seeing one, this must be fixed first.

Both are there.

>
> And ! VERY IMPORTANT !!
> Under the _msdcs.DOMAINS..
> In pdc _tcp there should be ONLY THE PRIMARY DC !

Yes, only 1st DC is there.

>
> Walk through the _msdcs for what you're missing.
> I guess, all the second DC entries.

Which are?

>
> Have a look also in zone YOURDOMAIN and look in the _XXX.
> Here you should have also 1 entry per DC.

Everywhere?
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>> Sent: Thursday 10 December 2015 14:50
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authentication to Secondary Domain Controller
>> initially fails when PDC is offline
>>
>> On 10/12/15 13:40, Ole Traupe wrote:
>>>> You have problems, if you have two DCs, you should get something like
>>>> this:
>>>>
>>>> root at dc1:~# host -t SRV _ldap._tcp.samdom.example.com
>>>> _ldap._tcp.samdom.example.com has SRV record 0 100 389 dc2.samdom.example.com.
>>>> _ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.
>>>> root at dc1:~# host -t SRV _kerberos._udp.samdom.example.com
>>>> _kerberos._udp.samdom.example.com has SRV record 0 100 88 dc1.samdom.example.com.
>>>> _kerberos._udp.samdom.example.com has SRV record 0 100 88 dc2.samdom.example.com.
>>>>
>>>> Rowland
>>> Definitely, good! :)
>>>
>>> However, I have been there, done that:
>>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>>
>>> This page says nothing about ldap or kerberos... why?!
>>>
>>> Ole
>>>
>>>
>> Probably because either nobody has noticed the problem or the problem
>> hasn't been reported before.
>>
>> Rowland
>>
>>
>
>

From belle at bazuin.nl Thu Dec 10 14:29:18 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 10 Dec 2015 15:29:18 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <56698A97.20909@tu-berlin.de>
References:
Message-ID:

>
>
> Possibly, but can you try this on your second DC, run 'samba_dnsupdate
> --verbose'
>
> Rowland
>

Yeah, should fix it. But do run it on both your DCs and compare the output a bit.
For example, look at the first five lines. Per server different.
Looking for DNS entry SRV _ldap._tcp.xxx-xxx-xxx-xxx-xx.domain._msdcs.domain
Should give 2 servers on both outputs.

After you did this on both servers, reboot the PRIMARY DC; when up, reboot the second DC.
Check again with:
host -t SRV _ldap._tcp.YOURDOMAIN.TLD

And in reply to...
> > Walk through the _msdcs for what you're missing.
> > I guess, all the second DC entries.
> Which are?

The A CNAME NS

> > Have a look also in zone YOURDOMAIN and look in the _XXX
> > Here you should have also 1 entry per DC.
> Everywhere?

Yeah, all _ entries.

But ! As I recall samba_dnsupdate --verbose should fix this.
So first try with the commands and let samba fix it.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Thursday 10 December 2015 15:22
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
>
>
> On 10.12.2015 at 15:04, L.P.H. van Belle wrote:
> > Ok, I'm using the RSAT tools, so here is how to get more info and fix this.
> >
> > Start Active Directory Sites and Services.
> > Click on Sites, Default-First-Site-Name - Server.
> > You should see your second DC also; if not, you can add it manually.
> > I don't know the samba-tool commands for this one.
>
> It is there.
>
> >
> > In the DNS admin, go to _msdcs.YOURDOMAIN.
> > Look at the aliases.
> > These are the names you need in Active Directory Sites and Services.
> > You should also see 2 ! aliases; if you are seeing one, this must be fixed first.
>
> Both are there.
>
> >
> > And ! VERY IMPORTANT !!
> > Under the _msdcs.DOMAINS..
> > In pdc _tcp there should be ONLY THE PRIMARY DC !
>
> Yes, only 1st DC is there.
>
> >
> > Walk through the _msdcs for what you're missing.
> > I guess, all the second DC entries.
>
> Which are?
> >
> > Have a look also in zone YOURDOMAIN and look in the _XXX.
> > Here you should have also 1 entry per DC.
>
> Everywhere?
>
> >
> > Louis
> >
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> >> Sent: Thursday 10 December 2015 14:50
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> >> initially fails when PDC is offline
> >>
> >> On 10/12/15 13:40, Ole Traupe wrote:
> >>>> You have problems, if you have two DCs, you should get something like
> >>>> this:
> >>>>
> >>>> root at dc1:~# host -t SRV _ldap._tcp.samdom.example.com
> >>>> _ldap._tcp.samdom.example.com has SRV record 0 100 389 dc2.samdom.example.com.
> >>>> _ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.
> >>>> root at dc1:~# host -t SRV _kerberos._udp.samdom.example.com
> >>>> _kerberos._udp.samdom.example.com has SRV record 0 100 88 dc1.samdom.example.com.
> >>>> _kerberos._udp.samdom.example.com has SRV record 0 100 88 dc2.samdom.example.com.
> >>>>
> >>>> Rowland
> >>> Definitely, good! :)
> >>>
> >>> However, I have been there, done that:
> >>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
> >>>
> >>> This page says nothing about ldap or kerberos... why?!
> >>>
> >>> Ole
> >>>
> >>>
> >> Probably because either nobody has noticed the problem or the problem
> >> hasn't been reported before.
> >>
> >> Rowland
> >>
> >>
> >
> >
>

From ole.traupe at tu-berlin.de Thu Dec 10 14:40:45 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Thu, 10 Dec 2015 15:40:45 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566988ED.7080903@samba.org>
References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com> <566861F9.3090502@samba.org> <56697D49.8040301@tu-berlin.de> <5669805B.8050109@samba.org> <56698574.5080103@tu-berlin.de> <566988ED.7080903@samba.org>
Message-ID: <56698EED.5020308@tu-berlin.de>

>> However, my 2nd DC is not that new, I restarted it many times, just
>> again (samba service). No DNS records are created anywhere.
>>
>> If I go through the DNS console, in each and every container there is
>> some entry for the 1st DC, but none for the 2nd (except on the top
>> levels: FQDN and _msdcs.FQDN).
>>
>> Could this have to do with...
>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of DNS
>> entries via this script on the wiki?
>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC (with
>> the same IP address)?
>>
>>
>
> Possibly, but can you try this on your second DC, run 'samba_dnsupdate
> --verbose'
>
> Rowland
>

Doesn't look too good to me:

[root at DC2 me]# samba_dnsupdate --verbose
IPs: ['IP_of_2nd_DC']
Looking for DNS entry A DC2.my.domain.tld IP_of_2nd_DC as DC2.my.domain.tld.
Looking for DNS entry A my.domain.tld IP_of_2nd_DC as my.domain.tld.
Failed to find matching DNS entry A my.domain.tld IP_of_2nd_DC
Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.dc._msdcs.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 as _kerberos._tcp.my.domain.tld.
Checking 0 100 88 DC1.my.domain.tld. against SRV _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88
Failed to find matching DNS entry SRV _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88
Looking for DNS entry SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld.
Checking 0 100 88 DC1.my.domain.tld. against SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88
Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 as _kerberos._tcp.dc._msdcs.my.domain.tld.
Checking 0 100 88 DC1.my.domain.tld. against SRV _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
Failed to find matching DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
Looking for DNS entry SRV _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464 as _kpasswd._tcp.my.domain.tld.
Checking 0 100 464 DC1.my.domain.tld. against SRV _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464
Failed to find matching DNS entry SRV _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464
Looking for DNS entry SRV _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464 as _kpasswd._udp.my.domain.tld.
Checking 0 100 464 DC1.my.domain.tld. against SRV _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464
Failed to find matching DNS entry SRV _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464
Looking for DNS entry CNAME d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld DC2.my.domain.tld as d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld.
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 88 as _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld.
Checking 0 100 88 DC1.my.domain.tld. against SRV _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 88
Failed to find matching DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 88
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld.
Checking 0 100 88 DC1.my.domain.tld. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
Failed to find matching DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 88
Looking for DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC as gc._msdcs.my.domain.tld.
Failed to find matching DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC
Looking for DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld 3268 as _gc._tcp.my.domain.tld.
Checking 0 100 3268 DC1.my.domain.tld. against SRV _gc._tcp.my.domain.tld DC2.my.domain.tld 3268
Failed to find matching DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 as _ldap._tcp.gc._msdcs.my.domain.tld.
Checking 0 100 3268 DC1.my.domain.tld. against SRV _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
Failed to find matching DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 3268 as _gc._tcp.Default-First-Site-Name._sites.my.domain.tld.
Checking 0 100 3268 DC1.my.domain.tld. against SRV _gc._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 3268
Failed to find matching DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 3268
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld.
Checking 0 100 3268 DC1.my.domain.tld. against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
Failed to find matching DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268
Looking for DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC as DomainDnsZones.my.domain.tld.
Failed to find matching DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.DomainDnsZones.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry A ForestDnsZones.my.domain.tld IP_of_2nd_DC as ForestDnsZones.my.domain.tld.
Failed to find matching DNS entry A ForestDnsZones.my.domain.tld IP_of_2nd_DC
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.ForestDnsZones.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld.
Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
Failed to find matching DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389
Calling nsupdate for A my.domain.tld IP_of_2nd_DC (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
my.domain.tld. 900 IN A IP_of_2nd_DC
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.my.domain.tld. 900 IN SRV 0 100 464 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.my.domain.tld. 900 IN SRV 0 100 464 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.my.domain.tld IP_of_2nd_DC (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.my.domain.tld. 900 IN A IP_of_2nd_DC
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.my.domain.tld DC2.my.domain.tld 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.my.domain.tld. 900 IN SRV 0 100 3268 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.my.domain.tld. 900 IN SRV 0 100 3268 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.my.domain.tld DC2.my.domain.tld 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 100 3268 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. 900 IN SRV 0 100 3268 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for A DomainDnsZones.my.domain.tld IP_of_2nd_DC (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DomainDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.DomainDnsZones.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for A ForestDnsZones.my.domain.tld IP_of_2nd_DC (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.
; TSIG error with server: tsig verify failure
update failed: FORMERR
Failed nsupdate: 2
Failed update of 24 entries

From rpenny at samba.org Thu Dec 10 14:49:59 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 10 Dec 2015 14:49:59 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <56698EED.5020308@tu-berlin.de>
References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com> <566861F9.3090502@samba.org> <56697D49.8040301@tu-berlin.de> <5669805B.8050109@samba.org> <56698574.5080103@tu-berlin.de> <566988ED.7080903@samba.org> <56698EED.5020308@tu-berlin.de>
Message-ID: <56699117.7070303@samba.org>

On 10/12/15 14:40, Ole Traupe wrote:
>
>>> However, my 2nd DC is not that new, I restarted it many times, just
>>> again (samba service). No DNS records are created anywhere.
>>>
>>> If I go through the DNS console, in each and every container there
>>> is some entry for the 1st DC, but none for the 2nd (except on the
>>> top levels: FQDN and _msdcs.FQDN).
>>>
>>> Could this have to do with...
>>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of >>> DNS entries via this script on the wiki? >>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC (with >>> the same IP address)? >>> >>> >>> >> >> Possibly, but can you try this on your second DC, run >> 'samba_dnsupdate --verbose' >> >> Rowland >> > > Doesn't look too good to me: > > > [root at DC2 me]# samba_dnsupdate --verbose > IPs: ['IP_of_2nd_DC'] > Looking for DNS entry A DC2.my.domain.tld IP_of_2nd_DC as > DC2.my.domain.tld. > Looking for DNS entry A my.domain.tld IP_of_2nd_DC as my.domain.tld. > Failed to find matching DNS entry A my.domain.tld IP_of_2nd_DC > Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld > 389 as _ldap._tcp.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld > DC2.my.domain.tld 389 > Looking for DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld > DC2.my.domain.tld 389 as _ldap._tcp.dc._msdcs.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 > Looking for DNS entry SRV > _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld > DC2.my.domain.tld 389 as > _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld > DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld > DC2.my.domain.tld 389 > Looking for DNS entry SRV _kerberos._tcp.my.domain.tld > DC2.my.domain.tld 88 as _kerberos._tcp.my.domain.tld. > Checking 0 100 88 DC1.my.domain.tld. 
against SRV > _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 > Failed to find matching DNS entry SRV _kerberos._tcp.my.domain.tld > DC2.my.domain.tld 88 > Looking for DNS entry SRV _kerberos._udp.my.domain.tld > DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld. > Checking 0 100 88 DC1.my.domain.tld. against SRV > _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 > Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld > DC2.my.domain.tld 88 > Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld > DC2.my.domain.tld 88 as _kerberos._tcp.dc._msdcs.my.domain.tld. > Checking 0 100 88 DC1.my.domain.tld. against SRV > _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 > Failed to find matching DNS entry SRV > _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 > Looking for DNS entry SRV _kpasswd._tcp.my.domain.tld > DC2.my.domain.tld 464 as _kpasswd._tcp.my.domain.tld. > Checking 0 100 464 DC1.my.domain.tld. against SRV > _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464 > Failed to find matching DNS entry SRV _kpasswd._tcp.my.domain.tld > DC2.my.domain.tld 464 > Looking for DNS entry SRV _kpasswd._udp.my.domain.tld > DC2.my.domain.tld 464 as _kpasswd._udp.my.domain.tld. > Checking 0 100 464 DC1.my.domain.tld. against SRV > _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464 > Failed to find matching DNS entry SRV _kpasswd._udp.my.domain.tld > DC2.my.domain.tld 464 > Looking for DNS entry CNAME > d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld > DC2.my.domain.tld as > d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld. > Looking for DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 389 as > _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. 
against SRV > _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 389 > Looking for DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 389 as > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 389 > Looking for DNS entry SRV > _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 88 as > _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. > Checking 0 100 88 DC1.my.domain.tld. against SRV > _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 88 > Failed to find matching DNS entry SRV > _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 88 > Looking for DNS entry SRV > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 88 as > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > Checking 0 100 88 DC1.my.domain.tld. against SRV > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 88 > Failed to find matching DNS entry SRV > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 88 > Looking for DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC as > gc._msdcs.my.domain.tld. > Failed to find matching DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC > Looking for DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld > 3268 as _gc._tcp.my.domain.tld. > Checking 0 100 3268 DC1.my.domain.tld. 
against SRV > _gc._tcp.my.domain.tld DC2.my.domain.tld 3268 > Failed to find matching DNS entry SRV _gc._tcp.my.domain.tld > DC2.my.domain.tld 3268 > Looking for DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld > DC2.my.domain.tld 3268 as _ldap._tcp.gc._msdcs.my.domain.tld. > Checking 0 100 3268 DC1.my.domain.tld. against SRV > _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 > Failed to find matching DNS entry SRV > _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 > Looking for DNS entry SRV > _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 3268 as > _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. > Checking 0 100 3268 DC1.my.domain.tld. against SRV > _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 3268 > Failed to find matching DNS entry SRV > _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 3268 > Looking for DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > DC2.my.domain.tld 3268 as > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. > Checking 0 100 3268 DC1.my.domain.tld. against SRV > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > DC2.my.domain.tld 3268 > Failed to find matching DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > DC2.my.domain.tld 3268 > Looking for DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC as > DomainDnsZones.my.domain.tld. > Failed to find matching DNS entry A DomainDnsZones.my.domain.tld > IP_of_2nd_DC > Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld > DC2.my.domain.tld 389 as _ldap._tcp.DomainDnsZones.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. 
against SRV > _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 > Looking for DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > DC2.my.domain.tld 389 as > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > DC2.my.domain.tld 389 > Looking for DNS entry A ForestDnsZones.my.domain.tld IP_of_2nd_DC as > ForestDnsZones.my.domain.tld. > Failed to find matching DNS entry A ForestDnsZones.my.domain.tld > IP_of_2nd_DC > Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain.tld > DC2.my.domain.tld 389 as _ldap._tcp.ForestDnsZones.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 > Looking for DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > DC2.my.domain.tld 389 as > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. > Checking 0 100 389 DC1.my.domain.tld. against SRV > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > DC2.my.domain.tld 389 > Failed to find matching DNS entry SRV > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > DC2.my.domain.tld 389 > Calling nsupdate for A my.domain.tld IP_of_2nd_DC (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > my.domain.tld. 
900 IN A IP_of_2nd_DC > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld > 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.tld > DC2.my.domain.tld 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 389 > DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV > _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld > DC2.my.domain.tld 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld. > 900 IN SRV 0 100 389 DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _kerberos._tcp.my.domain.tld > DC2.my.domain.tld 88 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _kerberos._tcp.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld. 
> > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _kerberos._udp.my.domain.tld > DC2.my.domain.tld 88 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _kerberos._udp.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain.tld > DC2.my.domain.tld 88 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _kerberos._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 88 > DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _kpasswd._tcp.my.domain.tld DC2.my.domain.tld > 464 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _kpasswd._tcp.my.domain.tld. 900 IN SRV 0 100 464 DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _kpasswd._udp.my.domain.tld DC2.my.domain.tld > 464 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _kpasswd._udp.my.domain.tld. 900 IN SRV 0 100 464 DC2.my.domain.tld. 
> > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV > _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 > 100 389 DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. 900 > IN SRV 0 100 389 DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV > _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 88 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN > SRV 0 100 88 DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > DC2.my.domain.tld 88 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > 900 IN SRV 0 100 88 DC2.my.domain.tld. 
> > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for A gc._msdcs.my.domain.tld IP_of_2nd_DC (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > gc._msdcs.my.domain.tld. 900 IN A IP_of_2nd_DC > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _gc._tcp.my.domain.tld DC2.my.domain.tld 3268 > (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _gc._tcp.my.domain.tld. 900 IN SRV 0 100 3268 > DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain.tld > DC2.my.domain.tld 3268 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.gc._msdcs.my.domain.tld. 900 IN SRV 0 100 3268 > DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV > _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > DC2.my.domain.tld 3268 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 > 100 3268 DC2.my.domain.tld. 
> > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > DC2.my.domain.tld 3268 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. 900 > IN SRV 0 100 3268 DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for A DomainDnsZones.my.domain.tld IP_of_2nd_DC (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > DomainDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain.tld > DC2.my.domain.tld 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.DomainDnsZones.my.domain.tld. 900 IN SRV 0 100 389 > DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > DC2.my.domain.tld 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. 900 > IN SRV 0 100 389 DC2.my.domain.tld. 
> > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for A ForestDnsZones.my.domain.tld IP_of_2nd_DC (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > ForestDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.my.domain.tld > DC2.my.domain.tld 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389 > DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Calling nsupdate for SRV > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > DC2.my.domain.tld 389 (add) > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. 900 > IN SRV 0 100 389 DC2.my.domain.tld. > > ; TSIG error with server: tsig verify failure > update failed: FORMERR > Failed nsupdate: 2 > Failed update of 24 entries > > > There is a known problem, even though the updates print '; TSIG error with server: tsig verify failure', it still works. Try running 'host -t SRV _kerberos._udp.my.domain.tld.' again. 
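Added example, not part of this thread or of Samba's own tooling: a small POSIX shell checker that does what Rowland's 'host -t SRV ...' suggestion does, but for every SRV name the samba_dnsupdate output above tried to register, and reports which of them still fail to list the second DC as a target. The domain (my.domain.tld), DC name (DC2.my.domain.tld) and site (Default-First-Site-Name) are the placeholder values from the thread; the per-domain GUID record (_ldap._tcp.<GUID>.domains._msdcs...) is left out because its GUID is not known here. The two sample_* functions are constructed resolver answers so the script can be exercised without a live AD DNS.

```sh
#!/bin/sh
# Added example (not from the thread): verify that a Samba AD DC is listed as a
# target in the SRV records samba_dnsupdate is expected to register for it.
# Placeholder values: my.domain.tld, DC2.my.domain.tld, Default-First-Site-Name.

# expected_srv_names DOMAIN SITE: print, one per line, the SRV owner names that a
# DC in site SITE of domain DOMAIN should appear in (the set samba_dnsupdate
# tried to add above, minus the domain-GUID record whose GUID we do not have).
expected_srv_names() {
    domain=$1
    site=$2
    cat <<EOF
_ldap._tcp.$domain
_ldap._tcp.dc._msdcs.$domain
_kerberos._tcp.$domain
_kerberos._udp.$domain
_kerberos._tcp.dc._msdcs.$domain
_kpasswd._tcp.$domain
_kpasswd._udp.$domain
_ldap._tcp.$site._sites.$domain
_ldap._tcp.$site._sites.dc._msdcs.$domain
_kerberos._tcp.$site._sites.$domain
_kerberos._tcp.$site._sites.dc._msdcs.$domain
_gc._tcp.$domain
_ldap._tcp.gc._msdcs.$domain
_gc._tcp.$site._sites.$domain
_ldap._tcp.$site._sites.gc._msdcs.$domain
_ldap._tcp.DomainDnsZones.$domain
_ldap._tcp.$site._sites.DomainDnsZones.$domain
_ldap._tcp.ForestDnsZones.$domain
_ldap._tcp.$site._sites.ForestDnsZones.$domain
EOF
}

# query_srv NAME: real lookup via host(1); prints one
# "NAME has SRV record PRIO WEIGHT PORT TARGET." line per record.
query_srv() {
    host -t SRV "$1"
}

# srv_has_target OUTPUT DCFQDN: succeed if any "has SRV record" line in OUTPUT
# (host(1) format) names DCFQDN as its target. The comparison is
# case-insensitive and ignores a trailing dot, as DNS name comparison does.
srv_has_target() {
    output=$1
    target=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    printf '%s\n' "$output" | tr 'A-Z' 'a-z' | awk -v t="$target" '
        /has srv record/ { sub(/\.$/, "", $NF); if ($NF == t) found = 1 }
        END { exit found ? 0 : 1 }'
}

# count_missing DOMAIN SITE DCFQDN [QUERY_FN]: print the number of expected SRV
# names that do not list DCFQDN, naming each one on stderr. QUERY_FN is the
# lookup function (default query_srv); a constructed one can be substituted.
count_missing() {
    domain=$1; site=$2; dc=$3; query=${4:-query_srv}
    missing=0
    for name in $(expected_srv_names "$domain" "$site"); do
        if ! srv_has_target "$($query "$name")" "$dc"; then
            missing=$((missing + 1))
            echo "MISSING: $name does not list $dc" >&2
        fi
    done
    echo "$missing"
}

# Constructed answers mimicking the thread: every name resolves, but only to DC1,
# which is the "Checking 0 100 389 DC1.my.domain.tld. against SRV ... DC2" /
# "Failed to find matching DNS entry" pattern in the samba_dnsupdate output.
sample_only_dc1() {
    printf '%s has SRV record 0 100 389 DC1.my.domain.tld.\n' "$1"
}

# Constructed answers for a healthy zone in which both DCs are registered.
sample_both_dcs() {
    printf '%s has SRV record 0 100 389 DC1.my.domain.tld.\n' "$1"
    printf '%s has SRV record 0 100 389 dc2.my.domain.tld.\n' "$1"
}

# Real use: sh check_dc_srv.sh my.domain.tld Default-First-Site-Name DC2.my.domain.tld
if [ $# -eq 3 ]; then
    count_missing "$1" "$2" "$3"
fi
```

Run it on the DC after samba_dnsupdate: a result of 0 means every expected SRV name already lists the DC, which is what Rowland's remark that the TSIG message is cosmetic predicts; a non-zero count with each missing name on stderr tells you exactly which records the update did not land, without trusting the nsupdate exit status either way.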
Rowland From ole.traupe at tu-berlin.de Thu Dec 10 15:13:38 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 10 Dec 2015 16:13:38 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <56699117.7070303@samba.org> References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com> <566861F9.3090502@samba.org> <56697D49.8040301@tu-berlin.de> <5669805B.8050109@samba.org> <56698574.5080103@tu-berlin.de> <566988ED.7080903@samba.org> <56698EED.5020308@tu-berlin.de> <56699117.7070303@samba.org> Message-ID: <566996A2.6040409@tu-berlin.de> On 10.12.2015 at 15:49, Rowland penny wrote: > On 10/12/15 14:40, Ole Traupe wrote: >> >>>> However, my 2nd DC is not that new, I restarted it many times, just >>>> again (samba service). No DNS records are created anywhere. >>>> >>>> If I go through the DNS console, in each and every container there >>>> is some entry for the 1st DC, but none for the 2nd (except on the >>>> top levels: FQDN and _msdcs.FQDN). >>>> >>>> Could this have to do with... >>>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of >>>> DNS entries via this script on the wiki? >>>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC >>>> (with the same IP address)? >>>> >>>> >>>> >>> >>> Possibly, but can you try this on your second DC, run >>> 'samba_dnsupdate --verbose' >>> >>> Rowland >>> >> >> Doesn't look too good to me: >> >> >> [root at DC2 me]# samba_dnsupdate --verbose >> IPs: ['IP_of_2nd_DC'] >> Looking for DNS entry A DC2.my.domain.tld IP_of_2nd_DC as >> DC2.my.domain.tld. 
>> Looking for DNS entry A my.domain.tld IP_of_2nd_DC as my.domain.tld. >> Failed to find matching DNS entry A my.domain.tld IP_of_2nd_DC >> Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld >> 389 as _ldap._tcp.my.domain.tld. >> Checking 0 100 389 DC1.my.domain.tld. against SRV >> _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 >> Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld >> DC2.my.domain.tld 389 >> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld >> DC2.my.domain.tld 389 as _ldap._tcp.dc._msdcs.my.domain.tld. >> Checking 0 100 389 DC1.my.domain.tld. against SRV >> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 >> Failed to find matching DNS entry SRV >> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 >> Looking for DNS entry SRV >> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld >> DC2.my.domain.tld 389 as >> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld. >> Checking 0 100 389 DC1.my.domain.tld. against SRV >> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld >> DC2.my.domain.tld 389 >> Failed to find matching DNS entry SRV >> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld >> DC2.my.domain.tld 389 >> Looking for DNS entry SRV _kerberos._tcp.my.domain.tld >> DC2.my.domain.tld 88 as _kerberos._tcp.my.domain.tld. >> Checking 0 100 88 DC1.my.domain.tld. against SRV >> _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 >> Failed to find matching DNS entry SRV _kerberos._tcp.my.domain.tld >> DC2.my.domain.tld 88 >> Looking for DNS entry SRV _kerberos._udp.my.domain.tld >> DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld. >> Checking 0 100 88 DC1.my.domain.tld. 
against SRV >> _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 >> Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld >> DC2.my.domain.tld 88 >> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld >> DC2.my.domain.tld 88 as _kerberos._tcp.dc._msdcs.my.domain.tld. >> Checking 0 100 88 DC1.my.domain.tld. against SRV >> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 >> Failed to find matching DNS entry SRV >> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 >> Looking for DNS entry SRV _kpasswd._tcp.my.domain.tld >> DC2.my.domain.tld 464 as _kpasswd._tcp.my.domain.tld. >> Checking 0 100 464 DC1.my.domain.tld. against SRV >> _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464 >> Failed to find matching DNS entry SRV _kpasswd._tcp.my.domain.tld >> DC2.my.domain.tld 464 >> Looking for DNS entry SRV _kpasswd._udp.my.domain.tld >> DC2.my.domain.tld 464 as _kpasswd._udp.my.domain.tld. >> Checking 0 100 464 DC1.my.domain.tld. against SRV >> _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464 >> Failed to find matching DNS entry SRV _kpasswd._udp.my.domain.tld >> DC2.my.domain.tld 464 >> Looking for DNS entry CNAME >> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld >> DC2.my.domain.tld as >> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld. >> Looking for DNS entry SRV >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld >> DC2.my.domain.tld 389 as >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. >> Checking 0 100 389 DC1.my.domain.tld. against SRV >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld >> DC2.my.domain.tld 389 >> Failed to find matching DNS entry SRV >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld >> DC2.my.domain.tld 389 >> Looking for DNS entry SRV >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld >> DC2.my.domain.tld 389 as >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. >> Checking 0 100 389 DC1.my.domain.tld. 
against SRV >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld >> DC2.my.domain.tld 389 >> Failed to find matching DNS entry SRV >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld >> DC2.my.domain.tld 389 >> Looking for DNS entry SRV >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld >> DC2.my.domain.tld 88 as >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. >> Checking 0 100 88 DC1.my.domain.tld. against SRV >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld >> DC2.my.domain.tld 88 >> Failed to find matching DNS entry SRV >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld >> DC2.my.domain.tld 88 >> Looking for DNS entry SRV >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld >> DC2.my.domain.tld 88 as >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. >> Checking 0 100 88 DC1.my.domain.tld. against SRV >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld >> DC2.my.domain.tld 88 >> Failed to find matching DNS entry SRV >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld >> DC2.my.domain.tld 88 >> Looking for DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC as >> gc._msdcs.my.domain.tld. >> Failed to find matching DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC >> Looking for DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld >> 3268 as _gc._tcp.my.domain.tld. >> Checking 0 100 3268 DC1.my.domain.tld. against SRV >> _gc._tcp.my.domain.tld DC2.my.domain.tld 3268 >> Failed to find matching DNS entry SRV _gc._tcp.my.domain.tld >> DC2.my.domain.tld 3268 >> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld >> DC2.my.domain.tld 3268 as _ldap._tcp.gc._msdcs.my.domain.tld. >> Checking 0 100 3268 DC1.my.domain.tld. 
against SRV >> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 >> Failed to find matching DNS entry SRV >> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 >> Looking for DNS entry SRV >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld >> DC2.my.domain.tld 3268 as >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. >> Checking 0 100 3268 DC1.my.domain.tld. against SRV >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld >> DC2.my.domain.tld 3268 >> Failed to find matching DNS entry SRV >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld >> DC2.my.domain.tld 3268 >> Looking for DNS entry SRV >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld >> DC2.my.domain.tld 3268 as >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. >> Checking 0 100 3268 DC1.my.domain.tld. against SRV >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld >> DC2.my.domain.tld 3268 >> Failed to find matching DNS entry SRV >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld >> DC2.my.domain.tld 3268 >> Looking for DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC as >> DomainDnsZones.my.domain.tld. >> Failed to find matching DNS entry A DomainDnsZones.my.domain.tld >> IP_of_2nd_DC >> Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld >> DC2.my.domain.tld 389 as _ldap._tcp.DomainDnsZones.my.domain.tld. >> Checking 0 100 389 DC1.my.domain.tld. against SRV >> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 >> Failed to find matching DNS entry SRV >> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 >> Looking for DNS entry SRV >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld DC2.my.domain.tld >> 389 as >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. >> Checking 0 100 389 DC1.my.domain.tld. 
against SRV >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld DC2.my.domain.tld >> 389 >> Failed to find matching DNS entry SRV >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld DC2.my.domain.tld >> 389 >> Looking for DNS entry A ForestDnsZones.my.domain.tld IP_of_2nd_DC as >> ForestDnsZones.my.domain.tld. >> Failed to find matching DNS entry A ForestDnsZones.my.domain.tld >> IP_of_2nd_DC >> Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain.tld >> DC2.my.domain.tld 389 as _ldap._tcp.ForestDnsZones.my.domain.tld. >> Checking 0 100 389 DC1.my.domain.tld. against SRV >> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 >> Failed to find matching DNS entry SRV >> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 >> Looking for DNS entry SRV >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld >> 389 as >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. >> Checking 0 100 389 DC1.my.domain.tld. against SRV >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld >> 389 >> Failed to find matching DNS entry SRV >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld >> 389 >> Calling nsupdate for A my.domain.tld IP_of_2nd_DC (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> my.domain.tld. 900 IN A IP_of_2nd_DC >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld >> 389 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _ldap._tcp.my.domain.tld. 900 IN SRV 0 100 389 >> DC2.my.domain.tld. 
>> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.tld >> DC2.my.domain.tld 389 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _ldap._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 389 >> DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV >> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld >> DC2.my.domain.tld 389 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld. >> 900 IN SRV 0 100 389 DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV _kerberos._tcp.my.domain.tld >> DC2.my.domain.tld 88 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _kerberos._tcp.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV _kerberos._udp.my.domain.tld >> DC2.my.domain.tld 88 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _kerberos._udp.my.domain.tld. 900 IN SRV 0 100 88 DC2.my.domain.tld. 
>> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain.tld >> DC2.my.domain.tld 88 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _kerberos._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 88 >> DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV _kpasswd._tcp.my.domain.tld >> DC2.my.domain.tld 464 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _kpasswd._tcp.my.domain.tld. 900 IN SRV 0 100 464 >> DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV _kpasswd._udp.my.domain.tld >> DC2.my.domain.tld 464 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _kpasswd._udp.my.domain.tld. 900 IN SRV 0 100 464 >> DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld >> DC2.my.domain.tld 389 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 >> 100 389 DC2.my.domain.tld. 
>> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld >> DC2.my.domain.tld 389 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. >> 900 IN SRV 0 100 389 DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld >> DC2.my.domain.tld 88 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN >> SRV 0 100 88 DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld >> DC2.my.domain.tld 88 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. 900 >> IN SRV 0 100 88 DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for A gc._msdcs.my.domain.tld IP_of_2nd_DC (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> gc._msdcs.my.domain.tld. 
900 IN A IP_of_2nd_DC >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV _gc._tcp.my.domain.tld DC2.my.domain.tld >> 3268 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _gc._tcp.my.domain.tld. 900 IN SRV 0 100 3268 >> DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain.tld >> DC2.my.domain.tld 3268 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _ldap._tcp.gc._msdcs.my.domain.tld. 900 IN SRV 0 100 3268 >> DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld >> DC2.my.domain.tld 3268 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 >> 100 3268 DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld >> DC2.my.domain.tld 3268 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. >> 900 IN SRV 0 100 3268 DC2.my.domain.tld. 
>> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for A DomainDnsZones.my.domain.tld IP_of_2nd_DC (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> DomainDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain.tld >> DC2.my.domain.tld 389 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _ldap._tcp.DomainDnsZones.my.domain.tld. 900 IN SRV 0 100 389 >> DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for SRV >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld DC2.my.domain.tld >> 389 (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. >> 900 IN SRV 0 100 389 DC2.my.domain.tld. >> >> ; TSIG error with server: tsig verify failure >> update failed: FORMERR >> Failed nsupdate: 2 >> Calling nsupdate for A ForestDnsZones.my.domain.tld IP_of_2nd_DC (add) >> Outgoing update query: >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >> ;; UPDATE SECTION: >> ForestDnsZones.my.domain.tld. 
>> 900 IN A IP_of_2nd_DC
>>
>> ; TSIG error with server: tsig verify failure
>> update failed: FORMERR
>> Failed nsupdate: 2
>> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 (add)
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> _ldap._tcp.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.
>>
>> ; TSIG error with server: tsig verify failure
>> update failed: FORMERR
>> Failed nsupdate: 2
>> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 (add)
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389 DC2.my.domain.tld.
>>
>> ; TSIG error with server: tsig verify failure
>> update failed: FORMERR
>> Failed nsupdate: 2
>> Failed update of 24 entries
>>
>>
>
> There is a known problem, even though the updates print '; TSIG error
> with server: tsig verify failure', it still works. Try running 'host
> -t SRV _kerberos._udp.my.domain.tld.' again.
>
> Rowland

Nope, still one record.

From jeff.sadowski at gmail.com Thu Dec 10 15:25:43 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Thu, 10 Dec 2015 08:25:43 -0700
Subject: [Samba] Adding an AD group to /etc/sudoers?
In-Reply-To:
References:
Message-ID:

Thank you very much, at least I have a temporary workaround.
On Wed, Dec 9, 2015 at 12:32 PM, Jeff Sadowski wrote:
> ok after fighting to get my groups sorted out for my test user I created
> a "sudoer" group and added "jefftest" to "sudoer"
>
> > id jefftest
> uid=11507(jefftest) gid=8513(domain users) groups=8513(domain users),31020(sudoer)
>
> and added "sudoer" to /etc/sudoers like so
>
> %sudoer ALL=(ALL) ALL
>
> now when I login as jefftest I can run commands using sudo
>
> back to my other user who I also added to sudoer
> I still can not run commands using sudo
> but as you suggested I do the "newgrp it" or "newgrp sudoer"
> and then I can run commands using sudo
>
> On Wed, Dec 9, 2015 at 8:20 AM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
>
>> Jeff,
>>
>> After ssh try to run:
>>
>> newgrp it
>>
>> and then sudo. See if it will work, then you'll have to figure out what's
>> going on with the user's group membership.
>>
>> Regards,
>>
>> Matt
>>
>> ------------------------------
>> *From:* Jeff Sadowski
>> *Sent:* Wednesday, December 9, 2015 10:08 AM
>> *To:* Mattias Zhabinskiy; samba
>> *Subject:* Re: [Samba] Adding an AD group to /etc/sudoers?
>>
>> # cat /proc/sys/kernel/ngroups_max
>> 65536
>> # sysctl kernel.ngroups_max
>> kernel.ngroups_max = 65536
>>
>> Is there a way to change/look at AUTH_SYS?
>> Seems I have 28 groups now as my user.
>> I tried creating a test user with far fewer groups,
>> but it turns out it is in all those other groups.
>> As such I tried
>>
>> winbind nested groups=no
>>
>> but this doesn't seem to change anything.
>>
>> On Tue, Dec 8, 2015 at 5:05 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
>>
>>> Jeff,
>>>
>>> To find out the maximum number of groups allowed per user, run:
>>>
>>> cat /proc/sys/kernel/ngroups_max
>>> or
>>> sysctl kernel.ngroups_max
>>>
>>> but AFAIK AUTH_SYS has a limit of 16, so I would try to either create a
>>> test account, add it to the "it" group and test it with sudo, or trim your
>>> account membership to 16 or fewer groups.
>>>
>>> Regards,
>>>
>>> Matt
>>>
>>> ------------------------------
>>> *From:* Jeff Sadowski
>>> *Sent:* Tuesday, December 8, 2015 4:59 PM
>>> *To:* Mattias Zhabinskiy; samba
>>> *Subject:* Re: [Samba] Adding an AD group to /etc/sudoers?
>>>
>>> # id username|sed "s/,/\n/g"|wc -l
>>> 155
>>>
>>> # id|sed "s/,/\n/g"|wc -l
>>> 28
>>>
>>> On Tue, Dec 8, 2015 at 2:56 PM, Jeff Sadowski wrote:
>>>
>>>> wbinfo -r username
>>>> shows the gid of it
>>>> and a bunch of -1's, I'd guess for groups without gids.
>>>> My user belongs to 155 groups; is there a problem with that many groups?
>>>>
>>>> On Tue, Dec 8, 2015 at 2:12 PM, Jeff Sadowski wrote:
>>>>
>>>>> "id" alone does not show my user in the it group
>>>>> "id username" does
>>>>> why would id alone give different results?
>>>>>
>>>>> which is odd because
>>>>> as my username I can get into a folder that has 0760 permissions with
>>>>> user as root and it as the group
>>>>>
>>>>> as for
>>>>> %it ALL=(ALL) ALL
>>>>> instead of:
>>>>> %it ALL=(ALL:ALL) ALL
>>>>>
>>>>> seems to work the same
>>>>>
>>>>> On Tue, Dec 8, 2015 at 1:29 PM, Mattias Zhabinskiy <mattiasz at thinklogical.com> wrote:
>>>>>
>>>>>> Jeff,
>>>>>>
>>>>>> After the ssh did you run the "id" command to verify that your account
>>>>>> belongs to the "it" group on the remote system?
>>>>>>
>>>>>> Did you try:
>>>>>> %it ALL=(ALL) ALL
>>>>>> instead of:
>>>>>> %it ALL=(ALL:ALL) ALL
>>>>>>
>>>>>> Regards,
>>>>>> Matt
>>>>>>
>>>>>> ________________________________________
>>>>>> From: samba on behalf of Jeff Sadowski
>>>>>> Sent: Monday, December 7, 2015 2:56 PM
>>>>>> To: samba
>>>>>> Subject: [Samba] Adding an AD group to /etc/sudoers?
>>>>>>
>>>>>> I can't seem to get this working and here is what I have done so far.
>>>>>> I am using samba 4.1.6
>>>>>>
>>>>>> my /etc/samba/smb.conf looks like so
>>>>>>
>>>>>> security = ads
>>>>>> realm = DOMAIN.LONG
>>>>>> workgroup = DOMAIN
>>>>>> idmap config * : backend = tdb
>>>>>> idmap config * : range = 2000-7999
>>>>>> idmap config DOMAIN:backend = ad
>>>>>> idmap config DOMAIN:range = 8000-9999999
>>>>>> idmap config DOMAIN:schema_mode = rfc2307
>>>>>> winbind nss info = rfc2307
>>>>>> winbind use default domain = yes
>>>>>> winbind nested groups=yes
>>>>>> # so that the users show up in getent
>>>>>> winbind enum users = Yes
>>>>>> # doesn't seem to do the same for groups :-/
>>>>>> winbind enum groups = Yes
>>>>>> restrict anonymous = 2
>>>>>>
>>>>>> In AD my group it has a gid 8001
>>>>>>
>>>>>> #getent group it
>>>>>> it:x:8001:myusername,others
>>>>>>
>>>>>> in /etc/sudoers is the line
>>>>>> %it ALL=(ALL:ALL) ALL
>>>>>>
>>>>>> when I ssh to said machine like so
>>>>>>
>>>>>> ssh myusername at problemhost
>>>>>>
>>>>>> then run a command like so
>>>>>>
>>>>>> > sudo echo
>>>>>> [sudo] password for myusername:
>>>>>> myusername is not in the sudoers file. This incident will be reported.
>>>>>>
>>>>>> I tried adding another line to /etc/sudoers as follows
>>>>>> %DOMAIN\\it ALL=(ALL:ALL) ALL
>>>>>>
>>>>>> and
>>>>>>
>>>>>> %DOMAIN\it ALL=(ALL:ALL) ALL
>>>>>>
>>>>>> but neither of them works either.
>>>>>>
>>>>>> I seem to be able to get into the nfs shares I have group permissions to
>>>>>> but I can not get sudo to work with my AD user group.
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>
>>>>
>>>
>>
>

From jeff.sadowski at gmail.com Thu Dec 10 15:25:50 2015
From: jeff.sadowski at gmail.com (Jeff Sadowski)
Date: Thu, 10 Dec 2015 08:25:50 -0700
Subject: [Samba] Where is the limit on active groups?
Message-ID:

# samba --version
Version 4.1.6-Ubuntu

# cat /proc/sys/kernel/ngroups_max
65536
# sysctl kernel.ngroups_max
kernel.ngroups_max = 65536

/etc/samba/smb.conf

security = ads
realm = MYDOMAIN.LOCAL
workgroup = MYDOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MYDOMAIN:backend = ad
idmap config MYDOMAIN:schema_mode = rfc2307
idmap config MYDOMAIN:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes
winbind nested groups=yes
# so that the users show up in getent
winbind enum users = Yes
# doesn't seem to do the same for groups :-/
winbind enum groups = Yes
restrict anonymous = 2

65536 is fine, more than enough for me, but something else is limiting my active groups.
If I log in as a user and run

> id|sed "s/,/\n/g"|grep -v 4294967295|wc -l
28
> id $USER|sed "s/,/\n/g"|grep -v 4294967295|wc -l
143

what is blocking my other 115 groups?
As Mattias Zhabinskiy pointed out to me, I can use other groups but I have to set them like so

> newgrp myothergroup

then I am in the other group, but I'd like for them to show in "id".

From rpenny at samba.org Thu Dec 10 15:32:38 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 10 Dec 2015 15:32:38 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566996A2.6040409@tu-berlin.de>
References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com> <566861F9.3090502@samba.org> <56697D49.8040301@tu-berlin.de> <5669805B.8050109@samba.org> <56698574.5080103@tu-berlin.de> <566988ED.7080903@samba.org> <56698EED.5020308@tu-berlin.de> <56699117.7070303@samba.org> <566996A2.6040409@tu-berlin.de>
Message-ID: <56699B16.2020302@samba.org>

On 10/12/15 15:13, Ole Traupe wrote:
>
>
> On 10.12.2015 at 15:49, Rowland penny wrote:
>> On 10/12/15 14:40, Ole Traupe wrote:
>>>
>>>>> However, my 2nd DC is not that new, I restarted it many times,
>>>>> just again (samba service). No DNS records are created anywhere.
>>>>>
>>>>> If I go through the DNS console, in each and every container there
>>>>> is some entry for the 1st DC, but none for the 2nd (except on the
>>>>> top levels: FQDN and _msdcs.FQDN).
>>>>>
>>>>> Could this have to do with...
>>>>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of
>>>>> DNS entries via this script on the wiki?
>>>>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC
>>>>> (with the same IP address)?
>>>>>
>>>>
>>>> Possibly, but can you try this on your second DC, run
>>>> 'samba_dnsupdate --verbose'
>>>>
>>>> Rowland
>>>>
>>>
>>> Doesn't look too good to me:
>>>
>>> [root at DC2 me]# samba_dnsupdate --verbose
>>> IPs: ['IP_of_2nd_DC']
>>> Looking for DNS entry A DC2.my.domain.tld IP_of_2nd_DC as DC2.my.domain.tld.
>>> Looking for DNS entry A my.domain.tld IP_of_2nd_DC as my.domain.tld.
>>> Failed to find matching DNS entry A my.domain.tld IP_of_2nd_DC
>>> Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.my.domain.tld.
>>> Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
>>> Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld 389
>>> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.dc._msdcs.my.domain.tld.
>>> Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
>>> Failed to find matching DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389
>>> Looking for DNS entry SRV _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld DC2.my.domain.tld 389 as _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld.
>>> Checking 0 100 389 DC1.my.domain.tld. against SRV _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld DC2.my.domain.tld 389
>>> Failed to find matching DNS entry SRV _ldap._tcp.c2e92ed0-e889-40a0-a272-7375f90de91d.domains._msdcs.my.domain.tld DC2.my.domain.tld 389
>>> Looking for DNS entry SRV _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 as _kerberos._tcp.my.domain.tld.
>>> Checking 0 100 88 DC1.my.domain.tld.
against SRV >>> _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 >>> Failed to find matching DNS entry SRV _kerberos._tcp.my.domain.tld >>> DC2.my.domain.tld 88 >>> Looking for DNS entry SRV _kerberos._udp.my.domain.tld >>> DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld. >>> Checking 0 100 88 DC1.my.domain.tld. against SRV >>> _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 >>> Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld >>> DC2.my.domain.tld 88 >>> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld >>> DC2.my.domain.tld 88 as _kerberos._tcp.dc._msdcs.my.domain.tld. >>> Checking 0 100 88 DC1.my.domain.tld. against SRV >>> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 >>> Failed to find matching DNS entry SRV >>> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 >>> Looking for DNS entry SRV _kpasswd._tcp.my.domain.tld >>> DC2.my.domain.tld 464 as _kpasswd._tcp.my.domain.tld. >>> Checking 0 100 464 DC1.my.domain.tld. against SRV >>> _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464 >>> Failed to find matching DNS entry SRV _kpasswd._tcp.my.domain.tld >>> DC2.my.domain.tld 464 >>> Looking for DNS entry SRV _kpasswd._udp.my.domain.tld >>> DC2.my.domain.tld 464 as _kpasswd._udp.my.domain.tld. >>> Checking 0 100 464 DC1.my.domain.tld. against SRV >>> _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464 >>> Failed to find matching DNS entry SRV _kpasswd._udp.my.domain.tld >>> DC2.my.domain.tld 464 >>> Looking for DNS entry CNAME >>> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld >>> DC2.my.domain.tld as >>> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld. >>> Looking for DNS entry SRV >>> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld >>> DC2.my.domain.tld 389 as >>> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. >>> Checking 0 100 389 DC1.my.domain.tld. 
against SRV >>> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld >>> DC2.my.domain.tld 389 >>> Failed to find matching DNS entry SRV >>> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld >>> DC2.my.domain.tld 389 >>> Looking for DNS entry SRV >>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld >>> DC2.my.domain.tld 389 as >>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. >>> Checking 0 100 389 DC1.my.domain.tld. against SRV >>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld >>> DC2.my.domain.tld 389 >>> Failed to find matching DNS entry SRV >>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld >>> DC2.my.domain.tld 389 >>> Looking for DNS entry SRV >>> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld >>> DC2.my.domain.tld 88 as >>> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. >>> Checking 0 100 88 DC1.my.domain.tld. against SRV >>> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld >>> DC2.my.domain.tld 88 >>> Failed to find matching DNS entry SRV >>> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld >>> DC2.my.domain.tld 88 >>> Looking for DNS entry SRV >>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld >>> 88 as >>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. >>> Checking 0 100 88 DC1.my.domain.tld. against SRV >>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld >>> 88 >>> Failed to find matching DNS entry SRV >>> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld DC2.my.domain.tld >>> 88 >>> Looking for DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC as >>> gc._msdcs.my.domain.tld. >>> Failed to find matching DNS entry A gc._msdcs.my.domain.tld >>> IP_of_2nd_DC >>> Looking for DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld >>> 3268 as _gc._tcp.my.domain.tld. 
>>> Checking 0 100 3268 DC1.my.domain.tld. against SRV >>> _gc._tcp.my.domain.tld DC2.my.domain.tld 3268 >>> Failed to find matching DNS entry SRV _gc._tcp.my.domain.tld >>> DC2.my.domain.tld 3268 >>> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld >>> DC2.my.domain.tld 3268 as _ldap._tcp.gc._msdcs.my.domain.tld. >>> Checking 0 100 3268 DC1.my.domain.tld. against SRV >>> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 >>> Failed to find matching DNS entry SRV >>> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 >>> Looking for DNS entry SRV >>> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld >>> DC2.my.domain.tld 3268 as >>> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. >>> Checking 0 100 3268 DC1.my.domain.tld. against SRV >>> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld >>> DC2.my.domain.tld 3268 >>> Failed to find matching DNS entry SRV >>> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld >>> DC2.my.domain.tld 3268 >>> Looking for DNS entry SRV >>> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld >>> DC2.my.domain.tld 3268 as >>> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. >>> Checking 0 100 3268 DC1.my.domain.tld. against SRV >>> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld >>> DC2.my.domain.tld 3268 >>> Failed to find matching DNS entry SRV >>> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld >>> DC2.my.domain.tld 3268 >>> Looking for DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC as >>> DomainDnsZones.my.domain.tld. >>> Failed to find matching DNS entry A DomainDnsZones.my.domain.tld >>> IP_of_2nd_DC >>> Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld >>> DC2.my.domain.tld 389 as _ldap._tcp.DomainDnsZones.my.domain.tld. >>> Checking 0 100 389 DC1.my.domain.tld. 
>>>
>>> ; TSIG error with server: tsig verify failure
>>> update failed: FORMERR
>>> Failed nsupdate: 2
>>> Failed update of 24 entries
>>>
>>>
>>>
>>
>> There is a known problem, even though the updates print '; TSIG error
>> with server: tsig verify failure', it still works. Try running 'host
>> -t SRV _kerberos._udp.my.domain.tld.' again.
>>
>> Rowland
>
> Nope, still one record.
>

OK, let's just double check that, try running this:

ldbsearch -H /var/lib/samba/private/sam.ldb -b 'DC=my.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=tld' -s sub '(dc=_kerberos._udp)' --cross-ncs --show-binary

That should all be one line and replace 'my.domain.tld' and 'DC=my,DC=domain,DC=tld' with the correct details

This should show you the dns record.

Rowland

From belle at bazuin.nl Thu Dec 10 16:07:15 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 10 Dec 2015 17:07:15 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566996A2.6040409@tu-berlin.de>
References: <56699117.7070303@samba.org>
Message-ID:

Hmm..

> >>>> Could this have to do with...
> >>>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of
> >>>> DNS entries via this script on the wiki?
> >>>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC
> >>>> (with the same IP address)?

This can be a problem yes, depending on the order of what and how you did it.
I think you forgot to remove the "old" entry in the AD (with user tool).

I suggest you try the following, why, it saves time and then you're sure things are going ok.
And remember BACKUPS ! sysvol things like that. ( this is why my DCs are only DC )

A) install a new DC. *(any hardware, this is a temporary server )
B) check if all needed dns records are available on the new DC.
C) dont use the same ip or hostname ! Check, check check, see previous e-mails for checkups and the dns updates.
If it's all ok, then,
D) transfer the FSMO roles to this DC and check again.
E) If ok, remove the wrong server.
F) check and remove remaining entries from the dns AND OU=Computers in the RSAT user tool.
G) install a new DC again, on the "DC" hardware. If you're sure now you can use the original hostname and ip.
H) transfer the FSMO roles back to this DC and check again.

This should be about 30min-120min work and you end up with a good dns and AD database.
If you use virtuals, this is about 20 min work, (for me, but I've scripted my installs.)
I've done this now about 4-5 times, works very well for me.

Very important is that "old" entries are gone before you join the new

But again above is a suggestion, I think you save time by doing a new correct install.

And a tip, dont use any ip anywhere for accessing server services.
For example,

ntp1.domain.tld CNAME DC1.domain.tld
ntp2.domain.tld CNAME DC2.domain.tld
ns1.domain.tld CNAME DC1.domain.tld
ns2.domain.tld CNAME DC2.domain.tld
ldap1.domain.tld CNAME DC1.domain.tld
ldap2.domain.tld CNAME DC2.domain.tld

now for an easy switch, also add

ntp.domain.tld CNAME ntp1.domain.tld
ldap.domain.tld CNAME ldap1.domain.tld

so if you set your server to ntp.domain.tld and you remove the server, just change the cname, wait out the ttl, and you're done.

I do the same with my ldap and proxy and web servers. If I need to maintain them, I change the cname, down the servers, do my work, up them again, and change it back when done.
Keeps my users happy.. I do down servers etc. during worktime.. nobody notices it. :-)

and a setup like above makes you very flexible to move things around, if you split up a server in 2 different servers(with services), I only change cnames for the services.
Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe > Verzonden: donderdag 10 december 2015 16:14 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller > initially fails when PDC is offline > > > > Am 10.12.2015 um 15:49 schrieb Rowland penny: > > On 10/12/15 14:40, Ole Traupe wrote: > >> > >>>> However, my 2nd DC is not that new, I restarted it many times, just > >>>> again (samba service). No DNS records are created anywhere. > >>>> > >>>> If I go through the DNS console, in each and every container there > >>>> is some entry for the 1st DC, but none for the 2nd (except on the > >>>> top levels: FQDN and _msdcs.FQDN). > >>>> > >>>> Could this have to do with... > >>>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of > >>>> DNS entries via this script on the wiki? > >>>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC > >>>> (with the same IP address)? > >>>> > >>>> > >>>> > >>> > >>> Possibly, but can you try this on your second DC, run > >>> 'samba_dnsupdate --verbose' > >>> > >>> Rowland > >>> > >> > >> Doesn't look too good to me: > >> > >> > >> [root at DC2 me]# samba_dnsupdate --verbose > >> IPs: ['IP_of_2nd_DC'] > >> Looking for DNS entry A DC2.my.domain.tld IP_of_2nd_DC as > >> DC2.my.domain.tld. > >> Looking for DNS entry A my.domain.tld IP_of_2nd_DC as my.domain.tld. > >> Failed to find matching DNS entry A my.domain.tld IP_of_2nd_DC > >> Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld > >> 389 as _ldap._tcp.my.domain.tld. > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > >> _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 > >> Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld > >> DC2.my.domain.tld 389 > >> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld > >> DC2.my.domain.tld 389 as _ldap._tcp.dc._msdcs.my.domain.tld. 
> >> Checking 0 100 389 DC1.my.domain.tld. against SRV > >> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 > >> Failed to find matching DNS entry SRV > >> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 > >> Looking for DNS entry SRV > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > 7375f90de91d.domains._msdcs.my.domain.tld > >> DC2.my.domain.tld 389 as > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > 7375f90de91d.domains._msdcs.my.domain.tld. > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > 7375f90de91d.domains._msdcs.my.domain.tld > >> DC2.my.domain.tld 389 > >> Failed to find matching DNS entry SRV > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > 7375f90de91d.domains._msdcs.my.domain.tld > >> DC2.my.domain.tld 389 > >> Looking for DNS entry SRV _kerberos._tcp.my.domain.tld > >> DC2.my.domain.tld 88 as _kerberos._tcp.my.domain.tld. > >> Checking 0 100 88 DC1.my.domain.tld. against SRV > >> _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 > >> Failed to find matching DNS entry SRV _kerberos._tcp.my.domain.tld > >> DC2.my.domain.tld 88 > >> Looking for DNS entry SRV _kerberos._udp.my.domain.tld > >> DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld. > >> Checking 0 100 88 DC1.my.domain.tld. against SRV > >> _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 > >> Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld > >> DC2.my.domain.tld 88 > >> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld > >> DC2.my.domain.tld 88 as _kerberos._tcp.dc._msdcs.my.domain.tld. > >> Checking 0 100 88 DC1.my.domain.tld. against SRV > >> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 > >> Failed to find matching DNS entry SRV > >> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 > >> Looking for DNS entry SRV _kpasswd._tcp.my.domain.tld > >> DC2.my.domain.tld 464 as _kpasswd._tcp.my.domain.tld. > >> Checking 0 100 464 DC1.my.domain.tld. 
against SRV > >> _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464 > >> Failed to find matching DNS entry SRV _kpasswd._tcp.my.domain.tld > >> DC2.my.domain.tld 464 > >> Looking for DNS entry SRV _kpasswd._udp.my.domain.tld > >> DC2.my.domain.tld 464 as _kpasswd._udp.my.domain.tld. > >> Checking 0 100 464 DC1.my.domain.tld. against SRV > >> _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464 > >> Failed to find matching DNS entry SRV _kpasswd._udp.my.domain.tld > >> DC2.my.domain.tld 464 > >> Looking for DNS entry CNAME > >> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld > >> DC2.my.domain.tld as > >> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld. > >> Looking for DNS entry SRV > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > >> DC2.my.domain.tld 389 as > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > >> DC2.my.domain.tld 389 > >> Failed to find matching DNS entry SRV > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > >> DC2.my.domain.tld 389 > >> Looking for DNS entry SRV > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > >> DC2.my.domain.tld 389 as > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > >> DC2.my.domain.tld 389 > >> Failed to find matching DNS entry SRV > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > >> DC2.my.domain.tld 389 > >> Looking for DNS entry SRV > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > >> DC2.my.domain.tld 88 as > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. > >> Checking 0 100 88 DC1.my.domain.tld. 
against SRV > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > >> DC2.my.domain.tld 88 > >> Failed to find matching DNS entry SRV > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > >> DC2.my.domain.tld 88 > >> Looking for DNS entry SRV > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > >> DC2.my.domain.tld 88 as > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > >> Checking 0 100 88 DC1.my.domain.tld. against SRV > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > >> DC2.my.domain.tld 88 > >> Failed to find matching DNS entry SRV > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > >> DC2.my.domain.tld 88 > >> Looking for DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC as > >> gc._msdcs.my.domain.tld. > >> Failed to find matching DNS entry A gc._msdcs.my.domain.tld > IP_of_2nd_DC > >> Looking for DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld > >> 3268 as _gc._tcp.my.domain.tld. > >> Checking 0 100 3268 DC1.my.domain.tld. against SRV > >> _gc._tcp.my.domain.tld DC2.my.domain.tld 3268 > >> Failed to find matching DNS entry SRV _gc._tcp.my.domain.tld > >> DC2.my.domain.tld 3268 > >> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld > >> DC2.my.domain.tld 3268 as _ldap._tcp.gc._msdcs.my.domain.tld. > >> Checking 0 100 3268 DC1.my.domain.tld. against SRV > >> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 > >> Failed to find matching DNS entry SRV > >> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 > >> Looking for DNS entry SRV > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > >> DC2.my.domain.tld 3268 as > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. > >> Checking 0 100 3268 DC1.my.domain.tld. 
against SRV > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > >> DC2.my.domain.tld 3268 > >> Failed to find matching DNS entry SRV > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > >> DC2.my.domain.tld 3268 > >> Looking for DNS entry SRV > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > >> DC2.my.domain.tld 3268 as > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. > >> Checking 0 100 3268 DC1.my.domain.tld. against SRV > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > >> DC2.my.domain.tld 3268 > >> Failed to find matching DNS entry SRV > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > >> DC2.my.domain.tld 3268 > >> Looking for DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC as > >> DomainDnsZones.my.domain.tld. > >> Failed to find matching DNS entry A DomainDnsZones.my.domain.tld > >> IP_of_2nd_DC > >> Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld > >> DC2.my.domain.tld 389 as _ldap._tcp.DomainDnsZones.my.domain.tld. > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > >> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 > >> Failed to find matching DNS entry SRV > >> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 > >> Looking for DNS entry SRV > >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > DC2.my.domain.tld > >> 389 as > >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > DC2.my.domain.tld > >> 389 > >> Failed to find matching DNS entry SRV > >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > DC2.my.domain.tld > >> 389 > >> Looking for DNS entry A ForestDnsZones.my.domain.tld IP_of_2nd_DC as > >> ForestDnsZones.my.domain.tld. 
> >> Failed to find matching DNS entry A ForestDnsZones.my.domain.tld > >> IP_of_2nd_DC > >> Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain.tld > >> DC2.my.domain.tld 389 as _ldap._tcp.ForestDnsZones.my.domain.tld. > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > >> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 > >> Failed to find matching DNS entry SRV > >> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 > >> Looking for DNS entry SRV > >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > DC2.my.domain.tld > >> 389 as > >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > DC2.my.domain.tld > >> 389 > >> Failed to find matching DNS entry SRV > >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > DC2.my.domain.tld > >> 389 > >> Calling nsupdate for A my.domain.tld IP_of_2nd_DC (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> my.domain.tld. 900 IN A IP_of_2nd_DC > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld > >> 389 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _ldap._tcp.my.domain.tld. 900 IN SRV 0 100 389 > >> DC2.my.domain.tld. 
> >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.tld > >> DC2.my.domain.tld 389 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _ldap._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 389 > >> DC2.my.domain.tld. > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > 7375f90de91d.domains._msdcs.my.domain.tld > >> DC2.my.domain.tld 389 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > 7375f90de91d.domains._msdcs.my.domain.tld. > >> 900 IN SRV 0 100 389 DC2.my.domain.tld. > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV _kerberos._tcp.my.domain.tld > >> DC2.my.domain.tld 88 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _kerberos._tcp.my.domain.tld. 900 IN SRV 0 100 88 > DC2.my.domain.tld. > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV _kerberos._udp.my.domain.tld > >> DC2.my.domain.tld 88 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _kerberos._udp.my.domain.tld. 900 IN SRV 0 100 88 > DC2.my.domain.tld. 
> >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain.tld > >> DC2.my.domain.tld 88 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _kerberos._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 88 > >> DC2.my.domain.tld. > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV _kpasswd._tcp.my.domain.tld > >> DC2.my.domain.tld 464 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _kpasswd._tcp.my.domain.tld. 900 IN SRV 0 100 464 > >> DC2.my.domain.tld. > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV _kpasswd._udp.my.domain.tld > >> DC2.my.domain.tld 464 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _kpasswd._udp.my.domain.tld. 900 IN SRV 0 100 464 > >> DC2.my.domain.tld. > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > >> DC2.my.domain.tld 389 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 > >> 100 389 DC2.my.domain.tld. 
> >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > >> DC2.my.domain.tld 389 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > >> 900 IN SRV 0 100 389 DC2.my.domain.tld. > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > >> DC2.my.domain.tld 88 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN > >> SRV 0 100 88 DC2.my.domain.tld. > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > >> DC2.my.domain.tld 88 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > 900 > >> IN SRV 0 100 88 DC2.my.domain.tld. > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for A gc._msdcs.my.domain.tld IP_of_2nd_DC (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> gc._msdcs.my.domain.tld. 
900 IN A IP_of_2nd_DC > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV _gc._tcp.my.domain.tld DC2.my.domain.tld > >> 3268 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _gc._tcp.my.domain.tld. 900 IN SRV 0 100 3268 > >> DC2.my.domain.tld. > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain.tld > >> DC2.my.domain.tld 3268 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _ldap._tcp.gc._msdcs.my.domain.tld. 900 IN SRV 0 100 3268 > >> DC2.my.domain.tld. > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > >> DC2.my.domain.tld 3268 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 > >> 100 3268 DC2.my.domain.tld. > >> > >> ; TSIG error with server: tsig verify failure > >> update failed: FORMERR > >> Failed nsupdate: 2 > >> Calling nsupdate for SRV > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > >> DC2.my.domain.tld 3268 (add) > >> Outgoing update query: > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > >> ;; UPDATE SECTION: > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. > >> 900 IN SRV 0 100 3268 DC2.my.domain.tld. 
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for A DomainDnsZones.my.domain.tld IP_of_2nd_DC (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> DomainDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain.tld
> >> DC2.my.domain.tld 389 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.DomainDnsZones.my.domain.tld. 900 IN SRV 0 100 389
> >> DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld DC2.my.domain.tld
> >> 389 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld.
> >> 900 IN SRV 0 100 389 DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for A ForestDnsZones.my.domain.tld IP_of_2nd_DC (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> ForestDnsZones.my.domain.tld.
> >> 900 IN A IP_of_2nd_DC
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.my.domain.tld
> >> DC2.my.domain.tld 389 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389
> >> DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Calling nsupdate for SRV
> >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld DC2.my.domain.tld
> >> 389 (add)
> >> Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld.
> >> 900 IN SRV 0 100 389 DC2.my.domain.tld.
> >>
> >> ; TSIG error with server: tsig verify failure
> >> update failed: FORMERR
> >> Failed nsupdate: 2
> >> Failed update of 24 entries
> >>
> >>
> >>
> >
> > There is a known problem, even though the updates print '; TSIG error
> > with server: tsig verify failure', it still works. Try running 'host
> > -t SRV _kerberos._udp.my.domain.tld.' again.
> >
> > Rowland
>
> Nope, still one record.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

From jmcd at samba.org Thu Dec 10 19:59:55 2015
From: jmcd at samba.org (Jim McDonough)
Date: Thu, 10 Dec 2015 14:59:55 -0500
Subject: [Samba] Samba Team encourages supporting the Software Freedom Conservancy
Message-ID: <5669D9BB.8010900@samba.org>

For a number of years now, the Samba Team has been a member of the Software Freedom Conservancy.
They handle quite a bit of administration for our project as well as pursuing GPL compliance. If you'd like to see more about what they do, please check: https://sfconservancy.org/about/

We urge you to support the Conservancy. Here is a message from our own Jeremy Allison: https://sfconservancy.org/blog/2015/dec/09/jra-supporter-video/

Jim McDonough
Samba Team

From dan at shragmir.com Thu Dec 10 20:59:59 2015
From: dan at shragmir.com (Daniel Menes)
Date: Thu, 10 Dec 2015 15:59:59 -0500
Subject: [Samba] Fix for Windows 8.1 RSAT error when creating users
Message-ID: <5669E7CF.8050102@shragmir.com>

I created a new Samba4 AD DC, and attempted to add users and groups from a Windows 8.1 computer using the Remote Server Administration Tools. While I was able to create groups just fine, attempting to create a user failed with the message "An Error Occurred. Contact your System Administrator."

A quick Google shows that others on this list have had this and similar problems, but I was unable to find a satisfactory solution here. I thought you might be interested in what worked for me.

According to Microsoft, there is a known issue with a Windows Update which may appear as KB3000850 or KB2992611. Others have suggested removing this update, which may or may not be practical. However, if you look at http://support.microsoft.com/en-us/kb/3000850, the "Known issues in this update" section gives a registry hack fix. In regedit, under the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb", create a DWORD entry with name "ProtectionPolicy" and value "1". After a reboot, this fixed the problem for me.
--Dan Menes

From h.Tediger at gmx-topmail.de Thu Dec 10 22:32:55 2015
From: h.Tediger at gmx-topmail.de (Hans Tediger)
Date: Thu, 10 Dec 2015 23:32:55 +0100
Subject: [Samba] dfree command does not use actual directory
Message-ID: <015f01d1339a$b76eff20$264cfd60$@gmx-topmail.de>

I have 8 disks. Instead of having a share for each of them, I use a share to my home directory, where I have a symbolic link to a directory with links to the disks. This has worked for many years.

Since my home FS is almost full, I cannot copy large amounts to my disks, as the free-space check shows disk full for the share (home) FS.

I set up "dfree command", but noticed that before the script gets called, a cd to the root of the share is done and "$1" is the share path.

Using PPID (available in the script) and smbstatus is not an option when more file pointers are open:

8586 1000 DENY_NONE 0x100081 RDONLY NONE /home/hans links/disks/disk6/recordings Thu Dec 10 22:13:56 2015
8586 1000 DENY_NONE 0x100081 RDONLY NONE /home/hans dev/samba/source3/modules/smbd Thu Dec 10 22:59:02 2015
8586 1000 DENY_NONE 0x100081 RDONLY NONE /home/hans . Thu Dec 10 22:17:50 2015

Is there another option to have the df from the actual directory?

I would like to change the source to use the actual directory. Any pointers to what/where to change would be helpful.

Thanks in advance
Hans

From thomas.rosenstein at itdata.at Fri Dec 11 07:05:52 2015
From: thomas.rosenstein at itdata.at (Thomas Rosenstein)
Date: Fri, 11 Dec 2015 08:05:52 +0100
Subject: [Samba] Windows File Share - Slow / Connection distrubtion
Message-ID: <9AF68D53-0777-42E2-B1B3-68289AC4C92F@itdata.at>

Hello,

I've installed Samba 4.3.0 and added a Server 2012 R2 as a File Share into the Domain.

Sometimes (I can't reproduce when) the share just stops reacting from a specific computer; it still works for others. It looks like the share is super slow, as if it were a hard disk issue, but since it's working from other PCs I would rule that out.
I then turned up the log level to 10 and the only thing that showed up is this:

[2015/12/10 13:31:42.264442, 5, pid=31468, effective(0, 0), real(0, 0)] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
  Starting GENSEC mechanism schannel
[2015/12/10 13:31:42.264501, 10, pid=31468, effective(0, 0), real(0, 0)] ../libcli/auth/schannel_state_tdb.c:166(schannel_fetch_session_key_tdb)
  schannel_fetch_session_key_tdb: Failed to find entry with key SECRETS/SCHANNEL/CZ-DC-01
[2015/12/10 13:31:42.264514, 3, pid=31468, effective(0, 0), real(0, 0)] ../auth/gensec/schannel.c:563(schannel_update)
  Could not find session key for attempted schannel connection from CZ-DC-01: NT_STATUS_NOT_FOUND
[2015/12/10 13:31:42.264527, 4, pid=31468, effective(0, 0), real(0, 0)] ../source4/rpc_server/dcesrv_auth.c:185(dcesrv_auth_bind_ack)
  GENSEC mech rejected the incoming authentication at bind_ack: NT_STATUS_NOT_FOUND
[2015/12/10 13:31:42.264935, 3, pid=31468, effective(0, 0), real(0, 0)] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2015/12/10 13:31:42.264956, 3, pid=31468, effective(0, 0), real(0, 0)] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]

So it looks like it can't find a session key; now I'm not sure if this is normal behaviour or an issue!

Could somebody chime in on whether these are expected log messages or if there's an issue, or point me in the right direction to solve this?

Thanks
BR Thomas Rosenstein

From Luchko.D at digdes.com Fri Dec 11 08:39:16 2015
From: Luchko.D at digdes.com (Luchko Dmitriy)
Date: Fri, 11 Dec 2015 08:39:16 +0000
Subject: [Samba] DRS_The specified I/O operation on %hs was not completed before the time-out period expired.'

Does somebody know whether that is a network problem, an LDAP db error or something else?
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Luchko Dmitriy
Sent: Thursday, December 03, 2015 11:03 AM
To: samba at lists.samba.org
Subject: [Samba] DRS_The specified I/O operation on %hs was not completed before the time-out period expired.'

Hi,

When we try to replicate the domain tree from a Win DC to a Samba DC we get a timeout error:

ERROR(): DsReplicaSync failed - drsException: DsReplicaSync failed (-1073741643, '{Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired.')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/drs.py", line 345, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle, source_dsa_guid, NC, req_options)
  File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 83, in sendDsReplicaSync
    raise drsException("DsReplicaSync failed %s" % estr)

Best regards,
DMITRIY LUCHKO

From infractory at gmail.com Fri Dec 11 10:29:11 2015
From: infractory at gmail.com (mathias dufresne)
Date: Fri, 11 Dec 2015 11:29:11 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
References: <56699117.7070303@samba.org> <566996A2.6040409@tu-berlin.de>

Hi Ole,

Using the internal DNS, samba_dnsupdate does not work correctly, at least not every time.

Someone modified this samba_dnsupdate tool, commenting out this line:
os.unlink(tmpfile)
which should be line 413. Doing that, he was able to get the files generated by samba_dnsupdate and use them as the argument of the nsupdate command (without the -g switch and with "allow dns updates = nonsecure" in smb.conf). I was not able to make that process work here, but I did not try hard. As this process was sent directly to me, I share it.
The process I use to generate all DNS records is to run samba_dnsupdate --all-names --verbose and send the output of that command to the attached awk script. The awk script gets information from samba_dnsupdate for each record and launches samba-tool to create the DNS record. This script is not clever: it tries to create all mentioned DNS records, generating warnings when a record already exists.

You will have to modify this awk script, as the BEGIN section contains fake information related to the AD domain:

BEGIN {
    ad_zone = "YOUR.DOMAIN.TLD"
    msdcs_zone = "_msdcs." ad_zone
    dns_server = "YOUR-DC"
}

You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain configuration.

The awk script uses kerberos authentication when running samba-tool, so you will need to generate a kerberos ticket for some AD admin before:
1) kinit administrator
2) samba_dnsupdate | awk -f dnsupdate.awk

As it is not an issue to try to create an entry which already exists, you can run that script on each DC to make sure all entries are correctly created on all DCs.

Best regards,

mathias dufresne

2015-12-10 17:07 GMT+01:00 L.P.H. van Belle :
> Hmm..
>
> > >>>> Could this have to do with...
> > >>>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of
> > >>>> DNS entries via this script on the wiki?
> > >>>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC
> > >>>> (with the same IP address)?
>
> This can be a problem yes, depending on the order of what and how you did
> it. I think you forgot to remove the "old" entry in the AD (with user tool)
>
> I suggest you try the following, why, it saves time and then you're sure
> things are going ok.
>
> and remember BACKUPS ! sysvol things like that.
> ( this is why my DC are only DC )
>
> A) install a new DC. *(any hardware, this is a temporary server )
> B) check if all needed dns records are available on the new DC.
> C) don't use the same ip or hostname !
>
> Check, check check, see previous e-mails for checkups and the dns updates.
>
> If its all ok, then,
> D) transfer the FSMO roles to this DC and check again.
> E) If ok, remove the wrong server.
> F) check and remove remaining entries from the dns AND OU=Computers in the
> RSAT user tool.
> G) install a new DC again, on the "DC" hardware.
> If you're sure now you can use the original hostname and ip.
> H) transfer the FSMO roles back to this DC and check again.
>
> This should be about 30min-120min work and you end up with a good dns and
> AD database.
>
> If you use virtuals, this is about 20 min work, (for me, but I've scripted
> my installs.) I've done this now about 4-5 times, works very well for me.
> Very important is that "old" entries are gone before you join the new
>
> But again above is a suggestion, I think you save time by doing a new
> correct install.
>
> And a tip, don't use any ip anywhere for accessing server services.
> For example,
> ntp1.domain.tld CNAME DC1.domain.tld
> ntp2.domain.tld CNAME DC2.domain.tld
> ns1.domain.tld CNAME DC1.domain.tld
> ns2.domain.tld CNAME DC2.domain.tld
> ldap1.domain.tld CNAME DC1.domain.tld
> ldap2.domain.tld CNAME DC2.domain.tld
>
> now for an easy switch, also add
> ntp.domain.tld CNAME ntp1.domain.tld
> ldap.domain.tld CNAME ldap1.domain.tld
>
> so if you set your server to ntp.domain.tld and you remove the server.
> Just change the cname, wait out the ttl, and you're done.
> I do the same with my ldap and proxy and web servers.
> If I need to maintain them, I change the cname, down the servers,
> do my work, up them again, and change it back when done.
> Keeps my users happy.. I do down servers etc. during worktime..
> nobody notices it. :-)
> and a setup like above makes you very flexible to move things around,
> if you split up a server in 2 different servers (with services), I only
> change cnames for the services.
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> > Sent: Thursday 10 December 2015 16:14
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Authentication to Secondary Domain Controller
> > initially fails when PDC is offline
> >
> >
> >
> > On 10.12.2015 at 15:49, Rowland penny wrote:
> > > On 10/12/15 14:40, Ole Traupe wrote:
> > >>
> > >>>> However, my 2nd DC is not that new, I restarted it many times, just
> > >>>> again (samba service). No DNS records are created anywhere.
> > >>>>
> > >>>> If I go through the DNS console, in each and every container there
> > >>>> is some entry for the 1st DC, but none for the 2nd (except on the
> > >>>> top levels: FQDN and _msdcs.FQDN).
> > >>>>
> > >>>> Could this have to do with...
> > >>>> a) I demoted my initial 1st DC (seized FSMO roles) and got rid of
> > >>>> DNS entries via this script on the wiki?
> > >>>> b) set up the *new* 2nd DC on the hardware of the prior 1st DC
> > >>>> (with the same IP address)?
> > >>>>
> > >>>>
> > >>>>
> > >>>
> > >>> Possibly, but can you try this on your second DC, run
> > >>> 'samba_dnsupdate --verbose'
> > >>>
> > >>> Rowland
> > >>>
> > >>
> > >> Doesn't look too good to me:
> > >>
> > >>
> > >> [root at DC2 me]# samba_dnsupdate --verbose
> > >> IPs: ['IP_of_2nd_DC']
> > >> Looking for DNS entry A DC2.my.domain.tld IP_of_2nd_DC as
> > >> DC2.my.domain.tld.
> > >> Looking for DNS entry A my.domain.tld IP_of_2nd_DC as my.domain.tld.
> > >> Failed to find matching DNS entry A my.domain.tld IP_of_2nd_DC
> > >> Looking for DNS entry SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld
> > >> 389 as _ldap._tcp.my.domain.tld.
> > >> Checking 0 100 389 DC1.my.domain.tld.
against SRV > > >> _ldap._tcp.my.domain.tld DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV _ldap._tcp.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 as _ldap._tcp.dc._msdcs.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV > > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > > 7375f90de91d.domains._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 as > > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > > 7375f90de91d.domains._msdcs.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > > 7375f90de91d.domains._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > > 7375f90de91d.domains._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV _kerberos._tcp.my.domain.tld > > >> DC2.my.domain.tld 88 as _kerberos._tcp.my.domain.tld. > > >> Checking 0 100 88 DC1.my.domain.tld. against SRV > > >> _kerberos._tcp.my.domain.tld DC2.my.domain.tld 88 > > >> Failed to find matching DNS entry SRV _kerberos._tcp.my.domain.tld > > >> DC2.my.domain.tld 88 > > >> Looking for DNS entry SRV _kerberos._udp.my.domain.tld > > >> DC2.my.domain.tld 88 as _kerberos._udp.my.domain.tld. > > >> Checking 0 100 88 DC1.my.domain.tld. against SRV > > >> _kerberos._udp.my.domain.tld DC2.my.domain.tld 88 > > >> Failed to find matching DNS entry SRV _kerberos._udp.my.domain.tld > > >> DC2.my.domain.tld 88 > > >> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 88 as _kerberos._tcp.dc._msdcs.my.domain.tld. > > >> Checking 0 100 88 DC1.my.domain.tld. 
against SRV > > >> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 > > >> Failed to find matching DNS entry SRV > > >> _kerberos._tcp.dc._msdcs.my.domain.tld DC2.my.domain.tld 88 > > >> Looking for DNS entry SRV _kpasswd._tcp.my.domain.tld > > >> DC2.my.domain.tld 464 as _kpasswd._tcp.my.domain.tld. > > >> Checking 0 100 464 DC1.my.domain.tld. against SRV > > >> _kpasswd._tcp.my.domain.tld DC2.my.domain.tld 464 > > >> Failed to find matching DNS entry SRV _kpasswd._tcp.my.domain.tld > > >> DC2.my.domain.tld 464 > > >> Looking for DNS entry SRV _kpasswd._udp.my.domain.tld > > >> DC2.my.domain.tld 464 as _kpasswd._udp.my.domain.tld. > > >> Checking 0 100 464 DC1.my.domain.tld. against SRV > > >> _kpasswd._udp.my.domain.tld DC2.my.domain.tld 464 > > >> Failed to find matching DNS entry SRV _kpasswd._udp.my.domain.tld > > >> DC2.my.domain.tld 464 > > >> Looking for DNS entry CNAME > > >> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld > > >> DC2.my.domain.tld as > > >> d1df6d3d-7fd1-45f4-b613-74c7825d9208._msdcs.my.domain.tld. > > >> Looking for DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 389 as > > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 as > > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. 
against SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 88 as > > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. > > >> Checking 0 100 88 DC1.my.domain.tld. against SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 88 > > >> Failed to find matching DNS entry SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 88 > > >> Looking for DNS entry SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 88 as > > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > > >> Checking 0 100 88 DC1.my.domain.tld. against SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 88 > > >> Failed to find matching DNS entry SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 88 > > >> Looking for DNS entry A gc._msdcs.my.domain.tld IP_of_2nd_DC as > > >> gc._msdcs.my.domain.tld. > > >> Failed to find matching DNS entry A gc._msdcs.my.domain.tld > > IP_of_2nd_DC > > >> Looking for DNS entry SRV _gc._tcp.my.domain.tld DC2.my.domain.tld > > >> 3268 as _gc._tcp.my.domain.tld. > > >> Checking 0 100 3268 DC1.my.domain.tld. against SRV > > >> _gc._tcp.my.domain.tld DC2.my.domain.tld 3268 > > >> Failed to find matching DNS entry SRV _gc._tcp.my.domain.tld > > >> DC2.my.domain.tld 3268 > > >> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 3268 as _ldap._tcp.gc._msdcs.my.domain.tld. > > >> Checking 0 100 3268 DC1.my.domain.tld. 
against SRV > > >> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.gc._msdcs.my.domain.tld DC2.my.domain.tld 3268 > > >> Looking for DNS entry SRV > > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 3268 as > > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. > > >> Checking 0 100 3268 DC1.my.domain.tld. against SRV > > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 3268 > > >> Failed to find matching DNS entry SRV > > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 3268 > > >> Looking for DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 3268 as > > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. > > >> Checking 0 100 3268 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 3268 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 3268 > > >> Looking for DNS entry A DomainDnsZones.my.domain.tld IP_of_2nd_DC as > > >> DomainDnsZones.my.domain.tld. > > >> Failed to find matching DNS entry A DomainDnsZones.my.domain.tld > > >> IP_of_2nd_DC > > >> Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.my.domain.tld > > >> DC2.my.domain.tld 389 as _ldap._tcp.DomainDnsZones.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. 
against SRV > > >> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.DomainDnsZones.my.domain.tld DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 as > > >> > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 > > >> Looking for DNS entry A ForestDnsZones.my.domain.tld IP_of_2nd_DC as > > >> ForestDnsZones.my.domain.tld. > > >> Failed to find matching DNS entry A ForestDnsZones.my.domain.tld > > >> IP_of_2nd_DC > > >> Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.my.domain.tld > > >> DC2.my.domain.tld 389 as _ldap._tcp.ForestDnsZones.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. against SRV > > >> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.ForestDnsZones.my.domain.tld DC2.my.domain.tld 389 > > >> Looking for DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 as > > >> > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. > > >> Checking 0 100 389 DC1.my.domain.tld. 
against SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 > > >> Failed to find matching DNS entry SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 > > >> Calling nsupdate for A my.domain.tld IP_of_2nd_DC (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> my.domain.tld. 900 IN A IP_of_2nd_DC > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _ldap._tcp.my.domain.tld DC2.my.domain.tld > > >> 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.my.domain.tld. 900 IN SRV 0 100 389 > > >> DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.dc._msdcs.my.domain.tld. 900 IN SRV 0 100 389 > > >> DC2.my.domain.tld. 
> > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > > 7375f90de91d.domains._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.c2e92ed0-e889-40a0-a272- > > 7375f90de91d.domains._msdcs.my.domain.tld. > > >> 900 IN SRV 0 100 389 DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _kerberos._tcp.my.domain.tld > > >> DC2.my.domain.tld 88 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kerberos._tcp.my.domain.tld. 900 IN SRV 0 100 88 > > DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _kerberos._udp.my.domain.tld > > >> DC2.my.domain.tld 88 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kerberos._udp.my.domain.tld. 900 IN SRV 0 100 88 > > DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 88 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kerberos._tcp.dc._msdcs.my.domain.tld. 
900 IN SRV 0 100 88 > > >> DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _kpasswd._tcp.my.domain.tld > > >> DC2.my.domain.tld 464 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kpasswd._tcp.my.domain.tld. 900 IN SRV 0 100 464 > > >> DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _kpasswd._udp.my.domain.tld > > >> DC2.my.domain.tld 464 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kpasswd._udp.my.domain.tld. 900 IN SRV 0 100 464 > > >> DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 > > >> 100 389 DC2.my.domain.tld. 
> > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > > >> 900 IN SRV 0 100 389 DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 88 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN > > >> SRV 0 100 88 DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 88 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.tld. > > 900 > > >> IN SRV 0 100 88 DC2.my.domain.tld. 
> > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for A gc._msdcs.my.domain.tld IP_of_2nd_DC (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> gc._msdcs.my.domain.tld. 900 IN A IP_of_2nd_DC > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _gc._tcp.my.domain.tld DC2.my.domain.tld > > >> 3268 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _gc._tcp.my.domain.tld. 900 IN SRV 0 100 3268 > > >> DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 3268 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.gc._msdcs.my.domain.tld. 900 IN SRV 0 100 3268 > > >> DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld > > >> DC2.my.domain.tld 3268 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _gc._tcp.Default-First-Site-Name._sites.my.domain.tld. 900 IN SRV 0 > > >> 100 3268 DC2.my.domain.tld. 
> > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld > > >> DC2.my.domain.tld 3268 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.tld. > > >> 900 IN SRV 0 100 3268 DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for A DomainDnsZones.my.domain.tld IP_of_2nd_DC (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> DomainDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain.tld > > >> DC2.my.domain.tld 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.DomainDnsZones.my.domain.tld. 900 IN SRV 0 100 389 > > >> DC2.my.domain.tld. 
> > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> > _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.tld. > > >> 900 IN SRV 0 100 389 DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for A ForestDnsZones.my.domain.tld IP_of_2nd_DC (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> ForestDnsZones.my.domain.tld. 900 IN A IP_of_2nd_DC > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.my.domain.tld > > >> DC2.my.domain.tld 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> _ldap._tcp.ForestDnsZones.my.domain.tld. 900 IN SRV 0 100 389 > > >> DC2.my.domain.tld. 
> > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Calling nsupdate for SRV > > >> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld > > DC2.my.domain.tld > > >> 389 (add) > > >> Outgoing update query: > > >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > > >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > > >> ;; UPDATE SECTION: > > >> > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.tld. > > >> 900 IN SRV 0 100 389 DC2.my.domain.tld. > > >> > > >> ; TSIG error with server: tsig verify failure > > >> update failed: FORMERR > > >> Failed nsupdate: 2 > > >> Failed update of 24 entries > > >> > > >> > > >> > > > > > > There is a known problem, even though the updates print '; TSIG error > > > with server: tsig verify failure', it still works. Try running 'host > > > -t SRV _kerberos._udp.my.domain.tld.' again. > > > > > > Rowland > > > > Nope, still one record. > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > From rpenny at samba.org Fri Dec 11 11:07:08 2015 From: rpenny at samba.org (Rowland penny) Date: Fri, 11 Dec 2015 11:07:08 +0000 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: References: <56699117.7070303@samba.org> <566996A2.6040409@tu-berlin.de> Message-ID: <566AAE5C.8060206@samba.org> On 11/12/15 10:29, mathias dufresne wrote: > Hi Ole, > > Using internal DNS samba_dnsupdate does not work correctly, at least not > every time. > > Someone modified this samba_dnsupdate tool commenting this line: > os.unlink(tmpfile) > which should line 413. 
>
> Doing that he was able to get the files generated by samba_dnsupdate and use
> them as the argument of the nsupdate command (without the -g switch and with
> "allow dns updates = nonsecure" in smb.conf).
>
> I was not able to make that process work here, but I did not try hard. As
> this process was sent directly to me, I share it.
>
> The process I use to generate all DNS records is to run samba_dnsupdate
> --all-names --verbose and send the output of that command to the attached awk
> script.
> The awk script gets the information from samba_dnsupdate for each record and
> launches samba-tool to create the DNS record. This script is not clever: it
> tries to create all mentioned DNS records, generating warnings when a record
> already exists.
>
> You will have to modify this awk script, as the BEGIN section contains fake
> information related to the AD domain:
>
> BEGIN {
>     ad_zone = "YOUR.DOMAIN.TLD"
>     msdcs_zone = "_msdcs." ad_zone
>     dns_server = "YOUR-DC"
> }
>
> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain
> configuration.
>
> The awk script uses Kerberos authentication when running samba-tool, so you
> will need to generate a Kerberos ticket for some AD admin before:
> 1) kinit administrator
> 2) samba_dnsupdate | awk -f dnsupdate.awk
>
> As it is not an issue to try to create an entry which already exists, you can
> run that script on each DC to make sure all entries are correctly created on
> all DCs.
>
> Best regards,
>
> mathias dufresne
>
>

There is a flaw with your script! This mailing list strips off attachments, you are going to have to paste it into the post.
:-)

Rowland

From infractory at gmail.com Fri Dec 11 12:33:15 2015
From: infractory at gmail.com (mathias dufresne)
Date: Fri, 11 Dec 2015 13:33:15 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566AAE5C.8060206@samba.org>
References: <56699117.7070303@samba.org> <566996A2.6040409@tu-berlin.de> <566AAE5C.8060206@samba.org>
Message-ID:

Thank you Rowland for noticing that.

Here it is:
------------------------------------------------------------------
#!/usr/bin/awk -f
#
# Usage:  kinit administrator
#         samba_dnsupdate --all-names --verbose | awk -f dnsupdate.awk
#
# For every record nsupdate prints under "UPDATE SECTION:" this runs
# "samba-tool dns add" against dns_server, authenticating with the
# Kerberos ticket of the calling user. A record that already exists only
# makes samba-tool print a warning, so the script can be re-run on every DC.

BEGIN {
    ad_zone    = "YOUR.DOMAIN.TLD"
    msdcs_zone = "_msdcs." ad_zone
    dns_server = "YOUR-DC"
}

# Decide which AD zone a fully qualified record name belongs to (sets the
# global "zone") and return the name relative to that zone, "@" for the apex.
function relname(fqdn,    name) {
    zone = (fqdn ~ /(^|\.)_msdcs\./) ? msdcs_zone : ad_zone
    # strip the literal suffix "<zone>." rather than using it as a regexp
    name = substr(fqdn, 1, length(fqdn) - length(zone) - 2)
    return (name == "") ? "@" : name
}

/UPDATE SECTION:/ {
    # the record is on the following line (assumed not to be wrapped), e.g.
    # _ldap._tcp.YOUR.DOMAIN.TLD. 900 IN SRV 0 100 389 DC2.YOUR.DOMAIN.TLD.
    # fields: $1 name, $2 ttl, $3 class, $4 type, $5... rdata
    getline
    record = relname($1)
    if ($4 == "A" || $4 == "CNAME") {
        # A records and the NTDS GUID CNAME carry a single rdata field
        cmd = "samba-tool dns add " dns_server " " zone " " record " " $4 " " $5 " --kerberos=yes"
    } else if ($4 == "SRV") {
        # samba-tool wants SRV data as 'target port priority weight';
        # nsupdate prints it as priority weight port target ($5 $6 $7 $8)
        cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' --kerberos=yes"
    } else {
        next
    }
    print cmd
    system(cmd)
}
------------------------------------------------------------------

This script does not take into account missing NS records, as samba_dnsupdate does not try to create them.

2015-12-11 12:07 GMT+01:00 Rowland penny :

> On 11/12/15 10:29, mathias dufresne wrote:
>
>> Hi Ole,
>>
>> Using internal DNS samba_dnsupdate does not work correctly, at least not
>> every time.
>>
>> Someone modified this samba_dnsupdate tool commenting this line:
>> os.unlink(tmpfile)
>> which should be line 413.
>> >> Doing that he was able to get files generated by samba_dnsupdate to use >> them as argument of nsupdate command (without -g switch and with "allow >> dns >> updates = nonsecure" in smb.conf). >> >> I was not able to make that process work here but I did not tried hard. As >> this process was sent directly to me I share it. >> >> The process I use to generate all DNS records is to run samba_dnsupdate >> --all-names --verbose and send output of that command to attached awk >> script. >> The awk script get information from samba_dnsupdate for each record and >> launch samba-tool to create DNS record. This script is not clever: it >> tries >> to create all mentioned DNS record, generating warnings when record >> already >> exists. >> >> You will have to modify this awk script as the BEGIN section contains fake >> information related to AD domain: >> >> BEGIN { >> ad_zone = "YOUR.DOMAIN.TLD" >> msdcs_zone = "_msdcs." ad_zone >> dns_server = "YOUR-DC" >> } >> >> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain >> configuration. >> >> The awk script uses kerberos authentication when running samba-tool so you >> will need to generate a kerberos ticket for some AD admin before: >> 1°) kinit administrator >> 2°) samba_dnsupdate | awk -f dnsupdate.awk >> >> As it is not an issue to try create an entry which already exists you can >> run it that script on each DC to assure you all entries are correctly >> created on all DC. >> >> Best regards, >> >> mathias dufresne >> >> >> > There is a flaw with your script! > > > > > > This mailing list strips off attachments, you are going to have to paste > it into post. 
:-)
>
> Rowland
>

From lucia_barrales at yahoo.com Fri Dec 11 12:17:01 2015
From: lucia_barrales at yahoo.com (Lucia Barrales)
Date: Fri, 11 Dec 2015 12:17:01 +0000 (UTC)
Subject: [Samba] Install Samba on Solaris (help please)
References: <1018408055.1261203.1449836221743.JavaMail.yahoo.ref@mail.yahoo.com>
Message-ID: <1018408055.1261203.1449836221743.JavaMail.yahoo@mail.yahoo.com>

Hi,

When I try to install Samba 4.3.0 on Solaris 10 (64 bits), the configure command fails:

./configure
..
Checking if size of bool == 1                                : not found
Checking if size of bool == 2                                : not found
Checking if size of bool == 4                                : not found
Checking if size of bool == 8                                : not found
Checking if size of bool == 16                               : not found
Checking if size of bool == 32                               : not found
Couldn't determine size of 'bool'

I've changed the file /usr/local/samba/samba-4.3.0/buildtools/wafsamba/samba_autoconf.py and I've added 64 to the next sentence:

    for size in list((1, 2, 4, 8, 16, 32, 64)):

It fails with the same error:
...
Checking if size of bool == 1                                : not found
Checking if size of bool == 2                                : not found
Checking if size of bool == 4                                : not found
Checking if size of bool == 8                                : not found
Checking if size of bool == 16                               : not found
Checking if size of bool == 32                               : not found
Checking if size of bool == 64                               : no
Couldn't determine size of 'bool'

The environment variables are:
LD_LIBRARY_PATH_64=/usr/lib/64
PATH=/usr/local/lib:/usr/sbin:/usr/bin:/usr/sfw/bin:/usr/lib/sparcv9:/usr/ccs/bin

Please, any help is welcome.
Thanks in advance

From alanhughes at e2eservices.co.uk Fri Dec 11 13:00:10 2015
From: alanhughes at e2eservices.co.uk (Alan Hughes)
Date: Fri, 11 Dec 2015 13:00:10 +0000
Subject: [Samba] Samba-4 DNS issue
Message-ID:

Folks

I've managed (due to me being fat-fingered that morning) to get a DNS zone in a Samba-4 DNS setup screwed up.

Basically I was trying to add a new A record to an internal domain "e2eservices.co.uk" using the MS administration tools (not the samba-tool CLI). However instead of adding the entry "styx" to the domain, I accidentally added "styx.e2eservices.co.uk"; this basically generated a child entry called "uk" under the "e2eservices.co.uk" zone that appears to replicate all entries that were originally in the zone (so for example I now have "styx.e2eservices.co.uk.e2eservices.co.uk", "foobar.e2eservices.co.uk.e2eservices.co.uk", etc.).

I'd rather like to clean this up by deleting all of the records under "e2eservices.co.uk.e2eservices.co.uk" (including the child entries rooted at "uk.e2eservices.co.uk") without deleting any records under "e2eservices.co.uk" but cannot work out how to do this. I guess if absolutely necessary I could drop the domain and recreate it, but I'd prefer not to do this if at all possible.
Does anyone have any suggestions on how I can go about doing this?   Thanks in advance   Alan This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this email in error please notify the sender immediately and then delete the email from your system. Internet communications are not secure and therefore e2E Services Ltd does not accept any liability for the contents of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of e2E Services Ltd. Although this email and any attachments have been scanned for viruses, the success of scanning products is not guaranteed. The recipient(s) should therefore carry out any checks that they believe to be appropriate in this respect. e2E Services Ltd. is a limited company registered in the UK, No. 3878701. Registered Office: e2E Services Ltd, George Court, Bartholomews Walk, Ely, Cambridgeshire, CB7 4JW From rpenny at samba.org Fri Dec 11 13:14:07 2015 From: rpenny at samba.org (Rowland penny) Date: Fri, 11 Dec 2015 13:14:07 +0000 Subject: [Samba] Samba-4 DNS issue In-Reply-To: References: Message-ID: <566ACC1F.1070802@samba.org> On 11/12/15 13:00, Alan Hughes wrote: > Folks > > > I've managed (due to me being fat-fingered that morning) to get a DNS zone in a Samba-4 DNS setup screwed up. > > > Basically I was trying to add a new A record to an internal domain "e2eservices.co.uk" using the MS administration tools (not the samba-tool CLI). However instead of adding the entry "styx" to the domain, I accidently added "styx.e2eservices.co.uk"; this basically generated a child entry called "uk" under the "e2eservices.co.uk" zone that appears to replicate all entries that where originally in the zone (so for example I now have "styx.e2eservices.co.uk.e2eservices.co.uk", "foobar.e2eservices.co.uk.e2eservices.co.uk", etc. 
>
>
> I'd rather like to clean this up by deleting all of the records under "e2eservices.co.uk.e2eservices.co.uk" (including the child entries rooted at "uk.e2eservices.co.uk") without deleting any records under "e2eservices.co.uk" but cannot work out how to do this. I guess if absolutely necessary I could drop the domain and recreate it, but I'd prefer not to do this if at all possible. Does anyone have any suggestions on how I can go about doing this?
>
>
> Thanks in advance
>
>
> Alan
>
>

You could try samba-tool on the DC, 'samba-tool dns zonelist 127.0.0.1 -UAdministrator' will list all the zones, so if it is a separate zone, you should be able to delete it with 'samba-tool dns zonedelete 127.0.0.1 -UAdministrator'

Rowland

From alanhughes at e2eservices.co.uk Fri Dec 11 13:31:34 2015
From: alanhughes at e2eservices.co.uk (Alan Hughes)
Date: Fri, 11 Dec 2015 13:31:34 +0000
Subject: [Samba] Samba-4 DNS issue
In-Reply-To: <566ACC1F.1070802@samba.org>
References: <566ACC1F.1070802@samba.org>
Message-ID:

Thanks for the suggestion, however it is not a separate zone, i.e. it appears to be a part of the "e2eservices.co.uk" zone with child objects (analogous to "_tcp" and "_udp" in a domain zone).

Alan

-----Original message-----
From: Rowland penny
Sent: Fri 11-12-2015 13:16
Subject: Re: [Samba] Samba-4 DNS issue
To: samba at lists.samba.org;

On 11/12/15 13:00, Alan Hughes wrote:
> Folks
>
>
> I've managed (due to me being fat-fingered that morning) to get a DNS zone in a Samba-4 DNS setup screwed up.
>
>
> Basically I was trying to add a new A record to an internal domain "e2eservices.co.uk" using the MS administration tools (not the samba-tool CLI).
However instead of adding the entry "styx" to the domain, I accidently added "styx.e2eservices.co.uk"; this basically generated a child entry called "uk" under the "e2eservices.co.uk" zone that appears to replicate all entries that where originally in the zone (so for example I now have "styx.e2eservices.co.uk.e2eservices.co.uk", "foobar.e2eservices.co.uk.e2eservices.co.uk", etc. > >   > I'd rather lke to clean this up by deleting all of the records under "e2eservices.co.uk.e2eservices.co.uk"(including the child entries rooted at "uk.e2eservices.co.uk") without deleting any records under "e2eservices.co.uk" but cannot work out how to do this. I guess if absolutely necessary I could drop the domain and recreate it, but I'd prefer not to do this if at all possible. Does anyone have any suggestions on how I can go about doing this? > >   > Thanks in advance > >   > Alan > > > You could try samba-tool on the DC, 'samba-tool dns zonelist 127.0.0.1 -UAdministrator' will list all the zones, so if it is a separate zone, you should be able to delete it with 'samba-tool dns zonedelete 127.0.0.1 -UAdministrator' Rowland -- To unsubscribe from this list go to the following URL and read the instructions:  https://lists.samba.org/mailman/options/samba From rpenny at samba.org Fri Dec 11 13:54:54 2015 From: rpenny at samba.org (Rowland penny) Date: Fri, 11 Dec 2015 13:54:54 +0000 Subject: [Samba] Samba-4 DNS issue In-Reply-To: References: <566ACC1F.1070802@samba.org> Message-ID: <566AD5AE.4080304@samba.org> On 11/12/15 13:31, Alan Hughes wrote: > Thanks for the suggestion, however it is not a seperate zone, i.e. it appears to be a part of the "e2eservices.co.uk" zone with child objects (analogous to "_tcp" and "_udp" in a domain zone). 
> > > Alan > > -----Original message----- > From:Rowland penny > Sent:Fri 11-12-2015 13:16 > Subject:Re: [Samba] Samba-4 DNS issue > To:samba at lists.samba.org; > On 11/12/15 13:00, Alan Hughes wrote: >> Folks >> >> >> I've managed (due to me being fat-fingered that morning) to get a DNS zone in a Samba-4 DNS setup screwed up. >> >> >> Basically I was trying to add a new A record to an internal domain "e2eservices.co.uk" using the MS administration tools (not the samba-tool CLI). However instead of adding the entry "styx" to the domain, I accidently added "styx.e2eservices.co.uk"; this basically generated a child entry called "uk" under the "e2eservices.co.uk" zone that appears to replicate all entries that where originally in the zone (so for example I now have "styx.e2eservices.co.uk.e2eservices.co.uk", "foobar.e2eservices.co.uk.e2eservices.co.uk", etc. >> >> >> I'd rather lke to clean this up by deleting all of the records under "e2eservices.co.uk.e2eservices.co.uk"(including the child entries rooted at "uk.e2eservices.co.uk") without deleting any records under "e2eservices.co.uk" but cannot work out how to do this. I guess if absolutely necessary I could drop the domain and recreate it, but I'd prefer not to do this if at all possible. Does anyone have any suggestions on how I can go about doing this? 
>>
>>
>> Thanks in advance
>>
>>
>> Alan
>>
>>
>>
> You could try samba-tool on the DC, 'samba-tool dns zonelist 127.0.0.1
> -UAdministrator' will list all the zones, so if it is a separate zone,
> you should be able to delete it with 'samba-tool dns zonedelete
> 127.0.0.1 -UAdministrator'
>
> Rowland
>
>

You will probably have to delete the dns records, one by one, try investigating 'samba-tool dns --help'

Rowland

From ole.traupe at tu-berlin.de Fri Dec 11 13:59:19 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Fri, 11 Dec 2015 14:59:19 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To:
References: <56699117.7070303@samba.org> <566996A2.6040409@tu-berlin.de> <566AAE5C.8060206@samba.org>
Message-ID: <566AD6B7.2010704@tu-berlin.de>

Hi folks,

a) thank you all for your help, I highly appreciate your time and effort, and I am sure I can resolve this issue very soon!
b) I have to delay this until early next week, as I have to attend to other matters for now.

All I can say, Louis, is that I won't set up a new DC to resolve this - at least not for now. This seems to be another problem of Samba4 not being able to deal with multiple DCs properly. And this has to be able to be resolved on an otherwise working domain without changing its architecture or other more drastic measures. This is my point of view at the moment. Your suggestion reminds me a bit of some typical forum replies to "Reinstall the OS" in case of any problems that can't be solved in an instant.

If necessary, I will just create the missing DNS entries of my 2nd DC by hand. Although I would prefer a working script supplied by a professional (which I am not). At least I would like to know which DNS entries for my 2nd DC are essential for logins to work. I wouldn't very much like to try this out. However, I am aware that your time is as limited as mine (if not even more so), and you are in no obligation in any way.
Besides, I didn't forget do delete anything. I used the script from the wiki to get rid of old records pertaining to my former 1st DC after I had created the records of my *new* 1st DC. I checked the results: everything related to my former first DC was gone. Also I documented/discussed this process here on the list. And nobody pointed me to things I forgot or was leaving out. I know that use of this script was totally "on my own risk". But the results were as they should have been, at least as far I am able to tell. That said, I will go through your responses and get back to you with results. Best, have a good weekend! Ole Am 11.12.2015 um 13:33 schrieb mathias dufresne: > Thank you Rowland to noticed that. > > Here it is: > ------------------------------------------------------------------ > #!/usr/bin/awk > > BEGIN { > ad_zone = "YOUR.DOMAIN.TLD" > msdcs_zone = "_msdcs." ad_zone > dns_server = "YOUR-DC" > } > { > if ($0 ~ /UPDATE SECTION:/) { > getline > print NF, $0 > if ($4 == "A") { > if($1 ~ /_msdcs/) { > zone = msdcs_zone > } else { > zone = ad_zone > } > record = $1 > regexp = "." zone "." > sub(regexp, "", record) > cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record " A > " $5 " --kerberos=yes" > #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record " A > " $5 " " $2 > print cmd > cmd | getline > close(cmd) > } > if ($4 == "SRV") { > if($1 ~ /_msdcs/) { > zone = msdcs_zone > } else { > zone = ad_zone > } > record = $1 > regexp = "." zone "." > sub(regexp, "", record) > cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record " > SRV \'" $8 " " $7 " " $5 " " $6 "\' --kerberos=yes" > #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record " > SRV \'" $8 " " $7 " " $5 " " $6 "\' " $2 > print cmd > cmd | getline > close(cmd) > } > } > } > ------------------------------------------------------------------ > > This script does not take in account missing NS records as samba_dnsupdate > does not try to create them. 
> > > 2015-12-11 12:07 GMT+01:00 Rowland penny : > >> On 11/12/15 10:29, mathias dufresne wrote: >> >>> Hi Ole, >>> >>> Using internal DNS samba_dnsupdate does not work correctly, at least not >>> every time. >>> >>> Someone modified this samba_dnsupdate tool commenting this line: >>> os.unlink(tmpfile) >>> which should line 413. >>> >>> Doing that he was able to get files generated by samba_dnsupdate to use >>> them as argument of nsupdate command (without -g switch and with "allow >>> dns >>> updates = nonsecure" in smb.conf). >>> >>> I was not able to make that process work here but I did not tried hard. As >>> this process was sent directly to me I share it. >>> >>> The process I use to generate all DNS records is to run samba_dnsupdate >>> --all-names --verbose and send output of that command to attached awk >>> script. >>> The awk script get information from samba_dnsupdate for each record and >>> launch samba-tool to create DNS record. This script is not clever: it >>> tries >>> to create all mentioned DNS record, generating warnings when record >>> already >>> exists. >>> >>> You will have to modify this awk script as the BEGIN section contains fake >>> information related to AD domain: >>> >>> BEGIN { >>> ad_zone = "YOUR.DOMAIN.TLD" >>> msdcs_zone = "_msdcs." ad_zone >>> dns_server = "YOUR-DC" >>> } >>> >>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain >>> configuration. >>> >>> The awk script uses kerberos authentication when running samba-tool so you >>> will need to generate a kerberos ticket for some AD admin before: >>> 1°) kinit administrator >>> 2°) samba_dnsupdate | awk -f dnsupdate.awk >>> >>> As it is not an issue to try create an entry which already exists you can >>> run it that script on each DC to assure you all entries are correctly >>> created on all DC. >>> >>> Best regards, >>> >>> mathias dufresne >>> >>> >>> >> There is a flaw with your script! 
>>
>>
>>
>>
>>
>> This mailing list strips off attachments, you are going to have to paste
>> it into post. :-)
>>
>> Rowland
>>

From belle at bazuin.nl Fri Dec 11 14:04:53 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Fri, 11 Dec 2015 15:04:53 +0100
Subject: [Samba] Samba-4 DNS issue
In-Reply-To:
References:
Message-ID:

It should not be needed to drop and recreate.

Try the following.
- Delete the created records in the "wrong" zone(s).
- Try to delete the "wrong" zone (ignore the error).
- Restart bind.
- Restart samba.
- Pray and check again.

Are the "empty" zones gone and are your dns records there again?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alan Hughes
> Sent: Friday 11 December 2015 14:00
> To: samba at lists.samba.org
> Subject: [Samba] Samba-4 DNS issue
>
> Folks
>
>
> I've managed (due to me being fat-fingered that morning) to get a DNS zone
> in a Samba-4 DNS setup screwed up.
>
>
> Basically I was trying to add a new A record to an internal domain
> "e2eservices.co.uk" using the MS administration tools (not the samba-tool
> CLI). However instead of adding the entry "styx" to the domain, I
> accidentally added "styx.e2eservices.co.uk"; this basically generated a
> child entry called "uk" under the "e2eservices.co.uk" zone that appears to
> replicate all entries that were originally in the zone (so for example I
> now have "styx.e2eservices.co.uk.e2eservices.co.uk",
> "foobar.e2eservices.co.uk.e2eservices.co.uk", etc.
>
>
> I'd rather like to clean this up by deleting all of the records under
> "e2eservices.co.uk.e2eservices.co.uk" (including the child entries rooted
> at "uk.e2eservices.co.uk") without deleting any records under
> "e2eservices.co.uk" but cannot work out how to do this.
I guess if > absolutely necessary I could drop the domain and recreate it, but I'd > prefer not to do this if at all possible. Does anyone have any suggestions > on how I can go about doing this? > > > Thanks in advance > > > Alan > > > This email and any files transmitted with it are confidential and intended > solely for the use of the individual or entity to which they are > addressed. If you have received this email in error please notify the > sender immediately and then delete the email from your system. > > Internet communications are not secure and therefore e2E Services Ltd does > not accept any liability for the contents of this message. Any views or > opinions presented are solely those of the author and do not necessarily > represent those of e2E Services Ltd. > > Although this email and any attachments have been scanned for viruses, the > success of scanning products is not guaranteed. The recipient(s) should > therefore carry out any checks that they believe to be appropriate in this > respect. > > e2E Services Ltd. is a limited company registered in the UK, No. 3878701. > Registered Office: e2E Services Ltd, George Court, Bartholomews Walk, > Ely, Cambridgeshire, CB7 4JW > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba From rpenny at samba.org Fri Dec 11 14:24:52 2015 From: rpenny at samba.org (Rowland penny) Date: Fri, 11 Dec 2015 14:24:52 +0000 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <566AD6B7.2010704@tu-berlin.de> References: <56699117.7070303@samba.org> <566996A2.6040409@tu-berlin.de> <566AAE5C.8060206@samba.org> <566AD6B7.2010704@tu-berlin.de> Message-ID: <566ADCB4.3010202@samba.org> On 11/12/15 13:59, Ole Traupe wrote: > Hi folks, > > a) thank you all for your help, I highly appreciate you time and > effort, and I am sure I can resolve this issue very soon! 
> b) I have to delay this until early next week, as I have to attend to > other matters for now. > > All I can say, Louis, is that I won't set up a new DC to resolve this > - at least not for now. This seems to be another problem of Samba4 not > being able to deal with multiple DCs properly. And this has to be able > to be resolved on an otherwise working domain without changing its > architecture or other more drastic measures. This is my point of view > at the moment. Your suggestion reminds me a bit of some typical forum > replies to "Reinstall the OS" in case of any problems that can't be > solved in an instant. > > If necessary, I will just create the missing DNS entries of my 2nd DC > by hand. Although I would prefer a working script supplied by a > professional (which I am not). At least I would like to know which DNS > entries for my 2nd DC are essential for logins to work. I wouldn't > very much like to try this out. However, I am aware that your time is > as limited as mine (of not even more so), and you are in no obligation > in any way. > > Besides, I didn't forget do delete anything. I used the script from > the wiki to get rid of old records pertaining to my former 1st DC > after I had created the records of my *new* 1st DC. I checked the > results: everything related to my former first DC was gone. Also I > documented/discussed this process here on the list. And nobody pointed > me to things I forgot or was leaving out. I know that use of this > script was totally "on my own risk". But the results were as they > should have been, at least as far I am able to tell. > > That said, I will go through your responses and get back to you with > results. > > Best, have a good weekend! 
> Ole
>

Ole, when you provision a domain, all the required records are created, but
when you join another DC, most of the dns records are not created until the
samba daemon is started and samba_dnsupdate is run automatically, see
'dns_update_list' for what is added (this is in /usr/share/samba/setup &
/var/lib/samba/private on debian)

If you want to add the missing NS records, add these lines to 'dns_update_list' :

    # RW DNS servers
    ${IF_RWDNS_DOMAIN}A ${DNSDOMAIN} $IP
    ${IF_RWDNS_DOMAIN}NS ${DNSDOMAIN} ${HOSTNAME}

    # RW DNS servers
    ${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME}

You should be aware that even if you add these lines, they will not do you
any good at the moment if you use the internal dns server. There is a
problem, it looks like the records do not get added when samba_dnsupdate is
first run, but they are.

What you could do is this, copy the 'dns_update_list', replace all the
variables with your info (${DNSDOMAIN} etc), then use this to check what
you are missing and then add what isn't there.

Rowland


From belle at bazuin.nl Fri Dec 11 14:31:28 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Fri, 11 Dec 2015 15:31:28 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <566AD6B7.2010704@tu-berlin.de>
References:
Message-ID:

Commented in between.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Friday 11 December 2015 14:59
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
> Hi folks,
>
> a) thank you all for your help, I highly appreciate your time and effort,
> and I am sure I can resolve this issue very soon!
> b) I have to delay this until early next week, as I have to attend to
> other matters for now.
>
> All I can say, Louis, is that I won't set up a new DC to resolve this -
> at least not for now. This seems to be another problem of Samba4 not
> being able to deal with multiple DCs properly. And this has to be able
> to be resolved on an otherwise working domain without changing its
> architecture or other more drastic measures. This is my point of view at
> the moment. Your suggestion reminds me a bit of some typical forum
> replies to "Reinstall the OS" in case of any problems that can't be
> solved in an instant.

[L.P.H. van Belle]
I don't think this is another problem of samba4, but this is a problem
which started in the beginning of your install, at least that's what I
suspect based on all your info on the list.
I suspect that, when you "installed" the new DC with the old name/ip, you
forgot somewhere to remove old entries in AD and/or DNS.
And this is why I suggested it, normally I don't suggest something like
this, but I do think that if you setup clean you will have a better running
server with less problems, but what you choose is all up to you.
Do what you think is best for you.

>
> If necessary, I will just create the missing DNS entries of my 2nd DC by
> hand. Although I would prefer a working script supplied by a
> professional (which I am not). At least I would like to know which DNS
> entries for my 2nd DC are essential for logins to work. I wouldn't very
> much like to try this out. However, I am aware that your time is as
> limited as mine (if not even more so), and you are under no obligation in
> any way.

[L.P.H. van Belle]
> ). At least I would like to know which DNS
> entries for my 2nd DC are essential for logins to work.

And what you ask here is already answered a few times imo.
Again, you're quicker with a clean install, and you learn more from it.
And with clean, I don't mean dropping your AD, just add a new "DC Join" to
hold the AD data so you can remove the faulty server and then you can
install that server again, but now as it should be.
AND when you join a DC your login problem is fixed also. ;-)

> Besides, I didn't forget to delete anything. I used the script from the
> wiki to get rid of old records pertaining to my former 1st DC after I
> had created the records of my *new* 1st DC. I checked the results:
> everything related to my former first DC was gone. Also I
> documented/discussed this process here on the list. And nobody pointed
> me to things I forgot or was leaving out. I know that use of this script
> was totally "on my own risk". But the results were as they should have
> been, at least as far as I am able to tell.

[L.P.H. van Belle]
Which script? Can anyone point that one out for me, can't find it.
I only know about https://bugzilla.samba.org/show_bug.cgi?id=10595

>
> That said, I will go through your responses and get back to you with
> results.
>
> Best, have a good weekend!
> Ole

[L.P.H. van Belle]
Thank you, and have a very good weekend also, I hope your problem is fixed soon.

>
>
> On 11.12.2015 at 13:33, mathias dufresne wrote:
> > Thank you Rowland for noticing that.
> >
> > Here it is:
> > ------------------------------------------------------------------
> > #!/usr/bin/awk -f
> >
> > BEGIN {
> >     ad_zone = "YOUR.DOMAIN.TLD"
> >     msdcs_zone = "_msdcs." ad_zone
> >     dns_server = "YOUR-DC"
> > }
> > {
> >     if ($0 ~ /UPDATE SECTION:/) {
> >         # the record itself is on the line that follows the section header
> >         getline
> >         # debug output: field count and the raw record line
> >         print NF, $0
> >         if ($4 == "A") {
> >             if ($1 ~ /_msdcs/) {
> >                 zone = msdcs_zone
> >             } else {
> >                 zone = ad_zone
> >             }
> >             # strip the trailing ".<zone>." suffix to get the relative record name
> >             record = $1
> >             regexp = "." zone ".$"
> >             sub(regexp, "", record)
> >             # add the record to the zone it belongs to (not always _msdcs)
> >             cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " --kerberos=yes"
> >             #cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " " $2
> >             print cmd
> >             cmd | getline
> >             close(cmd)
> >         }
> >         if ($4 == "SRV") {
> >             if ($1 ~ /_msdcs/) {
> >                 zone = msdcs_zone
> >             } else {
> >                 zone = ad_zone
> >             }
> >             record = $1
> >             regexp = "." zone ".$"
> >             sub(regexp, "", record)
> >             # samba-tool expects SRV data as 'target port priority weight';
> >             # the nsupdate line carries priority weight port target in $5..$8
> >             cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' --kerberos=yes"
> >             #cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' " $2
> >             print cmd
> >             cmd | getline
> >             close(cmd)
> >         }
> >     }
> > }
> > ------------------------------------------------------------------
> >
> > This script does not take into account missing NS records as
> > samba_dnsupdate does not try to create them.
> >
> >
> > 2015-12-11 12:07 GMT+01:00 Rowland penny :
> >
> >> On 11/12/15 10:29, mathias dufresne wrote:
> >>
> >>> Hi Ole,
> >>>
> >>> Using internal DNS samba_dnsupdate does not work correctly, at least
> >>> not every time.
> >>>
> >>> Someone modified this samba_dnsupdate tool commenting this line:
> >>> os.unlink(tmpfile)
> >>> which should be line 413.
> >>>
> >>> Doing that he was able to get files generated by samba_dnsupdate to
> >>> use them as argument of nsupdate command (without -g switch and with
> >>> "allow dns updates = nonsecure" in smb.conf).
> >>>
> >>> I was not able to make that process work here but I did not try
> >>> hard. As this process was sent directly to me I share it.
> >>>
> >>> The process I use to generate all DNS records is to run
> >>> samba_dnsupdate --all-names --verbose and send output of that command
> >>> to attached awk script.
> >>> The awk script gets information from samba_dnsupdate for each record
> >>> and launches samba-tool to create the DNS record. This script is not
> >>> clever: it tries to create all mentioned DNS records, generating
> >>> warnings when a record already exists.
> >>>
> >>> You will have to modify this awk script as the BEGIN section contains
> >>> fake information related to AD domain:
> >>>
> >>> BEGIN {
> >>>     ad_zone = "YOUR.DOMAIN.TLD"
> >>>     msdcs_zone = "_msdcs." ad_zone
> >>>     dns_server = "YOUR-DC"
> >>> }
> >>>
> >>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain
> >>> configuration.
> >>>
> >>> The awk script uses kerberos authentication when running samba-tool so
> >>> you will need to generate a kerberos ticket for some AD admin before:
> >>> 1°) kinit administrator
> >>> 2°) samba_dnsupdate | awk -f dnsupdate.awk
> >>>
> >>> As it is not an issue to try to create an entry which already exists
> >>> you can run that script on each DC to assure yourself all entries are
> >>> correctly created on all DCs.
> >>>
> >>> Best regards,
> >>>
> >>> mathias dufresne
> >>>
> >>>
> >>>
> >> There is a flaw with your script!
> >>
> >>
> >>
> >> This mailing list strips off attachments, you are going to have to
> >> paste it into the post. :-)
> >>
> >> Rowland
> >>


From alanhughes at e2eservices.co.uk Fri Dec 11 14:54:52 2015
From: alanhughes at e2eservices.co.uk (Alan Hughes)
Date: Fri, 11 Dec 2015 14:54:52 +0000
Subject: [Samba] Samba-4 DNS issue
In-Reply-To:
References:
Message-ID:

OK, not certain what has happened but the additional entries seem to have
disappeared now.

Alan

-----Original message-----
From: L.P.H. van Belle
Sent: Fri 11-12-2015 14:07
Subject: Re: [Samba] Samba-4 DNS issue
To: samba at lists.samba.org;

It should not be needed to drop and recreate.

Try the following.
Delete the created records in the "wrong" zone(s)
Try to delete the "wrong" zone. ( ignore the error)
Restart bind
Restart samba.
Pray and check again.

Are the "empty" zones gone and are your dns records there again?
Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alan Hughes
> Sent: Friday 11 December 2015 14:00
> To: samba at lists.samba.org
> Subject: [Samba] Samba-4 DNS issue
>
> Folks
>
>
> I've managed (due to me being fat-fingered that morning) to get a DNS zone
> in a Samba-4 DNS setup screwed up.
>
>
> Basically I was trying to add a new A record to an internal domain
> "e2eservices.co.uk" using the MS administration tools (not the samba-tool
> CLI). However instead of adding the entry "styx" to the domain, I
> accidentally added "styx.e2eservices.co.uk"; this basically generated a
> child entry called "uk" under the "e2eservices.co.uk" zone that appears to
> replicate all entries that were originally in the zone (so for example I
> now have "styx.e2eservices.co.uk.e2eservices.co.uk",
> "foobar.e2eservices.co.uk.e2eservices.co.uk", etc.
>
>
> I'd rather like to clean this up by deleting all of the records under
> "e2eservices.co.uk.e2eservices.co.uk" (including the child entries rooted
> at "uk.e2eservices.co.uk") without deleting any records under
> "e2eservices.co.uk" but cannot work out how to do this. I guess if
> absolutely necessary I could drop the domain and recreate it, but I'd
> prefer not to do this if at all possible. Does anyone have any suggestions
> on how I can go about doing this?
>
>
> Thanks in advance
>
>
> Alan
>


From belle at bazuin.nl Fri Dec 11 14:58:52 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Fri, 11 Dec 2015 15:58:52 +0100
Subject: [Samba] Samba-4 DNS issue
In-Reply-To:
References:
Message-ID:

Hai,

I don't know also..
but this worked for me when I had this problem :-)

Ow and I forgot to mention, restart bind and samba on all your DC's

Greetz,

Louis


From: Alan Hughes [mailto:alanhughes at e2eservices.co.uk]
Sent: Friday 11 December 2015 15:55
To: samba at lists.samba.org; L.P.H. van Belle
Subject: RE: [Samba] Samba-4 DNS issue

OK, not certain what has happened but the additional entries seem to have
disappeared now.

Alan

-----Original message-----
From: L.P.H. van Belle
Sent: Fri 11-12-2015 14:07
Subject: Re: [Samba] Samba-4 DNS issue
To: samba at lists.samba.org;

It should not be needed to drop and recreate.

Try the following.
Delete the created records in the "wrong" zone(s)
Try to delete the "wrong" zone. ( ignore the error)
Restart bind
Restart samba.
Pray and check again.

Are the "empty" zones gone and are your dns records there again?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alan Hughes
> Sent: Friday 11 December 2015 14:00
> To: samba at lists.samba.org
> Subject: [Samba] Samba-4 DNS issue
>
> Folks
>
>
> I've managed (due to me being fat-fingered that morning) to get a DNS zone
> in a Samba-4 DNS setup screwed up.
>
>
> Basically I was trying to add a new A record to an internal domain
> "e2eservices.co.uk" using the MS administration tools (not the samba-tool
> CLI). However instead of adding the entry "styx" to the domain, I
> accidentally added "styx.e2eservices.co.uk"; this basically generated a
> child entry called "uk" under the "e2eservices.co.uk" zone that appears to
> replicate all entries that were originally in the zone (so for example I
> now have "styx.e2eservices.co.uk.e2eservices.co.uk",
> "foobar.e2eservices.co.uk.e2eservices.co.uk", etc.
>
>
> I'd rather like to clean this up by deleting all of the records under
> "e2eservices.co.uk.e2eservices.co.uk" (including the child entries rooted
> at "uk.e2eservices.co.uk") without deleting any records under
> "e2eservices.co.uk" but cannot work out how to do this. I guess if
> absolutely necessary I could drop the domain and recreate it, but I'd
> prefer not to do this if at all possible. Does anyone have any suggestions
> on how I can go about doing this?
>
>
> Thanks in advance
>
>
> Alan
>


From bthomas at cybernetics.com Fri Dec 11 15:41:06 2015
From: bthomas at cybernetics.com (Bob Thomas)
Date: Fri, 11 Dec 2015 10:41:06 -0500
Subject: [Samba] Create Domain Trust Help Samba-4.3.2
Message-ID: <566AEE92.80808@cybernetics.com>

First, Thank you all for this forum, as I am fairly new at both Ubuntu and
Samba I have found most of the answers to my issues here.

Now correct me if I am wrong but Samba 4.3.2 should be able to support
Domain Trusts. If so maybe you can help me, here is what I have:

NT4 Domain: adc.com (Holds our production servers and user accounts for
that domain)

Controller = enterprise.abc.com

Samba Domain: cy.abc.biz
Two Controllers both Ubuntu 14.04 with Samba 4.3.2 running well (I think):

Controllers = pdc.cy.abc.biz & sdc.cy.abc.biz

I can ping "enterprise" from both samba controllers and I can ping "pdc"
and "sdc" from enterprise.
The two problems I have are first I am unable to create an Inter-domain
Trust Account:

####
root at PDC:/etc# net rpc trustdom add ABC password -U bthomas
Enter bthomas's password:
Could not set trust account password: NT_STATUS_ACCESS_DENIED
###

and second with samba-tool I get:

#####
root at PDC:~# samba-tool domain trust create ABC -U bthomas
LocalDomain Netbios[CY] DNS[cy.abc.biz] SID[S-1-5-21-3303530046-412607057-2209094731]
ERROR: Failed to find a writeable DC for domain 'ABC'
#####

Here is my smb.conf file:

# Global parameters
[global]
        workgroup = CY
        realm = CY.ABC.BIZ
        server role = active directory domain controller
        security = USER
        passdb backend = samba_dsdb
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        winbind nss info = rfc2307
        allow dns updates = nonsecure and secure
        dns forwarder = 10.157.1.178
        server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap config cy:range = 10000-29999
        idmap config cy:schema_mode = rfc2307
        idmap config cy:backend = ad
        idmap config *:range = 5000-9999
        kccsrv:samba_kcc = false
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr


[netlogon]
        path = /var/lib/samba/sysvol/cy.abc.biz/scripts
        read only = No


[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

##

My ultimate goal is to move totally off the NT Domain and onto the
Samba-AD-DC but I need the trust established first so I can go step by
step moving 18 production servers one at a time so it can be tested. I
feel it would be too risky to move everything at once.
Any help to get me going in the right direction would be greatly appreciated.

Bob Thomas


From rpenny at samba.org Fri Dec 11 16:33:17 2015
From: rpenny at samba.org (Rowland penny)
Date: Fri, 11 Dec 2015 16:33:17 +0000
Subject: [Samba] Create Domain Trust Help Samba-4.3.2
In-Reply-To: <566AEE92.80808@cybernetics.com>
References: <566AEE92.80808@cybernetics.com>
Message-ID: <566AFACD.3060105@samba.org>

On 11/12/15 15:41, Bob Thomas wrote:
> First, Thank you all for this forum, as I am fairly new at both Ubuntu
> and Samba I have found most of the answers to my issues here.
>
> Now correct me if I am wrong but Samba 4.3.2 should be able to support
> Domain Trusts. If so maybe you can help me, here is what I have:
>
> NT4 Domain: adc.com (Holds our production servers and user accounts
> for that domain)
>
> Controller = enterprise.abc.com
>
> Samba Domain: cy.abc.biz
> Two Controllers both Ubuntu 14.04 with Samba 4.3.2 running well (I
> think):
>
> Controllers = pdc.cy.abc.biz & sdc.cy.abc.biz
>
> I can ping "enterprise" from both samba controllers and I can ping
> "pdc" and "sdc" from enterprise.
>
> The two problems I have are first I am unable to create an
> Inter-domain Trust Account:
>
> ####
> root at PDC:/etc# net rpc trustdom add ABC password -U bthomas
> Enter bthomas's password:
> Could not set trust account password: NT_STATUS_ACCESS_DENIED
> ###
>
> and second with samba-tool I get:
>
> #####
> root at PDC:~# samba-tool domain trust create ABC -U bthomas
> LocalDomain Netbios[CY] DNS[cy.abc.biz]
> SID[S-1-5-21-3303530046-412607057-2209094731]
> ERROR: Failed to find a writeable DC for domain 'ABC'
> #####
>
> Here is my smb.conf file:
>
> # Global parameters
> [global]
>         workgroup = CY
>         realm = CY.ABC.BIZ
>         server role = active directory domain controller
>         security = USER
>         passdb backend = samba_dsdb
>         os level = 65
>         preferred master = Yes
>         domain master = Yes
>         wins support = Yes
>         winbind nss info = rfc2307
>         allow dns updates = nonsecure and secure
>         dns forwarder = 10.157.1.178
>         server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap,
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         rpc_server:tcpip = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         winbindd:use external pipes = true
>         idmap config cy:range = 10000-29999
>         idmap config cy:schema_mode = rfc2307
>         idmap config cy:backend = ad
>         idmap config *:range = 5000-9999
>         kccsrv:samba_kcc = false
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : backend = tdb
>         map archive = No
>         map readonly = no
>         store dos attributes = Yes
>         vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
>         path = /var/lib/samba/sysvol/cy.abc.biz/scripts
>         read only = No
>
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> ##
>
> My ultimate goal is to move totally off the NT Domain and onto the
> Samba-AD-DC but I need the trust established first so I can go step by
> step moving 18 production servers one at a time so it can be tested.
> I feel it would be too risky to move everything at once.
>
> Any help to get me going in the right direction would be greatly
> appreciated.
>
> Bob Thomas
>

I think you are going about this the wrong way, you are trying to create a
new AD domain and then set up trusts between your old NT4 domain and your
new AD domain, correct?

I think you should be going down the classic-upgrade path instead i.e.
upgrade your original domain to an AD one. I take it all your users are in
the NT domain, if so and their computers see the new AD, they *will* not go
back to the original NT P/BDC, without a complete re-install.

See here for info about the classic-upgrade:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29

Also, quite a lot of what you have added to your DC's smb.conf shouldn't be
there, I would suggest that you put it back to what it was after the
provision.

I hope you are doing this in a test environment.

Rowland


From gimili17 at gmail.com Fri Dec 11 16:52:28 2015
From: gimili17 at gmail.com (gimili)
Date: Fri, 11 Dec 2015 11:52:28 -0500
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
Message-ID: <566AFF4C.5000606@gmail.com>

I followed the instructions here:
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

Everything works fine except when I reboot I have to restart samba, or I
added a pause and then restart to /etc/rc.local, otherwise the windows
machines can't authenticate.

I googled this problem but have not been able to figure out the solution.

My OS is debian Jessie.

Many thanks for any help/advice.
--
gimili


From rpenny at samba.org Fri Dec 11 17:27:49 2015
From: rpenny at samba.org (Rowland penny)
Date: Fri, 11 Dec 2015 17:27:49 +0000
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To: <566AFF4C.5000606@gmail.com>
References: <566AFF4C.5000606@gmail.com>
Message-ID: <566B0795.5090401@samba.org>

On 11/12/15 16:52, gimili wrote:
> I followed the instructions here:
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>
> Everything works fine except when I reboot I have to restart samba, or
> I added a pause and then restart to /etc/rc.local, otherwise the
> windows machines can't authenticate.
>
> I googled this problem but have not been able to figure out the solution.
>
> My OS is debian Jessie.
>
> Many thanks for any help/advice.
>

OK, I understand that you followed the wiki and you are using debian
jessie, but just how did you install Samba, from distro packages or
Sernet, or self compiled ?

Rowland


From abartlet at samba.org Fri Dec 11 19:08:13 2015
From: abartlet at samba.org (Andrew Bartlett)
Date: Sat, 12 Dec 2015 08:08:13 +1300
Subject: [Samba] Fix for Windows 8.1 RSAT error when creating users
In-Reply-To: <5669E7CF.8050102@shragmir.com>
References: <5669E7CF.8050102@shragmir.com>
Message-ID: <1449860893.15594.133.camel@samba.org>

On Thu, 2015-12-10 at 15:59 -0500, Daniel Menes wrote:
> I created a new Samba4 AD DC, and attempted to add users and groups
> from a Windows 8.1 computer using the Remote Server Administration Tools.
> While I was able to create groups just fine, attempting to create a
> user failed with the message "An Error Occurred. Contact your System
> Administrator."
>
> A quick Google shows that others on this list have had this and
> similar problems, but I was unable to find a satisfactory solution here.
> I thought you might be interested in what worked for me.

Samba 4.2 should fix this for you.

If that doesn't, then remove the pointer to the preferred backupkey (so we
regenerate one correctly with a 2048 bit key), per the ldbdel suggestion
here:

https://lists.samba.org/archive/samba/2014-November/187205.html

> According to Microsoft, there is a known issue with a Windows Update
> which may appear as KB3000850 or KB2992611. Others have suggested
> removing this update, which may or may not be practical. However if
> you look at http://support.microsoft.com/en-us/kb/3000850 in the "Known
> issues in this update" gives a registry hack fix.
>
> In regedit, under the key "
> HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\
> df9d8cd0-1501-11d1-8c7a-00c04fc297eb",
> create a DWORD entry with name "ProtectionPolicy" and value "1".
>
> After a reboot, this fixed the problem for me.
>
> --Dan Menes

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


From vigneshdhanraj.g at gmail.com Sat Dec 12 08:53:05 2015
From: vigneshdhanraj.g at gmail.com (VigneshDhanraj G)
Date: Sat, 12 Dec 2015 14:23:05 +0530
Subject: [Samba] Pam-logon failure for AD users
In-Reply-To: <566941C5.7000701@samba.org>
References: <5638B13D.8000108@gmail.com> <566941C5.7000701@samba.org>
Message-ID:

Sorry for the late response Rowland,

I didn't change the smb.conf; with the same smb.conf, I configured a new AD
that works fine. Do you need to change the smb.conf? Could you please tell
me what I need to change specifically. And I also suspect that the problem
is with my AD server. But I am not able to find the exact problem. The
confusion is: FTP works with the same PAM working fine but CIFS always
shows access denied. If the password is wrong it shows Wrong password.

Regards,

Vigneshdhanraj G

On Thu, Dec 10, 2015 at 2:41 PM, Rowland penny wrote:

> On 10/12/15 07:49, VigneshDhanraj G wrote:
>
>> Hi,
>>
>> This issue not solved, ftp and cifs using same way of authentication.
>> but when trying to access cifs it always shows the same ACCESS_DENIED error.
>>
>> Regards,
>>
>> Vigneshdhanraj G
>>
>>
>> On Tue, Nov 3, 2015 at 6:36 PM, Rowland Penny <
>> rowlandpenny241155 at gmail.com> wrote:
>>
>>> On 03/11/15 12:25, VigneshDhanraj G wrote:
>>>
>>>> Hi Team,
>>>>
>>>> when i am running this command i am getting the following error
>>>> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1"
>>>>
>>>> Enter DOMAIN\testusr1's password:
>>>> plaintext password authentication failed
>>>> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
>>>> error message was: Access denied
>>>> pam_logon failed for DOMAIN\testusr1
>>>>
>>>> FTP and Cifs uses pam. Ftp authentication using domain working fine.
>>>> But, Cifs showing ACCESS_DENIED error.
>>>>
>>>> Samba version : 4.1.17
>>>>
>>>> In winbindd.log i could see
>>>> [2015/11/03 11:59:46.377088, 10, pid=435, effective(0, 0), real(0, 0),
>>>> class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
>>>> wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED
>>>>
>>>> My smb.conf is
>>>>
>>>> available= yes
>>>> restrict anonymous= 0
>>>> server string= LenovoEMC™ px6-300d
>>>> Workgroup= DOMAIN
>>>> netbios name= Debian
>>>> realm= DOMAIN.LOCAL
>>>> password server= 192.168.1.100, *
>>>> idmap backend= tdb
>>>> idmap uid= 5000-9999999
>>>> idmap gid= 5000-9999999
>>>> security= ADS
>>>> name resolve order= wins host bcast lmhosts
>>>> client use spnego= yes
>>>> dns proxy= no
>>>> winbind use default domain= no
>>>> winbind nested groups= yes
>>>> inherit acls= yes
>>>> winbind enum users= yes
>>>> winbind enum groups= yes
>>>> winbind separator= \\
>>>> winbind cache time= 300
>>>> winbind offline logon= true
>>>> template shell= /bin/sh
>>>> map to guest= Bad User
>>>> host msdfs= yes
>>>> strict allocate= yes
>>>> encrypt passwords= yes
>>>> passdb backend= smbpasswd
>>>> printcap name= lpstat
>>>> printable= no
>>>> load printers= yes
>>>> max smbd processes= 500
>>>> getwd cache= yes
>>>> syslog= 0
>>>> use sendfile= yes
>>>> log level= 0
>>>> max log size= 50
>>>> unix extensions= no
>>>> dos charset= ascii
>>>> state directory= /mnt/system/samba/system
>>>>
>>>>
>>>> Windows client from which i am trying to access cifs is also connected
>>>> to the domain.
>>>>
>>>>
>>>> Could anybody help me regarding this issue. Ftp and cifs both uses samba
>>>> authentication but cifs authentication alone showing authentication
>>>> error.
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Vigneshdhanraj G
>>>>
>>> You seem to be connecting to an AD domain, it might help if you setup
>>> your smb.conf a bit differently, I would have a look here:
>>>
>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>
>>> adjust your smb.conf with reference to the above page and then follow the
>>> various links.
>>>
>>> Rowland
>>>
> Please post your new smb.conf
>
>
> Rowland
>


From rpenny at samba.org Sat Dec 12 09:35:21 2015
From: rpenny at samba.org (Rowland penny)
Date: Sat, 12 Dec 2015 09:35:21 +0000
Subject: [Samba] Pam-logon failure for AD users
In-Reply-To:
References: <5638B13D.8000108@gmail.com> <566941C5.7000701@samba.org>
Message-ID: <566BEA59.4050402@samba.org>

On 12/12/15 08:53, VigneshDhanraj G wrote:
> Sorry for the late response Rowland,
>
> I didn't change the smb.conf; with the same smb.conf, I configured a new
> AD that works fine. Do you need to change the smb.conf? Could you
> please tell me what I need to change specifically. And I also suspect
> that the problem is with my AD server.
> But i am not able to find the exact problem, The confusion is Ftp works with same pam working fine but cifs always shows access denied. if password is wrong it shows Wrong password.
>
> Regards,
>
> Vigneshdhanraj G
>
> On Thu, Dec 10, 2015 at 2:41 PM, Rowland penny wrote:
>
> On 10/12/15 07:49, VigneshDhanraj G wrote:
>
> Hi,
>
> This issue not solved, ftp and cifs using same way of authentication. but when trying to access cifs it always shows the same ACCESS_DENIED error.
>
> Regards,
>
> Vigneshdhanraj G
>
>
> On Tue, Nov 3, 2015 at 6:36 PM, Rowland Penny wrote:
>
> On 03/11/15 12:25, VigneshDhanraj G wrote:
>
> Hi Team,
>
> when i am running this command i am getting the following error
> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1"
>
> Enter DOMAIN\testusr1's password:
> plaintext password authentication failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> error message was: Access denied
> pam_logon failed for DOMAIN\testusr1
>
> FTP and Cifs use pam. Ftp authentication using domain working fine. But, Cifs showing ACCESS_DENIED error.
>
> Samba version : 4.1.17
>
> In winbindd.log i could see
> [2015/11/03 11:59:46.377088, 10, pid=435, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
> wb_request_done[559:PAM_AUTH_CRAP]: NT_STATUS_ACCESS_DENIED
>
> My smb.conf is
>
> available= yes
> restrict anonymous= 0
> server string= LenovoEMC™ px6-300d
> Workgroup= DOMAIN
> netbios name= Debian
> realm= DOMAIN.LOCAL
> password server= 192.168.1.100, *
> idmap backend= tdb
> idmap uid= 5000-9999999
> idmap gid= 5000-9999999
> security= ADS
> name resolve order= wins host bcast lmhosts
> client use spnego= yes
> dns proxy= no
> winbind use default domain= no
> winbind nested groups= yes
> inherit acls= yes
> winbind enum users= yes
> winbind enum groups= yes
> winbind separator= \\
> winbind cache time= 300
> winbind offline logon= true
> template shell= /bin/sh
> map to guest= Bad User
> host msdfs= yes
> strict allocate= yes
> encrypt passwords= yes
> passdb backend= smbpasswd
> printcap name= lpstat
> printable= no
> load printers= yes
> max smbd processes= 500
> getwd cache= yes
> syslog= 0
> use sendfile= yes
> log level= 0
> max log size= 50
> unix extensions= no
> dos charset= ascii
> state directory= /mnt/system/samba/system
>
>
> Windows client from which i am trying to access cifs is also connected to the domain.
>
>

Let's be honest, your original smb.conf was a mess, it uses a lot of default settings and a lot of settings that really shouldn't be there, this is what it really should have looked like:

[global]
Workgroup= DOMAIN
security= ADS
realm= DOMAIN.LOCAL
netbios name= Debian
server string= LenovoEMC™ px6-300d
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-4999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 5000-9999999
winbind nss info = template
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
winbind offline logon= true
dns proxy= no
template shell= /bin/sh
map to guest= Bad User
strict allocate= yes # really meant to be used in a share
printcap name = lpstat
max smbd processes= 500
syslog= 0
max log size= 50
use sendfile= yes
unix extensions= no
state directory= /mnt/system/samba/system # why are you moving this to what I presume is a share on another system?????
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes

The 'tabbed' lines are yours, the others are what I would add.

Rowland


From gimili17 at gmail.com Sat Dec 12 15:04:48 2015
From: gimili17 at gmail.com (Gimili)
Date: Sat, 12 Dec 2015 10:04:48 -0500
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To: <566B0795.5090401@samba.org>
References: <566AFF4C.5000606@gmail.com> <566B0795.5090401@samba.org>
Message-ID:

> On Dec 11, 2015, at 12:27 PM, Rowland penny wrote:
>
>> On 11/12/15 16:52, gimili wrote:
>> I followed the instructions here: https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller.'
>>
>> Everything works fine except when I reboot I have to restart samba or I added a pause and then restart to /etc/rc.local otherwise the windows machines can't authenticate.
>>
>> I googled this problem but have not been able to figure out the solution.
>>
>> My OS is debian Jessie.
>>
>> Many thanks for any help/advice.
>>
>
> OK, I understand that you followed the wiki and you are using debian jessie, but just how did you install Samba, from distro packages or Sernet, or self compiled ?
>
> Rowland

From the distro packages.


From rpenny at samba.org Sat Dec 12 16:19:55 2015
From: rpenny at samba.org (Rowland penny)
Date: Sat, 12 Dec 2015 16:19:55 +0000
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To:
References: <566AFF4C.5000606@gmail.com> <566B0795.5090401@samba.org>
Message-ID: <566C492B.6070205@samba.org>

On 12/12/15 15:04, Gimili wrote:
>
>> On Dec 11, 2015, at 12:27 PM, Rowland penny wrote:
>>
>>> On 11/12/15 16:52, gimili wrote:
>>> I followed the instructions here: https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller.'
>>>
>>> Everything works fine except when I reboot I have to restart samba or I added a pause and then restart to /etc/rc.local otherwise the windows machines can't authenticate.
>>>
>>> I googled this problem but have not been able to figure out the solution.
>>>
>>> My OS is debian Jessie.
>>>
>>> Many thanks for any help/advice.
>>>
>> OK, I understand that you followed the wiki and you are using debian jessie, but just how did you install Samba, from distro packages or Sernet, or self compiled ?
>>
>> Rowland
> From the distro packages.

OK, this means that you are running 4.1.17 and I think this is what is happening:

When you install the samba package on jessie it installs the following files in /etc/init.d

nmbd
samba
samba-ad-dc
smbd

It then runs 'update-rc.d xxxx defaults' and 'invoke-rc.d xxxx start' where 'xxxx' is one of the filenames above, it does this for all the 4 files.

You then set up Samba as an active directory controller and so you only need the 'samba-ad-dc' init file, this will start smbd.
You do not need the others, but they will still try to start at boot, so what I suggest you do (and what I did) is to remove the ones you do not need.

update-rc.d -f nmbd remove
update-rc.d -f smbd remove
update-rc.d -f samba remove

You should check if the winbind package is installed, if it is, you should also stop this being started at boot.

Reboot the DC, it should now just start the samba daemon via /etc/init.d/samba-ad-dc, this will then start smbd.

Hopefully this should fix your problem, if it does, you can then remove the unwanted init files:

rm -f /etc/init.d/nmbd
rm -f /etc/init.d/smbd
rm -f /etc/init.d/samba

Note, if you do this, you do it at your risk, it shouldn't damage anything (well it didn't for me), you should also backup everything just in case.

Rowland


From jonathan at springventuregroup.com Sat Dec 12 16:25:26 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Sat, 12 Dec 2015 10:25:26 -0600
Subject: [Samba] Nested Group control doesn't work
Message-ID:

Hey guys,

We can perform this LDAP query against Windows Server 2012 no problem, but against samba it's failing:

(&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=graylog_users,OU=Applications,OU=Groups,DC=ad,DC=corp,DC=xxx,DC=com))

Is that "nested group" tree control (memberOf:1.2.840.113556.1.4.1941:) supported? If not, is there a better way to design this ldap search so it supports nested groups?

--
Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties.
If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer.


From jonathan at springventuregroup.com Sat Dec 12 16:26:05 2015
From: jonathan at springventuregroup.com (Jonathan S. Fisher)
Date: Sat, 12 Dec 2015 10:26:05 -0600
Subject: [Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
In-Reply-To:
References: <566158BC.4020405@samba.org> <56615B07.4030204@tao.at> <56615E06.2030805@samba.org>
Message-ID:

FYI, we never got this working. Oddly enough, when we used Zentyal to join, it works just fine. Some mysteries....

On Wed, Dec 9, 2015 at 1:03 PM, Jonathan S. Fisher <jonathan at springventuregroup.com> wrote:

> Here's a random question... would it matter if our domain has trust relationships setup?
>
> *Jonathan S. Fisher*
> *VP - Information Technology*
> *Spring Venture Group*
>
> On Wed, Dec 9, 2015 at 9:34 AM, mathias dufresne wrote:
>
>> Hi Jonathan,
>>
>> You wrote:
>> domain windows.corp.springventuregroup.com
>> search windows.corp.*pringventuregroupcom*
>> nameserver 192.168.127.131
>> nameserver 192.168.112.4
>>
>> Is this a typo error when copying the content or is it a content error in your resolv.conf?
>>
>> If you really have that "search" line in your resolv.conf it would be logical that restarting Samba services you get the error "unable to resolve host freeradius" as it will be extended in:
>> freeradius.windows.corp.pringventuregroupcom
>> rather than:
>> freeradius.windows.corp.springventuregroup.com
>>
>> If this is not a typo error I would check the "resolvconf" configuration or remove the use of that tool (temporarily or not) on that box.
>>
>> If this is not a typo, I'm puzzled...
>>
>> Hoping for you to get a solution,
>>
>> mathias
>>
>> 2015-12-07 19:04 GMT+01:00 Jonathan S.
>> Fisher <jonathan at springventuregroup.com>:
>>
>>> Hey Rowland, be kind and avoid passive aggressive comments. I'm just looking to try and get this to work, thanks. If I knew everything already, I wouldn't be here asking questions and trying to solve my own problem. I appreciate your help so far, but if you don't have anything nice to say, please just ignore this thread.
>>>
>>> So:
>>> jonathan.fisher at freeradius:~$ sudo hostname -y
>>> hostname: Local domain name not set
>>> jonathan.fisher at freeradius:~$ sudo hostname -d
>>> windows.corp.springventuregroup.com
>>> jonathan.fisher at freeradius:~$ sudo hostname -f
>>> freeradius.windows.corp.springventuregroup.com
>>>
>>> Unfortunately, since this box is an LXC container, I can't run the sysctl command:
>>> jonathan.fisher at freeradius:~$ sysctl -w kernel.domainname="windows.corp.XXX.com"
>>> sysctl: permission denied on key 'kernel.domainname'
>>>
>>> We're good here:
>>> jonathan.fisher at freeradius:~$ cat /etc/hostname
>>> freeradiusjonathan.fisher at freeradius:~$
>>>
>>> So I added
>>> dns proxy = true
>>>
>>> No dice, same output as before.
>>>
>>> Made this change:
>>> jonathan.fisher at freeradius:~$ cat /etc/resolv.conf
>>> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
>>> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
>>> domain windows.corp.springventuregroup.com
>>> search windows.corp.pringventuregroupcom
>>> nameserver 192.168.127.131
>>> nameserver 192.168.112.4
>>>
>>> Also the same output, but this message popped up after restarting samba:
>>> jonathan.fisher at freeradius:~$ sudo service sernet-samba-winbindd restart && sudo service sernet-samba-nmbd restart && sudo service sernet-samba-smbd restart
>>> sudo: unable to resolve host freeradius
>>> Shutting down SAMBA winbindd : *
>>> Starting SAMBA winbindd : *
>>> sudo: unable to resolve host freeradius
>>> Shutting down SAMBA nmbd : *
>>> Starting SAMBA nmbd : *
>>> sudo: unable to resolve host freeradius
>>> Shutting down SAMBA smbd : *
>>> Starting SAMBA smbd : *
>>>
>>> No idea if that's relevant...
>>>
>>> So I undid the resolv.conf change, and here's the output of testparm:
>>>
>>> jonathan.fisher at freeradius:~$ testparm -v | grep net
>>> Load smb config files from /etc/samba/smb.conf
>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>> Loaded services file OK.
>>> Server role: ROLE_DOMAIN_MEMBER
>>>
>>> Press enter to see a dump of your service definitions
>>>
>>> netbios name = FREERADIUS
>>> netbios aliases =
>>> netbios scope =
>>> disable netbios = No
>>> dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
>>>
>>> Sigh... thanks. I appreciate your patience and your help.
>>>
>>>
>>> On Fri, Dec 4, 2015 at 3:33 AM, Rowland penny wrote:
>>>
>>> > On 04/12/15 09:21, Sven Schwedas wrote:
>>> >
>>> >> On 2015-12-04 10:11, Rowland penny wrote:
>>> >>
>>> >>> I still think it is his weird dns setup, where he has a dnsmasq server replicating what the DCs know (or is supposed to). I think the sheer fact that he didn't know what lmhosts is, says a lot.
>>> >>>
>>> >> We're using such a setup in production without any problems. How about less wild blind guessing and user shaming, and more actual help?
>>> >>
>>> >>
>>> >>
>>> >>
>>> > Sven, you may be using a similar system, but it isn't recommended. The OP is having problems getting a Samba domain member working, I have tried to point him in the direction of a known working set up, once he has this working, what he does with it, is up to him. He may be able to use the dnsmasq server, I don't know, but if he has a working system and it stops working when he adds in the dnsmasq server, he will know where to look, won't he!
>>> >
>>> >
>>> > Rowland
>>> >
>>>
>>
>>
>


From dandbnews2 at talktalk.net Sat Dec 12 18:37:02 2015
From: dandbnews2 at talktalk.net (DavidA)
Date: Sat, 12 Dec 2015 18:37:02 -0000
Subject: [Samba] Windows 7 can't see Pi Samba server
Message-ID:

Hi

I have configured a Raspberry Pi (running Raspbian o/s) to act as a Samba server to share files with my home Windows workgroup. One of my Windows 7 laptops can see the share fine, but the other Windows 7 laptop refuses to see the Pi server at all. I have checked all the obvious things (Workgroup name, password etc) and don't know what else to do. I would welcome any suggestions. In case it helps, below is the active content of my smb.conf file.
Best regards

David

smb.conf:

[global]
usershare allow guests = yes
workgroup =
wins support = true
map to guest = bad user
dns proxy = no
passwd program = /usr/bin/passwd %u
panic action = /usr/share/samba/panic-action %d
max log size = 1000
os level = 20
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
log file = /var/log/samba/log.%m
passdb backend = tdbsam
pam password change = yes
server role = standalone server
obey pam restrictions = yes
syslog = 0
unix password sync = yes

[homes]
comment = Home Directories
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
valid users = %S

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

[Data]
path = /mnt/data
writeable = yes
public = yes


From rpenny at samba.org Sat Dec 12 19:15:02 2015
From: rpenny at samba.org (Rowland penny)
Date: Sat, 12 Dec 2015 19:15:02 +0000
Subject: [Samba] Windows 7 can't see Pi Samba server
In-Reply-To:
References:
Message-ID: <566C7236.7030000@samba.org>

On 12/12/15 18:37, DavidA wrote:
> Hi
>
> I have configured a Raspberry Pi (running Raspbian o/s) to act as a Samba server to share files with my home Windows workgroup. One of my Windows 7 laptops can see the share fine, but the other Windows 7 laptop refuses to see the Pi server at all. I have checked all the obvious things (Workgroup name, password etc) and don't know what else to do. I would welcome any suggestions. In case it helps, below is the active content of my smb.conf file.
>
> Best regards
>
> David
>
> smb.conf:
>
> [global]
> usershare allow guests = yes
> workgroup =
> wins support = true
> map to guest = bad user
> dns proxy = no
> passwd program = /usr/bin/passwd %u
> panic action = /usr/share/samba/panic-action %d
> max log size = 1000
> os level = 20
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> log file = /var/log/samba/log.%m
> passdb backend = tdbsam
> pam password change = yes
> server role = standalone server
> obey pam restrictions = yes
> syslog = 0
> unix password sync = yes
>
> [homes]
> comment = Home Directories
> browseable = no
> read only = yes
> create mask = 0700
> directory mask = 0700
> valid users = %S
>
> [printers]
> comment = All Printers
> browseable = no
> path = /var/spool/samba
> printable = yes
> guest ok = no
> read only = yes
> create mask = 0700
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
> browseable = yes
> read only = yes
> guest ok = no
>
> [Data]
> path = /mnt/data
> writeable = yes
> public = yes
>

Possibly a firewall problem, temporarily turn off the firewall on the win7 laptop that cannot see your rpi, if this works, you know where to look.

Rowland


From dandbnews2 at talktalk.net Sat Dec 12 20:55:10 2015
From: dandbnews2 at talktalk.net (DavidA)
Date: Sat, 12 Dec 2015 20:55:10 -0000
Subject: [Samba] Windows 7 can't see Pi Samba server
In-Reply-To: <566C7236.7030000@samba.org>
References: <566C7236.7030000@samba.org>
Message-ID:

Hi Rowland

> Possibly a firewall problem, temporarily turn off the firewall on the win7 laptop that cannot see your rpi, if this works, you know where to look.

Thanks for the suggestion. I disabled Kaspersky Internet Security Firewall and Windows Firewall but still can't see the rpi.
I can, however, see the other Windows laptops (with firewall on or off). Any other thoughts please?

David


From abartlet at samba.org Sun Dec 13 04:06:22 2015
From: abartlet at samba.org (Andrew Bartlett)
Date: Sun, 13 Dec 2015 17:06:22 +1300
Subject: [Samba] Nested Group control doesn't work
In-Reply-To:
References:
Message-ID: <1449979582.15594.150.camel@samba.org>

On Sat, 2015-12-12 at 10:25 -0600, Jonathan S. Fisher wrote:
> Hey guys,
>
> We can perform this LDAP query against Windows Server 2012 no problem, but against samba it's failing:
>
> (&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=graylog_users,OU=Applications,OU=Groups,DC=ad,DC=corp,DC=xxx,DC=com))
>
> Is that "nested group" tree control (memberOf:1.2.840.113556.1.4.1941:) supported? If not, is there a better way to design this ldap search so it supports nested groups?

No, it is not currently supported. It made it into Samba master, but was reverted due to a crash bug pointed out on:

https://bugzilla.samba.org/show_bug.cgi?id=10493

We hope to return it for 4.4.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba


From jorgito1412 at gmail.com Sun Dec 13 05:07:55 2015
From: jorgito1412 at gmail.com (George)
Date: Sun, 13 Dec 2015 02:07:55 -0300
Subject: [Samba] Winbindd on 4.2+ full functionality?
Message-ID:

Hi,

I recently upgraded from 4.1.17 to 4.3.1.

I thought that the winbindd daemon for AD included since 4.2 would allow proper and complete winbind operation as in member servers, but that doesn't seem to be the case.

In particular, I want consistent UIDs on DCs for files created within Windows (so I can avoid the "somehow keep idmap.ldb in sync between DCs" hell). I made several tests but winbindd on the DC doesn't seem to be honouring the idmap directives on smb.conf and still relies on the XIDs provided by idmap.ldb

Am I missing something?
Is this by design?

Best regards,
George


From jorgito1412 at gmail.com Sun Dec 13 05:31:06 2015
From: jorgito1412 at gmail.com (George)
Date: Sun, 13 Dec 2015 02:31:06 -0300
Subject: [Samba] FSMO commands not working on 4.3.1
Message-ID:

Hi guys!
I am currently running 4.3.1 on Debian Jessie (compiled from the experimental repo).

Pretty much everything seems to be working fine, but the FSMO functions:

---------
root at dc2:~# samba-tool fsmo show
ERROR(): uncaught exception - 'No such element'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 395, in run
    domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
    master_owner = res[0]["fSMORoleOwner"][0]
---------

Transferring or seizing the roles one by one, I can see that any operation involving the two "new" roles (domaindns and forestdns) is what actually breaks it.

I don't think this is an upstream bug (is it?) Any ideas?

Best regards,
George


From rpenny at samba.org Sun Dec 13 09:05:46 2015
From: rpenny at samba.org (Rowland penny)
Date: Sun, 13 Dec 2015 09:05:46 +0000
Subject: [Samba] Winbindd on 4.2+ full functionality?
In-Reply-To:
References:
Message-ID: <566D34EA.60302@samba.org>

On 13/12/15 05:07, George wrote:
> Hi,
>
> I recently upgraded from 4.1.17 to 4.3.1.
>
> I thought that the winbindd daemon for AD included since 4.2 would allow proper and complete winbind operation as in member servers, but that doesn't seem to be the case.
>
> In particular, I want consistent UIDs on DCs for files created within Windows (so I can avoid the "somehow keep idmap.ldb in sync between DCs" hell). I made several tests but winbindd on the DC doesn't seem to be honouring the idmap directives on smb.conf and still relies on the XIDs provided by idmap.ldb
>
> Am I missing something?
> Is this by design?
>
> Best regards,
> George

Yes, this is how it works at the moment, if you want your users & groups to have the same IDs everywhere, you will have to add uidNumber & gidNumber attributes to your users & groups. Adding the member server 'idmap config' lines to a DC smb.conf will have no effect.

Rowland


From rpenny at samba.org Sun Dec 13 09:08:07 2015
From: rpenny at samba.org (Rowland penny)
Date: Sun, 13 Dec 2015 09:08:07 +0000
Subject: [Samba] FSMO commands not working on 4.3.1
In-Reply-To:
References:
Message-ID: <566D3577.3080600@samba.org>

On 13/12/15 05:31, George wrote:
> Hi guys!
> I am currently running 4.3.1 on Debian Jessie (compiled from the experimental repo).
>
> Pretty much everything seems to be working fine, but the FSMO functions:
>
> ---------
> root at dc2:~# samba-tool fsmo show
> ERROR(): uncaught exception - 'No such element'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 395, in run
>     domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
>     master_owner = res[0]["fSMORoleOwner"][0]
> ---------
>
> Transferring or seizing the roles one by one, I can see that any operation involving the two "new" roles (domaindns and forestdns) is what actually breaks it.
>
> I don't think this is an upstream bug (is it?) Any ideas?
>
> Best regards,
> George

Are you using an admin user and password ?
Rowland


From dandbnews2 at talktalk.net Sun Dec 13 09:36:14 2015
From: dandbnews2 at talktalk.net (DavidA)
Date: Sun, 13 Dec 2015 09:36:14 -0000
Subject: [Samba] Windows 7 can't see Pi Samba server
In-Reply-To:
References: <566C7236.7030000@samba.org>
Message-ID: <8AE7A8AAD3BC416B951A72A863F15B56@DavidPC>

Hi

Here's some more info about my problem:

==========================================

log.nmbd contains:

Samba name server RPHS is now a local master browser for workgroup HOME on subnet 192.168.2.8

*****
[2015/12/12 20:48:19.709456, 0] ../source3/nmbd/nmbd_browsesync.c:354(find_domain_master_name_query_fail)
find_domain_master_name_query_fail: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME. Unable to sync browse lists in this workgroup.
[2015/12/12 20:48:28.490472, 0] ../source3/nmbd/nmbd_incomingdgrams.c:311(process_local_master_announce)
process_local_master_announce: Server BELSIE-PC at IP 192.168.2.5 is announcing itself as a local master browser for workgroup HOME and we think we are master. Forcing election.
[2015/12/12 20:48:28.491628, 0] ../source3/nmbd/nmbd_become_lmb.c:150(unbecome_local_master_success)
*****

Samba name server RPHS has stopped being a local master browser for workgroup HOME on subnet 192.168.2.8

==========================================

RPHS is the rpi. BELSIE-PC is the pc which does not show the rpi.

The Domain Master Browser seems to change frequently. Is this significant?

Best regards

David

-----Original Message-----
From: DavidA
Sent: Saturday, December 12, 2015 8:55 PM
To: Rowland penny ; samba at lists.samba.org
Subject: Re: [Samba] Windows 7 can't see Pi Samba server

Hi Rowland

> Possibly a firewall problem, temporarily turn off the firewall on the win7 laptop that cannot see your rpi, if this works, you know where to look.

Thanks for the suggestion. I disabled Kaspersky Internet Security Firewall and Windows Firewall but still can't see the rpi.
I can, however, see the other Windows laptops (with firewall on or off). Any other thoughts please?

David


From rpenny at samba.org Sun Dec 13 09:59:31 2015
From: rpenny at samba.org (Rowland penny)
Date: Sun, 13 Dec 2015 09:59:31 +0000
Subject: [Samba] Windows 7 can't see Pi Samba server
In-Reply-To: <8AE7A8AAD3BC416B951A72A863F15B56@DavidPC>
References: <566C7236.7030000@samba.org> <8AE7A8AAD3BC416B951A72A863F15B56@DavidPC>
Message-ID: <566D4183.5010803@samba.org>

On 13/12/15 09:36, DavidA wrote:
> Hi
>
> Here's some more info about my problem:
>
> ==========================================
>
> log.nmbd contains:
>
> Samba name server RPHS is now a local master browser for workgroup HOME on subnet 192.168.2.8
>
> *****
> [2015/12/12 20:48:19.709456, 0] ../source3/nmbd/nmbd_browsesync.c:354(find_domain_master_name_query_fail)
> find_domain_master_name_query_fail: Unable to find the Domain Master Browser name HOME<1b> for the workgroup HOME. Unable to sync browse lists in this workgroup.
> [2015/12/12 20:48:28.490472, 0] ../source3/nmbd/nmbd_incomingdgrams.c:311(process_local_master_announce)
> process_local_master_announce: Server BELSIE-PC at IP 192.168.2.5 is announcing itself as a local master browser for workgroup HOME and we think we are master. Forcing election.
> [2015/12/12 20:48:28.491628, 0] ../source3/nmbd/nmbd_become_lmb.c:150(unbecome_local_master_success)
> *****
>
> Samba name server RPHS has stopped being a local master browser for workgroup HOME on subnet 192.168.2.8
>
> ==========================================
>
>
> RPHS is the rpi. BELSIE-PC is the pc which does not show the rpi.
>
> The Domain Master Browser seems to change frequently. Is this significant?
>
> Best regards
>
> David
>

No, it isn't significant, the elections go on all the time.
As you can browse from one windows 7 client, but not from the other, this tends to suggest that the Samba machine is working correctly. You need to compare the two windows 7 machines, there must be a difference between them, I am fairly sure that this is a windows problem.

Rowland


From monyo at monyo.com Sun Dec 13 11:41:15 2015
From: monyo at monyo.com (TAKAHASHI Motonobu)
Date: Sun, 13 Dec 2015 20:41:15 +0900 (JST)
Subject: [Samba] Naming Conventions
In-Reply-To: <1441E464-FE22-47D5-B64A-D3EA9C91332B@digitaltransitions.ca>
References: <1441E464-FE22-47D5-B64A-D3EA9C91332B@digitaltransitions.ca>
Message-ID: <20151213.204115.1568838937885775372.monyo@monyo.com>

From: David Thompson
Date: Wed, 9 Dec 2015 10:30:54 -0500
> I have looked but cannot find if there is a way on a file share to control the naming convention of files.
>
> I’d like if possible for a SAMBA file share to throw up an error if an end user tries to name any of their Word / Excel based files (or any files for that matter) with any of the following:
>
> Tilde
> Number sign
> Percent
> Ampersand
> Asterisk
> Braces
> Backslash
> Colon
> Angle brackets
> Question mark
> Slash
> Pipe
> Quotation mark

Can you try with "veto files"? You can specify chars that cannot be included in your filenames.

---
TAKAHASHI Motonobu / @damemonyo
facebook.com/takahashi.motonobu


From viktor at troja.ch Mon Dec 14 02:15:21 2015
From: viktor at troja.ch (Viktor Trojanovic)
Date: Mon, 14 Dec 2015 03:15:21 +0100
Subject: [Samba] Permission question (AD)
Message-ID:

I'm using the AD ID mapping, so I manually give all my users and groups their respective uidNumbers and gidNumbers.

I created a group of the type "security" with the scope "global" and added some users to it, then I gave full control permission to said group to certain files on a member server.

However, the members from this group still can only read those files.
Which is weird, since if I check the effective permissions from within Windows, it is being confirmed that there should be full control. So, windows believes that I should have full permission but it's not true.

So there must be something weird going on the Linux side, and I'm a bit lost right now.

First of all, I gave this particular group the gidNumber 10004, but when I type "getent group groupname" on the DC, I get some high number such as 3000049. The same happens for "domain admins" while "domain users" shows the correct gidNumber.

I might know the reason for this: I created the former two groups a while ago without giving them an ID - I did so only later, when I noticed that I forgot to give them an ID. Is this problematic? I didn't notice any problems with the domain admins group, though there's only one Admin. But the other group is clearly showing this issue. What can I do to solve this?

Secondly, does it matter that "getent passwd username" will return just the domain users group in the group field, but not the additional group the user is part of?

Should I maybe just delete the group, then recreate it and give it the correct attributes from the start? What kind of impact will this have on the shares where the deleted group had permissions, will those be automatically deleted too and, if not, is it necessary to first remove all permissions this group has?

Any good advice appreciated.


From rpenny at samba.org Mon Dec 14 09:27:46 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 14 Dec 2015 09:27:46 +0000
Subject: [Samba] Permission question (AD)
In-Reply-To:
References:
Message-ID: <566E8B92.3090800@samba.org>

On 14/12/15 02:15, Viktor Trojanovic wrote:
> I'm using the AD ID mapping, so I manually give all my users and groups their respective uidNumbers and gidNumbers.
> > I created a group of the type "security" with the scope "global" and > added some users to it, then I gave full control permission to said > group to certain files on a member server. > > However, the members from this group still can only read those files. > Which is weird, since if I check the effective permissions from within > Windows, it is being confirmed that there should be full control. So, > windows believes that I should have full permission but it's not true. > > So there must be something weird going on the Linux side, and I'm a > bit lost right now. > > First of all, I gave this particular group the gidNumber 10004, but > when I type "getent group groupname" on the DC, I get some high number > such as 3000049. The same happens for "domain admins" while "domain > users" shows the correct gidNumber. Is this on a DC ? > > I might know the reason for this: I created the former two groups a > while ago without giving them an ID - I did so only later, when I > noticed that I forgot to give them an ID. Is this problematic? I > didn't notice any problems with the domain admins group, though > there's only one Admin. But the other group is clearly showing this > issue. What can I do to solve this? What do you mean by 'I created the former two groups a while ago' , the two groups should already exist in AD. > > Secondly, does it matter that "getent passwd username" will return > just the domain users group in the group field, but not the additional > group the user is part of? No, winbind returns the users primary group and this is always Domain Users, unless you change it, not that I recommend doing this. > > Should I maybe just delete the group, then recreate it and give it the > correct attributes from the start? What kind of impact will this have > on the shares where the deleted group had permissions, will those be > automatically deleted too and, if not, is it necessary to first remove > all permissions this group has? 
What group are you suggesting deleting ? If Domain Users/Admins, then don't, if it is a group you created (and no you didn't create domain users) then it probably won't help.

Can you post a bit more info, What OS, your smb.conf etc.

Rowland

> Any good advice appreciated.

From bthomas at cybernetics.com Mon Dec 14 15:36:43 2015
From: bthomas at cybernetics.com (Bob Thomas)
Date: Mon, 14 Dec 2015 10:36:43 -0500
Subject: [Samba] Create Domain Trust Help Samba-4.3.2
Message-ID: <566EE20B.6080906@cybernetics.com>

On 11/12/15 15:41, Bob Thomas wrote:
> First, Thank you all for this forum, as I am fairly new at both Ubuntu
> and Samba I have found most of the answers to my issues here.
>
> Now correct me if I am wrong but Samba 4.3.2 should be able to support
> Domain Trusts. If so maybe you can help me, here is what I have:
>
> NT4 Domain: adc.com (Holds our production servers and user accounts
> for that domain)
>
> Controller = enterprise.abc.com
>
> Samba Domain: cy.abc.biz
> Two Controllers both Ubuntu 14.04 with Samba 4.3.2 running well (I
> think):
>
> Controllers = pdc.cy.abc.biz & sdc.cy.abc.biz
>
> I can ping "enterprise" from both samba controllers and I can ping
> "pdc" and "sdc" from enterprise.
>
> The two problems I have are first I am unable to create an
> Inter-domain Trust Account:
>
> ####
> root at PDC :/etc# net rpc trustdom add ABC password -U bthomas
> Enter bthomas's password:
> Could not set trust account password: NT_STATUS_ACCESS_DENIED
> ###
>
> and second with samba-tool I get:
>
> #####
> root at PDC :~# samba-tool domain trust create ABC -U bthomas
> LocalDomain Netbios[CY] DNS[cy.abc.biz]
> SID[S-1-5-21-3303530046-412607057-2209094731]
> ERROR: Failed to find a writeable DC for domain 'ABC'
> #####
>
> Here is my smb.conf file:
>
> # Global parameters
> [global]
> workgroup = CY
> realm = CY.ABC.BIZ
> server role = active directory domain controller
> security = USER
> passdb backend = samba_dsdb
> os level = 65
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> winbind nss info = rfc2307
> allow dns updates = nonsecure and secure
> dns forwarder = 10.157.1.178
> server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap,
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap config cy:range = 10000-29999
> idmap config cy:schema_mode = rfc2307
> idmap config cy:backend = ad
> idmap config *:range = 5000-9999
> kccsrv:samba_kcc = false
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = No
> map readonly = no
> store dos attributes = Yes
> vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
> path = /var/lib/samba/sysvol/cy.abc.biz/scripts
> read only = No
>
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> ##
>
> My ultimate goal is to move totally off the NT Domain and onto the
> Samba-AD-DC but I need the trust established first so I can go step by
> test moving 18 production servers one at a time so it can be tested.
> I feel it would be too risky to move everything at once.
>
> Any help to get me going in the right direction would be greatly
> appreciated.
>
> Bob Thomas
>

I think you are going about this the wrong way, you are trying to create a new AD domain and then set up trusts between your old NT4 domain and your new AD domain, correct?

I think you should be going down the classic-upgrade path instead i.e. upgrade your original domain to an AD one. I take it all your users are in the NT domain, if so and their computers see the new AD, they *will* not go back to the original NT P/BDC, without a complete re-install.

See here for info about the classic-upgrade:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29

Also, quite a lot of what you have added to your DCs smb.conf shouldn't be there, I would suggest that you put it back to what it was after the provision.

I hope you are doing this in a test environment.

Rowland

___________

Rowland,

Thank You for the quick response. I am not sure how to post added info or answers here, I tried twice posting a reply at http://www.eenyhelp.com Friday on the subject and verified it. I got the notice that the update would be posted in about an hour but -- nothing. I tried again this morning and still nothing. Is that the correct place to post updates?

As for my Issue, You are correct, I am trying to create a new AD domain and then set up trusts between your old NT4 domain and your new AD domain.

I have looked into the classic-upgrade but not sure it will work for me because my old domain is a MS NT4 domain not Samba. Not to mention, the accounts have been neglected for years and I really don't want to transfer the mess into AD.
As for my smb.conf, my mistake - I posted the output of testparm and not the actual config which is below, If you have any recommended changes please advise:

[global]
workgroup = CY
realm = CY.ABC.BIZ
netbios name = SDC
server role = active directory domain controller
server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
allow dns updates = nonsecure
dns forwarder = 10.157.1.178

security = user

kccsrv:samba_kcc = false

wins support = true

idmap config *:backend = tdb
idmap config *:range = 5000-9999
idmap config CY:backend = ad
idmap config CY:schema_mode = rfc2307
idmap config CY:range = 10000-29999

# Use home directory and shell information from AD
winbind nss info = rfc2307

[netlogon]
path = /var/lib/samba/sysvol/cy.abc.biz/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

As for the test environment, I have been testing for over two months with the Ubuntu repository Samba version 4.1.6, but just recently upgraded to 4.3.2 hoping I could get the trust relationship working. The MS NT4 domain is our production domain and not sure I could duplicate it in a test environment. So I would like to gradually move Samba into production - Using the domain trust so I can test things as they are moved over.

So back to my original question, Is it possible to create the trust between Samba-AD 4.1.6 and a MS NT4 domain. If so how?

Thanks again,

Bob

From rpenny at samba.org Mon Dec 14 16:00:12 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 14 Dec 2015 16:00:12 +0000
Subject: [Samba] Create Domain Trust Help Samba-4.3.2
In-Reply-To: <566EE20B.6080906@cybernetics.com>
References: <566EE20B.6080906@cybernetics.com>
Message-ID: <566EE78C.2070801@samba.org>

On 14/12/15 15:36, Bob Thomas wrote:
> On 11/12/15 15:41, Bob Thomas wrote:
>> First, Thank you all for this forum, as I am fairly new at both
>> Ubuntu and Samba I have found most of the answers to my issues here.
>>
>> Now correct me if I am wrong but Samba 4.3.2 should be able to
>> support Domain Trusts. If so maybe you can help me, here is what I
>> have:
>>
>> NT4 Domain: adc.com (Holds our production servers and
>> user accounts for that domain)
>>
>> Controller = enterprise.abc.com
>>
>> Samba Domain: cy.abc.biz
>> Two Controllers both Ubuntu 14.04 with Samba 4.3.2 running well (I
>> think):
>>
>> Controllers = pdc.cy.abc.biz & sdc.cy.abc.biz
>>
>> I can ping "enterprise" from both samba controllers and I can ping
>> "pdc" and "sdc" from enterprise.
>>
>> The two problems I have are first I am unable to create an
>> Inter-domain Trust Account:
>>
>> ####
>> root at PDC :/etc# net rpc trustdom add ABC password -U bthomas
>> Enter bthomas's password:
>> Could not set trust account password: NT_STATUS_ACCESS_DENIED
>> ###
>>
>> and second with samba-tool I get:
>>
>> #####
>> root at PDC :~# samba-tool domain trust create ABC -U bthomas
>> LocalDomain Netbios[CY] DNS[cy.abc.biz]
>> SID[S-1-5-21-3303530046-412607057-2209094731]
>> ERROR: Failed to find a writeable DC for domain 'ABC'
>> #####
>>
>> Here is my smb.conf file:
>>
>> # Global parameters
>> [global]
>> workgroup = CY
>> realm = CY.ABC.BIZ
>> server role = active directory domain controller
>> security = USER
>> passdb backend = samba_dsdb
>> os level = 65
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>> winbind nss info = rfc2307
>> allow dns updates = nonsecure and secure
>> dns forwarder = 10.157.1.178
>> server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap,
>> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> rpc_server:tcpip = no
>> rpc_daemon:spoolssd = embedded
>> rpc_server:spoolss = embedded
>> rpc_server:winreg = embedded
>> rpc_server:ntsvcs = embedded
>> rpc_server:eventlog = embedded
>> rpc_server:srvsvc = embedded
>> rpc_server:svcctl = embedded
>> rpc_server:default = external
>> winbindd:use external pipes = true
>> idmap config cy:range = 10000-29999
>> idmap config cy:schema_mode = rfc2307
>> idmap config cy:backend = ad
>> idmap config *:range = 5000-9999
>> kccsrv:samba_kcc = false
>> idmap_ldb:use rfc2307 = yes
>> idmap config * : backend = tdb
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>> vfs objects = dfs_samba4 acl_xattr
>>
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/cy.abc.biz/scripts
>> read only = No
>>
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> ##
>>
>> My ultimate goal is to move totally off the NT Domain and onto the
>> Samba-AD-DC but I need the trust established first so I can go step by
>> test moving 18 production servers one at a time so it can be tested.
>> I feel it would be too risky to move everything at once.
>>
>> Any help to get me going in the right direction would be greatly
>> appreciated.
>>
>> Bob Thomas
>>
> I think you are going about this the wrong way, you are trying to create
> a new AD domain and then set up trusts between your old NT4 domain and
> your new AD domain, correct?
>
> I think you should be going down the classic-upgrade path instead i.e.
> upgrade your original domain to an AD one. I take it all your users are
> in the NT domain, if so and their computers see the new AD, they *will*
> not go back to the original NT P/BDC, without a complete re-install.
>
> See here for info about the classic-upgrade:
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29
>
>
> Also, quite a lot of what you have added to your DCs smb.conf shouldn't
> be there, I would suggest that you put it back to what it was after the
> provision.
>
> I hope you are doing this in a test environment.
>
> Rowland
>
> ___________
>
> Rowland,
>
> Thank You for the quick response. I am not sure how to post added info
> or answers here, I tried twice posting a reply at
> http://www.eenyhelp.com Friday on the subject and verified it. I got
> the notice that the update would be posted in about an hour but --
> nothing. I tried again this morning and still nothing. Is that the
> correct place to post updates?
>
> As for my Issue,
>
> You are correct, I am trying to create a new AD domain and then set up
> trusts between your old NT4 domain and your new AD domain.
>
> I have looked into the classic-upgrade but not sure it will work for
> me because my old domain is a MS NT4 domain not Samba. Not to
> mention, the accounts have been neglected for years and I really don't
> want to transfer the mess into AD.
>
> As for my smb.conf, my mistake - I posted the output of testparm and
> not the actual config which is below, If you have any recommended
> changes please advise:
>
> [global]
> workgroup = CY
> realm = CY.ABC.BIZ
> netbios name = SDC
> server role = active directory domain controller
> server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap,
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> allow dns updates = nonsecure
> dns forwarder = 10.157.1.178
>
> security = user
>
> kccsrv:samba_kcc = false
>
> wins support = true
>
> idmap config *:backend = tdb
> idmap config *:range = 5000-9999
> idmap config CY:backend = ad
> idmap config CY:schema_mode = rfc2307
> idmap config CY:range = 10000-29999
>
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
>
> [netlogon]
> path = /var/lib/samba/sysvol/cy.abc.biz/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> As for the test environment, I have been testing for over two months
> with the Ubuntu repository Samba version 4.1.6, but just recently
> upgraded to 4.3.2 hoping I could get the trust relationship working.
> The MS NT4 domain is our production domain and not sure I could > duplicate it in a test environment. So I would like to gradually move > Samba into production - Using the domain trust so I can test things as > they are moved over. > > So back to my original question, Is it possible to create the trust > between Samba-AD 4.1.6 and a MS NT4 domain. If so how? > > Thank again, > > Bob > > I think it should be possible now, but I have never tried doing it, a quick google seems to suggest it is a known AD problem, see here: https://support.microsoft.com/en-us/kb/889030 I still think you would be better off going down the classic-upgrade path. If your ultimate aim is to remove all your NT servers, you will still have to get your users, groups and computers etc into the new domain from the old domain, this is something that the classic-upgrade will do for you. Rowland From jonathan at springventuregroup.com Mon Dec 14 16:07:41 2015 From: jonathan at springventuregroup.com (Jonathan S. Fisher) Date: Mon, 14 Dec 2015 10:07:41 -0600 Subject: [Samba] Nested Group control doesn't work In-Reply-To: <1449979582.15594.150.camel@samba.org> References: <1449979582.15594.150.camel@samba.org> Message-ID: Thanks, that's extremely helpful. I searched but wasn't able to find that bug report.... Just to clarify, there are no known workarounds, correct? *Jonathan S. Fisher* *VP - Information Technology* *Spring Venture Group* On Sat, Dec 12, 2015 at 10:06 PM, Andrew Bartlett wrote: > On Sat, 2015-12-12 at 10:25 -0600, Jonathan S. Fisher wrote: > > Hey guys, > > > > We can perform this LDAP query against Windows Server 2012 no > > problem, but > > against samba it's failing: > > > > (&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=graylog_u > > sers,OU=Applications,OU=Groups,DC=ad,DC=corp,DC=xxx,DC=com)) > > > > Is that "nested group" tree control > > (memberOf:1.2.840.113556.1.4.1941:) > > supported? 
If not, is there a better way to design this ldap search > > so it > > supports nested groups? > > No, it is not currently supported. It made it into Samba master, but > was reverted due to a crash bug pointed out on: > https://bugzilla.samba.org/show_bug.cgi?id=10493 > > We hope to return it for 4.4. > > Andrew Bartlett > -- > Andrew Bartlett http://samba.org/~abartlet/ > Authentication Developer, Samba Team http://samba.org > Samba Developer, Catalyst IT > http://catalyst.net.nz/services/samba > > > > -- Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer. From rpenny at samba.org Mon Dec 14 16:25:52 2015 From: rpenny at samba.org (Rowland penny) Date: Mon, 14 Dec 2015 16:25:52 +0000 Subject: [Samba] Create Domain Trust Help Samba-4.3.2 In-Reply-To: <566EE20B.6080906@cybernetics.com> References: <566EE20B.6080906@cybernetics.com> Message-ID: <566EED90.4010105@samba.org> OOPs, I really must get a new pair of glasses, I totally missed this lot in the mess that appeared in my email client :-D On 14/12/15 15:36, Bob Thomas wrote: > > Rowland, > > Thank You for the quick response. I am not sure how to post added info > or answers here, I tried twice posting a reply at > http://www.eenyhelp.com Friday on the subject and verified it. I got > the notice that the update would be posted in about a hour but -- > nothing. I tried again this morning and still nothing. 
> Is that the
> correct place to post updates?

Just reply to the sambalist, it will do the rest.

>
> As for my Issue,
>
> You are correct, I am trying to create a new AD domain and then set up
> trusts between your old NT4 domain and your new AD domain.
>
> I have looked into the classic-upgrade but not sure it will work for
> me because my old domain is a MS NT4 domain not Samba. Not to
> mention, the accounts have been neglected for years and I really don't
> want to transfer the mess into AD.
>

OK, I understand it better now, you want to lose the NT domain and move to AD. Not sure if I would do it the way you are trying, how many computers and users?

> As for my smb.conf, my mistake - I posted the output of testparm and
> not the actual config which is below, If you have any recommended
> changes please advise:
>
> [global]
> workgroup = CY
> realm = CY.ABC.BIZ
> netbios name = SDC
> server role = active directory domain controller
> server services = dns, s3fs, rpc, nbt, wrepl, ldap, cldap,
> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> allow dns updates = nonsecure
> dns forwarder = 10.157.1.178
>
> security = user
>
> kccsrv:samba_kcc = false
>
> wins support = true
>
> idmap config *:backend = tdb
> idmap config *:range = 5000-9999
> idmap config CY:backend = ad
> idmap config CY:schema_mode = rfc2307
> idmap config CY:range = 10000-29999
>
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
>
> [netlogon]
> path = /var/lib/samba/sysvol/cy.abc.biz/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>

Yes, as I said before, put it back to what it was before you started adding things to it.

> As for the test environment, I have been testing for over two months
> with the Ubuntu repository Samba version 4.1.6, but just recently
> upgraded to 4.3.2 hoping I could get the trust relationship working.
> The MS NT4 domain is our production domain and not sure I could
> duplicate it in a test environment. So I would like to gradually move
> Samba into production - Using the domain trust so I can test things as
> they are moved over.

I would setup a new domain, extract your users & groups etc from your old domain, remove anything you no longer require and then create them in your new domain. Then start adding your computers to the new domain a few at a time.

>
> So back to my original question, Is it possible to create the trust
> between Samba-AD 4.1.6 and a MS NT4 domain. If so how?
>
>

See my earlier incorrect post.

Rowland

From jorgito1412 at gmail.com Mon Dec 14 20:31:41 2015
From: jorgito1412 at gmail.com (George)
Date: Mon, 14 Dec 2015 17:31:41 -0300
Subject: [Samba] FSMO commands not working on 4.3.1
In-Reply-To: <566D3577.3080600@samba.org>
References: <566D3577.3080600@samba.org>
Message-ID:

On Sun, Dec 13, 2015 at 6:08 AM, Rowland penny wrote:

> On 13/12/15 05:31, George wrote:
>
>> Hi guys!
>> I am currently running 4.3.1 on Debian Jessie (compiled from the
>> experimental repo).
>>
>> Pretty much everything seems to be working fine, but the FSMO functions:
>>
>> ---------
>> root at dc2:~# samba-tool fsmo show
>> ERROR(): uncaught exception - 'No such
>> element'
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
>> 175, in _run
>> return self.run(*args, **kwargs)
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 395,
>> in run
>> domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42,
>> in
>> get_fsmo_roleowner
>> master_owner = res[0]["fSMORoleOwner"][0]
>> ---------
>>
>> Transferring or seizing the roles one by one, I can see that any operation
>> involving the two "new" roles (domaindns and forestdns) is what actually
>> breaks it.
>>
>> I don't think this is an upstream bug (is it?) Any ideas?
>> >> Best regards, >> George >> > > Are you using an admin user and password ? > > Rowland > > Even if I do (with the domain administrator user and pass) the same error comes up From jorgito1412 at gmail.com Mon Dec 14 20:33:50 2015 From: jorgito1412 at gmail.com (George) Date: Mon, 14 Dec 2015 17:33:50 -0300 Subject: [Samba] Winbindd on 4.2+ full functionality? In-Reply-To: <566D34EA.60302@samba.org> References: <566D34EA.60302@samba.org> Message-ID: On Sun, Dec 13, 2015 at 6:05 AM, Rowland penny wrote: > On 13/12/15 05:07, George wrote: > >> Hi, >> >> I recently upgraded from 4.1.17 to 4.3.1. >> >> I thought that the winbindd daemon for AD included since 4.2 would allow >> proper and complete winbind operation as in member servers, but that >> doesn't seem to be the case. >> >> In particular, I want consistent UIDs on DCs for files created within >> Windows (so I can avoid the "somehow keep idmap.ldb in sync between DCs" >> hell). I made several tests but winbindd on the DC doesn't seem to be >> honouring the idmap directives on smb.conf and still relies on the XIDs >> provided by idmap.ldb >> >> Am I missing something? Is this by design? >> >> Best regards, >> George >> > > Yes, this is how it works at the moment, if you want your users & groups > to have the same IDs everywhere, you will have to add uidNumber & gidNumber > attributes to your users & groups. > > Adding the member server 'idmap config' lines to a DC smb.conf will have > no effect. > > Rowland > > Thanks for the clarification. Do you know if this is planned for some future release? Best regards From abartlet at samba.org Mon Dec 14 20:48:50 2015 From: abartlet at samba.org (Andrew Bartlett) Date: Tue, 15 Dec 2015 09:48:50 +1300 Subject: [Samba] Nested Group control doesn't work In-Reply-To: References: <1449979582.15594.150.camel@samba.org> Message-ID: <1450126130.12299.38.camel@samba.org> On Mon, 2015-12-14 at 10:07 -0600, Jonathan S. Fisher wrote: > Thanks, that's extremely helpful. 
> I searched but wasn't able to find
> that
> bug report.... Just to clarify, there are no known workarounds,
> correct?

Only applying the patch, once we fix it.

Sorry,

Andrew Bartlett
--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba

From rpenny at samba.org Mon Dec 14 20:58:22 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 14 Dec 2015 20:58:22 +0000
Subject: [Samba] FSMO commands not working on 4.3.1
In-Reply-To:
References: <566D3577.3080600@samba.org>
Message-ID: <566F2D6E.6020300@samba.org>

On 14/12/15 20:31, George wrote:
> On Sun, Dec 13, 2015 at 6:08 AM, Rowland penny wrote:
>
>> On 13/12/15 05:31, George wrote:
>>
>>> Hi guys!
>>> I am currently running 4.3.1 on Debian Jessie (compiled from the
>>> experimental repo).
>>>
>>> Pretty much everything seems to be working fine, but the FSMO functions:
>>>
>>> ---------
>>> root at dc2:~# samba-tool fsmo show
>>> ERROR(): uncaught exception - 'No such
>>> element'
>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
>>> 175, in _run
>>> return self.run(*args, **kwargs)
>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 395,
>>> in run
>>> domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
>>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42,
>>> in
>>> get_fsmo_roleowner
>>> master_owner = res[0]["fSMORoleOwner"][0]
>>> ---------
>>>
>>> Transferring or seizing the roles one by one, I can see that any operation
>>> involving the two "new" roles (domaindns and forestdns) is what actually
>>> breaks it.
>>>
>>> I don't think this is an upstream bug (is it?) Any ideas?
>>>
>>> Best regards,
>>> George
>>>
>> Are you using an admin user and password ?
>> >> Rowland >> >> > Even if I do (with the domain administrator user and pass) the same error > comes up OK, I use 4.3.1 root at dc1:~# samba -V Version 4.3.1 Probably the only difference is I installed into /usr/local instead of /var/lib When I try samba-tool, I get this: root at dc1:~# samba-tool fsmo show SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com InfrastructureMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com DomainNamingMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com Do you actually have all 7 FSMO roles? Try this: ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb '(fsmoroleowner=*)' | grep 'dn:' | sed 's|dn: ||' It should return something like this: CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com CN=Infrastructure,DC=ForestDnsZones,DC=samdom,DC=example,DC=com CN=Infrastructure,DC=samdom,DC=example,DC=com DC=samdom,DC=example,DC=com CN=RID Manager$,CN=System,DC=samdom,DC=example,DC=com How did you provision? 
Rowland

From bbogaert at wikimedia.org Mon Dec 14 22:47:08 2015
From: bbogaert at wikimedia.org (Byron Bogaert)
Date: Mon, 14 Dec 2015 14:47:08 -0800
Subject: [Samba] How can I change the localSID for a SAMBA Server?
Message-ID:

I am trying to change the localSID for a SAMBA server, however I am unable to. I have tried the command "net setlocalsid" to no avail. To troubleshoot I have also stopped the smbd and nmbd services, but this did not help. Any help would be great!

root at TheWiggle:~# net getlocalsid
SID for domain THEWIGGLE is: S-1-5-21-748580849-194208185-3916830000
root at TheWiggle:~# net getdomainsid
SID for local machine THEWIGGLE is: S-1-5-21-748580849-194208185-3916830000
SID for domain THISDOMAIN is: S-1-5-21-748580849-194208185-3916830000
root at TheWiggle:~# net setlocalsid S-1-5-21-33300351-1172445578-3061011111
root at TheWiggle:~# net getlocalsid
SID for domain THEWIGGLE is: S-1-5-21-748580849-194208185-3916830000
root at TheWiggle:~# net getdomainsid
SID for local machine THEWIGGLE is: S-1-5-21-748580849-194208185-3916830000
SID for domain THISDOMAIN is: S-1-5-21-748580849-194208185-3916830000
root at TheWiggle:~# net setdomainsid S-1-5-21-33300351-1172445578-3061011111
root at TheWiggle:~# net getdomainsid
SID for local machine THEWIGGLE is: S-1-5-21-748580849-194208185-3916830000
SID for domain THISDOMAIN is: S-1-5-21-33300351-1172445578-3061011111
root at TheWiggle:~# net setlocalsid S-1-5-21-33300351-1172445578-3061011111
root at TheWiggle:~# net getlocalsid
SID for domain THEWIGGLE is: S-1-5-21-748580849-194208185-3916830000
root at TheWiggle:~# service smbd stop && service nmbd stop
smbd stop/waiting
nmbd stop/waiting
root at TheWiggle:~# net setlocalsid S-1-5-21-33300351-1172445578-3061011111
root at TheWiggle:~# net getlocalsid
SID for domain THEWIGGLE is: S-1-5-21-748580849-194208185-3916830000
root at TheWiggle:~# net setdomainsid S-1-5-21-33300351-1172445578-3061011111

--
*Byron Bogaert*
*IT System Administrator*
Wikimedia Foundation
Imagine a world in which every single human being can freely share in the sum of all knowledge. Help us make it a reality!
https://donate.wikimedia.org

From viktor at troja.ch Mon Dec 14 23:32:03 2015
From: viktor at troja.ch (Viktor Trojanovic)
Date: Tue, 15 Dec 2015 00:32:03 +0100
Subject: [Samba] Permission question (AD)
In-Reply-To: <566E8B92.3090800@samba.org>
References: <566E8B92.3090800@samba.org>
Message-ID: <566F5173.2070004@troja.ch>

On 14.12.2015 10:27, Rowland penny wrote:
> On 14/12/15 02:15, Viktor Trojanovic wrote:
>> I'm using the AD ID mapping, so I manually give all my users and
>> groups their respective uidNumbers and gidNumbers.
>>
>> I created a group of the type "security" with the scope "global" and
>> added some users to it, then I gave full control permission to said
>> group to certain files on a member server.
>>
>> However, the members from this group still can only read those files.
>> Which is weird, since if I check the effective permissions from within
>> Windows, it is being confirmed that there should be full control. So,
>> windows believes that I should have full permission but it's not true.
>>
>> So there must be something weird going on the Linux side, and I'm a
>> bit lost right now.
>>
>> First of all, I gave this particular group the gidNumber 10004, but
>> when I type "getent group groupname" on the DC, I get some high number
>> such as 3000049. The same happens for "domain admins" while "domain
>> users" shows the correct gidNumber.
>
> Is this on a DC ?
>

Yes. But I get the same result on the file server.

>>
>> I might know the reason for this: I created the former two groups a
>> while ago without giving them an ID - I did so only later, when I
>> noticed that I forgot to give them an ID. Is this problematic? I
>> didn't notice any problems with the domain admins group, though
>> there's only one Admin. But the other group is clearly showing this
>> issue. What can I do to solve this?
>
> What do you mean by 'I created the former two groups a while ago' ,
> the two groups should already exist in AD.
>

I meant the one security group I created manually. With domain admins, I meant that I didn't give it a gidNumber for a long time.

>>
>> Secondly, does it matter that "getent passwd username" will return
>> just the domain users group in the group field, but not the additional
>> group the user is part of?
>
> No, winbind returns the users primary group and this is always Domain
> Users, unless you change it, not that I recommend doing this.
>

OK, understood.

>>
>> Should I maybe just delete the group, then recreate it and give it the
>> correct attributes from the start? What kind of impact will this have
>> on the shares where the deleted group had permissions, will those be
>> automatically deleted too and, if not, is it necessary to first remove
>> all permissions this group has?
>
> What group are you suggesting deleting ? If Domain Users/Admins, then
> don't, if it is a group you created (and no you didn't create domain
> users) then it probably won't help.
>
> Can you post a bit more info, What OS, your smb.conf etc.
>
> Rowland
>

I solved the problem in the meantime. It seems that the issue wasn't with the group but somehow, and I really wish to understand how though that's hardly a Samba topic, the computer account seems to have become "rogue". After I reset the computer account from ADUC and rejoined the domain, all worked fine again.

Having said that, I'm still wondering if it can become a problem down the road that getent returns the wrong group number. Specifically, what happens if I, from Windows, give permission to a user or group to a Samba share without having created uidNumber and gidNumber attributes, and then create them after the fact? Can this create inconsistencies?
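Viktor's symptom above (a group with gidNumber 10004 that `getent group` reports as 3000049) is the kind of mismatch that silently breaks share permissions, because the POSIX ACL on the file server stores the number, not the group name. The following is an added example, not code from the thread or from Samba: a small Python check that compares the gid each host resolves for a group against the gidNumber stored in AD and lists every group that is unmapped or mapped differently somewhere. The host names, group names, the LDIF-style dump and the `getent` lines are all constructed for illustration.

```python
"""Cross-check the gids that hosts resolve for AD groups against AD's gidNumber.

A member server using the `ad` idmap backend takes a group's gid from the
gidNumber attribute; a DC can answer with a number from its own allocator
(the 3000049 seen in the thread) instead. Any difference between hosts means a
file ACL written on one host does not grant what it appears to grant on another.
All inputs below are constructed for this example.
"""
from typing import Dict, List, Optional, Tuple


def parse_getent_group(text: str) -> Dict[str, int]:
    """Parse `getent group` output ('name:x:gid:members') into {name: gid}, lower-cased."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _passwd, gid, _members = line.split(":", 3)
        table[name.lower()] = int(gid)
    return table


def parse_ldif_gidnumbers(text: str) -> Dict[str, Optional[int]]:
    """Minimal LDIF reader (no base64, no continuation lines): sAMAccountName -> gidNumber or None."""
    groups: Dict[str, Optional[int]] = {}
    entry: Dict[str, str] = {}
    for line in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if not line.strip():
            name = entry.get("samaccountname")
            if name:
                groups[name.lower()] = int(entry["gidnumber"]) if "gidnumber" in entry else None
            entry = {}
            continue
        key, _, value = line.partition(":")
        entry[key.strip().lower()] = value.strip()
    return groups


def find_id_mismatches(ad: Dict[str, Optional[int]],
                       hosts: Dict[str, Dict[str, int]]) -> List[Tuple[str, str]]:
    """Return (group, problem) pairs for unmapped groups and for hosts that disagree with AD."""
    problems: List[Tuple[str, str]] = []
    for group, expected in sorted(ad.items()):
        if expected is None:
            problems.append((group, "no gidNumber in AD; the ad backend cannot map it"))
            continue
        for host, table in sorted(hosts.items()):
            actual = table.get(group)
            if actual is None:
                problems.append((group, "%s: not resolvable (winbind/nsswitch?)" % host))
            elif actual != expected:
                problems.append((group, "%s: resolves to %d, AD says %d" % (host, actual, expected)))
    return problems


# Constructed sample data: an attribute dump as `ldbsearch`/`ldapsearch` might print it,
# and `getent group` output captured on a DC and on a member server.
AD_DUMP = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
gidNumber: 10001

dn: CN=projectx,CN=Users,DC=example,DC=com
sAMAccountName: projectx
gidNumber: 10004

dn: CN=newgroup,CN=Users,DC=example,DC=com
sAMAccountName: newgroup
"""
HOSTS = {
    "dc1": "domain users:x:10000:\ndomain admins:x:3000048:\nprojectx:x:3000049:\n",
    "fs1": "domain users:x:10000:\ndomain admins:x:10001:\nprojectx:x:10004:\n",
}


def check_sample() -> List[Tuple[str, str]]:
    """Run the check over the constructed data."""
    ad = parse_ldif_gidnumbers(AD_DUMP)
    hosts = {host: parse_getent_group(out) for host, out in HOSTS.items()}
    return find_id_mismatches(ad, hosts)


if __name__ == "__main__":
    for group, problem in check_sample():
        print("%-14s %s" % (group, problem))
```

On a real domain, feed it the output of `getent group` from every file server and the DC, plus an attribute dump of the groups; any line it prints is a group whose ACLs are not portable between those hosts until the ids agree.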
From dwbear75 at gmail.com Tue Dec 15 01:26:16 2015
From: dwbear75 at gmail.com (David Bear)
Date: Mon, 14 Dec 2015 18:26:16 -0700
Subject: [Samba] using supervisor to start samba ad-dc
Message-ID:

Is anyone using python's supervisor product to start and keep samba running as an AD-DC? I think supervisor can be cron'ed as well to restart daemons it manages. I think supervisor is still python 2.x. Does that impact samba?

--
David Bear
mobile: (602) 903-6476

From jgardeniers at objectmastery.com Tue Dec 15 03:48:21 2015
From: jgardeniers at objectmastery.com (John Gardeniers)
Date: Tue, 15 Dec 2015 14:48:21 +1100
Subject: [Samba] The case of the disconnecting network shares
Message-ID: <566F8D85.6080409@objectmastery.com>

We recently completed our Samba 3 to Samba 4 transition without too many serious problems but one rather annoying issue has cropped up since the migration. Network shares on our file server become disconnected overnight, whether idle or not. This was never a problem with Samba 3 but since upgrading Samba on the server to version 4 and joining it to the Samba 4 AD domain this problem is happening most, but not all, nights. This is merely a minor nuisance for most of our staff but is a serious problem for those who need to run overnight jobs over those shares. The inconsistency makes it even more puzzling.

We have set the auto disconnect time to -1 to disable it on all clients but that has made absolutely no difference. Samba itself shows nothing in the logs that suggests there was any sort of problem during the night and I have not been able to ascertain whether all clients get disconnected at the same time or whether it occurs at various times.

Can anyone shed any light on this and suggest possible reasons and/or solutions?

regards,
John

From jra at samba.org Tue Dec 15 04:55:27 2015
From: jra at samba.org (Jeremy Allison)
Date: Mon, 14 Dec 2015 20:55:27 -0800
Subject: [Samba] The case of the disconnecting network shares
In-Reply-To: <566F8D85.6080409@objectmastery.com>
References: <566F8D85.6080409@objectmastery.com>
Message-ID: <20151215045527.GA12896@jeremy-HP>

On Tue, Dec 15, 2015 at 02:48:21PM +1100, John Gardeniers wrote:
> We recently completed our Samba 3 to Samba 4 transition without too
> many serious problems but one rather annoying issue has cropped up
> since the migration. Network shares on our file server become
> disconnected overnight, whether idle or not. This was never a
> problem with Samba 3 but since upgrading Samba on the server to
> version 4 and joining it to the Samba 4 AD domain this problem is
> happening most, but not all, nights. This is merely a minor nuisance
> for most of our staff but is a serious problem for those who need to
> run overnight jobs over those shares. The inconsistency makes it
> even more puzzling.
>
> We have set the auto disconnect time to -1 to disable it on all
> clients but that has made absolutely no difference. Samba itself
> shows nothing in the logs that suggests there was any sort of
> problem during the night and I have not been able to ascertain
> whether all clients get disconnected at the same time or whether it
> occurs at various times.
>
> Can anyone shed any light on this and suggest possible reasons
> and/or solutions?

If you mean "deadtime" the default is zero, and that means don't disconnect.

Try getting a wireshark trace around the disconnect, if that's possible. That should tell you if it's the client or server initiating the disconnect.
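Jeremy's advice is to let a capture answer the one question that matters first: did the client or the server tear the session down? The following is an added example, not code from the thread or from Samba. It reads one packet per line in the shape `tshark -T fields` prints (relative time, source address and port, destination address and port, the FIN and RST flags) and reports, per TCP/445 connection, which endpoint sent the first FIN or RST. The field order, the sample trace and the server address 10.0.0.5 are assumptions made for this example.

```python
"""Who closed the SMB session? Find the first FIN/RST on each TCP/445 connection.

Input lines are tab-separated and in capture order, as produced by
  tshark -r trace.pcap -Y "tcp.port==445" -T fields -e frame.time_relative \
      -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.flags.fin -e tcp.flags.reset
The SAMPLE_TRACE below is constructed for this example; 10.0.0.5 is the assumed server.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SMB_PORT = 445


@dataclass(frozen=True)
class Packet:
    time: float
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool
    rst: bool


def parse_line(line: str) -> Packet:
    """Parse one tshark field line; boolean fields arrive as 0/1 or True/False depending on version."""
    t, src, sport, dst, dport, fin, rst = line.rstrip("\n").split("\t")
    truthy = ("1", "True")
    return Packet(float(t), src, int(sport), dst, int(dport), fin in truthy, rst in truthy)


def connection_key(p: Packet) -> Tuple[str, int]:
    """Identify a connection by its client endpoint (the side that is not port 445)."""
    return (p.src, p.sport) if p.dport == SMB_PORT else (p.dst, p.dport)


def sender_role(p: Packet) -> str:
    return "server" if p.sport == SMB_PORT else "client"


Closer = Optional[Tuple[str, str, float]]   # (who, "FIN" or "RST", time of that packet)


def first_closers(lines: List[str]) -> Dict[Tuple[str, int], Closer]:
    """Map each connection to the first teardown packet seen, or None if the trace shows none."""
    seen: Dict[Tuple[str, int], Closer] = {}
    for line in lines:
        if not line.strip():
            continue
        p = parse_line(line)
        key = connection_key(p)
        seen.setdefault(key, None)
        if seen[key] is None and (p.fin or p.rst):
            seen[key] = (sender_role(p), "RST" if p.rst else "FIN", p.time)
    return seen


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count connections by which side tore them down; 'open' means no FIN/RST in the trace."""
    counts = {"client": 0, "server": 0, "open": 0}
    for closer in first_closers(lines).values():
        counts[closer[0] if closer else "open"] += 1
    return counts


# Constructed sample: three clients; the server resets one session after an hour,
# another client closes its own session cleanly, the third stays connected.
SAMPLE_TRACE = """\
0.000\t10.0.0.21\t49152\t10.0.0.5\t445\t0\t0
0.001\t10.0.0.5\t445\t10.0.0.21\t49152\t0\t0
0.500\t10.0.0.22\t50111\t10.0.0.5\t445\t0\t0
1.000\t10.0.0.23\t52000\t10.0.0.5\t445\t0\t0
3600.250\t10.0.0.5\t445\t10.0.0.21\t49152\t0\t1
7200.000\t10.0.0.22\t50111\t10.0.0.5\t445\t1\t0
7200.010\t10.0.0.5\t445\t10.0.0.22\t50111\t1\t0
"""

if __name__ == "__main__":
    for key, closer in sorted(first_closers(SAMPLE_TRACE.splitlines()).items()):
        what = "%s sent %s at t=%.3fs" % closer if closer else "still open at end of trace"
        print("client %s:%d -> %s" % (key[0], key[1], what))
    print(summarize(SAMPLE_TRACE.splitlines()))
```

The first FIN or RST is the evidence to line up against the smbd log for that client at the same timestamp: a server-sent RST or FIN points at something on the file server (or a middlebox in front of it), a client-sent one at the Windows side. To keep an all-night capture manageable, limit it to one client and port 445 and let tcpdump rotate files, for example `tcpdump -w smb-%H%M.pcap -G 3600 host <client-ip> and port 445` (with `<client-ip>` as a placeholder), then run tshark over the file that covers the disconnect.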
From jgardeniers at objectmastery.com Tue Dec 15 05:07:55 2015
From: jgardeniers at objectmastery.com (John Gardeniers)
Date: Tue, 15 Dec 2015 16:07:55 +1100
Subject: [Samba] The case of the disconnecting network shares
In-Reply-To: <20151215045527.GA12896@jeremy-HP>
References: <566F8D85.6080409@objectmastery.com> <20151215045527.GA12896@jeremy-HP>
Message-ID: <566FA02B.1040904@objectmastery.com>

Hi Jeremy,

No, I don't mean "deadtime". I mean auto disconnect. Specifically, the command "net config server /autodisconnect:-1" was run on each client machine. If deadtime is a server configuration item perhaps you could point me in the direction of some documentation where that is covered. The documentation for smb.conf is, to put it very mildly, incomplete.

Wireshark would be impractical in this case because I can't predict when the disconnects will occur, or even if they will occur for any given client, and this is a very busy file server, even during the night. Therefore, the logs would be far too immense to be useful without first knowing exactly what event(s) I'm looking for.

regards,
John

On 15/12/15 15:55, Jeremy Allison wrote:
> On Tue, Dec 15, 2015 at 02:48:21PM +1100, John Gardeniers wrote:
>> We recently completed our Samba 3 to Samba 4 transition without too
>> many serious problems but one rather annoying issue has cropped up
>> since the migration. Network shares on our file server become
>> disconnected overnight, whether idle or not. This was never a
>> problem with Samba 3 but since upgrading Samba on the server to
>> version 4 and joining it to the Samba 4 AD domain this problem is
>> happening most, but not all, nights. This is merely a minor nuisance
>> for most of our staff but is a serious problem for those who need to
>> run overnight jobs over those shares. The inconsistency makes it
>> even more puzzling.
>>
>> We have set the auto disconnect time to -1 to disable it on all
>> clients but that has made absolutely no difference. Samba itself
>> shows nothing in the logs that suggests there was any sort of
>> problem during the night and I have not been able to ascertain
>> whether all clients get disconnected at the same time or whether it
>> occurs at various times.
>>
>> Can anyone shed any light on this and suggest possible reasons
>> and/or solutions?
> If you mean "deadtime" the default is zero, and that
> means don't disconnect.
>
> Try getting a wireshark trace around the disconnect,
> if that's possible. That should tell you if it's the
> client or server initiating the disconnect.

From jra at samba.org Tue Dec 15 05:35:57 2015
From: jra at samba.org (Jeremy Allison)
Date: Mon, 14 Dec 2015 21:35:57 -0800
Subject: [Samba] The case of the disconnecting network shares
In-Reply-To: <566FA02B.1040904@objectmastery.com>
References: <566F8D85.6080409@objectmastery.com> <20151215045527.GA12896@jeremy-HP> <566FA02B.1040904@objectmastery.com>
Message-ID: <20151215053557.GA13035@jeremy-HP>

On Tue, Dec 15, 2015 at 04:07:55PM +1100, John Gardeniers wrote:
> Hi Jeremy,
>
> No, I don't mean "deadtime". I mean auto disconnect. Specifically,
> the command "net config server /autodisconnect:-1" was run on each
> client machine.

Ah - didn't know auto disconnect was a client feature, but then again I don't use Windows :-).

> If deadtime is a server configuration item perhaps
> you could point me in the direction of some documentation where that
> is covered. The documentation for smb.conf is, to put it very
> mildly, incomplete.

That's not true. smb.conf documentation is certainly complete, as we generate the config parameters that go into the Samba code from the xml docs for each parameter.

man smb.conf

Search for deadtime.

From Volker.Lendecke at SerNet.DE Tue Dec 15 06:01:45 2015
From: Volker.Lendecke at SerNet.DE (Volker Lendecke)
Date: Tue, 15 Dec 2015 07:01:45 +0100
Subject: [Samba] The case of the disconnecting network shares
In-Reply-To: <566FA02B.1040904@objectmastery.com>
References: <566F8D85.6080409@objectmastery.com> <20151215045527.GA12896@jeremy-HP> <566FA02B.1040904@objectmastery.com>
Message-ID: <20151215060145.GA3218@sernet.de>

On Tue, Dec 15, 2015 at 04:07:55PM +1100, John Gardeniers wrote:
> Wireshark would be impractical in this case because I can't predict
> when the disconnects will occur, or even if they will occur for any
> given client, and this is a very busy file server, even during the
> night. Therefore, the logs would be far too immense to be useful
> without first knowing exactly what event(s) I'm looking for.

You can limit tcpdump to a single client with "host ". And multi-gigabyte traces can be split up. I'm used to that :-)

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

From mmuehlfeld at samba.org Tue Dec 15 13:11:51 2015
From: mmuehlfeld at samba.org (Marc Muehlfeld)
Date: Tue, 15 Dec 2015 14:11:51 +0100
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To:
References:
Message-ID: <56701197.1060902@samba.org>

Hello Byron,

On 14.12.2015 at 23:47, Byron Bogaert wrote:
> I am trying to change the localSID for a SAMBA server, however I am unable
> to. I have tried the command "net setlocalsid" to no avail. To troubleshoot
> I have also stopped the smbd and nmbd services, but this did not help. Any
> help would be great!

What kind of Samba server are you talking about? PDC? AD DC, Domain Member, Standalone?
Regards,
Marc

From nicolas.boisse at univ-lemans.fr Tue Dec 15 12:49:43 2015
From: nicolas.boisse at univ-lemans.fr (Nico)
Date: Tue, 15 Dec 2015 04:49:43 -0800 (PST)
Subject: [Samba] Samba 4.0.21 and Windows 10
Message-ID: <1450183783573-4695846.post@n4.nabble.com>

Hi,

I've got a problem with Windows 10 Education (last build) and my Samba PDC (under Fedora).
All machines with Windows 7 can join the domain successfully. But with Windows 10, I've got a "network path not found" error.
I've changed all the registry keys that we need to change, but no way (DomainCompatibilityMode, DNSNameResolutionRequired, AllowInsecureGuestAuth).

My PDC is in NT4 style domain mode. No Active Directory. I've searched with Wireshark for any trace of a problem, and I could see that Windows 10 sends some LDAP requests to my PDC when I try to join it to the domain. As if it wanted to connect to a PDC with an AD.
I don't want to upgrade my PDC to Samba AD because I'm not ready to do this. Is there a solution to configure W10 to join a Samba NT4 style domain?

Thanks in advance.

(sorry for my english, I'm French)

From belle at bazuin.nl Tue Dec 15 14:01:44 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 15 Dec 2015 15:01:44 +0100
Subject: [Samba] Samba 4.0.21 and Windows 10
In-Reply-To: <1450183783573-4695846.post@n4.nabble.com>
References: <1450183783573-4695846.post@n4.nabble.com>
Message-ID:

You have seen:
https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains
and you rebooted after the registry changes?

And you have (optionally) set
max protocol = NT1
in smb.conf

Greetz,

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Nico
> Verzonden: dinsdag 15 december 2015 13:50
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Samba 4.0.21 and Windows 10
>
> Hi,
>
> I've got a problem with Windows 10 Education (last build) and my Samba PDC
> (under Fedora).
> All machines with Windows 7 can join the domain successfully. But with Windows
> 10, I've got a "network path not found" error.
> I've changed all the registry keys that we need to change, but no way
> (DomainCompatibilityMode,
> DNSNameResolutionRequired, AllowInsecureGuestAuth).
>
> My PDC is in NT4 style domain mode. No Active Directory. I've searched
> with
> Wireshark for any trace of a problem, and I could see that Windows 10 sends
> some
> LDAP requests to my PDC when I try to join it to the domain. As if it
> wanted
> to connect to a PDC with an AD.
> I don't want to upgrade my PDC to Samba AD because I'm not ready to do this.
> Is
> there a solution to configure W10 to join a Samba NT4 style domain?
>
> Thanks in advance.
>
> (sorry for my english, I'm French)

From sameerhussain194 at gmail.com Tue Dec 15 14:18:51 2015
From: sameerhussain194 at gmail.com (sameer hussain)
Date: Tue, 15 Dec 2015 19:48:51 +0530
Subject: [Samba] Samba Torture
Message-ID:

Hi,

Can anyone explain to me the real need of samba torture? I need a bit detailed explanation though.

Thanks and regards,
Sameer.

======================
Make things simple, not simpler.
From gimili17 at gmail.com Tue Dec 15 15:31:33 2015
From: gimili17 at gmail.com (gimili)
Date: Tue, 15 Dec 2015 10:31:33 -0500
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To: <566C492B.6070205@samba.org>
References: <566AFF4C.5000606@gmail.com> <566B0795.5090401@samba.org> <566C492B.6070205@samba.org>
Message-ID: <56703255.1000108@gmail.com>

On 12/12/2015 11:19 AM, Rowland penny wrote:
> On 12/12/15 15:04, Gimili wrote:
>>
>>> On Dec 11, 2015, at 12:27 PM, Rowland penny wrote:
>>>
>>>> On 11/12/15 16:52, gimili wrote:
>>>> I followed the instructions here:
>>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>>>>
>>>> Everything works fine except when I reboot I have to restart samba
>>>> or I added a pause and then restart to /etc/rc.local otherwise the
>>>> windows machines can't authenticate.
>>>>
>>>> I googled this problem but have not been able to figure out the
>>>> solution.
>>>>
>>>> My OS is debian Jessie.
>>>>
>>>> Many thanks for any help/advice.
>>>>
>>> OK, I understand that you followed the wiki and you are using debian
>>> jessie, but just how did you install Samba, from distro packages or
>>> Sernet, or self compiled ?
>>>
>>> Rowland
>> From the distro packages.
>
> OK, this means that you are running 4.1.17 and I think this is what is
> happening:
>
> When you install the samba package on jessie it installs the following
> files in /etc/init.d
>
> nmbd
> samba
> samba-ad-dc
> smbd
>
> It then runs 'update-rc.d xxxx defaults' and 'invoke-rc.d xxxx start'
> where 'xxxx' is one of the filenames above, it does this for all the 4
> files.
>
> You then setup Samba as an active directory controller and so you only
> need the 'samba-ad-dc' init file, this will start smbd. You do not
> need the others, but they will still try to start at boot, so what I
> suggest you do (and what I did) is to remove the ones you do not need.
>
> update-rc.d -f nmbd remove
> update-rc.d -f smbd remove
> update-rc.d -f samba remove
>
> You should check if the winbind package is installed, if it is, you
> should also stop this being started at boot.
>
> Reboot the DC, it should now just start the samba daemon via
> /etc/init.d/samba-ad-dc, this will then start smbd.
>
> Hopefully this should fix your problem, if it does, you can then
> remove the unwanted init files:
>
> rm -f /etc/init.d/nmbd
> rm -f /etc/init.d/smbd
> rm -f /etc/init.d/samba
>
> Note, if you do this, you do it at your risk, it shouldn't damage anything
> (well it didn't for me), you should also backup everything just in case.
>
> Rowland
>

Thank you kindly for the advice. I gave it a whirl and still no luck on reboot. I now have to manually start /etc/init.d/samba-ad-dc. Any other suggestions please and thanks.

--
gimili

From belle at bazuin.nl Tue Dec 15 17:13:43 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 15 Dec 2015 18:13:43 +0100
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To: <56703255.1000108@gmail.com>
References: <566C492B.6070205@samba.org>
Message-ID:

Hai,

If not, well, very strange, i have about 7 Jessie's here with samba and i dont have any problems.
I think systemd is blocking your startup of samba due to multiple errors on startups previously.

Few questions?

Do you have samba with shares over nfs?
If so, create the following folder:
/etc/systemd/system/nfs-common.service.d/

Add the following file with content to the file: remote-fs-pre.conf
[Unit]
Before=remote-fs-pre.target
Wants=remote-fs-pre.target

What is the output of?
systemctl status samba-ad-dc

If it's masked, then type:
systemctl unmask samba-ad-dc
and
systemctl restart samba-ad-dc

reboot and see if its all started.

Greetz,

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens gimili
> Verzonden: dinsdag 15 december 2015 16:32
> Aan: Rowland penny
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] domain authentication issue after rebooting Debian
> Jessie - need to restart samba each time
>
> On 12/12/2015 11:19 AM, Rowland penny wrote:
> > On 12/12/15 15:04, Gimili wrote:
> >>
> >>> On Dec 11, 2015, at 12:27 PM, Rowland penny wrote:
> >>>
> >>>> On 11/12/15 16:52, gimili wrote:
> >>>> I followed the instructions here:
> >>>> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
> >>>>
> >>>> Everything works fine except when I reboot I have to restart samba
> >>>> or I added a pause and then restart to /etc/rc.local otherwise the
> >>>> windows machines can't authenticate.
> >>>>
> >>>> I googled this problem but have not been able to figure out the
> >>>> solution.
> >>>>
> >>>> My OS is debian Jessie.
> >>>>
> >>>> Many thanks for any help/advice.
> >>>>
> >>> OK, I understand that you followed the wiki and you are using debian
> >>> jessie, but just how did you install Samba, from distro packages or
> >>> Sernet, or self compiled ?
> >>>
> >>> Rowland
> >> From the distro packages.
> >
> > OK, this means that you are running 4.1.17 and I think this is what is
> > happening:
> >
> > When you install the samba package on jessie it installs the following
> > files in /etc/init.d
> >
> > nmbd
> > samba
> > samba-ad-dc
> > smbd
> >
> > It then runs 'update-rc.d xxxx defaults' and 'invoke-rc.d xxxx start'
> > where 'xxxx' is one of the filenames above, it does this for all the 4
> > files.
> >
> > You then setup Samba as an active directory controller and so you only
> > need the 'samba-ad-dc' init file, this will start smbd. You do not
> > need the others, but they will still try to start at boot, so what I
> > suggest you do (and what I did) is to remove the ones you do not need.
> >
> > update-rc.d -f nmbd remove
> > update-rc.d -f smbd remove
> > update-rc.d -f samba remove
> >
> > You should check if the winbind package is installed, if it is, you
> > should also stop this being started at boot.
> >
> > Reboot the DC, it should now just start the samba daemon via
> > /etc/init.d/samba-ad-dc, this will then start smbd.
> >
> > Hopefully this should fix your problem, if it does, you can then
> > remove the unwanted init files:
> >
> > rm -f /etc/init.d/nmbd
> > rm -f /etc/init.d/smbd
> > rm -f /etc/init.d/samba
> >
> > Note, if you do this, you do it at your risk, it shouldn't damage anything
> > (well it didn't for me), you should also backup everything just in case.
> >
> > Rowland
> >
> Thank you kindly for the advice. I gave it a whirl and still no luck on
> reboot. I now have to manually start /etc/init.d/samba-ad-dc. Any
> other suggestions please and thanks.
> --
> gimili

From rpenny at samba.org Tue Dec 15 17:41:44 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 15 Dec 2015 17:41:44 +0000
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To:
References: <566C492B.6070205@samba.org>
Message-ID: <567050D8.7060002@samba.org>

On 15/12/15 17:13, L.P.H. van Belle wrote:
> Hai,
>
> If not, well, very strange, i have about 7 Jessie's here with samba and
> i dont have any problems.
> I think systemd is blocking your startup of samba due to multiple errors on startups previously.

And people wonder why I won't use systemd :-D

Why, oh why, is systemd allowed to stop something starting up, without displaying an obvious message at boot? or is this another one of those famous systemd features???

Easy cure for this, upgrade to Devuan.

Rowland

>
> Few questions?
>
> Do you have samba with shares over nfs?
> If so, create the following folder:
> /etc/systemd/system/nfs-common.service.d/
>
> Add the following file with content to the file: remote-fs-pre.conf
> [Unit]
> Before=remote-fs-pre.target
> Wants=remote-fs-pre.target
>
>
> What is the output of?
> systemctl status samba-ad-dc
>
> If it's masked, then type:
> systemctl unmask samba-ad-dc
> and
> systemctl restart samba-ad-dc
>
> reboot and see if its all started.
>
>
>
> Greetz,
>
> Louis
>

From post at rolandgruber.de Tue Dec 15 18:06:38 2015
From: post at rolandgruber.de (Roland Gruber)
Date: Tue, 15 Dec 2015 19:06:38 +0100
Subject: [Samba] LDAP Account Manager 5.2 with extended Windows support and more password expiration jobs
Message-ID: <567056AE.9020408@rolandgruber.de>

LDAP Account Manager (LAM) 5.2 - December 15th, 2015
====================================================

LAM is a web frontend for managing accounts stored in an LDAP directory.

Announcement:
-------------

The Windows module supports a lot more attributes and new IMAP mailboxes can have a default folder structure. There are two new jobs for Shadow and Windows password expiration notification. Self Service supports specifying the time zone.

Full changelog:
https://www.ldap-account-manager.org/lamcms/changelog

Download:
https://www.ldap-account-manager.org/lamcms/releases

Features:
---------

* management of various account types
  * Unix
  * Samba 3/4
  * Kolab 2/3
  * Asterisk
  * Zarafa
  * DHCP
  * SSH keys
* profiles for account creation
* account creation via file upload
* automatic creation/deletion of home directories
* setting quotas
* PDF output for all accounts
* editor for organizational units
* schema browser
* tree view
* multiple configuration files
* multi-language support: Catalan, Chinese (Traditional + Simplified), Czech, Dutch, English, French, German, Hungarian, Italian, Japanese, Polish, Portuguese, Russian, Slovak, Spanish and Turkish
* support for LDAP+SSL/TLS

Demo installation:
------------------

You can try our demo installation online.
https://www.ldap-account-manager.org/lamcms/liveDemo

Support:
--------

If you find a bug please file a bug report. For questions or implementing new features please use the mailinglist and feature request tracker at our homepage https://www.ldap-account-manager.org.

Authors & Copyright:
--------------------

Copyright (C) 2003 - 2015: Roland Gruber

LAM is published under the GNU General Public License. The complete list of licenses can be found in the copyright file.

From gimili17 at gmail.com Tue Dec 15 18:31:28 2015
From: gimili17 at gmail.com (gimili)
Date: Tue, 15 Dec 2015 13:31:28 -0500
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To:
References: <566C492B.6070205@samba.org>
Message-ID: <56705C80.9010909@gmail.com>

On 12/15/2015 12:13 PM, L.P.H. van Belle wrote:
> Hai,
>
> If not, well, very strange, i have about 7 Jessie's here with samba and
> i dont have any problems.
> I think systemd is blocking your startup of samba due to multiple errors on startups previously.
>
> Few questions?
>
> Do you have samba with shares over nfs?
> If so, create the following folder:
> /etc/systemd/system/nfs-common.service.d/
>
> Add the following file with content to the file: remote-fs-pre.conf
> [Unit]
> Before=remote-fs-pre.target
> Wants=remote-fs-pre.target
>
>
> What is the output of?
> systemctl status samba-ad-dc
>
> If it's masked, then type:
> systemctl unmask samba-ad-dc
> and
> systemctl restart samba-ad-dc
> reboot and see if its all started.
> Greetz,
>
> Louis
>

Still no luck. Maybe I am back to a delayed start using /etc/rc.local. Good to know it is working for someone. I must have done something wrong. Perhaps I will start from scratch.

>systemctl status samba-ad-dc

● samba-ad-dc.service - LSB: start Samba daemons for the AD DC
   Loaded: loaded (/etc/init.d/samba-ad-dc)
   Active: active (running) since Tue 2015-12-15 13:14:43 EST; 11min ago
   CGroup: /system.slice/samba-ad-dc.service
           ├─846 /usr/sbin/samba -D
           ├─900 /usr/sbin/samba -D
           ├─901 /usr/sbin/samba -D
           ├─902 /usr/sbin/samba -D
           ├─903 /usr/sbin/samba -D
           ├─904 /usr/sbin/samba -D
           ├─905 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─906 /usr/sbin/samba -D
           ├─907 /usr/sbin/samba -D
           ├─908 /usr/sbin/samba -D
           ├─909 /usr/sbin/samba -D
           ├─910 /usr/sbin/samba -D
           ├─911 /usr/sbin/samba -D
           ├─912 /usr/sbin/samba -D
           ├─913 /usr/sbin/samba -D
           └─938 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground

Dec 15 13:14:43 bob.ad.test.org samba[841]: [2015/12/15 13:14:43.398943, 0] ../source4/smbd/server.c:370(binary_smbd_main)
Dec 15 13:14:43 bob.ad.test.org samba[841]: samba version 4.1.17-Debian started.
Dec 15 13:14:43 bob.ad.test.org samba[841]: Copyright Andrew Tridgell and the Samba Team 1992-2013
Dec 15 13:14:43 bob.ad.test.org samba-ad-dc[471]: Starting Samba AD DC daemon: samba.
Dec 15 13:14:43 bob.ad.test.org samba[846]: [2015/12/15 13:14:43.782455, 0] ../source4/smbd/server.c:488(binary_smbd_main)
Dec 15 13:14:43 bob.ad.test.org samba[846]: samba: using 'standard' process model
Dec 15 13:14:43 bob.ad.test.org samba[846]: [2015/12/15 13:14:43.829676, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Dec 15 13:14:44 bob.ad.test.org smbd[905]: [2015/12/15 13:14:44.332073, 0] ../lib/util/become_daemon.c:136(daemon_ready)
Dec 15 13:25:03 bob.ad.test.org samba[912]: [2015/12/15 13:25:03.932432, 0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
Dec 15 13:25:03 bob.ad.test.org samba[912]: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT

-
gimili

From rpenny at samba.org Tue Dec 15 19:21:02 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 15 Dec 2015 19:21:02 +0000
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To: <56705C80.9010909@gmail.com>
References: <566C492B.6070205@samba.org> <56705C80.9010909@gmail.com>
Message-ID: <5670681E.1020208@samba.org>

On 15/12/15 18:31, gimili wrote:
> On 12/15/2015 12:13 PM, L.P.H. van Belle wrote:
>> Hai,
>>
>> If not, well, very strange, i have about 7 Jessie's here with samba and
>> i dont have any problems.
>> I think systemd is blocking your startup of samba due to multiple
>> errors on startups previously.
>>
>> Few questions?
>>
>> Do you have samba with shares over nfs?
>> If so, create the following folder:
>> /etc/systemd/system/nfs-common.service.d/
>>
>> Add the following file with content to the file: remote-fs-pre.conf
>> [Unit]
>> Before=remote-fs-pre.target
>> Wants=remote-fs-pre.target
>>
>>
>> What is the output of?
>> systemctl status samba-ad-dc
>>
>> If it's masked, then type:
>> systemctl unmask samba-ad-dc
>> and
>> systemctl restart samba-ad-dc
>> reboot and see if its all started.
>> Greetz,
>>
>> Louis
>>
>
> Still no luck. Maybe I am back to a delayed start using
> /etc/rc.local. Good to know it is working for someone. I must have
> done something wrong. Perhaps I will start from scratch.
>
> >systemctl status samba-ad-dc
>
> ● samba-ad-dc.service - LSB: start Samba daemons for the AD DC
>    Loaded: loaded (/etc/init.d/samba-ad-dc)
>    Active: active (running) since Tue 2015-12-15 13:14:43 EST; 11min ago
>    CGroup: /system.slice/samba-ad-dc.service
>            ├─846 /usr/sbin/samba -D
>            ├─900 /usr/sbin/samba -D
>            ├─901 /usr/sbin/samba -D
>            ├─902 /usr/sbin/samba -D
>            ├─903 /usr/sbin/samba -D
>            ├─904 /usr/sbin/samba -D
>            ├─905 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>            ├─906 /usr/sbin/samba -D
>            ├─907 /usr/sbin/samba -D
>            ├─908 /usr/sbin/samba -D
>            ├─909 /usr/sbin/samba -D
>            ├─910 /usr/sbin/samba -D
>            ├─911 /usr/sbin/samba -D
>            ├─912 /usr/sbin/samba -D
>            ├─913 /usr/sbin/samba -D
>            └─938 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>
> Dec 15 13:14:43 bob.ad.test.org samba[841]: [2015/12/15 13:14:43.398943, 0] ../source4/smbd/server.c:370(binary_smbd_main)
> Dec 15 13:14:43 bob.ad.test.org samba[841]: samba version 4.1.17-Debian started.
> Dec 15 13:14:43 bob.ad.test.org samba[841]: Copyright Andrew Tridgell and the Samba Team 1992-2013
> Dec 15 13:14:43 bob.ad.test.org samba-ad-dc[471]: Starting Samba AD DC daemon: samba.
> Dec 15 13:14:43 bob.ad.test.org samba[846]: [2015/12/15 13:14:43.782455, 0] ../source4/smbd/server.c:488(binary_smbd_main)
> Dec 15 13:14:43 bob.ad.test.org samba[846]: samba: using 'standard' process model
> Dec 15 13:14:43 bob.ad.test.org samba[846]: [2015/12/15 13:14:43.829676, 0] ../lib/util/become_daemon.c:136(daemon_ready)
> Dec 15 13:14:44 bob.ad.test.org smbd[905]: [2015/12/15 13:14:44.332073, 0] ../lib/util/become_daemon.c:136(daemon_ready)
> Dec 15 13:25:03 bob.ad.test.org samba[912]: [2015/12/15 13:25:03.932432, 0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
> Dec 15 13:25:03 bob.ad.test.org samba[912]: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
>
> -
> gimili
>

I wonder if systemd doesn't like the DNS update failing?? you could try adding 'allow dns updates = nonsecure' to the smb.conf on the DC.

It should work, Louis uses debian jessie and he doesn't have problems, I definitely don't have problems, but then again, I use devuan jessie on my DCs.

Could you post the smb.conf from the DC?
Rowland

From sebastien-samba at orniz.org Tue Dec 15 19:56:30 2015
From: sebastien-samba at orniz.org (Sébastien Le Ray)
Date: Tue, 15 Dec 2015 20:56:30 +0100
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To: <5670703C.5020107@orniz.org>
References: <566C492B.6070205@samba.org> <56705C80.9010909@gmail.com> <5670681E.1020208@samba.org> <5670703C.5020107@orniz.org>
Message-ID: <5670706E.20806@orniz.org>

On 15/12/2015 20:55, Sébastien Le Ray wrote:
>
>
> On 15/12/2015 20:21, Rowland penny wrote:
>> On 15/12/15 18:31, gimili wrote:
>>>
>>>
>>> >systemctl status samba-ad-dc
>>>
>>> ● samba-ad-dc.service - LSB: start Samba daemons for the AD DC
>>>    Loaded: loaded (/etc/init.d/samba-ad-dc)
>>>    Active: active (running) since Tue 2015-12-15 13:14:43 EST; 11min ago
>>> [snip]
>>> Dec 15 13:14:43 bob.ad.test.org samba[841]: [2015/12/15 13:14:43.398943, 0] ../source4/smbd/server.c:370(binary_smbd_main)
>>> Dec 15 13:14:43 bob.ad.test.org samba[841]: samba version 4.1.17-Debian started.
>>> Dec 15 13:14:43 bob.ad.test.org samba[841]: Copyright Andrew Tridgell and the Samba Team 1992-2013
>>> Dec 15 13:14:43 bob.ad.test.org samba-ad-dc[471]: Starting Samba AD DC daemon: samba.
>>> Dec 15 13:14:43 bob.ad.test.org samba[846]: [2015/12/15 13:14:43.782455, 0] ../source4/smbd/server.c:488(binary_smbd_main)
>>> Dec 15 13:14:43 bob.ad.test.org samba[846]: samba: using 'standard' process model
>>> Dec 15 13:14:43 bob.ad.test.org samba[846]: [2015/12/15 13:14:43.829676, 0] ../lib/util/become_daemon.c:136(daemon_ready)
>>> Dec 15 13:14:44 bob.ad.test.org smbd[905]: [2015/12/15 13:14:44.332073, 0] ../lib/util/become_daemon.c:136(daemon_ready)
>>> Dec 15 13:25:03 bob.ad.test.org samba[912]: [2015/12/15 13:25:03.932432, 0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
>>> Dec 15 13:25:03 bob.ad.test.org samba[912]: ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
>>>
>>
>> I wonder if systemd doesn't like the DNS update failing??
>
> "Active: active (running)" so there's nothing it doesn't like
>
> Is this status right after boot or after restart?
>
>

From bbogaert at wikimedia.org Tue Dec 15 20:29:36 2015
From: bbogaert at wikimedia.org (Byron Bogaert)
Date: Tue, 15 Dec 2015 12:29:36 -0800
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To: <56701197.1060902@samba.org>
References: <56701197.1060902@samba.org>
Message-ID:

Hi Marc,

We are working on building a Standalone Samba server on Ubuntu 14.04 LTS.

Thanks,
Byron

On Dec 15, 2015 5:12 AM, "Marc Muehlfeld" wrote:

> Hello Byron,
>
> On 14.12.2015 at 23:47, Byron Bogaert wrote:
> > I am trying to change the localSID for a SAMBA server, however I am unable
> > to. I have tried the command "net setlocalsid" to no avail. To troubleshoot
> > I have also stopped the smbd and nmbd services, but this did not help. Any
> > help would be great!
>
>
> What kind of Samba server are you talking about? PDC? AD DC, Domain
> Member, Standalone?
>
>
> Regards,
> Marc
>

From mmuehlfeld at samba.org Tue Dec 15 20:53:48 2015
From: mmuehlfeld at samba.org (Marc Muehlfeld)
Date: Tue, 15 Dec 2015 21:53:48 +0100
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To:
References: <56701197.1060902@samba.org>
Message-ID: <56707DDC.9050600@samba.org>

Hello Byron,

On 15.12.2015 at 21:29, Byron Bogaert wrote:
> We are working on building a Standalone Samba server on Ubuntu 14.04 LTS.

On my standalone host (Fedora 23, Samba 4.3.1), it's working:

# net getlocalsid
SID for domain DEMO is: S-1-5-21-3979603266-3590286814-3507847034

# net setlocalsid S-1-5-21-3979603266-3590286814-999999999

# net getlocalsid
SID for domain DEMO is: S-1-5-21-3979603266-3590286814-999999999

# net setlocalsid S-1-5-21-3979603266-3590286814-3507847034

# net getlocalsid
SID for domain DEMO is: S-1-5-21-3979603266-3590286814-3507847034

Can you give some more information about your environment?

Regards,
Marc

From jgardeniers at objectmastery.com Tue Dec 15 20:54:58 2015
From: jgardeniers at objectmastery.com (John Gardeniers)
Date: Wed, 16 Dec 2015 07:54:58 +1100
Subject: [Samba] The case of the disconnecting network shares
In-Reply-To: <20151215053557.GA13035@jeremy-HP>
References: <566F8D85.6080409@objectmastery.com> <20151215045527.GA12896@jeremy-HP> <566FA02B.1040904@objectmastery.com> <20151215053557.GA13035@jeremy-HP>
Message-ID: <56707E22.2030509@objectmastery.com>

Hi Jeremy,

Using Samba without Windows seems rather pointless, as no other OS needs it, nor can test it to any truly useful extent.

Thanks for pointing out the man page, which I've always taken as referring to Samba 3, not Samba 4. I can only wonder why there's a site dedicated to Samba 4 documentation and this information isn't there.

If the default deadtime = 0 and we haven't changed it then that's obviously not the culprit and I need to keep looking for a cause.
regards,
John

On 15/12/15 16:35, Jeremy Allison wrote:
> On Tue, Dec 15, 2015 at 04:07:55PM +1100, John Gardeniers wrote:
>> Hi Jeremy,
>>
>> No, I don't mean "deadtime". I mean auto disconnect. Specifically,
>> the command "net config server /autodisconnect:-1" was run on each
>> client machine.
> Ah - didn't know auto disconnect was a client feature,
> but then again I don't use Windows :-).
>
>> If deadtime is a server configuration item perhaps
>> you could point me in the direction of some documentation where that
>> is covered. The documentation for smb.conf is, to put it very
>> mildly, incomplete.
> That's not true. smb.conf documentation is certainly
> complete, as we generate the config parameters that
> go into the Samba code from the xml docs for each
> parameter.
>
> man smb.conf
>
> Search for deadtime.
>

From bbogaert at wikimedia.org Tue Dec 15 20:58:48 2015
From: bbogaert at wikimedia.org (Byron Bogaert)
Date: Tue, 15 Dec 2015 12:58:48 -0800
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To: <56707DDC.9050600@samba.org>
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org>
Message-ID:

Hi Marc,

We are running Samba Version 4.1.6-Ubuntu on Ubuntu 14.04 LTS. Is there any other specific information you need?

Thanks,
Byron

--
*Byron Bogaert*
*IT System Administrator*
Wikimedia Foundation

Imagine a world in which every single human being can freely share in the sum of all knowledge. Help us make it a reality!
https://donate.wikimedia.org

On Tue, Dec 15, 2015 at 12:53 PM, Marc Muehlfeld wrote:

> Hello Byron,
>
> On 15.12.2015 at 21:29, Byron Bogaert wrote:
> > We are working on building a Standalone Samba server on Ubuntu 14.04 LTS.
>
> On my standalone host (Fedora 23, Samba 4.3.1), it's working:
>
> # net getlocalsid
> SID for domain DEMO is: S-1-5-21-3979603266-3590286814-3507847034
>
> # net setlocalsid S-1-5-21-3979603266-3590286814-999999999
>
> # net getlocalsid
> SID for domain DEMO is: S-1-5-21-3979603266-3590286814-999999999
>
> # net setlocalsid S-1-5-21-3979603266-3590286814-3507847034
>
> # net getlocalsid
> SID for domain DEMO is: S-1-5-21-3979603266-3590286814-3507847034
>
>
> Can you give some more information about your environment?
>
>
> Regards,
> Marc
>

From mmuehlfeld at samba.org Tue Dec 15 21:04:14 2015
From: mmuehlfeld at samba.org (Marc Muehlfeld)
Date: Tue, 15 Dec 2015 22:04:14 +0100
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To:
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org>
Message-ID: <5670804E.9090207@samba.org>

On 15.12.2015 at 21:58, Byron Bogaert wrote:
> We are running Samba Version 4.1.6-Ubuntu on Ubuntu 14.04 LTS. Is there any
> other specific information you need?

Do you have a chance to try it with a recent version (4.3.x)? I don't have an old version here at the moment and can't say if there was a bug in that area at that time.

And can you show the [global] part of your smb.conf?

Regards,
Marc

From rpenny at samba.org Tue Dec 15 21:05:18 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 15 Dec 2015 21:05:18 +0000
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To:
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org>
Message-ID: <5670808E.4070804@samba.org>

On 15/12/15 20:58, Byron Bogaert wrote:
> Hi Marc,
>
> We are running Samba Version 4.1.6-Ubuntu on Ubuntu 14.04 LTS. Is there any
> other specific information you need?
>
> Thanks,
> Byron
>

I can think of at least two things: what is in your smb.conf, and why do you need to change the SID on a standalone server?
Rowland

From jra at samba.org Tue Dec 15 21:12:57 2015
From: jra at samba.org (Jeremy Allison)
Date: Tue, 15 Dec 2015 13:12:57 -0800
Subject: [Samba] The case of the disconnecting network shares
In-Reply-To: <56707E22.2030509@objectmastery.com>
References: <566F8D85.6080409@objectmastery.com> <20151215045527.GA12896@jeremy-HP> <566FA02B.1040904@objectmastery.com> <20151215053557.GA13035@jeremy-HP> <56707E22.2030509@objectmastery.com>
Message-ID: <20151215211257.GA2874@jeremy-acer>

On Wed, Dec 16, 2015 at 07:54:58AM +1100, John Gardeniers wrote:
> Hi Jeremy,
>
> Using Samba without Windows seems rather pointless, as no other OS needs it,
> nor can test it to any truly useful extent.

Oh, not true! Linux cifsfs needs it - it's used by SONOS, SageTV, and many other embedded clients, and our own torture tests are *extremely* good at testing SMB1/2/3 features.

> Thanks for pointing out the man page, which I've always taken as referring
> to Samba 3, not Samba 4.

Why would you think that?

> I can only wonder why there's a site dedicated to
> Samba 4 documentation and this information isn't there.

The man pages are current for all releases. As I said, we generate the code for smbd from them. The web pages are a bonus. The man pages for parameters should always be correct.

> If the default deadtime = 0 and we haven't changed it then that's obviously
> not the culprit and I need to keep looking for a cause.

OK, then you'll need to do what Volker suggested and try and isolate a capture trace to catch it in the act from a specific client.

From bbogaert at wikimedia.org Tue Dec 15 21:16:32 2015
From: bbogaert at wikimedia.org (Byron Bogaert)
Date: Tue, 15 Dec 2015 13:16:32 -0800
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To: <5670808E.4070804@samba.org>
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670808E.4070804@samba.org>
Message-ID:

Hi Rowland,

We need to change the SID on a standalone server because it needs to also act as a File Server. The authentication comes from LDAP, and we have existing entries in LDAP for the SID of the domain. Instead of changing all the SIDs in LDAP, we would like to be able to change it on the server.

Hope this helps.

Thanks,
Byron

--
*Byron Bogaert*
*IT System Administrator*
Wikimedia Foundation

Imagine a world in which every single human being can freely share in the sum of all knowledge. Help us make it a reality!
https://donate.wikimedia.org

On Tue, Dec 15, 2015 at 1:05 PM, Rowland penny wrote:

> On 15/12/15 20:58, Byron Bogaert wrote:
>
>> Hi Marc,
>>
>> We are running Samba Version 4.1.6-Ubuntu on Ubuntu 14.04 LTS. Is there
>> any
>> other specific information you need?
>>
>> Thanks,
>> Byron
>>
>>
> I can think of at least two things, what is in your smb.conf and why do
> you need to change the SID on a standalone server.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

From rpenny at samba.org Tue Dec 15 21:20:35 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 15 Dec 2015 21:20:35 +0000
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To:
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670808E.4070804@samba.org>
Message-ID: <56708423.3070109@samba.org>

On 15/12/15 21:16, Byron Bogaert wrote:
> Hi Rowland,
>
> We need to change the SID on a standalone server because it needs to
> also act as a File Server. The authentication comes from LDAP, and we
> have existing entries in LDAP for the SID of the domain. Instead of changing
> all the SIDs in LDAP, we would like to be able to change it on the server.
>
> Hope this helps.
>
> Thanks,
> Byron
>
> --
> */Byron Bogaert/*
> *IT System Administrator*
> Wikimedia Foundation
>
> Imagine a world in which every single human being can freely share
> in the sum of all knowledge. Help us make it a reality!
> https://donate.wikimedia.org
>
> On Tue, Dec 15, 2015 at 1:05 PM, Rowland penny wrote:
>
>     On 15/12/15 20:58, Byron Bogaert wrote:
>
>         Hi Marc,
>
>         We are running Samba Version 4.1.6-Ubuntu on Ubuntu 14.04 LTS.
>         Is there any
>         other specific information you need?
>
>         Thanks,
>         Byron
>
>
>     I can think of at least two things, what is in your smb.conf and
>     why do you need to change the SID on a standalone server.
>
>     Rowland
>
>

Ah, that explains it then, you do not seem to be setting up a standalone server, please post your smb.conf

Rowland

From bbogaert at wikimedia.org Tue Dec 15 21:25:13 2015
From: bbogaert at wikimedia.org (Byron Bogaert)
Date: Tue, 15 Dec 2015 13:25:13 -0800
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To: <56708423.3070109@samba.org>
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670808E.4070804@samba.org> <56708423.3070109@samba.org>
Message-ID:

Our Global Configuration is as follows:

#======================= Global Settings =======================

[global]
   workgroup = WIKIMEDIA
   netbios name = THEWIGGLE
   server string = %h server (Samba, Ubuntu)
   security = user
   dns proxy = no

#### Debugging/Accounting ####
   log level = 2
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

####### Authentication #######
   server role = standalone server
   passdb backend = ldapsam:ldap://somehost.wikimedia.org

   ldap suffix = dc=wikimedia,dc=org
   ldap user suffix = ou=people
   ldap group suffix = ou=groups
   ldap machinesuffix = ou=computers
   ldap idmap suffix = ou=Idmap
   ldap ssl = start tls
   ldap admin dn =
   ldap password sync = yes
   obey pam restrictions = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   map to guest = bad user

############ Misc ############

   usershare allow guests = yes

--
*Byron Bogaert*
*IT System Administrator*
Wikimedia Foundation

Imagine a world in which every single human being can freely share in the sum of all knowledge. Help us make it a reality!
https://donate.wikimedia.org

On Tue, Dec 15, 2015 at 1:20 PM, Rowland penny wrote:

> On 15/12/15 21:16, Byron Bogaert wrote:
>
>> Hi Rowland,
>>
>> We need to change the SID on a standalone server because it needs to also
>> act as a File Server. The authentication comes from LDAP, and we have
>> existing entries in LDAP for the SID of the domain. Instead of changing all the
>> SIDs in LDAP, we would like to be able to change it on the server.
>>
>> Hope this helps.
>>
>> Thanks,
>> Byron
>>
>> --
>> */Byron Bogaert/*
>> *IT System Administrator*
>> Wikimedia Foundation
>>
>> Imagine a world in which every single human being can freely share in the
>> sum of all knowledge. Help us make it a reality!
>> https://donate.wikimedia.org
>>
>> On Tue, Dec 15, 2015 at 1:05 PM, Rowland penny <rpenny at samba.org> wrote:
>>
>>     On 15/12/15 20:58, Byron Bogaert wrote:
>>
>>         Hi Marc,
>>
>>         We are running Samba Version 4.1.6-Ubuntu on Ubuntu 14.04 LTS.
>>         Is there any
>>         other specific information you need?
>>
>>         Thanks,
>>         Byron
>>
>>
>>     I can think of at least two things, what is in your smb.conf and
>>     why do you need to change the SID on a standalone server.
>>
>>     Rowland
>>
>>
> Ah, that explains it then, you do not seem to be setting up a standalone
> server, please post your smb.conf
>
>
> Rowland
>

From rpenny at samba.org Tue Dec 15 22:11:20 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 15 Dec 2015 22:11:20 +0000
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To:
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670808E.4070804@samba.org> <56708423.3070109@samba.org>
Message-ID: <56709008.1000708@samba.org>

On 15/12/15 21:25, Byron Bogaert wrote:
> Our Global Configuration is as follows:
>
> #======================= Global Settings =======================
>
> [global]
>    workgroup = WIKIMEDIA
>    netbios name = THEWIGGLE
>    server string = %h server (Samba, Ubuntu)
>    security = user
>    dns proxy = no
>
> #### Debugging/Accounting ####
>    log level = 2
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>
> ####### Authentication #######
>    server role = standalone server
>    passdb backend = ldapsam:ldap://somehost.wikimedia.org
>
>    ldap suffix = dc=wikimedia,dc=org
>    ldap user suffix = ou=people
>    ldap group suffix = ou=groups
>    ldap machinesuffix = ou=computers
>    ldap idmap suffix = ou=Idmap
>    ldap ssl = start tls
>    ldap admin dn =
>    ldap password sync = yes
>    obey pam restrictions = yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>    pam password change = yes
>    map to guest = bad user
>
> ############ Misc ############
>
>    usershare allow guests = yes
>
>

I think (bearing in mind that it has been quite some time since I had anything to do with samba & ldap) you do not need to change the SID on your standalone server if you are using ldap from another machine just for authentication. You will need to set up nslcd to use the info from the ldap server.

Rowland

From terjet-list at funcom.com Tue Dec 15 22:27:12 2015
From: terjet-list at funcom.com (Tetra)
Date: Tue, 15 Dec 2015 23:27:12 +0100
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To:
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670808E.4070804@samba.org>
Message-ID:

On 15.12.2015 22:16, Byron Bogaert wrote:
> We need to change the SID on a standalone server because it needs to also
> act as a File Server. The authentication comes from LDAP, and we have
> existing entries in LDAP for the SID of the domain. Instead of changing all the
> SIDs in LDAP, we would like to be able to change it on the server.

I noticed something similar (though while testing on some older samba-3 standalone servers, where I wanted to see if I could use ldap instead of an rsync-replicated smbpasswd file by setting the same SID on all servers.)

The SID is locally stored in secrets.tdb and you can see it with tdbtool (though in hex, and you need to know that the last three 10-digit numbers in the SID are 32 bits or 4 bytes each).

It seems net setlocalsid changed the sid in secrets.tdb, but the server finds its SID in LDAP after that is set up in smb.conf, and there it was not changed.

I solved it by also changing it manually on the LDAP server, or made sure that the sid was changed locally before starting up smbd with LDAP configured, or deleted the LDAP entry for the server and restarted smbd so it was generated anew.

YMMV.

From rpenny at samba.org Tue Dec 15 22:40:26 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 15 Dec 2015 22:40:26 +0000
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To:
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670808E.4070804@samba.org>
Message-ID: <567096DA.1040209@samba.org>

On 15/12/15 22:27, Tetra wrote:
> On 15.12.2015 22:16, Byron Bogaert wrote:
>> We need to change the SID on a standalone server because it needs to
>> also
>> act as a File Server. The authentication comes from LDAP, and we have
>> existing entries in LDAP for the SID of the domain. Instead of changing all
>> the
>> SIDs in LDAP, we would like to be able to change it on the server.
>
> I noticed something similar (though while testing on some older
> samba-3 standalone servers, where I wanted to see if I could use ldap
> instead of an rsync-replicated smbpasswd file by setting the same SID on
> all servers.)
>
> The SID is locally stored in secrets.tdb and you can see it with tdbtool
> (though in hex, and you need to know that the last three 10-digit numbers
> in the SID are 32 bits or 4 bytes each).
>
> It seems net setlocalsid changed the sid in secrets.tdb, but the server
> finds its SID in LDAP after that is set up in smb.conf, and there it
> was not changed.
>
> I solved it by also changing it manually on the LDAP server, or made
> sure that the sid was changed locally before starting up smbd with LDAP
> configured, or deleted the LDAP entry for the server and restarted smbd
> so it was generated anew.
>
> YMMV.
>
>

The problem is that the machine is supposed to be a standalone server and how can it be one, if it has the same SID as another machine, or am I missing something? Surely, if it does have the same SID, you are talking a basic domain.

As long as the computer can get the users' details from ldap and the underlying OS can see this info, it shouldn't make any difference what its SID is, i.e. as long as 'getent passwd ' returns the required info.

Rowland

From terjet-list at funcom.com Wed Dec 16 00:35:01 2015
From: terjet-list at funcom.com (Tetra)
Date: Wed, 16 Dec 2015 01:35:01 +0100
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To: <567096DA.1040209@samba.org>
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670808E.4070804@samba.org> <567096DA.1040209@samba.org>
Message-ID:

On 15.12.2015 23:40, Rowland penny wrote:
> The problem is that the machine is supposed to be a standalone server
> and how can it be one, if it has the same SID as another machine, or am
> I missing something? Surely, if it does have the same SID, you are
> talking a basic domain.
No, if it is a standalone server, it doesn't really care about what SID it has itself (localsid), but the test I did showed that it did care about what SID a user had.

...

> As long as the computer can get the users' details from ldap and the
> underlying OS can see this info, it shouldn't make any difference what
> its SID is, i.e. as long as 'getent passwd ' returns the
> required info.

If the server has a sid of S-1-5-21-x-y-z the user must have a SID + rid (relative id) that matches, e.g. S-1-5-21-x-y-z-1000. If not, I couldn't log on to the share. So I decided on an easy-to-remember SID and a generic domain name of SAMBA and added all users to LDAP with this as sambaSID and sambaDomainName (using the tool LDAP Account Manager Pro from Roland Gruber). When I then add all servers with the same SID, I manage to log on to the fileshares.

This was for testing how I could, in a simple way, replace a system with standalone servers with a smbpasswd file where all the users were created on one of them, then the smbpasswd file was rsynced to the others. (The unix/linux users and groups were the same on all servers thanks to NIS, now being replaced with LDAP.)

We don't need a domain for this system. The PCs used are currently not in a domain at all, the Linux PCs will not, the Macs like not, and there are even some Windows Home PCs that cannot join a domain. The Samba servers are just for providing file shares in a way Windows recognizes. We don't want it to be possible to make users or change passwords locally on the samba servers, all that should be done in the LDAP Account Manager (it can update linux and samba passwords at the same time.)

I haven't concluded yet if this is how to do it, but it seems it is a possible way of doing it.

From bbogaert at wikimedia.org Wed Dec 16 00:46:09 2015
From: bbogaert at wikimedia.org (Byron Bogaert)
Date: Tue, 15 Dec 2015 16:46:09 -0800
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To:
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670808E.4070804@samba.org> <567096DA.1040209@samba.org>
Message-ID:

Hi Tetra,

This is the way we are currently looking at building our SAMBA file server. The reason why we would like to change the SID on the SAMBA server is so we do not need to change all the existing entries in ldap to be SID + rid.

-Byron

--
*Byron Bogaert*
*IT System Administrator*
Wikimedia Foundation

Imagine a world in which every single human being can freely share in the sum of all knowledge. Help us make it a reality!
https://donate.wikimedia.org

On Tue, Dec 15, 2015 at 4:35 PM, Tetra wrote:

> On 15.12.2015 23:40, Rowland penny wrote:
>
>> The problem is that the machine is supposed to be a standalone server
>> and how can it be one, if it has the same SID as another machine, or am
>> I missing something? Surely, if it does have the same SID, you are
>> talking a basic domain.
>>
>
> No, if it is a standalone server, it doesn't really care about what SID
> it has itself (localsid), but the test I did showed that it did care about
> what SID a user had. ...
>
> As long as the computer can get the users' details from ldap and the
>> underlying OS can see this info, it shouldn't make any difference what
>> its SID is, i.e. as long as 'getent passwd ' returns the
>> required info.
>>
>
> If the server has a sid of S-1-5-21-x-y-z the user must have a SID + rid
> (relative id) that matches, e.g. S-1-5-21-x-y-z-1000. If not, I couldn't log
> on to the share. So I decided on an easy-to-remember SID and a generic
> domain name of SAMBA and added all users to LDAP with this as sambaSID and
> sambaDomainName (using the tool LDAP Account Manager Pro from Roland
> Gruber). When I then add all servers with the same SID, I manage to log on to
> the fileshares.
>
> This was for testing how I could, in a simple way, replace a system with
> standalone servers with a smbpasswd file where all the users were created
> on one of them, then the smbpasswd file was rsynced to the others. (The
> unix/linux users and groups were the same on all servers thanks to NIS, now
> being replaced with LDAP.)
>
> We don't need a domain for this system. The PCs used are currently not in
> a domain at all, the Linux PCs will not, the Macs like not, and there are
> even some Windows Home PCs that cannot join a domain. The Samba servers are
> just for providing file shares in a way Windows recognizes. We don't want
> it to be possible to make users or change passwords locally on the samba
> servers, all that should be done in the LDAP Account Manager (it can update
> linux and samba passwords at the same time.)
>
> I haven't concluded yet if this is how to do it, but it seems it is a
> possible way of doing it.
>
>

From abartlet at samba.org Wed Dec 16 07:44:19 2015
From: abartlet at samba.org (Andrew Bartlett)
Date: Wed, 16 Dec 2015 20:44:19 +1300
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To:
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670808E.4070804@samba.org> <567096DA.1040209@samba.org>
Message-ID: <1450251859.15594.163.camel@samba.org>

On Wed, 2015-12-16 at 01:35 +0100, Tetra wrote:
> We don't need a domain for this system. The PCs used are currently
> not
> in a domain at all, the Linux PCs will not, the Macs like not, and
> there
> are even some Windows Home PCs that cannot join a domain. The Samba
> servers are just for providing file shares in a way Windows
> recognizes.
> We don't want it to be possible to make users or change passwords
> locally
> on the samba servers, all that should be done in the LDAP Account
> Manager (it can update linux and samba passwords at the same time.)
>
> I haven't concluded yet if this is how to do it, but it seems it is
> a
> possible way of doing it.
>

Even if you don't think of the various Samba servers offering file shares as being in a domain, if they share a password database, the only supported way of doing so is if they are domain controllers.

If you have nothing joined to the domain, it is harmless for the servers to also be a PDC or BDC of an NT4-like domain, and by doing so you step back inside the supported envelope, rather than hacking a currently mostly-working solution outside it.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

From abartlet at samba.org Wed Dec 16 07:45:10 2015
From: abartlet at samba.org (Andrew Bartlett)
Date: Wed, 16 Dec 2015 20:45:10 +1300
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To:
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670808E.4070804@samba.org> <567096DA.1040209@samba.org>
Message-ID: <1450251910.15594.165.camel@samba.org>

On Tue, 2015-12-15 at 16:46 -0800, Byron Bogaert wrote:
> Hi Tetra,
>
> This is the way we are currently looking at building our SAMBA file
> server.
> The reason why we would like to change the SID on the SAMBA server is
> so we
> do not need to change all the existing entries in ldap to be SID +
> rid.

When you promote your Samba server to be a BDC, and point it at the LDAP server, it will auto-sync the SID from that domain to also be the local sid.
Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

From rpenny at samba.org Wed Dec 16 08:42:47 2015
From: rpenny at samba.org (Rowland penny)
Date: Wed, 16 Dec 2015 08:42:47 +0000
Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To: <1450251859.15594.163.camel@samba.org>
References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670808E.4070804@samba.org> <567096DA.1040209@samba.org> <1450251859.15594.163.camel@samba.org>
Message-ID: <56712407.5020405@samba.org>

On 16/12/15 07:44, Andrew Bartlett wrote:
> On Wed, 2015-12-16 at 01:35 +0100, Tetra wrote:
>
>> We don't need a domain for this system. The PCs used are currently
>> not
>> in a domain at all, the Linux PCs will not, the Macs like not, and
>> there
>> are even some Windows Home PCs that cannot join a domain. The Samba
>> servers are just for providing file shares in a way Windows
>> recognizes.
>> We don't want it to be possible to make users or change passwords
>> locally
>> on the samba servers, all that should be done in the LDAP Account
>> Manager (it can update linux and samba passwords at the same time.)
>>
>> I haven't concluded yet if this is how to do it, but it seems it is
>> a
>> possible way of doing it.
>>
> Even if you don't think of the various Samba servers offering file
> shares as being in a domain, if they share a password database, the
> only supported way of doing so is if they are domain controllers.
>
> If you have nothing joined to the domain, it is harmless for the servers
> to also be a PDC or BDC of an NT4-like domain, and by doing so you step
> back inside the supported envelope, rather than hacking a currently
> mostly-working solution outside it.
>
> Andrew Bartlett
>

Thanks for confirming what I thought: a standalone server is a server that holds its own user & group database; if it connects to something else for the users & groups, it isn't a standalone server.

Rowland

From belle at bazuin.nl Wed Dec 16 08:44:50 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 16 Dec 2015 09:44:50 +0100
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To: <56705C80.9010909@gmail.com>
References:
Message-ID:

Devuan.. a thing I'm going to have a look into.
I do get why debian is switching to systemd.. really much better control of the startup process, but yeah, lots harder to configure...

Besides that...
Is this a samba using internal DNS?

Can you also post the output of:
systemctl list-dependencies samba-ad-dc
or
systemctl list-dependencies

and post:
systemctl show samba-ad-dc.service | egrep "After|ExecS"

and, as already requested, the content of smb.conf.

Greetz,

Louis

> -----Original message-----
> From: gimili [mailto:gimili17 at gmail.com]
> Sent: Tuesday 15 December 2015 19:31
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] domain authentication issue after rebooting Debian
> Jessie - need to restart samba each time
>
> On 12/15/2015 12:13 PM, L.P.H. van Belle wrote:
> > Hai,
> >
> > If not, well, very strange, i have about 7 Jessie's here with samba and
> > i dont have any problems.
> > I think systemd is blocking your startup of samba due to multiple errors
> > on startups previously.
> >
> > Few questions?
> >
> > Do you have samba with shares over nfs?
> > If so, create the following folder :
> > /etc/systemd/system/nfs-common.service.d/
> >
> > Add the following file with content to the file : remote-fs-pre.conf
> > [Unit]
> > Before=remote-fs-pre.target
> > Wants=remote-fs-pre.target
> >
> >
> > What is the output of ?
> > systemctl status samba-ad-dc
> >
> > if its masked..
then type :' > > systemctl unmask samba-ad-dc > > and > > systemctl restart samba-ad-dc > > reboot and see if it's all started. > > Greetz, > > > > Louis > > > > Still no luck. Maybe I am back to a delayed start using /etc/rc.local. > Good to know it is working for someone. I must have done something > wrong. Perhaps I will start from scratch. > > >systemctl status samba-ad-dc > > ● samba-ad-dc.service - LSB: start Samba daemons for the AD DC > Loaded: loaded (/etc/init.d/samba-ad-dc) > Active: active (running) since Tue 2015-12-15 13:14:43 EST; 11min ago > CGroup: /system.slice/samba-ad-dc.service > ├─846 /usr/sbin/samba -D > ├─900 /usr/sbin/samba -D > ├─901 /usr/sbin/samba -D > ├─902 /usr/sbin/samba -D > ├─903 /usr/sbin/samba -D > ├─904 /usr/sbin/samba -D > ├─905 /usr/sbin/smbd -D --option=server role > check:inhibit=yes --foreground > ├─906 /usr/sbin/samba -D > ├─907 /usr/sbin/samba -D > ├─908 /usr/sbin/samba -D > ├─909 /usr/sbin/samba -D > ├─910 /usr/sbin/samba -D > ├─911 /usr/sbin/samba -D > ├─912 /usr/sbin/samba -D > ├─913 /usr/sbin/samba -D > └─938 /usr/sbin/smbd -D --option=server role > check:inhibit=yes --foreground > > Dec 15 13:14:43 bob.ad.test.org samba[841]: [2015/12/15 > 13:14:43.398943, 0] ../source4/smbd/server.c:370(binary_smbd_main) > Dec 15 13:14:43 bob.ad.test.org samba[841]: samba version 4.1.17-Debian > started. > Dec 15 13:14:43 bob.ad.test.org samba[841]: Copyright Andrew Tridgell > and the Samba Team 1992-2013 > Dec 15 13:14:43 bob.ad.test.org samba-ad-dc[471]: Starting Samba AD DC > daemon: samba. 
> Dec 15 13:14:43 bob.ad.test.org samba[846]: [2015/12/15 > 13:14:43.782455, 0] ../source4/smbd/server.c:488(binary_smbd_main) > Dec 15 13:14:43 bob.ad.test.org samba[846]: samba: using 'standard' > process model > Dec 15 13:14:43 bob.ad.test.org samba[846]: [2015/12/15 > 13:14:43.829676, 0] ../lib/util/become_daemon.c:136(daemon_ready) > Dec 15 13:14:44 bob.ad.test.org smbd[905]: [2015/12/15 13:14:44.332073, > 0] ../lib/util/become_daemon.c:136(daemon_ready) > Dec 15 13:25:03 bob.ad.test.org samba[912]: [2015/12/15 > 13:25:03.932432, 0] > ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done) > Dec 15 13:25:03 bob.ad.test.org samba[912]: > ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - > NT_STATUS_IO_TIMEOUT > > - > gimili From danielmadrid19 at gmail.com Wed Dec 16 09:25:43 2015 From: danielmadrid19 at gmail.com (=?UTF-8?Q?Daniel_Carrasco_Mar=c3=adn?=) Date: Wed, 16 Dec 2015 10:25:43 +0100 Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time In-Reply-To: References: Message-ID: <56712E17.5000208@gmail.com> Hi again, I've restarted my server to check if it fails and it is working fine. My specifications are: - Debian 8u6 jessie 3.16.0-4-amd64 - Samba version 4.2.5-SerNet-Debian-8.jessie - DNS Backend Bind Greetings! On 16/12/15 at 09:44, L.P.H. van Belle wrote: > Devuan.. a thing im going to have a look into. > I do get why debian is switching to systemd.. really much better control of the startup process, but yeah, lots harder to configure... > > > Besides that... > This is a samba using internal DNS? 
> > Can you also post the output of > systemctl list-dependencies samba-ad-dc > or > systemctl list-dependencies > > and post > systemctl show samba-ad-dc.service | egrep "After|ExecS" > > as already requested the content of smb.conf > > > > Greez, > > Louis > >> -----Original message----- >> From: gimili [mailto:gimili17 at gmail.com] >> Sent: Tuesday 15 December 2015 19:31 >> To: L.P.H. van Belle; samba at lists.samba.org >> Subject: Re: [Samba] domain authentication issue after rebooting Debian >> Jessie - need to restart samba each time >> >> On 12/15/2015 12:13 PM, L.P.H. van Belle wrote: >>> Hai, >>> >>> If not, well, very strange, i have about 7 Jessie's here with samba and >>> i dont have any problems. >>> I think systemd is blocking your startup of samba due to multiple errors >> on startups previously. >>> Few questions? >>> >>> Do you have samba with shares over nfs? >>> If so, create the following folder : >>> /etc/systemd/system/nfs-common.service.d/ >>> >>> Add the following file with content to the file : remote-fs-pre.conf >>> [Unit] >>> Before=remote-fs-pre.target >>> Wants=remote-fs-pre.target >>> >>> >>> What is the output of ? >>> systemctl status samba-ad-dc >>> >>> if its masked.. then type :' >>> systemctl unmask samba-ad-dc >>> and >>> systemctl restart samba-ad-dc >>> reboot and see if it's all started. >>> Greetz, >>> >>> Louis >>> >> Still no luck. Maybe I am back to a delayed start using /etc/rc.local. >> Good to know it is working for someone. I must have done something >> wrong. Perhaps I will start from scratch. 
>> >> >systemctl status samba-ad-dc >> >> ● samba-ad-dc.service - LSB: start Samba daemons for the AD DC >> Loaded: loaded (/etc/init.d/samba-ad-dc) >> Active: active (running) since Tue 2015-12-15 13:14:43 EST; 11min ago >> CGroup: /system.slice/samba-ad-dc.service >> ├─846 /usr/sbin/samba -D >> ├─900 /usr/sbin/samba -D >> ├─901 /usr/sbin/samba -D >> ├─902 /usr/sbin/samba -D >> ├─903 /usr/sbin/samba -D >> ├─904 /usr/sbin/samba -D >> ├─905 /usr/sbin/smbd -D --option=server role >> check:inhibit=yes --foreground >> ├─906 /usr/sbin/samba -D >> ├─907 /usr/sbin/samba -D >> ├─908 /usr/sbin/samba -D >> ├─909 /usr/sbin/samba -D >> ├─910 /usr/sbin/samba -D >> ├─911 /usr/sbin/samba -D >> ├─912 /usr/sbin/samba -D >> ├─913 /usr/sbin/samba -D >> └─938 /usr/sbin/smbd -D --option=server role >> check:inhibit=yes --foreground >> >> Dec 15 13:14:43 bob.ad.test.org samba[841]: [2015/12/15 >> 13:14:43.398943, 0] ../source4/smbd/server.c:370(binary_smbd_main) >> Dec 15 13:14:43 bob.ad.test.org samba[841]: samba version 4.1.17-Debian >> started. >> Dec 15 13:14:43 bob.ad.test.org samba[841]: Copyright Andrew Tridgell >> and the Samba Team 1992-2013 >> Dec 15 13:14:43 bob.ad.test.org samba-ad-dc[471]: Starting Samba AD DC >> daemon: samba. 
>> Dec 15 13:14:43 bob.ad.test.org samba[846]: [2015/12/15 >> 13:14:43.782455, 0] ../source4/smbd/server.c:488(binary_smbd_main) >> Dec 15 13:14:43 bob.ad.test.org samba[846]: samba: using 'standard' >> process model >> Dec 15 13:14:43 bob.ad.test.org samba[846]: [2015/12/15 >> 13:14:43.829676, 0] ../lib/util/become_daemon.c:136(daemon_ready) >> Dec 15 13:14:44 bob.ad.test.org smbd[905]: [2015/12/15 13:14:44.332073, >> 0] ../lib/util/become_daemon.c:136(daemon_ready) >> Dec 15 13:25:03 bob.ad.test.org samba[912]: [2015/12/15 >> 13:25:03.932432, 0] >> ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done) >> Dec 15 13:25:03 bob.ad.test.org samba[912]: >> ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - >> NT_STATUS_IO_TIMEOUT >> >> - >> gimili > > From kseeger at samba.org Wed Dec 16 11:21:35 2015 From: kseeger at samba.org (Karolin Seeger) Date: Wed, 16 Dec 2015 12:21:35 +0100 Subject: [Samba] [Announce] Samba 4.3.3, 4.2.7, 4.1.22 and ldb 1.1.24 Security Releases Available for Download Message-ID: <20151216112133.GA7581@carrie> Release Announcements --------------------- This is a security release in order to address the following CVEs: o CVE-2015-7540 (Remote DoS in Samba (AD) LDAP server) o CVE-2015-3223 (Denial of service in Samba Active Directory server) o CVE-2015-5252 (Insufficient symlink verification in smbd) o CVE-2015-5299 (Missing access control check in shadow copy code) o CVE-2015-5296 (Samba client requesting encryption vulnerable to downgrade attack) o CVE-2015-8467 (Denial of service attack against Windows Active Directory server) o CVE-2015-5330 (Remote memory read in Samba LDAP server) Please note that if building against a system libldb, the required version has been bumped to ldb-1.1.24. This is needed to ensure we build against a system ldb library that contains the fixes for CVE-2015-5330 and CVE-2015-3223. 
======= Details ======= o CVE-2015-7540: All versions of Samba from 4.0.0 to 4.1.21 inclusive are vulnerable to an anonymous memory exhaustion attack in the samba daemon LDAP server. A malicious client can send packets that cause the LDAP server provided by the AD DC in the samba daemon process to consume unlimited memory and be terminated. o CVE-2015-3223: All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all ldb versions up to 1.1.23 inclusive) are vulnerable to a denial of service attack in the samba daemon LDAP server. A malicious client can send packets that cause the LDAP server in the samba daemon process to become unresponsive, preventing the server from servicing any other requests. This flaw is not exploitable beyond causing the code to loop expending CPU resources. o CVE-2015-5252: All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to a bug in symlink verification, which under certain circumstances could allow client access to files outside the exported share path. If a Samba share is configured with a path that shares a common path prefix with another directory on the file system, the smbd daemon may allow the client to follow a symlink pointing to a file or directory in that other directory, even if the share parameter "wide links" is set to "no" (the default). o CVE-2015-5299: All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to a missing access control check in the vfs_shadow_copy2 module. When looking for the shadow copy directory under the share path the current accessing user should have DIRECTORY_LIST access rights in order to view the current snapshots. This was not being checked in the affected versions of Samba. o CVE-2015-5296: Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that signing is negotiated when creating an encrypted client connection to a server. 
Without this a man-in-the-middle attack could downgrade the connection and connect using the supplied credentials as an unsigned, unencrypted connection. o CVE-2015-8467: Samba, operating as an AD DC, is sometimes operated in a domain with a mix of Samba and Windows Active Directory Domain Controllers. All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as an AD DC in the same domain with Windows DCs, could be used to override the protection against the MS15-096 / CVE-2015-2535 security issue in Windows. Prior to MS16-096 it was possible to bypass the quota of machine accounts a non-administrative user could create. Pure Samba domains are not impacted, as Samba does not implement the SeMachineAccountPrivilege functionality to allow non-administrator users to create new computer objects. o CVE-2015-5330: All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all ldb versions up to 1.1.23 inclusive) are vulnerable to a remote memory read attack in the samba daemon LDAP server. A malicious client can send packets that cause the LDAP server in the samba daemon process to return heap memory beyond the length of the requested value. This memory may contain data that the client should not be allowed to see, allowing compromise of the server. The memory may either be returned to the client in an error string, or stored in the database by a suitably privileged user. If untrusted users can create objects in your database, please confirm that all DN and name attributes are reasonable. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored. 
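The common-prefix mistake behind the CVE-2015-5252 description above, as an added example that is not part of the announcement or of Samba's code: a naive string-prefix containment check beside one that compares whole path components, both run on a constructed directory layout (a share directory and a sibling "share2" that shares its prefix, with a symlink from the share into the sibling).

```python
"""Editor's added illustration of the CVE-2015-5252 class of bug.

Not Samba's code. The directory names, the symlink and the helper
functions are all constructed here for the demonstration.
"""
import os
import tempfile


def naive_inside_share(share_root: str, target: str) -> bool:
    """Buggy containment check: plain string prefix.

    '<base>/share2/secret.txt' starts with '<base>/share', so a symlink
    resolving there passes even though it lies outside the share.
    """
    return os.path.realpath(target).startswith(os.path.realpath(share_root))


def inside_share(share_root: str, target: str) -> bool:
    """Correct containment check: compare resolved path components.

    os.path.commonpath works on whole components, so '<base>/share2' is
    not treated as lying under '<base>/share'.
    """
    root = os.path.realpath(share_root)
    real = os.path.realpath(target)
    try:
        return os.path.commonpath([root, real]) == root
    except ValueError:
        # Mixed absolute/relative paths or different drives: not inside.
        return False


def build_layout(base: str) -> dict:
    """Constructed layout under `base`:

        share/readme.txt          exported file inside the share
        share/escape -> ../share2/secret.txt   symlink leaving the share
        share2/secret.txt         file that must stay unreachable
    """
    share = os.path.join(base, "share")
    sibling = os.path.join(base, "share2")
    os.makedirs(share)
    os.makedirs(sibling)
    secret = os.path.join(sibling, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("not exported\n")
    inside = os.path.join(share, "readme.txt")
    with open(inside, "w") as fh:
        fh.write("exported\n")
    link = os.path.join(share, "escape")
    os.symlink(secret, link)
    return {"share": share, "link": link, "inside": inside, "secret": secret}


def compare_checks() -> dict:
    """Run both checks against the constructed layout and report results."""
    with tempfile.TemporaryDirectory() as base:
        paths = build_layout(base)
        return {
            # The prefix check lets the symlink escape into share2.
            "naive_allows_escape": naive_inside_share(paths["share"], paths["link"]),
            # The component check rejects it ...
            "strict_allows_escape": inside_share(paths["share"], paths["link"]),
            # ... while still admitting a file that really is in the share.
            "strict_allows_inside": inside_share(paths["share"], paths["inside"]),
        }


if __name__ == "__main__":
    for name, value in compare_checks().items():
        print(f"{name}: {value}")
```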
All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ================ Download Details ================ The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from: https://download.samba.org/pub/samba/stable/ Patches addressing this defect have been posted to https://www.samba.org/samba/history/security.html The release notes are available online at: https://www.samba.org/samba/history/samba-4.3.3.html https://www.samba.org/samba/history/samba-4.2.7.html https://www.samba.org/samba/history/samba-4.1.22.html The uncompressed ldb tarball has been signed using GnuPG (ID 13084025). The ldb-1.1.24 source code can be downloaded from: https://download.samba.org/pub/ldb/ldb-1.1.24.tar.gz Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) --Enjoy The Samba Team -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: Digital signature URL: From vigneshdhanraj.g at gmail.com Wed Dec 16 12:24:49 2015 From: vigneshdhanraj.g at gmail.com (VigneshDhanraj G) Date: Wed, 16 Dec 2015 17:54:49 +0530 Subject: [Samba] Pam-logon failure for AD users In-Reply-To: <566BEA59.4050402@samba.org> References: <5638B13D.8000108@gmail.com> <566941C5.7000701@samba.org> <566BEA59.4050402@samba.org> Message-ID: Thanks rowland, I understand that there was a mess. and now i changed the smb.conf with the above as you instructed to be. But still i found same issue. I have two systems which connect to same AD. i found two different winbind logs. One uses pam_auth and other one which is not working uses pam_auth_crap while using pam logon. 
I browsed on this but unfortunately i am not able to find anything useful. May i know please, whats the difference between pam_auth and pam_auth_crap. may this would be the problem? could you please help me regarding this. Regards, Vigneshdhanraj G On Sat, Dec 12, 2015 at 3:05 PM, Rowland penny wrote: > On 12/12/15 08:53, VigneshDhanraj G wrote: > >> sorry for the late response Rowland, >> >> I didn't change the smb.conf with the same smb.conf, i configured new AD >> that works fine. Do you need to change the smb.conf could you please tell >> me what i need to change specifically. And i also suspect that problem with >> my AD server. But i am not able to find the exact problem, The confusion is >> Ftp works with same pam working fine but cifs always shows access denied. >> if password is wrong it shows Wrong password. >> >> Regards, >> >> Vigneshdhanraj G >> >> On Thu, Dec 10, 2015 at 2:41 PM, Rowland penny > rpenny at samba.org>> wrote: >> >> On 10/12/15 07:49, VigneshDhanraj G wrote: >> >> Hi, >> >> This issue not solved, ftp and cifs using same way of >> authentication. but >> when trying to access cifs it always shows the same >> ACCESS_DENIED error. >> >> Regards, >> >> Vigneshdhanraj G >> >> >> On Tue, Nov 3, 2015 at 6:36 PM, Rowland Penny >> > > >> >> wrote: >> >> On 03/11/15 12:25, VigneshDhanraj G wrote: >> >> Hi Team, >> >> when i am running this command i am getting the >> following error >> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1" >> >> Enter DOMAIN\testusr1's password: >> plaintext password authentication failed >> error code was NT_STATUS_ACCESS_DENIED (0xc0000022) >> error message was: Access denied >> pam_logon failed for DOMAIN\testusr1 >> >> FTP and Cifs uses pam. Ftp authentication using domain >> working fine. But, >> Cifs showing ACCESS_DENIED error. 
>> >> Samba version : 4.1.17 >> >> In winbindd.log i could see >> [2015/11/03 11:59:46.377088, 10, pid=435, effective(0, >> 0), real(0, 0), >> class=winbind] >> ../source3/winbindd/winbindd.c:755(wb_request_done) >> wb_request_done[559:PAM_AUTH_CRAP]: >> NT_STATUS_ACCESS_DENIED >> >> My smb.conf is >> >> available= yes >> restrict anonymous= 0 >> server string= LenovoEMC™ px6-300d >> Workgroup= DOMAIN >> netbios name= Debian >> realm= DOMAIN.LOCAL >> password server= 192.168.1.100, * >> idmap backend= tdb >> idmap uid= 5000-9999999 >> idmap gid= 5000-9999999 >> security= ADS >> name resolve order= wins host bcast lmhosts >> client use spnego= yes >> dns proxy= no >> winbind use default domain= no >> winbind nested groups= yes >> inherit acls= yes >> winbind enum users= yes >> winbind enum groups= yes >> winbind separator= \\ >> winbind cache time= 300 >> winbind offline logon= true >> template shell= /bin/sh >> map to guest= Bad User >> host msdfs= yes >> strict allocate= yes >> encrypt passwords= yes >> passdb backend= smbpasswd >> printcap name= lpstat >> printable= no >> load printers= yes >> max smbd processes= 500 >> getwd cache= yes >> syslog= 0 >> use sendfile= yes >> log level= 0 >> max log size= 50 >> unix extensions= no >> dos charset= ascii >> state directory= /mnt/system/samba/system >> >> >> Windows client from which i am trying to access cifs >> is also connected to >> the domain. 
>> >> >> > Lets be honest, your original smb.conf was a mess, it uses a lot of > default settings and a lot of settings that really shouldn't be there, this > is what it really should have looked like: > > [global] > Workgroup= DOMAIN > security= ADS > realm= DOMAIN.LOCAL > netbios name= Debian > server string= LenovoEMC™ px6-300d > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > idmap config *:backend = tdb > idmap config *:range = 2000-4999 > idmap config DOMAIN:backend = rid > idmap config DOMAIN:range = 5000-9999999 > winbind nss info = template > winbind enum users = yes > winbind enum groups = yes > winbind refresh tickets = Yes > winbind offline logon= true > dns proxy= no > template shell= /bin/sh > map to guest= Bad User > strict allocate= yes # really meant to be used in a share > printcap name = lpstat > max smbd processes= 500 > syslog= 0 > max log size= 50 > use sendfile= yes > unix extensions= no > state directory= /mnt/system/samba/system # why are you moving this to > what I presume is a share > on another system????? > vfs objects = acl_xattr > map acl inherit = yes > store dos attributes = yes > > The 'tabbed' lines are yours, the others are what I would add. > > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > From rpenny at samba.org Wed Dec 16 13:05:21 2015 From: rpenny at samba.org (Rowland penny) Date: Wed, 16 Dec 2015 13:05:21 +0000 Subject: [Samba] Pam-logon failure for AD users In-Reply-To: References: <5638B13D.8000108@gmail.com> <566941C5.7000701@samba.org> <566BEA59.4050402@samba.org> Message-ID: <56716191.7040108@samba.org> On 16/12/15 12:24, VigneshDhanraj G wrote: > Thanks rowland, I understand that there was a mess. and now i changed > the smb.conf with the above as you instructed to be. But still i found > same issue. I have two systems which connect to same AD. i found to > different winbind logs. 
One uses pam_auth and other one which is not > working uses pam_auth_crap while using pam logon. I browsed on this > but unfortunately i am not able to find anything useful. > > May i know please, what's the difference between pam_auth and > pam_auth_crap. may this would be the problem? > > could you please help me regarding this. > > Regards, > > Vigneshdhanraj G > Are you using debian ? if so what does 'pam-auth-update' show? mine shows this: Kerberos authentication Unix authentication Winbind NT/Active Directory authentication GNOME Keyring Daemon - Login keyring management ConsoleKit Session Management Inheritable Capabilities Management Rowland From belle at bazuin.nl Wed Dec 16 13:15:02 2015 From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=) Date: Wed, 16 Dec 2015 14:15:02 +0100 Subject: [Samba] Pam-logon failure for AD users In-Reply-To: References: <566BEA59.4050402@samba.org> Message-ID: I see 2 things here which are strange. Self compiled samba > >> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1" Debian samba ? or older version installed and not latest. > >> Samba version : 4.1.17 Which is it? self compiled or debian samba? Greetz, Louis > -----Original message----- > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of VigneshDhanraj G > Sent: Wednesday 16 December 2015 13:25 > To: Rowland penny > CC: samba at lists.samba.org > Subject: Re: [Samba] Pam-logon failure for AD users > > Thanks rowland, I understand that there was a mess. and now i changed the > smb.conf with the above as you instructed to be. But still i found same > issue. I have two systems which connect to same AD. i found two different > winbind logs. One uses pam_auth and other one which is not working uses > pam_auth_crap while using pam logon. I browsed on this but unfortunately i > am not able to find anything useful. > > May i know please, what's the difference between pam_auth and > pam_auth_crap. > may this would be the problem? 
> > could you please help me regarding this. > > Regards, > > Vigneshdhanraj G > > On Sat, Dec 12, 2015 at 3:05 PM, Rowland penny wrote: > > > On 12/12/15 08:53, VigneshDhanraj G wrote: > > > >> sorry for the late response Rowland, > >> > >> I didn't change the smb.conf with the same smb.conf, i configured new > AD > >> that works fine. Do you need to change the smb.conf could you please > tell > >> me what i need to change specifically. And i also suspect that problem > with > >> my AD server. But i am not able to find the exact problem, The > confusion is > >> Ftp works with same pam working fine but cifs always shows access > denied. > >> if password is wrong it shows Wrong password. > >> > >> Regards, > >> > >> Vigneshdhanraj G > >> > >> On Thu, Dec 10, 2015 at 2:41 PM, Rowland penny >> rpenny at samba.org>> wrote: > >> > >> On 10/12/15 07:49, VigneshDhanraj G wrote: > >> > >> Hi, > >> > >> This issue not solved, ftp and cifs using same way of > >> authentication. but > >> when trying to access cifs it always shows the same > >> ACCESS_DENIED error. > >> > >> Regards, > >> > >> Vigneshdhanraj G > >> > >> > >> On Tue, Nov 3, 2015 at 6:36 PM, Rowland Penny > >> >> > > >> > >> wrote: > >> > >> On 03/11/15 12:25, VigneshDhanraj G wrote: > >> > >> Hi Team, > >> > >> when i am running this command i am getting the > >> following error > >> /usr/local/samba/bin/wbinfo --pam- > logon="DOMAIN\testusr1" > >> > >> Enter DOMAIN\testusr1's password: > >> plaintext password authentication failed > >> error code was NT_STATUS_ACCESS_DENIED (0xc0000022) > >> error message was: Access denied > >> pam_logon failed for DOMAIN\testusr1 > >> > >> FTP and Cifs uses pam. Ftp authentication using domain > >> working fine. But, > >> Cifs showing ACCESS_DENIED error. 
> >> > >> Samba version : 4.1.17 > >> > >> In winbindd.log i could see > >> [2015/11/03 11:59:46.377088, 10, pid=435, effective(0, > >> 0), real(0, 0), > >> class=winbind] > >> ../source3/winbindd/winbindd.c:755(wb_request_done) > >> wb_request_done[559:PAM_AUTH_CRAP]: > >> NT_STATUS_ACCESS_DENIED > >> > >> My smb.conf is > >> > >> available= yes > >> restrict anonymous= 0 > >> server string= LenovoEMC™ px6-300d > >> Workgroup= DOMAIN > >> netbios name= Debian > >> realm= DOMAIN.LOCAL > >> password server= 192.168.1.100, * > >> idmap backend= tdb > >> idmap uid= 5000-9999999 > >> idmap gid= 5000-9999999 > >> security= ADS > >> name resolve order= wins host bcast lmhosts > >> client use spnego= yes > >> dns proxy= no > >> winbind use default domain= no > >> winbind nested groups= yes > >> inherit acls= yes > >> winbind enum users= yes > >> winbind enum groups= yes > >> winbind separator= \\ > >> winbind cache time= 300 > >> winbind offline logon= true > >> template shell= /bin/sh > >> map to guest= Bad User > >> host msdfs= yes > >> strict allocate= yes > >> encrypt passwords= yes > >> passdb backend= smbpasswd > >> printcap name= lpstat > >> printable= no > >> load printers= yes > >> max smbd processes= 500 > >> getwd cache= yes > >> syslog= 0 > >> use sendfile= yes > >> log level= 0 > >> max log size= 50 > >> unix extensions= no > >> dos charset= ascii > >> state directory= /mnt/system/samba/system > >> > >> > >> Windows client from which i am trying to access cifs > >> is also connected to > >> the domain. 
> >> > >> > >> > > Lets be honest, your original smb.conf was a mess, it uses a lot of > > default settings and a lot of settings that really shouldn't be there, > this > > is what it really should have looked like: > > > > [global] > > Workgroup= DOMAIN > > security= ADS > > realm= DOMAIN.LOCAL > > netbios name= Debian > > server string= LenovoEMC™ px6-300d > > dedicated keytab file = /etc/krb5.keytab > > kerberos method = secrets and keytab > > idmap config *:backend = tdb > > idmap config *:range = 2000-4999 > > idmap config DOMAIN:backend = rid > > idmap config DOMAIN:range = 5000-9999999 > > winbind nss info = template > > winbind enum users = yes > > winbind enum groups = yes > > winbind refresh tickets = Yes > > winbind offline logon= true > > dns proxy= no > > template shell= /bin/sh > > map to guest= Bad User > > strict allocate= yes # really meant to be used in a share > > printcap name = lpstat > > max smbd processes= 500 > > syslog= 0 > > max log size= 50 > > use sendfile= yes > > unix extensions= no > > state directory= /mnt/system/samba/system # why are you moving this > to > > what I presume is a share > > on another system????? > > vfs objects = acl_xattr > > map acl inherit = yes > > store dos attributes = yes > > > > The 'tabbed' lines are yours, the others are what I would add. > > > > > > Rowland > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba From rpenny at samba.org Wed Dec 16 13:55:16 2015 From: rpenny at samba.org (Rowland penny) Date: Wed, 16 Dec 2015 13:55:16 +0000 Subject: [Samba] How can I change the localSID for a SAMBA Server? 
In-Reply-To: <567157FB.8090009@funcom.com> References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670808E.4070804@samba.org> <567096DA.1040209@samba.org> <1450251859.15594.163.camel@samba.org> <56712407.5020405@samba.org> <56713879.3050401@funcom.com> <5671504F.5010302@samba.org> <567157FB.8090009@funcom.com> Message-ID: <56716D44.2050108@samba.org> On 16/12/15 12:24, Terje Trane wrote: > On 16.12.2015 12:51, Rowland penny wrote: >> Once you start using just one machine to store the user & group >> database, you have a prototype domain. Running a workgroup with a lot >> of users is a pain, I know, I have been there, done that. Why is it a >> pain? because if a user wants to use a machine (even if just to use >> the shared printer), that user has to exist on the computer that >> holds the share. When a new user needs adding, the sysadmin has to go >> round every PC that the new user will connect to, in my case, this >> entailed a round trip of almost 200 miles, going to 3 depots. > > Yes, having to do that is a pain. But since the linux users are > already in NIS or LDAP, that problem should have been solved, and it > is for normal linux command line login, and NFS etc. > > The pain now is to have to go to each server and set up the samba > servers in a NT4 domain instead of just letting each server use what > already is provided. I understand that this is because Windows is > using its own hashing scheme(?), but I would love to see a supported > mode where a samba server could use a central password database in > LDAP, maybe even read only. Compare to the "well-known method" of > keeping a smbpasswd file updated on one server and just rsyncing it to > the others. (Inspired by the way NIS works, maybe?) There is a supported mode, it is called 'active directory' > > PS: > Isn't it an idea to keep the discussion on the list, or is it too > off-topic? 
Probably wise to keep it on list, but I just replied to an email you sent directly to me, you didn't send it to the list! Rowland From nico.deranter at esaturnus.com Wed Dec 16 14:26:08 2015 From: nico.deranter at esaturnus.com (Nico De Ranter) Date: Wed, 16 Dec 2015 15:26:08 +0100 Subject: [Samba] Cannot export all my users using pdbedit Message-ID: Hello again, I'm trying to move all my users from an old Samba server to a new Samba AD server. When I try to do a 'classicupgrade' the process crashes after a while without giving me a clear indication of what is going wrong. When I try to export the users using pdbedit -e smbpasswd , some of the accounts simply fail. If I look at the output I see something like: Processing account myfailinguser Home server: storage Home server: storage getsmbfilepwent: returning passwd entry for user someuser, uid 1013 ... getsmbfilepwent: returning passwd entry for user sshd, uid 10 getsmbfilepwent: end of file reached. endsmbfilepwent_internal: closed password file. build_sam_pass: Failing attempt to store user with non-uid based user RID. (Note: I changed the username to protect the innocent) What could be the reason why 'getsmbfilepwent' cannot find that user, but it can find other users. In total 15 accounts out of 60 fail. All users exist in NIS on that server. Thanks in advance, Nico -- Nico De Ranter Operations Engineer T. +32 16 40 12 82 M. +32 497 91 53 78 From terjet-list at funcom.com Wed Dec 16 15:08:04 2015 From: terjet-list at funcom.com (Tetra) Date: Wed, 16 Dec 2015 16:08:04 +0100 Subject: [Samba] How can I change the localSID for a SAMBA Server? 
In-Reply-To: <56716D44.2050108@samba.org> References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670808E.4070804@samba.org> <567096DA.1040209@samba.org> <1450251859.15594.163.camel@samba.org> <56712407.5020405@samba.org> <56713879.3050401@funcom.com> <5671504F.5010302@samba.org> <567157FB.8090009@funcom.com> <56716D44.2050108@samba.org> Message-ID: On 16.12.2015 14:55, Rowland penny wrote: > > Probably wise to keep it on list, but I just replied to an email you > sent directly to me, you didn't send it to the list! Ah, sorry. Seems I'm reading this both as a newsgroup and a mailing list, and the client behaves differently. Must pay more attention to what buttons I click on. From rpenny at samba.org Wed Dec 16 15:34:28 2015 From: rpenny at samba.org (Rowland penny) Date: Wed, 16 Dec 2015 15:34:28 +0000 Subject: [Samba] Cannot export all my users using pdbedit In-Reply-To: References: Message-ID: <56718484.90705@samba.org> On 16/12/15 14:26, Nico De Ranter wrote: > Hello again, > > I'm trying to move all my users from an old Samba server to a new Samba AD > server. When I try to do a 'classicupgrade' the process crashes after a > while without giving me a clear indication of what is going wrong. When I > try to export the users using pdbedit -e smbpasswd , some of the accounts > simply fail. If I look at the output I see something like: > > Processing account myfailinguser > Home server: storage > Home server: storage > getsmbfilepwent: returning passwd entry for user someuser, uid 1013 > ... > getsmbfilepwent: returning passwd entry for user sshd, uid 10 > getsmbfilepwent: end of file reached. > endsmbfilepwent_internal: closed password file. > build_sam_pass: Failing attempt to store user with non-uid based user RID. > > (Note: I changed the username to protect the innocent) > > What could be the reason why 'getsmbfilepwent' cannot find that user, but > it can find other users. In total 15 accounts out of 60 fail. 
All users > exist in NIS on that server. > > Thanks in advance, > > Nico > Could it be that they all have a UID of less than 1000? i.e. sshd is a Unix system user, but on your samba machine, it appears to have a samba UID of 10 Any chance of see more of that log file? Rowland From tabolin at speechpro.com Wed Dec 16 19:02:04 2015 From: tabolin at speechpro.com (=?UTF-8?B?0KLQsNCx0L7Qu9C40L0g0K7RgNC40Lk=?=) Date: Wed, 16 Dec 2015 22:02:04 +0300 Subject: [Samba] samba4 schema for openldap Message-ID: <5671B52C.9000804@speechpro.com> Hi all. I have samba 4.2.3 on freebsd 10.1 server. There are three DC and about 350 PC on domain. I wrote earlier that samba4 ldap performance is not enough for me. Now I want to try a server in the middle with openldap pcache - ldap cache proxy function. But it only works with appropriate openldap schema. Where I can find samba4 openldap schema? I'm going to cache simple queries such as (&(objectClass=user)(sAMAccountName=username)) I will have enough and the simplified schema. Thanks! -- With best regards, Tabolin Yuriy System administrator Speech Technology Center From rpenny at samba.org Wed Dec 16 19:35:22 2015 From: rpenny at samba.org (Rowland penny) Date: Wed, 16 Dec 2015 19:35:22 +0000 Subject: [Samba] samba4 schema for openldap In-Reply-To: <5671B52C.9000804@speechpro.com> References: <5671B52C.9000804@speechpro.com> Message-ID: <5671BCFA.2020001@samba.org> On 16/12/15 19:02, Таболин Юрий wrote: > Hi all. > > I have samba 4.2.3 on freebsd 10.1 server. There are three DC and > about 350 PC on domain. I wrote earlier that samba4 ldap performance > is not enough for me. Now I want to try a server in the middle with > openldap pcache - ldap cache proxy function. But it only works with > appropriate openldap schema. Where I can find samba4 openldap schema? > I'm going to cache simple queries such as > > (&(objectClass=user)(sAMAccountName=username)) > > I will have enough and the simplified schema. Thanks! 
> > Not sure there is one, there is some work going on to get samba4 working with LDAP instead of the builtin ldap server, but it has gone quiet lately, not that this means anything really. I understand that initially, Samba tried to use LDAP but could not get it to work, so had to go with their own built in ldap server. If you want to attempt something, you could do worse than looking in the setup directory that samba installs. Rowland From tabolin at speechpro.com Wed Dec 16 19:43:35 2015 From: tabolin at speechpro.com (Таболин Юрий) Date: Wed, 16 Dec 2015 22:43:35 +0300 Subject: [Samba] samba4 schema for openldap In-Reply-To: <5671BCFA.2020001@samba.org> References: <5671B52C.9000804@speechpro.com> <5671BCFA.2020001@samba.org> Message-ID: <5671BEE7.30508@speechpro.com> 16.12.2015 22:35, Rowland penny wrote: > On 16/12/15 19:02, Таболин Юрий wrote: >> Hi all. >> >> I have samba 4.2.3 on freebsd 10.1 server. There are three DC and >> about 350 PC on domain. I wrote earlier that samba4 ldap performance >> is not enough for me. Now I want to try a server in the middle with >> openldap pcache - ldap cache proxy function. But it only works with >> appropriate openldap schema. Where can I find samba4 openldap schema? >> I'm going to cache simple queries such as >> >> (&(objectClass=user)(sAMAccountName=username)) >> >> I will have enough and the simplified schema. Thanks! >> >> > > Not sure there is one, there is some work going on to get samba4 > working with LDAP instead of the builtin ldap server, but it has gone > quiet lately, not that this means anything really. I understand that > initially, Samba tried to use LDAP but could not get it to work, so > had to go with their own built in ldap server. If you want to attempt > something, you could do worse than looking in the setup directory that > samba installs. > > I looked at samba/setup/ad-schema, but there are Microsoft description schema files, but not openldap schema format.
Or is there a way to convert them to openldap schema files? -- With best regards, Tabolin Yuriy System administrator Speech Technology Center From rpenny at samba.org Wed Dec 16 19:47:20 2015 From: rpenny at samba.org (Rowland penny) Date: Wed, 16 Dec 2015 19:47:20 +0000 Subject: [Samba] samba4 schema for openldap In-Reply-To: <5671BCFA.2020001@samba.org> References: <5671B52C.9000804@speechpro.com> <5671BCFA.2020001@samba.org> Message-ID: <5671BFC8.4090509@samba.org> On 16/12/15 19:35, Rowland penny wrote: > On 16/12/15 19:02, Таболин Юрий wrote: >> Hi all. >> >> I have samba 4.2.3 on freebsd 10.1 server. There are three DC and >> about 350 PC on domain. I wrote earlier that samba4 ldap performance >> is not enough for me. Now I want to try a server in the middle with >> openldap pcache - ldap cache proxy function. But it only works with >> appropriate openldap schema. Where can I find samba4 openldap schema? >> I'm going to cache simple queries such as >> >> (&(objectClass=user)(sAMAccountName=username)) >> >> I will have enough and the simplified schema. Thanks! >> >> > > Not sure there is one, there is some work going on to get samba4 > working with LDAP instead of the builtin ldap server, but it has gone > quiet lately, not that this means anything really. I understand that > initially, Samba tried to use LDAP but could not get it to work, so > had to go with their own built in ldap server. If you want to attempt > something, you could do worse than looking in the setup directory that > samba installs. > > Rowland > And then after I posted.
I thought, I wonder if he didn't actually mean the AD schema, so did a quick google and within 10 seconds I found this: https://haroonferoze.wordpress.com/2012/11/26/openldap/ Rowland From jeff.sadowski at gmail.com Wed Dec 16 20:25:38 2015 From: jeff.sadowski at gmail.com (Jeff Sadowski) Date: Wed, 16 Dec 2015 13:25:38 -0700 Subject: [Samba] Active Directory Object, Operating System tab Message-ID: Is there a way to populate this tab when I join a computer to the domain using samba? using this command net ads join -U administrator creates the AD Object. I don't see an option to net when reading the man page to include the OS specs Maybe use --config-file option? I don't see anything in the smb.conf file that would set any of that information. # net --version Version 4.1.6-Ubuntu From jeff.sadowski at gmail.com Wed Dec 16 20:27:59 2015 From: jeff.sadowski at gmail.com (Jeff Sadowski) Date: Wed, 16 Dec 2015 13:27:59 -0700 Subject: [Samba] Active Directory Object, Operating System tab In-Reply-To: References: Message-ID: Never mind I'm blind [osName=string osVer=string] On Wed, Dec 16, 2015 at 1:25 PM, Jeff Sadowski wrote: > Is there a way to populate this tab when I join a computer to the domain > using samba? > > using this command > > net ads join -U administrator > > creates the AD Object. > I don't see an option to net when reading the man page to include the OS > specs > Maybe use > --config-file option? > > I don't see anything in the smb.conf file that would set any of that > information. 
> > # net --version > Version 4.1.6-Ubuntu > > From tabolin at speechpro.com Wed Dec 16 20:40:24 2015 From: tabolin at speechpro.com (Таболин Юрий) Date: Wed, 16 Dec 2015 23:40:24 +0300 Subject: [Samba] samba4 schema for openldap In-Reply-To: <5671BFC8.4090509@samba.org> References: <5671B52C.9000804@speechpro.com> <5671BCFA.2020001@samba.org> <5671BFC8.4090509@samba.org> Message-ID: <5671CC38.5050200@speechpro.com> 16.12.2015 22:47, Rowland penny wrote: > On 16/12/15 19:35, Rowland penny wrote: >> On 16/12/15 19:02, Таболин Юрий wrote: >>> Hi all. >>> >>> I have samba 4.2.3 on freebsd 10.1 server. There are three DC and >>> about 350 PC on domain. I wrote earlier that samba4 ldap performance >>> is not enough for me. Now I want to try a server in the middle with >>> openldap pcache - ldap cache proxy function. But it only works with >>> appropriate openldap schema. Where can I find samba4 openldap >>> schema? I'm going to cache simple queries such as >>> >>> (&(objectClass=user)(sAMAccountName=username)) >>> >>> I will have enough and the simplified schema. Thanks! >>> >>> >> >> Not sure there is one, there is some work going on to get samba4 >> working with LDAP instead of the builtin ldap server, but it has gone >> quiet lately, not that this means anything really. I understand that >> initially, Samba tried to use LDAP but could not get it to work, so >> had to go with their own built in ldap server. If you want to attempt >> something, you could do worse than looking in the setup directory >> that samba installs. >> >> Rowland >> > > And then after I posted. I thought, I wonder if he didn't actually > mean the AD schema, so did a quick google and within 10 seconds I > found this: https://haroonferoze.wordpress.com/2012/11/26/openldap/ > > Rowland > > I have seen this article earlier, but there is setup only proxy without cache. Similar instructions here https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD . That's not what I need.
-- With best regards, Tabolin Yuriy System administrator Speech Technology Center From leeb at ratnaling.org Wed Dec 16 20:54:52 2015 From: leeb at ratnaling.org (Lee Brown) Date: Wed, 16 Dec 2015 12:54:52 -0800 Subject: [Samba] samba4 schema for openldap In-Reply-To: <5671CC38.5050200@speechpro.com> References: <5671B52C.9000804@speechpro.com> <5671BCFA.2020001@samba.org> <5671BFC8.4090509@samba.org> <5671CC38.5050200@speechpro.com> Message-ID: On Wed, Dec 16, 2015 at 12:40 PM, Таболин Юрий wrote: > 16.12.2015 22:47, Rowland penny пишет: > >> On 16/12/15 19:35, Rowland penny wrote: >> >>> On 16/12/15 19:02, Таболин Юрий wrote: >>> >>>> Hi all. >>>> >>>> I have samba 4.2.3 on freebsd 10.1 server. There are three DC and about >>>> 350 PC on domain. I wrote earlier that samba4 ldap performance is not >>>> enough for me. Now I want to try a server in the middle with openldap >>>> pcache - ldap cache proxy function. But it only works with appropriate >>>> openldap schema. Where I can find samba4 openldap schema? I'm going to >>>> cache simple queries such as >>>> >>>> (&(objectClass=user)(sAMAccountName=username)) >>>> >>>> I will have enough and the simplified schema. Thanks! >>>> >>>> >>>> >>> Not sure there is one, there is some work going on to get samba4 working >>> with LDAP instead of the builtin ldap server, but it has gone quiet lately, >>> not this means anything really. I understand that initially, Samba tried to >>> use LDAP but could not get it to work, so had to go with their own built in >>> ldap server. If you want to attempt something, you could do worse than >>> looking in the setup directory that samba installs. >>> >>> Rowland >>> >>> >> And then after I posted. I thought, I wonder if he didn't actually mean >> the AD schema, so did a quick google and within 10 seconds I found this: >> https://haroonferoze.wordpress.com/2012/11/26/openldap/ >> >> Rowland >> >> >> I have seen this article earlier, but there is setup only proxy without > cache. 
Similar instructions here > https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD . That's not > what I need. > > > Would using HAProxy to spread the load across the 3 DC's help at all? From rpenny at samba.org Wed Dec 16 21:27:32 2015 From: rpenny at samba.org (Rowland penny) Date: Wed, 16 Dec 2015 21:27:32 +0000 Subject: [Samba] samba4 schema for openldap In-Reply-To: <5671CC38.5050200@speechpro.com> References: <5671B52C.9000804@speechpro.com> <5671BCFA.2020001@samba.org> <5671BFC8.4090509@samba.org> <5671CC38.5050200@speechpro.com> Message-ID: <5671D744.5030401@samba.org> On 16/12/15 20:40, Таболин Юрий wrote: > 16.12.2015 22:47, Rowland penny wrote: >> On 16/12/15 19:35, Rowland penny wrote: >>> On 16/12/15 19:02, Таболин Юрий wrote: >>>> Hi all. >>>> >>>> I have samba 4.2.3 on freebsd 10.1 server. There are three DC and >>>> about 350 PC on domain. I wrote earlier that samba4 ldap >>>> performance is not enough for me. Now I want to try a server in the >>>> middle with openldap pcache - ldap cache proxy function. But it >>>> only works with appropriate openldap schema. Where can I find >>>> samba4 openldap schema? I'm going to cache simple queries such as >>>> >>>> (&(objectClass=user)(sAMAccountName=username)) >>>> >>>> I will have enough and the simplified schema. Thanks! >>>> >>>> >>> >>> Not sure there is one, there is some work going on to get samba4 >>> working with LDAP instead of the builtin ldap server, but it has >>> gone quiet lately, not that this means anything really. I understand that >>> initially, Samba tried to use LDAP but could not get it to work, so >>> had to go with their own built in ldap server. If you want to >>> attempt something, you could do worse than looking in the setup >>> directory that samba installs. >>> >>> Rowland >>> >> >> And then after I posted.
I thought, I wonder if he didn't actually >> mean the AD schema, so did a quick google and within 10 seconds I >> found this: https://haroonferoze.wordpress.com/2012/11/26/openldap/ >> >> Rowland >> >> > I have seen this article earlier, but there is setup only proxy > without cache. Similar instructions here > https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD . That's not > what I need. > > > > -- > With best regards, > > Tabolin Yuriy > System administrator > Speech Technology Center OK, a bit more googling turned this up, but it is in Japanese: http://www.hanabusa.net/intra/ldapcache.html Rowland From nigel.w at nosun.ca Wed Dec 16 21:28:38 2015 From: nigel.w at nosun.ca (Nigel W) Date: Wed, 16 Dec 2015 14:28:38 -0700 Subject: [Samba] samba4 schema for openldap In-Reply-To: References: <5671B52C.9000804@speechpro.com> <5671BCFA.2020001@samba.org> <5671BFC8.4090509@samba.org> <5671CC38.5050200@speechpro.com> Message-ID: Assuming the DNS for the site is set up correctly, the SRV records should be evenly spreading the load among the servers on the site that the client is on. With a Windows-based domain the answer to this question is either fix your ldap client to use the SRV records and not use only the DC with the PDC Emulator role, or add more DCs to the site. I would assume the answer is the same for a Samba domain. Though I would be interested in understanding how the OP came to the conclusion that they need to cache the LDAP queries. Thanks, On Wed, Dec 16, 2015 at 1:54 PM, Lee Brown wrote: > On Wed, Dec 16, 2015 at 12:40 PM, Таболин Юрий > wrote: > > > 16.12.2015 22:47, Rowland penny wrote: > > > >> On 16/12/15 19:35, Rowland penny wrote: > >> > >>> On 16/12/15 19:02, Таболин Юрий wrote: > >>> > >>>> Hi all. > >>>> > >>>> I have samba 4.2.3 on freebsd 10.1 server. There are three DC and > about > >>>> 350 PC on domain. I wrote earlier that samba4 ldap performance is not > >>>> enough for me.
Now I want to try a server in the middle with openldap > >>>> pcache - ldap cache proxy function. But it only works with appropriate > >>>> openldap schema. Where can I find samba4 openldap schema? I'm going to > >>>> cache simple queries such as > >>>> > >>>> (&(objectClass=user)(sAMAccountName=username)) > >>>> > >>>> I will have enough and the simplified schema. Thanks! > >>>> > >>>> > >>>> > >>> Not sure there is one, there is some work going on to get samba4 > working > >>> with LDAP instead of the builtin ldap server, but it has gone quiet > lately, > >>> not that this means anything really. I understand that initially, Samba > tried to > >>> use LDAP but could not get it to work, so had to go with their own > built in > >>> ldap server. If you want to attempt something, you could do worse than > >>> looking in the setup directory that samba installs. > >>> > >>> Rowland > >>> > >>> > >> And then after I posted. I thought, I wonder if he didn't actually mean > >> the AD schema, so did a quick google and within 10 seconds I found this: > >> https://haroonferoze.wordpress.com/2012/11/26/openldap/ > >> > >> Rowland > >> > >> > >> I have seen this article earlier, but there is setup only proxy without > > cache. Similar instructions here > > https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD . That's not > > what I need. > > > > > > Would using HAProxy to spread the load across the 3 DC's help at all? > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > From viktor at troja.ch Thu Dec 17 00:35:56 2015 From: viktor at troja.ch (Viktor Trojanovic) Date: Thu, 17 Dec 2015 01:35:56 +0100 Subject: [Samba] Samba AD - 2-factor authentication best practice 2016 Message-ID: <5672036C.6000903@troja.ch> Hi list, I'm wondering about some best practices when it comes to 2-factor authentication on a Samba AD DC. Though I'm not fixed on them, I'd preferably use Yubikeys.
I did find a corresponding project on Github called yubikey-ldap/samba4-schema, but the last update was made 3 years ago. So, I would be glad to hear how some of you handle it, which tokens you use and how you set it up. Thanks, Viktor From bbogaert at wikimedia.org Thu Dec 17 02:19:58 2015 From: bbogaert at wikimedia.org (Byron Bogaert) Date: Wed, 16 Dec 2015 18:19:58 -0800 Subject: [Samba] How can I change the localSID for a SAMBA Server? In-Reply-To: <5670804E.9090207@samba.org> References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670804E.9090207@samba.org> Message-ID: Hi Marc, I tried using Samba version 4.3 without much success. I still was not able to control what the local sid of the machine was. To install 4.3 on Ubuntu 14.04 LTS I needed to use the following ppa: https://launchpad.net/~bnd-acc/+archive/ubuntu/samba43 I also tried changing the smb.conf to "SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER" on my 4.1.6 and 4.3 version. This also did not help me control what the local sid was. I feel like I'm missing some important fundamental elements of how the domain sid and local sid are created, used and modified. Perhaps you or someone here can elaborate on this? Thanks, -- *Byron Bogaert* *IT System Administrator* Wikimedia Foundation Imagine a world in which every single human being can freely share in the sum of all knowledge. Help us make it a reality! https://donate.wikimedia.org On Tue, Dec 15, 2015 at 1:04 PM, Marc Muehlfeld wrote: > On 15.12.2015 at 21:58, Byron Bogaert wrote: > > We are running Samba Version 4.1.6-Ubuntu on Ubuntu 14.04 LTS. Is there > any > > other specific information you need? > > Do you have a chance to try it with a recent version (4.3.x)? I don't > have an old version here at the moment and can't say if there was a bug > in that area at that time. > > And can you show the [global] part of your smb.conf?
> > > Regards, > Marc > From vigneshdhanraj.g at gmail.com Thu Dec 17 06:58:36 2015 From: vigneshdhanraj.g at gmail.com (VigneshDhanraj G) Date: Thu, 17 Dec 2015 12:28:36 +0530 Subject: [Samba] Pam-logon failure for AD users In-Reply-To: References: <566BEA59.4050402@samba.org> Message-ID: Hi, I compiled samba from source and I am using pam from debian. But, I'm confused why pam uses pam_auth_crap instead of pam_auth. May I know the basic difference between pam_auth and pam_auth_crap. Regards, Vigneshdhanraj G On Wed, Dec 16, 2015 at 6:45 PM, L.P.H. van Belle wrote: > I see 2 things here which are strange. > > Self compiled samba > > >> /usr/local/samba/bin/wbinfo --pam-logon="DOMAIN\testusr1" > > Debian samba ? or older version installed and not latest. > > >> Samba version : 4.1.17 > > Which is it? self compiled or debian samba? > > Greetz, > > Louis > > > -----Original message----- > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of VigneshDhanraj > G > > Sent: Wednesday 16 December 2015 13:25 > > To: Rowland penny > > CC: samba at lists.samba.org > > Subject: Re: [Samba] Pam-logon failure for AD users > > > > Thanks Rowland, I understand that there was a mess, and now I changed the > > smb.conf with the above as you instructed it to be. But still I found the same > > issue. I have two systems which connect to the same AD. I found two different > > winbind logs. One uses pam_auth and the other one which is not working uses > > pam_auth_crap while using pam logon. I browsed on this but unfortunately > I > > am not able to find anything useful. > > > > May I know please, what's the difference between pam_auth and > > pam_auth_crap. > > May this be the problem? > > > > Could you please help me regarding this.
> > > > Regards, > > > > Vigneshdhanraj G > > > > On Sat, Dec 12, 2015 at 3:05 PM, Rowland penny wrote: > > > > > On 12/12/15 08:53, VigneshDhanraj G wrote: > > > > > >> sorry for the late response Rowland, > > >> > > >> I didn't change the smb.conf with the same smb.conf, i configured new > > AD > > >> that works fine. Do you need to change the smb.conf could you please > > tell > > >> me what i need to change specifically. And i also suspect that problem > > with > > >> my AD server. But i am not able to find the exact problem, The > > confusion is > > >> Ftp works with same pam working fine but cifs always shows access > > denied. > > >> if password is wrong it shows Wrong password. > > >> > > >> Regards, > > >> > > >> Vigneshdhanraj G > > >> > > >> On Thu, Dec 10, 2015 at 2:41 PM, Rowland penny > > >> rpenny at samba.org>> wrote: > > >> > > >> On 10/12/15 07:49, VigneshDhanraj G wrote: > > >> > > >> Hi, > > >> > > >> This issue not solved, ftp and cifs using same way of > > >> authentication. but > > >> when trying to access cifs it always shows the same > > >> ACCESS_DENIED error. > > >> > > >> Regards, > > >> > > >> Vigneshdhanraj G > > >> > > >> > > >> On Tue, Nov 3, 2015 at 6:36 PM, Rowland Penny > > >> > >> > > > >> > > >> wrote: > > >> > > >> On 03/11/15 12:25, VigneshDhanraj G wrote: > > >> > > >> Hi Team, > > >> > > >> when i am running this command i am getting the > > >> following error > > >> /usr/local/samba/bin/wbinfo --pam- > > logon="DOMAIN\testusr1" > > >> > > >> Enter DOMAIN\testusr1's password: > > >> plaintext password authentication failed > > >> error code was NT_STATUS_ACCESS_DENIED (0xc0000022) > > >> error message was: Access denied > > >> pam_logon failed for DOMAIN\testusr1 > > >> > > >> FTP and Cifs uses pam. Ftp authentication using domain > > >> working fine. But, > > >> Cifs showing ACCESS_DENIED error. 
> > >> > > >> Samba version : 4.1.17 > > >> > > >> In winbindd.log i could see > > >> [2015/11/03 11:59:46.377088, 10, pid=435, effective(0, > > >> 0), real(0, 0), > > >> class=winbind] > > >> ../source3/winbindd/winbindd.c:755(wb_request_done) > > >> wb_request_done[559:PAM_AUTH_CRAP]: > > >> NT_STATUS_ACCESS_DENIED > > >> > > >> My smb.conf is > > >> > > >> available= yes > > >> restrict anonymous= 0 > > >> server string= LenovoEMC™ px6-300d > > >> Workgroup= DOMAIN > > >> netbios name= Debian > > >> realm= DOMAIN.LOCAL > > >> password server= 192.168.1.100, * > > >> idmap backend= tdb > > >> idmap uid= 5000-9999999 > > >> idmap gid= 5000-9999999 > > >> security= ADS > > >> name resolve order= wins host bcast lmhosts > > >> client use spnego= yes > > >> dns proxy= no > > >> winbind use default domain= no > > >> winbind nested groups= yes > > >> inherit acls= yes > > >> winbind enum users= yes > > >> winbind enum groups= yes > > >> winbind separator= \\ > > >> winbind cache time= 300 > > >> winbind offline logon= true > > >> template shell= /bin/sh > > >> map to guest= Bad User > > >> host msdfs= yes > > >> strict allocate= yes > > >> encrypt passwords= yes > > >> passdb backend= smbpasswd > > >> printcap name= lpstat > > >> printable= no > > >> load printers= yes > > >> max smbd processes= 500 > > >> getwd cache= yes > > >> syslog= 0 > > >> use sendfile= yes > > >> log level= 0 > > >> max log size= 50 > > >> unix extensions= no > > >> dos charset= ascii > > >> state directory= /mnt/system/samba/system > > >> > > >> > > >> Windows client from which i am trying to access cifs > > >> is also connected to > > >> the domain. 
> > >> > > >> > > >> > > > Let's be honest, your original smb.conf was a mess, it uses a lot of > > > default settings and a lot of settings that really shouldn't be there, > > this > > > is what it really should have looked like: > > > > > > [global] > > > Workgroup= DOMAIN > > > security= ADS > > > realm= DOMAIN.LOCAL > > > netbios name= Debian > > > server string= LenovoEMC™ px6-300d > > > dedicated keytab file = /etc/krb5.keytab > > > kerberos method = secrets and keytab > > > idmap config *:backend = tdb > > > idmap config *:range = 2000-4999 > > > idmap config DOMAIN:backend = rid > > > idmap config DOMAIN:range = 5000-9999999 > > > winbind nss info = template > > > winbind enum users = yes > > > winbind enum groups = yes > > > winbind refresh tickets = Yes > > > winbind offline logon= true > > > dns proxy= no > > > template shell= /bin/sh > > > map to guest= Bad User > > > strict allocate= yes # really meant to be used in a share > > > printcap name = lpstat > > > max smbd processes= 500 > > > syslog= 0 > > > max log size= 50 > > > use sendfile= yes > > > unix extensions= no > > > state directory= /mnt/system/samba/system # why are you moving this > > to > > > what I presume is a share > > > on another system????? > > > vfs objects = acl_xattr > > > map acl inherit = yes > > > store dos attributes = yes > > > > > > The 'tabbed' lines are yours, the others are what I would add.
> > > > > > > > > Rowland > From belle at bazuin.nl Thu Dec 17 09:21:30 2015 From: belle at bazuin.nl (L.P.H. van Belle) Date: Thu, 17 Dec 2015 10:21:30 +0100 Subject: [Samba] How can I change the localSID for a SAMBA Server? In-Reply-To: References: <5670804E.9090207@samba.org> Message-ID: And net getlocalsid and net setlocalsid do not work? > -----Original message----- > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Byron Bogaert > Sent: Thursday 17 December 2015 3:20 > To: Marc Muehlfeld > CC: samba at lists.samba.org > Subject: Re: [Samba] How can I change the localSID for a SAMBA Server? > > Hi Marc, > > I tried using Samba version 4.3 without much success. I still was not able > to control what the local sid of the machine was. > > To install 4.3 on Ubuntu 14.04 LTS I needed to use the following ppa: > https://launchpad.net/~bnd-acc/+archive/ubuntu/samba43 > > I also tried changing the smb.conf to "SERVER ROLE = CLASSIC PRIMARY > DOMAIN CONTROLLER" on my 4.1.6 and 4.3 version. This also did not help me > control what the local sid was. > > I feel like I'm missing some important fundamental elements of how the domain sid > and local sid are created, used and modified. Perhaps you or someone here > can elaborate on this? > > Thanks, > > -- > *Byron Bogaert* > > *IT System Administrator* > Wikimedia Foundation > > Imagine a world in which every single human being can freely share in the > sum of all knowledge. Help us make it a reality!
> https://donate.wikimedia.org > > On Tue, Dec 15, 2015 at 1:04 PM, Marc Muehlfeld > wrote: > > > On 15.12.2015 at 21:58, Byron Bogaert wrote: > > > We are running Samba Version 4.1.6-Ubuntu on Ubuntu 14.04 LTS. Is > there > > any > > > other specific information you need? > > > > Do you have a chance to try it with a recent version (4.3.x)? I don't > > have an old version here at the moment and can't say if there was a bug > > in that area at that time. > > > > And can you show the [global] part of your smb.conf? > > > > > > Regards, > > Marc > > From rpenny at samba.org Thu Dec 17 10:32:49 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 17 Dec 2015 10:32:49 +0000 Subject: [Samba] Pam-logon failure for AD users In-Reply-To: References: <566BEA59.4050402@samba.org> Message-ID: <56728F51.40309@samba.org> On 17/12/15 06:58, VigneshDhanraj G wrote: > Hi, > > I compiled samba from source and I am using pam from debian. But, I'm > confused why pam uses pam_auth_crap instead of pam_auth. > > May I know the basic difference between pam_auth and pam_auth_crap. > > Regards, > > Vigneshdhanraj G > > > > When you find out, please let me know :-D or, putting it another way, I do not know, never heard of it until you mentioned it. If you are using a self-compiled version of Samba and you haven't created the libnss_winbind links, this may be your problem, but until you tell us what 'pam-auth-update' says you are using, we will not know. Rowland From rpenny at samba.org Thu Dec 17 10:42:05 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 17 Dec 2015 10:42:05 +0000 Subject: [Samba] How can I change the localSID for a SAMBA Server?
In-Reply-To: References: <56701197.1060902@samba.org> <56707DDC.9050600@samba.org> <5670804E.9090207@samba.org> Message-ID: <5672917D.8080909@samba.org> On 17/12/15 02:19, Byron Bogaert wrote: > Hi Marc, > > I tried using Samba version 4.3 without much success. I still was not able > to control what the local sid of the machine was. > > To install 4.3 on Ubuntu 14.04 LTS I needed to use the following ppa: > https://launchpad.net/~bnd-acc/+archive/ubuntu/samba43 > > I also tried changing the smb.conf to "SERVER ROLE = CLASSIC PRIMARY > DOMAIN CONTROLLER" on my 4.1.6 and 4.3 version. This also did not help me > control what the local sid was. > > I feel like I'm missing some important fundamental elements of how the domain sid > and local sid are created, used and modified. Perhaps you or someone here > can elaborate on this? > > Thanks, > Andrew Bartlett told you what to do, if I were you I would follow his advice: upgrade your machine to be a BDC and join it to the other machine. If you are unsure just who Andrew Bartlett is, I suggest you google his name with the word 'samba'. What I think is happening: Samba is flat out refusing to change the local SID to the SID of the other machine simply because then there would be two workgroups with the same SID, how would it then be able to tell which machine was which?
Rowland From ole.traupe at tu-berlin.de Thu Dec 17 12:40:13 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 17 Dec 2015 13:40:13 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <56699B16.2020302@samba.org> References: <56435CD0.4090409@tu-berlin.de> <5643674F.3040308@gmail.com> <564398C5.90304@tu-berlin.de> <56439B48.8000902@gmail.com> <564C71F9.4030307@tu-berlin.de> <564C874C.5070604@gmail.com> <564C9BBE.7080403@tu-berlin.de> <564CDAF3.7070105@gmail.com> <5661B143.40502@tu-berlin.de> <5661B426.1060209@gmail.com> <5661BD67.8000305@tu-berlin.de> <566857D6.8070400@tu-berlin.de> <56685EF6.90809@gmail.com> <566861F9.3090502@samba.org> <56697D49.8040301@tu-berlin.de> <5669805B.8050109@samba.org> <56698574.5080103@tu-berlin.de> <566988ED.7080903@samba.org> <56698EED.5020308@tu-berlin.de> <56699117.7070303@samba.org> <566996A2.6040409@tu-berlin.de> <56699B16.2020302@samba.org> Message-ID: <5672AD2D.6090202@tu-berlin.de> >>> There is a known problem, even though the updates print '; TSIG >>> error with server: tsig verify failure', it still works. Try running >>> 'host -t SRV _kerberos._udp.my.domain.tld.' again. >>> >>> Rowland >> >> Nope, still one record. >> >> > > OK, lets just double check that, try running this: > > ldbsearch -H /var/lib/samba/private/sam.ldb -b > 'DC=my.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=tld' > -s sub '(dc=_kerberos._udp)' --cross-ncs --show-binary > > That should all be one line and replace 'my.domain.tld' and > 'DC=my,DC=domain,DC=tld' with the correct details > > This should show you the dns record. > > Rowland > Ok, I have manually added "_ldap", "_kerberos", and "_kpasswd" records for my 2nd DC in all places where the 1st DC had such records. Thanks for the script mathias, but I try to keep it simple for the moment. I have another problem now: I accidentally created a record with a false port. 
I then updated the port but was afraid of any consequences. So I deleted that record again and wanted to re-create it. But I can't: "The record already exists." Although I can't see it in the gui. And I also can't delete it: # samba-tool dns delete DC1 _msdcs.my.domain.tld _ldap._tcp.gc._msdcs.my.domain.tld SRV "dc2.my.domain.tld 3268 0 100" ERROR: Record does not exist But it can be found with dig: # dig @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28612 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;_ldap._tcp.gc._msdcs.my.domain.tld. IN SRV ;; ANSWER SECTION: _ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 dc1.my.domain.tld. _ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 dc2.my.domain.tld. ;; Query time: 1 msec ;; SERVER: IP_of_1stDC#53(IP_of_1stDC) ;; WHEN: Thu Dec 17 13:28:06 2015 ;; MSG SIZE rcvd: 103 How do I get rid of this problematic record for dc2? I also added the 2nd DC's NS record in the _msdcs zone, which was still missing. 
Rowland, now your suggested above line gives this: # record 1 dn: DC=_kerberos._udp,DC=my.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=tld objectClass: top objectClass: dnsNode instanceType: 4 whenCreated: 20150616170602.0Z uSNCreated: 3500 showInAdvancedViewOnly: TRUE name: _kerberos._udp objectGUID: c1a4f1b9-a02d-4fba-9221-2b95ec9b34fc objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=my,DC=domain,DC=tld dc: _kerberos._udp dnsRecord: NDR: struct dnsp_DnssrvRpcRecord wDataLength : 0x001e (30) wType : DNS_TYPE_SRV (33) version : 0x05 (5) rank : DNS_RANK_ZONE (240) flags : 0x0000 (0) dwSerial : 0x0000006e (110) dwTtlSeconds : 0x00000384 (900) dwReserved : 0x00000000 (0) dwTimeStamp : 0x00000000 (0) data : union dnsRecordData(case 33) srv: struct dnsp_srv wPriority : 0x0000 (0) wWeight : 0x0064 (100) wPort : 0x0058 (88) nameTarget : dc1.my.domain.tld dnsRecord: NDR: struct dnsp_DnssrvRpcRecord wDataLength : 0x001e (30) wType : DNS_TYPE_SRV (33) version : 0x05 (5) rank : DNS_RANK_ZONE (240) flags : 0x0000 (0) dwSerial : 0x0000002b (43) dwTtlSeconds : 0x000000b4 (180) dwReserved : 0x00000000 (0) dwTimeStamp : 0x003780ca (3637450) data : union dnsRecordData(case 33) srv: struct dnsp_srv wPriority : 0x0000 (0) wWeight : 0x0064 (100) wPort : 0x0058 (88) nameTarget : dc2.my.domain.tld whenChanged: 20151217103443.0Z uSNChanged: 7315 distinguishedName: DC=_kerberos._udp,DC=my.domain.tld,CN=MicrosoftDNS,DC=DomainDnsZones,DC=my,DC=domain,DC=tld # returned 1 records # 1 entries # 0 referrals Status of original problem (no log-on when 1st DC is down): - log on to Windows possible - kinit on member servers works with a *long* timeout - ssh logon to member server (with domain account) works with an *even longer* timeout - logon to member server with some remote desktop solution works not, likely due to timeouts Ole From ole.traupe at tu-berlin.de Thu Dec 17 12:44:15 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 17 Dec 2015 13:44:15 +0100 
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <566ADCB4.3010202@samba.org> References: <56699117.7070303@samba.org> <566996A2.6040409@tu-berlin.de> <566AAE5C.8060206@samba.org> <566AD6B7.2010704@tu-berlin.de> <566ADCB4.3010202@samba.org> Message-ID: <5672AE1F.6080406@tu-berlin.de> Am 11.12.2015 um 15:24 schrieb Rowland penny: > On 11/12/15 13:59, Ole Traupe wrote: >> Hi folks, >> >> a) thank you all for your help, I highly appreciate you time and >> effort, and I am sure I can resolve this issue very soon! >> b) I have to delay this until early next week, as I have to attend to >> other matters for now. >> >> All I can say, Louis, is that I won't set up a new DC to resolve this >> - at least not for now. This seems to be another problem of Samba4 >> not being able to deal with multiple DCs properly. And this has to be >> able to be resolved on an otherwise working domain without changing >> its architecture or other more drastic measures. This is my point of >> view at the moment. Your suggestion reminds me a bit of some typical >> forum replies to "Reinstall the OS" in case of any problems that >> can't be solved in an instant. >> >> If necessary, I will just create the missing DNS entries of my 2nd DC >> by hand. Although I would prefer a working script supplied by a >> professional (which I am not). At least I would like to know which >> DNS entries for my 2nd DC are essential for logins to work. I >> wouldn't very much like to try this out. However, I am aware that >> your time is as limited as mine (of not even more so), and you are in >> no obligation in any way. >> >> Besides, I didn't forget do delete anything. I used the script from >> the wiki to get rid of old records pertaining to my former 1st DC >> after I had created the records of my *new* 1st DC. I checked the >> results: everything related to my former first DC was gone. Also I >> documented/discussed this process here on the list. 
And nobody >> pointed me to things I forgot or was leaving out. I know that use of >> this script was totally "on my own risk". But the results were as >> they should have been, at least as far I am able to tell. >> >> That said, I will go through your responses and get back to you with >> results. >> >> Best, have a good weekend! >> Ole >> >> > > Ole, when you provision a domain, all the required records are > created, but when you join another DC, most of the dns records are not > created until the samba deamon is started and samba_dnsupdate is run > automatically, see 'dns_update_list' for what is added (this is in > /usr/share/samba/setup & /var/lib/samba/private on debian) > > If you want to add the missing NS records, add these lines to > 'dns_update_list' : > > # RW DNS servers > ${IF_RWDNS_DOMAIN}A > ${DNSDOMAIN} $IP > ${IF_RWDNS_DOMAIN}NS > ${DNSDOMAIN} ${HOSTNAME} > > # RW DNS servers > ${IF_RWDNS_FOREST}NS > _msdcs.${DNSFOREST} ${HOSTNAME} > > You should be aware that even if you add these lines, they will not do > you any good at the moment if you use the internal dns server. > > There is a problem, it looks like the records do not get added when > samba_dnsupdate is first run, but they are. Rowland, I do not understand you in this point. Does or doesn't this help me with the internal DNS? > > What you could do is this, copy the 'dns_update_list', replace all the > variables with your info (${DNSDOMAIN} etc), then use this to check > what you are missing and then add what isn't there. > > Rowland > From ole.traupe at tu-berlin.de Thu Dec 17 12:50:32 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 17 Dec 2015 13:50:32 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: References: Message-ID: <5672AF98.3050705@tu-berlin.de> Am 11.12.2015 um 15:31 schrieb L.P.H. van Belle: > Commented inbetween. 
> >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe >> Verzonden: vrijdag 11 december 2015 14:59 >> Aan: samba at lists.samba.org >> Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller >> initially fails when PDC is offline >> >> Hi folks, >> >> a) thank you all for your help, I highly appreciate you time and effort, >> and I am sure I can resolve this issue very soon! >> b) I have to delay this until early next week, as I have to attend to >> other matters for now. >> >> All I can say, Louis, is that I won't set up a new DC to resolve this - >> at least not for now. This seems to be another problem of Samba4 not >> being able to deal with multiple DCs properly. And this has to be able >> to be resolved on an otherwise working domain without changing its >> architecture or other more drastic measures. This is my point of view at >> the moment. Your suggestion reminds me a bit of some typical forum >> replies to "Reinstall the OS" in case of any problems that can't be >> solved in an instant. > [L.P.H. van Belle] > I dont think this is another problem of samba4, but this is a problem which started in the begining of your install, at least thats what i suppect based on all your info on the list. > I suspect that, then you "installed" the new DC with the old name/ip. Yes, maybe, but why/how? > You forgot somewhere to remove old entries in AD and/or DNS. Not that I know of. This is pure speculation. My domain is not that large and I can go through all DNS records in 5 min. There wasn't anything left pointing to the demoted DC. > And this is why i suggested it, normaly i dont suggest something like this, but i do think that if you setup clean you wil have a better running server with less problems , but what you choose is all up to you. > Do what you thinks is best for you. I am still considering this as a last resort. 
> >> If necessary, I will just create the missing DNS entries of my 2nd DC by >> hand. Although I would prefer a working script supplied by a >> professional (which I am not). At least I would like to know which DNS >> entries for my 2nd DC are essential for logins to work. I wouldn't very >> much like to try this out. However, I am aware that your time is as >> limited as mine (of not even more so), and you are in no obligation in >> any way. > [L.P.H. van Belle] > >> ). At least I would like to know which DNS >> entries for my 2nd DC are essential for logins to work. > And what you ask here is already answered few times imo. Where? Point me to it, please! > > Again, your quicker with a clean install, and you learn more from it. > And with clean, i dont mean dropping your AD, just add new "DC Join" to hold the AD data so you can remove the faulty server and then you can install that server again, but now as it should. > AND when you join a DC your login problem is fixed also. ;-) I somehow doubt that. Still it seems that no one here has an idea of why log-on from member servers isn't working properly (for me). However, in the meantime I have created all the necessary DNS records. This can't be the issue anymore. > > >> Besides, I didn't forget do delete anything. I used the script from the >> wiki to get rid of old records pertaining to my former 1st DC after I >> had created the records of my *new* 1st DC. I checked the results: >> everything related to my former first DC was gone. Also I >> documented/discussed this process here on the list. And nobody pointed >> me to things I forgot or was leaving out. I know that use of this script >> was totally "on my own risk". But the results were as they should have >> been, at least as far I am able to tell.[L.P.H. van Belle] > [L.P.H. van Belle] which script ? can anyone point that one for me, cant find it. 
I only know about > https://bugzilla.samba.org/show_bug.cgi?id=10595 It is this one: https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content > >> That said, I will go through your responses and get back to you with >> results. >> >> Best, have a good weekend! >> Ole > [L.P.H. van Belle] > Thank you, and have a very good weekend also, i hope your problem is fixed soon. Thanks, me too. Ole > >> >> Am 11.12.2015 um 13:33 schrieb mathias dufresne: >>> Thank you Rowland to noticed that. >>> >>> Here it is: >>> ------------------------------------------------------------------ >>> #!/usr/bin/awk >>> >>> BEGIN { >>> ad_zone = "YOUR.DOMAIN.TLD" >>> msdcs_zone = "_msdcs." ad_zone >>> dns_server = "YOUR-DC" >>> } >>> { >>> if ($0 ~ /UPDATE SECTION:/) { >>> getline >>> print NF, $0 >>> if ($4 == "A") { >>> if($1 ~ /_msdcs/) { >>> zone = msdcs_zone >>> } else { >>> zone = ad_zone >>> } >>> record = $1 >>> regexp = "." zone "." >>> sub(regexp, "", record) >>> cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record >> " A >>> " $5 " --kerberos=yes" >>> #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record >> " A >>> " $5 " " $2 >>> print cmd >>> cmd | getline >>> close(cmd) >>> } >>> if ($4 == "SRV") { >>> if($1 ~ /_msdcs/) { >>> zone = msdcs_zone >>> } else { >>> zone = ad_zone >>> } >>> record = $1 >>> regexp = "." zone "." >>> sub(regexp, "", record) >>> cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record >> " >>> SRV \'" $8 " " $7 " " $5 " " $6 "\' --kerberos=yes" >>> #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " record >> " >>> SRV \'" $8 " " $7 " " $5 " " $6 "\' " $2 >>> print cmd >>> cmd | getline >>> close(cmd) >>> } >>> } >>> } >>> ------------------------------------------------------------------ >>> >>> This script does not take in account missing NS records as >> samba_dnsupdate >>> does not try to create them. 
>>> >>> >>> 2015-12-11 12:07 GMT+01:00 Rowland penny : >>> >>>> On 11/12/15 10:29, mathias dufresne wrote: >>>> >>>>> Hi Ole, >>>>> >>>>> Using internal DNS samba_dnsupdate does not work correctly, at least >> not >>>>> every time. >>>>> >>>>> Someone modified this samba_dnsupdate tool commenting this line: >>>>> os.unlink(tmpfile) >>>>> which should line 413. >>>>> >>>>> Doing that he was able to get files generated by samba_dnsupdate to >> use >>>>> them as argument of nsupdate command (without -g switch and with >> "allow >>>>> dns >>>>> updates = nonsecure" in smb.conf). >>>>> >>>>> I was not able to make that process work here but I did not tried >> hard. As >>>>> this process was sent directly to me I share it. >>>>> >>>>> The process I use to generate all DNS records is to run >> samba_dnsupdate >>>>> --all-names --verbose and send output of that command to attached awk >>>>> script. >>>>> The awk script get information from samba_dnsupdate for each record >> and >>>>> launch samba-tool to create DNS record. This script is not clever: it >>>>> tries >>>>> to create all mentioned DNS record, generating warnings when record >>>>> already >>>>> exists. >>>>> >>>>> You will have to modify this awk script as the BEGIN section contains >> fake >>>>> information related to AD domain: >>>>> >>>>> BEGIN { >>>>> ad_zone = "YOUR.DOMAIN.TLD" >>>>> msdcs_zone = "_msdcs." ad_zone >>>>> dns_server = "YOUR-DC" >>>>> } >>>>> >>>>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain >>>>> configuration. >>>>> >>>>> The awk script uses kerberos authentication when running samba-tool so >> you >>>>> will need to generate a kerberos ticket for some AD admin before: >>>>> 1°) kinit administrator >>>>> 2°) samba_dnsupdate | awk -f dnsupdate.awk >>>>> >>>>> As it is not an issue to try create an entry which already exists you >> can >>>>> run it that script on each DC to assure you all entries are correctly >>>>> created on all DC. 
>>>>> >>>>> Best regards, >>>>> >>>>> mathias dufresne >>>>> >>>>> >>>>> >>>> There is a flaw with your script! >>>> >>>> >>>> >>>> >>>> >>>> This mailing list strips off attachments, you are going to have to >> paste >>>> it into post. :-) >>>> >>>> Rowland >>>> >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba > > From infractory at gmail.com Thu Dec 17 12:55:09 2015 From: infractory at gmail.com (mathias dufresne) Date: Thu, 17 Dec 2015 13:55:09 +0100 Subject: [Samba] Active Directory Object, Operating System tab In-Reply-To: References: Message-ID: Hi, There are three fields on that tab. You'll find these fields in Samba database with the following names: operatingSystem operatingSystemVersion operatingSystemServicePack And you can extract them with ldbsearch: ldbsearch -H $sam objectcategory=computer operatingSystem operatingSystemVersion operatingSystemServicePack Where $sam variable contains the path to sam.ldb file. 2015-12-16 21:27 GMT+01:00 Jeff Sadowski : > Never mind I'm blind > > [osName=string osVer=string] > > On Wed, Dec 16, 2015 at 1:25 PM, Jeff Sadowski > wrote: > > > Is there a way to populate this tab when I join a computer to the domain > > using samba? > > > > using this command > > > > net ads join -U administrator > > > > creates the AD Object. > > I don't see an option to net when reading the man page to include the OS > > specs > > Maybe use > > --config-file option? > > > > I don't see anything in the smb.conf file that would set any of that > > information. 
> > > > # net --version > > Version 4.1.6-Ubuntu > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > From johabfr at tuxbrasil.com.br Thu Dec 17 13:09:21 2015 From: johabfr at tuxbrasil.com.br (Johab Freitas) Date: Thu, 17 Dec 2015 10:09:21 -0300 Subject: [Samba] Audit in Samba4 Message-ID: Hello, I need to set up an audit in Samba 4, can you help me? Thanks, From rpenny at samba.org Thu Dec 17 13:11:13 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 17 Dec 2015 13:11:13 +0000 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672AE1F.6080406@tu-berlin.de> References: <56699117.7070303@samba.org> <566996A2.6040409@tu-berlin.de> <566AAE5C.8060206@samba.org> <566AD6B7.2010704@tu-berlin.de> <566ADCB4.3010202@samba.org> <5672AE1F.6080406@tu-berlin.de> Message-ID: <5672B471.3070309@samba.org> On 17/12/15 12:44, Ole Traupe wrote: > > > Am 11.12.2015 um 15:24 schrieb Rowland penny: >> On 11/12/15 13:59, Ole Traupe wrote: >>> Hi folks, >>> >>> a) thank you all for your help, I highly appreciate you time and >>> effort, and I am sure I can resolve this issue very soon! >>> b) I have to delay this until early next week, as I have to attend >>> to other matters for now. >>> >>> All I can say, Louis, is that I won't set up a new DC to resolve >>> this - at least not for now. This seems to be another problem of >>> Samba4 not being able to deal with multiple DCs properly. And this >>> has to be able to be resolved on an otherwise working domain without >>> changing its architecture or other more drastic measures. This is my >>> point of view at the moment. Your suggestion reminds me a bit of >>> some typical forum replies to "Reinstall the OS" in case of any >>> problems that can't be solved in an instant. >>> >>> If necessary, I will just create the missing DNS entries of my 2nd >>> DC by hand. 
Although I would prefer a working script supplied by a >>> professional (which I am not). At least I would like to know which >>> DNS entries for my 2nd DC are essential for logins to work. I >>> wouldn't very much like to try this out. However, I am aware that >>> your time is as limited as mine (of not even more so), and you are >>> in no obligation in any way. >>> >>> Besides, I didn't forget do delete anything. I used the script from >>> the wiki to get rid of old records pertaining to my former 1st DC >>> after I had created the records of my *new* 1st DC. I checked the >>> results: everything related to my former first DC was gone. Also I >>> documented/discussed this process here on the list. And nobody >>> pointed me to things I forgot or was leaving out. I know that use of >>> this script was totally "on my own risk". But the results were as >>> they should have been, at least as far I am able to tell. >>> >>> That said, I will go through your responses and get back to you with >>> results. >>> >>> Best, have a good weekend! >>> Ole >>> >>> >> >> Ole, when you provision a domain, all the required records are >> created, but when you join another DC, most of the dns records are >> not created until the samba deamon is started and samba_dnsupdate is >> run automatically, see 'dns_update_list' for what is added (this is >> in /usr/share/samba/setup & /var/lib/samba/private on debian) >> >> If you want to add the missing NS records, add these lines to >> 'dns_update_list' : >> >> # RW DNS servers >> ${IF_RWDNS_DOMAIN}A >> ${DNSDOMAIN} $IP >> ${IF_RWDNS_DOMAIN}NS ${DNSDOMAIN} ${HOSTNAME} >> >> # RW DNS servers >> ${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME} >> >> You should be aware that even if you add these lines, they will not >> do you any good at the moment if you use the internal dns server. >> >> There is a problem, it looks like the records do not get added when >> samba_dnsupdate is first run, but they are. 
> > Rowland, I do not understand you in this point. Does or doesn't this > help me with the internal DNS? Hi Ole, from my testing, if you are using the Samba internal DNS server, you only have the one NS record pointing to your first DC, even if you do add the NS record for the second DC. If you use Bind9 instead, you do get two NS records. Rowland From belle at bazuin.nl Thu Dec 17 13:22:53 2015 From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=) Date: Thu, 17 Dec 2015 14:22:53 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672AF98.3050705@tu-berlin.de> References: Message-ID: Commented inbetween. > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe > Verzonden: donderdag 17 december 2015 13:51 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller > initially fails when PDC is offline > > > > Am 11.12.2015 um 15:31 schrieb L.P.H. van Belle: > > Commented inbetween. > > > >> -----Oorspronkelijk bericht----- > >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe > >> Verzonden: vrijdag 11 december 2015 14:59 > >> Aan: samba at lists.samba.org > >> Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller > >> initially fails when PDC is offline > >> > >> Hi folks, > >> > >> a) thank you all for your help, I highly appreciate you time and > effort, > >> and I am sure I can resolve this issue very soon! > >> b) I have to delay this until early next week, as I have to attend to > >> other matters for now. > >> > >> All I can say, Louis, is that I won't set up a new DC to resolve this - > >> at least not for now. This seems to be another problem of Samba4 not > >> being able to deal with multiple DCs properly. And this has to be able > >> to be resolved on an otherwise working domain without changing its > >> architecture or other more drastic measures. 
This is my point of view > at > >> the moment. Your suggestion reminds me a bit of some typical forum > >> replies to "Reinstall the OS" in case of any problems that can't be > >> solved in an instant. > > [L.P.H. van Belle] > > I dont think this is another problem of samba4, but this is a problem > which started in the begining of your install, at least thats what i > suppect based on all your info on the list. > > I suspect that, then you "installed" the new DC with the old name/ip. > > Yes, maybe, but why/how? [L.P.H. van Belle] I could answere that i would, but i dont know how you exactly installed. I'v scripted my installs, so it always the same. I have no problems with my config, or on all my servers. So one fix fixes all in my case. > > > You forgot somewhere to remove old entries in AD and/or DNS. > > Not that I know of. This is pure speculation. My domain is not that > large and I can go through all DNS records in 5 min. There wasn't > anything left pointing to the demoted DC. > > > And this is why i suggested it, normaly i dont suggest something like > this, but i do think that if you setup clean you wil have a better running > server with less problems , but what you choose is all up to you. > > Do what you thinks is best for you. > > I am still considering this as a last resort. [L.P.H. van Belle] from a learning point this is always good. fist installs are always hard, i've tested my setup/configs for about 6-8 month before production, and i screwed also things up, so i reinstalled and learned also the hard way. And thankfully there is the samba list, which helped me a lot. > > > > >> If necessary, I will just create the missing DNS entries of my 2nd DC > by > >> hand. Although I would prefer a working script supplied by a > >> professional (which I am not). At least I would like to know which DNS > >> entries for my 2nd DC are essential for logins to work. I wouldn't very > >> much like to try this out. 
However, I am aware that your time is as > >> limited as mine (of not even more so), and you are in no obligation in > >> any way. > > [L.P.H. van Belle] > > > >> ). At least I would like to know which DNS > >> entries for my 2nd DC are essential for logins to work. > > And what you ask here is already answered few times imo. > > Where? Point me to it, please! Uhh, somehere in the emails of 10-dec, see whats in the samba_dnsupdate --verbose that are the needed dns records. [L.P.H. van Belle] in the AD and dns, open the user managment tool ( the AD user manager ) klik on view, enable advanced.. now klik through the complete ad and find old entries. Dont forget the "computers" OU and do the same in the DNS manager. also, make sure you DNS zone (SOA) record contains the PRIMARY DC. Above can be done also with ldapsearch. > > > > > Again, your quicker with a clean install, and you learn more from it. > > And with clean, i dont mean dropping your AD, just add new "DC Join" to > hold the AD data so you can remove the faulty server and then you can > install that server again, but now as it should. > > AND when you join a DC your login problem is fixed also. ;-) > > I somehow doubt that. Still it seems that no one here has an idea of why > log-on from member servers isn't working properly (for me). However, in > the meantime I have created all the necessary DNS records. This can't be > the issue anymore. [L.P.H. van Belle] a delay for the login when one dns is done is normal, it needs to timeout first. when you type : dig a internal.domain.tld you should see 2 responses, and the results are your 2 DC's. > > > > > > >> Besides, I didn't forget do delete anything. I used the script from the > >> wiki to get rid of old records pertaining to my former 1st DC after I > >> had created the records of my *new* 1st DC. I checked the results: > >> everything related to my former first DC was gone. Also I > >> documented/discussed this process here on the list. 
And nobody pointed > >> me to things I forgot or was leaving out. I know that use of this > script > >> was totally "on my own risk". But the results were as they should have > >> been, at least as far I am able to tell.[L.P.H. van Belle] > > [L.P.H. van Belle] which script ? can anyone point that one for me, cant > find it. I only know about > > https://bugzilla.samba.org/show_bug.cgi?id=10595 > > It is this one: > https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede- > 9f97-0e1cc4d577f3#content > > > > >> That said, I will go through your responses and get back to you with > >> results. > >> > >> Best, have a good weekend! > >> Ole > > [L.P.H. van Belle] > > Thank you, and have a very good weekend also, i hope your problem is > fixed soon. > > Thanks, me too. > > Ole > > > > >> > >> Am 11.12.2015 um 13:33 schrieb mathias dufresne: > >>> Thank you Rowland to noticed that. > >>> > >>> Here it is: > >>> ------------------------------------------------------------------ > >>> #!/usr/bin/awk > >>> > >>> BEGIN { > >>> ad_zone = "YOUR.DOMAIN.TLD" > >>> msdcs_zone = "_msdcs." ad_zone > >>> dns_server = "YOUR-DC" > >>> } > >>> { > >>> if ($0 ~ /UPDATE SECTION:/) { > >>> getline > >>> print NF, $0 > >>> if ($4 == "A") { > >>> if($1 ~ /_msdcs/) { > >>> zone = msdcs_zone > >>> } else { > >>> zone = ad_zone > >>> } > >>> record = $1 > >>> regexp = "." zone "." > >>> sub(regexp, "", record) > >>> cmd = "samba-tool dns add " dns_server " " msdcs_zone " " > record > >> " A > >>> " $5 " --kerberos=yes" > >>> #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " > record > >> " A > >>> " $5 " " $2 > >>> print cmd > >>> cmd | getline > >>> close(cmd) > >>> } > >>> if ($4 == "SRV") { > >>> if($1 ~ /_msdcs/) { > >>> zone = msdcs_zone > >>> } else { > >>> zone = ad_zone > >>> } > >>> record = $1 > >>> regexp = "." zone "." 
> >>> sub(regexp, "", record) > >>> cmd = "samba-tool dns add " dns_server " " msdcs_zone " " > record > >> " > >>> SRV \'" $8 " " $7 " " $5 " " $6 "\' --kerberos=yes" > >>> #cmd = "samba-tool dns add " dns_server " " msdcs_zone " " > record > >> " > >>> SRV \'" $8 " " $7 " " $5 " " $6 "\' " $2 > >>> print cmd > >>> cmd | getline > >>> close(cmd) > >>> } > >>> } > >>> } > >>> ------------------------------------------------------------------ > >>> > >>> This script does not take in account missing NS records as > >> samba_dnsupdate > >>> does not try to create them. > >>> > >>> > >>> 2015-12-11 12:07 GMT+01:00 Rowland penny : > >>> > >>>> On 11/12/15 10:29, mathias dufresne wrote: > >>>> > >>>>> Hi Ole, > >>>>> > >>>>> Using internal DNS samba_dnsupdate does not work correctly, at least > >> not > >>>>> every time. > >>>>> > >>>>> Someone modified this samba_dnsupdate tool commenting this line: > >>>>> os.unlink(tmpfile) > >>>>> which should line 413. > >>>>> > >>>>> Doing that he was able to get files generated by samba_dnsupdate to > >> use > >>>>> them as argument of nsupdate command (without -g switch and with > >> "allow > >>>>> dns > >>>>> updates = nonsecure" in smb.conf). > >>>>> > >>>>> I was not able to make that process work here but I did not tried > >> hard. As > >>>>> this process was sent directly to me I share it. > >>>>> > >>>>> The process I use to generate all DNS records is to run > >> samba_dnsupdate > >>>>> --all-names --verbose and send output of that command to attached > awk > >>>>> script. > >>>>> The awk script get information from samba_dnsupdate for each record > >> and > >>>>> launch samba-tool to create DNS record. This script is not clever: > it > >>>>> tries > >>>>> to create all mentioned DNS record, generating warnings when record > >>>>> already > >>>>> exists. 
> >>>>> > >>>>> You will have to modify this awk script as the BEGIN section > contains > >> fake > >>>>> information related to AD domain: > >>>>> > >>>>> BEGIN { > >>>>> ad_zone = "YOUR.DOMAIN.TLD" > >>>>> msdcs_zone = "_msdcs." ad_zone > >>>>> dns_server = "YOUR-DC" > >>>>> } > >>>>> > >>>>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain > >>>>> configuration. > >>>>> > >>>>> The awk script uses kerberos authentication when running samba-tool > so > >> you > >>>>> will need to generate a kerberos ticket for some AD admin before: > >>>>> 1°) kinit administrator > >>>>> 2°) samba_dnsupdate | awk -f dnsupdate.awk > >>>>> > >>>>> As it is not an issue to try create an entry which already exists > you > >> can > >>>>> run it that script on each DC to assure you all entries are > correctly > >>>>> created on all DC. > >>>>> > >>>>> Best regards, > >>>>> > >>>>> mathias dufresne > >>>>> > >>>>> > >>>>> > >>>> There is a flaw with your script! > >>>> > >>>> > >>>> > >>>> > >>>> > >>>> This mailing list strips off attachments, you are going to have to > >> paste > >>>> it into post. 
:-) > >>>> > >>>> Rowland > >>>> > >>>> > >>>> -- > >>>> To unsubscribe from this list go to the following URL and read the > >>>> instructions: https://lists.samba.org/mailman/options/samba > >>>> > >> > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba From belle at bazuin.nl Thu Dec 17 13:25:17 2015 From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=) Date: Thu, 17 Dec 2015 14:25:17 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672B471.3070309@samba.org> References: <5672AE1F.6080406@tu-berlin.de> Message-ID: > Hi Ole, from my testing, if you are using the Samba internal DNS server, > you only have the one NS record pointing to your first DC, even if you > do add the NS record for the second DC. If you use Bind9 instead, you do > get two NS records. > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba [L.P.H. van Belle] Good info.. So one thing for the wiki... internal dns => 1 NS record. Bind9 dns => 2 NS records. so single DC, internal DNS is sufficient. Multiple DC,s always go for bind9 dns. Greetz, Louis From rpenny at samba.org Thu Dec 17 13:32:19 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 17 Dec 2015 13:32:19 +0000 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672AF98.3050705@tu-berlin.de> References: <5672AF98.3050705@tu-berlin.de> Message-ID: <5672B963.40301@samba.org> On 17/12/15 12:50, Ole Traupe wrote: > > I somehow doubt that. Still it seems that no one here has an idea of > why log-on from member servers isn't working properly (for me). 
> However, in the meantime I have created all the necessary DNS records.
> This can't be the issue anymore.
>

If you are sure that you now have all the DNS records for both DCs in AD, then I would agree that this is probably not the issue (there is just the 0.1% chance you are still missing something).

Can your domain members find the DCs?
Do your domain members have a FQDN?
Are they joined to the domain?
What have you got in smb.conf on the domain members?

You may have posted all or some of this before, but let's start again.

Rowland

From rpenny at samba.org  Thu Dec 17 13:43:03 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 17 Dec 2015 13:43:03 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: 
References: <5672AE1F.6080406@tu-berlin.de>
Message-ID: <5672BBE7.9080803@samba.org>

On 17/12/15 13:25, L.P.H. van Belle wrote:
>> Hi Ole, from my testing, if you are using the Samba internal DNS server,
>> you only have the one NS record pointing to your first DC, even if you
>> do add the NS record for the second DC. If you use Bind9 instead, you do
>> get two NS records.
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
> [L.P.H. van Belle]
>
> Good info..
>
> So one thing for the wiki...
> internal dns => 1 NS record.
> Bind9 dns => 2 NS records.
>
> so single DC, internal DNS is sufficient.
> Multiple DCs, always go for bind9 dns.
>
Well, not yet, I need to get a patch added that will add the relevant info to dns_update_list, so that samba_dnsupdate can add all the required DNS info when a new secondary DC is started for the first time. I seem to have a problem getting patches past; I was advised that it might be quicker using the new Github method, but this doesn't seem to be true, I have seen faster glaciers.
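Added editorial example; this is not code from mathias dufresne, Ole, Rowland or the Samba project. The awk script quoted several times above computes a `zone` variable for each record but then passes `msdcs_zone` to every `samba-tool dns add`, so records that belong in the domain zone are sent to `_msdcs.<domain>` instead (this is the kind of flaw Rowland alluded to), and it has no way to express the zone apex (the `my.domain.tld. IN A` record for the domain itself). The wrapper below redoes the conversion: it reads the nsupdate-style dump that `samba_dnsupdate --all-names --verbose` prints (record lines of the form `name. TTL IN TYPE rdata` after an `UPDATE SECTION:` header, as in the original script's assumptions), picks the zone per record, uses `@` for the apex, converts SRV data into the `target port priority weight` order `samba-tool` expects, and only prints the commands so they can be reviewed before being piped into `sh`. The names `my.domain.tld`, `dc1.my.domain.tld`, `dc2`, the 192.0.2.x addresses and the sample dump are constructed for the example; `AD_ZONE`, `DNS_SERVER` and `gen_dns_commands` are this example's own names.

```sh
#!/bin/sh
# Added editorial example, not code from the thread or from Samba.
# Turns the nsupdate-style dump printed by
#   samba_dnsupdate --all-names --verbose
# into "samba-tool dns add" commands, one per record, choosing the
# right zone for each record (domain zone vs. _msdcs zone) and "@"
# for the zone apex. Commands are printed, not executed.

# Assumed placeholders: set these to your AD DNS domain and to a DC
# that will accept the updates.
AD_ZONE="${AD_ZONE:-my.domain.tld}"
DNS_SERVER="${DNS_SERVER:-dc1.my.domain.tld}"

# gen_dns_commands: read the samba_dnsupdate dump on stdin, print commands.
# Record lines look like:  name. TTL IN TYPE rdata   (after "UPDATE SECTION:")
gen_dns_commands() {
    awk -v ad_zone="$AD_ZONE" -v dns_server="$DNS_SERVER" '
    BEGIN { msdcs_zone = "_msdcs." ad_zone; inupd = 0 }
    /UPDATE SECTION:/ { inupd = 1; next }       # records follow this header
    /^;/ || /^$/      { inupd = 0; next }       # any other section ends it
    inupd && NF >= 5 && $3 == "IN" {
        name = $1
        sub(/\.$/, "", name)                    # drop the trailing dot
        # Records under _msdcs.<domain> live in their own zone.
        zone = (index(name, msdcs_zone) > 0) ? msdcs_zone : ad_zone
        if (name == zone) {
            record = "@"                        # zone apex, e.g. the domain A record
        } else {
            suffix = "." zone
            if (substr(name, length(name) - length(suffix) + 1) != suffix) next
            record = substr(name, 1, length(name) - length(suffix))
        }
        if ($4 == "A") {
            rdata = $5
        } else if ($4 == "SRV") {
            # nsupdate order is "prio weight port target";
            # samba-tool wants "target port prio weight".
            target = $8; sub(/\.$/, "", target)
            rdata = "\"" target " " $7 " " $5 " " $6 "\""
        } else {
            next                                # other types: leave to the admin
        }
        printf "samba-tool dns add %s %s %s %s %s --kerberos=yes\n",
               dns_server, zone, record, $4, rdata
    }'
}

# Constructed sample of what samba_dnsupdate --verbose prints for a
# second DC (dc2, 192.0.2.12); real output has many more records.
SAMPLE_UPDATE='Calling nsupdate for A dc2.my.domain.tld 192.0.2.12 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc2.my.domain.tld.   900  IN  A  192.0.2.12

;; UPDATE SECTION:
_kerberos._udp.my.domain.tld.   900  IN  SRV  0 100 88 dc2.my.domain.tld.

;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.my.domain.tld.   900  IN  SRV  0 100 3268 dc2.my.domain.tld.

;; UPDATE SECTION:
gc._msdcs.my.domain.tld.   900  IN  A  192.0.2.12

;; UPDATE SECTION:
my.domain.tld.   900  IN  A  192.0.2.12
'

if [ "${1:-}" = "--stdin" ]; then
    gen_dns_commands                                    # real run: dump on stdin
else
    printf '%s\n' "$SAMPLE_UPDATE" | gen_dns_commands   # demo with the sample
fi
```

On a DC, after `kinit administrator`, a real run is `samba_dnsupdate --all-names --verbose 2>&1 | AD_ZONE=my.domain.tld DNS_SERVER=dc1.my.domain.tld sh gen-dns.sh --stdin`; read the printed commands, then append `| sh`. A record that already exists only makes its own `samba-tool` command fail, so, as mathias noted for his script, running this on every DC is harmless. The NS records Rowland and mathias discuss are not in the samba_dnsupdate output and are not produced here either; they still have to be added by hand.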
:-D

Rowland

From ole.traupe at tu-berlin.de  Thu Dec 17 13:51:20 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Thu, 17 Dec 2015 14:51:20 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: 
References: 
Message-ID: <5672BDD8.7000602@tu-berlin.de>

>> Where? Point me to it, please!
> Uhh, somewhere in the emails of 10-dec, see what's in the
> samba_dnsupdate --verbose that are the needed dns records.

Ok, thank you! Interesting: this reveals that there *should* be a "gc" record for the 2nd DC, although someone here said before that I should definitely *not* create that one.

>
>
> [L.P.H. van Belle] in the AD and dns, open the user management tool ( the AD user manager )
> click on view, enable advanced..
> now click through the complete ad and find old entries.
> Don't forget the "computers" OU

As I said, there are and were no old entries.

>
>
> and do the same in the DNS manager.

Ditto.

> also, make sure your DNS zone (SOA) record contains the PRIMARY DC.

Of course.

>
> Above can be done also with ldapsearch.
>
>
>>> Again, you're quicker with a clean install, and you learn more from it.
>>> And with clean, I don't mean dropping your AD, just add new "DC Join" to
>> hold the AD data so you can remove the faulty server and then you can
>> install that server again, but now as it should.
>>> AND when you join a DC your login problem is fixed also. ;-)
>> I somehow doubt that. Still it seems that no one here has an idea of why
>> log-on from member servers isn't working properly (for me). However, in
>> the meantime I have created all the necessary DNS records. This can't be
>> the issue anymore.
> [L.P.H. van Belle]
> a delay for the login when one dns is down is normal, it needs to timeout first.

How long? Like 60+ seconds in case of ssh login?

> when you type :
> dig a internal.domain.tld
> you should see 2 responses, and the results are your 2 DC's.
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> a internal.domain.tld
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48671
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;internal.domain.tld.        IN  A

;; AUTHORITY SECTION:
.            10800  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 2015121700 1800 900 604800 86400

>
>
>>>
>>>> Besides, I didn't forget to delete anything. I used the script from the
>>>> wiki to get rid of old records pertaining to my former 1st DC after I
>>>> had created the records of my *new* 1st DC. I checked the results:
>>>> everything related to my former first DC was gone. Also I
>>>> documented/discussed this process here on the list. And nobody pointed
>>>> me to things I forgot or was leaving out. I know that use of this script
>>>> was totally "on my own risk". But the results were as they should have
>>>> been, at least as far as I am able to tell.
>>> [L.P.H. van Belle] which script? can anyone point that one out for me, can't
>>> find it. I only know about
>>> https://bugzilla.samba.org/show_bug.cgi?id=10595
>> It is this one:
>> https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3#content
>>
>>>> That said, I will go through your responses and get back to you with
>>>> results.
>>>>
>>>> Best, have a good weekend!
>>>> Ole
>>> [L.P.H. van Belle]
>>> Thank you, and have a very good weekend also, I hope your problem is
>>> fixed soon.
>>
>> Thanks, me too.
>>
>> Ole
>>
>>>> On 11.12.2015 at 13:33, mathias dufresne wrote:
>>>>> Thank you Rowland for noticing that.
>>>>>
>>>>> Here it is:
>>>>> ------------------------------------------------------------------
>>>>> #!/usr/bin/awk -f
>>>>>
>>>>> BEGIN {
>>>>>     ad_zone = "YOUR.DOMAIN.TLD"
>>>>>     msdcs_zone = "_msdcs." ad_zone
>>>>>     dns_server = "YOUR-DC"
>>>>> }
>>>>> {
>>>>>     # each "UPDATE SECTION:" header is followed by one record line:
>>>>>     # name ttl class type rdata...
>>>>>     if ($0 ~ /UPDATE SECTION:/) {
>>>>>         getline
>>>>>         print NF, $0
>>>>>         if ($4 == "A") {
>>>>>             # pick the zone from the record name, then strip the
>>>>>             # zone suffix to get the name relative to that zone
>>>>>             if ($1 ~ /_msdcs/) {
>>>>>                 zone = msdcs_zone
>>>>>             } else {
>>>>>                 zone = ad_zone
>>>>>             }
>>>>>             record = $1
>>>>>             regexp = "." zone "."
>>>>>             sub(regexp, "", record)
>>>>>             cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " --kerberos=yes"
>>>>>             #cmd = "samba-tool dns add " dns_server " " zone " " record " A " $5 " " $2
>>>>>             print cmd
>>>>>             cmd | getline
>>>>>             close(cmd)
>>>>>         }
>>>>>         if ($4 == "SRV") {
>>>>>             if ($1 ~ /_msdcs/) {
>>>>>                 zone = msdcs_zone
>>>>>             } else {
>>>>>                 zone = ad_zone
>>>>>             }
>>>>>             record = $1
>>>>>             regexp = "." zone "."
>>>>>             sub(regexp, "", record)
>>>>>             # samba-tool wants SRV data as 'target port priority weight'
>>>>>             cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' --kerberos=yes"
>>>>>             #cmd = "samba-tool dns add " dns_server " " zone " " record " SRV '" $8 " " $7 " " $5 " " $6 "' " $2
>>>>>             print cmd
>>>>>             cmd | getline
>>>>>             close(cmd)
>>>>>         }
>>>>>     }
>>>>> }
>>>>> ------------------------------------------------------------------
>>>>>
>>>>> This script does not take into account missing NS records as samba_dnsupdate
>>>>> does not try to create them.
>>>>>
>>>>>
>>>>> 2015-12-11 12:07 GMT+01:00 Rowland penny :
>>>>>
>>>>>> On 11/12/15 10:29, mathias dufresne wrote:
>>>>>>
>>>>>>> Hi Ole,
>>>>>>>
>>>>>>> Using internal DNS samba_dnsupdate does not work correctly, at least not
>>>>>>> every time.
>>>>>>>
>>>>>>> Someone modified this samba_dnsupdate tool commenting this line:
>>>>>>> os.unlink(tmpfile)
>>>>>>> which should be line 413.
>>>>>>>
>>>>>>> Doing that he was able to get files generated by samba_dnsupdate to use
>>>>>>> them as argument of nsupdate command (without -g switch and with "allow
>>>>>>> dns updates = nonsecure" in smb.conf).
>>>>>>>
>>>>>>> I was not able to make that process work here but I did not try
>>>>>>> hard. As this process was sent directly to me I share it.
>>>>>>>
>>>>>>> The process I use to generate all DNS records is to run samba_dnsupdate
>>>>>>> --all-names --verbose and send output of that command to the attached awk
>>>>>>> script.
>>>>>>> The awk script gets information from samba_dnsupdate for each record and
>>>>>>> launches samba-tool to create the DNS record. This script is not clever: it
>>>>>>> tries to create all mentioned DNS records, generating warnings when a record
>>>>>>> already exists.
>>>>>>>
>>>>>>> You will have to modify this awk script as the BEGIN section contains fake
>>>>>>> information related to the AD domain:
>>>>>>>
>>>>>>> BEGIN {
>>>>>>>     ad_zone = "YOUR.DOMAIN.TLD"
>>>>>>>     msdcs_zone = "_msdcs." ad_zone
>>>>>>>     dns_server = "YOUR-DC"
>>>>>>> }
>>>>>>>
>>>>>>> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain
>>>>>>> configuration.
>>>>>>>
>>>>>>> The awk script uses kerberos authentication when running samba-tool so you
>>>>>>> will need to generate a kerberos ticket for some AD admin before:
>>>>>>> 1°) kinit administrator
>>>>>>> 2°) samba_dnsupdate | awk -f dnsupdate.awk
>>>>>>>
>>>>>>> As it is not an issue to try to create an entry which already exists you can
>>>>>>> run that script on each DC to assure yourself all entries are correctly
>>>>>>> created on all DCs.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> mathias dufresne
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> There is a flaw with your script!
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> This mailing list strips off attachments, you are going to have to paste
>>>>>> it into post.
:-) >>>>>> >>>>>> Rowland >>>>>> >>>>>> >>>>>> -- >>>>>> To unsubscribe from this list go to the following URL and read the >>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba > > From ole.traupe at tu-berlin.de Thu Dec 17 13:54:03 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 17 Dec 2015 14:54:03 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672B963.40301@samba.org> References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> Message-ID: <5672BE7B.5060802@tu-berlin.de> Rowland, thank you, but before we do that: - what now with the 'gc' record? 2nd DC yes or no? - if you say that the internal DNS is not compatible with a multi-DC setting, than we can stop here, no? Ole Am 17.12.2015 um 14:32 schrieb Rowland penny: > On 17/12/15 12:50, Ole Traupe wrote: >> >> I somehow doubt that. Still it seems that no one here has an idea of >> why log-on from member servers isn't working properly (for me). >> However, in the meantime I have created all the necessary DNS >> records. This can't be the issue anymore. >> >> > > If you are sure that you now have all the dns records for both DCs in > AD, then I would agree that this is probably not the issue (there is > just the 0.1% chance you are still missing something) > > Can your domain members find the DCs ? > Do your domain members have a FQDN ? > Are they joined to the domain ? > What have got in smb.conf on the domain members ? > > You may have posted all or some of this before, but lets start again. 
>
> Rowland
>

From rpenny at samba.org Thu Dec 17 14:33:00 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 17 Dec 2015 14:33:00 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5672BE7B.5060802@tu-berlin.de>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de>
Message-ID: <5672C79C.9060408@samba.org>

On 17/12/15 13:54, Ole Traupe wrote:
> Rowland, thank you, but before we do that:
>
> - what now with the 'gc' record? 2nd DC yes or no?

Which one? I have these:

dn: DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
dn: DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
dn: DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com

They all contain two dnsrecords, one from each DC.

> - if you say that the internal DNS is not compatible with a multi-DC
> setting, then we can stop here, no?
>

Please stop putting words in my mouth :-)

All I said was that you will only get one NS record if you use the internal DNS server, everything else seems to work though, although I haven't tried turning the first DC off yet.

Rowland

> Ole
>
>
> On 17.12.2015 at 14:32, Rowland penny wrote:
>> On 17/12/15 12:50, Ole Traupe wrote:
>>>
>>> I somehow doubt that. Still it seems that no one here has an idea of
>>> why log-on from member servers isn't working properly (for me).
>>> However, in the meantime I have created all the necessary DNS
>>> records. This can't be the issue anymore.
>>> >>> >> >> If you are sure that you now have all the dns records for both DCs in >> AD, then I would agree that this is probably not the issue (there is >> just the 0.1% chance you are still missing something) >> >> Can your domain members find the DCs ? >> Do your domain members have a FQDN ? >> Are they joined to the domain ? >> What have got in smb.conf on the domain members ? >> >> You may have posted all or some of this before, but lets start again. >> >> Rowland >> > > From belle at bazuin.nl Thu Dec 17 14:45:58 2015 From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=) Date: Thu, 17 Dec 2015 15:45:58 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672BDD8.7000602@tu-berlin.de> References: Message-ID: No GC !! Ai.. thats a problem.. Read this, create a new GC record. https://support.microsoft.com/en-us/kb/313994 > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe > Verzonden: donderdag 17 december 2015 14:51 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Authentication to Secondary Domain Controller > initially fails when PDC is offline > > >> Where? Point me to it, please! > > Uhh, somehere in the emails of 10-dec, see whats in the > > samba_dnsupdate --verbose that are the needed dns records. > > Ok, thank you! Interesting: this reaveals that there *should* be a "gc" > record for the 2nd DC, although someone here said before, that I should > definitely *not* create that one. > > > > > > > [L.P.H. van Belle] in the AD and dns, open the user managment tool ( > the AD user manager ) > > klik on view, enable advanced.. > > now klik through the complete ad and find old entries. > > Dont forget the "computers" OU > > As I said, there are and were no old entries. > > > > > > > and do the same in the DNS manager. > > Dito. > > > also, make sure you DNS zone (SOA) record contains the PRIMARY DC. > > Of course. 
:-)
> >>>>>>
> >>>>>> Rowland
> >>>>>>
> >>>
> >>
> >
>

From ole.traupe at tu-berlin.de Thu Dec 17 14:46:12 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Thu, 17 Dec 2015 15:46:12 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5672B963.40301@samba.org>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org>
Message-ID: <5672CAB4.6000003@tu-berlin.de>

On 17.12.2015 at 14:32, Rowland penny wrote:
> On 17/12/15 12:50, Ole Traupe wrote:
>>
>> I somehow doubt that. Still it seems that no one here has an idea of
>> why log-on from member servers isn't working properly (for me).
>> However, in the meantime I have created all the necessary DNS
>> records. This can't be the issue anymore.
>>
>>
>
> If you are sure that you now have all the dns records for both DCs in
> AD, then I would agree that this is probably not the issue (there is
> just the 0.1% chance you are still missing something)
>
> Can your domain members find the DCs ?
> Do your domain members have a FQDN ?
> Are they joined to the domain ?
> What have got in smb.conf on the domain members ?
>
> You may have posted all or some of this before, but lets start again.
>
> Rowland
>

Ok, there were still records missing (according to "samba_dnsupdate --verbose").
I added them manually, and now I get "No DNS updates needed" on both my DCs.

Still/again: "kinit" takes more than a minute on member servers, and login via ssh is impossible now (times out eventually).

Some questions:

- what about that corrupted record I mentioned earlier, how can I get rid of it?

- why does "samba_dnsupdate --verbose" on DC1 check records only against 1 instance (record from DC1), while the same command issued on DC2 checks records against both existing instances (records from DC1 and DC2)?

- why does the dns update fail in the first place? will I have the same problem again with the next DC I set up?

- why do I still have the login problems?

Ole

From ole.traupe at tu-berlin.de Thu Dec 17 14:56:44 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Thu, 17 Dec 2015 15:56:44 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5672C79C.9060408@samba.org>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org>
Message-ID: <5672CD2C.2010305@tu-berlin.de>

On 17.12.2015 at 15:33, Rowland penny wrote:
> On 17/12/15 13:54, Ole Traupe wrote:
>> Rowland, thank you, but before we do that:
>>
>> - what now with the 'gc' record? 2nd DC yes or no?
>
> Which one ?
I have these: > > dn: > DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com > > dn: > DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com > > dn: > DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com > > dn: > DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com > > dn: > DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com > > They all contain two dnsrecords, one from each DC > >> - if you say that the internal DNS is not compatible with a multi-DC >> setting, than we can stop here, no? >> > > Please stop putting words in my mouth :-) > > All I said was that you will only get one NS record if you use the > internal DNS server, Ok. And do you *need* both? > everything else seems to work though, although I haven't tried turning > the first DC off yet. Why? I mean, could you perhaps? Please? > > Rowland > >> Ole >> >> >> Am 17.12.2015 um 14:32 schrieb Rowland penny: >>> On 17/12/15 12:50, Ole Traupe wrote: >>>> >>>> I somehow doubt that. Still it seems that no one here has an idea >>>> of why log-on from member servers isn't working properly (for me). >>>> However, in the meantime I have created all the necessary DNS >>>> records. This can't be the issue anymore. >>>> >>>> >>> >>> If you are sure that you now have all the dns records for both DCs >>> in AD, then I would agree that this is probably not the issue (there >>> is just the 0.1% chance you are still missing something) >>> >>> Can your domain members find the DCs ? >>> Do your domain members have a FQDN ? >>> Are they joined to the domain ? >>> What have got in smb.conf on the domain members ? >>> >>> You may have posted all or some of this before, but lets start again. 
>>> >>> Rowland >>> >> >> > > From rpenny at samba.org Thu Dec 17 15:10:42 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 17 Dec 2015 15:10:42 +0000 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672CD2C.2010305@tu-berlin.de> References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> Message-ID: <5672D072.9010901@samba.org> On 17/12/15 14:56, Ole Traupe wrote: > > > Am 17.12.2015 um 15:33 schrieb Rowland penny: >> On 17/12/15 13:54, Ole Traupe wrote: >>> Rowland, thank you, but before we do that: >>> >>> - what now with the 'gc' record? 2nd DC yes or no? >> >> Which one ? I have these: >> >> dn: >> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >> >> dn: >> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >> >> dn: >> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >> >> dn: >> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >> >> dn: >> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >> >> They all contain two dnsrecords, one from each DC >> >>> - if you say that the internal DNS is not compatible with a multi-DC >>> setting, than we can stop here, no? >>> >> >> Please stop putting words in my mouth :-) >> >> All I said was that you will only get one NS record if you use the >> internal DNS server, > > Ok. And do you *need* both? Not sure , but microsoft says you should have a SOA record for each DC that runs DNS. > > > >> everything else seems to work though, although I haven't tried >> turning the first DC off yet. > > Why? I mean, could you perhaps? Please? 
> Probably, but not today, will do it as soon as possible. Rowland From ole.traupe at tu-berlin.de Thu Dec 17 15:13:56 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 17 Dec 2015 16:13:56 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672CD2C.2010305@tu-berlin.de> References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> Message-ID: <5672D134.4010006@tu-berlin.de> Can *anyone* report that he/she has a fail-safe domain in the sense that the first DC (FSMO role holder) can be offline and login still works on Windows clients AND Linux member servers? Samba 4.2.5 (from source) Internal DNS Ole Am 17.12.2015 um 15:56 schrieb Ole Traupe: > > > Am 17.12.2015 um 15:33 schrieb Rowland penny: >> On 17/12/15 13:54, Ole Traupe wrote: >>> Rowland, thank you, but before we do that: >>> >>> - what now with the 'gc' record? 2nd DC yes or no? >> >> Which one ? I have these: >> >> dn: >> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >> >> dn: >> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >> >> dn: >> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >> >> dn: >> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >> >> dn: >> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >> >> They all contain two dnsrecords, one from each DC >> >>> - if you say that the internal DNS is not compatible with a multi-DC >>> setting, than we can stop here, no? 
>>> >> >> Please stop putting words in my mouth :-) >> >> All I said was that you will only get one NS record if you use the >> internal DNS server, > > Ok. And do you *need* both? > > >> everything else seems to work though, although I haven't tried >> turning the first DC off yet. > > Why? I mean, could you perhaps? Please? > >> >> Rowland >> >>> Ole >>> >>> >>> Am 17.12.2015 um 14:32 schrieb Rowland penny: >>>> On 17/12/15 12:50, Ole Traupe wrote: >>>>> >>>>> I somehow doubt that. Still it seems that no one here has an idea >>>>> of why log-on from member servers isn't working properly (for me). >>>>> However, in the meantime I have created all the necessary DNS >>>>> records. This can't be the issue anymore. >>>>> >>>>> >>>> >>>> If you are sure that you now have all the dns records for both DCs >>>> in AD, then I would agree that this is probably not the issue >>>> (there is just the 0.1% chance you are still missing something) >>>> >>>> Can your domain members find the DCs ? >>>> Do your domain members have a FQDN ? >>>> Are they joined to the domain ? >>>> What have got in smb.conf on the domain members ? >>>> >>>> You may have posted all or some of this before, but lets start again. >>>> >>>> Rowland >>>> >>> >>> >> >> > > From lingpanda101 at gmail.com Thu Dec 17 15:20:59 2015 From: lingpanda101 at gmail.com (James) Date: Thu, 17 Dec 2015 10:20:59 -0500 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672CD2C.2010305@tu-berlin.de> References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> Message-ID: <5672D2DB.1010802@gmail.com> On 12/17/2015 9:56 AM, Ole Traupe wrote: > > > Am 17.12.2015 um 15:33 schrieb Rowland penny: >> On 17/12/15 13:54, Ole Traupe wrote: >>> Rowland, thank you, but before we do that: >>> >>> - what now with the 'gc' record? 2nd DC yes or no? >> >> Which one ? 
I have these: >> >> dn: >> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >> >> dn: >> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >> >> dn: >> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >> >> dn: >> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >> >> dn: >> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >> >> They all contain two dnsrecords, one from each DC >> >>> - if you say that the internal DNS is not compatible with a multi-DC >>> setting, than we can stop here, no? >>> >> >> Please stop putting words in my mouth :-) >> >> All I said was that you will only get one NS record if you use the >> internal DNS server, > > Ok. And do you *need* both? > > >> everything else seems to work though, although I haven't tried >> turning the first DC off yet. > > Why? I mean, could you perhaps? Please? > >> >> Rowland >> >>> Ole >>> >>> >>> Am 17.12.2015 um 14:32 schrieb Rowland penny: >>>> On 17/12/15 12:50, Ole Traupe wrote: >>>>> >>>>> I somehow doubt that. Still it seems that no one here has an idea >>>>> of why log-on from member servers isn't working properly (for me). >>>>> However, in the meantime I have created all the necessary DNS >>>>> records. This can't be the issue anymore. >>>>> >>>>> >>>> >>>> If you are sure that you now have all the dns records for both DCs >>>> in AD, then I would agree that this is probably not the issue >>>> (there is just the 0.1% chance you are still missing something) >>>> >>>> Can your domain members find the DCs ? >>>> Do your domain members have a FQDN ? >>>> Are they joined to the domain ? >>>> What have got in smb.conf on the domain members ? 
>>>> >>>> You may have posted all or some of this before, but lets start again. >>>> >>>> Rowland >>>> >>> >>> >> >> > > I just disabled my DC that is listed as SOA in a production environment. I'm using the internal DNS. I have 6 DC's in total across 3 sites. Around 200+ users and 140+ workstations. Everything appears to be working as normal aside from my monitoring tools going crazy. No issues so far. I am not authenticating local users to my member server however. I will monitor for a awhile and see if anything creeps up or I start to get phone calls.. -- -James From rpenny at samba.org Thu Dec 17 15:21:57 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 17 Dec 2015 15:21:57 +0000 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672CAB4.6000003@tu-berlin.de> References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672CAB4.6000003@tu-berlin.de> Message-ID: <5672D315.4050501@samba.org> On 17/12/15 14:46, Ole Traupe wrote: > > > Am 17.12.2015 um 14:32 schrieb Rowland penny: >> On 17/12/15 12:50, Ole Traupe wrote: >>> >>> I somehow doubt that. Still it seems that no one here has an idea of >>> why log-on from member servers isn't working properly (for me). >>> However, in the meantime I have created all the necessary DNS >>> records. This can't be the issue anymore. >>> >>> >> >> If you are sure that you now have all the dns records for both DCs in >> AD, then I would agree that this is probably not the issue (there is >> just the 0.1% chance you are still missing something) >> >> Can your domain members find the DCs ? >> Do your domain members have a FQDN ? >> Are they joined to the domain ? >> What have got in smb.conf on the domain members ? >> >> You may have posted all or some of this before, but lets start again. >> >> Rowland >> > > Ok, there were still records missing (according to "samba_dnsupdate > --verbose"). 
> I added them manually, and now I get "No DNS updates needed" on both my DCs.
>
> Still/again: "kinit" takes more than a minute on member servers, and login via ssh is impossible now (times out eventually).
>
> Some questions:
>
> - what about that corrupted record I mentioned earlier, how can I get rid of it?

Have you tried using samba-tool ?

> - why does "samba_dnsupdate --verbose" on DC1 check records only against 1 instance (record from DC1), while the same command issued on DC2 checks records against both existing instances (records from DC1 and DC2)?

Don't know, if you understand python, you could try looking at the script.

> - why does the dns update fail in the first place?

I am not sure that it does fail. When you provision the first DC, all the required dns entries are added by the provision, but when you join a DC, a lot of the dns entries are only added by the samba_dnsupdate script and this is only run when you start samba on the newly joined DC. It does print a lot of error messages, but it seems to work anyway. If you check the dns on the first DC before starting the second, you will find missing dns entries, but these should be filled once the samba_dnsupdate script is run.

> will I have the same problem again with the next DC I set up?

Again, I am unsure why you are having the problems, so I do not know if you will have the same problems. If you have done something incorrectly and do this again when you join another DC, then you are likely to again have problems.

> - why do I still have the login problems?

Don't know, can you answer the questions I asked earlier.
Rowland > Ole > > From ole.traupe at tu-berlin.de Thu Dec 17 15:37:14 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 17 Dec 2015 16:37:14 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672D072.9010901@samba.org> References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> Message-ID: <5672D6AA.4070907@tu-berlin.de> Am 17.12.2015 um 16:10 schrieb Rowland penny: > On 17/12/15 14:56, Ole Traupe wrote: >> >> >> Am 17.12.2015 um 15:33 schrieb Rowland penny: >>> On 17/12/15 13:54, Ole Traupe wrote: >>>> Rowland, thank you, but before we do that: >>>> >>>> - what now with the 'gc' record? 2nd DC yes or no? >>> >>> Which one ? I have these: >>> >>> dn: >>> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >>> >>> dn: >>> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >>> >>> dn: >>> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >>> >>> dn: >>> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >>> >>> dn: >>> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >>> >>> They all contain two dnsrecords, one from each DC >>> >>>> - if you say that the internal DNS is not compatible with a >>>> multi-DC setting, than we can stop here, no? >>>> >>> >>> Please stop putting words in my mouth :-) >>> >>> All I said was that you will only get one NS record if you use the >>> internal DNS server, >> >> Ok. And do you *need* both? > > Not sure , but microsoft says you should have a SOA record for each DC > that runs DNS. SOA or NS? 
NS I have, SOA seems not possible. > >> >> >> >>> everything else seems to work though, although I haven't tried >>> turning the first DC off yet. >> >> Why? I mean, could you perhaps? Please? >> > > Probably, but not today, will do it as soon as possible. I would be more than happy about that! > > Rowland > > > > > From ole.traupe at tu-berlin.de Thu Dec 17 15:40:19 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 17 Dec 2015 16:40:19 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672D2DB.1010802@gmail.com> References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D2DB.1010802@gmail.com> Message-ID: <5672D763.3000601@tu-berlin.de> >>> >> >> > I just disabled my DC that is listed as SOA in a production > environment. I'm using the internal DNS. I have 6 DC's in total > across 3 sites. Around 200+ users and 140+ workstations. Everything > appears to be working as normal aside from my monitoring tools going > crazy. No issues so far. I am not authenticating local users to my > member server however. What exactly do you mean by that last sentence? > I will monitor for a awhile and see if anything creeps up or I start > to get phone calls.. > Thanks for the feedback! 
From rpenny at samba.org Thu Dec 17 15:48:50 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 17 Dec 2015 15:48:50 +0000 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672D6AA.4070907@tu-berlin.de> References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> Message-ID: <5672D962.6090308@samba.org> On 17/12/15 15:37, Ole Traupe wrote: > > > Am 17.12.2015 um 16:10 schrieb Rowland penny: >> On 17/12/15 14:56, Ole Traupe wrote: >>> >>> >>> Am 17.12.2015 um 15:33 schrieb Rowland penny: >>>> On 17/12/15 13:54, Ole Traupe wrote: >>>>> Rowland, thank you, but before we do that: >>>>> >>>>> - what now with the 'gc' record? 2nd DC yes or no? >>>> >>>> Which one ? I have these: >>>> >>>> dn: >>>> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >>>> >>>> dn: >>>> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >>>> >>>> dn: >>>> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >>>> >>>> dn: >>>> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >>>> >>>> dn: >>>> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >>>> >>>> They all contain two dnsrecords, one from each DC >>>> >>>>> - if you say that the internal DNS is not compatible with a >>>>> multi-DC setting, than we can stop here, no? >>>>> >>>> >>>> Please stop putting words in my mouth :-) >>>> >>>> All I said was that you will only get one NS record if you use the >>>> internal DNS server, >>> >>> Ok. And do you *need* both? 
>>
>> Not sure , but microsoft says you should have a SOA record for each DC that runs DNS.
>
> SOA or NS?
>
> NS I have, SOA seems not possible.

There is one SOA record in Samba AD, but it can hold the NS & A records for each DC (not sure about AAAA, I don't use ipv6). If you use the internal dns server, you only get one NS record returned and this is for the first DC. If you use Bind9, you get a different NS record from each DC i.e. each DC acts as if it is authoritative for the domain.

>>>> everything else seems to work though, although I haven't tried turning the first DC off yet.
>>>
>>> Why? I mean, could you perhaps? Please?
>>
>> Probably, but not today, will do it as soon as possible.
>
> I would be more than happy about that!

Will try it asap

Rowland

From ole.traupe at tu-berlin.de Thu Dec 17 15:48:40 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Thu, 17 Dec 2015 16:48:40 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5672D315.4050501@samba.org>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672CAB4.6000003@tu-berlin.de> <5672D315.4050501@samba.org>
Message-ID: <5672D958.6080903@tu-berlin.de>

On 17.12.2015 at 16:21 Rowland penny wrote:
> On 17/12/15 14:46, Ole Traupe wrote:
>> On 17.12.2015 at 14:32 Rowland penny wrote:
>>> On 17/12/15 12:50, Ole Traupe wrote:
>>>> I somehow doubt that. Still it seems that no one here has an idea of why log-on from member servers isn't working properly (for me). However, in the meantime I have created all the necessary DNS records. This can't be the issue anymore.
>>>
>>> If you are sure that you now have all the dns records for both DCs in AD, then I would agree that this is probably not the issue (there is just the 0.1% chance you are still missing something)
>>>
>>> Can your domain members find the DCs ?
>>> Do your domain members have a FQDN ?
>>> Are they joined to the domain ?
>>> What have you got in smb.conf on the domain members ?
>>>
>>> You may have posted all or some of this before, but let's start again.
>>>
>>> Rowland
>>
>> Ok, there were still records missing (according to "samba_dnsupdate --verbose"). I added them manually, and now I get "No DNS updates needed" on both my DCs.
>>
>> Still/again: "kinit" takes more than a minute on member servers, and login via ssh is impossible now (times out eventually).
>>
>> Some questions:
>>
>> - what about that corrupted record I mentioned earlier, how can I get rid of it?
>
> Have you tried using samba-tool ?

That's what I posted earlier:

"I accidentally created a record with a false port. I then updated the port but was afraid of any consequences. So I deleted that record again and wanted to re-create it. But I can't: "The record already exists." Although I can't see it in the gui. And I also can't delete it (EDIT: although this worked with the corresponding record for the 1st DC; so the command is ok):

# samba-tool dns delete DC1 _msdcs.my.domain.tld _ldap._tcp.gc._msdcs.my.domain.tld SRV "dc2.my.domain.tld 3268 0 100"
ERROR: Record does not exist

But it can be found with dig:

# dig @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28612
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.gc._msdcs.my.domain.tld. IN SRV

;; ANSWER SECTION:
_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 dc1.my.domain.tld.
_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 dc2.my.domain.tld.
;; Query time: 1 msec
;; SERVER: IP_of_1stDC#53(IP_of_1stDC)
;; WHEN: Thu Dec 17 13:28:06 2015
;; MSG SIZE rcvd: 103"

>> - why does "samba_dnsupdate --verbose" on DC1 check records only against 1 instance (record from DC1), while the same command issued on DC2 checks records against both existing instances (records from DC1 and DC2)?
>
> Don't know, if you understand python, you could try looking at the script.

Does it behave the same way on your 1st (one check) and 2nd DC (two checks)?

>> - why does the dns update fail in the first place?
>
> I am not sure that it does fail. When you provision the first DC, all the required dns entries are added by the provision, but when you join a DC, a lot of the dns entries are only added by the samba_dnsupdate script and this is only run when you start samba on the newly joined DC. It does print a lot of error messages, but it seems to work anyway. If you check the dns on the first DC before starting the second, you will find missing dns entries, but these should be filled once the samba_dnsupdate script is run.

And this is what is not happening here. I can't say whether it is run when samba restarts, but when run manually, it fails. That's why I created the records by hand.

>> will I have the same problem again with the next DC I set up?
>
> Again, I am unsure why you are having the problems, so I do not know if you will have the same problems. If you have done something incorrectly and do this again when you join another DC, then you are likely to again have problems.
>
>> - why do I still have the login problems?
>
> Don't know, can you answer the questions I asked earlier.
>
> Rowland
>
>> Ole

From lingpanda101 at gmail.com Thu Dec 17 16:08:30 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 17 Dec 2015 11:08:30 -0500
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5672D763.3000601@tu-berlin.de>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D2DB.1010802@gmail.com> <5672D763.3000601@tu-berlin.de>
Message-ID: <5672DDFE.3070202@gmail.com>

On 12/17/2015 10:40 AM, Ole Traupe wrote:
>> I just disabled my DC that is listed as SOA in a production environment. I'm using the internal DNS. I have 6 DC's in total across 3 sites. Around 200+ users and 140+ workstations. Everything appears to be working as normal aside from my monitoring tools going crazy. No issues so far. I am not authenticating local users to my member server however.
>
> What exactly do you mean by that last sentence?
>
>> I will monitor for a while and see if anything creeps up or I start to get phone calls..
>
> Thanks for the feedback!

Took about an hour but issues started happening. Windows workstations would spin on the welcome screen and not log in. Shares on a member server were inaccessible to users. Started the DC and everything came back up.

Sorry for my last sentence. I am not authenticating users who log in locally against AD for my domain member server.
-- -James From ole.traupe at tu-berlin.de Thu Dec 17 16:18:31 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 17 Dec 2015 17:18:31 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672D134.4010006@tu-berlin.de> References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D134.4010006@tu-berlin.de> Message-ID: <5672E057.1020805@tu-berlin.de> Am 17.12.2015 um 16:13 schrieb Ole Traupe: > Can *anyone* report that he/she has a fail-safe domain in the sense > that the first DC (FSMO role holder) can be offline and login still > works on Windows clients AND Linux member servers? > > Samba 4.2.5 (from source) > Internal DNS PS: No changes to the default site structure. > > Ole > > > Am 17.12.2015 um 15:56 schrieb Ole Traupe: >> >> >> Am 17.12.2015 um 15:33 schrieb Rowland penny: >>> On 17/12/15 13:54, Ole Traupe wrote: >>>> Rowland, thank you, but before we do that: >>>> >>>> - what now with the 'gc' record? 2nd DC yes or no? >>> >>> Which one ? I have these: >>> >>> dn: >>> DC=_gc._tcp.Default-First-Site-Name._sites,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >>> >>> dn: >>> DC=_gc._tcp,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >>> >>> dn: >>> DC=_ldap._tcp.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >>> >>> dn: >>> DC=_ldap._tcp.Default-First-Site-Name._sites.gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >>> >>> dn: >>> DC=gc,DC=_msdcs.samdom.example.com,CN=MicrosoftDNS,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >>> >>> They all contain two dnsrecords, one from each DC >>> >>>> - if you say that the internal DNS is not compatible with a >>>> multi-DC setting, than we can stop here, no? 
>>>> >>> >>> Please stop putting words in my mouth :-) >>> >>> All I said was that you will only get one NS record if you use the >>> internal DNS server, >> >> Ok. And do you *need* both? >> >> >>> everything else seems to work though, although I haven't tried >>> turning the first DC off yet. >> >> Why? I mean, could you perhaps? Please? >> >>> >>> Rowland >>> >>>> Ole >>>> >>>> >>>> Am 17.12.2015 um 14:32 schrieb Rowland penny: >>>>> On 17/12/15 12:50, Ole Traupe wrote: >>>>>> >>>>>> I somehow doubt that. Still it seems that no one here has an idea >>>>>> of why log-on from member servers isn't working properly (for >>>>>> me). However, in the meantime I have created all the necessary >>>>>> DNS records. This can't be the issue anymore. >>>>>> >>>>>> >>>>> >>>>> If you are sure that you now have all the dns records for both DCs >>>>> in AD, then I would agree that this is probably not the issue >>>>> (there is just the 0.1% chance you are still missing something) >>>>> >>>>> Can your domain members find the DCs ? >>>>> Do your domain members have a FQDN ? >>>>> Are they joined to the domain ? >>>>> What have got in smb.conf on the domain members ? >>>>> >>>>> You may have posted all or some of this before, but lets start again. >>>>> >>>>> Rowland >>>>> >>>> >>>> >>> >>> >> >> > > From nicolas.boisse at univ-lemans.fr Thu Dec 17 16:08:36 2015 From: nicolas.boisse at univ-lemans.fr (Nico) Date: Thu, 17 Dec 2015 08:08:36 -0800 (PST) Subject: [Samba] Samba 4.0.21 and Windows 10 In-Reply-To: References: <1450183783573-4695846.post@n4.nabble.com> Message-ID: <1450368516547-4695981.post@n4.nabble.com> No I have not seen this page :-( And NT1 protocol works indeed ! But NT1 is deprecated no ? And maybe less efficient for network rate transfer ? SMB2 and SMB3 protocols needs to have an Samba with AD ? 
Thanks for your help ;-)

From hat at fa2.so-net.ne.jp Thu Dec 17 16:14:25 2015
From: hat at fa2.so-net.ne.jp (HAT)
Date: Fri, 18 Dec 2015 01:14:25 +0900 (JST)
Subject: [Samba] vfs_fruit: xattr imcompatible with netatalk
In-Reply-To: <20150314.000413.89612630868608021.hat@fa2.so-net.ne.jp>
References: <20150311.233045.1229136848886583105.hat@fa2.so-net.ne.jp> <20150314.000413.89612630868608021.hat@fa2.so-net.ne.jp>
Message-ID: <20151218.011425.2015344679552890895.hat@fa2.so-net.ne.jp>

Hi,

>> not sure, but the colon in xattr names is probably not handled correctly at this point. Can you please file a bugreport so we can track this?
>
> Bug 11162
> https://bugzilla.samba.org/show_bug.cgi?id=11162

I tested samba 4.3.1 on Fedora 23 and rawhide.
The colon problem is not corrected yet.

$ getfattr Mew.txt
# file: Mew.txt
user.com.apple.TextEncoding
user.com.apple.metadatakMDItemFinderComment

$ rpm -qi samba
Name        : samba
Epoch       : 2
Version     : 4.3.1
Release     : 3.fc23
Architecture: x86_64
Install Date: Wed Nov 25 01:34:40 2015
Group       : System Environment/Daemons
Size        : 1900499
License     : GPLv3+ and LGPLv3+
Signature   : RSA/SHA256, Thu Nov 19 08:38:33 2015, Key ID 32474cf834ec9cba
Source RPM  : samba-4.3.1-3.fc23.src.rpm
Build Date  : Wed Nov 18 20:29:52 2015
Build Host  : buildvm-25.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.samba.org/
Summary     : Server and Client software to interoperate with Windows machines
Description :
Samba is the standard Windows interoperability suite of programs for Linux and Unix.

smb.conf:
vfs objects = catia fruit streams_xattr
fruit:locking = netatalk
streams_xattr:prefix = user.
streams_xattr:store_stream_type = no kernel oplocks = No -- HAT From ole.traupe at tu-berlin.de Thu Dec 17 16:44:21 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Thu, 17 Dec 2015 17:44:21 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <5672DDFE.3070202@gmail.com> References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D2DB.1010802@gmail.com> <5672D763.3000601@tu-berlin.de> <5672DDFE.3070202@gmail.com> Message-ID: <5672E665.6030305@tu-berlin.de> Am 17.12.2015 um 17:08 schrieb James: > On 12/17/2015 10:40 AM, Ole Traupe wrote: >> >>>>> >>>> >>>> >>> I just disabled my DC that is listed as SOA in a production >>> environment. I'm using the internal DNS. I have 6 DC's in total >>> across 3 sites. Around 200+ users and 140+ workstations. Everything >>> appears to be working as normal aside from my monitoring tools going >>> crazy. No issues so far. I am not authenticating local users to my >>> member server however. >> >> What exactly do you mean by that last sentence? >> >> >>> I will monitor for a awhile and see if anything creeps up or I start >>> to get phone calls.. >>> >> >> >> Thanks for the feedback! >> >> >> > Took about an an hour but issues starting happening. Windows > workstations would spin on the welcome screen and not log in. Shares > on a member server were inaccessible to users. Started the DC and > everything came back up. Hm, strange that it initially was no problem. > > Sorry for my last sentence. I am not authenticating users who log in > locally against AD for my domain member server. > You mean your users don't use domain accounts when they log on to member servers, but they use local linux users? 
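The SRV names Ole and Rowland are comparing above (the _gc._tcp, _ldap._tcp.gc._msdcs and site-specific entries, each of which should carry one record per DC) and the dig output Ole pasted are exactly the input a coverage check needs. What follows is an added example, not code from this thread or from the Samba project: it parses the ANSWER SECTION of dig output for SRV queries and reports which DC is missing from which name, plus any record that advertises a port other than the one the service uses, which is the "false port" mistake Ole described. The domain my.domain.tld, the site name, the required-name list and the dig text are all constructed for the example; the expected ports are the standard AD ones (389 LDAP, 88 Kerberos, 3268 Global Catalog).

```python
"""Audit AD SRV records for DC coverage and correct ports.

Added example; not code from the Samba project or from the list thread.
Input is the text of `dig ... SRV` (dig accepts several name/type pairs in
one invocation, so one run per DC can cover every name below).
"""
import re
from collections import defaultdict

# Domain and site are assumptions for the example. Each DC must appear under
# every name listed here, on the port that service listens on.
DOMAIN = "my.domain.tld"
SITE = "Default-First-Site-Name"
REQUIRED_PORTS = {
    f"_ldap._tcp.{DOMAIN}.": 389,
    f"_kerberos._tcp.{DOMAIN}.": 88,
    f"_gc._tcp.{DOMAIN}.": 3268,
    f"_ldap._tcp.gc._msdcs.{DOMAIN}.": 3268,
    f"_ldap._tcp.{SITE}._sites.{DOMAIN}.": 389,
}

# One SRV answer line as dig prints it: name TTL IN SRV prio weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_srv_answers(dig_output):
    """Return {name: [(prio, weight, port, target), ...]} from dig text.

    Only lines inside ';; ANSWER SECTION:' are used; ';;' status lines,
    ';'-prefixed question lines and blank lines are skipped.
    """
    records = defaultdict(list)
    in_answer = False
    for raw in dig_output.splitlines():
        line = raw.strip()
        if line.startswith(";;"):
            in_answer = line.startswith(";; ANSWER SECTION:")
            continue
        if not line or line.startswith(";") or not in_answer:
            continue
        m = SRV_LINE.match(line)
        if m is None:
            continue  # not an SRV answer (e.g. a CNAME) or unexpected layout
        records[m["name"].lower()].append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]),
             m["target"].lower().rstrip("."))
        )
    return dict(records)


def audit(records, expected_dcs, required_ports=REQUIRED_PORTS):
    """Report DCs absent from a required name and records with a wrong port."""
    expected = {dc.lower().rstrip(".") for dc in expected_dcs}
    missing, bad_port = {}, []
    for name, port in required_ports.items():
        rrs = records.get(name.lower(), [])
        gap = sorted(expected - {t for _, _, _, t in rrs})
        if gap:
            missing[name] = gap
        bad_port.extend((name, t, p) for _, _, p, t in rrs if p != port)
    return {"missing": missing, "bad_port": bad_port}


# Constructed dig output for two DCs: dc2 is absent from _gc._tcp and is
# registered with port 3269 instead of 3268 under the _msdcs GC name.
SAMPLE_DIG = """\
; <<>> DiG 9.8.2 <<>> @DC1 _ldap._tcp.my.domain.tld SRV
;; ANSWER SECTION:
_ldap._tcp.my.domain.tld. 180 IN SRV 0 100 389 dc1.my.domain.tld.
_ldap._tcp.my.domain.tld. 180 IN SRV 0 100 389 dc2.my.domain.tld.

;; Query time: 1 msec
;; ANSWER SECTION:
_kerberos._tcp.my.domain.tld. 180 IN SRV 0 100 88 dc1.my.domain.tld.
_kerberos._tcp.my.domain.tld. 180 IN SRV 0 100 88 dc2.my.domain.tld.
;; ANSWER SECTION:
_gc._tcp.my.domain.tld. 180 IN SRV 0 100 3268 dc1.my.domain.tld.
;; ANSWER SECTION:
_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 dc1.my.domain.tld.
_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3269 dc2.my.domain.tld.
;; ANSWER SECTION:
_ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. 180 IN SRV 0 100 389 dc1.my.domain.tld.
_ldap._tcp.Default-First-Site-Name._sites.my.domain.tld. 180 IN SRV 0 100 389 dc2.my.domain.tld.
"""


def main():
    report = audit(parse_srv_answers(SAMPLE_DIG),
                   ["dc1.my.domain.tld", "dc2.my.domain.tld"])
    for name, dcs in report["missing"].items():
        print(f"MISSING  {name}  no record for: {', '.join(dcs)}")
    for name, target, port in report["bad_port"]:
        print(f"BADPORT  {name}  {target} advertises {port}, "
              f"expected {REQUIRED_PORTS[name]}")
    if not report["missing"] and not report["bad_port"]:
        print("every DC is registered on every required SRV name")


if __name__ == "__main__":
    main()
```

Running the same audit against each DC's own DNS server (dig @DC1 and dig @DC2) shows whether both servers return the same answer set, which is what the samba_dnsupdate output on the two DCs above appears to disagree about; a DC that is missing under a name is the record the script should have added when that DC was joined.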
From drescherjm at gmail.com Thu Dec 17 16:44:57 2015 From: drescherjm at gmail.com (John Drescher) Date: Thu, 17 Dec 2015 11:44:57 -0500 Subject: [Samba] Samba 4.0.21 and Windows 10 In-Reply-To: <1450368516547-4695981.post@n4.nabble.com> References: <1450183783573-4695846.post@n4.nabble.com> <1450368516547-4695981.post@n4.nabble.com> Message-ID: > No I have not seen this page :-( And NT1 protocol works indeed ! > > But NT1 is deprecated no ? And maybe less efficient for network rate > transfer ? SMB2 and SMB3 protocols needs to have an Samba with AD ? > Just do that for your PDC and BDCs. Your fileservers can be SMB3. That is what I do at work. John From h.reindl at thelounge.net Thu Dec 17 16:49:05 2015 From: h.reindl at thelounge.net (Reindl Harald) Date: Thu, 17 Dec 2015 17:49:05 +0100 Subject: [Samba] vfs_fruit: xattr imcompatible with netatalk In-Reply-To: <20151218.011425.2015344679552890895.hat@fa2.so-net.ne.jp> References: <20150311.233045.1229136848886583105.hat@fa2.so-net.ne.jp> <20150314.000413.89612630868608021.hat@fa2.so-net.ne.jp> <20151218.011425.2015344679552890895.hat@fa2.so-net.ne.jp> Message-ID: <5672E781.8050608@thelounge.net> Am 17.12.2015 um 17:14 schrieb HAT: >>> not sure, but the colon in xattr names is probably not handled >>> correctly at this point. Can you please file a bugreport so we can >>> track this? >> >> Bug 11162 >> https://bugzilla.samba.org/show_bug.cgi?id=11162 > > I tested samba 4.3.1 on Fedora 23 and rawhide. > The colon problem is not corrected yet. > > $ getfattr Mew.txt > # file: Mew.txt > user.com.apple.TextEncoding > user.com.apple.metadatakMDItemFinderComment > > smb.conf: > vfs objects = catia fruit streams_xattr > fruit:locking = netatalk > streams_xattr:prefix = user. 
> streams_xattr:store_stream_type = no
> kernel oplocks = No

ouch - sounds like we should wait with replacing netatalk completely with samba without losing any attributes and resource forks

From lingpanda101 at gmail.com Thu Dec 17 17:01:33 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 17 Dec 2015 12:01:33 -0500
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5672E665.6030305@tu-berlin.de>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D2DB.1010802@gmail.com> <5672D763.3000601@tu-berlin.de> <5672DDFE.3070202@gmail.com> <5672E665.6030305@tu-berlin.de>
Message-ID: <5672EA6D.5040200@gmail.com>

On 12/17/2015 11:44 AM, Ole Traupe wrote:
> On 17.12.2015 at 17:08 James wrote:
>> On 12/17/2015 10:40 AM, Ole Traupe wrote:
>>>> I just disabled my DC that is listed as SOA in a production environment. I'm using the internal DNS. I have 6 DC's in total across 3 sites. Around 200+ users and 140+ workstations. Everything appears to be working as normal aside from my monitoring tools going crazy. No issues so far. I am not authenticating local users to my member server however.
>>>
>>> What exactly do you mean by that last sentence?
>>>
>>>> I will monitor for a while and see if anything creeps up or I start to get phone calls..
>>>
>>> Thanks for the feedback!
>>
>> Took about an hour but issues started happening. Windows workstations would spin on the welcome screen and not log in. Shares on a member server were inaccessible to users. Started the DC and everything came back up.
> > Hm, strange that it initially was no problem. > > >> >> Sorry for my last sentence. I am not authenticating users who log in >> locally against AD for my domain member server. >> > > You mean your users don't use domain accounts when they log on to > member servers, but they use local linux users? > > > Correct on my member server. -- -James From rb at sernet.de Thu Dec 17 17:05:33 2015 From: rb at sernet.de (Ralph Boehme) Date: Thu, 17 Dec 2015 18:05:33 +0100 Subject: [Samba] vfs_fruit: xattr imcompatible with netatalk In-Reply-To: <20151218.011425.2015344679552890895.hat@fa2.so-net.ne.jp> References: <20150311.233045.1229136848886583105.hat@fa2.so-net.ne.jp> <20150314.000413.89612630868608021.hat@fa2.so-net.ne.jp> <20151218.011425.2015344679552890895.hat@fa2.so-net.ne.jp> Message-ID: <20151217170533.GA6159@sernet.sernet.private> On Fri, Dec 18, 2015 at 01:14:25AM +0900, HAT wrote: > Hi, > > >> not sure, but the colon in xattr names is probably not handled > >> correctly at this point. Can you please file a bugreport so we can > >> track this? > > > > Bug 11162 > > https://bugzilla.samba.org/show_bug.cgi?id=11162 > > I tested samba 4.3.1 on Fedora 23 and rawhide. > The colon problem is not corrected yet. 
>
> $ getfattr Mew.txt
> # file: Mew.txt
> user.com.apple.TextEncoding
> user.com.apple.metadatakMDItemFinderComment
>
> $ rpm -qi samba
> Name        : samba
> Epoch       : 2
> Version     : 4.3.1
> Release     : 3.fc23
> Architecture: x86_64
> Install Date: Wed Nov 25 01:34:40 2015
> Group       : System Environment/Daemons
> Size        : 1900499
> License     : GPLv3+ and LGPLv3+
> Signature   : RSA/SHA256, Thu Nov 19 08:38:33 2015, Key ID 32474cf834ec9cba
> Source RPM  : samba-4.3.1-3.fc23.src.rpm
> Build Date  : Wed Nov 18 20:29:52 2015
> Build Host  : buildvm-25.phx2.fedoraproject.org
> Relocations : (not relocatable)
> Packager    : Fedora Project
> Vendor      : Fedora Project
> URL         : http://www.samba.org/
> Summary     : Server and Client software to interoperate with Windows machines
> Description :
> Samba is the standard Windows interoperability suite of programs for Linux and Unix.
>
> smb.conf:
> vfs objects = catia fruit streams_xattr
> fruit:locking = netatalk
> streams_xattr:prefix = user.
> streams_xattr:store_stream_type = no
> kernel oplocks = No

iirc you need fruit:encoding = native

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de,mailto:kontakt at sernet.de

From hat at fa2.so-net.ne.jp Thu Dec 17 17:20:54 2015
From: hat at fa2.so-net.ne.jp (HAT)
Date: Fri, 18 Dec 2015 02:20:54 +0900 (JST)
Subject: [Samba] vfs_fruit: xattr imcompatible with netatalk
In-Reply-To: <20151217170533.GA6159@sernet.sernet.private>
References: <20150314.000413.89612630868608021.hat@fa2.so-net.ne.jp> <20151218.011425.2015344679552890895.hat@fa2.so-net.ne.jp> <20151217170533.GA6159@sernet.sernet.private>
Message-ID: <20151218.022054.912311642197468250.hat@fa2.so-net.ne.jp>

Thu, 17 Dec 2015 18:05:33 +0100, Ralph Boehme :
> iirc you need fruit:encoding = native

Solved. Thanks!
I'm looking forward to netatalk 3.1.8.
$ getfattr Mew.txt
# file: Mew.txt
user.com.apple.TextEncoding
user.com.apple.metadata:kMDItemFinderComment

smb.conf:
vfs objects = catia fruit streams_xattr
fruit:locking = netatalk
fruit:encoding = native
streams_xattr:prefix = user.
streams_xattr:store_stream_type = no
kernel oplocks = No

--
HAT

From rpenny at samba.org Thu Dec 17 17:30:37 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 17 Dec 2015 17:30:37 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5672EA6D.5040200@gmail.com>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D2DB.1010802@gmail.com> <5672D763.3000601@tu-berlin.de> <5672DDFE.3070202@gmail.com> <5672E665.6030305@tu-berlin.de> <5672EA6D.5040200@gmail.com>
Message-ID: <5672F13D.9000204@samba.org>

On 17/12/15 17:01, James wrote:
>> You mean your users don't use domain accounts when they log on to member servers, but they use local linux users?
>
> Correct on my member server.

Then they are *not* domain users

From rb at sernet.de Thu Dec 17 17:44:40 2015
From: rb at sernet.de (Ralph Boehme)
Date: Thu, 17 Dec 2015 18:44:40 +0100
Subject: [Samba] vfs_fruit: xattr imcompatible with netatalk
In-Reply-To: <20151218.022054.912311642197468250.hat@fa2.so-net.ne.jp>
References: <20150314.000413.89612630868608021.hat@fa2.so-net.ne.jp> <20151218.011425.2015344679552890895.hat@fa2.so-net.ne.jp> <20151217170533.GA6159@sernet.sernet.private> <20151218.022054.912311642197468250.hat@fa2.so-net.ne.jp>
Message-ID: <20151217174440.GA8610@sernet.sernet.private>

On Fri, Dec 18, 2015 at 02:20:54AM +0900, HAT wrote:
> Thu, 17 Dec 2015 18:05:33 +0100, Ralph Boehme :
> > iirc you need fruit:encoding = native
>
> Solved. Thanks!
> I'm looking forward to netatalk 3.1.8.
>
> $ getfattr Mew.txt
> # file: Mew.txt
> user.com.apple.TextEncoding
> user.com.apple.metadata:kMDItemFinderComment
>
> smb.conf:
> vfs objects = catia fruit streams_xattr
> fruit:locking = netatalk
> fruit:encoding = native
> streams_xattr:prefix = user.
> streams_xattr:store_stream_type = no

ahhhhhhh, so many options. Sorry about that! :(

Cheerio!
-slow

From hat at fa2.so-net.ne.jp Thu Dec 17 17:57:44 2015
From: hat at fa2.so-net.ne.jp (HAT)
Date: Fri, 18 Dec 2015 02:57:44 +0900 (JST)
Subject: [Samba] vfs_fruit: mangled if last char is dot
References: <20151217174440.GA8610@sernet.sernet.private>
Message-ID: <20151218.025744.1394071191547701596.hat@fa2.so-net.ne.jp>

vfs_fruit and Netatalk are still incompatible when last char is dot.

On OS X:

$ cd /Volumes/NetatalkVol/
$ ls
abc.txt.

$ cd /Volumes/SambaVol/
$ ls
AL3JQG~9

vfs_fruit should convert last dot to 0xf029.

--
HAT

From lingpanda101 at gmail.com Thu Dec 17 18:39:43 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 17 Dec 2015 13:39:43 -0500
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5672F13D.9000204@samba.org>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D2DB.1010802@gmail.com> <5672D763.3000601@tu-berlin.de> <5672DDFE.3070202@gmail.com> <5672E665.6030305@tu-berlin.de> <5672EA6D.5040200@gmail.com> <5672F13D.9000204@samba.org>
Message-ID: <5673016F.2010609@gmail.com>

On 12/17/2015 12:30 PM, Rowland penny wrote:
> On 17/12/15 17:01, James wrote:
>>> You mean your users don't use domain accounts when they log on to member servers, but they use local linux users?
>>
>> Correct on my member server.
>>
>
> Then they are *not* domain users
>

Yes. Sorry for the lack of clarity. Wireshark traces show my workstation using my other DC to authenticate and log in with when one is down. Event logs for windows workstations that had issues had Event 5719 and 1014. These workstations are portable. I'm thinking a latency issue with DNS resolve?

Looking into my DNS cache and resolver times led me to something interesting. I flushed my dns cache on a windows workstation. Switched user and viewed my cache again. It showed the following.

_ldap._tcp.default-first-site-name._sites.dc2.domain.local
---------------------------------------------------------------------------------
Name does not exist.

_ldap.tcp.dc2.domain.local
------------------------------------------
Name does not exist.

A nslookup for _ldap._tcp.domain.local does display all my DC's.

--
-James

From rb at sernet.de Thu Dec 17 18:45:19 2015
From: rb at sernet.de (Ralph Boehme)
Date: Thu, 17 Dec 2015 19:45:19 +0100
Subject: [Samba] vfs_fruit: mangled if last char is dot
In-Reply-To: <20151218.025744.1394071191547701596.hat@fa2.so-net.ne.jp>
References: <20151217174440.GA8610@sernet.sernet.private> <20151218.025744.1394071191547701596.hat@fa2.so-net.ne.jp>
Message-ID: <20151217184519.GA9805@sernet.sernet.private>

On Fri, Dec 18, 2015 at 02:57:44AM +0900, HAT wrote:
> vfs_fruit and Netatalk are still incompatible when last char is dot.
>
> On OS X:
>
> $ cd /Volumes/NetatalkVol/
> $ ls
> abc.txt.
>
> $ cd /Volumes/SambaVol/
> $ ls
> AL3JQG~9
>
> vfs_fruit should convert last dot to 0xf029.
>

https://bugzilla.samba.org/show_bug.cgi?id=11206

Cheerio!
-slow

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

From tabolin at speechpro.com Thu Dec 17 18:53:09 2015
From: tabolin at speechpro.com (Таболин Юрий)
Date: Thu, 17 Dec 2015 21:53:09 +0300
Subject: [Samba] samba4 schema for openldap
In-Reply-To: <5671D744.5030401@samba.org>
References: <5671B52C.9000804@speechpro.com> <5671BCFA.2020001@samba.org> <5671BFC8.4090509@samba.org> <5671CC38.5050200@speechpro.com> <5671D744.5030401@samba.org>
Message-ID: <56730495.2060607@speechpro.com>

On 17.12.2015 0:27, Rowland penny wrote:
> On 16/12/15 20:40, Таболин Юрий wrote:
>> On 16.12.2015 22:47, Rowland penny wrote:
>>> On 16/12/15 19:35, Rowland penny wrote:
>>>> On 16/12/15 19:02, Таболин Юрий wrote:
>>>>> Hi all.
>>>>>
>>>>> I have samba 4.2.3 on freebsd 10.1 server. There are three DC and
>>>>> about 350 PC on domain. I wrote earlier that samba4 ldap
>>>>> performance is not enough for me. Now I want to try a server in
>>>>> the middle with openldap pcache - ldap cache proxy function. But
>>>>> it only works with appropriate openldap schema. Where I can find
>>>>> samba4 openldap schema? I'm going to cache simple queries such as
>>>>>
>>>>> (&(objectClass=user)(sAMAccountName=username))
>>>>>
>>>>> I will have enough and the simplified schema. Thanks!
>>>>>
>>>>
>>>> Not sure there is one, there is some work going on to get samba4
>>>> working with LDAP instead of the builtin ldap server, but it has
>>>> gone quiet lately, not this means anything really. I understand
>>>> that initially, Samba tried to use LDAP but could not get it to
>>>> work, so had to go with their own built in ldap server. If you want
>>>> to attempt something, you could do worse than looking in the setup
>>>> directory that samba installs.
>>>>
>>>> Rowland
>>>>
>>>
>>> And then after I posted. I thought, I wonder if he didn't actually
>>> mean the AD schema, so did a quick google and within 10 seconds I
>>> found this: https://haroonferoze.wordpress.com/2012/11/26/openldap/
>>>
>>> Rowland
>>>
>> I have seen this article earlier, but there is setup only proxy
>> without cache. Similar instructions here
>> https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD . That's not
>> what I need.
>>
>
> OK, a bit more googling, turned this up, but it in japanese:
> http://www.hanabusa.net/intra/ldapcache.html
>

Big thanks! It helps me very much. I don't understand japanese, but there is a link to ad.schema file. I have done some modifications on it and it works for me.

--
With best regards,
Tabolin Yuriy
System administrator
Speech Technology Center

From rpenny at samba.org Thu Dec 17 19:01:19 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 17 Dec 2015 19:01:19 +0000
Subject: [Samba] samba4 schema for openldap
In-Reply-To: <56730495.2060607@speechpro.com>
References: <5671B52C.9000804@speechpro.com> <5671BCFA.2020001@samba.org> <5671BFC8.4090509@samba.org> <5671CC38.5050200@speechpro.com> <5671D744.5030401@samba.org> <56730495.2060607@speechpro.com>
Message-ID: <5673067F.2060108@samba.org>

On 17/12/15 18:53, Таболин Юрий wrote:
> On 17.12.2015 0:27, Rowland penny wrote:
>> OK, a bit more googling, turned this up, but it in japanese:
>> http://www.hanabusa.net/intra/ldapcache.html
>>
>
> Big thanks! It helps me very much. I don't understand japanese, but
> there is a link to ad.schema file. I have done some modifications on
> it and it works for me.
>

I had a 'play' with it and yes it does seem to work, though I had to source some extra info elsewhere.
Fairly typical for online howtos :-)

Rowland

From tabolin at speechpro.com Thu Dec 17 19:25:19 2015
From: tabolin at speechpro.com (Таболин Юрий)
Date: Thu, 17 Dec 2015 22:25:19 +0300
Subject: [Samba] samba4 schema for openldap
In-Reply-To:
References: <5671B52C.9000804@speechpro.com> <5671BCFA.2020001@samba.org> <5671BFC8.4090509@samba.org> <5671CC38.5050200@speechpro.com>
Message-ID: <56730C1F.5050309@speechpro.com>

On 17.12.2015 0:28, Nigel W wrote:
> Assuming the DNS for the site is setup correctly, the srv records should be
> evenly spreading the load among the servers on the site that the client is
> on.
>
> With Windows based domain the answer to this question is either fix your
> ldap client to use the SRV records and not use only the DC with the PDC
> Emulator role, or add more DCs to the site. I would assume the answer is
> the same for a Samba domain.
>
> Though I would be interested in understanding how the OP came to the
> conclusion that they need to cache the LDAP queries.
>
> Thanks,

I have many services which use only ldap for authentication. There I must specify only A dns records of my ldap DC servers. In times of peak load DCs can't handle the load. Openldap proxy allows to cache simple requests and reduce load to DCs. For example the ldap search filter (&(objectClass=user)(sAMAccountName=)).

Measured in apache jmeter:

openldap - 1075.8 requests/sec
samba ldap - 30.3 req/sec
openldap proxy to samba (from cache) - 391.6 req/sec

> On Wed, Dec 16, 2015 at 1:54 PM, Lee Brown wrote:
>
>> On Wed, Dec 16, 2015 at 12:40 PM, Таболин Юрий wrote:
>>
>> Would using HAProxy to spread the load across the 3 DC's help at all?
>>

--
With best regards,
Tabolin Yuriy
System administrator
Speech Technology Center

From rpenny at samba.org Fri Dec 18 09:44:32 2015
From: rpenny at samba.org (Rowland penny)
Date: Fri, 18 Dec 2015 09:44:32 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5672D6AA.4070907@tu-berlin.de>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de>
Message-ID: <5673D580.3060306@samba.org>

On 17/12/15 15:37, Ole Traupe wrote:
>>>> everything else seems to work though, although I haven't tried
>>>> turning the first DC off yet.
>>>
>>> Why? I mean, could you perhaps? Please?
>>>
>>
>> Probably, but not today, will do it as soon as possible.
>
> I would be more than happy about that!
>

OK, before I did anything else this morning, I started up my test domain. Note that this domain only existed to try and find out why the second DC didn't have a NS record in the SOA and uses the internal dns.

Both of the DCs have the relevant line in the hosts file:

root at testdc1:~# nano /etc/hosts

127.0.0.1 localhost
192.168.0.240 testdc1.home.lan testdc1

root at testdc2:~# nano /etc/hosts

127.0.0.1 localhost
192.168.0.241 testdc2.home.lan testdc2

Both of the DCs point to each other as their nameserver:

root at testdc1:~# nano /etc/resolv.conf

search home.lan
nameserver 192.168.0.241
nameserver 192.168.0.240

root at testdc2:~# nano /etc/resolv.conf

search home.lan
nameserver 192.168.0.240
nameserver 192.168.0.241

If I examine the SOA record in AD I find this:

dn: DC=@,DC=home.lan,CN=MicrosoftDNS,DC=DomainDnsZones,DC=home,DC=lan
.....................
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x003f (63)
    wType        : DNS_TYPE_SOA (6)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x0000006e (110)
    dwTtlSeconds : 0x00000e10 (3600)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00000000 (0)
    data         : union dnsRecordData(case 6)
    soa: struct dnsp_soa
        serial  : 0x00000001 (1)
        refresh : 0x00000384 (900)
        retry   : 0x00000258 (600)
        expire  : 0x00015180 (86400)
        minimum : 0x00000e10 (3600)
        mname   : testdc1.home.lan
        rname   : hostmaster.home.lan

dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x0014 (20)
    wType        : DNS_TYPE_NS (2)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x0000006e (110)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00000000 (0)
    data         : union dnsRecordData(case 2)
    ns           : testdc1.home.lan

dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x0014 (20)
    wType        : DNS_TYPE_NS (2)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x0000006e (110)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00000000 (0)
    data         : union dnsRecordData(case 2)
    ns           : testdc2.home.lan

dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x0004 (4)
    wType        : DNS_TYPE_A (1)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x0000006e (110)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00000000 (0)
    data         : union dnsRecordData(case 1)
    ipv4         : 192.168.0.240

dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x0004 (4)
    wType        : DNS_TYPE_A (1)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x0000006e (110)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00000000 (0)
    data         : union dnsRecordData(case 1)
    ipv4         : 192.168.0.241

So, as you can see both the DCs have their NS & A records in the SOA

If I then run nslookup on both machines, I get this:

root at testdc1:~# nslookup
> set querytype=soa
> home.lan
Server:  192.168.0.241
Address: 192.168.0.241#53

home.lan
    origin = testdc1.home.lan
    mail addr = hostmaster.home.lan
    serial = 1
    refresh = 900
    retry = 600
    expire = 86400
    minimum = 3600
> exit

root at testdc2:~# nslookup
> set querytype=soa
> home.lan
Server:  192.168.0.240
Address: 192.168.0.240#53

home.lan
    origin = testdc1.home.lan
    mail addr = hostmaster.home.lan
    serial = 1
    refresh = 900
    retry = 600
    expire = 86400
    minimum = 3600
> exit

As you can see, only the first DC is shown as the NS for the SOA, what happens if we turn off the first DC?

We get this:

root at testdc2:~# nslookup
> set querytype=soa
> home.lan
Server:  192.168.0.241
Address: 192.168.0.241#53

home.lan
    origin = testdc1.home.lan
    mail addr = hostmaster.home.lan
    serial = 1
    refresh = 900
    retry = 600
    expire = 86400
    minimum = 3600
> exit

The second DC is now using itself as its nameserver, but still gives the first DC as the NS

This is totally different from what is returned if you use Bind9:

Similar setup, only the names & ipaddresses have changed:

root at dc1:~# nslookup
> set querytype=soa
> samdom.example.com
Server:  192.168.0.6
Address: 192.168.0.6#53

samdom.example.com
    origin = dc2.samdom.example.com
    mail addr = hostmaster.samdom.example.com
    serial = 101
    refresh = 900
    retry = 600
    expire = 86400
    minimum = 3600
> exit

root at dc2:~# nslookup
> set querytype=soa
> samdom.example.com
Server:  192.168.0.5
Address: 192.168.0.5#53

samdom.example.com
    origin = dc1.samdom.example.com
    mail addr = hostmaster.samdom.example.com
    serial = 101
    refresh = 900
    retry = 600
    expire = 86400
    minimum = 3600
> exit

Here, each DC shows the other as being the NS, so what happens if we turn off the first DC?
root at dc2:~# nslookup
> set querytype=soa
> samdom.example.com
Server:  192.168.0.6
Address: 192.168.0.6#53

samdom.example.com
    origin = dc2.samdom.example.com
    mail addr = hostmaster.samdom.example.com
    serial = 101
    refresh = 900
    retry = 600
    expire = 86400
    minimum = 3600
> exit

Now the second DC shows itself as being the NS.

It seems that the internal dns server works very differently from Bind9.

Conclusions? From my very limited testing, it would seem that, whilst it will work if you use multiple DCs running the internal dns servers, it would probably be better to use Bind9 instead.

Rowland

From ole.traupe at tu-berlin.de Fri Dec 18 11:19:48 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Fri, 18 Dec 2015 12:19:48 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5673D580.3060306@samba.org>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org>
Message-ID: <5673EBD4.5040308@tu-berlin.de>

Hi Rowland,

I am very thankful that you take the time and test all this!

Before I go and check if this is the same with my setup and possibly the problem, could you perhaps try a logon to a member server, while the 1st DC is unavailable?

From my understanding of your post I take it, you will have the same problem. But then, my understanding is limited.

However, if you DO have the same problem, and my understanding is correct, then the internal DNS of Samba is clearly *broken* and needs fixing!

Also I would like to state then, that I am somewhat disappointed. I have spent weeks (if not months) to get my domain running as it is now, only to find out that I will have no good sleep with it. Sorry to be so blunt.
Ole

On 18.12.2015 at 10:44, Rowland penny wrote:
> On 17/12/15 15:37, Ole Traupe wrote:
>> I would be more than happy about that!
>>
>
> OK, before I did anything else this morning, I started up my test
> domain. Note that this domain only existed to try and find out why the
> second DC didn't have a NS record in the SOA and uses the internal dns.
>
> Conclusions? From my very limited testing, it would seem that, whilst
> it will work if you use multiple DCs running the internal dns servers,
> it would probably be better to use Bind9 instead.
>
> Rowland
>

From rpenny at samba.org Fri Dec 18 11:30:24 2015
From: rpenny at samba.org (Rowland penny)
Date: Fri, 18 Dec 2015 11:30:24 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5673EBD4.5040308@tu-berlin.de>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de>
Message-ID: <5673EE50.4080808@samba.org>

On 18/12/15 11:19, Ole Traupe wrote:
> Hi Rowland,
>
> I am very thankful that you take the time and test all this!

No problem.

>
> Before I go and check if this is the same with my setup and possibly
> the problem, could you perhaps try a logon to a member server, while
> the 1st DC is unavailable?

Ah, slight problem there, as I said, this is just a couple of test DCs and there are no test domain members, you will have to bear with me whilst I create one.

Rowland

>
> From my understanding of your post I take it, you will have the same
> problem. But then, my understanding is limited.
>
> However, if you DO have the same problem, and my understanding is
> correct, then the internal DNS of Samba is clearly *broken* and needs
> fixing!
>
> Also I would like to state then, that I am somewhat disappointed. I
> have spent weeks (if not months) to get my domain running as it is
> now, only to find out that I will have no good sleep with it. Sorry to
> be so blunt.
>
> Ole
>

From ole.traupe at tu-berlin.de Fri Dec 18 12:07:09 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Fri, 18 Dec 2015 13:07:09 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5673EE50.4080808@samba.org>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org>
Message-ID: <5673F6ED.9090209@tu-berlin.de>

On 18.12.2015 at 12:30, Rowland penny wrote:
> On 18/12/15 11:19, Ole Traupe wrote:
>> Hi Rowland,
>>
>> I am very thankful that you take the time and test all this!
>
> No problem.
>
>>
>> Before I go and check if this is the same with my setup and possibly
>> the problem, could you perhaps try a logon to a member server, while
>> the 1st DC is unavailable?
>
> Ah, slight problem there, as I said, this is just a couple of test DCs
> and there are no test domain members, you will have to bear with me
> whilst I create one.

I would be very grateful, and I guess many others too.

I heard from many sides that you should really only use bind9 in case you plan a more complicated setup. Until now I thought that having 2 DCs wasn't considered as such.

>
> Rowland
>
From ole.traupe at tu-berlin.de Fri Dec 18 12:44:27 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Fri, 18 Dec 2015 13:44:27 +0100
Subject: [Samba] How to delete a corrupt record from internal DNS
Message-ID: <5673FFAB.6050004@tu-berlin.de>

I accidentally created a SRV record with a false port. I then updated the port but was afraid of any consequences. So I deleted that record again and wanted to re-create it. But now I can't: "The record already exists."

Observations:

1) I can't see it in the RSAT DNS gui, so I can't delete it there.

2) I also can't delete it via samba-tool (although I could delete its counterpart for the other DC; so the command is ok):

# samba-tool dns delete DC1 _msdcs.my.domain.tld _ldap._tcp.gc._msdcs.my.domain.tld SRV "dc2.my.domain.tld 3268 0 100"
ERROR: Record does not exist

3) However, it can be found with dig:

# dig @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.4 <<>> @DC1 _ldap._tcp.gc._msdcs.my.domain.tld SRV
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28612
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.gc._msdcs.my.domain.tld. IN SRV

;; ANSWER SECTION:
_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 dc1.my.domain.tld.
_ldap._tcp.gc._msdcs.my.domain.tld. 180 IN SRV 0 100 3268 dc2.my.domain.tld.
;; Query time: 1 msec
;; SERVER: IP_of_1stDC#53(IP_of_1stDC)
;; WHEN: Thu Dec 17 13:28:06 2015
;; MSG SIZE rcvd: 103

So, how do I get rid of this problematic record for my DC2?

From belle at bazuin.nl Fri Dec 18 12:50:33 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Fri, 18 Dec 2015 13:50:33 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5673F6ED.9090209@tu-berlin.de>
References: <5673EE50.4080808@samba.org>
Message-ID:

Ole,

> >> Also I would like to state then, that I am somewhat disappointed. I
> >> have spent weeks (if not months) to get my domain running as it is
> >> now, only to find out that I will have no good sleep with it. Sorry
> >> to be so blunt.

Just months.. my testing period was about 1 year! ok i have a complex network and extra things to account for and this was all done, while doing my normal work...

Really try this.

Go here: https://secure.bazuin.nl/scripts

Install a clean debian jessie. select only ssh server at package selection, (optional base packages wont have negative impact on the scripts, just your server performance.

Get these (wget --no-check-certificate .. )
https://secure.bazuin.nl/scripts/0-setup-apt-debian.sh
https://secure.bazuin.nl/scripts/1-tools.sh
https://secure.bazuin.nl/scripts/2-setup-network-hostname.sh
https://secure.bazuin.nl/scripts/3-setup-ssh-debian.sh
https://secure.bazuin.nl/scripts/4-jessie-samba-DC.sh

Configure the scripts and run them in order. In the end you have a good working samba ad dc. You can use it also to join a Samba AD.

Give it a try, most problems you have are from a; wrong change/broken DC/installed new DC with old ip/ etc. Many things here can be a case of your problems.

You spent weeks, months on a problem, and you learn from it, so now you're production ready. ;-)

And if your server is in production, use the script to join a DC. Seize the FSMO roles, and remove the old. And NEVER!!! Use the samba server name/IP when you change a DC. And if you really need the old name, which for a DC should not be needed. Add a CNAME in the dns with the oldname.

And don't configure things based on ip address and always based on names, keeps you flexible to change things without damaging other things. .. yes... i learned the hardway also. ;-) know what you're talking about..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Friday 18 December 2015 13:07
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
> I would be very grateful, and I guess many others too.
>
> I heard from many sides that you should really only use bind9 in case
> you plan a more complicated setup. Until now I thought that having 2 DCs
> wasn't considered as such.
>

From gimili17 at gmail.com Fri Dec 18 13:07:17 2015
From: gimili17 at gmail.com (gimili)
Date: Fri, 18 Dec 2015 08:07:17 -0500
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To: <56712E17.5000208@gmail.com>
References: <56712E17.5000208@gmail.com>
Message-ID: <56740505.2010006@gmail.com>

On 12/16/2015 4:25 AM, Daniel Carrasco Marín wrote:
> Hi again, i've restarted my server to check if fails and is working
> fine. My specifications are:
>
> - Debian 8u6 jessie 3.16.0-4-amd64
> - Samba version 4.2.5-SerNet-Debian-8.jessie
> - DNS Backend Bind

Thanks. Good to know. I may just start again from scratch. Probably I missed something.

--
gimili

From gimili17 at gmail.com Fri Dec 18 13:10:11 2015
From: gimili17 at gmail.com (gimili)
Date: Fri, 18 Dec 2015 08:10:11 -0500
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To: <5670681E.1020208@samba.org>
References: <566C492B.6070205@samba.org> <56705C80.9010909@gmail.com> <5670681E.1020208@samba.org>
Message-ID: <567405B3.9010808@gmail.com>

On 12/15/2015 2:21 PM, Rowland penny wrote:
> Could you post the smb.conf from the DC?
>
> Rowland

# Global parameters
[global]
        workgroup = AD
        realm = AD.MYCOMPANY.ORG
        netbios name = BOB
        server role = active directory domain controller
        dns forwarder = 192.168.10.13
        idmap_ldb:use rfc2307 = yes
        logon script = logon.bat
        interfaces = lo eth0
        bind interfaces only = true

[netlogon]
        path = /var/lib/samba/sysvol/ad.mycompany.org/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

--
gimili

From gimili17 at gmail.com Fri Dec 18 13:16:45 2015
From: gimili17 at gmail.com (gimili)
Date: Fri, 18 Dec 2015 08:16:45 -0500
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To: <5670706E.20806@orniz.org>
References: <566C492B.6070205@samba.org> <56705C80.9010909@gmail.com> <5670681E.1020208@samba.org> <5670703C.5020107@orniz.org> <5670706E.20806@orniz.org>
Message-ID: <5674073D.5060609@gmail.com>

On 12/15/2015 2:56 PM, Sébastien Le Ray wrote:
>
>
> On 15/12/2015 20:55, Sébastien Le Ray wrote:
>>
>>
>> On 15/12/2015 20:21, Rowland penny wrote:
>>> On 15/12/15 18:31, gimili wrote:
>>>>
>>>>
>>>> >systemctl status samba-ad-dc
>>>>
>>>> ● samba-ad-dc.service - LSB: start Samba daemons for the AD DC
>>>>    Loaded: loaded (/etc/init.d/samba-ad-dc)
>>>>    Active: active (running) since Tue 2015-12-15 13:14:43 EST;
>>>> 11min ago
>>>> [snip]
>>>> Dec 15 13:14:43 bob.ad.test.org samba[841]: [2015/12/15
>>>> 13:14:43.398943, 0] ../source4/smbd/server.c:370(binary_smbd_main)
>>>> Dec 15 13:14:43 bob.ad.test.org samba[841]: samba version
>>>> 4.1.17-Debian started.
>>>> Dec 15 13:14:43 bob.ad.test.org samba[841]: Copyright Andrew
>>>> Tridgell and the Samba Team 1992-2013
>>>> Dec 15 13:14:43 bob.ad.test.org samba-ad-dc[471]: Starting Samba AD
>>>> DC daemon: samba.
>>>> Dec 15 13:14:43 bob.ad.test.org samba[846]: [2015/12/15
>>>> 13:14:43.782455, 0] ../source4/smbd/server.c:488(binary_smbd_main)
>>>> Dec 15 13:14:43 bob.ad.test.org samba[846]: samba: using 'standard'
>>>> process model
>>>> Dec 15 13:14:43 bob.ad.test.org samba[846]: [2015/12/15
>>>> 13:14:43.829676, 0] ../lib/util/become_daemon.c:136(daemon_ready)
>>>> Dec 15 13:14:44 bob.ad.test.org smbd[905]: [2015/12/15
>>>> 13:14:44.332073, 0] ../lib/util/become_daemon.c:136(daemon_ready)
>>>> Dec 15 13:25:03 bob.ad.test.org samba[912]: [2015/12/15
>>>> 13:25:03.932432, 0]
>>>> ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
>>>> Dec 15 13:25:03 bob.ad.test.org samba[912]:
>>>> ../source4/dsdb/dns/dns_update.c:294: Failed DNS update -
>>>> NT_STATUS_IO_TIMEOUT
>>>>
>>>
>>> I wonder if systemd doesn't like the DNS update failing??
>>
>> "Active: active (running)" so there's nothing it doesn't like
>>
>> Is this status right after boot or after restart?
>>
>>
>

Yes this was after rebooting the computer but before restarting samba-ad-dc.

--
gimili

From sebastien-samba at orniz.org Fri Dec 18 13:28:34 2015
From: sebastien-samba at orniz.org (Sébastien Le Ray)
Date: Fri, 18 Dec 2015 14:28:34 +0100
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To: <5674073D.5060609@gmail.com>
References: <566C492B.6070205@samba.org> <56705C80.9010909@gmail.com> <5670681E.1020208@samba.org> <5670703C.5020107@orniz.org> <5670706E.20806@orniz.org> <5674073D.5060609@gmail.com>
Message-ID: <56740A02.7060405@orniz.org>

On 18/12/2015 14:16, gimili wrote:
> Yes this was after rebooting the computer but before restarting
> samba-ad-dc.
>

You could try a netstat -latupne to see if samba is listening where it should, and try a

smbclient '\\localhost' -L -Usomeuser -Wyourdomain

Regards

From belle at bazuin.nl Fri Dec 18 13:54:45 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Fri, 18 Dec 2015 14:54:45 +0100
Subject: [Samba] domain authentication issue after rebooting Debian Jessie - need to restart samba each time
In-Reply-To: <56740505.2010006@gmail.com>
References: <56712E17.5000208@gmail.com>
Message-ID:

Gimili is using internal DNS.. I use bind DNS. Daniel used bind DNS.

So if you're up to it, gimili, upgrade your internal DNS to bind, and test again.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of gimili
> Sent: Friday, 18 December 2015 14:07
> To: Daniel Carrasco Marín; samba at lists.samba.org
> Subject: Re: [Samba] domain authentication issue after rebooting Debian
> Jessie - need to restart samba each time
>
> On 12/16/2015 4:25 AM, Daniel Carrasco Marín wrote:
> > Hi again, I've restarted my server to check if fails and is working
> > fine. My specifications are:
> >
> > - Debian 8u6 jessie 3.16.0-4-amd64
> > - Samba version 4.2.5-SerNet-Debian-8.jessie
> > - DNS Backend Bind
>
> Thanks. Good to know. I may just start again from scratch. Probably I
> missed something.
>
> --
> gimili
>

From rpenny at samba.org Fri Dec 18 13:56:45 2015
From: rpenny at samba.org (Rowland penny)
Date: Fri, 18 Dec 2015 13:56:45 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5673F6ED.9090209@tu-berlin.de>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de>
Message-ID: <5674109D.7090406@samba.org>

On 18/12/15 12:07, Ole Traupe wrote:
>
>
> On 18.12.2015 at 12:30, Rowland penny wrote:
>> On 18/12/15 11:19, Ole Traupe wrote:
>>> Hi Rowland,
>>>
>>> I am very thankful, that you take the time and test all this!
>>
>> No problem.
>>
>>>
>>> Before I go and check if this is the same with my setup and possibly
>>> the problem, could you perhaps try a logon to a member server, while
>>> the 1st DC is unavailable?
>>
>> Ah, slight problem there, as I said, this is just a couple of test
>> DCs and there are no test domain members, you will have to bear with
>> me whilst I create one.
>
> I would be very grateful, and I guess many others too.
>
> I heard from many sides that you should really only use bind9 in case
> you plan a more complicated setup. Until now I thought that having 2
> DCs wasn't considered as such.
>
>

Hi Ole, would you like to know how to set up bind9? Or to put it another way, you cannot login via ssh to a domain member if the first DC goes down when you are using the internal DNS server. If you use bind9, you can login, although there is a bit of a lag.
Rowland

From ole.traupe at tu-berlin.de Fri Dec 18 14:23:42 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Fri, 18 Dec 2015 15:23:42 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <5674109D.7090406@samba.org>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org>
Message-ID: <567416EE.6060003@tu-berlin.de>

On 18.12.2015 at 14:56, Rowland penny wrote:
> On 18/12/15 12:07, Ole Traupe wrote:
>>
>>
>> On 18.12.2015 at 12:30, Rowland penny wrote:
>>> On 18/12/15 11:19, Ole Traupe wrote:
>>>> Hi Rowland,
>>>>
>>>> I am very thankful, that you take the time and test all this!
>>>
>>> No problem.
>>>
>>>>
>>>> Before I go and check if this is the same with my setup and
>>>> possibly the problem, could you perhaps try a logon to a member
>>>> server, while the 1st DC is unavailable?
>>>
>>> Ah, slight problem there, as I said, this is just a couple of test
>>> DCs and there are no test domain members, you will have to bear with
>>> me whilst I create one.
>>
>> I would be very grateful, and I guess many others too.
>>
>> I heard from many sides that you should really only use bind9 in case
>> you plan a more complicated setup. Until now I thought that having 2
>> DCs wasn't considered as such.
>>
>>
>
> Hi Ole, Would you like to know how to set up bind9 ? or to put it
> another way, you cannot login via ssh to a domain member if the
> first DC goes down when you are using the internal dns server. If you
> use bind9, you can login, although there is a bit of a lag.
>
> Rowland
>

Hi Rowland,

yes, I would like to know how to migrate.
But before that: are you 100% sure that this is the problem? Before having tested it?

How much lag?

Ole

From belle at bazuin.nl Fri Dec 18 14:41:15 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Fri, 18 Dec 2015 15:41:15 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <567416EE.6060003@tu-berlin.de>
References: <5674109D.7090406@samba.org>
Message-ID:

I can confirm this also. I do maintenance in work times, and yes, I too can login on the member with a DC server down.
The lag is the "timeout" time for the DNS response. For me about 1.5 sec, just tested it.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Ole Traupe
> Sent: Friday, 18 December 2015 15:24
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authentication to Secondary Domain Controller
> initially fails when PDC is offline
>
>
>
> On 18.12.2015 at 14:56, Rowland penny wrote:
> > On 18/12/15 12:07, Ole Traupe wrote:
> >>
> >>
> >> On 18.12.2015 at 12:30, Rowland penny wrote:
> >>> On 18/12/15 11:19, Ole Traupe wrote:
> >>>> Hi Rowland,
> >>>>
> >>>> I am very thankful, that you take the time and test all this!
> >>>
> >>> No problem.
> >>>
> >>>>
> >>>> Before I go and check if this is the same with my setup and
> >>>> possibly the problem, could you perhaps try a logon to a member
> >>>> server, while the 1st DC is unavailable?
> >>>
> >>> Ah, slight problem there, as I said, this is just a couple of test
> >>> DCs and there are no test domain members, you will have to bear with
> >>> me whilst I create one.
> >>
> >> I would be very grateful, and I guess many others too.
> >>
> >> I heard from many sides that you should really only use bind9 in case
> >> you plan a more complicated setup. Until now I thought that having 2
> >> DCs wasn't considered as such.
> >>
> >>
> >
> > Hi Ole, Would you like to know how to set up bind9 ? or to put it
> > another way, you cannot login via ssh to a domain member if the
> > first DC goes down when you are using the internal dns server. If you
> > use bind9, you can login, although there is a bit of a lag.
> >
> > Rowland
> >
>
> Hi Rowland,
>
> yes, I would like to know how to migrate. But before that: are you 100%
> sure that this is the problem? Before having tested it?
>
> How much lag?
>
> Ole
>

From rpenny at samba.org Fri Dec 18 14:42:13 2015
From: rpenny at samba.org (Rowland penny)
Date: Fri, 18 Dec 2015 14:42:13 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <567416EE.6060003@tu-berlin.de>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de>
Message-ID: <56741B45.70500@samba.org>

On 18/12/15 14:23, Ole Traupe wrote:
>
>
> On 18.12.2015 at 14:56, Rowland penny wrote:
>> On 18/12/15 12:07, Ole Traupe wrote:
>>>
>>>
>>> On 18.12.2015 at 12:30, Rowland penny wrote:
>>>> On 18/12/15 11:19, Ole Traupe wrote:
>>>>> Hi Rowland,
>>>>>
>>>>> I am very thankful, that you take the time and test all this!
>>>>
>>>> No problem.
>>>>
>>>>>
>>>>> Before I go and check if this is the same with my setup and
>>>>> possibly the problem, could you perhaps try a logon to a member
>>>>> server, while the 1st DC is unavailable?
>>>>
>>>> Ah, slight problem there, as I said, this is just a couple of test
>>>> DCs and there are no test domain members, you will have to bear
>>>> with me whilst I create one.
>>>
>>> I would be very grateful, and I guess many others too.
>>>
>>> I heard from many sides that you should really only use bind9 in
>>> case you plan a more complicated setup. Until now I thought that
>>> having 2 DCs wasn't considered as such.
>>>
>>>
>>
>> Hi Ole, Would you like to know how to set up bind9 ? or to put it
>> another way, you cannot login via ssh to a domain member if the
>> first DC goes down when you are using the internal dns server. If you
>> use bind9, you can login, although there is a bit of a lag.
>>
>> Rowland
>>
>
> Hi Rowland,
>
> yes, I would like to know how to migrate. But before that: are you
> 100% sure that this is the problem? Before having tested it?
>
> How much lag?
>
> Ole
>
>

Hi Ole, all I can say is that I have two DCs running in VMs, they use the internal DNS server. I have joined a Samba domain member (again running in a VM) to the domain. If I turn off the first DC I created, I cannot log into the domain member via ssh, but if I have both DCs running, I can.

There is another problem, after I restart the first DC, I still cannot login, I had to restart Samba on all three machines before I could log into the domain member again.

With my domain that uses Bind9, I turned off the first DC and attempted to log into a domain member via ssh, after a few seconds (approx 5) it logged me in, I then exited again, restarted the first DC again and tried to log in again, this time there was no lag and I logged in straight away.

Can I suggest that you do what I did, create your own small test domain in VMs using Bind9

Rowland

From sjhoward at iu.edu Fri Dec 18 15:18:21 2015
From: sjhoward at iu.edu (Howard, Stewart Jameson)
Date: Fri, 18 Dec 2015 15:18:21 +0000
Subject: [Samba] CTDB Changes in 4.2.7
Message-ID: <1450451901604.48540@iu.edu>

Hi All,

I just have a couple of quick questions about CTDB. I've recently installed the Sernet Samba packages for 4.2.7-19, which included CTDB 4.2.7-19.
After the install, I noticed a couple of things that had changed since the previous (much older) version of CTDB that I was running:

1) The Sernet packaging did not seem to include the `man` page for CTDB. I was wondering if there is a location where I can download that separately.

2) When running a command in the CTDB client on the command line, I now have to explicitly supply the `--socket=` option, or the client cannot connect to the CTDB daemon. This despite the fact that I'm keeping the socket in the default location (/tmp/ctdb.socket). Is there some new configuration source for the CTDB client in which I need to specify this socket location?

This install is on a RHEL 6.6 system.

Thank you so much for your time!

Stewart Howard
Indiana University

From ole.traupe at tu-berlin.de Fri Dec 18 15:27:30 2015
From: ole.traupe at tu-berlin.de (Ole Traupe)
Date: Fri, 18 Dec 2015 16:27:30 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <56741B45.70500@samba.org>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de> <56741B45.70500@samba.org>
Message-ID: <567425E2.5000504@tu-berlin.de>

On 18.12.2015 at 15:42, Rowland penny wrote:
> On 18/12/15 14:23, Ole Traupe wrote:
>>
>>
>> On 18.12.2015 at 14:56, Rowland penny wrote:
>>> On 18/12/15 12:07, Ole Traupe wrote:
>>>>
>>>>
>>>> On 18.12.2015 at 12:30, Rowland penny wrote:
>>>>> On 18/12/15 11:19, Ole Traupe wrote:
>>>>>> Hi Rowland,
>>>>>>
>>>>>> I am very thankful, that you take the time and test all this!
>>>>>
>>>>> No problem.
>>>>>
>>>>>>
>>>>>> Before I go and check if this is the same with my setup and
>>>>>> possibly the problem, could you perhaps try a logon to a member
>>>>>> server, while the 1st DC is unavailable?
>>>>>
>>>>> Ah, slight problem there, as I said, this is just a couple of test
>>>>> DCs and there are no test domain members, you will have to bear
>>>>> with me whilst I create one.
>>>>
>>>> I would be very grateful, and I guess many others too.
>>>>
>>>> I heard from many sides that you should really only use bind9 in
>>>> case you plan a more complicated setup. Until now I thought that
>>>> having 2 DCs wasn't considered as such.
>>>>
>>>>
>>>
>>> Hi Ole, Would you like to know how to set up bind9 ? or to put it
>>> another way, you cannot login via ssh to a domain member if the
>>> first DC goes down when you are using the internal dns server. If
>>> you use bind9, you can login, although there is a bit of a lag.
>>>
>>> Rowland
>>>
>>
>> Hi Rowland,
>>
>> yes, I would like to know how to migrate. But before that: are you
>> 100% sure that this is the problem? Before having tested it?
>>
>> How much lag?
>>
>> Ole
>>
>>
>>
>
> Hi Ole, all I can say is that I have two DCs running in VMs, they use
> the internal dns server. I have joined a samba domain member (again
> running in a VM) to the domain. If I turn off the first DC I created,
> I cannot log into the domain member via ssh, but if I have both DCs
> running, I can.

Ok, that is enough confirmation for me. Thank you very much, I highly appreciate this.

> There is another problem, after I restart the first DC, I still cannot
> login, I had to restart Samba on all three machines before I could log
> into the domain member again.

Strange, but that is different here. Do you use a different Samba version, possibly 4.3.x? I still have 4.2.5.
>
> With my domain that uses Bind9, I turned off the first DC and
> attempted to log into a domain member via ssh, after a few seconds
> (approx 5) it logged me in, I then exited again, restarted the first
> DC again and tried to log in again, this time there was no lag and I
> logged in straight away.

This sounds promising and as expected: a short timeout due to the (preferred?) DNS server being offline.

>
> Can I suggest that you do what I did, create your own small test
> domain in VMs using Bind9

Yes, that is a good idea. However, from what I had read before, much of it on the Samba wiki, I was expecting Samba4 to just work with multiple DCs. I still wonder why no one ever seems to have tested or questioned that (publicly). And I don't feel that I have to question something myself that is broadly recommended: use the internal DNS unless you really have to do otherwise (even by the developers, it seems). In addition, bind9 working with multiple DCs does not necessarily mean that internal DNS won't.

I also would like to state that I am a part-time admin and I can't test something for a year or so (like others) before I go into production. With Samba 4 I was rather happy to find something that won't require so much work (although it feels different now, partially due to me being more or less a newbie to unix-based systems, I guess).

In any way, I would like to avoid any more unnecessary effort due to missing or misleading information (what I tried was never expected to work; and some of us have invested a lot of time to find out). That is why I asked so explicitly for your (or others') experience on that matter. Also, it might have been, that I am doing something else wrong, which might have interfered with my own experience being diagnostic of Samba internal DNS.

--

Now I can finally stop thinking about internal DNS and what might or might not have been misconfigured.
So, how can I migrate my DNS from internal to bind with hopefully not so much effort (as to create a bunch of new DCs)? In particular: how can I avoid carrying over any mis-configurations to my new DNS?

I would be very happy about any suggestions.

Ole

>
> Rowland
>
>

From rpenny at samba.org Fri Dec 18 16:04:30 2015
From: rpenny at samba.org (Rowland penny)
Date: Fri, 18 Dec 2015 16:04:30 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <567425E2.5000504@tu-berlin.de>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de> <56741B45.70500@samba.org> <567425E2.5000504@tu-berlin.de>
Message-ID: <56742E8E.5070303@samba.org>

On 18/12/15 15:27, Ole Traupe wrote:
>
>
> On 18.12.2015 at 15:42, Rowland penny wrote:
>>
>> Hi Ole, all I can say is that I have two DCs running in VMs, they use
>> the internal dns server. I have joined a samba domain member (again
>> running in a VM) to the domain. If I turn off the first DC I created,
>> I cannot log into the domain member via ssh, but if I have both DCs
>> running, I can.
>
> Ok, that is enough confirmation for me. Thank you very much, I highly
> appreciate this.
>
>
>> There is another problem, after I restart the first DC, I still
>> cannot login, I had to restart Samba on all three machines before I
>> could log into the domain member again.
>
> Strange, but that is different here. Do you use a different Samba
> version, possibly 4.3.x? I still have 4.2.5.
>
>

This is with 4.1.17 from wheezy backports, though as far as I know the DNS server part of Samba hasn't changed much since.
>>
>> With my domain that uses Bind9, I turned off the first DC and
>> attempted to log into a domain member via ssh, after a few seconds
>> (approx 5) it logged me in, I then exited again, restarted the first
>> DC again and tried to log in again, this time there was no lag and I
>> logged in straight away.
>
> This sounds promising and as expected: a short timeout due to the
> (preferred?) DNS server being offline.
>
>
>>
>> Can I suggest that you do what I did, create your own small test
>> domain in VMs using Bind9
>
> Yes, that is a good idea. However, from what I had read before, much
> of it on the Samba wiki, I was expecting Samba4 to just work with
> multiple DCs. I still wonder why no one ever seems to have tested or
> questioned that (publicly). And I don't feel that I have to question
> something myself that is broadly recommended: use the internal DNS
> unless you really have to do otherwise (even by the developers, it
> seems). In addition, bind9 working with multiple DCs does not
> necessarily mean that internal DNS won't.
>

I am going to discuss this with Marc and the rest of the team, like you, I am surprised that nobody has raised this before. I have always used Samba with Bind9, so was unaware of this possible problem, it only came to a head for me when you mentioned it. I then found I only had one NS record in the SOA and this led to where we are now.

> I also feel the need to would like to state that I am a part-time
> admin and I can't test something for a year or so (like others) before
> I go into production. With Samba 4 I was rather happy to find
> something that won't require so much work (although it feels
> differently now, partially due to me being more or less a newbie to
> unix-based systems, I guess).
It doesn't need much looking after, once you have got it up and running :-)

Rowland

>
>
> In any way, I would like to avoid any more unnecessary effort due to
> missing or misleading information (what I tried was never expected to
> work; and some of us have invested a lot of time to find out). That is
> why I asked so explicitly for your (or others') experience on that
> matter. Also, it might have been, that I am doing something else
> wrong, which might have interfered with my own experience being
> diagnostic of Samba internal DNS.
>
> --
>
> Now I can finally stop thinking about internal DNS anymore and what
> might or might not have misconfigured.
>
> So, how can I migrate my DNS from internal to bind with hopefully not
> so much effort (as to create a bunch of new DCs)? In particular: how
> can I avoid carrying over any mis-configurations to my new DNS?
>
> I would be very happy about any suggestions.
>
> Ole
>
>
>
>
>>
>> Rowland
>>
>>
>
>

From dandbnews2 at talktalk.net Fri Dec 18 19:46:00 2015
From: dandbnews2 at talktalk.net (DavidA)
Date: Fri, 18 Dec 2015 19:46:00 -0000
Subject: [Samba] Windows 7 can't see Pi Samba server
In-Reply-To: <566D4183.5010803@samba.org>
References: <566C7236.7030000@samba.org> <8AE7A8AAD3BC416B951A72A863F15B56@DavidPC> <566D4183.5010803@samba.org>
Message-ID: <72FBB05FFDB7471F99EAC97E57EC94D7@DavidPC>

Hi

I'm still struggling with this problem. Here is my situation:

I have two Windows 7 laptops, call them A and B, and a Raspberry Pi Samba server on a home network, all with the same workgroup name. The Pi's name is RPHS.

A and B can see each other (their names appear under Network in Explorer on both laptops).

Both A and B can access the Pi if I specify the IP Address in Explorer.

The Pi's name appears only in A (under Network).

On B, if I execute:

nbtstat -a RPHS

I get 'Host not found'.

(On A RPHS is resolved correctly).

I don't understand Windows networking well enough to debug this. Should I be using NetBios?
Should I be using WINS? If yes/no, how do I enable/disable them?

I would greatly appreciate some help. I am close to pulling my hair out!

Best regards

David

-----Original Message-----
From: Rowland penny
Sent: Sunday, December 13, 2015 9:59 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Windows 7 can't see Pi Samba server

On 13/12/15 09:36, DavidA wrote:
> Hi
>
> Here's some more info about my problem:
>
> ==========================================
>
> log.nmbd contains:
>
> Samba name server RPHS is now a local master browser for workgroup HOME
> on subnet 192.168.2.8
>
> *****
> [2015/12/12 20:48:19.709456, 0]
> ../source3/nmbd/nmbd_browsesync.c:354(find_domain_master_name_query_fail)
> find_domain_master_name_query_fail:
> Unable to find the Domain Master Browser name HOME<1b> for the workgroup
> HOME.
> Unable to sync browse lists in this workgroup.
> [2015/12/12 20:48:28.490472, 0]
> ../source3/nmbd/nmbd_incomingdgrams.c:311(process_local_master_announce)
> process_local_master_announce: Server BELSIE-PC at IP 192.168.2.5 is
> announcing itself as a local master browser for workgroup HOME and we
> think we are master. Forcing election.
> [2015/12/12 20:48:28.491628, 0]
> ../source3/nmbd/nmbd_become_lmb.c:150(unbecome_local_master_success)
> *****
>
> Samba name server RPHS has stopped being a local master browser for
> workgroup HOME on subnet 192.168.2.8
>
> ==========================================
>
>
> RPHS is the rpi. BELSIE-PC is the pc which does not show the rpi.
>
> The Domain Master Browser seems to change frequently. Is this significant?
>
> Best regards
>
> David
>

No, it isn't significant, the elections go on all the time. As you can browse from one windows 7 client, but not from the other, this tends to suggest that the Samba machine is working correctly. You need to compare the two windows 7 machines, there must be a difference between them, I am fairly sure that this is a windows problem.
Rowland

From rpenny at samba.org Fri Dec 18 20:23:38 2015
From: rpenny at samba.org (Rowland penny)
Date: Fri, 18 Dec 2015 20:23:38 +0000
Subject: [Samba] Windows 7 can't see Pi Samba server
In-Reply-To: <72FBB05FFDB7471F99EAC97E57EC94D7@DavidPC>
References: <566C7236.7030000@samba.org> <8AE7A8AAD3BC416B951A72A863F15B56@DavidPC> <566D4183.5010803@samba.org> <72FBB05FFDB7471F99EAC97E57EC94D7@DavidPC>
Message-ID: <56746B4A.2030603@samba.org>

On 18/12/15 19:46, DavidA wrote:
> Hi
>
> I'm still struggling with this problem. Here is my situation:
>
> I have two Windows 7 laptops, call them A and B, and a Raspberry Pi
> Samba server on a home network, all with the same workgroup name. The
> Pi's name is RPHS.
>
> A and B can see each other (their names appear under Network in
> Explorer on both laptops).
>
> Both A and B can access the Pi if I specify the IP Address in Explorer.
>
> The Pi's name appears only in A (under Network).
>
> On B, if I execute:
>
> nbtstat -a RPHS
>
> I get 'Host not found'.
>
> (On A RPHS is resolved correctly).
>
> I don't understand Windows networking well enough to debug this.
> Should I be using NetBios? Should I be using WINS? If yes/no, how do
> I enable/disable them?
>
> I would greatly appreciate some help. I am close to pulling my hair out!
>
> Best regards
>
> David
>
>

Hi, I still think this is a windows problem, so I did a bit of googling and found this:

http://serverfault.com/questions/559657/windows-7-pc-cannot-see-some-lan-pcs-but-can-access-them-via-path

If this doesn't help, I would suggest you try a windows mailing list.
Rowland

From dandbnews2 at talktalk.net Fri Dec 18 22:06:38 2015
From: dandbnews2 at talktalk.net (DavidA)
Date: Fri, 18 Dec 2015 22:06:38 -0000
Subject: [Samba] Windows 7 can't see Pi Samba server
In-Reply-To: <56746B4A.2030603@samba.org>
References: <566C7236.7030000@samba.org> <8AE7A8AAD3BC416B951A72A863F15B56@DavidPC> <566D4183.5010803@samba.org> <72FBB05FFDB7471F99EAC97E57EC94D7@DavidPC> <56746B4A.2030603@samba.org>
Message-ID:

Hi Rowland

Thanks for your reply. I'm afraid that link didn't help. I have tried a Microsoft forum but am not getting very far there. Will try again. Trouble is understanding how Windows networks are supposed to work. I wonder if a Workgroup is the way to go or if there is a better model I could use.

Best regards

David

-----Original Message-----
From: Rowland penny
Sent: Friday, December 18, 2015 8:23 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Windows 7 can't see Pi Samba server

On 18/12/15 19:46, DavidA wrote:
> Hi
>
> I'm still struggling with this problem. Here is my situation:
>
> I have two Windows 7 laptops, call them A and B, and a Raspberry Pi Samba
> server on a home network, all with the same workgroup name. The Pi's name
> is RPHS.
>
> A and B can see each other (their names appear under Network in Explorer
> on both laptops).
>
> Both A and B can access the Pi if I specify the IP Address in Explorer.
>
> The Pi's name appears only in A (under Network).
>
> On B, if I execute:
>
> nbtstat -a RPHS
>
> I get 'Host not found'.
>
> (On A RPHS is resolved correctly).
>
> I don't understand Windows networking well enough to debug this. Should I
> be using NetBios? Should I be using WINS? If yes/no, how do I
> enable/disable them?
>
> I would greatly appreciate some help. I am close to pulling my hair out!
> > Best regards > > David > > Hi, I still think this is a windows problem, so I did a bit of googling and found this: http://serverfault.com/questions/559657/windows-7-pc-cannot-see-some-lan-pcs-but-can-access-them-via-path If this doesn't help, I would suggest you try a windows mailing list. Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba From post at rolandgruber.de Sat Dec 19 08:48:29 2015 From: post at rolandgruber.de (Roland Gruber) Date: Sat, 19 Dec 2015 09:48:29 +0100 Subject: [Samba] LDAP Account Manager 5.2.RC1 with extended Windows support and more password expiration jobs In-Reply-To: <1449007510.19054.0.camel@samba.org> References: <565C979E.5050601@rolandgruber.de> <1448921401.3103.12.camel@samba.org> <565DF240.8050200@rolandgruber.de> <1449007510.19054.0.camel@samba.org> Message-ID: <567519DD.1000001@rolandgruber.de> Hi Andrew, On 01.12.2015 23:05, Andrew Bartlett wrote: >> sounds great. I can provide you a template config file and a short >> description for the installation if you want. > > That would be great. Patches or Pull requests against our github repo > are even better :-) I attached a sample config file (lam.conf). There is also a description what you need to replace in the file (readme_devel.txt) and user documentation (readme_user.txt). Please let me know if you need any more information. Best regards Roland -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature URL: From biku at argusqatar.com Sat Dec 19 11:06:48 2015 From: biku at argusqatar.com (Biku Argus) Date: Sat, 19 Dec 2015 14:06:48 +0300 Subject: [Samba] Fwd: Active Directory Installation error In-Reply-To: References: Message-ID: *Hi! When I tried to install active directory in Debian Jessie I had following errors in the end. 
I followed the samba instructions to install it. Can you please help me? And plus I'm new in linux. :)

root at server-linux:~# nano /etc/hosts
root at server-linux:~# export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH
root at server-linux:~# samba-tool domain provision ..... --option="interfaces=lo eth0" --option="bind interfaces only=yes"
Usage: samba-tool domain provision [options]

root at server-linux:~# samba-tool domain provision --use-rfc2307 --interactive
Realm [TESTARGUS123.COM]: TESTARGUS123.COM
Domain [TESTARGUS123]: TESTARGUS123
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.200.1]: 8.8.8.8
Administrator password:
Retype password:
ERROR(): Provision failed - ProvisioningError: guess_names: 'realm =' was not specified in supplied /etc/samba/smb.conf. Please remove the smb.conf file and let provision generate it
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 401, in run
    use_rfc2307=use_rfc2307, skip_sysvolacl=False)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 2019, in provision
    sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS))
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 595, in guess_names
    raise ProvisioningError("guess_names: 'realm =' was not specified in supplied %s. Please remove the smb.conf file and let provision generate it" % lp.configfile)

root at server-linux:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
root at server-linux:~# samba-tool domain provision --use-rfc2307 --interactive
Realm [TESTARGUS123.COM]: TESTARGUS123.COM
Domain [TESTARGUS123]: TESTARGUS
Server Role (dc, member, standalone) [dc]: dc
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.200.1]: 8.8.8.8
Administrator password:
Retype password:
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=testargus123,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=testargus123,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              server-linux
NetBIOS Domain:        TESTARGUS
DNS Domain:            testargus123.com
DOMAIN SID:            S-1-5-21-3659101674-2677919897-2034844652

root at server-linux:~# samba
root at server-linux:~# smbclient
-bash: smbclient: command not found
root at server-linux:~# exit
logout
biku at server-linux:~$ smbclient -L linux-server -U%
bash: smbclient: command not found
biku at server-linux:~$ smbclient -L localhost -U%
bash: smbclient: command not found

--
Regards,
Biku Balami
Technical Support-Hardware
+974-55476123

From rpenny at samba.org Sat Dec 19 11:27:46 2015
From: rpenny at samba.org (Rowland penny)
Date: Sat, 19 Dec 2015 11:27:46 +0000
Subject: [Samba] Fwd: Active Directory Installation error
In-Reply-To:
References:
Message-ID: <56753F32.3090606@samba.org>

On 19/12/15 11:06, Biku Argus wrote:
> Hi! When I tried to install active directory in Debian Jessie I had
> the following errors in the end. I followed the samba instructions to install
> it. Can you please help me? And plus I'm new in linux. :)
>
> root at server-linux:~# nano /etc/hosts
> root at server-linux:~# export
> PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH
> root at server-linux:~# samba-tool domain provision .....
> --option="interfaces=lo eth0" --option="bind interfaces only=yes"
> Usage: samba-tool domain provision [options]
>
> root at server-linux:~# samba-tool domain provision --use-rfc2307 --interactive
> Realm [TESTARGUS123.COM]: TESTARGUS123.COM
> Domain [TESTARGUS123]: TESTARGUS123
> Server Role (dc, member, standalone) [dc]: dc
> DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
> [SAMBA_INTERNAL]: SAMBA_INTERNAL
> DNS forwarder IP address (write 'none' to disable forwarding)
> [192.168.200.1]: 8.8.8.8
> Administrator password:
> Retype password:
> ERROR(): Provision failed -
> ProvisioningError: guess_names: 'realm =' was not specified in supplied
> /etc/samba/smb.conf. Please remove the smb.conf file and let provision
> generate it
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 401,
> in run
>     use_rfc2307=use_rfc2307, skip_sysvolacl=False)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 2019, in provision
>     sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill ==
> FILL_DRS))
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 595, in guess_names
>     raise ProvisioningError("guess_names: 'realm =' was not specified in
> supplied %s. Please remove the smb.conf file and let provision generate
> it" % lp.configfile)
>
> root at server-linux:~# mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
> root at server-linux:~# samba-tool domain provision --use-rfc2307 --interactive
> Realm [TESTARGUS123.COM]: TESTARGUS123.COM
> Domain [TESTARGUS123]: TESTARGUS
> Server Role (dc, member, standalone) [dc]: dc
> DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
> [SAMBA_INTERNAL]: SAMBA_INTERNAL
> DNS forwarder IP address (write 'none' to disable forwarding)
> [192.168.200.1]: 8.8.8.8
> Administrator password:
> Retype password:
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=testargus123,DC=com
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=testargus123,DC=com
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba 4 has been generated at
> /var/lib/samba/private/krb5.conf
> Setting up fake yp server settings
> Once the above files are installed, your Samba4 server will be ready to use
> Server Role:           active directory domain controller
> Hostname:              server-linux
> NetBIOS Domain:        TESTARGUS
> DNS Domain:            testargus123.com
> DOMAIN SID:            S-1-5-21-3659101674-2677919897-2034844652
>
> root at server-linux:~# samba
> root at server-linux:~# smbclient
> -bash: smbclient: command not found
> root at server-linux:~# exit
> logout
> biku at server-linux:~$ smbclient -L linux-server -U%
> bash: smbclient: command not found
> biku at server-linux:~$ smbclient -L localhost -U%
> bash: smbclient: command not found
>
>

The only thing that I can see missing is this:

echo "PATH=/usr/local/samba/bin:/usr/local/samba/sbin:\$PATH" > /etc/profile.d/samba4.sh

This should give you the correct path to smbclient etc, you can check by running 'env | grep PATH' in a terminal, it should return something like this:

PATH=/usr/local/samba/bin:/usr/local/samba/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

You will need to open a new terminal after running the 'echo' command.

Rowland

From bouke at ict-diensten.com Sat Dec 19 22:12:32 2015
From: bouke at ict-diensten.com (Bouke J. Henstra)
Date: Sat, 19 Dec 2015 23:12:32 +0100
Subject: [Samba] Sysvol: users - access denied
Message-ID:

Hello,

I have a question regarding access permissions. Recently I have upgraded my DC from version 41.12 to 4.1.21. This weekend I have decided to upgrade to 4.3.3. I have noticed that my users weren't able to access the sysvol share after the upgrade to 4.3.3.
As a test I have created a new user "test" and I was able to open the sysvol share without any issues. Next I have recreated my own user account (delete user, create user) and everything works like a charm... but not for my other users.

I would like to know why these users aren't able to access the sysvol share. In the AD console the other user accounts look similar: same group memberships. I have tried the "samba-tool ntacl sysvolreset" command but this did not help to resolve the issue. I have read the steps which I had found at "https://wiki.samba.org/index.php/Updating_Samba" but these steps did not help me to resolve the issue either (as I could not find issues).

The users "test" + the recreated user "bouke" work fine now. I did not recreate user account "renate" as I would like to know if it is possible to fix this user's access to sysvol manually (without recreating the user). Or is it possible to overwrite the user account for Renate with defaults without recreating the account?

I have noticed that Windows asks me for Renate's username + password after I am logged in (Windows 10) and trying to access \\srv001.alpha.inet\sysvol.

I would like to know how I could troubleshoot this matter, what could cause this and how I could fix it.

I have copied some lines from the log file. I am hoping that these are relevant. I have also copied some lines from the console - I have verified the group memberships with wbinfo. I think these look okay.

Thank you for your help.

[2015/12/19 22:47:00.113129, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\renate opened file renate/My Documents/My Pictures/desktop.ini read=No write=No (numopen=3)
[2015/12/19 22:47:00.141442, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\bouke closed file bouke/Desktop/OpenOffice Calc.lnk (numopen=11) NT_STATUS_OK
[2015/12/19 22:47:00.148576, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\renate closed file renate/My Documents/My Pictures/desktop.ini (numopen=2) NT_STATUS_OK
[2015/12/19 22:47:00.149778, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\bouke opened file bouke/Desktop/OpenOffice Calc.lnk read=No write=No (numopen=12)
[2015/12/19 22:47:00.212121, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\renate opened file renate/My Documents/My Pictures/desktop.ini read=No write=No (numopen=3)
[2015/12/19 22:47:00.333266, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\bouke closed file bouke/Desktop/OpenOffice Calc.lnk (numopen=11) NT_STATUS_OK
[2015/12/19 22:47:00.333948, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\renate closed file renate/My Documents/My Pictures/desktop.ini (numopen=2) NT_STATUS_OK
[2015/12/19 22:47:00.337362, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\renate opened file renate/My Documents/My Pictures/desktop.ini read=No write=No (numopen=3)
[2015/12/19 22:47:00.532273, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\renate closed file renate/My Documents/My Pictures/desktop.ini (numopen=2) NT_STATUS_OK
[2015/12/19 22:47:00.532821, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\bouke opened file bouke/Desktop/OpenOffice Writer.lnk read=No write=No (numopen=12)
[2015/12/19 22:47:00.537035, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\renate opened file renate/My Documents/My Pictures/desktop.ini read=Yes write=No (numopen=3)
[2015/12/19 22:47:00.537134, 3] ../source3/smbd/oplock_linux.c:155(linux_set_kernel_oplock) linux_set_kernel_oplock: got kernel oplock on file renate/My Documents/My Pictures/desktop.ini, file_id = fc00:29c1dfc:0 gen_id = 888224576
[2015/12/19 22:47:00.558468, 3] ../source3/smbd/smb2_read.c:413(smb2_read_complete) smbd_smb2_read: fnum 459648465, file renate/My Documents/My Pictures/desktop.ini, length=520 offset=0 read=520
[2015/12/19 22:47:00.566730, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\renate opened file renate/My Documents/My Pictures/desktop.ini read=No write=No (numopen=4)
[2015/12/19 22:47:00.567591, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\bouke closed file bouke/Desktop/OpenOffice Writer.lnk (numopen=11) NT_STATUS_OK
[2015/12/19 22:47:00.569662, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\renate closed file renate/My Documents/My Pictures/desktop.ini (numopen=3) NT_STATUS_OK
[2015/12/19 22:47:00.571575, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\bouke opened file bouke/Desktop/OpenOffice Writer.lnk read=No write=No (numopen=12)
[2015/12/19 22:47:00.573297, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\renate closed file renate/My Documents/My Pictures/desktop.ini (numopen=2) NT_STATUS_OK
[2015/12/19 22:47:00.576533, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\renate opened file renate/My Documents/My Pictures/desktop.ini read=Yes write=No (numopen=3)
[2015/12/19 22:47:00.576651, 3] ../source3/smbd/oplock_linux.c:155(linux_set_kernel_oplock) linux_set_kernel_oplock: got kernel oplock on file renate/My Documents/My Pictures/desktop.ini, file_id = fc00:29c1dfc:0 gen_id = 1048579373
[2015/12/19 22:47:00.586313, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\bouke closed file bouke/Desktop/OpenOffice Writer.lnk (numopen=11) NT_STATUS_OK
[2015/12/19 22:47:00.587248, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\renate opened file renate/My Documents/My Pictures/desktop.ini read=No write=No (numopen=4)
[2015/12/19 22:47:00.611137, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\renate closed file renate/My Documents/My Pictures/desktop.ini (numopen=3) NT_STATUS_OK
[2015/12/19 22:47:00.614821, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\bouke opened file bouke/Desktop/Opera.lnk read=No write=No (numopen=12)
[2015/12/19 22:47:00.623441, 3] ../source3/smbd/open.c:881(open_file) Error opening file renate/My Documents/My Pictures/desktop.ini (NT_STATUS_NETWORK_BUSY) (local_flags=2048) (flags=2048)
[2015/12/19 22:47:00.623715, 3] ../source3/smbd/oplock.c:648(initial_break_processing) initial_break_processing: called for fc00:29c1dfc:0/1048579373 Current oplocks_open (exclusive = 7, levelII = 0)
[2015/12/19 22:47:00.623812, 3] ../source3/smbd/oplock.c:648(initial_break_processing) initial_break_processing: called for fc00:29c1dfc:0/1048579373 Current oplocks_open (exclusive = 7, levelII = 0)
[2015/12/19 22:47:00.623848, 3] ../source3/smbd/oplock.c:1005(process_kernel_oplock_break) Got a kernel oplock request while waiting for a break reply
[2015/12/19 22:47:00.726924, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\renate opened file renate/My Documents/My Pictures/desktop.ini read=Yes write=No (numopen=4)
[2015/12/19 22:47:00.848688, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\bouke closed file bouke/Desktop/Opera.lnk (numopen=11) NT_STATUS_OK
[2015/12/19 22:47:00.851135, 3] ../source3/lib/util.c:1181(fcntl_getlock) fcntl_getlock: fd 57 is returned info 2 pid 0
[2015/12/19 22:47:00.851176, 3] ../source3/smbd/smb2_read.c:413(smb2_read_complete) smbd_smb2_read: fnum 3879432779, file renate/My Documents/My Pictures/desktop.ini, length=520 offset=0 read=520
[2015/12/19 22:47:00.853536, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\bouke opened file bouke/Desktop/Opera.lnk read=No write=No (numopen=12)
[..]
[2015/12/19 22:47:07.994002, 3] ../source3/smbd/service.c:614(make_connection_snum) Connect path is '/usr/local/samba/var/locks/sysvol' for service [sysvol]
[2015/12/19 22:47:07.994109, 3] ../source3/smbd/vfs.c:113(vfs_init_default) Initialising default vfs hooks
[2015/12/19 22:47:07.994141, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [/[Default VFS]/]
[2015/12/19 22:47:07.994154, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [acl_xattr]
[2015/12/19 22:47:07.994203, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\bouke closed file bouke/Desktop/PuTTY.lnk (numopen=22) NT_STATUS_OK
[2015/12/19 22:47:07.994375, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\renate closed file renate/Desktop/desktop.ini (numopen=6) NT_STATUS_OK
[2015/12/19 22:47:07.996611, 2] ../lib/util/modules.c:196(do_smb_load_module) Module 'acl_xattr' loaded
[2015/12/19 22:47:07.996640, 3] ../source3/smbd/vfs.c:139(vfs_init_custom) Initialising custom vfs hooks from [dfs_samba4]
[2015/12/19 22:47:07.996660, 2] ../source3/modules/vfs_acl_xattr.c:193(connect_acl_xattr) connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
[2015/12/19 22:47:07.999610, 3] ../source3/smbd/oplock_linux.c:251(linux_init_kernel_oplocks) Linux kernel oplocks enabled
[2015/12/19 22:47:07.999823, 2] ../source3/smbd/service.c:864(make_connection_snum) 172.16.24.194 (ipv4:172.16.24.194:50845) connect to service sysvol initially as user ALPHA\renate (uid=3000036, gid=100) (pid 7121)
[2015/12/19 22:47:08.351737, 3] ../source3/smbd/dir.c:628(dptr_create) creating new dirptr 0 for path renate/My Documents/My Pictures, expect_close = 0
[2015/12/19 22:47:08.351961, 3] ../source3/smbd/dir.c:1187(smbd_dirptr_get_entry) smbd_dirptr_get_entry mask=[*] found renate/My Documents/My Pictures/. fname=. (.)
[2015/12/19 22:47:08.352052, 3] ../source3/smbd/dir.c:1187(smbd_dirptr_get_entry) smbd_dirptr_get_entry mask=[*] found renate/My Documents/My Pictures/.. fname=.. (..)
[2015/12/19 22:47:08.353296, 3] ../source3/smbd/dir.c:1187(smbd_dirptr_get_entry)

root at srv001:/usr/local/samba/bin# ./wbinfo -n bouke
S-1-5-21-1489937584-2541206552-3137005897-1135 SID_USER (1)
root at srv001:/usr/local/samba/bin# ./wbinfo --user-sids=S-1-5-21-1489937584-2541206552-3137005897-1135
S-1-5-21-1489937584-2541206552-3137005897-1135
S-1-5-21-1489937584-2541206552-3137005897-513
S-1-5-21-1489937584-2541206552-3137005897-1124
S-1-5-32-545

root at srv001:/usr/local/samba/bin# ./wbinfo -n test
S-1-5-21-1489937584-2541206552-3137005897-1134 SID_USER (1)
root at srv001:/usr/local/samba/bin# ./wbinfo --user-sids=S-1-5-21-1489937584-2541206552-3137005897-1134
S-1-5-21-1489937584-2541206552-3137005897-1134
S-1-5-21-1489937584-2541206552-3137005897-513
S-1-5-21-1489937584-2541206552-3137005897-1124
S-1-5-32-545

root at srv001:/usr/local/samba/bin# ./wbinfo -n renate
S-1-5-21-1489937584-2541206552-3137005897-1120 SID_USER (1)
root at srv001:/usr/local/samba/bin# ./wbinfo --user-sids=S-1-5-21-1489937584-2541206552-3137005897-1120
S-1-5-21-1489937584-2541206552-3137005897-1120
S-1-5-21-1489937584-2541206552-3137005897-513
S-1-5-21-1489937584-2541206552-3137005897-1124
S-1-5-32-545

Kind regards,

Bouke J. Henstra
E bouke at ict-diensten.com

--
This message (and any associated files) may contain confidential and/or privileged information. If you are not the intended recipient or authorized to receive this for the intended recipient, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by sending a reply e-mail and delete this message. Thank you for your cooperation.
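A way to work through a capture like the one above before recreating accounts, as an added example that is not Bouke's script and not part of the thread: the first helper reads smbd log text (level 2/3, either the one-line layout as pasted above or the default header-plus-indented-message layout) and prints every "connect to service" event with the uid/gid smbd mapped the user to, plus every non-OK NT_STATUS code with the function that logged it; the second compares two users' `wbinfo --user-sids` token lists and prints only the group SIDs that differ. The sample log lines and SID lists are constructed here from what Bouke posted; the function names are my own.

```shell
#!/bin/sh
# Added example: triage helpers for smbd log output and wbinfo token lists.
# Not from the thread; function names are mine.

sample_smbd_log() {
    # Constructed sample, trimmed from the lines posted in the thread.
    cat <<'EOF'
[2015/12/19 22:47:00.614821, 2] ../source3/smbd/open.c:1005(open_file) ALPHA\bouke opened file bouke/Desktop/Opera.lnk read=No write=No (numopen=12)
[2015/12/19 22:47:00.623441, 3] ../source3/smbd/open.c:881(open_file) Error opening file renate/My Documents/My Pictures/desktop.ini (NT_STATUS_NETWORK_BUSY) (local_flags=2048) (flags=2048)
[2015/12/19 22:47:00.848688, 2] ../source3/smbd/close.c:780(close_normal_file) ALPHA\bouke closed file bouke/Desktop/Opera.lnk (numopen=11) NT_STATUS_OK
[2015/12/19 22:47:07.999823, 2] ../source3/smbd/service.c:864(make_connection_snum) 172.16.24.194 (ipv4:172.16.24.194:50845) connect to service sysvol initially as user ALPHA\renate (uid=3000036, gid=100) (pid 7121)
EOF
}

smbd_events() {
    # Reads smbd log text on stdin and prints one line per event of interest:
    #   CONNECT <service> <user> <uid> <gid>
    #   FAIL <logging function> <NT_STATUS code>
    # The "[time, level] file:line(func)" header gives the function name; the
    # message is either the rest of that line or the indented line after it.
    awk '
        function handle(fn, msg,    m, n) {
            if (msg ~ /connect to service .* initially as user /) {
                n = split(msg, m, " ")
                for (i = 1; i <= n; i++) if (m[i] == "service") svc = m[i + 1]
                for (i = 1; i <= n; i++) if (m[i] == "user") usr = m[i + 1]
                uid = msg; sub(/.*\(uid=/, "", uid); sub(/,.*/, "", uid)
                gid = msg; sub(/.*gid=/, "", gid); sub(/\).*/, "", gid)
                print "CONNECT", svc, usr, uid, gid
            } else if (match(msg, /NT_STATUS_[A-Z_]+/)) {
                st = substr(msg, RSTART, RLENGTH)
                if (st != "NT_STATUS_OK") print "FAIL", fn, st
            }
        }
        /^\[/ {
            fn = $0; sub(/^[^(]*\(/, "", fn); sub(/\).*/, "", fn)
            rest = $0; sub(/^[^)]*\) */, "", rest)
            if (rest != "") handle(fn, rest)
            next
        }
        /^ / { msg = $0; sub(/^ +/, "", msg); handle(fn, msg) }
    '
}

sample_sids_bouke() {
    # Constructed from the wbinfo --user-sids output above: own SID first, then groups.
    cat <<'EOF'
S-1-5-21-1489937584-2541206552-3137005897-1135
S-1-5-21-1489937584-2541206552-3137005897-513
S-1-5-21-1489937584-2541206552-3137005897-1124
S-1-5-32-545
EOF
}

sample_sids_renate() {
    cat <<'EOF'
S-1-5-21-1489937584-2541206552-3137005897-1120
S-1-5-21-1489937584-2541206552-3137005897-513
S-1-5-21-1489937584-2541206552-3137005897-1124
S-1-5-32-545
EOF
}

token_group_diff() {
    # $1 and $2 hold `wbinfo --user-sids` output for two users (one SID per
    # line, the user's own SID first, which is skipped). Prints the group SIDs
    # present in only one token: "<" first user only, ">" second user only.
    # Empty output means both tokens carry the same groups, so the next place
    # to look is the ACL on the share and its files, not group membership.
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" | sed 1d | LC_ALL=C sort > "$a"
    printf '%s\n' "$2" | sed 1d | LC_ALL=C sort > "$b"
    LC_ALL=C comm -3 "$a" "$b" | awk -F '\t' '$1 == "" { print ">", $2; next } { print "<", $1 }'
    rm -f "$a" "$b"
}
```

On the constructed sample the event list contains one CONNECT line for ALPHA\renate (mapped to uid 3000036, gid 100) and one FAIL line, NT_STATUS_NETWORK_BUSY from open_file during the oplock break, and the token comparison between bouke and renate is empty, matching what the wbinfo output above shows by eye. Feed a real log with `smbd_events < /usr/local/samba/var/log.smbd` and two `wbinfo --user-sids=...` captures to the comparison.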
From obnox at samba.org Mon Dec 21 07:42:42 2015
From: obnox at samba.org (Michael Adam)
Date: Mon, 21 Dec 2015 08:42:42 +0100
Subject: [Samba] CTDB and glusterfs (solved)
In-Reply-To: <564B662E.20006@kania-online.de>
References: <564B02AD.4080504@kania-online.de> <20151117172248.GC28915@samba.org> <564B662E.20006@kania-online.de>
Message-ID: <20151221074242.GB11467@samba.org>

On 2015-11-17 at 18:38 +0100, Stefan Kania wrote:
> To show what we did here the entry in /etc/fstab:
>
> knoten-01:/gv0 /glusterfs glusterfs defaults,_netdev,acl,selinux 0 0

This is a heads-up that I have meanwhile fixed this in Gluster upstream:

https://bugzilla.redhat.com/show_bug.cgi?id=1283103 (master)
https://bugzilla.redhat.com/show_bug.cgi?id=1283107 (3.7)

So the mount option won't be necessary any more starting from GlusterFS 3.7.7.

Cheers - Michael

> On 17.11.2015 at 18:22, Michael Adam wrote:
> > We just analyzed the situation together, and the solution is that
> > in order to access security.FOOBAR xattrs on the gluster fuse
> > mount, you have to specify the 'selinux' mount option to the
> > glusterfs fuse mount... ...This is necessary even if selinux is
> > disabled.
> >
> > This sounds strange, but it currently is the solution.
> >
> > Note that the recommended way is to use the glusterfs vfs module
> > instead of the fuse mount.
> >
> > Cheers - Michael
> >
> > On 2015-11-17 at 11:34 +0100, Stefan Kania wrote:
> >> Hello,
> >>
> >> I'm trying to setup a CTDB-Cluster together with GLusterFS.
> >> GlusterFS is running great. CTDB can connect to the
> >> gluster-volume. I can store files, using Windows or Linux, and
> >> set new acls on the commandline of the cluster. BUT as soon as I
> >> try to set permissions via windows it fails with "the request is
> >> not supported". I use "vfs objects = acl_xattr". When I create a
> >> second share with "vfs objects = acl_tdb" it works, but I think
> >> storing ACLS in a TDB-file is no option for large systems.
> >>
> >> Here my setup:
> >> Distribution: name it, I tried it. At the moment Debian 8 and Centos 7
> >> Gluster-version: 7.6 from gluster.org
> >> Samba-version: SerNet Samba 4.3.1
> >>
> >> Here my smb.conf out of the registry:
> >> ----------------
> >> [global]
> >> workgroup = example
> >> netbios name = centos-c1
> >> security = ads
> >> realm = EXAMPLE.NET
> >> idmap config *:range = 10000-19999
> >> idmap config example:backend = rid
> >> idmap config example:range = 1000000-1999999
> >> winbind enum users = yes
> >> winbind enum groups = yes
> >> winbind use default domain = yes
> >> winbind refresh tickets = yes
> >> template shell = /bin/bash
> >> wins server = 192.168.56.254
> >>
> >> [daten]
> >> path = /glusterfs/daten
> >> comment = Daten im Cluster
> >> guest ok = no
> >> read only = no
> >> browseable = yes
> >> store dos attributes = yes
> >> map acl inherit = yes
> >> vfs objects = acl_xattr
> >>
> >> [daten2]
> >> path = /glusterfs/daten2
> >> comment = Daten im Cluster
> >> guest ok = no
> >> read only = no
> >> browseable = yes
> >> store dos attributes = yes
> >> map acl inherit = yes
> >> vfs objects = acl_tdb
> >> ----------------
> >>
> >> Any help would be great
> >>
> >> Stefan
> >>
> >>
> >
>
> --
> Stefan Kania
> Landweg 13
> 25693 St. Michaelisdonn
>
>
> Signing every e-mail helps reduce spam. Sign your e-mail.
> Further information at http://www.gnupg.org
>
> My key is on
>
> hkp://subkeys.pgp.net
>
From obnox at samba.org Mon Dec 21 07:56:11 2015
From: obnox at samba.org (Michael Adam)
Date: Mon, 21 Dec 2015 08:56:11 +0100
Subject: [Samba] CTDB and glusterfs
In-Reply-To: <20151117172248.GC28915@samba.org>
References: <564B02AD.4080504@kania-online.de> <20151117172248.GC28915@samba.org>
Message-ID: <20151221075611.GC11467@samba.org>

On 2015-11-17 at 18:22 +0100, Michael Adam wrote:
> We just analyzed the situation together,
> and the solution is that in order to
> access security.FOOBAR xattrs on the gluster
> fuse mount, you have to specify the 'selinux'
> mount option to the glusterfs fuse mount...
> ...This is necessary even if selinux is disabled.
>
> This sounds strange, but it currently is
> the solution.
>
> Note that the recommended way is to use
> the glusterfs vfs module instead of the
> fuse mount.

Note that meanwhile we have uploaded samba packages again at

https://download.gluster.org/pub/gluster/glusterfs/samba/

for CentOS and RHEL flavors. These match the glusterfs community packages under

https://download.gluster.org/pub/gluster/glusterfs/3.7/LATEST/
(currently https://download.gluster.org/pub/gluster/glusterfs/3.7/3.7.6/)

The Samba packages ship a matching glusterfs vfs module, i.e. you don't need to mount the volume you want to share with Samba with fuse any more.

Michael

> Cheers - Michael
>
> On 2015-11-17 at 11:34 +0100, Stefan Kania wrote:
> > Hello,
> >
> > I'm trying to setup a CTDB-Cluster together with GLusterFS. GlusterFS
> > is running great. CTDB can connect to the gluster-volume. I can store
> > files, using Windows or Linux, and set new acls on the commandline of
> > the cluster. BUT as soon as I try to set permissions via windows it
> > fails with "the request is not supported". I use "vfs objects =
> > acl_xattr". When I create a second share with "vfs objects = acl_tdb"
> > it works, but I think storing ACLS in a TDB-file is no option for
> > large systems.
> >
> > Here my setup:
> > Distribution: name it, I tried it. At the moment Debian 8 and Centos 7
> > Gluster-version: 7.6 from gluster.org
> > Samba-version: SerNet Samba 4.3.1
> >
> > Here my smb.conf out of the registry:
> > ----------------
> > [global]
> > workgroup = example
> > netbios name = centos-c1
> > security = ads
> > realm = EXAMPLE.NET
> > idmap config *:range = 10000-19999
> > idmap config example:backend = rid
> > idmap config example:range = 1000000-1999999
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > winbind refresh tickets = yes
> > template shell = /bin/bash
> > wins server = 192.168.56.254
> >
> > [daten]
> > path = /glusterfs/daten
> > comment = Daten im Cluster
> > guest ok = no
> > read only = no
> > browseable = yes
> > store dos attributes = yes
> > map acl inherit = yes
> > vfs objects = acl_xattr
> >
> > [daten2]
> > path = /glusterfs/daten2
> > comment = Daten im Cluster
> > guest ok = no
> > read only = no
> > browseable = yes
> > store dos attributes = yes
> > map acl inherit = yes
> > vfs objects = acl_tdb
> > ----------------
> >
> > Any help would be great
> >
> > Stefan
> >
From kuon at goyman.com Mon Dec 21 16:44:52 2015
From: kuon at goyman.com (Nicolas Goy)
Date: Mon, 21 Dec 2015 17:44:52 +0100
Subject: [Samba] Fruit module configured to use matter still write ._* files
Message-ID:

I have configured samba as follows:

[global]
workgroup = GOYMAN
netbios name = MATRIX
security = user
encrypt passwords = yes
smb passwd file = /var/db/samba4/private/passdb.ntdb
vfs objects = catia fruit streams_xattr
fruit:resource = xattr
fruit:metadata = netatalk
fruit:locking = netatalk
fruit:encoding = private

[projects]
path = /data/projects
write list = kuon, ino
force create mode = 0770
create mask = 0770

I expect "fruit:resource = xattr" to avoid the creation of ._ files, but I still get some. If I add a tag with the OSX finder, the tag gets stored as an extended attribute. But I copied an illustrator file (.ai) and I got a ._ file generated alongside it. The thing is I also got some metadata on the file itself.

kuon at matrix /d/projects ❯❯❯ ls -la
drwxrwxrwx  20 kuon  users       24 Dec 22 00:38 .
drwxr-xr-x   9 root  wheel        9 Dec 19 09:18 ..
-rwxr--r--   1 kuon  users     8196 Dec 22 00:11 .DS_Store
-rwxrwxr--   1 kuon  users      443 Dec 22 00:17 ._layout.ai
-rwxrwxr--   1 kuon  users  1607888 Nov 18 11:39 layout.ai
kuon at matrix /d/projects ❯❯❯ lsextattr user layout.ai
layout.ai       netatalk.Metadata
kuon at matrix /d/projects ❯❯❯ getextattr user netatalk.Metadata layout.ai
layout.ai      b z r�DEVv�INO~�SYN��SV~�PDF ART5�� E� E
kuon at matrix /d/projects ❯❯❯ cat ._layout.ai
Netatalk        Ri 2 //:+�17!Saved As v.17 Created by v.19.1.0//:��2vers Version%
kuon at matrix /d/projects ❯❯❯

I'm using FreeBSD with ZFS, samba is 4.3.1

Thanks

--
Nicolas Goy
Programmer

From jorgito1412 at gmail.com Mon Dec 21 17:53:25 2015
From: jorgito1412 at gmail.com (George)
Date: Mon, 21 Dec 2015 14:53:25 -0300
Subject: [Samba] FSMO commands not working on 4.3.1
In-Reply-To: <566F2D6E.6020300@samba.org>
References: <566D3577.3080600@samba.org> <566F2D6E.6020300@samba.org>
Message-ID:

On Mon, Dec 14, 2015 at 5:58 PM, Rowland penny wrote:
>
> Try this:
>
> ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb
> '(fsmoroleowner=*)' | grep 'dn:' | sed 's|dn: ||'
>
> It should return something like this:
>
> CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com
> CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> CN=Infrastructure,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> CN=Infrastructure,DC=samdom,DC=example,DC=com
> DC=samdom,DC=example,DC=com
> CN=RID Manager$,CN=System,DC=samdom,DC=example,DC=com
>
> How did you provision?
>
>
> Rowland
>
>

Yes, that command returns exactly what you said. This domain was provisioned on some early 4.0.x release and upgraded several times afterwards.
Any other idea? Maybe it is some kind of bug within the Debian packaging.

Best regards.

From jorgito1412 at gmail.com Mon Dec 21 17:54:30 2015
From: jorgito1412 at gmail.com (George)
Date: Mon, 21 Dec 2015 14:54:30 -0300
Subject: [Samba] restarting samba using a cron job on Debian
In-Reply-To:
References: <565C1E5D.2060004@lhanke.de> <565C2F55.4080408@gmail.com> <565C42A0.7040003@lhanke.de> <565C4DFA.9060304@gmail.com> <565CA082.1020606@lhanke.de> <565CA955.2030003@gmail.com>
Message-ID:

I can confirm that this issue seems resolved (at least) on v.4.3.1

Best regards

On Mon, Nov 30, 2015 at 6:05 PM, George wrote:
> The same happens to me on Debian 7 with the included Samba 4.1.17.
>
> Although it relates to Ubuntu, this is the same issue:
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1357471
>
> I can tell you that what triggers this are network connectivity issues
> between the DCs, even if they last a couple of seconds. Once the
> connectivity is restored, the replication stays broken unless Samba is
> restarted.
>
> I have recently compiled 4.3.1 and the related libraries from Experimental
> and will give it a shot soon, we'll see if it behaves in the same way. I'll
> keep you posted.
>
> You can also use this little script as a workaround, run frequently via
> cron (provided by Marco van Zwetselaar). It will check if replication is
> broken and restart the service accordingly.
>
> -----
>
> #!/bin/sh
> #
> # check-samba-ad-dc.sh
> #
> # Stop gap measure to restart the Samba AD DC on WERR_CONNECTION_REFUSED
> # https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1357471
> # https://bugzilla.samba.org/show_bug.cgi?id=11164
>
> TMPFILE="/tmp/$(basename "$0").$$"
>
> if ! samba-tool drs showrepl > "$TMPFILE" ||
>    ! grep -q 'Last attempt .* successful' "$TMPFILE" ||
>    grep -q 'Last attempt .* failed' "$TMPFILE"; then
>     echo "Restarting Samba AD DC at $(date)"
>     service samba-ad-dc restart
> fi
>
> rm -f "$TMPFILE"
>
> -----
>
>
> Best regards.
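As an added example (not part of George's post and not Marco van Zwetselaar's script), the same restart decision the cron script makes, but with the `samba-tool drs showrepl` output parsed per partition and partner so the log can say which link is broken and how long it has been failing; the sample output is constructed to follow showrepl's layout and is not a real capture.

```python
import re

# Constructed sample in the layout of `samba-tool drs showrepl` (not a real
# capture): one healthy inbound link and one failing with the error the
# cron script was written for.
SHOWREPL_SAMPLE = "\n".join([
    "Default-First-Site-Name\\DC1",
    "DSA Options: 0x00000001",
    "",
    "==== INBOUND NEIGHBORS ====",
    "",
    "DC=samdom,DC=example,DC=com",
    "\tDefault-First-Site-Name\\DC2 via RPC",
    "\t\tDSA object GUID: 00000000-0000-0000-0000-000000000002",
    "\t\tLast attempt @ Mon Nov 30 18:05:00 2015 CET was successful",
    "\t\t0 consecutive failure(s).",
    "\t\tLast success @ Mon Nov 30 18:05:00 2015 CET",
    "",
    "CN=Configuration,DC=samdom,DC=example,DC=com",
    "\tDefault-First-Site-Name\\DC2 via RPC",
    "\t\tDSA object GUID: 00000000-0000-0000-0000-000000000002",
    "\t\tLast attempt @ Mon Nov 30 18:05:00 2015 CET failed, result 10061 (WERR_CONNECTION_REFUSED)",
    "\t\t5 consecutive failure(s).",
    "\t\tLast success @ Mon Nov 30 17:00:00 2015 CET",
    "",
    "==== OUTBOUND NEIGHBORS ====",
    "",
    "DC=samdom,DC=example,DC=com",
    "\tDefault-First-Site-Name\\DC2 via RPC",
    "\t\tDSA object GUID: 00000000-0000-0000-0000-000000000002",
    "\t\tLast attempt @ Mon Nov 30 18:05:00 2015 CET was successful",
    "\t\t0 consecutive failure(s).",
    "\t\tLast success @ Mon Nov 30 18:05:00 2015 CET",
    "",
    "==== KCC CONNECTION OBJECTS ====",
])

# The two line shapes the shell script greps for, with the result captured.
ATTEMPT_RE = re.compile(
    r"Last attempt @ (?P<when>.+?) "
    r"(?:(?P<ok>was successful)|failed, result (?P<code>\d+) \((?P<err>\w+)\))")
FAILS_RE = re.compile(r"(\d+) consecutive failure\(s\)")


def parse_showrepl(text):
    """Return one dict per replication link in the INBOUND/OUTBOUND sections.

    Indentation carries the structure: no tab = partition DN, one tab =
    partner DSA, two tabs = details of that link."""
    links, section, partition, link = [], None, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("===="):
            section = raw.strip("= ")
            partition = link = None
            continue
        if section not in ("INBOUND NEIGHBORS", "OUTBOUND NEIGHBORS"):
            continue
        depth = len(raw) - len(raw.lstrip("\t"))
        line = raw.strip()
        if depth == 0:
            partition = line
        elif depth == 1:
            link = {"section": section, "partition": partition, "partner": line,
                    "ok": None, "failures": 0, "error": None}
            links.append(link)
        elif depth == 2 and link is not None:
            m = ATTEMPT_RE.search(line)
            if m:
                link["ok"] = m.group("ok") is not None
                link["error"] = m.group("err")
            m = FAILS_RE.search(line)
            if m:
                link["failures"] = int(m.group(1))
    return links


def needs_restart(text, max_consecutive=0):
    """Same rule as the cron script, on parsed links: restart when no link
    reports success at all (showrepl itself is broken) or when any link has
    failed more than max_consecutive times in a row. Returns (bool, reasons)."""
    links = parse_showrepl(text)
    if not any(l["ok"] for l in links):
        return True, ["no successful replication link reported"]
    bad = [l for l in links if l["ok"] is False and l["failures"] > max_consecutive]
    reasons = [f"{l['section']} {l['partition']} via {l['partner']}: "
               f"{l['error']} ({l['failures']} consecutive)" for l in bad]
    return bool(bad), reasons


if __name__ == "__main__":
    restart, why = needs_restart(SHOWREPL_SAMPLE)
    print("restart" if restart else "healthy", *why, sep="\n")
```

Feeding it the real output (`samba-tool drs showrepl | python3 check.py` with `sys.stdin.read()` in place of the sample) gives the same trigger as the script, plus a reason line worth writing to syslog before restarting.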
> > George > From rpenny at samba.org Mon Dec 21 19:00:31 2015 From: rpenny at samba.org (Rowland penny) Date: Mon, 21 Dec 2015 19:00:31 +0000 Subject: [Samba] FSMO commands not working on 4.3.1 In-Reply-To: References: <566D3577.3080600@samba.org> <566F2D6E.6020300@samba.org> Message-ID: <56784C4F.30102@samba.org> On 21/12/15 17:53, George wrote: > On Mon, Dec 14, 2015 at 5:58 PM, Rowland penny wrote: > >> Try this: >> >> ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb >> '(fsmoroleowner=*)' | grep 'dn:' | sed 's|dn: ||' >> >> It should return something like this: >> >> CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com >> CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com >> CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >> CN=Infrastructure,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >> CN=Infrastructure,DC=samdom,DC=example,DC=com >> DC=samdom,DC=example,DC=com >> CN=RID Manager$,CN=System,DC=samdom,DC=example,DC=com >> >> How did you provision? >> >> >> Rowland >> >> > Yes, that command returns exactly what you said. This domain was > provisioned on some early 4.0.x release and upgraded several times > afterwards. > > Any other idea? Maybe it is some kind of bug within the Debian packaging. > > Best regards. Very strange, can you find fsmo.py on your system (probably somewhere like /usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py) and then send me a copy (send it directly to 'rpenny at samba.org') , can you also send your smb.conf. 
Rowland

From rb at sernet.de Mon Dec 21 19:56:36 2015
From: rb at sernet.de (Ralph Boehme)
Date: Mon, 21 Dec 2015 20:56:36 +0100
Subject: [Samba] Fruit module configured to use matter still write ._* files
In-Reply-To:
References:
Message-ID: <20151221195635.GA29621@sernet.sernet.private>

On Mon, Dec 21, 2015 at 05:44:52PM +0100, Nicolas Goy wrote:
> I have configured samba as follows:
>
> [global]
> workgroup = GOYMAN
> netbios name = MATRIX
> security = user
> encrypt passwords = yes
> smb passwd file = /var/db/samba4/private/passdb.ntdb
> vfs objects = catia fruit streams_xattr
> fruit:resource = xattr
> fruit:metadata = netatalk
> fruit:locking = netatalk
> fruit:encoding = private
>
> [projects]
> path = /data/projects
> write list = kuon, ino
> force create mode = 0770
> create mask = 0770
>
>
> I expect "fruit:resource = xattr" to avoid the creation of ._ files, but I still get some.

cf man vfs_fruit:

> I'm using FreeBSD with ZFS, samba is 4.3.1

"fruit:resource = xattr" only works on Solaris or a Solaris descendant, because it not only requires support for xattrs of arbitrary size, but also that the POSIX file IO API (open, read, write asf) works with xattrs.

-Ralph

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr.
Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

From k.hiroshi at gmail.com Mon Dec 21 23:38:01 2015
From: k.hiroshi at gmail.com (Hiroshi K)
Date: Tue, 22 Dec 2015 08:38:01 +0900
Subject: [Samba] FSMO commands not working on 4.3.1
Message-ID:

> On 21/12/15 17:53, George wrote:
> > On Mon, Dec 14, 2015 at 5:58 PM, Rowland penny wrote:
> >
> >> Try this:
> >>
> >> ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb
> >> '(fsmoroleowner=*)' | grep 'dn:' | sed 's|dn: ||'
> >>
> >> It should return something like this:
> >>
> >> CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> >> CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com
> >> CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> >> CN=Infrastructure,DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> >> CN=Infrastructure,DC=samdom,DC=example,DC=com
> >> DC=samdom,DC=example,DC=com
> >> CN=RID Manager$,CN=System,DC=samdom,DC=example,DC=com
> >>
> >> How did you provision?
> >>
> >>
> >> Rowland
> >>
> >>
> > Yes, that command returns exactly what you said. This domain was
> > provisioned on some early 4.0.x release and upgraded several times
> > afterwards.
> >
> > Any other idea? Maybe it is some kind of bug within the Debian packaging.
> >
> > Best regards.
>
> Very strange, can you find fsmo.py on your system (probably somewhere
> like /usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py) and then
> send me a copy (send it directly to 'rpenny at samba.org') , can you
> also send your smb.conf.
>
> Rowland

I went through the same thing: I upgraded Samba 4.0.x to 4.3.x and got the same (previously quoted) error. (Tested on Debian 7, 8 and CentOS 7 and got the same error.)

I managed to solve the problem, and I'll share the info, hoping it'll solve yours and help future releases to be better.
The error I also got is the same as George's, so I'll quote his (the point is 'No such element'):

>>> ---------
>>> root at dc2 :~# samba-tool fsmo show
>>> ERROR(): uncaught exception - 'No such element'
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 395, in run
>>>     domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
>>>     master_owner = res[0]["fSMORoleOwner"][0]
>>> ---------

The following command returned a record, but without fSMORoleOwner:

$ /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb --cross-ncs --show-binary -b "CN=Infrastructure,DC=ForestDnsZones,DC=test,DC=local" fSMORoleOwner
# record 1
dn: CN=Infrastructure,DC=ForestDnsZones,DC=test,DC=local
(*** without fSMORoleOwner here ***)

It seemed that in my case (upgrading from Samba 4.0.x), there were no ForestDnsZones/DomainDnsZones entries with the right FSMO server name...

And so, I prepared an ldif file & loaded it to edit it:

$ cat ldb.ldif
dn: CN=Infrastructure,DC=DomainDnsZones,dc=test,dc=local
changetype: modify
replace: fSMORoleOwner
fSMORoleOwner: CN=NTDS Settings,CN=SAMBA4-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local

$ /usr/local/samba/bin/ldbmodify -H /usr/local/samba/private/sam.ldb --cross-ncs ./ldb.ldif
Modified 1 records successfully

After that, fsmo works properly (tested with Samba 4.3.3 on Debian 8 and CentOS 7).
$ /usr/local/samba/bin/samba-tool fsmo show
SchemaMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
InfrastructureMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local

I hope it helps!

From garydale at torfree.net Tue Dec 22 05:25:42 2015
From: garydale at torfree.net (Gary Dale)
Date: Tue, 22 Dec 2015 00:25:42 -0500
Subject: [Samba] restoring roaming profiles
Message-ID: <5678DED6.3000203@torfree.net>

I'm running Version 4.1.17-Debian as a DC on a Debian/Jessie AMD64 system.

After rebuilding a domain with slightly different settings, roaming profiles stopped working. https://wiki.samba.org/index.php/Implementing_roaming_profiles contains a suggestion (see Troubleshooting roaming profiles) that gets them working again - deleting the user subkey from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList.

Unfortunately this requires logging onto each client machine, removing the subkey, logging in as the user to recreate the subkey then logging out again. Next I have to log back in as a different (administrative) user so I can change the location of the user's local profile back to what it was (e.g.
if it used to be C:\users\\domainname, the new profile is created at C:\users\\domainname.000) then deleting the new profile location. Not only do I have to do this for every machine but I also have to do it for every account that has a profile on that machine. This is tedious and time consuming. Does anyone have a faster way to do this? From rpenny at samba.org Tue Dec 22 08:06:28 2015 From: rpenny at samba.org (Rowland penny) Date: Tue, 22 Dec 2015 08:06:28 +0000 Subject: [Samba] FSMO commands not working on 4.3.1 In-Reply-To: References: Message-ID: <56790484.3060600@samba.org> On 21/12/15 23:38, Hiroshi K wrote: >> On 21/12/15 17:53, George wrote: >>> On Mon, Dec 14, 2015 at 5:58 PM, Rowland penny > wrote: >>>> Try this: >>>> >>>> ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb >>>> '(fsmoroleowner=*)' | grep 'dn:' | sed 's|dn: ||' >>>> >>>> It should return something like this: >>>> >>>> CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com >>>> CN=Partitions,CN=Configuration,DC=samdom,DC=example,DC=com >>>> CN=Infrastructure,DC=DomainDnsZones,DC=samdom,DC=example,DC=com >>>> CN=Infrastructure,DC=ForestDnsZones,DC=samdom,DC=example,DC=com >>>> CN=Infrastructure,DC=samdom,DC=example,DC=com >>>> DC=samdom,DC=example,DC=com >>>> CN=RID Manager$,CN=System,DC=samdom,DC=example,DC=com >>>> >>>> How did you provision? >>>> >>>> >>>> Rowland >>>> >>>> >>> Yes, that command returns exactly what you said. This domain was >>> provisioned on some early 4.0.x release and upgraded several times >>> afterwards. >>> >>> Any other idea? Maybe it is some kind of bug within the Debian > packaging. >>> Best regards. >> Very strange, can you find fsmo.py on your system (probably somewhere >> like /usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py) and then >> send me a copy (send it directly to 'rpenny at samba.org') , can you >> also send your smb.conf. 
>> >> Rowland > > I go to the same that I upgraded Samba 4.0.x to 4.3.x, > and getting same (previously quoted) error. > (Tested on Debian 7,8 and CentOS 7 and got the same error) > > I managed to solve the problem, and I'll share the info, > hoping it'll solve yours and future releases to be better. > > > The error I also got is the same as George, so I'll quote his > (the point is 'No such element') > >>>> * --------- > *>>>* root at dc2 :~# > samba-tool fsmo show > *>>>* ERROR(): uncaught exception - 'No such > *>>>* element' > *>>>* File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line > *>>>* 175, in _run > *>>>* return self.run(*args, **kwargs) > *>>>* File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", > line 395, > *>>>* in run > *>>>* domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn) > *>>>* File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, > *>>>* in > *>>>* get_fsmo_roleowner > *>>>* master_owner = res[0]["fSMORoleOwner"][0] > *>>> > > * ---------* > > Follwing command returned a record, but without fSMORoleOwner > > > $ /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb > --cross-ncs --show-binary -b > "CN=Infrastructure,DC=ForestDnsZones,DC=test,DC=local" fSMORoleOwner > > # record 1 > dn: CN=Infrastructure,DC=ForestDnsZones,DC=test,DC=local > (*** without fSMORoleOwner here ***) > > > It seemed that the my case (upgrading from Samba 4.0.x), > there was no ForestDns/DomainDnsZone entries with riht FSMO server name... 
> > And so, I prepared ldif file & loaded to edit it > > $ cat ldb.ldif > dn: CN=Infrastructure,DC=DomainDnsZones,dc=test,dc=local > changetype: modify > replace: fSMORoleOwner > fSMORoleOwner: CN=NTDS > Settings,CN=SAMBA4-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local > > $ /usr/local/samba/bin/ldbmodify -H /usr/local/samba/private/sam.ldb > --cross-ncs ./ldb.ldif > Modified 1 records successfully > > > After, fsmo works properly (tested with Samba 4.3.3 on Debian 8 and CentOS 7). > > $ /usr/local/samba/bin/samba-tool fsmo show > SchemaMasterRole owner: CN=NTDS > Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local > InfrastructureMasterRole owner: CN=NTDS > Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local > RidAllocationMasterRole owner: CN=NTDS > Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local > PdcEmulationMasterRole owner: CN=NTDS > Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local > DomainNamingMasterRole owner: CN=NTDS > Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local > DomainDnsZonesMasterRole owner: CN=NTDS > Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local > ForestDnsZonesMasterRole owner: CN=NTDS > Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local > > > I hope it helps! Hi, that is what I expected the OP to say, that he didn't have all 7 fsmo roles, but he claims that he has. I think I need to come up with a script to get the info from sam.ldb and display it in a meaningful way. 
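An added example (not Rowland's or Hiroshi's code, and not samba-tool's own fsmo.py) of the kind of check Rowland says he wants: it parses ldbsearch output for the seven role-holder objects, reports which ones lack fSMORoleOwner (the condition behind the 'No such element' traceback) and emits the ldbmodify LDIF that Hiroshi wrote by hand for the missing ones. The ldbsearch output and the DC=test,DC=local domain are constructed for the example.

```python
# The seven FSMO role-holder objects from Rowland's ldbsearch, keyed by the
# role name `samba-tool fsmo show` prints; {dom} is the domain DN.
ROLE_OBJECTS = {
    "SchemaMasterRole": "CN=Schema,CN=Configuration,{dom}",
    "DomainNamingMasterRole": "CN=Partitions,CN=Configuration,{dom}",
    "DomainDnsZonesMasterRole": "CN=Infrastructure,DC=DomainDnsZones,{dom}",
    "ForestDnsZonesMasterRole": "CN=Infrastructure,DC=ForestDnsZones,{dom}",
    "InfrastructureMasterRole": "CN=Infrastructure,{dom}",
    "PdcEmulationMasterRole": "{dom}",
    "RidAllocationMasterRole": "CN=RID Manager$,CN=System,{dom}",
}

NTDS_DN = ("CN=NTDS Settings,CN=SAMBA4-DC1,CN=Servers,CN=Default-First-Site-Name,"
           "CN=Sites,CN=Configuration,DC=test,DC=local")

# Constructed ldbsearch output (hypothetical DC=test,DC=local domain) in the
# LDIF style ldbsearch prints, including one folded value; records 3 and 4
# lack fSMORoleOwner, as in Hiroshi's upgraded domain.
SAMPLE = """\
# record 1
dn: CN=Schema,CN=Configuration,DC=test,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=SAMBA4-DC1,CN=Servers,CN=Default-First-Site-
 Name,CN=Sites,CN=Configuration,DC=test,DC=local

# record 2
dn: CN=Partitions,CN=Configuration,DC=test,DC=local
fSMORoleOwner: {ntds}

# record 3
dn: CN=Infrastructure,DC=DomainDnsZones,DC=test,DC=local

# record 4
dn: CN=Infrastructure,DC=ForestDnsZones,DC=test,DC=local

# record 5
dn: CN=Infrastructure,DC=test,DC=local
fSMORoleOwner: {ntds}

# record 6
dn: DC=test,DC=local
fSMORoleOwner: {ntds}

# record 7
dn: CN=RID Manager$,CN=System,DC=test,DC=local
fSMORoleOwner: {ntds}

# returned 7 records
""".format(ntds=NTDS_DN)


def _unfold(text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldbsearch(text):
    """Parse ldbsearch output into {dn: {attribute (lowercased): [values]}}.
    Records are separated by blank lines; '# ...' lines are comments."""
    records, current = {}, None
    for line in _unfold(text):
        if not line.strip():
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = value
            records.setdefault(current, {})
        elif current is not None:
            records[current].setdefault(attr, []).append(value)
    return records


def fsmo_status(text, domain_dn):
    """Map each role to its fSMORoleOwner DN, or None when the object is absent
    or carries no fSMORoleOwner (what makes fsmo.py raise 'No such element')."""
    records = {dn.lower(): attrs for dn, attrs in parse_ldbsearch(text).items()}
    status = {}
    for role, template in ROLE_OBJECTS.items():
        attrs = records.get(template.format(dom=domain_dn).lower(), {})
        owners = attrs.get("fsmoroleowner", [])
        status[role] = owners[0] if owners else None
    return status


def repair_ldif(status, domain_dn, ntds_settings_dn):
    """Build ldbmodify input (the shape of Hiroshi's ldb.ldif) that sets
    fSMORoleOwner on every role object that currently lacks it."""
    entries = []
    for role, owner in status.items():
        if owner is None:
            entries.append(f"dn: {ROLE_OBJECTS[role].format(dom=domain_dn)}\n"
                           "changetype: modify\n"
                           "replace: fSMORoleOwner\n"
                           f"fSMORoleOwner: {ntds_settings_dn}\n")
    return "\n".join(entries)


if __name__ == "__main__":
    status = fsmo_status(SAMPLE, "DC=test,DC=local")
    for role, owner in status.items():
        print(f"{role}: {owner or 'MISSING fSMORoleOwner'}")
    print(repair_ldif(status, "DC=test,DC=local", NTDS_DN))
```

Against a live DC the input would come from `ldbsearch --cross-ncs -H sam.ldb -b <dn> fSMORoleOwner` per role object, and the emitted LDIF is reviewed before it goes to `ldbmodify --cross-ncs`.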
Rowland

From egarette at cadoles.com Tue Dec 22 10:10:09 2015
From: egarette at cadoles.com (Emmanuel Garette)
Date: Tue, 22 Dec 2015 11:10:09 +0100
Subject: [Samba] wide links and privileges
Message-ID: <56792181.2020703@cadoles.com>

Hi,

I'm using samba version samba-4.1.6+dfsg included in the last ubuntu LTS version.

Here is my smb.conf file:

[global]
# server configuration
netbios name = scribe
workgroup = dompedago
server string = scribe
preferred master = yes
domain logons = yes
security = user
ldap passwd sync = yes
passdb backend = ldapsam:ldap://127.0.0.1:389
ldap suffix = o=gouv,c=fr
ldap admin dn = cn=admin,o=gouv,c=fr
ldap ssl = no
domain master = yes
os level = 99
admin users = @DomainAdmins
encrypt passwords = yes
unix extensions = no
wide links = yes

[perso]
path = %H/perso
read only = no
valid users = %U
write list = %U

In this share, I have a symlink to a directory outside this share.

I get this error:

check_reduced_name_with_privilege: Bad access attempt: esu is a symlink outside the share path

Option "wide links" is turned to "Yes", so we should be able to access this directory.

If I set "enable privileges" to "No" in the Global section, all works fine.

When I read the source code, I can see that the check_reduced_name function checks the widelinks option but check_reduced_name_with_privilege doesn't.

Is "wide links" inconsistent with privileges? I can't see information about this behaviour.

Regards,

From belle at bazuin.nl Tue Dec 22 10:22:30 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 22 Dec 2015 11:22:30 +0100
Subject: [Samba] wide links and privileges
In-Reply-To: <56792181.2020703@cadoles.com>
References: <56792181.2020703@cadoles.com>
Message-ID:

From: man smb.conf ....

G is a Global setting
S is a share setting.
unix extensions (G)
allow insecure wide links (G)
wide links (S)
follow symlinks (S)

In global add:
allow insecure wide links = yes

on the share add:
wide links = yes
follow symlinks = yes

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Emmanuel Garette
> Sent: Tuesday 22 December 2015 11:10
> To: samba at lists.samba.org
> Subject: [Samba] wide links and privileges
>
> Hi,
>
> I'm using samba version samba-4.1.6+dfsg included in the last ubuntu LTS
> version.
>
> Here is my smb.conf file:
>
> [global]
> # server configuration
> netbios name = scribe
> workgroup = dompedago
> server string = scribe
> preferred master = yes
> domain logons = yes
> security = user
> ldap passwd sync = yes
> passdb backend = ldapsam:ldap://127.0.0.1:389
> ldap suffix = o=gouv,c=fr
> ldap admin dn = cn=admin,o=gouv,c=fr
> ldap ssl = no
> domain master = yes
> os level = 99
> admin users = @DomainAdmins
> encrypt passwords = yes
> unix extensions = no
> wide links = yes
>
> [perso]
> path = %H/perso
> read only = no
> valid users = %U
> write list = %U
>
> In this share, I have a symlink to a directory outside this share.
>
> I get this error:
>
> check_reduced_name_with_privilege: Bad access attempt: esu is a symlink
> outside the share path
>
> Option "wide links" is turned to "Yes", so we should be able to access this
> directory.
>
> If I set "enable privileges" to "No" in the Global section, all works fine.
>
> When I read the source code, I can see that the check_reduced_name function
> checks the widelinks option but check_reduced_name_with_privilege doesn't.
>
> Is "wide links" inconsistent with privileges? I can't see information
> about this behaviour.
>
> Regards,
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

From egarette at cadoles.com Tue Dec 22 10:32:50 2015
From: egarette at cadoles.com (Emmanuel Garette)
Date: Tue, 22 Dec 2015 11:32:50 +0100
Subject: [Samba] wide links and privileges
In-Reply-To:
References: <56792181.2020703@cadoles.com>
Message-ID: <567926D2.3020205@cadoles.com>

On 22/12/2015 11:22, L.P.H. van Belle wrote:
> From: man smb.conf ....
>
> G is a Global setting
> S is a share setting.
>
> unix extensions (G)
> allow insecure wide links (G)
> wide links (S)
> follow symlinks (S)
>
> In global add:
> allow insecure wide links = yes

Not useful (unix extensions is set to "No"). I've tried to set this option; as expected, there is no difference.

>
>
> on the share add:
> wide links = yes
> follow symlinks = yes

Those options have no effect (smbd said those options are already set to "Yes" in this share).

As I said, I only need to turn "enable extensions" to "No".

Regards,

>
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Emmanuel Garette
>> Sent: Tuesday 22 December 2015 11:10
>> To: samba at lists.samba.org
>> Subject: [Samba] wide links and privileges
>>
>> Hi,
>>
>> I'm using samba version samba-4.1.6+dfsg included in the last ubuntu LTS
>> version.
>> >> Here is my smb.conf file: >> >> [global] >> # configuration du serveur >> netbios name = scribe >> workgroup = dompedago >> server string = scribe >> preferred master = yes >> domain logons = yes >> security = user >> ldap passwd sync = yes >> passdb backend = ldapsam:ldap://127.0.0.1:389 >> ldap suffix = o=gouv,c=fr >> ldap admin dn = cn=admin,o=gouv,c=fr >> ldap ssl = no >> domain master = yes >> os level = 99 >> admin users = @DomainAdmins >> encrypt passwords = yes >> unix extensions = no >> wide links = yes >> >> [perso] >> path = %H/perso >> read only = no >> valid users = %U >> write list = %U >> >> In this share, I've a symlink to a directory ouside this share. >> >> I've this error: >> >> check_reduced_name_with_privilege: Bad access attempt: esu is a symlink >> outside the share path >> >> Option "wide links" is turn to "Yes", so we could access to this >> directory. >> >> If I set "enable privileges" to "No" in Global section, all works fine. >> >> When I read source code, I can see that check_reduced_name function >> check widelinks option but not check_reduced_name_with_privilege one's. >> >> Is "wide links" is inconsistent with privileges? I can't see information >> about this behaviour. 
>> >> Regards, >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba > > -- Emmanuel Garette Ingénieur logiciels libres Cadoles (http://www.cadoles.com) Experts EOLE, Gaspacho, logiciels libres From ole.traupe at tu-berlin.de Tue Dec 22 10:44:24 2015 From: ole.traupe at tu-berlin.de (Ole Traupe) Date: Tue, 22 Dec 2015 11:44:24 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <56742E8E.5070303@samba.org> References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de> <56741B45.70500@samba.org> <567425E2.5000504@tu-berlin.de> <56742E8E.5070303@samba.org> Message-ID: <56792988.9090903@tu-berlin.de> >>> >>> Can I suggest that you do what I did, create your own small test >>> domain in VMs using Bind9 >> >> Yes, that is a good idea. However, from what I had read before, much >> of it on the Samba wiki, I was expecting Samba4 to just work with >> multiple DCs. I still wonder why no one ever seems to have tested or >> questioned that (publicly). And I don't feel that I have to question >> something myself that is broadly recommended: use the internal DNS >> unless you really have to do otherwise (even by the developers, it >> seems). In addition, bind9 working with multiple DC's does not >> necessarily mean that internal DNS won't. >> > > I am going to discuss this with Marc and the rest of the team, like > you, I am surprised that nobody has raised this before. 
> I have always used Samba with Bind9, so was unaware of this possible
> problem, it only came to a head for me when you mentioned it. I then
> found I only had one NS record in the SOA and this led to where we are now.

Hi Rowland,

Again: thanks a lot for your support.

Merry Christmas and good holidays to the list!

Ole

>
>> I also would like to state that I am a part-time
>> admin and I can't test something for a year or so (like others)
>> before I go into production. With Samba 4 I was rather happy to find
>> something that won't require so much work (although it feels
>> different now, partially due to me being more or less a newbie to
>> unix-based systems, I guess).
>
> It doesn't need much looking after, once you have got it up and
> running :-)
>
> Rowland

From nico.deranter at esaturnus.com Tue Dec 22 15:43:42 2015
From: nico.deranter at esaturnus.com (Nico De Ranter)
Date: Tue, 22 Dec 2015 16:43:42 +0100
Subject: [Samba] The number of maximum ticket referrals has been exceeded
Message-ID:

Hi,

I have an AD domain based on 2 Ubuntu servers running Samba 4.1.17. I've successfully added a number of windows and linux clients to the domain. I now tried adding an extra Linux print server. When I try to access the server from a Windows client, I am asked to enter a username and password (although I am already logged in to the domain). Whatever username and password I enter, access is always refused. At the bottom I see:

"The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you".

In the event viewer on the windows pc I see:

"The Security System detected an authentication error for the server cifs/print.office.
The failure code from authentication protocol Kerberos was "The number of maximum ticket referrals has been exceeded (0xc00002f4)"

I also see:

"Time provider ntpClient: No valid response has been received from domain controller dc1.win.office after 8 attempts to contact it. This domain controller will be discarded as a time source and ntpClient will attempt to discover a new domain controller from which to synchronize. The error was: peer is unreachable"

The clocks of all Linux servers are in sync.

Any idea what may be wrong?

I'm not running ntp on the AD servers (they are syncing to the vmware server instead). Do I need to run an ntp server on the AD servers (I was told this is not a good idea on a VMware virtual machine)? I assumed Windows uses its own time protocol so any way to ensure the clocks are in sync would be enough.

Nico

--
Nico De Ranter
Operations Engineer
T. +32 16 40 12 82
M. +32 497 91 53 78

From peruchi at pti.org.br Tue Dec 22 17:30:41 2015
From: peruchi at pti.org.br (Lucas Peruchi)
Date: Tue, 22 Dec 2015 15:30:41 -0200 (BRST)
Subject: [Samba] Dead Domain Controller server
Message-ID: <2107573568.31621.1450805441867.JavaMail.zimbra@pti.org.br>

Good afternoon,

I have an environment with 4 Samba 4 servers and yesterday one of them died. I tried removing it but it was not found, then recreated the server with the same name and joined it as a DC; however, it created a new uuid and sync between the servers stopped, so I had to force a sync:

# samba-tool drs replicate samba02 samba01 DC=example,DC=com,DC=br
# samba-tool drs replicate samba03 samba01 DC=example,DC=com,DC=br
# samba-tool drs replicate samba04 samba01 DC=example,DC=com,DC=br

And also performed on the 4 servers:

# samba_dnsupdate --verbose --all-names
# samba-tool dbcheck
Checking 4376 objects
Checked 4376 objects (0 errors)

But still an error occurs:

Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for
ncacn_ip_tcp:192.168.0.195[1024,seal,krb5,target_hostname=092bc931-4e23-416d-bc04-218e3fc8ef62._msdcs.example.com.br,target_principal=E3514235-4B06-11D1-AB04-00C04FC2DCD2/092bc931-4e23-416d-bc04-218e3fc8ef62/example.com.br at example.com.br,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.0.5] NT_STATUS_INVALID_PARAMETER

This error shows every second in the log. Is there a safe way to remove the old domain server? How should I have proceeded to remove a dead Samba4 DC server from the domain?

Samba: 4.3.3
S.O: Centos 7
Bind: 9.9.4-29

Thank you for your help!

Best regards,

Lucas M. Peruchi
Information and Communication Technology
Fundação Parque Tecnológico Itaipu – Brasil
Contact: +55 (45) 3576-7231 / +55 (45) 9151-5497
www.pti.org.br

"The Fundação Parque Tecnológico Itaipu - Brasil clarifies that, under its Statute, this message does not imply the assumption of obligations in its name."

From abartlet at samba.org Tue Dec 22 23:19:58 2015
From: abartlet at samba.org (Andrew Bartlett)
Date: Wed, 23 Dec 2015 12:19:58 +1300
Subject: [Samba] Samba Team encourages supporting the Software Freedom Conservancy
In-Reply-To: <5669D9BB.8010900@samba.org>
References: <5669D9BB.8010900@samba.org>
Message-ID: <1450826398.15623.13.camel@samba.org>

On Thu, 2015-12-10 at 14:59 -0500, Jim McDonough wrote:
> For a number of years now, the Samba Team has been a member of the
> Software Freedom Conservancy.  They handle quite a bit of
> administration
> for our project as well as pursuing GPL compliance.  If you'd like to
> see more about what they do, please check: https://sfconservancy.org/
> about/
>
>
> We urge you to support the Conservancy.  Here is a message from our
> own
> Jeremy Allison:
> https://sfconservancy.org/blog/2015/dec/09/jra-supporter-video/

Just a reminder that the Conservancy's annual supporter campaign continues.
I'm on the PLC representing Samba to the Conservancy, and as the legal home of Samba needs your support, to in turn support Samba and many other worthwhile projects.   Please consider becoming an annual supporter:  http://sfconservancy.org/supporter/ Thanks, Andrew Bartlett -- Andrew Bartlett https://samba.org/~abartlet/ Authentication Developer, Samba Team https://samba.org Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part URL: From garydale at torfree.net Tue Dec 22 23:51:53 2015 From: garydale at torfree.net (Gary Dale) Date: Tue, 22 Dec 2015 18:51:53 -0500 Subject: [Samba] restoring roaming profiles In-Reply-To: <5678DED6.3000203@torfree.net> References: <5678DED6.3000203@torfree.net> Message-ID: <5679E219.4080703@torfree.net> On 22/12/15 12:25 AM, Gary Dale wrote: > I'm running Version 4.1.17-Debian as a DC on a Debian/Jessie AMD64 > system. > > After rebuilding a domain with slightly different settings, roaming > profiles stopped working. > https://wiki.samba.org/index.php/Implementing_roaming_profiles > contains a suggestion (see Troubleshooting roaming profiles) that gets > them working again - deleting the user subkey from > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList. > > Unfortunately this requires logging onto each client machine, removing > the subkey, logging in as the user to recreate the subkey then logging > out again. Next I have to log back in as a different (administrative) > so I can change the location of the user's local profile back to what > it was (e.g. if it used to be C:\users\\domainname, the new > profile is created at C:\users\\domainname.000) then > deleting the new profile location. 
> > Not only do I have to do this for every machine but I also have to do > it for every account that has a profile on that machine. This is > tedious and time consuming. Does anyone have a faster way to do this? > Another problem: I've got one old XP64 box that the fix doesn't work on. If I delete the subkey, I can't log on using that account. From yabkopl at yahoo.com Wed Dec 23 02:26:58 2015 From: yabkopl at yahoo.com (yabko) Date: Tue, 22 Dec 2015 18:26:58 -0800 (PST) Subject: [Samba] samba4 windows 10 pro bitlocker key managment Message-ID: <1450837618849-4696100.post@n4.nabble.com> hi did anyone successfully implemented bitlocker key management in samba4 ad? searching web i can find one hit on this http://kidcartouche.blogspot.com/2013/03/bitlocker-drive-encryption-and-samba4.html i'm on 4.3.3. do i still need to import the bitlocker schema? any info on the subject is appreciated. thanks -- View this message in context: http://samba.2283325.n4.nabble.com/samba4-windows-10-pro-bitlocker-key-managment-tp4696100.html Sent from the Samba - General mailing list archive at Nabble.com. From esiotrot at gmail.com Wed Dec 23 05:24:40 2015 From: esiotrot at gmail.com (Michael Wood) Date: Wed, 23 Dec 2015 07:24:40 +0200 Subject: [Samba] Unable to map a network drive on my PC to a shared directory on my LINUX server. In-Reply-To: References: Message-ID: Removing samba-technical from cc list. Hi Kenneth. It looks like this is a problem with your windows PC. -- Michael Wood On 21 Dec 2015 8:45 PM, "Kenneth Watanabe" wrote: > To samba technical support, > > I am still unable to map a network drive on my PC to my LINUX server using > Samba. Below are the revised steps I have taken to get this to work. > > > I installed samba on my Fedora LINUX server. 
> Below is a copy of my /etc/samba/smb.conf file
>
> [global]
> workgroup = WORKGROUP
> netbios name = SAMBA
> server string = Samba Server Version %v
> map to guest = Bad User
> log file = /var/log/samba/log.%m
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> preferred master = No
> local master = No
> dns proxy = No
> security = User
>
> [share]
> path = /home/shared_data
> valid users = kwatanabe
> read only = No
>
> I typed the following command to ensure the smb.conf file had no errors
>
> root# testparm
>
> The testparm command completed successfully with no errors.
>
> Then I added a samba user via the following command:
>
> root# smbpasswd -a kwatanabe
>
> Then I restarted samba services with the following commands:
>
> root# service smb restart
> root# service nmb restart
>
> Note: I could not start the winbind service since it is only available on NT-servers.
>
> I created a directory in the /home directory
>
> # mkdir /home/shared_data
> # chmod 777 /home/shared_data
>
> From Windows Explorer on my PC, I clicked on the map network drive icon and entered "\\131.216.46.60\shared_data". The following message appeared for several minutes:
>
> Attempting to connect to \\131.216.46.60\shared_data
>
> Then the following error appeared.
>
> Windows cannot access \\131.216.46.60\shared_data
>
> When I click on the "Diagnose" button, the following error appears:
>
> "One or more network protocols are missing on this computer"
>
> Any help would be greatly appreciated.
>
> Ken
>
> --
> Kenneth Watanabe
> University of Nevada

From nagendra.shiv at gmail.com Wed Dec 23 07:27:02 2015
From: nagendra.shiv at gmail.com (nagendra ps)
Date: Wed, 23 Dec 2015 12:57:02 +0530
Subject: [Samba] Samba 4 slower ?
Message-ID:

Hi All,

I have samba 3.6 and samba 4.2 running on 2 different freebsd machines.
Both are virtual machines and have 1GB Ethernet and exact same configurations. Samba is joined to a 2K8 server (security = ADS). Both use a minimal similar smb.conf. Am using smbtorture bench.nbench from another freebsd machine.

Samba 3.6 Throughput is at: 12.6165 MB/sec
Samba 4.2 Throughput is at: 1.5359 MB/sec

4.2 appears almost 10X slower. What could be going wrong for me? Is there an official bench-marking of Samba 3 and Samba 4, which I could refer to?

btw.. netbench seems to be going over SMB1. Is there a benchmarking tool which uses SMB2/SMB3?

Thanks,
Nagendra

From belle at bazuin.nl Wed Dec 23 08:23:53 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 23 Dec 2015 09:23:53 +0100
Subject: [Samba] Dead Domain Controller server
In-Reply-To: <2107573568.31621.1450805441867.JavaMail.zimbra@pti.org.br>
References: <2107573568.31621.1450805441867.JavaMail.zimbra@pti.org.br>
Message-ID:

Hai,

The errors you see are because of installing with the same name. Best thing to do: remove the just-installed DC from the AD and DNS.

In order..
Seize the FSMO roles, put them on another DC.
Wait/resync all DCs.
On the just-installed server, remove it from the domain again.
Change the hostname (you can still use the same IP).
Reboot, and rejoin the domain.
Create a CNAME for the old name to the new name to stay compatible.
Resync the DCs (at least check it).

That should fix it.
Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Lucas Peruchi
> Sent: Tuesday 22 December 2015 18:31
> To: samba at lists.samba.org
> Subject: [Samba] Dead Domain Controller server
>
> Good afternoon,
>
> I have an environment with 4 servers samba 4 and yesterday one of them died, I tried removing it and not found, then recreated the server with the same name and joined him as a DC, however, he created a new uuid and sync entres servers I stopped, I had to force a forced sync:
>
> # samba-tool drs replicate samba02 samba01 DC=example,DC=com,DC=br
> # samba-tool drs replicate samba03 samba01 DC=example,DC=com,DC=br
> # samba-tool drs replicate samba04 samba01 DC=example,DC=com,DC=br
>
> And also performed in the 4 servers:
>
> # samba_dnsupdate --verbose --all-names
> # samba-tool dbcheck
> Checking 4376 objects
> Checked 4376 objects (0 errors)
>
> But still an error occurs:
>
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.0.195[1024,seal,krb5,target_hostname=092bc931-4e23-416d-bc04-218e3fc8ef62._msdcs.example.com.br,target_principal=E3514235-4B06-11D1-AB04-00C04FC2DCD2/092bc931-4e23-416d-bc04-218e3fc8ef62/example.com.br at example.com.br,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.0.5] NT_STATUS_INVALID_PARAMETER
>
> This error is showing every second in the log, have a safe way to remove the old domain server? As I should have proceeded to remove a dead DC Samba4 server domain?
>
> Samba: 4.3.3
> S.O: Centos 7
> Bind: 9.9.4-29
>
> Thank you for your help!
>
> Regards,
>
> Lucas M. Peruchi
> Information and Communication Technology
> Fundação Parque Tecnológico Itaipu - Brasil
> Contact: +55 (45) 3576-7231 / +55 (45) 9151-5497
> www.pti.org.br
>
> "The Fundação Parque Tecnológico Itaipu - Brasil clarifies that, under its Statute, this message does not imply the assumption of obligations on its behalf."
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

From rpenny at samba.org Wed Dec 23 08:27:36 2015
From: rpenny at samba.org (Rowland penny)
Date: Wed, 23 Dec 2015 08:27:36 +0000
Subject: [Samba] restoring roaming profiles
In-Reply-To: <5679E219.4080703@torfree.net>
References: <5678DED6.3000203@torfree.net> <5679E219.4080703@torfree.net>
Message-ID: <567A5AF8.7030803@samba.org>

On 22/12/15 23:51, Gary Dale wrote:
> On 22/12/15 12:25 AM, Gary Dale wrote:
>> I'm running Version 4.1.17-Debian as a DC on a Debian/Jessie AMD64 system.
>>
>> After rebuilding a domain with slightly different settings, roaming profiles stopped working.

I suppose the questions are, why did you rebuild the domain, what settings did you change and did you re-provision.

Rowland

>> https://wiki.samba.org/index.php/Implementing_roaming_profiles contains a suggestion (see Troubleshooting roaming profiles) that gets them working again - deleting the user subkey from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList.
>>
>> Unfortunately this requires logging onto each client machine, removing the subkey, logging in as the user to recreate the subkey then logging out again. Next I have to log back in as a different (administrative) so I can change the location of the user's local profile back to what it was (e.g. if it used to be C:\users\\domainname, the new profile is created at C:\users\\domainname.000) then deleting the new profile location.
>>
>> Not only do I have to do this for every machine but I also have to do it for every account that has a profile on that machine.
>> This is tedious and time consuming. Does anyone have a faster way to do this?
>>
>
> Another problem: I've got one old XP64 box that the fix doesn't work on. If I delete the subkey, I can't log on using that account.
>

From abartlet at samba.org Wed Dec 23 08:43:31 2015
From: abartlet at samba.org (Andrew Bartlett)
Date: Wed, 23 Dec 2015 21:43:31 +1300
Subject: [Samba] Dead Domain Controller server
In-Reply-To: <2107573568.31621.1450805441867.JavaMail.zimbra@pti.org.br>
References: <2107573568.31621.1450805441867.JavaMail.zimbra@pti.org.br>
Message-ID: <1450860211.15594.255.camel@samba.org>

On Tue, 2015-12-22 at 15:30 -0200, Lucas Peruchi wrote:
> Good afternoon,
>
> I have an environment with 4 servers samba 4 and yesterday one of them died, I tried removing it and not found, then recreated the server with the same name and joined him as a DC, however, he created a new uuid and sync entres servers I stopped, I had to force a forced sync:
>
> # samba-tool drs replicate samba02 samba01 DC=example,DC=com,DC=br
> # samba-tool drs replicate samba03 samba01 DC=example,DC=com,DC=br
> # samba-tool drs replicate samba04 samba01 DC=example,DC=com,DC=br
>
> And also performed in the 4 servers:
>
> # samba_dnsupdate --verbose --all-names
> # samba-tool dbcheck
> Checking 4376 objects
> Checked 4376 objects (0 errors)
>
> But still an error occurs:
>
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.0.195[1024,seal,krb5,target_hostname=092bc931-4e23-416d-bc04-218e3fc8ef62._msdcs.example.com.br,target_principal=E3514235-4B06-11D1-AB04-00C04FC2DCD2/092bc931-4e23-416d-bc04-218e3fc8ef62/example.com.br at example.com.br,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.0.5] NT_STATUS_INVALID_PARAMETER
>
> This error is showing every second in the log, have a safe way to remove the old domain server? As I should have proceeded to remove a dead DC Samba4 server domain?
>
> Samba: 4.3.3
> S.O: Centos 7
> Bind: 9.9.4-29

Samba git master (and so 4.4 when we release it) has a new 'samba-tool domain demote --remove-other-dead-server' option designed to clean up exactly this.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

From belle at bazuin.nl Wed Dec 23 09:00:45 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 23 Dec 2015 10:00:45 +0100
Subject: [Samba] Dead Domain Controller server
In-Reply-To: <1450860211.15594.255.camel@samba.org>
References: <2107573568.31621.1450805441867.JavaMail.zimbra@pti.org.br>
Message-ID:

Great !
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Andrew Bartlett
> Sent: Wednesday 23 December 2015 9:44
> To: Lucas Peruchi; samba at lists.samba.org
> Subject: Re: [Samba] Dead Domain Controller server
>
> On Tue, 2015-12-22 at 15:30 -0200, Lucas Peruchi wrote:
> > Good afternoon,
> >
> > I have an environment with 4 servers samba 4 and yesterday one of them died, I tried removing it and not found, then recreated the server with the same name and joined him as a DC, however, he created a new uuid and sync entres servers I stopped, I had to force a forced sync:
> >
> > # samba-tool drs replicate samba02 samba01 DC=example,DC=com,DC=br
> > # samba-tool drs replicate samba03 samba01 DC=example,DC=com,DC=br
> > # samba-tool drs replicate samba04 samba01 DC=example,DC=com,DC=br
> >
> > And also performed in the 4 servers:
> >
> > # samba_dnsupdate --verbose --all-names
> > # samba-tool dbcheck
> > Checking 4376 objects
> > Checked 4376 objects (0 errors)
> >
> > But still an error occurs:
> >
> > Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.0.195[1024,seal,krb5,target_hostname=092bc931-4e23-416d-bc04-218e3fc8ef62._msdcs.example.com.br,target_principal=E3514235-4B06-11D1-AB04-00C04FC2DCD2/092bc931-4e23-416d-bc04-218e3fc8ef62/example.com.br at example.com.br,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.0.5] NT_STATUS_INVALID_PARAMETER
> >
> > This error is showing every second in the log, have a safe way to remove the old domain server? As I should have proceeded to remove a dead DC Samba4 server domain?
> >
> > Samba: 4.3.3
> > S.O: Centos 7
> > Bind: 9.9.4-29
>
> Samba git master (and so 4.4 when we release it) has a new 'samba-tool domain demote --remove-other-dead-server' option designed to clean up exactly this.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>

From rpenny at samba.org Wed Dec 23 09:08:56 2015
From: rpenny at samba.org (Rowland penny)
Date: Wed, 23 Dec 2015 09:08:56 +0000
Subject: [Samba] samba4 windows 10 pro bitlocker key managment
In-Reply-To: <1450837618849-4696100.post@n4.nabble.com>
References: <1450837618849-4696100.post@n4.nabble.com>
Message-ID: <567A64A8.8020501@samba.org>

On 23/12/15 02:26, yabko wrote:
> hi
>
> did anyone successfully implemented bitlocker key management in samba4 ad? searching web i can find one hit on this
>
> http://kidcartouche.blogspot.com/2013/03/bitlocker-drive-encryption-and-samba4.html
>
> i'm on 4.3.3. do i still need to import the bitlocker schema?

Never attempted this, but on the link you provided is this:

If you have installed a domain controller running Windows Server 2008 Beta 2, you must upgrade the schema to sch39 or later, or complete the following procedure.

Samba4 uses schema 47, so this bit is probably not required, all the objectclasses & attributes are in Samba AD.

Rowland

> any info on the subject is appreciated.
>
> thanks
>

From rpenny at samba.org Wed Dec 23 09:11:33 2015
From: rpenny at samba.org (Rowland penny)
Date: Wed, 23 Dec 2015 09:11:33 +0000
Subject: [Samba] Dead Domain Controller server
In-Reply-To:
References: <2107573568.31621.1450805441867.JavaMail.zimbra@pti.org.br>
Message-ID: <567A6545.6080904@samba.org>

On 23/12/15 09:00, L.P.H. van Belle wrote:
> Great !
>
>

Excuse me, but was that 'oh no, my ? is stuck down' :-D

Rowland

From infractory at gmail.com Wed Dec 23 15:51:18 2015
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 23 Dec 2015 16:51:18 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <56792988.9090903@tu-berlin.de>
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de> <56741B45.70500@samba.org> <567425E2.5000504@tu-berlin.de> <56742E8E.5070303@samba.org> <56792988.9090903@tu-berlin.de>
Message-ID:

Hi all,

First I apologize I did not manage to find time to reply earlier.
The initial issue was about how Samba AD reacts when one DC is out and more specifically about what happens when the FSMO owner is unreachable (powered off in Ole's tests).

This issue is solved using a correct AD Sites configuration.

Here I kept 3 DCs in my domain.

Sites:
I set up a second site named "authentication" and I've added in that site 2 DCs, including the FSMO owner.
On that "authentication" site I've added the network on which my clients are.
On "Default-First-Site-Name" I did not configure any network addresses.
All 3 DCs are declared in "Default-First-Site-Name".

All DC up behaviour:
The Windows client, when connecting, asks AD for a DC; AD answers that this client depends on the "authentication" site and the client re-launches DNS requests taking AD Site information into account to retrieve the DC list for that site.
Then the client connects to AD.

To check which AD DC was used to connect: launch "cmd" then in that window type "set". In the "set" result there is a line
LOGONSERVER=
This is the DC used for connection (and later normally).

The test:
I powered off both DCs in the "authentication" site. So only one DC is up and running, the one *outside* of that site.
Login in Windows works.
Using cmd -> set -> LOGONSERVER=

I waited something like one hour then I rebooted my MS Windows client. I can still log in using different accounts (administrator then my own account).
This MS Windows client is still using the only running DC, the one outside of the client's site, this because this DC is in Default-First-Site-Name.

This behaviour is normal. It is Site behaviour. It is AD Sites' purpose.

So configuring AD Sites correctly would solve the issue about failover.

DNS issue:
SOA and NS records are used when DNS servers are talking together but not when a DNS client is asking for records (except for SOA or NS obviously). SOA and NS records are, in my understanding, used when the DNS server receives a request for a zone this server does not know.
In that specific case the DNS server must find a name server for that zone, so our DNS server asks the upper level for an NS in the mentioned zone.

So, if my understanding is correct, the client never uses NS records (not in normal mode). And so there is not much issue that Samba DNS has only one SOA and one NS.

Regarding NS records, I create them manually because it matches our real configuration (each DC is DNS, each DNS has an NS record).

The point to make Samba AD work with internal DNS is to work around the issue of samba_dnsupdate. At least it is all I have to do on all domains I tested, even with the 4.3.3.

samba_dnsupdate could work with some option in smb.conf to grant unsecure update of DNS zones.
If you don't want to allow unsecure update, use the awk script I provided in that thread days (or weeks) ago.

I use Samba AD with Internal DNS with no issue except for samba_dnsupdate, which is not able to create internal records. To solve that issue I provided here an awk script which extracts from samba_dnsupdate the needed information to force record creation using samba-tool. This awk script is not dangerous: you can run it as much as you want, it just tries to create entries. If an entry exists, an error is displayed:
ERROR: Record already exists

If you are afraid of that script you can modify its behaviour replacing:
cmd = "samba-tool dns add "
with
cmd = "echo samba-tool dns add "

Then the script will do nothing except display what command could be run to force DNS record creation.

With all needed DNS records and well configured AD Sites, failover works. Nicely.

A last note: 3 DCs means 3 DNS servers. You want your DC to be able to be down, so your clients MUST have all DCs declared as "nameserver" in /etc/resolv.conf.

Another strategy is to build one Bind server with one zone configured with the exact same name as the AD domain; this zone will do forward only and will forward to all DCs.
Doing that, your clients can have only one DNS configured: the one with Bind forwarding to the DCs.
This bind zone config:
------------------
zone "samba.domain.tld" IN {
    type forward;
    forward only;
    forwarders {
        IP_DC1;
        IP_DC2;
        IP_DC3;
    };
};
-------------------

I hope you will finally be able to have failover working Ole.

2015-12-22 11:44 GMT+01:00 Ole Traupe :
>
>>>> Can I suggest that you do what I did, create your own small test domain in VMs using Bind9
>>>>
>>>
>>> Yes, that is a good idea. However, from what I had read before, much of it on the Samba wiki, I was expecting Samba4 to just work with multiple DCs. I still wonder why no one ever seems to have tested or questioned that (publicly). And I don't feel that I have to question something myself that is broadly recommended: use the internal DNS unless you really have to do otherwise (even by the developers, it seems). In addition, bind9 working with multiple DC's does not necessarily mean that internal DNS won't.
>>>
>>>
>> I am going to discuss this with Marc and the rest of the team, like you, I am surprised that nobody has raised this before. I have always used Samba with Bind9, so was unaware of this possible problem, it only came to head for me when you mentioned it. I then found I only had one NS record in the SOA and this lead to where we are now.
>>
>
> Hi Rowland,
>
> Again: thanks a lot for your support.
>
> Merry Christmas and good holidays to the list!
>
> Ole
>
>
>>> I also feel the need to would like to state that I am a part-time admin and I can't test something for a year or so (like others) before I go into production. With Samba 4 I was rather happy to find something that won't require so much work (although it feels differently now, partially due to me being more or less a newbie to unix-based systems, I guess).
>>>
>>
>> It doesn't need much looking after, once you have got it up and running :-)
>>
>> Rowland
>>
>

From infractory at gmail.com Wed Dec 23 15:59:49 2015
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 23 Dec 2015 16:59:49 +0100
Subject: [Samba] Dead Domain Controller server
In-Reply-To: <567A6545.6080904@samba.org>
References: <2107573568.31621.1450805441867.JavaMail.zimbra@pti.org.br> <567A6545.6080904@samba.org>
Message-ID:

Hi all,

This issue reminds me of that:
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins#Resolve_the_objectGUID_CNAME_record_of_the_new_joined_Domain_Controller

Of course I could be wrong but this error reminds me of a missing CNAME as described in the link.

And about re-adding a DC with the same name, this should not be an issue: samba-tool domain join checks and removes old entries before adding the new DC (which is a process which looks very like the new patch from Andrew to demote a dead DC, anyway: thanks again Andrew :)

I tried re-adding a DC several times without any issue. Using the same system or using a brand new system with the same name and IP.

Cheers and happy Christmas,

mathias

2015-12-23 10:11 GMT+01:00 Rowland penny :
> On 23/12/15 09:00, L.P.H. van Belle wrote:
>
>> Great !
>>
>>
>>
> Excuse me, but was that 'oh no, my ? is stuck down' :-D
>
> Rowland
>

From infractory at gmail.com Wed Dec 23 17:14:23 2015
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 23 Dec 2015 18:14:23 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To:
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de> <56741B45.70500@samba.org> <567425E2.5000504@tu-berlin.de> <56742E8E.5070303@samba.org> <56792988.9090903@tu-berlin.de>
Message-ID:

Once both DCs were rebooted, after the MS Windows was also rebooted (here I could have just waited, I think), this MS Windows client is connecting to a DC from its AD Site again.

2015-12-23 16:51 GMT+01:00 mathias dufresne :
> Hi all,
>
> First I apologize I did not manage to find time to reply earlier.
>
> The initial issue was about how Samba AD reacts when one DC is out and more specifically about what happens when the FSMO owner is unreachable (powered off in Ole's tests).
>
> This issue is solved using a correct AD Sites configuration.
>
> Here I kept 3 DCs in my domain.
> Sites:
> I set up a second site named "authentication" and I've added in that site 2 DCs, including the FSMO owner.
> On that "authentication" site I've added the network on which my clients are.
> On "Default-First-Site-Name" I did not configure any network addresses.
> All 3 DCs are declared in "Default-First-Site-Name".
>
> All DC up behaviour:
> The Windows client, when connecting, asks AD for a DC; AD answers that this client depends on the "authentication" site and the client re-launches DNS requests taking AD Site information into account to retrieve the DC list for that site.
> Then the client connects to AD.
>
> To check which AD DC was used to connect: launch "cmd" then in that window type "set". In the "set" result there is a line
> LOGONSERVER=
> This is the DC used for connection (and later normally).
>
> The test:
> I powered off both DCs in the "authentication" site. So only one DC is up and running, the one *outside* of that site.
> Login in Windows works.
> Using cmd -> set -> LOGONSERVER=
>
> I waited something like one hour then I rebooted my MS Windows client. I can still log in using different accounts (administrator then my own account).
> This MS Windows client is still using the only running DC, the one outside of the client's site, this because this DC is in Default-First-Site-Name.
>
> This behaviour is normal. It is Site behaviour. It is AD Sites' purpose.
>
> So configuring AD Sites correctly would solve the issue about failover.
>
>
> DNS issue:
> SOA and NS records are used when DNS servers are talking together but not when a DNS client is asking for records (except for SOA or NS obviously).
> SOA and NS records are, in my understanding, used when the DNS server receives a request for a zone this server does not know. In that specific case the DNS server must find a name server for that zone, so our DNS server asks the upper level for an NS in the mentioned zone.
>
> So, if my understanding is correct, the client never uses NS records (not in normal mode). And so there is not much issue that Samba DNS has only one SOA and one NS.
>
> Regarding NS records, I create them manually because it matches our real configuration (each DC is DNS, each DNS has an NS record).
>
> The point to make Samba AD work with internal DNS is to work around the issue of samba_dnsupdate. At least it is all I have to do on all domains I tested, even with the 4.3.3.
>
> samba_dnsupdate could work with some option in smb.conf to grant unsecure update of DNS zones.
> If you don't want to allow unsecure update, use the awk script I provided in that thread days (or weeks) ago.
>
> I use Samba AD with Internal DNS with no issue except for samba_dnsupdate, which is not able to create internal records. To solve that issue I provided here an awk script which extracts from samba_dnsupdate the needed information to force record creation using samba-tool. This awk script is not dangerous: you can run it as much as you want, it just tries to create entries. If an entry exists, an error is displayed:
> ERROR: Record already exists
>
> If you are afraid of that script you can modify its behaviour replacing:
> cmd = "samba-tool dns add "
> with
> cmd = "echo samba-tool dns add "
>
> Then the script will do nothing except display what command could be run to force DNS record creation.
>
> With all needed DNS records and well configured AD Sites, failover works. Nicely.
>
> A last note: 3 DCs means 3 DNS servers. You want your DC to be able to be down, so your clients MUST have all DCs declared as "nameserver" in /etc/resolv.conf.
>
> Another strategy is to build one Bind server with one zone configured with the exact same name as the AD domain; this zone will do forward only and will forward to all DCs.
> Doing that, your clients can have only one DNS configured: the one with Bind forwarding to the DCs.
> This bind zone config:
> ------------------
> zone "samba.domain.tld" IN {
>     type forward;
>     forward only;
>     forwarders {
>         IP_DC1;
>         IP_DC2;
>         IP_DC3;
>     };
> };
> -------------------
>
> I hope you will finally be able to have failover working Ole.
>
>
>
>
> 2015-12-22 11:44 GMT+01:00 Ole Traupe :
>
>>
>>
>>>>> Can I suggest that you do what I did, create your own small test domain in VMs using Bind9
>>>>>
>>>>
>>>> Yes, that is a good idea. However, from what I had read before, much of it on the Samba wiki, I was expecting Samba4 to just work with multiple DCs. I still wonder why no one ever seems to have tested or questioned that (publicly). And I don't feel that I have to question something myself that is broadly recommended: use the internal DNS unless you really have to do otherwise (even by the developers, it seems). In addition, bind9 working with multiple DC's does not necessarily mean that internal DNS won't.
>>>>
>>>>
>>> I am going to discuss this with Marc and the rest of the team, like you, I am surprised that nobody has raised this before. I have always used Samba with Bind9, so was unaware of this possible problem, it only came to head for me when you mentioned it. I then found I only had one NS record in the SOA and this lead to where we are now.
>>>
>>
>> Hi Rowland,
>>
>> Again: thanks a lot for your support.
>>
>> Merry Christmas and good holidays to the list!
>>
>> Ole
>>
>>
>>
>>>> I also feel the need to would like to state that I am a part-time admin and I can't test something for a year or so (like others) before I go into production.
With Samba 4 I was rather happy to find something that won't >>>> require so much work (although it feels different now, partially due to >>>> me being more or less a newbie to unix-based systems, I guess). >>>> >>> >>> It doesn't need much looking after, once you have got it up and running >>> :-) >>> >>> Rowland >>> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > > From garydale at torfree.net Wed Dec 23 17:17:46 2015 From: garydale at torfree.net (Gary Dale) Date: Wed, 23 Dec 2015 12:17:46 -0500 Subject: [Samba] restoring roaming profiles In-Reply-To: <5679E219.4080703@torfree.net> References: <5678DED6.3000203@torfree.net> <5679E219.4080703@torfree.net> Message-ID: <567AD73A.9070800@torfree.net> On 22/12/15 06:51 PM, Gary Dale wrote: > On 22/12/15 12:25 AM, Gary Dale wrote: >> I'm running Version 4.1.17-Debian as a DC on a Debian/Jessie AMD64 >> system. >> >> After rebuilding a domain with slightly different settings, roaming >> profiles stopped working. >> https://wiki.samba.org/index.php/Implementing_roaming_profiles >> contains a suggestion (see Troubleshooting roaming profiles) that >> gets them working again - deleting the user subkey from >> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList. >> >> Unfortunately this requires logging onto each client machine, >> removing the subkey, logging in as the user to recreate the subkey, >> then logging out again. Next I have to log back in as a different >> (administrative) user so I can change the location of the user's local >> profile back to what it was (e.g. if it used to be >> C:\users\\domainname, the new profile is created at >> C:\users\\domainname.000) then delete the new profile >> location. >> >> Not only do I have to do this for every machine but I also have to do >> it for every account that has a profile on that machine. This is >> tedious and time consuming. 
Does anyone have a faster way to do this? >> > > Another problem: I've got one old XP64 box that the fix doesn't work > on. If I delete the subkey, I can't log on using that account. > > Never mind. This issue is actually that you need to reboot after deleting the subkey. Simply logging off doesn't do it. From garydale at torfree.net Wed Dec 23 17:23:06 2015 From: garydale at torfree.net (Gary Dale) Date: Wed, 23 Dec 2015 12:23:06 -0500 Subject: [Samba] restoring roaming profiles In-Reply-To: <567A5AF8.7030803@samba.org> References: <5678DED6.3000203@torfree.net> <5679E219.4080703@torfree.net> <567A5AF8.7030803@samba.org> Message-ID: <567AD87A.6030905@torfree.net> On 23/12/15 03:27 AM, Rowland penny wrote: > On 22/12/15 23:51, Gary Dale wrote: >> On 22/12/15 12:25 AM, Gary Dale wrote: >>> I'm running Version 4.1.17-Debian as a DC on a Debian/Jessie AMD64 >>> system. >>> >>> After rebuilding a domain with slightly different settings, roaming >>> profiles stopped working. > > I suppose the questions are, why did you rebuild the domain, what > settings did you change and did you re-provision. > > Rowland The original setting for domain name was creating problems with ACLs. I changed the domain name to the form .. and that fixed it. The current issue is just with getting roaming profiles to work without having to do so much work. The wiki's procedure does work but it's time consuming. 
From infractory at gmail.com Wed Dec 23 17:39:06 2015 From: infractory at gmail.com (mathias dufresne) Date: Wed, 23 Dec 2015 18:39:06 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de> <56741B45.70500@samba.org> <567425E2.5000504@tu-berlin.de> <56742E8E.5070303@samba.org> <56792988.9090903@tu-berlin.de> Message-ID: And for Ole, the OP, to solve his own failover issue: As there are 2 physical sites and only 2 DCs. Let's say Site1 is 10.1.0.0/16 Site2 is 10.2.0.0/16 I would create 2 additional AD Sites: Site1 + Site2 To AD site "Site1" I would associate 10.1.0.0/16 and also associate DC1 To AD site "Site2" I would associate 10.2.0.0/16 and also associate DC2 To Default-First-Site-Name no network is associated but both DCs must be in that site too. A client from 10.2.0.0/16 will be asked to launch a DNS query to look for a DC in "Site2" and as long as DC2 is UP this client should use DC2. DC2 is out. This means no DC is available for the client's AD site, so the client falls back to default behaviour which is finding a DC in Default-First-Site-Name where the DCs are declared ==> this client would be able to use DC1 to authenticate. Cheers mathias 2015-12-23 18:14 GMT+01:00 mathias dufresne : > Once both DCs were rebooted, after the MS Windows client was also rebooted (here I > could have just waited I think) this MS Windows client is connecting to a DC > from its AD Site again. > > 2015-12-23 16:51 GMT+01:00 mathias dufresne : > >> Hi all, >> >> First I apologize I did not manage to find time to reply earlier. 
>> >> The initial issue was about how Samba AD reacts when one DC is out and >> more specifically about what happens when the FSMO owner is unreachable (powered off >> in Ole's tests). >> >> This issue is solved using a correct AD Sites configuration. >> >> Here I kept 3 DCs in my domain. >> Sites: >> I set up a second site named "authentication" and I've added to that site >> 2 DCs, including the FSMO owner. >> On that "authentication" site I've added the network on which my clients >> are. >> On "Default-First-Site-Name" I did not configure any network addresses. >> All 3 DCs are declared in "Default-First-Site-Name". >> >> All DCs up behaviour: >> The Windows client when connecting asks AD for a DC, AD answers this >> client that it belongs to the "authentication" site and this client re-launches DNS >> requests taking into account the AD Site information to retrieve the DC list for that >> site. >> Then the client connects to AD. >> >> To check which AD DC was used to connect: launch "cmd" then in that >> window type "set". In the "set" result there is a line >> LOGONSERVER= >> This is the DC used for connection (and later, normally). >> >> The test: >> I powered off both DCs in the "authentication" site. So only one DC is up and >> running, the one *outside* of that site. >> Login in Windows works. >> Using cmd -> set -> LOGONSERVER= >> >> I waited something like one hour then I rebooted my MS Windows client. I >> can still log in using different accounts (administrator then my own >> account). >> This MS Windows client is still using the only running DC, the one >> outside of the client's site, because this DC is in >> Default-First-Site-Name. >> >> This behaviour is normal. It is Site behaviour. It is the purpose of AD Sites. >> >> So configuring AD Sites correctly would solve the issue about failover. >> >> >> DNS issue: >> SOA and NS records are used when DNS servers are talking together but >> not when a DNS client is asking for records (except for SOA or NS >> obviously). 
>> SOA and NS records are, in my understanding, used when the DNS server >> receives a request for a zone this server does not know. In that specific >> case the DNS server must find a name server for that zone, so our DNS >> server asks the upper level for an NS in the mentioned zone. >> >> So, if my understanding is correct, the client never uses NS records (not in >> normal mode). And so there is not much issue that Samba DNS has only one SOA >> and one NS. >> >> Regarding NS records, I create them manually because it matches our real >> configuration (each DC is a DNS server, each DNS server has an NS record). >> >> The point to make Samba AD work with internal DNS is to work around the >> issue of samba_dnsupdate. At least it is all I have to do on all domains I >> tested, even with 4.3.3. >> >> samba_dnsupdate could work with some option in smb.conf to grant insecure >> updates of DNS zones. >> If you don't want to allow insecure updates, use the awk script I provided >> in that thread days (or weeks) ago. >> >> I use Samba AD with internal DNS with no issue except for samba_dnsupdate >> which is not able to create internal records. To solve that issue I provided >> here an awk script which extracts from samba_dnsupdate the needed information to >> force record creation using samba-tool. This awk script is not dangerous: >> you can run it as much as you want, it just tries to create entries. If an entry >> exists, an error is displayed: >> ERROR: Record already exists >> >> If you are afraid of that script you can modify its behaviour replacing: >> cmd = "samba-tool dns add " >> with >> cmd = "echo samba-tool dns add " >> >> Then the script will do nothing except display what command could be run >> to force DNS record creation. >> >> With all needed DNS records and well configured AD Sites, failover >> works. Nicely. >> >> A last note: 3 DCs means 3 DNS servers. You want to be able to have a DC down, so >> your clients MUST have all DCs declared as "nameserver" in /etc/resolv.conf. 
>> >> Another strategy is to build one Bind server with one zone configured >> with the exact same name as the AD domain; this zone will do forward only and >> will forward to all DCs. >> Doing that your clients can have only one DNS configured: the one with >> Bind forwarding to DCs. >> This bind zone config: >> ------------------ >> zone "samba.domain.tld" IN { >> type forward; >> forward only; >> forwarders { >> IP_DC1; >> IP_DC2; >> IP_DC3; >> }; >> }; >> ------------------- >> >> I hope you will finally be able to have failover working, Ole. >> >> >> >> >> 2015-12-22 11:44 GMT+01:00 Ole Traupe : >> >>> >>> >>>>>> Can I suggest that you do what I did, create your own small test >>>>>> domain in VMs using Bind9 >>>>>> >>>>> >>>>> Yes, that is a good idea. However, from what I had read before, much >>>>> of it on the Samba wiki, I was expecting Samba4 to just work with multiple >>>>> DCs. I still wonder why no one ever seems to have tested or questioned that >>>>> (publicly). And I don't feel that I have to question something myself that >>>>> is broadly recommended: use the internal DNS unless you really have to do >>>>> otherwise (even by the developers, it seems). In addition, bind9 working >>>>> with multiple DCs does not necessarily mean that internal DNS won't. >>>>> >>>>> >>>> I am going to discuss this with Marc and the rest of the team, like >>>> you, I am surprised that nobody has raised this before. I have always used >>>> Samba with Bind9, so was unaware of this possible problem, it only came to >>>> a head when you mentioned it. I then found I only had one NS record >>>> in the SOA and this led to where we are now. >>>> >>> >>> Hi Rowland, >>> >>> Again: thanks a lot for your support. >>> >>> Merry Christmas and good holidays to the list! >>> >>> Ole >>> >>> >>> >>>> I also feel the need to state that I am a part-time admin >>>>> and I can't test something for a year or so (like others) before I go into >>>>> production. 
With Samba 4 I was rather happy to find something that won't >>>>> require so much work (although it feels different now, partially due to >>>>> me being more or less a newbie to unix-based systems, I guess). >>>>> >>>> >>>> It doesn't need much looking after, once you have got it up and running >>>> :-) >>>> >>>> Rowland >>>> >>> >>> >> >> > From lingpanda101 at gmail.com Wed Dec 23 18:05:49 2015 From: lingpanda101 at gmail.com (James) Date: Wed, 23 Dec 2015 13:05:49 -0500 Subject: [Samba] Audit object creation Message-ID: <567AE27D.4060109@gmail.com> Hello, Is it possible to audit objects created by a user? Specifically user and computer objects. Thanks. -- -James From yabkopl at yahoo.com Wed Dec 23 17:49:21 2015 From: yabkopl at yahoo.com (yabko) Date: Wed, 23 Dec 2015 09:49:21 -0800 (PST) Subject: [Samba] samba4 windows 10 pro bitlocker key managment In-Reply-To: <567A64A8.8020501@samba.org> References: <1450837618849-4696100.post@n4.nabble.com> <567A64A8.8020501@samba.org> Message-ID: <1450892961183-4696131.post@n4.nabble.com> thanks Rowland penny-7. I enabled the feature and the BitLocker tab shows up on the computer account. Next is testing the actual key storing. I'll report back with my findings. Thanks -- View this message in context: http://samba.2283325.n4.nabble.com/samba4-windows-10-pro-bitlocker-key-managment-tp4696100p4696131.html Sent from the Samba - General mailing list archive at Nabble.com. 
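The DC-locator walk that mathias describes in his messages above (query the SRV record for the client's own AD site first, fall back to the domain-wide record when no DC from that site answers), as an added example in Python. This is not code from the thread or from Samba. The SRV names are the standard _msdcs locator names that Windows clients and Samba's samba_dnsupdate use; samba.domain.tld, the record table and the set of "reachable" DCs are constructed stand-ins for real DNS answers and LDAP pings. Because every DC registers itself in the domain-wide record, the fallback finds DC1 even when the site-specific lookup for Site2 comes back empty.

```python
"""DC locator fallback simulation (added example, not code from the thread)."""
from dataclasses import dataclass
import random

DOMAIN = "samba.domain.tld"  # placeholder domain, as in the thread's Bind example


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_queries(site, domain=DOMAIN, service="_ldap"):
    """SRV names a client tries, in order: site-specific first, then domain-wide."""
    names = []
    if site:
        names.append(f"{service}._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"{service}._tcp.dc._msdcs.{domain}")
    return names


def srv_order(records, rng):
    """Order SRV answers per RFC 2782: lowest priority first, weighted random within."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.uniform(0, total) if total else 0
            chosen = pool[-1]
            for r in pool:
                pick -= r.weight
                if pick <= 0:
                    chosen = r
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


# Constructed zone content: DC1 sits in Site1, DC2 in Site2, and both appear in
# the domain-wide record (every DC registers there regardless of its site).
SRV_RECORDS = {
    f"_ldap._tcp.Site1._sites.dc._msdcs.{DOMAIN}": [Srv(0, 100, 389, f"dc1.{DOMAIN}")],
    f"_ldap._tcp.Site2._sites.dc._msdcs.{DOMAIN}": [Srv(0, 100, 389, f"dc2.{DOMAIN}")],
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        Srv(0, 100, 389, f"dc1.{DOMAIN}"),
        Srv(0, 100, 389, f"dc2.{DOMAIN}"),
    ],
}


def locate_dc(site, reachable, records=SRV_RECORDS, domain=DOMAIN, seed=0):
    """Return (dc, srv_name_used) for the first DC that answers, or (None, None).

    `reachable` is the set of DC names that would answer an LDAP ping; it is the
    stand-in for DC2 being powered off in the thread's test.
    """
    rng = random.Random(seed)  # deterministic so the walk-through is reproducible
    for name in dc_locator_queries(site, domain):
        for rec in srv_order(records.get(name, []), rng):
            if rec.target in reachable:
                return rec.target, name
    return None, None


if __name__ == "__main__":
    both_up = {f"dc1.{DOMAIN}", f"dc2.{DOMAIN}"}
    print(locate_dc("Site2", both_up))                      # dc2 via the Site2 record
    print(locate_dc("Site2", both_up - {f"dc2.{DOMAIN}"}))  # dc1 via the domain-wide record
    print(locate_dc("Site2", set()))                        # nothing answers: (None, None)
```

In a real client the `reachable` check is the LDAP ping, and the site name comes from the DC's answer to the first query, which is the re-query step mathias describes. The simulation also shows the failure mode the thread's samba_dnsupdate discussion is about: a DC missing from the domain-wide `_ldap._tcp.dc._msdcs` record is invisible to every client whose site-specific lookup fails, so checking that record on every DC is the first thing to do when failover does not work.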
From lingpanda101 at gmail.com Wed Dec 23 18:46:15 2015 From: lingpanda101 at gmail.com (James) Date: Wed, 23 Dec 2015 13:46:15 -0500 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de> <56741B45.70500@samba.org> <567425E2.5000504@tu-berlin.de> <56742E8E.5070303@samba.org> <56792988.9090903@tu-berlin.de> Message-ID: <567AEBF7.5090404@gmail.com> On 12/23/2015 12:39 PM, mathias dufresne wrote: > And for Ole, the OP, to solve his own failover issue: > As there are 2 physical sites and only 2 DCs. > Let's say > Site1 is 10.1.0.0/16 > Site2 is 10.2.0.0/16 > I would create 2 additional AD Sites: Site1 + Site2 > To AD site "Site1" I would associate 10.1.0.0/16 and also associate DC1 > To AD site "Site2" I would associate 10.2.0.0/16 and also associate DC2 > To Default-First-Site-Name no network is associated but both DCs must be in > that site too. > > A client from 10.2.0.0/16 will be asked to launch a DNS query to look for a DC in > "Site2" and as long as DC2 is UP this client should use DC2. > DC2 is out. This means no DC is available for the client's AD site, so the > client falls back to default behaviour which is finding a DC > in Default-First-Site-Name where the DCs are declared ==> this client would > be able to use DC1 to authenticate. > > Cheers > > mathias > > [...] Mathias, I discovered similar issues after testing for Ole. I have sites and services configured as well. It took over an hour for issues to arise after shutting down my DC that held all my FSMO roles and the SOA record. I decided to do a quick packet capture just now. I shut down my DC that holds all the roles and the SOA record. I logged into the workstation and reviewed the trace. I can see the workstation attempt to locate the SRV records needed from the first DC. It failed so it then asked my 2nd DC in my site. It resolved the SRV records and it allowed me to log in. This process never asks for the SOA. Can I rule out that it plays any part? It seems failover works as expected. I decided to shut down my 2nd DC in my site as a test. Logged in as another user (it allowed me) and reviewed the trace. I can see where the workstation attempts to ask both DCs in the site for the SRV records. Of course it fails but I see no trace of authentication happening. Why did it allow me to log in? I look at the Windows event viewer and review the auth log. I find this. 
Logon Type: 11
New Logon:
Security ID: DOMAIN\duser
Account Name: duser
Account Domain: DOMAIN
Logon ID: 0x7b11e9
Logon GUID: {00000000-0000-0000-0000-000000000000}

I decided to research logon type 11. I find this. *Logon Type 11 – CachedInteractive* Windows supports a feature called Cached Logons which facilitates mobile users. When you are not connected to your organization's network and attempt to log on to your laptop with a domain account there's no domain controller available to the laptop with which to verify your identity. To solve this problem, Windows caches a hash of the credentials of the last 10 interactive domain logons. Later when no domain controller is available, Windows uses these hashes to verify your identity when you attempt to log on with a domain account. I assume this is a Windows-only feature and not a Linux feature? This was on a wired workstation and not a mobile device. The issues with authentication only arose from mobile devices and only after approximately an hour of the "primary" DC being down. -- -James From debian at lhanke.de Wed Dec 23 19:04:06 2015 From: debian at lhanke.de (Lars Hanke) Date: Wed, 23 Dec 2015 20:04:06 +0100 Subject: [Samba] restarting samba using a cron job on Debian In-Reply-To: <565CA955.2030003@gmail.com> References: <565C1E5D.2060004@lhanke.de> <565C2F55.4080408@gmail.com> <565C42A0.7040003@lhanke.de> <565C4DFA.9060304@gmail.com> <565CA082.1020606@lhanke.de> <565CA955.2030003@gmail.com> Message-ID: <567AF026.5050606@lhanke.de> Hi Rowland, >> > Why bother with all the above, just use samba-ad-dc instead. >> Yes, I streamlined the script somewhat. Let's see what happens when >> replication fails next time. >> > You are going to have to supply more info, is there anything in the >> logs >> > when replication fails? Didn't yet raise the log level to 10, but will do now. However, the new script did an automatic restart, which apparently worked fine, but actually did wreak obscure havoc. 
Today I got reports that write access to the file servers was erratic and slow. Checking that secondary DC I found:

# samba-tool drs showrepl
Failed to connect host 172.16.10.17 on port 135 - NT_STATUS_CONNECTION_REFUSED

Something I did not check for, ps aux revealed:

root 23501 3.6 0.6 493684 49016 ? S Dez11 621:24 /usr/sbin/samba -D

i.e. the process eats a lot of CPU and was quite resistant to being killed. The automatic restart happened on Dec 21st! The primary DC had some 800 consecutive failures. I restarted the container and everything worked fine. I'll set the log level to 10 and we'll see what happens ... Regards, - lars- From infractory at gmail.com Wed Dec 23 19:37:38 2015 From: infractory at gmail.com (mathias dufresne) Date: Wed, 23 Dec 2015 20:37:38 +0100 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: <567AEBF7.5090404@gmail.com> References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de> <56741B45.70500@samba.org> <567425E2.5000504@tu-berlin.de> <56742E8E.5070303@samba.org> <56792988.9090903@tu-berlin.de> <567AEBF7.5090404@gmail.com> Message-ID: Hi James, First thanks for your detailed answer and the tests you did to be able to write this. Before reading your mail I believed MS Windows keeps only one set of credentials, those for the last connected account. This is why I did not push the authentication process too far. Tomorrow I'm back to work and I'll redo this test, using some other users to test than those I have already used to connect on that MS Windows machine acting as client. 
I'll try to power down the DC in the morning and I'll try to make tests in the afternoon. If I can't tomorrow I won't be able to do these tests before January. The caching of credentials is default behaviour of Windows systems, yes. You can have similar behaviour on Linux with SSSD and also Winbind or nslcd, I believe (so I'm not sure). SSSD is also supposed to come with AD Sites management but I missed something during the little time I tried that. Two reasons could have made me fail on that: a too old SSSD version or a bad admin (me). I expect it's the latter. What I wrote about NS and SOA came from a discussion I had several weeks ago with one person managing Bind daily for the company I work for. She agreed clients should not use NS nor SOA but as this is not one of her problems, these were just thoughts (but her thoughts seem more trustworthy than most of mine :D) 2015-12-23 19:46 GMT+01:00 James : > On 12/23/2015 12:39 PM, mathias dufresne wrote: > > [...] > > Mathias, > > I discovered similar issues after testing for Ole. I have sites and > services configured as well. It took over an hour for issues to arise after > shutting down my DC that held all my FSMO roles and the SOA record. > > I decided to do a quick packet capture just now. I shut down my DC that > holds all the roles and the SOA record. I logged into the workstation and > reviewed the trace. I can see the workstation attempt to locate the SRV > records needed from the first DC. It failed so it then asked my 2nd DC in > my site. It resolved the SRV records and it allowed me to log in. This > process never asks for the SOA. Can I rule out that it plays any part? It seems > failover works as expected. > > I decided to shut down my 2nd DC in my site as a test. Logged in as another > user (it allowed me) and reviewed the trace. I can see where the workstation > attempts to ask both DCs in the site for the SRV records. Of course it > fails but I see no trace of authentication happening. Why did it allow me > to log in? 
I look at the windows event viewer and review the auth log. I > find this. > > Logon Type: 11 > > New Logon: > Security ID: DOMAIN\duser > Account Name: duser > Account Domain: DOMAIN > Logon ID: 0x7b11e9 > Logon GUID: {00000000-0000-0000-0000-000000000000} > > I decided to research logon type 11. I find this. > > *Logon Type 11 – CachedInteractive* > > Windows supports a feature called Cached Logons which facilitate mobile > users. When you are not connected to the your organization’s network and > attempt to logon to your laptop with a domain account there’s no domain > controller available to the laptop with which to verify your identity. To > solve this problem, Windows caches a hash of the credentials of the last 10 > interactive domain logons. Later when no domain controller is available, > Windows uses these hashes to verify your identity when you attempt to logon > with a domain account. > > I assume this is a windows only feature and not a linux feature? This was > on a wired workstation and not a mobile device. The issues with > authentication only arouse from mobile devices and only after approximately > an hour of the "primary" DC being down. 
>
> --
> -James

From infractory at gmail.com Thu Dec 24 11:16:22 2015
From: infractory at gmail.com (mathias dufresne)
Date: Thu, 24 Dec 2015 12:16:22 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To:
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de> <56741B45.70500@samba.org> <567425E2.5000504@tu-berlin.de> <56742E8E.5070303@samba.org> <56792988.9090903@tu-berlin.de> <567AEBF7.5090404@gmail.com>
Message-ID:

Hi James and everyone,

There is a real issue with samba_dnsupdate and DNS records creation with Samba 4 as AD when it comes to AD Sites.

Samba does not seem to create any Site relevant DNS record at all. As AD relies on DNS to find a DC on the correct AD site, if no DNS entry is created related to the AD Site, there is no usage of AD Sites.

Here the Win client asks for the domain:
11:37:28.671044 IP 10.207.102.32.50193 > dns1.ad.dgfip.finances.gouv.fr.domain: 50244+ SRV? _ldap._tcp.pdc._msdcs.ad.dgfip.finances.gouv.fr. (65)
11:37:28.671308 IP dns1.ad.dgfip.finances.gouv.fr.domain > 10.207.102.32.50193: 50244 1/2/3 SRV m702.ad.dgfip.finances.gouv.fr.:389 0 100 (202)

Just after that it asks for the kerberos service on the "SCIF" AD Site:
11:44:59.550011 IP 10.207.102.32.52905 > dns1.ad.dgfip.finances.gouv.fr.domain: 17936+ SRV? _kerberos._tcp.SCIF._sites.dc._msdcs.AD.DGFIP.FINANCES.GOUV.FR. (80)
11:44:59.550979 IP dns1.ad.dgfip.finances.gouv.fr.domain > 10.207.102.32.52905: 17936 NXDomain 0/0/0 (80)
And no entry.

So falling back to the domain without the site mentioned:
11:44:59.621886 IP 10.207.102.32.58708 > dns1.ad.dgfip.finances.gouv.fr.domain: 40345+ SRV? _kerberos._tcp.dc._msdcs.AD.DGFIP.FINANCES.GOUV.FR. (68)
11:44:59.622133 IP dns1.ad.dgfip.finances.gouv.fr.domain > 10.207.102.32.58708: 40345 5/5/5 SRV m704.ad.dgfip.finances.gouv.fr.:88 0 100, SRV m705.ad.dgfip.finances.gouv.fr.:88 0 100, SRV m702.ad.dgfip.finances.gouv.fr.:88 0 100, SRV m706.ad.dgfip.finances.gouv.fr.:88 0 100, SRV m703.ad.dgfip.finances.gouv.fr.:88 0 100 (468)

In the DNS MS console from RSAT we can see a directory "_sites" in the default domain zone and in the _msdcs domain zone. There is no directory related to other sites.

In samba.domain.tld -> _sites -> Default-First-Site-Name there are entries related to the DC and associated SRV records.
I expect this should be the same for any AD Site we configure.

And solving this lack of DNS configuration should help to deal with AD Sites and so with AD failover.

I did try to use samba_dnsupdate to create these entries but nothing related to AD Sites except for the Default-First-Site-Name site.

To be able to manage that, the first thing would be to have a samba command to list declared Sites (samba-tool sites list ?), then we should have a command to list declared DCs in that site.
Then we would be able to rely on samba commands to list sites and DCs in each site, so we would be able to script something to create the needed entries (these needed entries should be the same or almost the same as for Default-First-Site-Name, anyway tcpdump could help to find which entries are requested by clients).

Best regards, wishing you all a merry Christmas : )

mathias

2015-12-23 20:37 GMT+01:00 mathias dufresne :

> Hi James,
>
> First thanks for your detailed answer and the tests you did to be able to write this.
>
> Before reading your mail I was believing MS Windows keeps only one set of credentials, those for the last connected account. This is why I did not push too far into the authentication process.
> Tomorrow I'm back to work and I'll redo this test, using some other users to test than those I have already used to connect on that MS Windows acting as client.
>
> I'll try to power down the DC in the morning and I'll try to make tests in the afternoon. If I can't tomorrow I won't be able to do these tests before January.
>
> The caching of credentials is default behaviour of Windows systems yes. You can have similar behavior on Linux with SSSD and also Winbind or nslcd, I believe (so I'm not sure).
>
> SSSD is also supposed to come with AD Sites management but I missed something during the few times I tried that. Two reasons could have made me fail on that: a too old SSSD version or a bad admin (me). I expect it's the latter.
>
> What I wrote about NS and SOA came from a discussion I had several weeks ago with one person managing Bind daily for the company I work for. She agreed the client should not use NS nor SOA but as this is not one of her problems, these were just thoughts (but her thoughts seem more trustworthy than most of mine :D)
>
> 2015-12-23 19:46 GMT+01:00 James :
>
>> On 12/23/2015 12:39 PM, mathias dufresne wrote:
>>
>> And for Ole, the OP, to solve his own failover issue:
>> As there are 2 physical sites and only 2 DC.
>> Let's say
>> Site1 is 10.1.0.0/16
>> Site2 is 10.2.0.0/16
>> I would create 2 additional AD Sites : Site1 + Site2
>> To AD site "Site1" I would associate 10.1.0.0/16 and associate also DC1
>> To AD site "Site2" I would associate 10.2.0.0/16 and associate also DC2
>> To Default-First-Site-Name no network is associated but both DC must be in that site too.
>>
>> A client from 10.2.0.0/16 will be asked to launch DNS queries to look for a DC on "Site2" and as long as DC2 is UP this client should use DC2.
>> DC2 is out. This means no DC is available for the client's AD site, so the client falls back to the default behaviour which is finding a DC in Default-First-Site-Name where the DCs are declared ==> this client would be able to use DC1 to authenticate.
>>
>> Cheers
>>
>> mathias

From infractory at gmail.com Thu Dec 24 13:06:56 2015
From: infractory at gmail.com (mathias dufresne)
Date: Thu, 24 Dec 2015 14:06:56 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To:
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de> <56741B45.70500@samba.org> <567425E2.5000504@tu-berlin.de> <56742E8E.5070303@samba.org> <56792988.9090903@tu-berlin.de> <567AEBF7.5090404@gmail.com>
Message-ID:

Using ldbsearch we can find the needed information if we know the AD Sites name list.
Sites information is stored in CN=CONFIGURATION,DC=SAMBA,DC=DOMAIN,DC=TLD. Here there is a CN=Sites which seems to contain the Sites information.
Next using a search with -b 'CN=,CN=Sites,CN=CONFIGURATION,DC=SAMBA,DC=DOMAIN,DC=TLD' we can list the objects related to . And we would find in there a CN=Servers which contains the server list.
So using a manually created Sites list we can create the missing entries.
Next question is what are these missing entries :)
>>> When you are not connected to your organization’s network and
>>> attempt to logon to your laptop with a domain account there’s no domain
>>> controller available to the laptop with which to verify your identity. To
>>> solve this problem, Windows caches a hash of the credentials of the last 10
>>> interactive domain logons. Later when no domain controller is available,
>>> Windows uses these hashes to verify your identity when you attempt to logon
>>> with a domain account.
>>>
>>> I assume this is a Windows-only feature and not a Linux feature? This
>>> was on a wired workstation and not a mobile device. The issues with
>>> authentication only arose from mobile devices and only after approximately
>>> an hour of the "primary" DC being down.
>>>
>>> --
>>> -James
>>>
>>
>

From Philip.Parsons at wales.nhs.uk Thu Dec 24 14:39:07 2015
From: Philip.Parsons at wales.nhs.uk (Philip Parsons (Velindre - Medical Physics))
Date: Thu, 24 Dec 2015 14:39:07 +0000
Subject: [Samba] debug log level and tar
Message-ID: <68408261FC297B4E915F2C96AD0386C4A5848E@GIG06SRVMSGMB02.cymru.nhs.uk>

Hi all,

Apologies if this is an obvious question! I'm not overly Linux savvy, so please bear with me.

I noticed that BackupPC runs the following for its SMB based backups:

$smbClientPath \\$host\$shareName $I_option -U $userName -E -d 1 -c tarmode\ full -Tc$X_option - $fileList

However, the samba page (https://www.samba.org/samba/docs/man/manpages/smbclient.1.html) says the following about the -T (tar) flag option, c:

"c - Create a tar file on UNIX. Must be followed by the name of a tar file, tape device or "-" for standard output. If using standard output you must turn the log level to its lowest value -d0 to avoid corrupting your tar file. This flag is mutually exclusive with the x flag."

Is it a problem for the tar that BackupPC is using level 1 logging?

Thanks in advance!
Phil.
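On Phil's question, an added example by the editor (not from the post, from BackupPC or from Samba): smbclient's -Tc - writes the archive to stdout, and the man page warns that any log output on the same stream corrupts it. The BackupPC command line also passes -E, which the smbclient man page documents as sending messages to stderr instead of stdout, so in practice the two do not collide; the way to be certain, though, is to check the stream itself. The code below builds a small tar archive in memory, prepends a constructed stand-in for a leaked debug line (the exact text smbclient prints at -d 1 is not reproduced here), and shows two checks a backup job can apply before trusting the data: validate the first 512-byte tar header (ustar magic plus header checksum) and report how many bytes of noise precede the first valid header. All names and the sample data are mine.

```python
"""Check whether a byte stream meant to be a tar archive really starts with a tar header.

Added example for the smbclient -Tc - / -d question; not code from the thread,
BackupPC or Samba. The sample archive and the leaked log line are constructed here.
"""
import io
import tarfile

BLOCK = 512
MAGIC_OFFSET = 257          # "ustar" magic sits at byte 257 of a POSIX/GNU tar header
CHKSUM = slice(148, 156)    # 8-byte octal header checksum field


def tar_header_ok(data, off=0):
    """True if the 512 bytes at `off` form a plausible tar header.

    Checks the magic and recomputes the header checksum (sum of all header
    bytes with the checksum field read as eight spaces). Text that a logger
    wrote ahead of the archive shifts both, so a leaked debug line fails here.
    """
    hdr = data[off:off + BLOCK]
    if len(hdr) < BLOCK or hdr[MAGIC_OFFSET:MAGIC_OFFSET + 5] != b"ustar":
        return False
    try:
        stored = int(hdr[CHKSUM].split(b"\0")[0].strip() or b"0", 8)
    except ValueError:
        return False
    computed = sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])
    return stored == computed


def leading_garbage(data, limit=64 * 1024):
    """Bytes preceding the first valid tar header, or -1 if none within `limit`.

    0 means the stream is clean; a positive value is the length of whatever
    landed in front of the archive (for smbclient: log output on stdout).
    """
    for off in range(min(len(data), limit)):
        if tar_header_ok(data, off):
            return off
    return -1


def list_members(data):
    """Member names, or [] when tarfile rejects the stream outright."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            return tf.getnames()
    except tarfile.TarError:
        return []


def build_sample_tar():
    """Constructed one-file archive standing in for smbclient's -Tc - output."""
    payload = b"quarterly figures\n"
    info = tarfile.TarInfo("share/report.txt")
    info.size = len(payload)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed stand-in for a debug line landing on stdout; not smbclient's real text.
LEAKED_LOG_LINE = b"Domain=[WORKGROUP] OS=[Unix] Server=[Samba 4.x]\n"


def demo():
    """Run both checks on a clean stream and on one with a leaked line in front."""
    clean = build_sample_tar()
    corrupt = LEAKED_LOG_LINE + clean
    return {
        "clean_header": tar_header_ok(clean),
        "clean_garbage": leading_garbage(clean),
        "clean_members": list_members(clean),
        "corrupt_header": tar_header_ok(corrupt),
        "corrupt_garbage": leading_garbage(corrupt),
        "corrupt_members": list_members(corrupt),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real job the equivalent one-liner is `smbclient ... -E -d0 -Tc - | tar -tf - >/dev/null`: a non-zero exit from tar means something other than the archive reached stdout. A `leading_garbage` result above 0 tells you exactly how much text was leaked ahead of the archive, which is the quickest way to see whether a debug level or a missing -E is the cause.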
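Returning to the AD Sites and DNS discussion quoted above (and continued in the next message): the workaround the thread converges on is to take the eight Default-First-Site-Name records that `samba_dnsupdate --verbose --all-names` lists, substitute the other site names with sed, and feed the result to `samba-tool dns add`, re-running freely since an existing record only produces "ERROR: Record already exists". The following Python is an added example by the editor, not code from any poster or from the Samba project, that generates those samba-tool commands directly from a site-to-DC mapping and, the part that is easy to get wrong by hand, picks the zone each record belongs to (on a Samba DC `_msdcs.<domain>` is a separate zone, so a `_msdcs` record must be added there with its name relative to that zone). Assumptions: the eight per-site names in `SITE_SRV_TEMPLATES` are my recollection of Samba's dns_update_list template, so compare them with your own `samba_dnsupdate --verbose --all-names` output; the domain, DC and site names are placeholders; the zone list is what `samba-tool dns zonelist <dc>` would report.

```python
"""Generate `samba-tool dns add` commands for the per-site SRV records of AD sites.

Added example (not from the thread, not Samba code). The template names below are
my recollection of Samba's dns_update_list entries for ${SITE}; the thread counts
eight such records for Default-First-Site-Name, so verify them against
`samba_dnsupdate --verbose --all-names` on your own DC before trusting them.
"""
import shlex

# Per-site SRV names Samba registers for each DC of ${SITE} (assumption, see above).
# {forest} equals {domain} in a single-domain forest. Priority 0 / weight 100 are
# what the thread's tcpdump shows for the Default site records.
SITE_SRV_TEMPLATES = [
    ("_ldap._tcp.{site}._sites.{domain}", 389),
    ("_ldap._tcp.{site}._sites.dc._msdcs.{domain}", 389),
    ("_ldap._tcp.{site}._sites.DomainDnsZones.{domain}", 389),
    ("_ldap._tcp.{site}._sites.ForestDnsZones.{forest}", 389),
    ("_kerberos._tcp.{site}._sites.{domain}", 88),
    ("_kerberos._tcp.{site}._sites.dc._msdcs.{domain}", 88),
    ("_gc._tcp.{site}._sites.{forest}", 3268),
    ("_ldap._tcp.{site}._sites.gc._msdcs.{forest}", 3268),
]


def split_zone(fqdn, zones):
    """Return (zone, name relative to that zone) using the longest matching zone suffix.

    A Samba DC serves _msdcs.<domain> as its own zone, so
    _ldap._tcp.Site1._sites.dc._msdcs.samdom.example.com belongs in zone
    _msdcs.samdom.example.com as _ldap._tcp.Site1._sites.dc. Adding it to
    samdom.example.com instead is accepted by samba-tool but is never answered
    from the zone clients actually query.
    """
    name = fqdn.rstrip(".")
    low = name.lower()
    best = None
    for zone in zones:
        z = zone.rstrip(".")
        matches = low == z.lower() or low.endswith("." + z.lower())
        if matches and (best is None or len(z) > len(best)):
            best = z
    if best is None:
        raise ValueError("no zone on this server holds " + name)
    rel = "@" if low == best.lower() else name[: -(len(best) + 1)]
    return best, rel


def site_srv_records(site, dc_fqdns, domain, forest=None):
    """Yield (record_fqdn, target_dc, port) for every per-site record of every DC."""
    forest = forest or domain
    for template, port in SITE_SRV_TEMPLATES:
        record = template.format(site=site, domain=domain, forest=forest)
        for dc in dc_fqdns:
            yield record, dc, port


def samba_tool_commands(sites, domain, zones, dns_server, forest=None,
                        priority=0, weight=100, dry_run=True):
    """Shell command lines for all sites, where sites = {site_name: [dc_fqdn, ...]}.

    dry_run=True prefixes every line with `echo`, the same trick the thread suggests
    for its awk script: nothing changes until the echo is removed. The real commands
    are safe to re-run; an existing record only yields "ERROR: Record already exists".
    """
    lines = []
    for site, dcs in sorted(sites.items()):
        for record, target, port in site_srv_records(site, dcs, domain, forest):
            zone, rel = split_zone(record, zones)
            # samba-tool SRV data format is "target port priority weight"
            data = "%s %d %d %d" % (target, port, priority, weight)
            argv = ["samba-tool", "dns", "add", dns_server, zone, rel, "SRV", data]
            if dry_run:
                argv.insert(0, "echo")
            lines.append(" ".join(shlex.quote(a) for a in argv))
    return lines


if __name__ == "__main__":
    # Constructed sample: single-domain forest, two sites, one DC each (placeholders).
    DOMAIN = "samdom.example.com"
    ZONES = [DOMAIN, "_msdcs." + DOMAIN]          # as samba-tool dns zonelist would report
    SITES = {"Site1": ["dc1." + DOMAIN], "Site2": ["dc2." + DOMAIN]}
    for line in samba_tool_commands(SITES, DOMAIN, ZONES, "dc1." + DOMAIN):
        print(line)
```

Run it, read the echoed commands, then call `samba_tool_commands(..., dry_run=False)` (appending the `-U` credentials your samba-tool needs) and pipe the output into sh. Verify the result the way the thread did: `dig SRV _ldap._tcp.<site>._sites.dc._msdcs.<domain> @<dc>` must return every DC of that site, and a tcpdump on the DNS server should show the client's site-specific SRV query answered instead of falling back to the site-less `_ldap._tcp.dc._msdcs.<domain>` name.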
From infractory at gmail.com Thu Dec 24 15:32:07 2015
From: infractory at gmail.com (mathias dufresne)
Date: Thu, 24 Dec 2015 16:32:07 +0100
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To:
References: <5672AF98.3050705@tu-berlin.de> <5672B963.40301@samba.org> <5672BE7B.5060802@tu-berlin.de> <5672C79C.9060408@samba.org> <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de> <56741B45.70500@samba.org> <567425E2.5000504@tu-berlin.de> <56742E8E.5070303@samba.org> <56792988.9090903@tu-berlin.de> <567AEBF7.5090404@gmail.com>
Message-ID:

And to get the mentioned entries list I used:
"samba_dnsupdate --verbose --all-names | grep Default-First-Site-name"

This lists 8 DNS records related to the Default site.

Next was to change Default-First... by the name of another AD Site (sed is still working :p)

I was able to create the DNS entries which were missing for one of my sites.

Next, test:
Back on one Windows client on the network associated with that AD Site, reboot it, and tcpdump on my DNS server (all requests go through this DNS server)

1° Site related DNS SRV request:
35752:15:24:38.907301 IP 10.156.248.244.64390 > dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ SRV? _ldap._tcp.authentification._sites.dc._msdcs.ad.dgfip.finances.gouv.fr. (88)

2° Site related DNS SRV reply:
35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain > 10.156.248.244.64390: 23013 2/2/4 SRV m705.ad.dgfip.finances.gouv.fr.:389 0 100, SRV m706.ad.dgfip.finances.gouv.fr.:389 0 100 (291)

3° Then A request on one DC returned by the previous request:
35754-15:24:38.908731 IP 10.156.248.244.56932 > dns1.ad.dgfip.finances.gouv.fr.domain: 16037+ A? m705.ad.dgfip.finances.gouv.fr. (48)

4° the reply:
35755-15:24:38.908859 IP dns1.ad.dgfip.finances.gouv.fr.domain > 10.156.248.244.56932: 16037 1/2/2 A 10.156.248.222 (135)

Now my Windows clients receive an answer when they request the SRV record according to the AD site they belong to.

I must say I've also manually declared each DC as NS. As explained yesterday evening I don't think this should be important (even if I said the contrary a few weeks ago).
NS records should be used only when clients use a DNS server which is not the AD DNS and if the declared DNS server on the client does not need to ask the upper level for NS.
This is so badly described; here is an example of my thought:
With AD Domain = samba.org
and Win_client -> DNS server non-AD and nothing configured on this DNS to help it find samba.org name servers

When Win_client asks the DNS server about samba.org, as the DNS server does not know anything about samba.org, the DNS server would ask the root DNS server (the one for ORG) which servers are responsible for samba.org. Here is the case where NS should be used.

And with my lack of knowledge about DNS I don't see any other case where NS should be used.

2015-12-24 14:06 GMT+01:00 mathias dufresne :

> Using ldbsearch we can find the needed information if we know the AD Sites names list.
>
> Sites information is stored in CN=CONFIGURATION,DC=SAMBA,DC=DOMAIN,DC=TLD.
>
> Here there is a CN=Sites which seems to contain the Sites information.
>
> Next using a search with -b 'CN=,CN=Sites,CN=CONFIGURATION,DC=SAMBA,DC=DOMAIN,DC=TLD' we can list objects related to .
>
> And we would find in there a CN=Servers which contains the server list.
>
> So using a manually created Sites list we can create the missing entries.
>
> Next question is what are these missing entries :)
>
> 2015-12-24 12:16 GMT+01:00 mathias dufresne :
>
>> Hi James and everyone,
>>
>> There is a real issue with samba_dnsupdate and DNS records creation with Samba 4 as AD when it comes to AD Sites.
>> >> Samba does not seems to create at all any Site relevant DNS record. As AD >> relies on DNS to find DC on the correct AD site, if no DNS entry is created >> related to AD Site, no usage of AD Sites. >> >> Here Win client ask for domain >> 11:37:28.671044 IP 10.207.102.32.50193 > >> dns1.ad.dgfip.finances.gouv.fr.domain: 50244+ SRV? _ldap._tcp.pdc._ >> msdcs.ad.dgfip.finances.gouv.fr. (65) >> 11:37:28.671308 IP dns1.ad.dgfip.finances.gouv.fr.domain > >> 10.207.102.32.50193: 50244 1/2/3 SRV m702.ad.dgfip.finances.gouv.fr.:389 0 >> 100 (202) >> >> Just after that it asks for kerberos service on "SCIF" AD Site: >> 11:44:59.550011 IP 10.207.102.32.52905 > >> dns1.ad.dgfip.finances.gouv.fr.domain: 17936+ SRV? >> _kerberos._tcp.SCIF._sites.dc._msdcs.AD.DGFIP.FINANCES.GOUV.FR. (80) >> 11:44:59.550979 IP dns1.ad.dgfip.finances.gouv.fr.domain > >> 10.207.102.32.52905: 17936 NXDomain 0/0/0 (80) >> And no entry. >> >> So falling back to domain without site mentioned >> 11:44:59.621886 IP 10.207.102.32.58708 > >> dns1.ad.dgfip.finances.gouv.fr.domain: 40345+ SRV? _kerberos._tcp.dc._ >> msdcs.AD.DGFIP.FINANCES.GOUV.FR. (68) >> 11:44:59.622133 IP dns1.ad.dgfip.finances.gouv.fr.domain > >> 10.207.102.32.58708: 40345 5/5/5 SRV m704.ad.dgfip.finances.gouv.fr.:88 0 >> 100, SRV m705.ad.dgfip.finances.gouv.fr.:88 0 100, SRV >> m702.ad.dgfip.finances.gouv.fr.:88 0 100, SRV >> m706.ad.dgfip.finances.gouv.fr.:88 0 100, SRV >> m703.ad.dgfip.finances.gouv.fr.:88 0 100 (468) >> >> In DNS MS console from RSAT we can see a directory "_sites" in default >> domain zone and in _msdcs domain zone. There is no directory related to >> others sites. >> >> In samba.domain.tld -> _sites -> Default-First-Site-Name there are >> entries related to DC and associated SRV records. >> I expect this should be the same for any AD Site we configure. >> >> And solving these lack of DNS configuration should help to deal with AD >> Sites and so with AD failover. 
>> >> I did tried to use samba_dnsupdate to create these entries but nothing >> related to AD Sites except for Default-First-Site-Name site. >> >> To be able to manage that first thing would be to have a samba command to >> list declared Sites (samba-tool sites list ?) then we should have a command >> to list declared DC in that site. >> Then we would be able to rely on samba commands to list sites and DC in >> each sites, so we would be able to script something to create needed >> entries (these needed entries should be the same or almost as >> for Default-First-Site-Name, anyway tcpdump could help to find which >> entries are requested by clients). >> >> Best regards, wishing you all a merry Christmas : ) >> >> mathias >> >> 2015-12-23 20:37 GMT+01:00 mathias dufresne : >> >>> Hi James, >>> >>> First thanks for you detailed answer and the tests you did to be able to >>> write this. >>> >>> Before reading your mail I was believing MS Windows keeps only one >>> credentials, those for last connected account. This is why I did not pushed >>> too far authentication process. >>> Tomorrow I'm back to work and I'll redo this test, using some others >>> users to test than some I have already used to connect on that MS Windows >>> acting as client. >>> >>> I'll try to power down the DC in the morning and I'll try to make tests >>> in the afternoon. If I can't tomorrow I won't be able to do these tests >>> before January. >>> >>> The caching of credentials is default behaviour of Windows systems yes. >>> You can have similar behavior on Linux with SSSD and also Winbind or nslcd, >>> I believe (so I'm not sure). >>> >>> SSSD is also supposed to come with AD Sites management but I missed >>> something during the few time I tried that. Two reasons could have made me >>> failed on that: a too old SSSD version or a bad admin (me). I expect it's >>> the latter. 
>>> >>> What I wrote about NS and SOA came from a discussion I had several weeks >>> ago with one person managing Bind daily for the company I work for. She >>> agreed client should not use NS nor SOA but as this is not one of her >>> problem, this was just thoughts (but her thoughts seems more trustable as >>> most of mines :D) >>> >>> 2015-12-23 19:46 GMT+01:00 James : >>> >>>> On 12/23/2015 12:39 PM, mathias dufresne wrote: >>>> >>>> And for Ole, the OP, to solve its own failover issue: >>>> As there is 2 physical sites and only 2 DC. >>>> Let's say >>>> Site1 is 10.1.0.0/16 >>>> Site2 is 10.2.0.0/16 >>>> I would create 2 additional AD Sites : Site1 + Site2 >>>> To AD site "Site1" I would associate 10.1.0.0/16 and associate also DC1 >>>> To AD site "Site2" I would associate 10.2.0.0/16 and associate also DC2 >>>> To Default-First-Site-Name no network is associated but both DC must be in >>>> that site too. >>>> >>>> Client from 10.2.0.0/16 will be asked to launch DNS query to look for DC on >>>> "Site2" and as long as DC2 is UP this client should use DC2. >>>> DC2 is out. This means no DC is available for client's AD site, so the >>>> client fall back to default behaviour which is finding a DC >>>> in Default-First-Site-Name where the DC are declared ==> this client would >>>> be able to use DC1 to authenticate. >>>> >>>> Cheers >>>> >>>> mathias >>>> >>>> >>>> >>>> >>>> 2015-12-23 18:14 GMT+01:00 mathias dufresne : >>>> >>>> >>>> Once both DC were rebooted, after the MS Windows was also rebooted (here I >>>> could have just wait I think) this MS Windows client is connecting on DC >>>> from its AD Site again. >>>> >>>> 2015-12-23 16:51 GMT+01:00 mathias dufresne : >>>> >>>> >>>> Hi all, >>>> >>>> Firs I apologize I did not manage to find time to reply earlier. >>>> >>>> The initial issue was about how Samba AD react when one DC is out and >>>> more specifically about what happen when FSMO ower is unreachable (poweroff >>>> in Ole tests). 
>>>> >>>> This issue is solved using a correct AD Sites configuration. >>>> >>>> Here I kept 3 DCs in my domain. >>>> Sites: >>>> I set up a second site named "authentication" and I've added in that site >>>> 2 DCs, including FSMO owner. >>>> On that "authentication" site I've added the network on which my clients >>>> are. >>>> On "Default-First-Site-Name" I do not configured any network addresses. >>>> All 3 DCs are declared in "Default-First-Site-Name". >>>> >>>> All DC up behaviour: >>>> The windows client when connecting ask to AD for a DC, AD answer this >>>> client it depends of "authentication" site and this client re-launch DNS >>>> requests taking in account AD Site information to retrieve DC list for that >>>> site. >>>> Then the client connects to AD. >>>> >>>> To check which AD DC was used to connected on: launch "cmd" then in that >>>> window type "set". In "set" result there is a line >>>> LOGONSERVER= >>>> This is the DC used for connection (and later normally). >>>> >>>> The test: >>>> I powered off both DC in "authentication" site. So only one DC is up and >>>> running, the one *outside* of that site. >>>> Login in Windows works. >>>> Using cmd -> set -> LOGONSERVER= >>>> >>>> I waited something like one hour then I rebooted my MS Windows client. I >>>> can still log in using differnt accounts (administrator then my own >>>> account). >>>> This MS Windows client is still using the only running DC, the one >>>> outside of client's site, this because this DC is in >>>> Default-First-Site-Name. >>>> >>>> This behaviour is normal. It is Site behaviour. It is AD Sites purpose. >>>> >>>> So configuring AD Sites correctly would solve the issue about failover. >>>> >>>> >>>> DNS issue: >>>> SOA and NS records are used when DNS servers are discussing together but >>>> not when a DNS client is asking for records (execpt for SOA or NS >>>> obvisouly). 
>>>> SOA and NS records are, in my understanding, used when the DNS server >>>> receive a request for a zone this server does not know. In that specific >>>> case the DNS server must find a name server for that zone, so our DNS >>>> server is asking to upper level for a NS in the mentioned zone. >>>> >>>> So, if my understanding is correct, client never uses NS record (not in >>>> normal mode). And so there is no much issue that Samba DNS has only one SOA >>>> and one NS. >>>> >>>> Regarding NS records, I create them manually because it matches our real >>>> configuration (each DC is DNS, each DNS as NS record). >>>> >>>> The point to make Samba AD works with internal is to work around the >>>> issue of samba_dnsupdate. At least it is all I have to do on all domains I >>>> tested, even with the 4.3.3. >>>> >>>> samba_dnsupdate could work with some option in smb.conf to grant unsecure >>>> update of DNS zones. >>>> If you don't want to allow unsecure update, use the awk script I provided >>>> in that thread days (or weeks) ago. >>>> >>>> I use Samba AD with Internal DNS with no issue except for samba_dnsupdate >>>> which not able to create internal record. To solve that issue I provided >>>> here a awk script which extract from samba_dnsupdate needed information to >>>> force recrods creation using samba-tool. This awk script is not dangerous: >>>> you can run it as much you want, it just tries to create entries. If entry >>>> exists, an error is displayed: >>>> ERROR: Record already exists >>>> >>>> If you are afraid of that script you can modify its behaviour replacing: >>>> cmd = "samba-tool dns add " >>>> with >>>> cmd = "echo samba-tool dns add " >>>> >>>> Then the script will do nothing except display what command could be run >>>> to force DNS records creation. >>>> >>>> With all needed DNS records and a well configured AD Sites failover >>>> works. Nicely. >>>> >>>> A last note: 3 DCs means 3 DNS servers. 
You want your DC can be down so >>>> your clients MUST have all DC declared as "nameserver" in /etc/resolv.conf. >>>> >>>> Another strategy is to build one Bind server with one zone configured >>>> with the exact same name as AD domain, this zone will do forward only and >>>> will forward to all DCs. >>>> Doing that your clients can have only one DNS configured: the one with >>>> Bind forwarding to DCs. >>>> This bind zone config: >>>> ------------------ >>>> zone "samba.domain.tld" IN { >>>> type forward; >>>> forward only; >>>> forwarders { >>>> IP_DC1; >>>> IP_DC2; >>>> IP_DC3; >>>> }; >>>> }; >>>> ------------------- >>>> >>>> I hope you will finally be able to have failover working Ole. >>>> >>>> >>>> >>>> >>>> 2015-12-22 11:44 GMT+01:00 Ole Traupe : >>>> >>>> >>>> Can I suggest that you do what I did, create your own small test >>>> domain in VMs using Bind9 >>>> >>>> >>>> Yes, that is a good idea. However, from what I had read before, much >>>> of it on the Samba wiki, I was expecting Samba4 to just work with multiple >>>> DCs. I still wonder why no one ever seems to have tested or questioned that >>>> (publicly). And I don't feel that I have to question something myself that >>>> is broadly recommended: use the internal DNS unless you really have to do >>>> otherwise (even by the developers, it seems). In addition, bind9 working >>>> with multiple DC's does not necessarily mean that internal DNS won't. >>>> >>>> >>>> >>>> I am going to discuss this with Marc and the rest of the team, like >>>> you, I am surprised that nobody has raised this before. I have always used >>>> Samba with Bind9, so was unaware of this possible problem, it only came to >>>> head for me when you mentioned it. I then found I only had one NS record >>>> in the SOA and this lead to where we are now. >>>> >>>> >>>> Hi Rowland, >>>> >>>> Again: thanks a lot for your support. >>>> >>>> Merry Christmas and good holidays to the list! 
>>>> >>>> Ole >>>> >>>> >>>> >>>> >>>> I also feel the need to would like to state that I am a part-time admin >>>> >>>> and I can't test something for a year or so (like others) before I go into >>>> production. With Samba 4 I was rather happy to find something that won't >>>> require so much work (although it feels differently now, partially due to >>>> me being more or less a newbee to unix-based systems, I guess). >>>> >>>> >>>> It doesn't need much looking after, once you have got it up and running >>>> :-) >>>> >>>> Rowland >>>> >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>>> Mathias, >>>> >>>> I discovered similar issues after testing for Ole. I have sites and >>>> services configured as well. It took over a hour for issues to arise after >>>> shutting down my DC that held all my FSMO roles and SOA record. >>>> >>>> I decided to do a quick packet capture just now. I shutdown my DC that >>>> holds all the roles and SOA record. I logged into the workstation and >>>> reviewed the trace. I can see the workstation attempt to locate the SRV >>>> records needed from the first DC. It failed so it then asked my 2nd DC in >>>> my site. It resolved the SRV records and it allowed me to log in. This >>>> process never asks for the SOA. I can rule out it plays no part? It seems >>>> fail over works as expected. >>>> >>>> I decided to shutdown my 2nd DC in my site as test. Logged in as >>>> another user(It allowed me) and reviewed the trace. I can see where the >>>> workstation attempts to ask both DC's in the site for the SRV records. Of >>>> course it fails but I see no trace of authentication happening. Why did it >>>> allow me to log in? I look at the windows event viewer and review the auth >>>> log. I find this. 
>>>> >>>> Logon Type: 11 >>>> >>>> New Logon: >>>> Security ID: DOMAIN\duser >>>> Account Name: duser >>>> Account Domain: DOMAIN >>>> Logon ID: 0x7b11e9 >>>> Logon GUID: {00000000-0000-0000-0000-000000000000} >>>> >>>> I decided to research logon type 11. I find this. >>>> >>>> *Logon Type 11 – CachedInteractive* >>>> >>>> Windows supports a feature called Cached Logons which facilitate mobile >>>> users. When you are not connected to the your organization’s network and >>>> attempt to logon to your laptop with a domain account there’s no domain >>>> controller available to the laptop with which to verify your identity. To >>>> solve this problem, Windows caches a hash of the credentials of the last 10 >>>> interactive domain logons. Later when no domain controller is available, >>>> Windows uses these hashes to verify your identity when you attempt to logon >>>> with a domain account. >>>> >>>> I assume this is a windows only feature and not a linux feature? This >>>> was on a wired workstation and not a mobile device. The issues with >>>> authentication only arouse from mobile devices and only after approximately >>>> an hour of the "primary" DC being down. >>>> >>>> >>>> >>>> -- >>>> -James >>>> >>>> >>> >> > From jra at samba.org Thu Dec 24 16:23:55 2015 From: jra at samba.org (Jeremy Allison) Date: Thu, 24 Dec 2015 08:23:55 -0800 Subject: [Samba] Samba 4 slower ? In-Reply-To: References: Message-ID: <20151224162355.GA1770@jeremy-acer> On Wed, Dec 23, 2015 at 12:57:02PM +0530, nagendra ps wrote: > Hi All, > > I have samba 3.6 and samba 4.2 running on 2 different freebsd machines. > Both are virtual machines and have 1GB Ethernet and exact same configurations. > Samba is joined to a 2K8 server(security = ADS). > Both use a minimal similar smb.conf. > > Am using smbtorture bench.nbench from another freebsd machine. > > Samba 3.6 Throughput is at: 12.6165 MB/sec > Samba 4.2 Throughput is at: 1.5359 MB/sec > > 4.2 appears almost 10X slower. 
What could be going wrong for me ? Not sure. Most people get line-speed out of Samba 4.x (as they also did out of Samba 3.x). > Is there an official bench-marking of Samba 3 and Samba 4, which I > could refer to ? > > btw.. netbench seems to be going over SMB1 . Is there a benchmarking > tool which uses SMB2/SMB3 ? nbench didn't get updated for smb2. Should be possible. Not a high priority for the Team - but if you want to patch it I'm happy to review ! From rpenny at samba.org Thu Dec 24 16:32:36 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 24 Dec 2015 16:32:36 +0000 Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline In-Reply-To: References: <5672CD2C.2010305@tu-berlin.de> <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de> <56741B45.70500@samba.org> <567425E2.5000504@tu-berlin.de> <56742E8E.5070303@samba.org> <56792988.9090903@tu-berlin.de> <567AEBF7.5090404@gmail.com> Message-ID: <567C1E24.40603@samba.org> On 24/12/15 15:32, mathias dufresne wrote: > And to get mentioned entries list I used: > "samba_dnsupdate --verbose --all-names | grep Default-First-Site-name" > > This list 8 DNS records related to Default Site. > > Next was to change Default-First... by the name of another AD Site (sed is > still working :p) > > I was able to create DNS entries which were missing for one of my sites. > > Next, test: > Back on one Windows on the network associated to that AD Site, reboot it, > and tcpdump on my DNS server (all requests goes through this DNS server) > > 1° Site related DNS SRV request: > 35752:15:24:38.907301 IP 10.156.248.244.64390 > > dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ *SRV? > _ldap._tcp.authentification._sites.dc.*_msdcs.ad.dgfip.finances.gouv.fr. 
> (88) > 2° Site related DNS SRV reply: > 35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain > > 10.156.248.244.64390: 23013 2/2/4 *SRV* *m705.ad.dgfip.finances.gouv.fr.:389 > 0 100, SRV m706.ad.dgfip.finances.gouv.fr.:389 0 100* (291) > > 3° Then A request on one DC returned by previous request: > 35754-15:24:38.908731 IP 10.156.248.244.56932 > > dns1.ad.dgfip.finances.gouv.fr.domain: 16037+ *A? > m705.ad.dgfip.finances.gouv.fr *. > (48) > 4° the reply: > 35755-15:24:38.908859 IP dns1.ad.dgfip.finances.gouv.fr.domain > > 10.156.248.244.56932: 16037 1/2/2 *A 10.156.248.222* (135) > > Now my Windows clients receive answer when they request SRV record > according to the AD site they belong to. > > I must say I've also manually declared each DC as NS. As explained > yesterday evening I don't think this should be important (even if I say the > contrary few weeks ago). > NS record should be used only when clients use a DNS server which is not AD > DNS and if the declared DNS server on client do not need to ask upper level > for NS. > This is so badly described here is an example of my thought: > With AD Domain = samba.org > and Win_client -> DNS server non-AD and nothing configured on this DNS to > help it to find samba.org name servers > > When Win_client request DNS server about samba.org, as DNS server do not > know anything about samba.org, the DNS server would ask to root DNS server > (the one for ORG) which servers are responsible for samba.org. Here is the > case where NS should be used. > > And with my lack of knowledge about DNS I don't see any other case where NS > should be used. > > > > > Hi Mathias, one of the problems with your setup, is that you seem to be running dns differently from what Samba (and for that matter, windows) recommends, you seem to be using a dns server that is not an AD DC. 
Normally to find a DC, you would ask the dns server that is authoritative for the domain, with a Samba AD domain this is usually a DC, and is identified by its SOA record, which is supposed to contain the authoritative name servers. Now, with a Samba domain, if you use the internal dns server, you only get *one* authoritative name server even if you add the required records to the domain SOA. The net result is, if the first DC in the domain goes down, you don't have an authoritative name server. If you use bind9 instead of the internal dns server, each DC becomes authoritative for the domain after you add the required records to the domain SOA. As you are using bind9 (although in a non recommended way), each of your DCs will be authoritative as you have added the required records. When I get the time, I will create a bug report for this, this will probably be after Christmas though. Rowland From subscribe at korigan.com Thu Dec 24 16:25:20 2015 From: subscribe at korigan.com (subscribe at korigan.com) Date: Thu, 24 Dec 2015 17:25:20 +0100 Subject: [Samba] Windows machines not visible in CentOS 7 Message-ID: <000001d13e67$af1be6d0$0d53b470$@korigan.com> Hi, I’ve a main windows 10 machine. On this computer I’ve installed VMWare Workstation 12 where I have several virtual windows 8.1 machines, I’ve also installed a CentOS 7 machine where I need to access A file Sharing residing on one of my Virtual Windows machines. I’ve tried the following procedure and everything works fine to connect from my Windows machines to a CentOS 7 file sharing. http://sharadchhetri.com/2014/10/09/centos-7-rhel-7-install-and-setup-samba- server-file-sharing/ But the opposite doesn’t work. I’m not able to see my Windows machines when I click on “Browse network” and “Windows Network” icon. I suspect a firewall problem, but I’m not sure where to look for. (I have attached my smb.conf) Thanks in advance for help J. 
Dupourqué

From frankaritchie at gmail.com Thu Dec 24 23:32:33 2015
From: frankaritchie at gmail.com (Frank Ritchie)
Date: Thu, 24 Dec 2015 18:32:33 -0500
Subject: [Samba] disable dns update with net ads join
Message-ID:

I saw a few posts from a few years ago regarding adding an option to net ads join to disable dns updates, i.e.,

net ads join --disable-dns-update

Was this ever added? If not, is there any workaround for this? My clients are going through a list of 18 name servers and it's taking forever.

From hat at fa2.so-net.ne.jp Sat Dec 26 17:08:53 2015
From: hat at fa2.so-net.ne.jp (HAT)
Date: Sun, 27 Dec 2015 02:08:53 +0900 (JST)
Subject: [Samba] vfs_fruit: xattr imcompatible with netatalk
In-Reply-To: <20150311.233045.1229136848886583105.hat@fa2.so-net.ne.jp>
References: <20150311.233045.1229136848886583105.hat@fa2.so-net.ne.jp>
Message-ID: <20151227.020853.2254997908707263022.hat@fa2.so-net.ne.jp>

Hi,
I'm testing samba 4.3.3 vfs_fruit on Fedora rawhide.

The EAs are not seen from clients yet.

smb.conf:
path = /export/test1/
writable = yes
vfs objects = catia fruit streams_xattr
fruit:locking = netatalk
fruit:encoding = native
streams_xattr:prefix = user.
streams_xattr:store_stream_type = no

On OS X:
$ cd ~/test
$ xattr ICONandEA.txt
com.apple.FinderInfo
com.apple.ResourceFork
com.apple.TextEncoding
com.apple.metadata:kMDItemFinderComment

Copy from OS X to Fedora via Samba.
On Fedora:
$ cd /export/test1
$ ls -a
./
../
.DS_Store
._ICONandEA.txt
ICONandEA.txt
$ getfattr ICONandEA.txt
# file: ICONandEA.txt
user.com.apple.TextEncoding
user.com.apple.metadata:kMDItemFinderComment
user.org.netatalk.Metadata

On OS X via Samba:
$ cd /Volumes/test1
$ xattr ICONandEA.txt
com.apple.FinderInfo
com.apple.ResourceFork

The EAs are not seen from clients.

How can I handle EAs?
--
HAT

From rpenny at samba.org Sat Dec 26 17:22:56 2015
From: rpenny at samba.org (Rowland penny)
Date: Sat, 26 Dec 2015 17:22:56 +0000
Subject: [Samba] vfs_fruit: xattr imcompatible with netatalk
In-Reply-To: <20151227.020853.2254997908707263022.hat@fa2.so-net.ne.jp>
References: <20150311.233045.1229136848886583105.hat@fa2.so-net.ne.jp> <20151227.020853.2254997908707263022.hat@fa2.so-net.ne.jp>
Message-ID: <567ECCF0.1010508@samba.org>

On 26/12/15 17:08, HAT wrote:
> Hi,
> I'm testing samba 4.3.3 vfs_fruit on Fedora rawhide.
>
> The EAs are not seen from clients yet.
>
> smb.conf:
> path = /export/test1/
> writable = yes
> vfs objects = catia fruit streams_xattr
> fruit:locking = netatalk
> fruit:encoding = native
> streams_xattr:prefix = user.
> streams_xattr:store_stream_type = no

Is that your entire smb.conf or just the share ?

Rowland

>
> On OS X:
> $ cd ~/test
> $ xattr ICONandEA.txt
> com.apple.FinderInfo
> com.apple.ResourceFork
> com.apple.TextEncoding
> com.apple.metadata:kMDItemFinderComment
>
> Copy from OS X to Fedora via Samba.
> On Fedora:
> $ cd /export/test1
> $ ls -a
> ./
> ../
> .DS_Store
> ._ICONandEA.txt
> ICONandEA.txt
> $ getfattr ICONandEA.txt
> # file: ICONandEA.txt
> user.com.apple.TextEncoding
> user.com.apple.metadata:kMDItemFinderComment
> user.org.netatalk.Metadata
>
> On OS X via Samba:
> $ cd /Volumes/test1
> $ xattr ICONandEA.txt
> com.apple.FinderInfo
> com.apple.ResourceFork
>
> The EAs are not seen from clients.
>
> How can I handle EAs?
>

From hat at fa2.so-net.ne.jp Sat Dec 26 17:33:10 2015
From: hat at fa2.so-net.ne.jp (HAT)
Date: Sun, 27 Dec 2015 02:33:10 +0900 (JST)
Subject: [Samba] vfs_fruit: xattr imcompatible with netatalk
In-Reply-To: <567ECCF0.1010508@samba.org>
References: <20150311.233045.1229136848886583105.hat@fa2.so-net.ne.jp> <20151227.020853.2254997908707263022.hat@fa2.so-net.ne.jp> <567ECCF0.1010508@samba.org>
Message-ID: <20151227.023310.2093955830328763814.hat@fa2.so-net.ne.jp>

Sat, 26 Dec 2015 17:22:56 +0000, Rowland penny :
> On 26/12/15 17:08, HAT wrote:
>> Hi,
>> I'm testing samba 4.3.3 vfs_fruit on Fedora rawhide.
>>
>> The EAs are not seen from clients yet.
>>
>> smb.conf:
>> path = /export/test1/
>> writable = yes
>> vfs objects = catia fruit streams_xattr
>> fruit:locking = netatalk
>> fruit:encoding = native
>> streams_xattr:prefix = user.
>> streams_xattr:store_stream_type = no
>
> Is that your entire smb.conf or just the share ?

$ /etc/samba# cat /etc/samba/smb.conf | grep -v \; | grep -v \# | grep -v ^$
[global]
workgroup = LOCALNET
server string = %h
dos charset = CP932
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = smbpasswd
load printers = yes
cups options = raw
[Test 1]
path = /export/test1/
writable = yes
vfs objects = catia fruit streams_xattr
fruit:locking = netatalk
fruit:encoding = native
streams_xattr:prefix = user.
streams_xattr:store_stream_type = no

--
HAT

From rb at sernet.de Sat Dec 26 18:20:49 2015
From: rb at sernet.de (Ralph Boehme)
Date: Sat, 26 Dec 2015 19:20:49 +0100
Subject: [Samba] vfs_fruit: xattr imcompatible with netatalk
In-Reply-To: <20151227.023310.2093955830328763814.hat@fa2.so-net.ne.jp>
References: <20150311.233045.1229136848886583105.hat@fa2.so-net.ne.jp> <20151227.020853.2254997908707263022.hat@fa2.so-net.ne.jp> <567ECCF0.1010508@samba.org> <20151227.023310.2093955830328763814.hat@fa2.so-net.ne.jp>
Message-ID: <20151226182049.GA5629@sernet.sernet.private>

On Sun, Dec 27, 2015 at 02:33:10AM +0900, HAT wrote:
> Sat, 26 Dec 2015 17:22:56 +0000, Rowland penny :
> > On 26/12/15 17:08, HAT wrote:
> >> Hi,
> >> I'm testing samba 4.3.3 vfs_fruit on Fedora rawhide.
> >>
> >> The EAs are not seen from clients yet.
> >>
> >> smb.conf:
> >> path = /export/test1/
> >> writable = yes
> >> vfs objects = catia fruit streams_xattr
> >> fruit:locking = netatalk
> >> fruit:encoding = native
> >> streams_xattr:prefix = user.
> >> streams_xattr:store_stream_type = no
> >
> > Is that your entire smb.conf or just the share ?
>
> $ /etc/samba# cat /etc/samba/smb.conf | grep -v \; | grep -v \# | grep -v ^$
> [global]
> workgroup = LOCALNET
> server string = %h
> dos charset = CP932
> log file = /var/log/samba/log.%m
> max log size = 50
> security = user
> passdb backend = smbpasswd
> load printers = yes
> cups options = raw

you need "ea support = yes".

-Ralph

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr.
Johannes Loxen http://www.sernet.de,mailto:kontakt at sernet.de From rpenny at samba.org Sat Dec 26 18:47:46 2015 From: rpenny at samba.org (Rowland penny) Date: Sat, 26 Dec 2015 18:47:46 +0000 Subject: [Samba] vfs_fruit: xattr imcompatible with netatalk In-Reply-To: <20151227.023310.2093955830328763814.hat@fa2.so-net.ne.jp> References: <20150311.233045.1229136848886583105.hat@fa2.so-net.ne.jp> <20151227.020853.2254997908707263022.hat@fa2.so-net.ne.jp> <567ECCF0.1010508@samba.org> <20151227.023310.2093955830328763814.hat@fa2.so-net.ne.jp> Message-ID: <567EE0D2.5030409@samba.org> On 26/12/15 17:33, HAT wrote: > Sat, 26 Dec 2015 17:22:56 +0000, Rowland penny : >> On 26/12/15 17:08, HAT wrote: >>> Hi, >>> I'm testing samba 4.3.3 vfs_fruit on Fedora rawhide. >>> >>> The EAs are not seen from clients yet. >>> >>> smb.conf: >>> path = /export/test1/ >>> writable = yes >>> vfs objects = catia fruit streams_xattr >>> fruit:locking = netatalk >>> fruit:encoding = native >>> streams_xattr:prefix = user. >>> streams_xattr:store_stream_type = no >> Is that your entire smb.conf or just the share ? > $ /etc/samba# cat /etc/samba/smb.conf | grep -v \; | grep -v \# | grep -v ^$ > [global] > workgroup = LOCALNET > server string = %h > dos charset = CP932 > log file = /var/log/samba/log.%m > max log size = 50 > security = user > passdb backend = smbpasswd > load printers = yes > cups options = raw > [Test 1] > path = /export/test1/ > writable = yes > vfs objects = catia fruit streams_xattr > fruit:locking = netatalk > fruit:encoding = native > streams_xattr:prefix = user. > streams_xattr:store_stream_type = no > OK, so you are trying to connect from apple clients to a share on a Samba standalone server, do your apple users exist as Unix & Samba users on the Samba server? 
Rowland

From hat at fa2.so-net.ne.jp Sun Dec 27 03:32:58 2015
From: hat at fa2.so-net.ne.jp (HAT)
Date: Sun, 27 Dec 2015 12:32:58 +0900 (JST)
Subject: [Samba] vfs_fruit: xattr imcompatible with netatalk
In-Reply-To: <20151226182049.GA5629@sernet.sernet.private>
References: <567ECCF0.1010508@samba.org> <20151227.023310.2093955830328763814.hat@fa2.so-net.ne.jp> <20151226182049.GA5629@sernet.sernet.private>
Message-ID: <20151227.123258.410261612646774678.hat@fa2.so-net.ne.jp>

> you need "ea support = yes".

ok! solved.

On Fedora:
-----------------------------------------------------
$ cat /etc/samba/smb.conf | grep -v \; | grep -v \# | grep -v ^$
[global]
workgroup = LOCALNET
server string = %h
dos charset = CP932
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = smbpasswd
load printers = yes
cups options = raw
[Test 1]
path = /export/test1/
writable = yes
vfs objects = catia fruit streams_xattr
fruit:locking = netatalk
fruit:encoding = native
streams_xattr:prefix = user.
streams_xattr:store_stream_type = no
ea support = yes

$ getfattr ICONandEA.txt
# file: ICONandEA.txt
user.com.apple.TextEncoding
user.com.apple.metadata:kMDItemFinderComment
user.org.netatalk.Metadata

On OS X:
--------------------------------------------------------
$ xattr ICONandEA.txt
com.apple.FinderInfo
com.apple.ResourceFork
com.apple.TextEncoding
org.netatalk.Metadata
com.apple.metadata:kMDItemFinderComment

On Windows 7:
---------------------------------------------------------
Z:\>dir /r ICONandEA.txt
 Volume in drive Z is Test 1
 Volume Serial Number is DA11-AA00

 Directory of Z:\

2010/01/10  00:14               225 ICONandEA.txt
                                 60 ICONandEA.txt:AFP_AfpInfo:$DATA
                              4,764 ICONandEA.txt:AFP_Resource:$DATA
                                 15 ICONandEA.txt:com.apple.TextEncoding:$DATA
                                401 ICONandEA.txt:org.netatalk.Metadata:$DATA
                                 81 ICONandEA.txt:com.apple.metadata?kMDItemFinderComment:$DATA
               1 File(s)            225 bytes
               0 Dir(s)  59,059,187,712 bytes free
---------------------------------------------------------

I'm going to test "ea = samba" of netatalk 3.1.8dev.

Thanks.

--
HAT

From hat at fa2.so-net.ne.jp Sun Dec 27 03:35:37 2015
From: hat at fa2.so-net.ne.jp (HAT)
Date: Sun, 27 Dec 2015 12:35:37 +0900 (JST)
Subject: [Samba] vfs_fruit: xattr imcompatible with netatalk
In-Reply-To: <567EE0D2.5030409@samba.org>
References: <567ECCF0.1010508@samba.org> <20151227.023310.2093955830328763814.hat@fa2.so-net.ne.jp> <567EE0D2.5030409@samba.org>
Message-ID: <20151227.123537.358042998896936959.hat@fa2.so-net.ne.jp>

>> [global]
>> workgroup = LOCALNET
>> server string = %h
>> dos charset = CP932
>> log file = /var/log/samba/log.%m
>> max log size = 50
>> security = user
>> passdb backend = smbpasswd
>> load printers = yes
>> cups options = raw
>> [Test 1]
>> path = /export/test1/
>> writable = yes
>> vfs objects = catia fruit streams_xattr
>> fruit:locking = netatalk
>> fruit:encoding = native
>> streams_xattr:prefix = user.
>> streams_xattr:store_stream_type = no
>>
>
> OK, so you are trying to connect from apple clients to a share on a
> Samba standalone server, do your apple users exist as Unix & Samba
> users on the Samba server?

Yes. If no, I can't test this.

--
HAT

From viktor at troja.ch Sun Dec 27 17:54:05 2015
From: viktor at troja.ch (Viktor Trojanovic)
Date: Sun, 27 Dec 2015 18:54:05 +0100
Subject: [Samba] How to remove a Samba AD config?
Message-ID: <568025BD.9070503@troja.ch>

On a test installation, I chose some wrong values when setting up a Samba AD DC. Instead of trying to rectify this, I'd prefer just to remove it all and start from scratch.

I did the following:

- Remove Samba package using the package manager
- Remove /etc/samba/smb.conf
- Delete folder /var/lib/samba (this is equal to /usr/share/samba on some systems - it's where sysvol is located)

I thought that's all but it's obviously not. While the original AD provisioning gave me correct standard values for the realm, that's not the case on the second install. Even though that's not really important, it means that something must have changed and I'd just wish to understand what.

Is there a list of all folders and files that change upon AD DC provisioning? Is there a better way to completely remove a Samba installation?

Viktor

From viktor at troja.ch Sun Dec 27 18:41:25 2015
From: viktor at troja.ch (Viktor Trojanovic)
Date: Sun, 27 Dec 2015 19:41:25 +0100
Subject: [Samba] Wrong interface on AD Provisioning
Message-ID: <568030D5.3070101@troja.ch>

When I provisioned a new AD domain, I used the wrong network interface in the provisioning command.

samba-tool domain provision --option="interfaces=lo eth2" --option="bind interfaces only=yes" --use-rfc2307 --use-xattrs=yes --interactive

I should have used eth1 instead of eth2. The latter had no IP address attached to it so that there is no (correct) A record in the internal DNS for the DC. At any rate host -t A dc.samdom.domain.com is returning an error (Host not found: 3(NXDOMAIN)).

How can I correct this *without* MS Windows RSAT? Can I just run the same command again and it will overwrite the previous config?

From mmuehlfeld at samba.org Sun Dec 27 19:48:03 2015
From: mmuehlfeld at samba.org (Marc Muehlfeld)
Date: Sun, 27 Dec 2015 20:48:03 +0100
Subject: [Samba] Wrong interface on AD Provisioning
In-Reply-To: <568030D5.3070101@troja.ch>
References: <568030D5.3070101@troja.ch>
Message-ID: <56804073.80904@samba.org>

Hello Viktor,

On 27.12.2015 at 19:41, Viktor Trojanovic wrote:
> When I provisioned a new AD domain, I used the wrong network interface
> in the provisioning command.
>
> samba-tool domain provision --option="interfaces=lo eth2" --option="bind
> interfaces only=yes" --use-rfc2307 --use-xattrs=yes --interactive
>
> I should have used eth1 instead of eth2. The latter had no IP address
> attached to it so that there is no (correct) A record in the internal
> DNS for the DC. At any rate host -t A dc.samdom.domain.com is returning
> an error (Host not found: 3(NXDOMAIN)).
>
> How can I correct this *without* MS Windows RSAT? Can I just run the
> same command again and it will overwrite the previous config?

* Remove the smb.conf. Otherwise, you have to fix the 'interfaces' option values manually.

* Remove all databases (/usr/local/samba/var/ and /usr/local/samba/private/). Not all files will be overwritten, so it's better to remove all, instead of mixing something up.

* re-run the command.

Warning: You will lose your entire domain! Everything has to be re-created (users, groups, machines need to be rejoined, etc.).

Regards,
Marc

From rpenny at samba.org Sun Dec 27 19:49:38 2015
From: rpenny at samba.org (Rowland penny)
Date: Sun, 27 Dec 2015 19:49:38 +0000
Subject: [Samba] How to remove a Samba AD config?
In-Reply-To: <568025BD.9070503@troja.ch> References: <568025BD.9070503@troja.ch> Message-ID: <568040D2.4060606@samba.org> On 27/12/15 17:54, Viktor Trojanovic wrote: > On a test installation, I chose some wrong values when setting up a > Samba AD DC. Instead of trying to rectify this, I'd prefer just to > remove it all and start from scratch. You do not have to remove *all* of Samba, just delete or rename smb.conf and then re-provision, this will overwrite everything else. Rowland > > I did the following: > > - Remove Samba package using the package manager > - Remove /etc/samba/smb.conf > - Delete folder /var/lib/samba (this is equal to /usr/share/samba on > some systems - it's where sysvol is located) > > I thought that's all but it's obviously not. While the original AD > provisioning gave me correct standard values for the realm, that's not > the case on the second install. Even though that's not really > important, it means that something must have changed and I'd just wish > to understand what. > > Is there a list of all folders and files that change upon AD DC > provisioning? Is there a better way to completely remove a Samba > installation? > > Viktor > From rpenny at samba.org Sun Dec 27 19:50:48 2015 From: rpenny at samba.org (Rowland penny) Date: Sun, 27 Dec 2015 19:50:48 +0000 Subject: [Samba] Wrong interface on AD Provisioning In-Reply-To: <568030D5.3070101@troja.ch> References: <568030D5.3070101@troja.ch> Message-ID: <56804118.8010300@samba.org> On 27/12/15 18:41, Viktor Trojanovic wrote: > When I provisioned a new AD domain, I used the wrong network interface > in the provisioning command. > > samba-tool domain provision --option="interfaces=lo eth2" > --option="bind interfaces only=yes" --use-rfc2307 --use-xattrs=yes > --interactive > > I should have used eth1 instead of eth2. The latter had no IP address > attached to it so that there is no (correct) A record in the internal > DNS for the DC. 
At any rate host -t A dc.samdom.domain.com is > returning an error (Host not found: 3(NXDOMAIN)). > > How can I correct this *without* MS Windows RSAT? Can I just run the > same command again and it will overwrite the previous config? > Remove smb.conf and then re-provision Rowland From viktor at troja.ch Sun Dec 27 23:14:05 2015 From: viktor at troja.ch (Viktor Trojanovic) Date: Mon, 28 Dec 2015 00:14:05 +0100 Subject: [Samba] Wrong interface on AD Provisioning In-Reply-To: <56804073.80904@samba.org> References: <568030D5.3070101@troja.ch> <56804073.80904@samba.org> Message-ID: <568070BD.5000808@troja.ch> On 27.12.2015 20:48, Marc Muehlfeld wrote: > Hello Viktor, > > Am 27.12.2015 um 19:41 schrieb Viktor Trojanovic: >> When I provisioned a new AD domain, I used the wrong network interface >> in the provisioning command. >> >> samba-tool domain provision --option="interfaces=lo eth2" --option="bind >> interfaces only=yes" --use-rfc2307 --use-xattrs=yes --interactive >> >> I should have used eth1 instead of eth2. The latter had no IP address >> attached to it so that there is no (correct) A record in the internal >> DNS for the DC. At any rate host -t A dc.samdom.domain.com is returning >> an error (Host not found: 3(NXDOMAIN)). >> >> How can I correct this *without* MS Windows RSAT? Can I just run the >> same command again and it will overwrite the previous config? > * Remove the smb.conf. Otherwise, you have to fix the 'interfaces' > option values manually. > > * Remove all databases (/usr/local/samba/var/ and > /usr/local/samba/private/). Not all files will be overwritten, so it's > better to remove all, instead to mixup something. > > * re-run the command. > > Warning: You will loose you entire domain! Everything has to be > re-created (users, groups, machines need to be rejoined, etc.). > > > Regards, > Marc That's what I was looking for. Thanks. 
From stefan at kania-online.de Mon Dec 28 09:56:29 2015
From: stefan at kania-online.de (Stefan Kania)
Date: Mon, 28 Dec 2015 10:56:29 +0100
Subject: [Samba] Wrong ACL on GPO
Message-ID: <5681074D.9060700@kania-online.de>

Hello,

I use Samba 4.3.3 and Rowland it doesn't matter if I build it by myself or install the SerNet-Packages ;-)
Every time I create a new GPO or change something in an existing GPO, the test with "samba-tool ntacl sysvolcheck" fails with the following Error:
----------------
ERROR(): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
----------------
Running "samba-tool gpo aclcheck" exits with the following error:
----------------
ERROR(): uncaught exception - 'No such element'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]
----------------

Running "samba-tool ntacl sysvolcheck" fixes all the Problems.

I manage the GPOs with RSAT on a Windows 10 Machine. I have two DCs replicated with rsync:
Here are the smb.conf
----dc1------
# Global parameters
[global]
workgroup = EXAMPLE
realm = EXAMPLE.NET
comment = Samba 4.3.2
netbios name = SAMBABUCH
server role = active directory domain controller
dns forwarder = 8.8.8.8
interfaces = 192.168.56.11
bind interfaces only = yes

[netlogon]
path = /var/lib/samba/sysvol/example.net/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
-------------

-----dc2-----
# Global parameters
[global]
workgroup = EXAMPLE
realm = example.net
netbios name = SAMBABUCH-DC2
server role = active directory domain controller
dns forwarder = 8.8.8.8
interfaces = 192.168.56.21
bind interfaces only = yes

[netlogon]
path = /var/lib/samba/sysvol/example.net/scripts
read only = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = yes
-------------
This is the replication-command:
-------------
rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl at sambabuch/sysvol/ /var/lib/samba/sysvol/
-------------
I can reproduce this on any installation on any distribution.

So is it a bug?

Stefan

From rpenny at samba.org Mon Dec 28 09:57:41 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 28 Dec 2015 09:57:41 +0000
Subject: [Samba] Wrong interface on AD Provisioning
In-Reply-To: <568070BD.5000808@troja.ch>
References: <568030D5.3070101@troja.ch> <56804073.80904@samba.org> <568070BD.5000808@troja.ch>
Message-ID: <56810795.1030700@samba.org>

On 27/12/15 23:14, Viktor Trojanovic wrote:
>
>
> On 27.12.2015 20:48, Marc Muehlfeld wrote:
>> Hello Viktor,
>>
>> On 27.12.2015 at 19:41, Viktor Trojanovic wrote:
>>> When I provisioned a new AD domain, I used the wrong network interface
>>> in the provisioning command.
>>>
>>> samba-tool domain provision --option="interfaces=lo eth2"
>>> --option="bind
>>> interfaces only=yes" --use-rfc2307 --use-xattrs=yes --interactive
>>>
>>> I should have used eth1 instead of eth2. The latter had no IP address
>>> attached to it so that there is no (correct) A record in the internal
>>> DNS for the DC. At any rate host -t A dc.samdom.domain.com is returning
>>> an error (Host not found: 3(NXDOMAIN)).
>>>
>>> How can I correct this *without* MS Windows RSAT? Can I just run the
>>> same command again and it will overwrite the previous config?
>> * Remove the smb.conf. Otherwise, you have to fix the 'interfaces'
>> option values manually.
>>
>> * Remove all databases (/usr/local/samba/var/ and
>> /usr/local/samba/private/). Not all files will be overwritten, so it's
>> better to remove all, instead of mixing something up.
>>
>> * re-run the command.
>>
>> Warning: You will lose your entire domain! Everything has to be
>> re-created (users, groups, machines need to be rejoined, etc.).
>>
>>
>> Regards,
>> Marc
>
> That's what I was looking for. Thanks.
>

Hi Marc, if, as you say, you need to remove everything before reprovisioning, why are there these lines in the provisioning code (/samba/provision/__init__.py):

def provision(logger, session_info, smbconf=None,
    """Provision samba4

    :note: caution, this wipes all existing data!
    """

And:

def setup_samdb_partitions(samdb_path, logger, lp, session_info,
    """Setup the partitions for the SAM database.

    Alternatively, provision() may call this, and then populate the database.

    :note: This will wipe the Sam Database!

    :note: This function always removes the local SAM LDB file. The erase
        parameter controls whether to erase the existing data, which
        may not be stored locally but in LDAP.

If I have to reprovision, I just remove smb.conf and I have never had a problem.

Rowland

From belle at bazuin.nl Mon Dec 28 10:07:04 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Mon, 28 Dec 2015 11:07:04 +0100
Subject: [Samba] Wrong ACL on GPO
In-Reply-To: <5681074D.9060700@kania-online.de>
References: <5681074D.9060700@kania-online.de>
Message-ID:

Hai Stefan,

If you look from within windows, are your sysvol rights ok?
If so, just ignore these messages.
I think there is nothing wrong with your sysvol rights, old bug imo.
Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Stefan Kania > Verzonden: maandag 28 december 2015 10:56 > Aan: samba at lists.samba.org > Onderwerp: [Samba] Wrong ACL on GPO > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hello, > > I use Samba 4.3.3 and Rowland it dosn't metter if I build it by my > self or install tehe SerNet-Packages ;-) > Everytime I craete a new GPO or change something in an existing GPO, > the test with "samba-tool ntacl sysvolcheck" fails with the following > Error: > - ---------------- > ERROR(): uncaught exception > - - ProvisioningError: DB ACL on GPO directory > /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87 > CD150568} > O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0 > x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0 > x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) > does not match expected value > O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0 > x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0 > x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) > from GPO object > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 175, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line > 249, in run > lp) > File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > line 1733, in checksysvolacl > direct_db_access) > File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > line 1684, in check_gpos_acl > domainsid, direct_db_access) > File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", > line 1631, in check_dir_acl > raise ProvisioningError('%s ACL on GPO directory %s %s does not > match expected value %s from GPO object' % > (acl_type(direct_db_access), path, fsacl_sddl, acl)) > - ---------------- > Running "samba-tool gpo aclcheck" exits with the 
following error: > - ---------------- > ERROR(): uncaught exception - 'No such > element' > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", > line 175, in _run > return self.run(*args, **kwargs) > File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line > 1150, in run > ds_sd_ndr = m['nTSecurityDescriptor'][0] > - ---------------- > > Running "samba-tool ntacl sysvolcheck" fixes all the Problems. > > I manage the GPOs with RSAT on a Windows 10 Machine. I have two DCs > replicated with rsync: > Here are the smb.conf > - ----dc1------ > # Global parameters > [global] > workgroup = EXAMPLE > realm = EXAMPLE.NET > comment = Samba 4.3.2 > netbios name = SAMBABUCH > server role = active directory domain controller > dns forwarder = 8.8.8.8 > interfaces = 192.168.56.11 > bind interfaces only = yes > > [netlogon] > path = /var/lib/samba/sysvol/example.net/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > - ------------- > > - -----dc2----- > # Global parameters > [global] > workgroup = EXAMPLE > realm = example.net > netbios name = SAMBABUCH-DC2 > server role = active directory domain controller > dns forwarder = 8.8.8.8 > interfaces = 192.168.56.21 > bind interfaces only = yes > > [netlogon] > path = /var/lib/samba/sysvol/example.net/scripts > read only = yes > > [sysvol] > path = /var/lib/samba/sysvol > read only = yes > - ------------- > This is the replication-command: > - ------------- > rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass > rsync://sysvol-repl at sambabuch/sysvol/ /var/lib/samba/sysvol/ > - ------------- > I can reproduce this on any installation on any distribution. > > So is it a bug? 
> > Stefan > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.22 (GNU/Linux) > > iEYEARECAAYFAlaBB0wACgkQ2JOGcNAHDTbxPgCgmaL0gHn1ZJmBnre2LPQRC26t > S9oAn0bOKhDXp35r6bu2d9AX43uyAose > =gdCy > -----END PGP SIGNATURE----- > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba From rpenny at samba.org Mon Dec 28 11:22:13 2015 From: rpenny at samba.org (Rowland penny) Date: Mon, 28 Dec 2015 11:22:13 +0000 Subject: [Samba] Wrong ACL on GPO In-Reply-To: References: <5681074D.9060700@kania-online.de> Message-ID: <56811B65.703@samba.org> On 28/12/15 10:07, L.P.H. van Belle wrote: > Hai Stefan, > > If you look from within windows, are you sysvol rights ok? > If so, just ignore these message. > There think there is nothing wrong with your sysvol rights, old bug imo. > > Greetz, > > Louis > > > > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Stefan Kania >> Verzonden: maandag 28 december 2015 10:56 >> Aan: samba at lists.samba.org >> Onderwerp: [Samba] Wrong ACL on GPO >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hello, >> >> I use Samba 4.3.3 and Rowland it dosn't metter if I build it by my >> self or install tehe SerNet-Packages ;-) >> Everytime I craete a new GPO or change something in an existing GPO, >> the test with "samba-tool ntacl sysvolcheck" fails with the following >> Error: >> - ---------------- >> ERROR(): uncaught exception >> - - ProvisioningError: DB ACL on GPO directory >> /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87 >> CD150568} >> O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0 >> x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0 >> x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) >> does not match expected value >> O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0 >> 
x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0 >> x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) >> from GPO object >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", >> line 175, in _run >> return self.run(*args, **kwargs) >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line >> 249, in run >> lp) >> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >> line 1733, in checksysvolacl >> direct_db_access) >> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >> line 1684, in check_gpos_acl >> domainsid, direct_db_access) >> File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", >> line 1631, in check_dir_acl >> raise ProvisioningError('%s ACL on GPO directory %s %s does not >> match expected value %s from GPO object' % >> (acl_type(direct_db_access), path, fsacl_sddl, acl)) >> - ---------------- >> Running "samba-tool gpo aclcheck" exits with the following error: >> - ---------------- >> ERROR(): uncaught exception - 'No such >> element' >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", >> line 175, in _run >> return self.run(*args, **kwargs) >> File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line >> 1150, in run >> ds_sd_ndr = m['nTSecurityDescriptor'][0] >> - ---------------- >> >> Running "samba-tool ntacl sysvolcheck" fixes all the Problems. >> >> I manage the GPOs with RSAT on a Windows 10 Machine. 
I have two DCs
>> replicated with rsync:
>> Here are the smb.conf
>> - ----dc1------
>> # Global parameters
>> [global]
>> workgroup = EXAMPLE
>> realm = EXAMPLE.NET
>> comment = Samba 4.3.2
>> netbios name = SAMBABUCH
>> server role = active directory domain controller
>> dns forwarder = 8.8.8.8
>> interfaces = 192.168.56.11
>> bind interfaces only = yes
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/example.net/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>> - -------------
>>
>> - -----dc2-----
>> # Global parameters
>> [global]
>> workgroup = EXAMPLE
>> realm = example.net
>> netbios name = SAMBABUCH-DC2
>> server role = active directory domain controller
>> dns forwarder = 8.8.8.8
>> interfaces = 192.168.56.21
>> bind interfaces only = yes
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/example.net/scripts
>> read only = yes
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = yes
>> - -------------
>> This is the replication-command:
>> - -------------
>> rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass
>> rsync://sysvol-repl at sambabuch/sysvol/ /var/lib/samba/sysvol/
>> - -------------
>> I can reproduce this on any installation on any distribution.
>>
>> So is it a bug?
>>
>> Stefan
>>
>

As Louis says, this is nothing to worry about. The error message tells you that the policy ACL doesn't match what is expected, but if you examine what the difference is, you will find this: O:DAG:DAD:PAI against the expected O:DAG:DAD:PAR, everything else is the same.

If we break this down we get the owner O:DA (Domain Admins), group G:DA (Domain Admins) and the DACLs D:PAI & D:PAR; we can break these down further:

D = DACL
P = Protected against inheriting
AI = Automatically propagate the ACL to child objects (assuming P not set deeper),
AR = same as AI but checks if the file system supports automatic propagation of inheritable ACEs (eg. NT4)

So, as you can see, AR is expected, but you have got AI instead and I don't think it really matters.

Rowland

From peruchi at pti.org.br Mon Dec 28 11:47:09 2015
From: peruchi at pti.org.br (Lucas Peruchi)
Date: Mon, 28 Dec 2015 09:47:09 -0200 (BRST)
Subject: [Samba] Dead Domain Controller server
In-Reply-To: <1450860211.15594.255.camel@samba.org>
References: <2107573568.31621.1450805441867.JavaMail.zimbra@pti.org.br> <1450860211.15594.255.camel@samba.org>
Message-ID: <2091365207.280641.1451303229950.JavaMail.zimbra@pti.org.br>

Nice,

But for now, is there anything I can do? When is stable version 4.4?

It is occurring in other error logs:

Dez 28 09:41:37 samba01 samba[31522]: [2015/12/28 09:41:37.812043, 0] ../source4/rpc_server/common/forward.c:51(dcesrv_irpc_forward_callback)
Dez 28 09:41:37 samba01 samba[31522]: IRPC callback failed for DsReplicaSync - NT_STATUS_OBJECT_NAME_NOT_FOUND

And this losing sync between them after they updated to version 4.3.3, has it some relation to the dead server?

Best regards,

Lucas M. Peruchi
Information and Communication Technology
Fundação Parque Tecnológico Itaipu – Brasil
Contact: +55 (45) 3576-7231 / +55 (45) 9151-5497
www.pti.org.br

"The Fundação Parque Tecnológico Itaipu - Brasil clarifies that, under its Statute, this message does not imply the assumption of obligations on its behalf."
----- Original Message -----
From: "Andrew Bartlett"
To: "Lucas Peruchi", samba at lists.samba.org
Sent: Wednesday, 23 December 2015 6:43:31
Subject: Re: [Samba] Dead Domain Controller server

On Tue, 2015-12-22 at 15:30 -0200, Lucas Peruchi wrote:
> Good afternoon,
>
> I have an environment with 4 Samba 4 servers and yesterday one of them died. I tried removing it and it was not found, then recreated the server with the same name and joined it as a DC; however, it created a new uuid and sync between the servers stopped. I had to force a sync:
>
> # samba-tool drs replicate samba02 samba01 DC=example,DC=com,DC=br
> # samba-tool drs replicate samba03 samba01 DC=example,DC=com,DC=br
> # samba-tool drs replicate samba04 samba01 DC=example,DC=com,DC=br
>
> And also performed on the 4 servers:
>
> # samba_dnsupdate --verbose --all-names
> # samba-tool dbcheck
> Checking 4376 objects
> Checked 4376 objects (0 errors)
>
> But an error still occurs:
>
> Failed to bind to uuid e3514235-4b06-11d1-ab04-00c04fc2dcd2 for ncacn_ip_tcp:192.168.0.195[1024,seal,krb5,target_hostname=092bc931-4e23-416d-bc04-218e3fc8ef62._msdcs.example.com.br,target_principal=E3514235-4B06-11D1-AB04-00C04FC2DCD2/092bc931-4e23-416d-bc04-218e3fc8ef62/example.com.br at example.com.br,abstract_syntax=e3514235-4b06-11d1-ab04-00c04fc2dcd2/0x00000004,localaddress=192.168.0.5] NT_STATUS_INVALID_PARAMETER
>
> This error shows up every second in the log. Is there a safe way to remove the old domain server? How should I have proceeded to remove a dead Samba4 DC from the domain?
>
> Samba: 4.3.3
> OS: Centos 7
> Bind: 9.9.4-29

Samba git master (and so 4.4 when we release it) has a new 'samba-tool domain demote --remove-other-dead-server' option designed to clean up exactly this.
Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

From shahsaurabh0103 at gmail.com  Mon Dec 28 11:48:58 2015
From: shahsaurabh0103 at gmail.com (Saurabh Shah)
Date: Mon, 28 Dec 2015 17:18:58 +0530
Subject: [Samba] Getting Started
Message-ID:

Hello,

My name is Saurabh Shah and I am a second-year undergraduate student at DA-IICT, Gandhinagar, India. I am new to open source organizations and I find your organization an appropriate one to work on. I know the C language very well and am eager to learn whatever the suitable project demands. So please guide me on how to get started with any specific project, solving bugs, etc.

Thanking you,
Saurabh Shah.

From thomas.rosenstein at itdata.at  Mon Dec 28 11:44:26 2015
From: thomas.rosenstein at itdata.at (Thomas Rosenstein)
Date: Mon, 28 Dec 2015 12:44:26 +0100
Subject: [Samba] Wrong ACL on GPO
In-Reply-To: <56811B65.703@samba.org>
References: <5681074D.9060700@kania-online.de> <56811B65.703@samba.org>
Message-ID: <05F6D1DF-B511-4A99-9080-2A616326F5AD@itdata.at>

Hi,

to chime in here, I had the same problem! I added `samba-tool ntacl sysvolcheck` to my rsync script, which fixed all issues for me.

Not sure if you got problems with the GPO besides the check; mine failed and the computers didn't have access to them.

Thomas

On 28 Dec 2015, at 12:22, Rowland penny wrote:

> On 28/12/15 10:07, L.P.H. van Belle wrote:
>> Hai Stefan,
>>
>> If you look from within Windows, are your sysvol rights OK?
>> If so, just ignore these messages.
>> I think there is nothing wrong with your sysvol rights, old bug imo.
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original Message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Kania
>>> Sent: Monday, 28 December 2015 10:56
>>> To: samba at lists.samba.org
>>> Subject: [Samba] Wrong ACL on GPO
>>>
>>> Hello,
>>>
>>> I use Samba 4.3.3 and, Rowland, it doesn't matter if I build it myself or install the SerNet packages ;-)
>>> Every time I create a new GPO or change something in an existing GPO, the test with "samba-tool ntacl sysvolcheck" fails with the following error:
>>> ----------------
>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) from GPO object
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>>>     lp)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
>>>     direct_db_access)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
>>>     domainsid, direct_db_access)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>>> ----------------
>>> Running "samba-tool gpo aclcheck" exits with the following error:
>>> ----------------
>>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>>>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
>>> ----------------
>>>
>>> Running "samba-tool ntacl sysvolcheck" fixes all the problems.
>>>
>>> I manage the GPOs with RSAT on a Windows 10 machine. I have two DCs replicated with rsync. Here are the smb.conf files:
>>> ----dc1------
>>> # Global parameters
>>> [global]
>>>         workgroup = EXAMPLE
>>>         realm = EXAMPLE.NET
>>>         comment = Samba 4.3.2
>>>         netbios name = SAMBABUCH
>>>         server role = active directory domain controller
>>>         dns forwarder = 8.8.8.8
>>>         interfaces = 192.168.56.11
>>>         bind interfaces only = yes
>>>
>>> [netlogon]
>>>         path = /var/lib/samba/sysvol/example.net/scripts
>>>         read only = No
>>>
>>> [sysvol]
>>>         path = /var/lib/samba/sysvol
>>>         read only = No
>>> -------------
>>>
>>> -----dc2-----
>>> # Global parameters
>>> [global]
>>>         workgroup = EXAMPLE
>>>         realm = example.net
>>>         netbios name = SAMBABUCH-DC2
>>>         server role = active directory domain controller
>>>         dns forwarder = 8.8.8.8
>>>         interfaces = 192.168.56.21
>>>         bind interfaces only = yes
>>>
>>> [netlogon]
>>>         path = /var/lib/samba/sysvol/example.net/scripts
>>>         read only = yes
>>>
>>> [sysvol]
>>>         path = /var/lib/samba/sysvol
>>>         read only = yes
>>> -------------
>>> This is the replication command:
>>> -------------
>>> rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl at sambabuch/sysvol/ /var/lib/samba/sysvol/
>>> -------------
>>> I can reproduce this on any installation on any distribution.
>>>
>>> So is it a bug?
>>>
>>> Stefan
>>
>
> As Louis says, this is nothing to worry about. The error message tells you that the policy ACL doesn't match what is expected, but if you examine what the difference is, you will find this: O:DAG:DAD:PAI against the expected O:DAG:DAD:PAR; everything else is the same. If we break this down we get the owner O:DA (Domain Admins), the group G:DA (Domain Admins) and the DACLs D:PAI & D:PAR, which we can break down further:
>
> D = DACL
> P = Protected against inheriting
> AI = Automatically propagate the ACL to child objects (assuming P not set deeper),
> AR = same as AI but checks if the file system supports automatic propagation of inheritable ACEs (e.g. NT4)
>
> So, as you can see, AR is expected, but you have got AI instead and I don't think it really matters.
>
> Rowland

From stefan at kania-online.de  Mon Dec 28 12:55:37 2015
From: stefan at kania-online.de (Stefan Kania)
Date: Mon, 28 Dec 2015 13:55:37 +0100
Subject: [Samba] Wrong ACL on GPO
In-Reply-To:
References: <5681074D.9060700@kania-online.de>
Message-ID: <56813149.80102@kania-online.de>

On 28.12.2015 at 11:07, L.P.H. van Belle wrote:
> Hai Stefan,
>
> If you look from within Windows, are your sysvol rights OK?

Yes, I checked it and everything is OK here.

> If so, just ignore these messages. I think there is nothing
> wrong with your sysvol rights, old bug imo.

I didn't see this before.
Might be a combination of Windows 10 and Samba.

Stefan

>
> Greetz,
>
> Louis
>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Kania
>> Sent: Monday, 28 December 2015 10:56
>> To: samba at lists.samba.org
>> Subject: [Samba] Wrong ACL on GPO
>>
>> Hello,
>>
>> I use Samba 4.3.3 and, Rowland, it doesn't matter if I build it myself or install the SerNet packages ;-)
>> Every time I create a new GPO or change something in an existing GPO, the test with "samba-tool ntacl sysvolcheck" fails with the following error:
>> ----------------
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) from GPO object
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>>     lp)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
>>     direct_db_access)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
>>     domainsid, direct_db_access)
>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>> ----------------
>> Running "samba-tool gpo aclcheck" exits with the following error:
>> ----------------
>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
>> ----------------
>>
>> Running "samba-tool ntacl sysvolcheck" fixes all the problems.
>>
>> I manage the GPOs with RSAT on a Windows 10 machine. I have two DCs replicated with rsync. Here are the smb.conf files:
>> ----dc1------
>> # Global parameters
>> [global]
>>         workgroup = EXAMPLE
>>         realm = EXAMPLE.NET
>>         comment = Samba 4.3.2
>>         netbios name = SAMBABUCH
>>         server role = active directory domain controller
>>         dns forwarder = 8.8.8.8
>>         interfaces = 192.168.56.11
>>         bind interfaces only = yes
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/example.net/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = No
>> -------------
>>
>> -----dc2-----
>> # Global parameters
>> [global]
>>         workgroup = EXAMPLE
>>         realm = example.net
>>         netbios name = SAMBABUCH-DC2
>>         server role = active directory domain controller
>>         dns forwarder = 8.8.8.8
>>         interfaces = 192.168.56.21
>>         bind interfaces only = yes
>>
>> [netlogon]
>>         path = /var/lib/samba/sysvol/example.net/scripts
>>         read only = yes
>>
>> [sysvol]
>>         path = /var/lib/samba/sysvol
>>         read only = yes
>> -------------
>> This is the replication command:
>> -------------
>> rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl at sambabuch/sysvol/ /var/lib/samba/sysvol/
>> -------------
>> I can reproduce this on any installation on any distribution.
>>
>> So is it a bug?
>>
>> Stefan
>

--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam. Sign your e-mail.
Further information at http://www.gnupg.org
My key is on hkp://subkeys.pgp.net

From stefan at kania-online.de  Mon Dec 28 12:57:07 2015
From: stefan at kania-online.de (Stefan Kania)
Date: Mon, 28 Dec 2015 13:57:07 +0100
Subject: [Samba] Wrong ACL on GPO [solved]
In-Reply-To: <05F6D1DF-B511-4A99-9080-2A616326F5AD@itdata.at>
References: <5681074D.9060700@kania-online.de> <56811B65.703@samba.org>
 <05F6D1DF-B511-4A99-9080-2A616326F5AD@itdata.at>
Message-ID: <568131A3.3010505@kania-online.de>

On 28.12.2015 at 12:44, Thomas Rosenstein wrote:
> Hi,
>
> to chime in here, I had the same problem! I added `samba-tool
> ntacl sysvolcheck` to my rsync script, which fixed all issues for
> me.
>

For me too.

> Not sure if you got problems with the GPO besides the check; mine
> failed and the computers didn't have access to them.

Yes, that's the way I will go.

Stefan

>
> Thomas
>
> On 28 Dec 2015, at 12:22, Rowland penny wrote:
>
>> On 28/12/15 10:07, L.P.H. van Belle wrote:
>>> Hai Stefan,
>>>
>>> If you look from within Windows, are your sysvol rights OK? If
>>> so, just ignore these messages. I think there is nothing
>>> wrong with your sysvol rights, old bug imo.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>> -----Original Message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan Kania
>>>> Sent: Monday, 28 December 2015 10:56
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Wrong ACL on GPO
>>>>
>>>> Hello,
>>>>
>>>> I use Samba 4.3.3 and, Rowland, it doesn't matter if I build it myself or install the SerNet packages ;-)
>>>> Every time I create a new GPO or change something in an existing GPO, the test with "samba-tool ntacl sysvolcheck" fails with the following error:
>>>> ----------------
>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/example.net/Policies/{BE881E3F-DDDE-48A6-9279-4C87CD150568} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) from GPO object
>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>     return self.run(*args, **kwargs)
>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>>>>     lp)
>>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
>>>>     direct_db_access)
>>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
>>>>     domainsid, direct_db_access)
>>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
>>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>>>> ----------------
>>>> Running "samba-tool gpo aclcheck" exits with the following error:
>>>> ----------------
>>>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>     return self.run(*args, **kwargs)
>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
>>>>     ds_sd_ndr = m['nTSecurityDescriptor'][0]
>>>> ----------------
>>>>
>>>> Running "samba-tool ntacl sysvolcheck" fixes all the problems.
>>>>
>>>> I manage the GPOs with RSAT on a Windows 10 machine. I have two DCs replicated with rsync. Here are the smb.conf files:
>>>> ----dc1------
>>>> # Global parameters
>>>> [global]
>>>>         workgroup = EXAMPLE
>>>>         realm = EXAMPLE.NET
>>>>         comment = Samba 4.3.2
>>>>         netbios name = SAMBABUCH
>>>>         server role = active directory domain controller
>>>>         dns forwarder = 8.8.8.8
>>>>         interfaces = 192.168.56.11
>>>>         bind interfaces only = yes
>>>>
>>>> [netlogon]
>>>>         path = /var/lib/samba/sysvol/example.net/scripts
>>>>         read only = No
>>>>
>>>> [sysvol]
>>>>         path = /var/lib/samba/sysvol
>>>>         read only = No
>>>> -------------
>>>>
>>>> -----dc2-----
>>>> # Global parameters
>>>> [global]
>>>>         workgroup = EXAMPLE
>>>>         realm = example.net
>>>>         netbios name = SAMBABUCH-DC2
>>>>         server role = active directory domain controller
>>>>         dns forwarder = 8.8.8.8
>>>>         interfaces = 192.168.56.21
>>>>         bind interfaces only = yes
>>>>
>>>> [netlogon]
>>>>         path = /var/lib/samba/sysvol/example.net/scripts
>>>>         read only = yes
>>>>
>>>> [sysvol]
>>>>         path = /var/lib/samba/sysvol
>>>>         read only = yes
>>>> -------------
>>>> This is the replication command:
>>>> -------------
>>>> rsync -XAavz --delete-after --password-file=/etc/samba/rsync.pass rsync://sysvol-repl at sambabuch/sysvol/ /var/lib/samba/sysvol/
>>>> -------------
>>>> I can reproduce this on any installation on any distribution.
>>>>
>>>> So is it a bug?
>>>>
>>>> Stefan
>>>
>>
>> As Louis says, this is nothing to worry about.
>> The error message tells you that the policy ACL doesn't match what is expected, but if you examine what the difference is, you will find this: O:DAG:DAD:PAI against the expected O:DAG:DAD:PAR; everything else is the same. If we break this down we get the owner O:DA (Domain Admins), the group G:DA (Domain Admins) and the DACLs D:PAI & D:PAR, which we can break down further:
>>
>> D = DACL
>> P = Protected against inheriting
>> AI = Automatically propagate the ACL to child objects (assuming P not set deeper),
>> AR = same as AI but checks if the file system supports automatic propagation of inheritable ACEs (e.g. NT4)
>>
>> So, as you can see, AR is expected, but you have got AI instead and I don't think it really matters.
>>
>> Rowland
>

From lingpanda101 at gmail.com  Mon Dec 28 14:06:55 2015
From: lingpanda101 at gmail.com (James)
Date: Mon, 28 Dec 2015 09:06:55 -0500
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <567C1E24.40603@samba.org>
References: <5672D072.9010901@samba.org> <5672D6AA.4070907@tu-berlin.de>
 <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de>
 <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de>
 <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de>
 <56741B45.70500@samba.org> <567425E2.5000504@tu-berlin.de>
 <56742E8E.5070303@samba.org> <56792988.9090903@tu-berlin.de>
 <567AEBF7.5090404@gmail.com> <567C1E24.40603@samba.org>
Message-ID: <568141FF.2060404@gmail.com>

On 12/24/2015 11:32 AM, Rowland penny wrote:
> On 24/12/15 15:32, mathias dufresne wrote:
>> And to get the mentioned entries list I used:
>> "samba_dnsupdate --verbose --all-names | grep Default-First-Site-name"
>>
>> This lists 8 DNS records related to the Default Site.
>>
>> Next was to replace Default-First... with the name of another AD Site (sed is still working :p)
>>
>> I was able to create the DNS entries which were missing for one of my sites.
>>
>> Next, test:
>> Back on one Windows machine on the network associated with that AD Site, reboot it, and tcpdump on my DNS server (all requests go through this DNS server)
>>
>> 1° Site-related DNS SRV request:
>> 35752:15:24:38.907301 IP 10.156.248.244.64390 > dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ SRV? _ldap._tcp.authentification._sites.dc._msdcs.ad.dgfip.finances.gouv.fr. (88)
>> 2° Site-related DNS SRV reply:
>> 35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain > 10.156.248.244.64390: 23013 2/2/4 SRV m705.ad.dgfip.finances.gouv.fr.:389 0 100, SRV m706.ad.dgfip.finances.gouv.fr.:389 0 100 (291)
>>
>> 3° Then an A request for one DC returned by the previous request:
>> 35754-15:24:38.908731 IP 10.156.248.244.56932 > dns1.ad.dgfip.finances.gouv.fr.domain: 16037+ A? m705.ad.dgfip.finances.gouv.fr. (48)
>> 4° The reply:
>> 35755-15:24:38.908859 IP dns1.ad.dgfip.finances.gouv.fr.domain > 10.156.248.244.56932: 16037 1/2/2 A 10.156.248.222 (135)
>>
>> Now my Windows clients receive an answer when they request the SRV record according to the AD site they belong to.
>>
>> I must say I've also manually declared each DC as NS. As explained yesterday evening I don't think this should be important (even if I said the contrary a few weeks ago).
>> NS records should be used only when clients use a DNS server which is not AD DNS and if the declared DNS server on the client does not need to ask the upper level for NS.
>> This is so badly described, here is an example of my thought:
>> With AD Domain = samba.org
>> and Win_client -> non-AD DNS server, and nothing configured on this DNS to help it find the samba.org name servers
>>
>> When Win_client asks the DNS server about samba.org, as the DNS server does not know anything about samba.org, the DNS server would ask the root DNS server (the one for ORG) which servers are responsible for samba.org. Here is the case where NS should be used.
>>
>> And with my lack of knowledge about DNS I don't see any other case where NS should be used.
>>
>
> Hi Mathias, one of the problems with your setup is that you seem to be running DNS differently from what Samba (and for that matter, Windows) recommends: you seem to be using a DNS server that is not an AD DC.
>
> Normally to find a DC, you would ask the DNS server that is authoritative for the domain; with a Samba AD domain this is usually a DC, and is identified by its SOA record, which is supposed to contain the authoritative name servers.
> Now, with a Samba domain, if you use the internal DNS server, you only get *one* authoritative name server even if you add the required records to the domain SOA. The net result is, if the first DC in the domain goes down, you don't have an authoritative name server. If you use bind9 instead of the internal DNS server, each DC becomes authoritative for the domain after you add the required records to the domain SOA.
>
> As you are using bind9 (although in a non-recommended way), each of your DCs will be authoritative as you have added the required records.
>
> When I get the time, I will create a bug report for this; this will probably be after Christmas though.
>
> Rowland
>

I'm using the internal DNS and I have all the necessary SRV records for all my sites and DCs. They were created automatically by Samba. You should have the following if missing.
Forward Lookup Zones/Domain_Name/_msdcs/dc/_sites/Default-First-Site-Name/_tcp
Forward Lookup Zones/Domain_Name/_msdcs/dc/_tcp

You should have a SRV record for the following.

_kerberos

and

_ldap

--
-James

From rpenny at samba.org  Mon Dec 28 14:21:24 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 28 Dec 2015 14:21:24 +0000
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <568141FF.2060404@gmail.com>
References: <5672D6AA.4070907@tu-berlin.de> <5673D580.3060306@samba.org>
 <5673EBD4.5040308@tu-berlin.de> <5673EE50.4080808@samba.org>
 <5673F6ED.9090209@tu-berlin.de> <5674109D.7090406@samba.org>
 <567416EE.6060003@tu-berlin.de> <56741B45.70500@samba.org>
 <567425E2.5000504@tu-berlin.de> <56742E8E.5070303@samba.org>
 <56792988.9090903@tu-berlin.de> <567AEBF7.5090404@gmail.com>
 <567C1E24.40603@samba.org> <568141FF.2060404@gmail.com>
Message-ID: <56814564.1060502@samba.org>

On 28/12/15 14:06, James wrote:
> On 12/24/2015 11:32 AM, Rowland penny wrote:
>> On 24/12/15 15:32, mathias dufresne wrote:
>>> And to get the mentioned entries list I used:
>>> "samba_dnsupdate --verbose --all-names | grep Default-First-Site-name"
>>>
>>> This lists 8 DNS records related to the Default Site.
>>>
>>> Next was to replace Default-First... with the name of another AD Site (sed is still working :p)
>>>
>>> I was able to create the DNS entries which were missing for one of my sites.
>>>
>>> Next, test:
>>> Back on one Windows machine on the network associated with that AD Site, reboot it, and tcpdump on my DNS server (all requests go through this DNS server)
>>>
>>> 1° Site-related DNS SRV request:
>>> 35752:15:24:38.907301 IP 10.156.248.244.64390 > dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ SRV? _ldap._tcp.authentification._sites.dc._msdcs.ad.dgfip.finances.gouv.fr. (88)
>>> 2° Site-related DNS SRV reply:
>>> 35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain > 10.156.248.244.64390: 23013 2/2/4 SRV m705.ad.dgfip.finances.gouv.fr.:389 0 100, SRV m706.ad.dgfip.finances.gouv.fr.:389 0 100 (291)
>>>
>>> 3° Then an A request for one DC returned by the previous request:
>>> 35754-15:24:38.908731 IP 10.156.248.244.56932 > dns1.ad.dgfip.finances.gouv.fr.domain: 16037+ A? m705.ad.dgfip.finances.gouv.fr. (48)
>>> 4° The reply:
>>> 35755-15:24:38.908859 IP dns1.ad.dgfip.finances.gouv.fr.domain > 10.156.248.244.56932: 16037 1/2/2 A 10.156.248.222 (135)
>>>
>>> Now my Windows clients receive an answer when they request the SRV record according to the AD site they belong to.
>>>
>>> I must say I've also manually declared each DC as NS. As explained yesterday evening I don't think this should be important (even if I said the contrary a few weeks ago).
>>> NS records should be used only when clients use a DNS server which is not AD DNS and if the declared DNS server on the client does not need to ask the upper level for NS.
>>> This is so badly described, here is an example of my thought:
>>> With AD Domain = samba.org
>>> and Win_client -> non-AD DNS server, and nothing configured on this DNS to help it find the samba.org name servers
>>>
>>> When Win_client asks the DNS server about samba.org, as the DNS server does not know anything about samba.org, the DNS server would ask the root DNS server (the one for ORG) which servers are responsible for samba.org. Here is the case where NS should be used.
>>>
>>> And with my lack of knowledge about DNS I don't see any other case where NS should be used.
>>>
>>
>> Hi Mathias, one of the problems with your setup is that you seem to be running DNS differently from what Samba (and for that matter, Windows) recommends: you seem to be using a DNS server that is not an AD DC.
>>
>> Normally to find a DC, you would ask the DNS server that is authoritative for the domain; with a Samba AD domain this is usually a DC, and is identified by its SOA record, which is supposed to contain the authoritative name servers.
>> Now, with a Samba domain, if you use the internal DNS server, you only get *one* authoritative name server even if you add the required records to the domain SOA. The net result is, if the first DC in the domain goes down, you don't have an authoritative name server. If you use bind9 instead of the internal DNS server, each DC becomes authoritative for the domain after you add the required records to the domain SOA.
>>
>> As you are using bind9 (although in a non-recommended way), each of your DCs will be authoritative as you have added the required records.
>>
>> When I get the time, I will create a bug report for this; this will probably be after Christmas though.
>>
>> Rowland
>>
> I'm using the internal DNS and I have all the necessary SRV records for all my sites and DCs. They were created automatically by Samba. You should have the following if missing.
>
> Forward Lookup Zones/Domain_Name/_msdcs/dc/_sites/Default-First-Site-Name/_tcp
> Forward Lookup Zones/Domain_Name/_msdcs/dc/_tcp
>
> You should have a SRV record for the following.
>
> _kerberos
>
> and
>
> _ldap
>

Ah, I think you are missing the point here James: yes, you need all the SRV records etc. that you refer to, but, from my testing, if you use the internal DNS server, you will only have one authoritative nameserver for the DNS domain, even if you add the NS & A records to the zone SOA. I cannot log into the second DC via ssh if I turn off the first DC, something that does work if I use the bind9 server.
Rowland

From lingpanda101 at gmail.com  Mon Dec 28 14:34:43 2015
From: lingpanda101 at gmail.com (James)
Date: Mon, 28 Dec 2015 09:34:43 -0500
Subject: [Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline
In-Reply-To: <56814564.1060502@samba.org>
References: <5673D580.3060306@samba.org> <5673EBD4.5040308@tu-berlin.de>
 <5673EE50.4080808@samba.org> <5673F6ED.9090209@tu-berlin.de>
 <5674109D.7090406@samba.org> <567416EE.6060003@tu-berlin.de>
 <56741B45.70500@samba.org> <567425E2.5000504@tu-berlin.de>
 <56742E8E.5070303@samba.org> <56792988.9090903@tu-berlin.de>
 <567AEBF7.5090404@gmail.com> <567C1E24.40603@samba.org>
 <568141FF.2060404@gmail.com> <56814564.1060502@samba.org>
Message-ID: <56814883.2050704@gmail.com>

On 12/28/2015 9:21 AM, Rowland penny wrote:
> On 28/12/15 14:06, James wrote:
>> On 12/24/2015 11:32 AM, Rowland penny wrote:
>>> On 24/12/15 15:32, mathias dufresne wrote:
>>>> And to get the mentioned entries list I used:
>>>> "samba_dnsupdate --verbose --all-names | grep Default-First-Site-name"
>>>>
>>>> This lists 8 DNS records related to the Default Site.
>>>>
>>>> Next was to replace Default-First... with the name of another AD Site (sed is still working :p)
>>>>
>>>> I was able to create the DNS entries which were missing for one of my sites.
>>>>
>>>> Next, test:
>>>> Back on one Windows machine on the network associated with that AD Site, reboot it, and tcpdump on my DNS server (all requests go through this DNS server)
>>>>
>>>> 1° Site-related DNS SRV request:
>>>> 35752:15:24:38.907301 IP 10.156.248.244.64390 > dns1.ad.dgfip.finances.gouv.fr.domain: 23013+ SRV? _ldap._tcp.authentification._sites.dc._msdcs.ad.dgfip.finances.gouv.fr. (88)
>>>> 2° Site-related DNS SRV reply:
>>>> 35753-15:24:38.907520 IP dns1.ad.dgfip.finances.gouv.fr.domain > 10.156.248.244.64390: 23013 2/2/4 SRV m705.ad.dgfip.finances.gouv.fr.:389 0 100, SRV m706.ad.dgfip.finances.gouv.fr.:389 0 100 (291)
>>>>
>>>> 3° Then an A request for one DC returned by the previous request:
>>>> 35754-15:24:38.908731 IP 10.156.248.244.56932 > dns1.ad.dgfip.finances.gouv.fr.domain: 16037+ A? m705.ad.dgfip.finances.gouv.fr. (48)
>>>> 4° The reply:
>>>> 35755-15:24:38.908859 IP dns1.ad.dgfip.finances.gouv.fr.domain > 10.156.248.244.56932: 16037 1/2/2 A 10.156.248.222 (135)
>>>>
>>>> Now my Windows clients receive an answer when they request the SRV record according to the AD site they belong to.
>>>>
>>>> I must say I've also manually declared each DC as NS. As explained yesterday evening I don't think this should be important (even if I said the contrary a few weeks ago).
>>>> NS records should be used only when clients use a DNS server which is not AD DNS and if the declared DNS server on the client does not need to ask the upper level for NS.
>>>> This is so badly described, here is an example of my thought:
>>>> With AD Domain = samba.org
>>>> and Win_client -> non-AD DNS server, and nothing configured on this DNS to help it find the samba.org name servers
>>>>
>>>> When Win_client asks the DNS server about samba.org, as the DNS server does not know anything about samba.org, the DNS server would ask the root DNS server (the one for ORG) which servers are responsible for samba.org. Here is the case where NS should be used.
>>>>
>>>> And with my lack of knowledge about DNS I don't see any other case where NS should be used.
>>>>
>>>
>>> Hi Mathias, one of the problems with your setup, is that you seem to
>>> be running dns differently from what Samba (and for that matter,
>>> windows) recommends, you seem to be using a dns server that is not
>>> an AD DC.
>>>
>>> Normally to find a DC, you would ask the dns server that is
>>> authoritative for the domain, with a Samba AD domain this is usually
>>> a DC, and is identified by its SOA record, which is supposed to
>>> contain the authoritative name servers.
>>> Now, with a Samba domain, if you use the internal dns server, you
>>> only get *one* authoritative name server even if you add the
>>> required records to the domain SOA. The net result is, if the first
>>> DC in the domain goes down, you don't have an authoritative name
>>> server. If you use bind9 instead of the internal dns server, each DC
>>> becomes authoritative for the domain after you add the required
>>> records to the domain SOA.
>>>
>>> As you are using bind9 (although in a non recommended way), each of
>>> your DCs will be authoritative as you have added the required records.
>>>
>>> When I get the time, I will create a bug report for this, this will
>>> probably be after Christmas though.
>>>
>>> Rowland
>>>
>>>
>> I'm using the internal DNS and I have all the necessary SRV records
>> for all my sites and DC's. They were created automatically by Samba.
>> You should have the following if missing.
>>
>> Forward Lookup Zones/Domain_Name/_msdcs/dc/_sites/Default-First-Site-Name/_tcp
>> Forward Lookup Zones/Domain_Name/_msdcs/dc/_tcp
>>
>> You should have a SRV record for the following.
>>
>> _kerberos
>>
>> and
>>
>> _ldap
>>
>
> Ah, I think you are missing the point here James, yes you need all the
> SRV records etc that you refer to, but, from my testing, if you use
> the internal dns server, you will only have one authoritative
> nameserver for the dns domain, even if you add the NS & A records to
> the zone SOA.
> I cannot log into the second DC via ssh if I turn off the first DC,
> something that does work if I use the bind9 server.
>
> Rowland
>
>

Hello Rowland. I understand your point. You are correct. It's an issue
with the internal DNS. I was under the impression that Mathias was
missing SRV records for his sites. I wanted to confirm that SRV records
are created by Samba if using the internal DNS. It appears he isn't
using the internal DNS for Samba which may be causing some confusion?

-- 
-James

From ryana at reachtechfp.com  Mon Dec 28 15:33:53 2015
From: ryana at reachtechfp.com (Ryan Ashley)
Date: Mon, 28 Dec 2015 10:33:53 -0500
Subject: [Samba] Firewall trouble?
Message-ID: <56815661.4050208@reachtechfp.com>

I recently tried adding a firewall to my Samba 4 server using the port
information I found on the wiki. Below is a dump of the resulting rules.

root at dc01:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p gre -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
-A INPUT -i lo -j ACCEPT

As you can see, I try to prevent brute-force attacks on SSH, but accept
data, both TCP and UDP, on the ports specified by the wiki article.
However, when this firewall is on my AD DC server, logins take eons,
everything is SLOW on workstations, and sometimes authentications just
plain fail. Why?

-- 
Lead IT/IS Specialist
Reach Technology FP, Inc

From rpenny at samba.org  Mon Dec 28 16:12:29 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 28 Dec 2015 16:12:29 +0000
Subject: [Samba] Firewall trouble?
In-Reply-To: <56815661.4050208@reachtechfp.com>
References: <56815661.4050208@reachtechfp.com>
Message-ID: <56815F6D.4050504@samba.org>

On 28/12/15 15:33, Ryan Ashley wrote:
> I recently tried adding a firewall to my Samba 4 server using the port
> information I found on the wiki. Below is a dump of the resulting rules.
>
> root at dc01:~# iptables -S
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT ACCEPT
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
> -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
> -A INPUT -p gre -j ACCEPT
> -A INPUT -p esp -j ACCEPT
> -A INPUT -p ah -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
>
> As you can see, I try to prevent brute-force attacks on SSH, but
> accept data, both TCP and UDP, on the ports specified by the wiki
> article.

I would check the ports again, if I were you, you need port 389 tcp as
well as udp. Also whilst not being a firewall expert, doesn't having
port 22 mentioned at the end of the file take precedence over the
earlier line?

Rowland

From h.reindl at thelounge.net  Mon Dec 28 16:20:49 2015
From: h.reindl at thelounge.net (Reindl Harald)
Date: Mon, 28 Dec 2015 17:20:49 +0100
Subject: [Samba] Firewall trouble?
In-Reply-To: <56815F6D.4050504@samba.org>
References: <56815661.4050208@reachtechfp.com> <56815F6D.4050504@samba.org>
Message-ID: <56816161.7000903@thelounge.net>

On 28.12.2015 at 17:12, Rowland penny wrote:
> On 28/12/15 15:33, Ryan Ashley wrote:
>> I recently tried adding a firewall to my Samba 4 server using the port
>> information I found on the wiki. Below is a dump of the resulting rules.
>>
>> root at dc01:~# iptables -S
>> -P INPUT DROP
>> -P FORWARD DROP
>> -P OUTPUT ACCEPT
>> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
>> -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
>> -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
>> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
>> -A INPUT -p gre -j ACCEPT
>> -A INPUT -p esp -j ACCEPT
>> -A INPUT -p ah -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
>> -A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>>
>> As you can see, I try to prevent brute-force attacks on SSH, but
>> accept data, both TCP and UDP, on the ports specified by the wiki
>> article.
>
>
> I would check the ports again, if I were you, you need port 389 tcp as
> well as udp. Also whilst not being a firewall expert, doesn't having
> port 22 mentioned at the end of the file take precedence over the
> earlier line?

iptables works from top to bottom, the first rule which hits is a final
decision. The earlier lines are a conditional DROP after more than 4
hits within 600 seconds for a specific IP; the ACCEPT at the bottom is
needed because otherwise 22 would be closed entirely, but it never hits
for the IPs that hit the rate control at the beginning.
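The following audit script is an added example, not code from the thread or from Samba: it parses the iptables -S dump Ryan posted and checks it against the points raised in this thread, namely which ports actually reach an ACCEPT, that 389/tcp is not among them, and that the "recent" DROP for port 22 is evaluated before the ACCEPT that opens 22. The REQUIRED port set is an assumption: the AD DC ports from Ryan's rules plus 389/tcp and the 49152-65535/tcp dynamic RPC range that a 2008 functional level uses where 2003 used 1024-5000.

```python
"""Audit an 'iptables -S' dump for the AD DC port problems raised in this thread.

Added example, not from the thread or from Samba.  RULES_DUMP is Ryan's rule set
(PGP dash-escaping removed).  REQUIRED is an assumption: the AD DC ports from his
rules plus 389/tcp and the 49152-65535/tcp dynamic RPC range of a 2008 functional level.
"""
import shlex

RULES_DUMP = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p gre -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
-A INPUT -i lo -j ACCEPT
"""

REQUIRED = {
    "tcp": {53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269} | set(range(49152, 65536)),
    "udp": {53, 88, 123, 137, 138, 389, 464},
}


def _opt(argv, flag):
    """Value following `flag` in argv, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None


def expand_ports(spec):
    """Expand a --dport/--dports value such as '22,53,1024:5000' into a set of ints."""
    ports = set()
    for item in spec.split(","):
        low, _, high = item.partition(":")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def parse_rules(dump):
    """Yield (argv, target) for each -A rule in chain order; target is None without -j."""
    for line in dump.splitlines():
        argv = shlex.split(line)
        if argv and argv[0] == "-A":
            yield argv, _opt(argv, "-j")


def accepted_ports(dump):
    """Destination ports that some ACCEPT rule opens, keyed by protocol."""
    opened = {"tcp": set(), "udp": set()}
    for argv, target in parse_rules(dump):
        proto = _opt(argv, "-p")
        if target != "ACCEPT" or proto not in opened:
            continue
        spec = _opt(argv, "--dport") or _opt(argv, "--dports")
        if spec:
            opened[proto] |= expand_ports(spec)
    return opened


def as_ranges(ports):
    """Collapse a set of ports into sorted (low, high) ranges."""
    ranges = []
    for port in sorted(ports):
        if ranges and ranges[-1][1] == port - 1:
            ranges[-1][1] = port
        else:
            ranges.append([port, port])
    return [tuple(r) for r in ranges]


def missing_ports(dump, required=REQUIRED):
    """Required ports that no ACCEPT rule opens, as ranges per protocol."""
    opened = accepted_ports(dump)
    return {proto: as_ranges(required[proto] - opened[proto]) for proto in required}


def ssh_ratelimit_order(dump):
    """Chain positions of the 'recent' DROP for port 22 and of the ACCEPT opening 22.

    iptables walks a chain top to bottom and the first terminating rule wins, so the
    DROP must come first: it fires only for a source that opened 4 new connections
    within 600 seconds, and the later ACCEPT admits everyone else.
    """
    drop_idx = accept_idx = None
    for idx, (argv, target) in enumerate(parse_rules(dump)):
        spec = _opt(argv, "--dport") or _opt(argv, "--dports")
        if _opt(argv, "-p") != "tcp" or not spec or 22 not in expand_ports(spec):
            continue
        if target == "DROP" and "recent" in argv and drop_idx is None:
            drop_idx = idx
        elif target == "ACCEPT" and accept_idx is None:
            accept_idx = idx
    return drop_idx, accept_idx


if __name__ == "__main__":
    for proto, gaps in missing_ports(RULES_DUMP).items():
        print(f"{proto}: required but not opened by any ACCEPT rule: {gaps}")
    drop_idx, accept_idx = ssh_ratelimit_order(RULES_DUMP)
    print(f"port 22 rate-limit DROP is rule {drop_idx}, its ACCEPT is rule {accept_idx}")
```

Run against Ryan's dump it reports 389/tcp and 49152-65535/tcp as not opened, nothing missing on udp, and the DROP for port 22 at position 2 ahead of the ACCEPT at position 10, which is the ordering Reindl describes.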
From lingpanda101 at gmail.com  Mon Dec 28 16:27:03 2015
From: lingpanda101 at gmail.com (James)
Date: Mon, 28 Dec 2015 11:27:03 -0500
Subject: [Samba] Firewall trouble?
In-Reply-To: <56815661.4050208@reachtechfp.com>
References: <56815661.4050208@reachtechfp.com>
Message-ID: <568162D7.8090102@gmail.com>

On 12/28/2015 10:33 AM, Ryan Ashley wrote:
> I recently tried adding a firewall to my Samba 4 server using the port
> information I found on the wiki. Below is a dump of the resulting rules.
>
> root at dc01:~# iptables -S
> -P INPUT DROP
> -P FORWARD DROP
> -P OUTPUT ACCEPT
> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
> -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
> -A INPUT -p gre -j ACCEPT
> -A INPUT -p esp -j ACCEPT
> -A INPUT -p ah -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
> -A INPUT -i lo -j ACCEPT
>
> As you can see, I try to prevent brute-force attacks on SSH, but
> accept data, both TCP and UDP, on the ports specified by the wiki
> article. However, when this firewall is on my AD DC server, logins
> take eons, everything is SLOW on workstations, and sometimes
> authentications just plain fail. Why?
>
> -- 
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>

I assume this is for a DC. If so are you using functional level 2008?
You need to open ports 49152 through 65535 if you are. Level 2003 used
1025 through 5000.

-- 
-James

From hat at fa2.so-net.ne.jp  Mon Dec 28 16:34:34 2015
From: hat at fa2.so-net.ne.jp (HAT)
Date: Tue, 29 Dec 2015 01:34:34 +0900 (JST)
Subject: [Samba] vfs_fruit: cannot remove any file
Message-ID: <20151229.013434.203362852067445732.hat@fa2.so-net.ne.jp>

In the case of OS X 10.9 and later, no file can be removed.

$ rm test.txt
rm: test.txt: Resource busy

cannot remove:
OS X 10.11.2 El Capitan
OS X 10.10.5 Yosemite
OS X 10.9.5 Mavericks

can remove:
OS X 10.8.5 Mountain Lion
OS X 10.7.5 Lion
OS X 10.6.8 Snow Leopard
Windows 7

Environment:
Fedora rawhide
samba-4.3.3-0.fc24

smb.conf:
[global]
workgroup = LOCALNET
server string = %h
dos charset = CP932
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = smbpasswd
load printers = yes
cups options = raw
[Test 1]
path = /export/test1/
writable = yes
vfs objects = catia fruit streams_xattr
fruit:locking = netatalk
fruit:encoding = native
streams_xattr:prefix = user.
streams_xattr:store_stream_type = no
ea support = yes

If the "fruit:locking = netatalk" line is deleted, there is no problem.
-- 
HAT

From slow at samba.org  Mon Dec 28 17:24:17 2015
From: slow at samba.org (Ralph Boehme)
Date: Mon, 28 Dec 2015 18:24:17 +0100
Subject: [Samba] vfs_fruit: cannot remove any file
In-Reply-To: <20151229.013434.203362852067445732.hat@fa2.so-net.ne.jp>
References: <20151229.013434.203362852067445732.hat@fa2.so-net.ne.jp>
Message-ID: <20151228172416.GA10324@sernet.sernet.private>

On Tue, Dec 29, 2015 at 01:34:34AM +0900, HAT wrote:
> In the case of OS X 10.9 and later, no file can be removed.
>
> $ rm test.txt
> rm: test.txt: Resource busy
>
> cannot remove:
> OS X 10.11.2 El Capitan
> OS X 10.10.5 Yosemite
> OS X 10.9.5 Mavericks
>
> can remove:
> OS X 10.8.5 Mountain Lion
> OS X 10.7.5 Lion
> OS X 10.6.8 Snow Leopard
> Windows 7
>
> Environment:
> Fedora rawhide
> samba-4.3.3-0.fc24
>
> smb.conf:
> [global]
> workgroup = LOCALNET
> server string = %h
> dos charset = CP932
> log file = /var/log/samba/log.%m
> max log size = 50
> security = user
> passdb backend = smbpasswd
> load printers = yes
> cups options = raw
> [Test 1]
> path = /export/test1/
> writable = yes
> vfs objects = catia fruit streams_xattr
> fruit:locking = netatalk
> fruit:encoding = native
> streams_xattr:prefix = user.
> streams_xattr:store_stream_type = no
> ea support = yes
>
>
> If the "fruit:locking = netatalk" line is deleted, there is no problem.

What happens if you keep the locking but remove the streams_xattr
options?

Cheerio!
-slow

From samb at fuckaround.org  Mon Dec 28 18:19:12 2015
From: samb at fuckaround.org (Pol Hallen)
Date: Mon, 28 Dec 2015 19:19:12 +0100
Subject: [Samba] admin users permission
Message-ID:

Hi all,

I have a samba share like this:

path=/share/
writable = yes
browseable = yes
valid users = user1 user2 user3
admin users = user

I need to have a file in /share that is not possible to rename/remove,
neither by user (admin) nor by the other users.

How can I do this?
thanks for help

Pol

From jorgito1412 at gmail.com  Mon Dec 28 20:13:46 2015
From: jorgito1412 at gmail.com (George)
Date: Mon, 28 Dec 2015 17:13:46 -0300
Subject: [Samba] FSMO commands not working on 4.3.1
In-Reply-To:
References:
Message-ID:

On Mon, Dec 21, 2015 at 8:38 PM, Hiroshi K wrote:

> I ran into the same thing when I upgraded Samba 4.0.x to 4.3.x,
> and got the same (previously quoted) error.
> (Tested on Debian 7, 8 and CentOS 7 and got the same error)
>
> I managed to solve the problem, and I'll share the info,
> hoping it'll solve yours and future releases to be better.
>
>
> The error I also got is the same as George, so I'll quote his
> (the point is 'No such element')
>
> >>> ---------
> >>> root at dc2:~# samba-tool fsmo show
> >>> ERROR(): uncaught exception - 'No such element'
> >>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
> >>>     return self.run(*args, **kwargs)
> >>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 395, in run
> >>>     domaindnszonesMaster = get_fsmo_roleowner(samdb, domaindns_dn)
> >>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/fsmo.py", line 42, in get_fsmo_roleowner
> >>>     master_owner = res[0]["fSMORoleOwner"][0]
> >>> ---------
>
> The following command returned a record, but without fSMORoleOwner
>
>
> $ /usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb --cross-ncs --show-binary -b "CN=Infrastructure,DC=ForestDnsZones,DC=test,DC=local" fSMORoleOwner
>
> # record 1
> dn: CN=Infrastructure,DC=ForestDnsZones,DC=test,DC=local
> (*** without fSMORoleOwner here ***)
>
>
> It seemed that in my case (upgrading from Samba 4.0.x),
> there were no ForestDns/DomainDnsZone entries with the right FSMO server name...
>
> And so, I prepared an ldif file and loaded it to edit it
>
> $ cat ldb.ldif
> dn: CN=Infrastructure,DC=DomainDnsZones,dc=test,dc=local
> changetype: modify
> replace: fSMORoleOwner
> fSMORoleOwner: CN=NTDS Settings,CN=SAMBA4-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
>
> $ /usr/local/samba/bin/ldbmodify -H /usr/local/samba/private/sam.ldb --cross-ncs ./ldb.ldif
> Modified 1 records successfully
>
>
> After, fsmo works properly (tested with Samba 4.3.3 on Debian 8 and CentOS 7).
>
> $ /usr/local/samba/bin/samba-tool fsmo show
> SchemaMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
> InfrastructureMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
> PdcEmulationMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
> DomainNamingMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
> DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
> ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=SAMBA4-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local
>
>
> I hope it helps!
>

This did the trick, thanks a lot!!

The roles did exist, but there was no fSMORoleOwner assigned. Is this
worth a bug report? I guess this is likely to happen to all upgrades
from previous Samba versions.

Best regards.
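An added example, not code from the thread or from Samba, that automates the check Hiroshi did by hand: it parses ldbsearch output for the Infrastructure objects of the partitions, lists those that carry no fSMORoleOwner (the 'No such element' case), picks the NTDS Settings DN the other partitions already point at, and writes the same LDIF modify record for ldbmodify --cross-ncs. LDBSEARCH_OUTPUT and NTDS_DN are constructed from the DNs in the thread, with ForestDnsZones as the partition that lost the attribute.

```python
"""Find DNS partitions whose Infrastructure object lacks fSMORoleOwner and build
the LDIF that restores it, as done by hand in the thread above.

Added example, not from the thread or from Samba.  LDBSEARCH_OUTPUT is a
constructed ldbsearch result with one record per partition (--cross-ncs style):
ForestDnsZones has lost the attribute, the other two partitions still carry it.
"""
from collections import Counter

LDBSEARCH_OUTPUT = """\
# record 1
dn: CN=Infrastructure,DC=test,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=SAMBA4-DC1,CN=Servers,CN=Default-First-Si
 te-Name,CN=Sites,CN=Configuration,DC=test,DC=local

# record 2
dn: CN=Infrastructure,DC=DomainDnsZones,DC=test,DC=local
fSMORoleOwner: CN=NTDS Settings,CN=SAMBA4-DC1,CN=Servers,CN=Default-First-Si
 te-Name,CN=Sites,CN=Configuration,DC=test,DC=local

# record 3
dn: CN=Infrastructure,DC=ForestDnsZones,DC=test,DC=local

# returned 3 records
"""

# Constructed from the DN used in the thread; on a real DC take it from the
# partitions that still have the attribute (see suggested_owner below).
NTDS_DN = ("CN=NTDS Settings,CN=SAMBA4-DC1,CN=Servers,"
           "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=local")


def parse_ldif(text):
    """Parse LDIF output into a list of {attribute: [values]} dicts.

    ldb folds long lines with a leading space on the continuation line, so
    folded lines are joined before attributes are split; '#' lines are skipped.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def missing_role_owner(text):
    """DNs of records that carry no fSMORoleOwner value."""
    return [r["dn"][0] for r in parse_ldif(text) if not r.get("fSMORoleOwner")]


def suggested_owner(text):
    """The NTDS Settings DN most records already point at, or None if none do."""
    owners = Counter(v for r in parse_ldif(text) for v in r.get("fSMORoleOwner", []))
    return owners.most_common(1)[0][0] if owners else None


def fix_ldif(dn, ntds_dn):
    """LDIF modify record (for ldbmodify --cross-ncs) that sets fSMORoleOwner."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: fSMORoleOwner\n"
            f"fSMORoleOwner: {ntds_dn}\n")


if __name__ == "__main__":
    owner = suggested_owner(LDBSEARCH_OUTPUT) or NTDS_DN
    for dn in missing_role_owner(LDBSEARCH_OUTPUT):
        print(fix_ldif(dn, owner))
```
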
From mmuehlfeld at samba.org  Mon Dec 28 20:26:12 2015
From: mmuehlfeld at samba.org (Marc Muehlfeld)
Date: Mon, 28 Dec 2015 21:26:12 +0100
Subject: [Samba] Wrong interface on AD Provisioning
In-Reply-To: <56810795.1030700@samba.org>
References: <568030D5.3070101@troja.ch> <56804073.80904@samba.org>
 <568070BD.5000808@troja.ch> <56810795.1030700@samba.org>
Message-ID: <56819AE4.5030806@samba.org>

Hello Rowland,

On 28.12.2015 at 10:57, Rowland penny wrote:
> Hi Marc, if, as you say, you need to remove everything before
> reprovisioning, why are there these lines in the provisioning code
> (/samba/provision/__init__.py):
>
> def provision(logger, session_info, smbconf=None,
>
>     """Provision samba4
>
>     :note: caution, this wipes all existing data!
>     """

My current DC smb.conf:
# grep "interfaces" /etc/samba/smb.conf
        interfaces = lo eth0
        bind interfaces only = yes

# ls -l /etc/samba/smb.conf
-rw-r--r-- 1 root root 947 13. Okt 2014 /etc/samba/smb.conf


Then I re-provision without removing the smb.conf, but using the 2nd
interface (eth1) instead of eth0:
# samba-tool domain provision --option="interfaces=lo eth1" --option="bind interfaces only=yes" --use-rfc2307 --use-xattrs=yes --interactive


The smb.conf stayed unchanged (same timestamp):
# grep "interfaces" /etc/samba/smb.conf
        interfaces = lo eth0
        bind interfaces only = yes

# ls -l /etc/samba/smb.conf
-rw-r--r-- 1 root root 947 13. Okt 2014 /etc/samba/smb.conf


If you remove the smb.conf file instead before the re-provisioning,
you'll find the interface options given to samba-tool in that file:

# grep "interfaces" /etc/samba/smb.conf
        interfaces = lo eth1
        bind interfaces only = Yes


BTW: If you use a different realm on the second provisioning, samba-tool
will fail:
# samba-tool domain provision --option="interfaces=lo eth1" --option="bind interfaces only=yes" --use-rfc2307 --use-xattrs=yes --interactive
Realm [SAMDOM.EXAMPLE.COM]: DEMO.MARC-MUEHLFELD.DE
Domain [DEMO]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [10.99.0.1]:
Administrator password:
Retype password:
ERROR(): Provision failed - ProvisioningError: guess_names: 'realm=SAMDOM.EXAMPLE.COM' in /etc/samba//smb.conf must match chosen realm 'DEMO.MARC-MUEHLFELD.DE'! Please remove the smb.conf file and let provision generate it
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 442, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 2025, in provision
    sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS))
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 609, in guess_names
    raise ProvisioningError("guess_names: 'realm=%s' in %s must match chosen realm '%s'! Please remove the smb.conf file and let provision generate it" % (lp.get("realm").upper(), lp.configfile, realm))

If the code should replace the smb.conf, then this might be a bug. Can
you please create a bug report, if this is the case?

> And:
>
> def setup_samdb_partitions(samdb_path, logger, lp, session_info,
>
>     """Setup the partitions for the SAM database.
>
>     Alternatively, provision() may call this, and then populate the
>     database.
>
>     :note: This will wipe the Sam Database!
>
>     :note: This function always removes the local SAM LDB file. The erase
>         parameter controls whether to erase the existing data, which
>         may not be stored locally but in LDAP.

It wipes the SAM database, but other files and databases are kept.
After the re-provisioning you will find several (database) files in
/usr/local/samba/var/ and /usr/local/samba/private/ that have
timestamps before the provisioning:

Re-provisioning finished:
Mo 28. Dez 21:08:27 CET 2015

Create a reference file with a timestamp before that time:
# touch --date='21:00' /tmp/ref

Find files older than the reference file:
# find /usr/local/samba/private/ -type f ! -newer /tmp/ref -exec ls -la '{}' ';'
-rw-r--r-- 1 root root 989 2. Sep 2014 /usr/local/samba/private/tls/cert.pem
-rw-r--r-- 1 root root 989 2. Sep 2014 /usr/local/samba/private/tls/ca.pem
-rw------- 1 root root 887 2. Sep 2014 /usr/local/samba/private/tls/key.pem
-rw-------. 1 root root 1286144 2. Sep 2014 /usr/local/samba/private/share.ldb
-rw------- 1 root root 696 2. Sep 2014 /usr/local/samba/private/randseed.tdb
-rw------- 1 root root 696 28. Dez 20:54 /usr/local/samba/private/schannel_store.tdb
-r--r--r-- 1 root root 300 2. Sep 2014 /usr/local/samba/private/named.conf.update
-rw------- 1 root root 1566 9. Sep 2014 /usr/local/samba/private/dns_update_cache
-rw------- 1 root root 696 28. Dez 20:54 /usr/local/samba/private/netlogon_creds_cli.tdb

# find /usr/local/samba/var/ -type f ! -newer /tmp/ref -exec ls -la '{}' ';'
-rwxrwx---+ 1 3000005 3000005 1240 9. Sep 2014 /usr/local/samba/var/locks/sysvol/samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
-rw------- 1 root root 528384 2. Sep 2014 /usr/local/samba/var/locks/registry.tdb
-rw------- 1 root root 421888 2. Sep 2014 /usr/local/samba/var/locks/share_info.tdb
-rw------- 1 root root 421888 2. Sep 2014 /usr/local/samba/var/locks/account_policy.tdb
-rw------- 1 root root 32768 28. Dez 20:57 /usr/local/samba/var/locks/winbindd_cache.tdb
-rw-r--r-- 1 root root 20 9. Sep 19:12 /usr/local/samba/var/cache/lck/909
-rw------- 1 root root 696 9. Sep 20:01 /usr/local/samba/var/cache/netsamlogon_cache.tdb
-rw------- 1 root root 696 17. Jan 2015 /usr/local/samba/var/lock/messages.tdb
-rw------- 1 root root 16384 28. Dez 20:54 /usr/local/samba/var/lock/smbXsrv_version_global.tdb
-rw------- 1 root root 696 28. Dez 20:54 /usr/local/samba/var/lock/smbXsrv_session_global.tdb
-rw------- 1 root root 696 28. Dez 20:54 /usr/local/samba/var/lock/smbXsrv_tcon_global.tdb
-rw-r--r-- 1 root root 40200 28. Dez 20:54 /usr/local/samba/var/lock/brlock.tdb
-rw-r--r-- 1 root root 40200 28. Dez 20:54 /usr/local/samba/var/lock/locking.tdb
-rw-r--r-- 1 root root 696 9. Sep 19:12 /usr/local/samba/var/lock/notify.tdb
-rw-r--r-- 1 root root 696 9. Sep 19:12 /usr/local/samba/var/lock/notify_index.tdb
-rw-r--r-- 1 root root 8192 28. Dez 20:54 /usr/local/samba/var/lock/serverid.tdb
-rw------- 1 root root 696 28. Dez 20:54 /usr/local/samba/var/lock/smbXsrv_open_global.tdb
-rw-r--r-- 1 root root 696 28. Dez 20:54 /usr/local/samba/var/lock/printer_list.tdb
-rw------- 1 root root 696 8. Dez 18:55 /usr/local/samba/var/lock/dbwrap_watchers.tdb
-rw-r--r-- 1 root root 696 28. Dez 20:54 /usr/local/samba/var/lock/leases.tdb
-rw-rw---- 1 root root 8192 8. Dez 17:54 /usr/local/samba/var/lock/msg/names.tdb
-rw-r--r-- 1 root root 2 9. Sep 20:01 /usr/local/samba/var/lock/msg/21621
-rw-r--r-- 1 root root 20 9. Sep 20:01 /usr/local/samba/var/lock/msg/21619
-rw-r--r-- 1 root root 20 9. Sep 20:01 /usr/local/samba/var/lock/msg/21625
-rw-r--r-- 1 root root 2 9. Sep 20:01 /usr/local/samba/var/lock/msg/21624
-rw-r--r-- 1 root root 2 9. Sep 20:01 /usr/local/samba/var/lock/msg/21628
-rw-r--r-- 1 root root 2 9. Sep 20:01 /usr/local/samba/var/lock/msg/21629
-rw-r--r-- 1 root root 20 8. Dez 17:31 /usr/local/samba/var/lock/msg/915
-rw-r--r-- 1 root root 2 8. Dez 17:31 /usr/local/samba/var/lock/msg/922
-rw-r--r-- 1 root root 20 8. Dez 17:31 /usr/local/samba/var/lock/msg/923
-rw-r--r-- 1 root root 2 8. Dez 17:31 /usr/local/samba/var/lock/msg/926
-rw-r--r-- 1 root root 2 8. Dez 17:31 /usr/local/samba/var/lock/msg/927
-rw-r--r-- 1 root root 2 8. Dez 17:41 /usr/local/samba/var/lock/msg/912
-rw-r--r-- 1 root root 20 8. Dez 17:41 /usr/local/samba/var/lock/msg/913
-rw-r--r-- 1 root root 20 8. Dez 17:41 /usr/local/samba/var/lock/msg/918
-rw-r--r-- 1 root root 2 8. Dez 17:41 /usr/local/samba/var/lock/msg/917
-rw-r--r-- 1 root root 2 8. Dez 18:33 /usr/local/samba/var/lock/msg.lock/21082
-rw-r--r-- 1 root root 20 8. Dez 18:33 /usr/local/samba/var/lock/msg.lock/21083
-rw-r--r-- 1 root root 20 8. Dez 18:33 /usr/local/samba/var/lock/msg.lock/21087
-rw-r--r-- 1 root root 2 8. Dez 18:33 /usr/local/samba/var/lock/msg.lock/21086
-rw-r--r-- 1 root root 2 8. Dez 18:45 /usr/local/samba/var/lock/msg.lock/22099
-rw-r--r-- 1 root root 2 28. Dez 20:54 /usr/local/samba/var/lock/msg.lock/909
-rw-r--r-- 1 root root 20 28. Dez 20:54 /usr/local/samba/var/lock/msg.lock/910
-rw-r--r-- 1 root root 2 28. Dez 20:54 /usr/local/samba/var/lock/msg.lock/918
-rw-r--r-- 1 root root 20 28. Dez 20:54 /usr/local/samba/var/lock/msg.lock/919
-rw-r--r-- 1 root root 2 28. Dez 20:54 /usr/local/samba/var/lock/msg.lock/922
-rw-r--r-- 1 root root 2 28. Dez 20:54 /usr/local/samba/var/lock/msg.lock/923
-rw-r--r-- 1 root root 4 28. Dez 20:54 /usr/local/samba/var/run/samba.pid
-rw-r--r-- 1 root root 4 28. Dez 20:54 /usr/local/samba/var/run/winbindd.pid
-rw-r--r-- 1 root root 4 28. Dez 20:54 /usr/local/samba/var/run/smbd.pid

Sure, some of the databases are cleaned up on startup, but some aren't,
like registry.tdb. This might also be a bug, if the code says something
different.

That's why I would always remove the smb.conf and all database folders'
content, when I start over.

Regards,
Marc

PS: Done on my 4.3.2 DC.
From rpenny at samba.org  Mon Dec 28 20:53:23 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 28 Dec 2015 20:53:23 +0000
Subject: [Samba] Wrong interface on AD Provisioning
In-Reply-To: <56819AE4.5030806@samba.org>
References: <568030D5.3070101@troja.ch> <56804073.80904@samba.org>
 <568070BD.5000808@troja.ch> <56810795.1030700@samba.org>
 <56819AE4.5030806@samba.org>
Message-ID: <5681A143.2090802@samba.org>

On 28/12/15 20:26, Marc Muehlfeld wrote:
> Hello Rowland,
>
>
> On 28.12.2015 at 10:57, Rowland penny wrote:
>> Hi Marc, if, as you say, you need to remove everything before
>> reprovisioning, why are there these lines in the provisioning code
>> (/samba/provision/__init__.py):
>>
>> def provision(logger, session_info, smbconf=None,
>>
>>     """Provision samba4
>>
>>     :note: caution, this wipes all existing data!
>>     """
>
> My current DC smb.conf:
> # grep "interfaces" /etc/samba/smb.conf
>         interfaces = lo eth0
>         bind interfaces only = yes
>
> # ls -l /etc/samba/smb.conf
> -rw-r--r-- 1 root root 947 13. Okt 2014 /etc/samba/smb.conf
>
>
> Then I re-provision without removing the smb.conf, but using the 2nd
> interface (eth1) instead of eth0:
> # samba-tool domain provision --option="interfaces=lo eth1"
> --option="bind interfaces only=yes" --use-rfc2307 --use-xattrs=yes
> --interactive
>
>
> The smb.conf stayed unchanged (same timestamp):
> # grep "interfaces" /etc/samba/smb.conf
>         interfaces = lo eth0
>         bind interfaces only = yes
>
> # ls -l /etc/samba/smb.conf
> -rw-r--r-- 1 root root 947 13. Okt 2014 /etc/samba/smb.conf
>
>
> If you remove the smb.conf file instead before the re-provisioning,
> you'll find the interface options given to samba-tool in that file:
>
> # grep "interfaces" /etc/samba/smb.conf
>         interfaces = lo eth1
>         bind interfaces only = Yes
>
>
> BTW: If you use a different realm on the second provisioning, samba-tool
> will fail:
> # samba-tool domain provision --option="interfaces=lo eth1"
> --option="bind interfaces only=yes" --use-rfc2307 --use-xattrs=yes
> --interactive
> Realm [SAMDOM.EXAMPLE.COM]: DEMO.MARC-MUEHLFELD.DE
> Domain [DEMO]:
> Server Role (dc, member, standalone) [dc]:
> DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE)
> [SAMBA_INTERNAL]:
> DNS forwarder IP address (write 'none' to disable forwarding) [10.99.0.1]:
> Administrator password:
> Retype password:
> ERROR(): Provision failed -
> ProvisioningError: guess_names: 'realm=SAMDOM.EXAMPLE.COM' in
> /etc/samba//smb.conf must match chosen realm 'DEMO.MARC-MUEHLFELD.DE'!
> Please remove the smb.conf file and let provision generate it
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
> line 442, in run
>     nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 2025, in provision
>     sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill ==
> FILL_DRS))
>   File
> "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py",
> line 609, in guess_names
>     raise ProvisioningError("guess_names: 'realm=%s' in %s must match
> chosen realm '%s'! Please remove the smb.conf file and let provision
> generate it" % (lp.get("realm").upper(), lp.configfile, realm))
>
>
> If the code should replace the smb.conf, then this might be a bug. Can
> you please create a bug report, if this is the case?
>
>

Hi Marc, good find, who knew there was a bug in the interactive provision code if you don't remove the smb.conf and want to change the realm name? As you found it, I think you should file the bug report and, if you can, fix it; probably the easiest way would be to remove the interactive provision code, never really seen the point to it. :-)

Rowland

From marciobacci at gmail.com Mon Dec 28 21:10:24 2015
From: marciobacci at gmail.com (Marcio Demetrio Bacci)
Date: Mon, 28 Dec 2015 19:10:24 -0200
Subject: [Samba] Problems to authenticate Ubuntu 14 on Samba4
Message-ID:

Hi,

I have seen many tutorials for joining Ubuntu 14 to the Samba4 domain, but none worked properly. I put the Ubuntu workstation in the domain, but when I try to login, the following message appears:

"your password will be expire in 42 days"

and it does not permit the authentication.

How can I configure an Ubuntu 14 workstation correctly to authenticate in the Samba 4 domain?

Thanks

Márcio Bacci

From rpenny at samba.org Mon Dec 28 21:29:33 2015
From: rpenny at samba.org (Rowland penny)
Date: Mon, 28 Dec 2015 21:29:33 +0000
Subject: [Samba] Problems to authenticate Ubuntu 14 on Samba4
In-Reply-To:
References:
Message-ID: <5681A9BD.4020607@samba.org>

On 28/12/15 21:10, Marcio Demetrio Bacci wrote:
> Hi,
>
> I have seen many tutorials for joining Ubuntu 14 to the Samba4 domain, but
> none worked properly. I put the Ubuntu workstation in the domain, but when
> I try to login, the following message appears:
>
> "your password will be expire in 42 days"
>
> and it does not permit the authentication.
>
> How can I configure an Ubuntu 14 workstation correctly to authenticate in the
> Samba 4 domain?
>
>
> Thanks
>
> Márcio Bacci

Hi, you are going to have to give us more info before we can help you: smb.conf, /etc/resolv.conf, /etc/krb5.conf etc. Also, what packages have you installed with the Samba packages?
Rowland

From marciobacci at gmail.com Mon Dec 28 22:54:44 2015
From: marciobacci at gmail.com (Marcio Demetrio Bacci)
Date: Mon, 28 Dec 2015 20:54:44 -0200
Subject: [Samba] Problems to authenticate Ubuntu 14 on Samba4
In-Reply-To: <5681A9BD.4020607@samba.org>
References: <5681A9BD.4020607@samba.org>
Message-ID:

I'm using Ubuntu 14.04, 64 bits.

I installed the following packages with apt-get:

krb5-user krb5-config winbind samba samba-common smbclient cifs-utils libpam-krb5 libpam-winbind libnss-winbind

The Samba version is 4.1.16-Ubuntu.

Below are my configuration files.

*/etc/samba/smb.conf*
[global]
netbios name = cliente-ad192
workgroup = EMPRESA
security = ads
realm = EMPRESA.COM
password server = 192.196.40.1
encrypt passwords = yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
preferred master = no
idmap config *:backend = tdb
idmap config *:range = 1000-3000
idmap config EMPRESA:backend = ad
idmap config EMPRESA:schema_mode = rfc2307
idmap config EMPRESA:range = 10000-9999999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/bash
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
username map = /etc/samba/user.map

*/etc/krb5.conf*
[libdefaults]
default_realm = EMPRESA.COM

# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EMPRESA.COM = {
kdc = DC1.EMPRESA.COM
admin_server = DC1.EMPRESA.COM
}

[domain_realm]
.empresa.com = EMPRESA.COM
empresa.com = EMPRESA.COM

[login]
krb4_convert = true
krb4_get_tickets = false

*/etc/resolv.conf*
nameserver 192.168.40.1
search empresa.com

*/etc/hosts*
127.0.0.1 localhost
127.0.1.1 cliente-ad192.empresa.com cliente-ad192
192.168.40.2 cliente-ad192.empresa.com cliente-ad192
192.168.40.1 dc1.empresa.com dc1

*/etc/nsswitch.conf*
passwd: compat
group: compat
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

*/etc/pam.d/common-session*
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_winbind.so
session optional pam_systemd.so

*/usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf*
[SeatDefaults]
user-session=ubuntu
greeter-show-manual-login=true

*/usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf*
[SeatDefaults]
allow-guest=false
greeter-show-remote-login=false
greeter-show-manual-login=true
greeter-session=unity-greeter

Thanks

2015-12-28 19:29 GMT-02:00 Rowland penny :
> On 28/12/15 21:10, Marcio Demetrio Bacci wrote:
>
>> Hi,
>>
>> I have seen many tutorials for joining Ubuntu 14 to the Samba4 domain, but
>> none worked properly. I put the Ubuntu workstation in the domain, but when
>> I try to login, the following message appears:
>>
>> "your password will be expire in 42 days"
>>
>> and it does not permit the authentication.
>>
>> How can I configure an Ubuntu 14 workstation correctly to authenticate in the
>> Samba 4 domain?
>>
>>
>> Thanks
>>
>> Márcio Bacci
>>
>
> Hi, you are going to have to give us more info before we can help you:
> smb.conf, /etc/resolv.conf, /etc/krb5.conf etc.
> Also, what packages have you installed with the Samba packages?
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

From belle at bazuin.nl Tue Dec 29 08:58:47 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 29 Dec 2015 09:58:47 +0100
Subject: [Samba] Firewall trouble?
In-Reply-To: <568162D7.8090102@gmail.com>
References: <56815661.4050208@reachtechfp.com>
Message-ID:

Hai,

I'm missing a few things. And maybe the time server port needs opening? Are your DCs time servers as well?

These are the ports I've set.

TCP, what I'm having:
22,42,53,88,135,139,389,445,464,636,3268,3269,1024:5000,49612:65535
How you did it:
22,53,88,135,139,445,464,636,1024:5000,3268,3269
You're missing 42, 389 and the range 49612:65535

UDP, what I'm having:
53,67,68,88,123,137,138,389,464
How you did it:
53,67,88,123,137,138,389,464
You're missing 68 (but I don't know if you need it)

If you're not familiar with iptables, I advise you to install ufw, for example. I have a nice "base" set of rules, if you need some examples. Ufw isn't that hard and is easy to extend. And a handy thing: integrating iptables + GeoIP is really easy, and handy for ssh access/blocks. I only allow ssh access on my server from the Netherlands with a rule like:

-A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 22 -m comment --comment 'SSH%20Geoip' -j DROP

If you want some extra info on that, just mail me, no problem.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of James
> Sent: Monday 28 December 2015 17:27
> To: samba at lists.samba.org
> Subject: Re: [Samba] Firewall trouble?
>
> On 12/28/2015 10:33 AM, Ryan Ashley wrote:
> > I recently tried adding a firewall to my Samba 4 server using the port
> > information I found on the wiki. Below is a dump of the resulting rules.
> >
> > root at dc01:~# iptables -S
> > -P INPUT DROP
> > -P FORWARD DROP
> > -P OUTPUT ACCEPT
> > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
> > -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
> > -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
> > -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
> > -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
> > -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
> > -A INPUT -p gre -j ACCEPT
> > -A INPUT -p esp -j ACCEPT
> > -A INPUT -p ah -j ACCEPT
> > -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
> > -A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
> > -A INPUT -i lo -j ACCEPT
> >
> > As you can see, I try to prevent brute-force attacks on SSH, but
> > accept data, both TCP and UDP, on the ports specified by the wiki
> > article. However, when this firewall is on my AD DC server, logins
> > take eons, everything is SLOW on workstations, and sometimes
> > authentications just plain fail. Why?
> >
> > --
> > Lead IT/IS Specialist
> > Reach Technology FP, Inc
>
> I assume this is for a DC. If so, are you using functional level 2008?
> You need to open ports 49152 through 65535 if you are. Level 2003 used
> 1025 through 5000.
>
> --
> -James

From belle at bazuin.nl Tue Dec 29 09:04:17 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 29 Dec 2015 10:04:17 +0100
Subject: [Samba] Problems to authenticate Ubuntu 14 on Samba4
In-Reply-To:
References: <5681A9BD.4020607@samba.org>
Message-ID:

Remove from localhost.

127.0.1.1 cliente-ad192.empresa.com cliente-ad192

Reboot and try again.
Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marcio Demetrio Bacci
> Sent: Monday 28 December 2015 23:55
> To: Rowland penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Problems to authenticate Ubuntu 14 on Samba4
>
> I'm using Ubuntu 14.04-64 bits
> [...]

From belle at bazuin.nl Tue Dec 29 09:16:38 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Tue, 29 Dec 2015 10:16:38 +0100
Subject: [Samba] Problems to authenticate Ubuntu 14 on Samba4
In-Reply-To:
References:
Message-ID:

.. need more coffee..

From /etc/hosts, I meant..

> > 127.0.1.1 cliente-ad192.empresa.com cliente-ad192

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Tuesday 29 December 2015 10:04
> To: samba at lists.samba.org
> CC: Marcio Demetrio Bacci
> Subject: Re: [Samba] Problems to authenticate Ubuntu 14 on Samba4
>
> Remove from localhost.
>
> 127.0.1.1 cliente-ad192.empresa.com cliente-ad192
>
> Reboot and try again.
>
> Greetz,
>
> Louis
> [...]

From rpenny at samba.org Tue Dec 29 09:20:40 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 29 Dec 2015 09:20:40 +0000
Subject: [Samba] Problems to authenticate Ubuntu 14 on Samba4
In-Reply-To:
References: <5681A9BD.4020607@samba.org>
Message-ID: <56825068.7010004@samba.org>

See inline comments:

On 28/12/15 22:54, Marcio Demetrio Bacci wrote:
> I'm using Ubuntu 14.04-64 bits
>
> I installed the following packages with apt-get:
>
> krb5-user krb5-config winbind samba samba-common smbclient cifs-utils
> libpam-krb5 libpam-winbind libnss-winbind
>
> The Samba version is 4.1.16-Ubuntu
>
> Below are my configuration files
>
> */etc/samba/smb.conf*
> [global]
> netbios name = cliente-ad192
> workgroup = EMPRESA
> security = ads
> realm = EMPRESA.COM
> password server = 192.196.40.1
> encrypt passwords = yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> preferred master = no
> idmap config *:backend = tdb
> idmap config *:range = 1000-3000
> idmap config EMPRESA:backend = ad
> idmap config EMPRESA:schema_mode = rfc2307
> idmap config EMPRESA:range = 10000-9999999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> template homedir = /home/%D/%U
> template shell = /bin/bash
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> username map = /etc/samba/user.map
>

Your smb.conf looks ok, apart from:

idmap config *:range = 1000-3000

Do you really have no local Unix users?

password server = 192.196.40.1

You should remove this line and let Samba find the DC via dns.

encrypt passwords = yes

You should remove this line because it is the default and is not required.

template homedir = /home/%D/%U
template shell = /bin/bash

You are using the winbind 'ad' backend along with 'winbind nss info = rfc2307'; this means that Samba expects to find the unixHomeDirectory & loginShell attributes in AD. Have you given your users a unique uidNumber attribute and Domain Users (at least) a gidNumber attribute?

> */etc/krb5.conf*
> [libdefaults]
> default_realm = EMPRESA.COM
> [...]
>
> */etc/resolv.conf*
> nameserver 192.168.40.1
> search empresa.com
>
> */etc/hosts*
> 127.0.0.1 localhost
> 127.0.1.1 cliente-ad192.empresa.com cliente-ad192
> 192.168.40.2 cliente-ad192.empresa.com cliente-ad192
> 192.168.40.1 dc1.empresa.com dc1
>

I would recommend that you stop Network Manager from using dnsmasq, then remove the lines in /etc/resolv.conf that start with '127.0.1.1' & '192.168.40.2', the first because this is the dnsmasq line and the second because you should find your DCs via dns.

> */etc/nsswitch.conf*
> passwd: compat
> group: compat
> shadow: compat
> hosts: files mdns4_minimal [NOTFOUND=return] dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
>

OK, here is a major problem: the passwd & group lines in /etc/nsswitch.conf need 'winbind' adding to them, i.e.

passwd: compat winbind
group: compat winbind

> */etc/pam.d/common-session*
> [...]
>
> */usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf*
> [...]
>
> */usr/share/lightdm/lightdm.conf.d/50-unity-greeter.conf*
> [...]
>
> Thanks
>

I would also add this to the end of /etc/pam.d/common-account

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

This will create your users' home directories as they login, if they do not already exist.

Rowland

From yamakasi.014 at gmail.com Tue Dec 29 10:00:53 2015
From: yamakasi.014 at gmail.com (Matt .)
Date: Tue, 29 Dec 2015 11:00:53 +0100
Subject: [Samba] Authentication against FreeIPA without AD
Message-ID:

Hi,

I wonder if someone here is already authing against FreeIPA with some latest Ubuntu/SSSD install.

I'm on Ubuntu 15.10 for samba to test this out:

Samba: 4.1.17
SSSD: 2.1.17

FreeIPA:

4 on CentOS 7

I don't need an AD so I'm following this, which still does not apply.

http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA

I hope someone can help out and it's possible with the current versions.

Thanks,

Matt

From rpenny at samba.org Tue Dec 29 11:00:22 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 29 Dec 2015 11:00:22 +0000
Subject: [Samba] Authentication against FreeIPA without AD
In-Reply-To:
References:
Message-ID: <568267C6.7090206@samba.org>

On 29/12/15 10:00, Matt . wrote:
> Hi,
>
> I wonder if someone here is already authing against FreeIPA with some
> latest Ubuntu/SSSD install.
> > I'm on on Ubuntu 15.10 for samba to test this out: > > Samba: 4.1.17 > SSSD: 2.1.17 > > > Freeipa: > > 4 on CentOS 7 > > I don't need an AD so I'm folling this what still does not apply. > > http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA > > I hope someone can help out and it's possible wit the current versions. > > Thanks, > > Matt > Hi, haven't a clue about IPA, never used it, but after reading the link you provided, it looks like IPA is just used for authentication, Samba is then used as a fileserver, with Samba clients accessing the files on the fileserver. This all sounds very like using a Samba AD DC with a Samba domain joined fileserver with Samba domain members accessing the files on the fileserver, and this will work easily on a Ubuntu machine, unlike the IPA setup which will require you to work out what all the red-hat commands actually do. Rowland From yamakasi.014 at gmail.com Tue Dec 29 11:55:45 2015 From: yamakasi.014 at gmail.com (Matt .) Date: Tue, 29 Dec 2015 12:55:45 +0100 Subject: [Samba] Authentication against FreeIPA without AD In-Reply-To: <568267C6.7090206@samba.org> References: <568267C6.7090206@samba.org> Message-ID: Hi, Yes we have had a topic about it @FreeIPA in the past, but as we have not updated packages I wonder if we could get it working. When I do the following: root at myserver:~/# smbclient -k -U username at REALM /myserver.domain.local/shared I get: session setup failed: NT_STATUS_NO_LOGON_SERVERS My DNS is setup ok and it gets a result when I do a tree test. 2015-12-29 12:00 GMT+01:00 Rowland penny : > On 29/12/15 10:00, Matt . wrote: >> >> Hi, >> >> I wonder if someone here is already authing against FreeIpa with some >> latest Ubuntu/SSSD install. >> >> I'm on on Ubuntu 15.10 for samba to test this out: >> >> Samba: 4.1.17 >> SSSD: 2.1.17 >> >> >> Freeipa: >> >> 4 on CentOS 7 >> >> I don't need an AD so I'm folling this what still does not apply. 
>> >> http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA >> >> I hope someone can help out and it's possible wit the current versions. >> >> Thanks, >> >> Matt >> > > Hi, haven't a clue about IPA, never used it, but after reading the link you > provided, it looks like IPA is just used for authentication, Samba is then > used as a fileserver, with Samba clients accessing the files on the > fileserver. > > This all sounds very like using a Samba AD DC with a Samba domain joined > fileserver with Samba domain members accessing the files on the fileserver, > and this will work easily on a Ubuntu machine, unlike the IPA setup which > will require you to work out what all the red-hat commands actually do. > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba From J.Morillo at educationetformation.fr Tue Dec 29 13:37:02 2015 From: J.Morillo at educationetformation.fr (MORILLO Jordi) Date: Tue, 29 Dec 2015 13:37:02 +0000 Subject: [Samba] Question with new Samba 4.3's Improved KCC Message-ID: <5B675B42AC323543B15C1E99E934C83EEAEFD8B5@OBIWAN.educ-for.local> Hi everybody, I'm playing with the new Improved KCC of samba 4.3.X Here is my network's topology : - DC : smb4dc located on Default-First-site-Name - DC : dc110 located on PetitQuevilly - DC : dc113 located on SaintEtienne - DC : dc120 located on Barentin - Etc.... 
(total of 15 DCs)

I want smb4dc acting as a bridgehead for all other sites, and all other sites' DCs replicating only with smb4dc (not sending anything to each other).

This is what I have done:
- Sites and Services MMC: set the preferred bridgehead transport IP for smb4dc
- Add kccsrv:samba_kcc=true to each DC configuration (smb4dc too)
- Restart all samba
- Sites and Services MMC:
  * For each DC: manually added one connection to smb4dc and deleted all other generated connections
  * For smb4dc: deleted all connections

The new improved KCC doesn't create new generated connections, that sounds good!
The samba_kcc generated graphviz sounds good too!
All my DCs (excluding smb4dc, the bridgehead) have only one KCC CONNECTION OBJECT, to smb4dc, which sounds good too:

==== KCC CONNECTION OBJECTS ====
Connection --
Connection name: SMB4DC
Enabled : TRUE
Server DNS name : smb4dc.pr.educationetformation.fr
Server DN name : CN=NTDS Settings,CN=SMB4DC,CN=Servers,CN=Default-First
TransportType: RPC
options: 0x00000000

BUT samba-tool showrepl is still showing a fully meshed network on INBOUND and OUTBOUND NEIGHBORS :/

Is it normal?

Thanks for all

From hat at fa2.so-net.ne.jp Tue Dec 29 14:25:24 2015
From: hat at fa2.so-net.ne.jp (HAT)
Date: Tue, 29 Dec 2015 23:25:24 +0900 (JST)
Subject: [Samba] vfs_fruit: cannot remove any file
In-Reply-To: <20151228172416.GA10324@sernet.sernet.private>
References: <20151229.013434.203362852067445732.hat@fa2.so-net.ne.jp> <20151228172416.GA10324@sernet.sernet.private>
Message-ID: <20151229.232524.1766027783366207505.hat@fa2.so-net.ne.jp>

Mon, 28 Dec 2015 18:24:17 +0100, Ralph Boehme :
> On Tue, Dec 29, 2015 at 01:34:34AM +0900, HAT wrote:
>> In case of OS X 10.9 and later, no file can be removed.
>>
>> $ rm test.txt
>> rm: test.txt: Resource busy
>>
>> cannot remove:
>> OS X 10.11.2 El Capitan
>> OS X 10.10.5 Yosemite
>> OS X 10.9.5 Mavericks
>>
>> can remove:
>> OS X 10.8.5 Mountain Lion
>> OS X 10.7.5 Lion
>> OS X 10.6.8 Snow Leopard
>> Windows 7
>>
>> Environment:
>> Fedora rawhide
>> samba-4.3.3-0.fc24
>>
>> smb.conf:
>> [global]
>> workgroup = LOCALNET
>> server string = %h
>> dos charset = CP932
>> log file = /var/log/samba/log.%m
>> max log size = 50
>> security = user
>> passdb backend = smbpasswd
>> load printers = yes
>> cups options = raw
>> [Test 1]
>> path = /export/test1/
>> writable = yes
>> vfs objects = catia fruit streams_xattr
>> fruit:locking = netatalk
>> fruit:encoding = native
>> streams_xattr:prefix = user.
>> streams_xattr:store_stream_type = no
>> ea support = yes
>>
>>
>> If the "fruit:locking = netatalk" line is deleted, there is no problem.
>
> What happens if you keep the locking but remove the streams_xattr
> options?

-------------------------------------------------------------------------
[global]
workgroup = LOCALNET
server string = %h
dos charset = CP932
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = smbpasswd
load printers = yes
cups options = raw
[Test 1]
path = /export/test1/
writable = yes
vfs objects = catia fruit streams_xattr
fruit:locking = netatalk
fruit:encoding = native
; streams_xattr:prefix = user.
; streams_xattr:store_stream_type = no
ea support = yes

Removed the streams_xattr options.

$ rm test.txt
rm: test.txt: Resource busy

-------------------------------------------------------------------------
[global]
workgroup = LOCALNET
server string = %h
dos charset = CP932
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = smbpasswd
load printers = yes
cups options = raw
[Test 1]
path = /export/test1/
writable = yes
; vfs objects = catia fruit streams_xattr
vfs objects = catia fruit
fruit:locking = netatalk
fruit:encoding = native
; streams_xattr:prefix = user.
; streams_xattr:store_stream_type = no
ea support = yes

Removed vfs_streams_xattr.

$ rm test.txt
rm: test.txt: Resource busy

-------------------------------------------------------------------------
[global]
workgroup = LOCALNET
server string = %h
dos charset = CP932
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = smbpasswd
load printers = yes
cups options = raw
[Test 1]
path = /export/test1/
writable = yes
vfs objects = catia fruit streams_xattr
fruit:aapl = no
fruit:locking = netatalk
fruit:encoding = native
streams_xattr:prefix = user.
streams_xattr:store_stream_type = no
ea support = yes

Added fruit:aapl = no.

$ rm test.txt
rm: test.txt: Resource busy

-------------------------------------------------------------------------
[global]
workgroup = LOCALNET
server string = %h
dos charset = CP932
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = smbpasswd
load printers = yes
cups options = raw
[Test 1]
path = /export/test1/
writable = yes
; vfs objects = catia fruit streams_xattr
vfs objects = catia streams_xattr
; fruit:locking = netatalk
; fruit:encoding = native
streams_xattr:prefix = user.
streams_xattr:store_stream_type = no
ea support = yes

Removed vfs_fruit.

$ rm test.txt

Can remove!
-- HAT From covici at ccs.covici.com Tue Dec 29 13:59:44 2015 From: covici at ccs.covici.com (covici at ccs.covici.com) Date: Tue, 29 Dec 2015 08:59:44 -0500 Subject: [Samba] permission problems trying to access subdirectories of a samba share Message-ID: <12561.1451397584@ccs.covici.com> Hi. I am having problems accessing subdirectories on a samba share. I am using windows 10 build 10586 and linux kernel 4.1.15-gentoo and samba 4.2.7. I have two shares, one called audio and the other called myshare. I cannot access the subdirectories in the myshare share. Here are the definitions. [myshare] comment = root directory path = / #fake oplocks = yes writable = yes printable = no create mask = 0765 [audio] comment = audio directory path = /audio writable = yes printable = no create mask = 0765 In windows, I access myshare using the root username and password, in audio I access using the user name covici and its password. The audio share works fine, the myshare windows cannot access any subdirectory. I either get the handle is invalid or a message saying I have permission problems. Thanks in advance for any suggestions. -- Your life is like a penny. You're going to lose it. The question is: How do you spend it? John Covici covici at ccs.covici.com From belle at bazuin.nl Tue Dec 29 14:38:47 2015 From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=) Date: Tue, 29 Dec 2015 15:38:47 +0100 Subject: [Samba] [squid-users] Squid with NTLM auth behind netscaler In-Reply-To: References: <5671C5B9.5080100@treenet.co.nz> Message-ID: Hai, > i read "Do not use this method if you run winbindd or other > samba services as samba will reset the machine password every x days > and thereby makes the keytab invalid Seems wrong to me. If you use samba 4. 
( don't know if it's the same for samba 3 )

Make sure you have this in smb.conf

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

winbind refresh tickets = yes
winbind offline logon = yes

refresh tickets refreshes the machine pass in the keytab.
Offline logon is handy if your dc is down.

Steps to follow

Install samba and join the domain.
Check the SPNs of the hostname, if you are missing things, add them.
Remove /etc/krb5.keytab
Recreate it again ( now it has all the needed SPNs ) with :
net ads keytab create -U administrator

restart samba.

Now go configure squid.


Greetz,

Louis

> -----Original Message-----
> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> Fabio Bucci
> Sent: Tuesday 29 December 2015 15:30
> To: Amos Jeffries
> CC: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Squid with NTLM auth behind netscaler
>
> Hi Amos,
> i'm trying to implement kerberos as you suggested to me. But following
> the guide i read "Do not use this method if you run winbindd or other
> samba services as samba will reset the machine password every x days
> and thereby makes the keytab invalid !!" and my system guy told me we
> use winbindd method.
>
> How can i implement so?
> Thanks
>
> 2015-12-16 21:12 GMT+01:00 Amos Jeffries :
> > On 17/12/2015 5:34 a.m., Fabio Bucci wrote:
> >> i'm planning to migrate to kerberos instead of NTLM.....i got a question
> >> for you Amos: sometimes a client reports issue in navigation and searching
> >> into log file i cannot see "username" and all the request are 407
> >>
> >> In these cases is there a way to reset a user session or it's a completely
> >> client issue?
> >
> > Usually it is the client stuck in a loop trying Negotiate/NTLM auth for
> > some reason. Some old Firefox, most Safari, and older IE can all get
> > stuck trying those credentials and ignoring the offers of Basic.
> >
> > It might be possible to figure out some LmCompatibility settings change
> > that makes the problem just go away (eg, forcing NTLM of all versions to
> > disabled on the client).
> >
> > Other than that Squid does have some workaround responses it can be made
> > to send back that might help the client reach the right conclusion:
> >
> > a) list Basic auth first in the config. Any properly working client will
> > re-sort the auth types by security level and do the Kerberos anyway. But
> > the broken ones (particularly IE7 and older) will have more chance of
> > using Basic.
> >
> > b) sending 407 response with no auth headers. Such as a deny 407 status
> > generated by external ACL deny, or a URL-redirector. These tell the
> > client that auth failed, but there is no acceptable fallback.
> >
> > c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is
> > the client prematurely attaching the credentials to the connection and
> > re-using them. That is supposed to have been fixed recently, but I've
> > not confirmed.
> >
> > d) sending 403 status response. To just flat-out block the client once
> > it enters the looping state. Hoping that later requests will start to
> > work again.
> >
> >
> > HTH
> > Amos
>
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

From rpenny at samba.org Tue Dec 29 14:41:53 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 29 Dec 2015 14:41:53 +0000
Subject: [Samba] permission problems trying to access subdirectories of a samba share
In-Reply-To: <12561.1451397584@ccs.covici.com>
References: <12561.1451397584@ccs.covici.com>
Message-ID: <56829BB1.5020205@samba.org>

On 29/12/15 13:59, covici at ccs.covici.com wrote:
> Hi. I am having problems accessing subdirectories on a samba share. I
> am using windows 10 build 10586 and linux kernel 4.1.15-gentoo and samba
> 4.2.7.
I have two shares, one called audio and the other called > myshare. I cannot access the subdirectories in the myshare share. Here > are the definitions. > [myshare] > comment = root directory > path = / > #fake oplocks = yes > writable = yes > printable = no > create mask = 0765 > [audio] > comment = audio directory > path = /audio > writable = yes > printable = no > create mask = 0765 > > In windows, I access myshare using the root username and password, in > audio I access using the user name covici and its password. The audio > share works fine, the myshare windows cannot access any subdirectory. I > either get the handle is invalid or a message saying I have permission > problems. > > Thanks in advance for any suggestions. > Why are you trying to share your entire Unix computer ? By sharing '/' you are giving your users access to the entire directory, do you really want to do this? Rowland From belle at bazuin.nl Tue Dec 29 14:43:17 2015 From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=) Date: Tue, 29 Dec 2015 15:43:17 +0100 Subject: [Samba] [squid-users] Squid with NTLM auth behind netscaler In-Reply-To: References: Message-ID: ... oops.. sorry about that.. Well if someone what to know more, you know to find me. ;-) Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens L.P.H. van Belle > Verzonden: dinsdag 29 december 2015 15:39 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] [squid-users] Squid with NTLM auth behind netscaler > > Hai, > > > i read "Do not use this method if you run winbindd or other > > samba services as samba will reset the machine password every x days > > and thereby makes the keytab invalid > > Seems wrong to me. > > If you use samba 4. 
( dont know if its the same for samba 3 ) > > Make sure you have this in smb.conf > > dedicated keytab file = /etc/krb5.keytab > kerberos method = secrets and keytab > > winbind refresh tickets = yes > winbind offline logon = yes > > refresh tickets refreshed the machine pass in the keytab. > Offline logon is handy if you dc is down. > > Steps to follow > > Install samba and join the domain. > Check the SPNs of the hostname, if you missing things, add them. > Remove /etc/krb5.keytab > Recreate it again ( now it has al the needed SPN's ) with : > net ads keytab create -U administrator > > restart samba. > > Now go configure squid. > > > Greetz, > > Louis > > > -----Oorspronkelijk bericht----- > > Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] > Namens > > Fabio Bucci > > Verzonden: dinsdag 29 december 2015 15:30 > > Aan: Amos Jeffries > > CC: squid-users at lists.squid-cache.org > > Onderwerp: Re: [squid-users] Squid with NTLM auth behind netscaler > > > > Hi Amos, > > i'm trying to implement kerberos as you suggested me. But following > > the guide i read "Do not use this method if you run winbindd or other > > samba services as samba will reset the machine password every x days > > and thereby makes the keytab invalid !!" and my system guy told me we > > use winbindd method. > > > > How can i implement so? > > Thanks > > > > 2015-12-16 21:12 GMT+01:00 Amos Jeffries : > > > On 17/12/2015 5:34 a.m., Fabio Bucci wrote: > > >> i'm planning to migrate to kerberos instead NTLM.....i got a question > > for > > >> you Amos: sometimes a client reports issue in navigation and > searching > > into > > >> log file i cannot see "username" and all the request are 407 > > >> > > >> In these cases is there a way to reset a user session or it's a > > completely > > >> client issue? > > > > > > Usually it is the client stuck in a loop trying Negtiate/NTLM auth for > > > some reason. 
Some old Firefox, most Safari, and older IE can all get > > > stuck trying those credentials and ignoring the offers of Basic. > > > > > > It might be possible to figure out some LmCompatibility settings > change > > > that makes the problem just go away (eg, forcing NTLM of all versions > to > > > disabled on the client). > > > > > > Other than that Squid does have some workaround responses it can be > made > > > to send back that might help the client reach the right conclusion: > > > > > > a) list Basic auth first in the config. Any properly working client > will > > > re-sort the auth types by security level and do theKerberos anyway. > But > > > the broken ones (particularly IE7 and older) will have more chance of > > > using Basic. > > > > > > b) sending 407 response with no auth headers. Such as a deny 407 > status > > > generated by external ACL deny, or a URL-redirector. These tell the > > > client that auth failed, but there is no acceptible fallback. > > > > > > c) sending Connection:close. Sometimes (mostly Firefox v20-v40) it is > > > the client prematurely attaching the credentials to the connection and > > > re-using them. That is supposed to have been fixed recently, but I've > > > not confirmed. > > > > > > d) sending 403 status response. To just flat-out block the client once > > > it enters the looping state. Hoping that later requests will start to > > > work again. > > > > > > > > > HTH > > > Amos > > > > > _______________________________________________ > > squid-users mailing list > > squid-users at lists.squid-cache.org > > http://lists.squid-cache.org/listinfo/squid-users > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba From carlos.hollow at gmail.com Tue Dec 29 14:56:26 2015 From: carlos.hollow at gmail.com (Carlos A. P. 
Cunha) Date: Tue, 29 Dec 2015 12:56:26 -0200 Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' Message-ID: <56829F1A.90106@gmail.com> Good afternoon! Had a samba 4 with a Windows 2003 network that is not over, I went up to the level of my domain / forest Forest level function: (Windows) 2008 R2 Domain function level: (Windows) 2008 R2 Lowest function level of the DC (Windows) 2008 R2 But it seems that Samba is not with all attributes of a Windows 2008. Even try to join another Samba error appears ERROR (ldb): uncaught exception - LDAP error 16 LDAP_NO_SUCH ATTRIBUTE - <0000200 A: objectclass attrs: attribute "msDS-SupportedEncryptionTypes' on entry 'CN = DC-LINUX-09, OU = Domain Controllers, DC = mydomain' was not found in the schema> Any idea ? S.O systems: Both Ubuntu 14:04 Samba version 4.3.3 (the Current was made Upgrade 4.2 -> 4.3 -> 4.3.3) From belle at bazuin.nl Tue Dec 29 15:07:10 2015 From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=) Date: Tue, 29 Dec 2015 16:07:10 +0100 Subject: [Samba] [squid-users] squid3 / debian stable / please update to 3.4.14 In-Reply-To: References: Message-ID: Hai, You can very easy upgrade to 3.5.12 on Jessie. Add sid to your sources.list, or better in : /etc/apt/sources.list.d/debian-sid.list Only the deb-src line is needed. Now apt-get update # install dependecies. apt-get build-dep squid # get and build source. apt-get source squid -b if you missing something, get that package first, build it, install it and do above again. !! thing to know when using the higher versions this way. 
/etc/squid3 Changed to /etc/squid ( all squid3 changed to squid ) Greetz, Louis > -----Oorspronkelijk bericht----- > Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens > Massimo.Sala at asl.bergamo.it > Verzonden: dinsdag 29 december 2015 15:26 > Aan: luigi at debian.org > CC: squid-users at lists.squid-cache.org > Onderwerp: [squid-users] squid3 / debian stable / please update to 3.4.14 > > ciao Luigi > > I ask to update the distro to squid 3.4.14, the last stable version, > released in august. > > Rationale : > 1) various bugs and memory leaks fixed; > 2) security fix for CVE 2015 5400; > 3) support for Alternate-Protocol HTTP header. > > I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache > videos. > > References : > https://packages.debian.org/jessie/squid3 > > ftp://ftp.fu-berlin.de/unix/www/squid/squid/squid-3.4-ChangeLog.txt > http://wiki.squid-cache.org/KnowledgeBase/Block QUIC protocol > > > Best regards, Massimo > > _______________________________________________ > squid-users mailing list > squid-users at lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users From rpenny at samba.org Tue Dec 29 15:25:32 2015 From: rpenny at samba.org (Rowland penny) Date: Tue, 29 Dec 2015 15:25:32 +0000 Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' In-Reply-To: <56829F1A.90106@gmail.com> References: <56829F1A.90106@gmail.com> Message-ID: <5682A5EC.80200@samba.org> On 29/12/15 14:56, Carlos A. P. Cunha wrote: > Good afternoon! > Had a samba 4 with a Windows 2003 network that is not over, I went up > to the level of my domain / forest > > Forest level function: (Windows) 2008 R2 > Domain function level: (Windows) 2008 R2 > Lowest function level of the DC (Windows) 2008 R2 > > But it seems that Samba is not with all attributes of a Windows 2008. 
>
> Even try to join another Samba error appears
>
> ERROR (ldb): uncaught exception - LDAP error 16 LDAP_NO_SUCH ATTRIBUTE
> - <0000200 A: objectclass attrs: attribute
> "msDS-SupportedEncryptionTypes' on entry 'CN = DC-LINUX-09, OU =
> Domain Controllers, DC = mydomain' was not found in the schema>
>
> Any idea ?
>
>
There appears to be something wrong with your setup, if you examine the file
'MS-AD_Schema_2K8_R2_Attributes.txt' (should be on your system, in a
directory called ad-schema), you will see this:

cn: ms-DS-Supported-Encryption-Types
ldapDisplayName: msDS-SupportedEncryptionTypes
attributeId: 1.2.840.113556.1.4.1963
attributeSyntax: 2.5.5.9
omSyntax: 2
isSingleValued: TRUE
schemaIdGuid: 20119867-1d04-4ab7-9371-cfc3d5df0afd
systemOnly: FALSE
searchFlags: 0
attributeSecurityGuid: 77b5b886-944a-11d1-aebd-0000f80367c1
systemFlags: FLAG_SCHEMA_BASE_OBJECT
schemaFlagsEx: FLAG_ATTR_IS_CRITICAL

And your DC objects should have this:

msDS-SupportedEncryptionTypes: 31

Was the original DC a Samba 4 DC ?

Rowland

From rpenny at samba.org Tue Dec 29 15:28:08 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 29 Dec 2015 15:28:08 +0000
Subject: [Samba] [squid-users] squid3 / debian stable / please update to 3.4.14
In-Reply-To:
References:
Message-ID: <5682A688.3090603@samba.org>

On 29/12/15 15:07, L.P.H. van Belle wrote:
> Hai,
>
> You can very easily upgrade to 3.5.12 on Jessie.
> Add sid to your sources.list, or better in :
> /etc/apt/sources.list.d/debian-sid.list
>
> Only the deb-src line is needed.
>
> Now apt-get update
>
> # install dependencies.
> apt-get build-dep squid
>
> # get and build source.
> apt-get source squid -b
>
> if you're missing something, get that package first, build it, install it and do above again.
>
> !! thing to know when using the higher versions this way.
> > /etc/squid3 > Changed to > /etc/squid > > ( all squid3 changed to squid ) > > > > Greetz, > > Louis > > >> -----Oorspronkelijk bericht----- >> Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens >> Massimo.Sala at asl.bergamo.it >> Verzonden: dinsdag 29 december 2015 15:26 >> Aan: luigi at debian.org >> CC: squid-users at lists.squid-cache.org >> Onderwerp: [squid-users] squid3 / debian stable / please update to 3.4.14 >> >> ciao Luigi >> >> I ask to update the distro to squid 3.4.14, the last stable version, >> released in august. >> >> Rationale : >> 1) various bugs and memory leaks fixed; >> 2) security fix for CVE 2015 5400; >> 3) support for Alternate-Protocol HTTP header. >> >> I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache >> videos. >> >> References : >> https://packages.debian.org/jessie/squid3 >> >> ftp://ftp.fu-berlin.de/unix/www/squid/squid/squid-3.4-ChangeLog.txt >> http://wiki.squid-cache.org/KnowledgeBase/Block QUIC protocol >> >> >> Best regards, Massimo >> >> _______________________________________________ >> squid-users mailing list >> squid-users at lists.squid-cache.org >> http://lists.squid-cache.org/listinfo/squid-users > Excuse me Louis, have you started celebrating the new year early ? :-D This is not the squid mailing list Rowland From belle at bazuin.nl Tue Dec 29 15:36:18 2015 From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=) Date: Tue, 29 Dec 2015 16:36:18 +0100 Subject: [Samba] [squid-users] squid3 / debian stable / please update to 3.4.14 In-Reply-To: <5682A688.3090603@samba.org> References: Message-ID: o.m.g. i did it again... :-/ 1000x sorry... And you wait until new year... ;-) i'll dump some more.. 
;-) Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland penny > Verzonden: dinsdag 29 december 2015 16:28 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] [squid-users] squid3 / debian stable / please > update to 3.4.14 > > On 29/12/15 15:07, L.P.H. van Belle wrote: > > Hai, > > > > You can very easy upgrade to 3.5.12 on Jessie. > > Add sid to your sources.list, or better in : > > /etc/apt/sources.list.d/debian-sid.list > > > > Only the deb-src line is needed. > > > > Now apt-get update > > > > # install dependecies. > > apt-get build-dep squid > > > > # get and build source. > > apt-get source squid -b > > > > if you missing something, get that package first, build it, install it > and do above again. > > > > !! thing to know when using the higher versions this way. > > > > /etc/squid3 > > Changed to > > /etc/squid > > > > ( all squid3 changed to squid ) > > > > > > > > Greetz, > > > > Louis > > > > > >> -----Oorspronkelijk bericht----- > >> Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] > Namens > >> Massimo.Sala at asl.bergamo.it > >> Verzonden: dinsdag 29 december 2015 15:26 > >> Aan: luigi at debian.org > >> CC: squid-users at lists.squid-cache.org > >> Onderwerp: [squid-users] squid3 / debian stable / please update to > 3.4.14 > >> > >> ciao Luigi > >> > >> I ask to update the distro to squid 3.4.14, the last stable version, > >> released in august. > >> > >> Rationale : > >> 1) various bugs and memory leaks fixed; > >> 2) security fix for CVE 2015 5400; > >> 3) support for Alternate-Protocol HTTP header. > >> > >> I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache > >> videos. 
> >> > >> References : > >> https://packages.debian.org/jessie/squid3 > >> > >> ftp://ftp.fu-berlin.de/unix/www/squid/squid/squid-3.4-ChangeLog.txt > >> http://wiki.squid-cache.org/KnowledgeBase/Block QUIC protocol > >> > >> > >> Best regards, Massimo > >> > >> _______________________________________________ > >> squid-users mailing list > >> squid-users at lists.squid-cache.org > >> http://lists.squid-cache.org/listinfo/squid-users > > > > Excuse me Louis, have you started celebrating the new year early ? :-D > > This is not the squid mailing list > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba From covici at ccs.covici.com Tue Dec 29 15:44:39 2015 From: covici at ccs.covici.com (covici at ccs.covici.com) Date: Tue, 29 Dec 2015 10:44:39 -0500 Subject: [Samba] permission problems trying to access subdirectories of a samba share In-Reply-To: <56829BB1.5020205@samba.org> References: <12561.1451397584@ccs.covici.com> <56829BB1.5020205@samba.org> Message-ID: <16512.1451403879@ccs.covici.com> Rowland penny wrote: > On 29/12/15 13:59, covici at ccs.covici.com wrote: > > Hi. I am having problems accessing subdirectories on a samba share. I > > am using windows 10 build 10586 and linux kernel 4.1.15-gentoo and samba > > 4.2.7. I have two shares, one called audio and the other called > > myshare. I cannot access the subdirectories in the myshare share. Here > > are the definitions. > > [myshare] > > comment = root directory > > path = / > > #fake oplocks = yes > > writable = yes > > printable = no > > create mask = 0765 > > [audio] > > comment = audio directory > > path = /audio > > writable = yes > > printable = no > > create mask = 0765 > > In windows, I access myshare using the root username and password, > > in > > audio I access using the user name covici and its password. The audio > > share works fine, the myshare windows cannot access any subdirectory. 
I
> > either get the handle is invalid or a message saying I have permission
> > problems.
> >
> > Thanks in advance for any suggestions.
> >
>
> Why are you trying to share your entire Unix computer ?
>
> By sharing '/' you are giving your users access to the entire
> directory, do you really want to do this?
>
My users are just me, and sometimes I need to access from windows.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici
covici at ccs.covici.com

From ryana at reachtechfp.com Tue Dec 29 16:38:53 2015
From: ryana at reachtechfp.com (Ryan Ashley)
Date: Tue, 29 Dec 2015 11:38:53 -0500
Subject: [Samba] Firewall trouble?
In-Reply-To: <56815F6D.4050504@samba.org>
References: <56815661.4050208@reachtechfp.com> <56815F6D.4050504@samba.org>
Message-ID: <5682B71D.3090608@reachtechfp.com>

No, iptables will first hit the line:

-p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource

This line adds the IP to the "BLOCKED" list and increments the attempts to
connect by one. The next line checks to see if there are four or more
attempts to connect in under ten minutes. If so, drop the connection. If
not, continue processing the rules. The rule allowing it later is only
reached by somebody who has not tried to repeatedly login to SSH.

Yes, I now see I forgot 389 TCP. I will add it and give it a shot. Thank
you for pointing that out.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 12/28/2015 11:12 AM, Rowland penny wrote:
> On 28/12/15 15:33, Ryan Ashley wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> I recently tried adding a firewall to my Samba 4 server using
>> the port information I found on the wiki. Below is a dump of the
>> resulting rules.
>>
>> root at dc01:~# iptables -S
>> -P INPUT DROP
>> -P FORWARD DROP
>> -P OUTPUT ACCEPT
>> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
>> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
>> -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
>> -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
>> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
>> -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
>> -A INPUT -p gre -j ACCEPT
>> -A INPUT -p esp -j ACCEPT
>> -A INPUT -p ah -j ACCEPT
>> -A INPUT -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT
>> -A INPUT -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
>> -A INPUT -i lo -j ACCEPT
>>
>> As you can see, I try to prevent brute-force attacks on SSH, but
>> accept data, both TCP and UDP on the ports specified by the wiki
>> article.
>
>
> I would check the ports again, if I were you, you need port 389
> tcp as well as udp. Also whilst not being a firewall expert,
> doesn't having port 22 mentioned at the end of the file take
> precedence over the earlier line ?
>
> Rowland
>

From ryana at reachtechfp.com Tue Dec 29 16:40:43 2015
From: ryana at reachtechfp.com (Ryan Ashley)
Date: Tue, 29 Dec 2015 11:40:43 -0500
Subject: [Samba] Firewall trouble?
In-Reply-To: <568162D7.8090102@gmail.com>
References: <56815661.4050208@reachtechfp.com> <568162D7.8090102@gmail.com>
Message-ID: <5682B78B.5060509@reachtechfp.com>

James, I am at 2008 R2 level. What you just told me is not mentioned on
the wiki and could very well be my problem. I am first going to open 389
TCP and, should that not solve it, allow the ports you specified, but only
from the LAN.
Lead IT/IS Specialist Reach Technology FP, Inc On 12/28/2015 11:27 AM, James wrote: > On 12/28/2015 10:33 AM, Ryan Ashley wrote: > I recently tried adding a firewall to my Samba 4 server using the port > information I found on the wiki. Below is a dump of the resulting rules. > > root at dc01:~# iptables -S > -P INPUT DROP > -P FORWARD DROP > -P OUTPUT ACCEPT > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT > -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set > --name BLOCKED --rsource > -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent > --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP > -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT > -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT > -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT > -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j > REJECT --reject-with tcp-reset > -A INPUT -p gre -j ACCEPT > -A INPUT -p esp -j ACCEPT > -A INPUT -p ah -j ACCEPT > -A INPUT -p tcp -m state --state NEW -m multiport --dports > 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT > -A INPUT -p udp -m state --state NEW -m multiport --dports > 53,67,88,123,137,138,389,464 -j ACCEPT > -A INPUT -i lo -j ACCEPT > > As you can see, I try to prevent brute-force attacks on SSH, but > accept data, both TCP and UDP on the ports specified by the wiki > article. However, when this firewall is on my AD DC server, logins > take eons, everything is SLOW on workstations, and sometimes > authentications just plain fail. Why? > -- Lead IT/IS Specialist > Reach Technology FP, Inc >> > I assume this is for a DC. If so are you using functional level 2008? > You need to open ports 49152 through 65535 if you are. Level 2003 used > 1025 through 5000. > From lists at xunil.at Tue Dec 29 16:32:02 2015 From: lists at xunil.at (Stefan G. 
Weichinger)
Date: Tue, 29 Dec 2015 17:32:02 +0100
Subject: [Samba] samba4 as ADS member: some users visible, others not
Message-ID: <5682B582.6030505@xunil.at>

I have to add a brand new fedora 23 server with samba 4.3.3 to an existing
Windows ADS domain.

The join is OK:

# net ads testjoin
Join is OK

I use winbind as I still have to learn about sssd (and I am unsure which
one to prefer).

config (workgroup and realm edited):

[global]
workgroup = customer
realm = my.customer
server string =
security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers
map untrusted to domain = Yes
load printers = No
printcap name = /dev/null
disable spoolss = Yes
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
idmap config customer:range = 10000-999999
idmap config customer:schema_mode = rfc2307
idmap config customer:backend = ad
idmap config *:range = 2000-9999
idmap config * : backend = tdb
force create mode = 0664
force directory mode = 0775
printing = bsd
level2 oplocks = No

---

issues:

wbinfo -u
wbinfo -g

list all users and groups from ADS

getent passwd

only gives me around 20 users from ADS ...

-> some users get access to shares, some not!

I assume this has to do with "idmap config customer:range" ?
How to determine the values of the max ids?
Do I have to "reset" some mappings after changing this parameter?

What else to check for?

thanks for any help on this,
Stefan

From ryana at reachtechfp.com Tue Dec 29 16:53:42 2015
From: ryana at reachtechfp.com (Ryan Ashley)
Date: Tue, 29 Dec 2015 11:53:42 -0500
Subject: [Samba] Firewall trouble?
In-Reply-To:
References: <56815661.4050208@reachtechfp.com>
Message-ID: <5682BA96.1040107@reachtechfp.com>

Louis, I love iptables and while I am NOT a pro, I know it fairly well. You
should see the magic I have running on our VPN server and SIP server!
Still, you mention TCP 42 and UDP 68. What are these two ports for?
The range you mentioned I was just told about in another response. The
only range listed on the wiki is apparently for 2003. Do I still need
1024-500 on the 2008 R2 level?

Lead IT/IS Specialist
Reach Technology FP, Inc

On 12/29/2015 03:58 AM, L.P.H. van Belle wrote:
> Hai,
>
> I'm missing a few things.
>
> And maybe time server port to open? Are your dc's time server also?
> These are the ports i've set.
>
> TCP what I'm having.
> 22,42,53,88,135,139,389,445,464,636,3268,3269,1024:5000,49612:65535
>
> How you did:
> 22,53,88,135,139,445,464,636,1024:5000,3268,3269
> You're missing 42 389 and range : 49612:65535
>
>
> UDP what I'm having.
> 53,67,68,88,123,137,138,389,464
>
> How you did:
> 53,67,88,123,137,138,389,464
> You're missing 68 ( but I don't know if you need it )
>
> If you're not familiar with iptables.
> I advise you to install ufw for example.
> I have a nice "base" set of rules, if you need some examples.
> Ufw isn't that hard and easy to extend.
> And a handy thing, integrating iptables + GeoIP is really easy.
> And handy for ssh access/blocks.
> I only allow ssh access on my server from the netherlands with a rule like:
>
> -A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 22 -m comment --comment 'SSH%20Geoip' -j DROP
>
> If you want some extra info on that, just mail me, no problem.
>
>
> Greetz,
>
> Louis
>
>
>
>
>> -----Original Message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of James
>> Sent: Monday 28 December 2015 17:27
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Firewall trouble?
>>
>> On 12/28/2015 10:33 AM, Ryan Ashley wrote:
> I recently tried adding a firewall to my Samba 4 server using the port
> information I found on the wiki. Below is a dump of the resulting rules.
> > root at dc01:~# iptables -S > -P INPUT DROP > -P FORWARD DROP > -P OUTPUT ACCEPT > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT > -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set > --name BLOCKED --rsource > -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent > --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP > -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT > -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT > -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT > -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j > REJECT --reject-with tcp-reset > -A INPUT -p gre -j ACCEPT > -A INPUT -p esp -j ACCEPT > -A INPUT -p ah -j ACCEPT > -A INPUT -p tcp -m state --state NEW -m multiport --dports > 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT > -A INPUT -p udp -m state --state NEW -m multiport --dports > 53,67,88,123,137,138,389,464 -j ACCEPT > -A INPUT -i lo -j ACCEPT > > As you can see, I try to prevent brute-force attacks on SSH, but > accept data, both TCP and UDP on the ports specified by the wiki > article. However, when this firewall is on my AD DC server, logins > take eons, everything is SLOW on workstations, and sometimes > authentications just plain fail. Why? >>> >> I assume this is for a DC. If so are you using functional level 2008? >> You need to open ports 49152 through 65535 if you are. Level 2003 used >> 1025 through 5000. 
>>
>> --
>> -James
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
>
>

From rpenny at samba.org Tue Dec 29 16:55:20 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 29 Dec 2015 16:55:20 +0000
Subject: [Samba] permission problems trying to access subdirectories of a samba share
In-Reply-To: <16512.1451403879@ccs.covici.com>
References: <12561.1451397584@ccs.covici.com> <56829BB1.5020205@samba.org> <16512.1451403879@ccs.covici.com>
Message-ID: <5682BAF8.9040502@samba.org>

On 29/12/15 15:44, covici at ccs.covici.com wrote:
> Rowland penny wrote:
>
>> On 29/12/15 13:59, covici at ccs.covici.com wrote:
>>> Hi. I am having problems accessing subdirectories on a samba share. I
>>> am using windows 10 build 10586 and linux kernel 4.1.15-gentoo and samba
>>> 4.2.7. I have two shares, one called audio and the other called
>>> myshare. I cannot access the subdirectories in the myshare share. Here
>>> are the definitions.
>>> [myshare]
>>> comment = root directory
>>> path = /
>>> #fake oplocks = yes
>>> writable = yes
>>> printable = no
>>> create mask = 0765
>>> [audio]
>>> comment = audio directory
>>> path = /audio
>>> writable = yes
>>> printable = no
>>> create mask = 0765
>>> In windows, I access myshare using the root username and password,
>>> in
>>> audio I access using the user name covici and its password. The audio
>>> share works fine, the myshare windows cannot access any subdirectory. I
>>> either get the handle is invalid or a message saying I have permission
>>> problems.
>>>
>>> Thanks in advance for any suggestions.
>>>
>> Why are you trying to share your entire Unix computer?
>>
>> By sharing '/' you are giving your users access to the entire
>> directory, do you really want to do this?
>>
> My users are just me, and sometimes I need to access from windows.
>
Then install 'putty' and login via 'ssh', just don't do it via Samba.
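Rowland's objection (a share whose path is '/' hands out the whole host) can be turned into a check that runs before a config goes live. The following is an added example, not code from the thread or from the Samba project: it parses the [share] sections of an smb.conf (a constructed sample shaped like covici's two shares is embedded, with a 'valid users' line added to [audio] so the two cases differ) and reports shares rooted at '/' and writable shares with no 'valid users' restriction. The names parse_smb_conf, is_writable and lint_shares are my own; the parameter names it inspects (path, writable, writeable, read only, valid users) are real smb.conf parameters.

```python
"""Flag smb.conf shares that expose more of the host than intended.

Added example (not from the thread or the Samba project). It reads the
[share] sections of an smb.conf and reports:
  * a share whose path is '/', which exposes the whole host filesystem
  * a writable share with no 'valid users' restriction
Run as: python3 smbconf_lint.py /etc/samba/smb.conf  (no argument: the sample)
"""
import configparser
import posixpath
import sys
from typing import List

# Constructed sample in the shape of the two shares posted in the thread;
# [audio] has been given a 'valid users' line so the two cases differ.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP

[myshare]
   comment = root directory
   path = /
   #fake oplocks = yes
   writable = yes
   printable = no
   create mask = 0765

[audio]
   comment = audio directory
   path = /audio
   writable = yes
   valid users = covici
   printable = no
   create mask = 0765
"""

# Sections that are not ordinary file shares.
SPECIAL_SECTIONS = {"global", "homes", "printers"}
TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like: 'key = value' lines under [section] headers,
    '#' or ';' comment lines, case-insensitive keys. strict=False tolerates
    the duplicate keys that real-world files often carry."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",),
                                   comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def is_writable(section: configparser.SectionProxy) -> bool:
    """'writable'/'writeable' and 'read only' are inverse synonyms in smb.conf;
    the default when neither is set is read only = yes."""
    for key in ("writable", "writeable"):
        if key in section:
            return section[key].strip().lower() in TRUE_WORDS
    if "read only" in section:
        return section["read only"].strip().lower() not in TRUE_WORDS
    return False


def lint_shares(text: str) -> List[str]:
    """Return one finding string per problem, in file order."""
    cp = parse_smb_conf(text)
    findings: List[str] = []
    for name in cp.sections():
        if name.lower() in SPECIAL_SECTIONS:
            continue
        sec = cp[name]
        path = sec.get("path", "").strip()
        # normpath collapses '/.', '/srv/..' and the like; anything left
        # consisting only of slashes is the filesystem root.
        if path and posixpath.normpath(path).rstrip("/") == "":
            findings.append(f"[{name}] path = / exposes the entire host filesystem")
        if is_writable(sec) and "valid users" not in sec:
            findings.append(f"[{name}] is writable but has no 'valid users' restriction")
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for finding in lint_shares(source):
        print(finding)
```

The root check normalises the path first, so a share written as `path = /srv/..` is caught as well as a literal `/`; the 'valid users' check is deliberately conservative and only fires for writable shares, which is where an unrestricted share does the most damage.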
Rowland From ryana at reachtechfp.com Tue Dec 29 17:00:20 2015 From: ryana at reachtechfp.com (Ryan Ashley) Date: Tue, 29 Dec 2015 12:00:20 -0500 Subject: [Samba] Firewall trouble? In-Reply-To: References: <56815661.4050208@reachtechfp.com> Message-ID: <5682BC24.1080304@reachtechfp.com> I just looked up 42 and 68. I do not use WINS or BOOTP. I am removing range 1024-5000 and replacing it with 49612-65535 now. I already allowed 389 TCP. Lead IT/IS Specialist Reach Technology FP, Inc On 12/29/2015 03:58 AM, L.P.H. van Belle wrote: > Hai, > > Im missing a few things. > > And maybe time server port to open? Are your dc's time server also? > These are the ports i've set. > > TCP what im having. > 22,42,53,88,135,139,389,445,464,636,3268,3269,1024:5000,49612:65535 > > How you did: > 22,53,88,135,139,445,464,636,1024:5000,3268,3269 > Your missing 42 389 and range : 49612:65535 > > > UDP what im having. > 53,67,68,88,123,137,138,389,464 > > How you did: > 53,67,88,123,137,138,389,464 > Your missing 68 ( but i dont know if you need it ) > > If your not familiar with iptables. > I advice you to install ufw for example. > I have a nice "base" set of rules, if you need some examples. > Ufw isnt that hard and easy to extented. > And a handy thing, integrating iptables + GeoIP is really easy. > And handy for ssh access/blocks. > I only allow ssh acces on my server from the netherlands with a rule like: > > -A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 22 -m comment --comment 'SSH%20Geoip' -j DROP > > If you want some extra info on that, just mail me, no problem. > > > Greetz, > > Louis > > > > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens James >> Verzonden: maandag 28 december 2015 17:27 >> Aan: samba at lists.samba.org >> Onderwerp: Re: [Samba] Firewall trouble? 
>> >> On 12/28/2015 10:33 AM, Ryan Ashley wrote: > I recently tried adding a firewall to my Samba 4 server using the port > information I found on the wiki. Below is a dump of the resulting rules. > > root at dc01:~# iptables -S > -P INPUT DROP > -P FORWARD DROP > -P OUTPUT ACCEPT > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT > -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set > --name BLOCKED --rsource > -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent > --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP > -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT > -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT > -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT > -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j > REJECT --reject-with tcp-reset > -A INPUT -p gre -j ACCEPT > -A INPUT -p esp -j ACCEPT > -A INPUT -p ah -j ACCEPT > -A INPUT -p tcp -m state --state NEW -m multiport --dports > 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT > -A INPUT -p udp -m state --state NEW -m multiport --dports > 53,67,88,123,137,138,389,464 -j ACCEPT > -A INPUT -i lo -j ACCEPT > > As you can see, I try to prevent brute-force attacks on SSH, but > accept data, both TCP and UDP on the ports specified by the wiki > article. However, when this firewall is on my AD DC server, logins > take eons, everything is SLOW on workstations, and sometimes > authentications just plain fail. Why? >>> >> I assume this is for a DC. If so are you using functional level 2008? >> You need to open ports 49152 through 65535 if you are. Level 2003 used >> 1025 through 5000. 
>> >> -- >> -James >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba > > > From rpenny at samba.org Tue Dec 29 17:05:53 2015 From: rpenny at samba.org (Rowland penny) Date: Tue, 29 Dec 2015 17:05:53 +0000 Subject: [Samba] samba4 as ADS member: some users visible, others not In-Reply-To: <5682B582.6030505@xunil.at> References: <5682B582.6030505@xunil.at> Message-ID: <5682BD71.1050101@samba.org> On 29/12/15 16:32, Stefan G. Weichinger wrote: > I have to add a brand new fedora 23 server with samba 4.3.3 to an > existing Windows ADS domain. > > The join is OK: > > # net ads testjoin > Join is OK > > I use winbind as I still have to learn about sssd (and I am unsure which > one to prefer). > > config (workgroup and realm edited): > > [global] > workgroup = customer > realm = my.customer > server string = > security = ADS > map to guest = Bad User > username map = /etc/samba/smbusers > map untrusted to domain = Yes > load printers = No > printcap name = /dev/null > disable spoolss = Yes > template shell = /bin/bash > winbind enum users = Yes > winbind enum groups = Yes > winbind use default domain = Yes > winbind nss info = rfc2307 > idmap config customer:range = 10000-999999 > idmap config customer:schema_mode = rfc2307 > idmap config customer:backend = ad > idmap config *:range = 2000-9999 > idmap config * : backend = tdb > force create mode = 0664 > force directory mode = 0775 > printing = bsd > level2 oplocks = No > > --- > > issues: > > wbinfo -u > wbinfo -g list all users and groups from ADS > > getent passwd only gives me around 20 users from ADS ... > > -> some users get access to shares, some not! > > I assume this has to do with "idmap config customer:range" ? > > How to determine the values of the max ids? > > Do I have to "reset" some mappings after changing this parameter? > > What else to check for? 
>
> thanks for any help on this, Stefan
>

The only mappings you should have, are the ones for the 'builtin' users & groups, all the others should have a uidNumber or gidNumber attribute in AD, these should be between '10000-999999'

I would also recommend you remove these lines:

force create mode = 0664
force directory mode = 0775

They really only belong in a share, but you should be using Posix ACLs anyway.

If a user isn't shown by getent, then they are unknown to the OS and will not be able to access shares unless the share also allows guest access.

Rowland

From lingpanda101 at gmail.com Tue Dec 29 17:06:41 2015
From: lingpanda101 at gmail.com (James)
Date: Tue, 29 Dec 2015 12:06:41 -0500
Subject: [Samba] Firewall trouble?
In-Reply-To: <5682BC24.1080304@reachtechfp.com>
References: <56815661.4050208@reachtechfp.com> <5682BC24.1080304@reachtechfp.com>
Message-ID: <5682BDA1.2010407@gmail.com>

On 12/29/2015 12:00 PM, Ryan Ashley wrote:
> I just looked up 42 and 68. I do not use WINS or BOOTP. I am removing
> range 1024-5000 and replacing it with 49612-65535 now. I already allowed
> 389 TCP.
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 12/29/2015 03:58 AM, L.P.H. van Belle wrote:
>> Hai,
>>
>> I'm missing a few things.
>>
>> And maybe time server port to open? Are your DCs time servers also?
>> These are the ports I've set.
>>
>> TCP, what I'm having.
>> 22,42,53,88,135,139,389,445,464,636,3268,3269,1024:5000,49612:65535
>>
>> How you did:
>> 22,53,88,135,139,445,464,636,1024:5000,3268,3269
>> You're missing 42, 389 and range: 49612:65535
>>
>>
>> UDP, what I'm having.
>> 53,67,68,88,123,137,138,389,464
>>
>> How you did:
>> 53,67,88,123,137,138,389,464
>> You're missing 68 (but I don't know if you need it)
>>
>> If you're not familiar with iptables,
>> I advise you to install ufw, for example.
>> I have a nice "base" set of rules, if you need some examples.
>> Ufw isn't that hard and is easy to extend.
>> And a handy thing, integrating iptables + GeoIP is really easy. >> And handy for ssh access/blocks. >> I only allow ssh acces on my server from the netherlands with a rule like: >> >> -A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 22 -m comment --comment 'SSH%20Geoip' -j DROP >> >> If you want some extra info on that, just mail me, no problem. >> >> >> Greetz, >> >> Louis >> >> >> >> >>> -----Oorspronkelijk bericht----- >>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens James >>> Verzonden: maandag 28 december 2015 17:27 >>> Aan: samba at lists.samba.org >>> Onderwerp: Re: [Samba] Firewall trouble? >>> >>> On 12/28/2015 10:33 AM, Ryan Ashley wrote: >> I recently tried adding a firewall to my Samba 4 server using the port >> information I found on the wiki. Below is a dump of the resulting rules. >> >> root at dc01:~# iptables -S >> -P INPUT DROP >> -P FORWARD DROP >> -P OUTPUT ACCEPT >> -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT >> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set >> --name BLOCKED --rsource >> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent >> --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP >> -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT >> -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT >> -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT >> -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j >> REJECT --reject-with tcp-reset >> -A INPUT -p gre -j ACCEPT >> -A INPUT -p esp -j ACCEPT >> -A INPUT -p ah -j ACCEPT >> -A INPUT -p tcp -m state --state NEW -m multiport --dports >> 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT >> -A INPUT -p udp -m state --state NEW -m multiport --dports >> 53,67,88,123,137,138,389,464 -j ACCEPT >> -A INPUT -i lo -j ACCEPT >> >> As you can see, I try to prevent brute-force attacks on SSH, but >> accept data, both TCP and UDP on the ports specified by the 
wiki
>> article. However, when this firewall is on my AD DC server, logins
>> take eons, everything is SLOW on workstations, and sometimes
>> authentications just plain fail. Why?
>>> I assume this is for a DC. If so are you using functional level 2008?
>>> You need to open ports 49152 through 65535 if you are. Level 2003 used
>>> 1025 through 5000.
>>>
>>> --
>>> -James
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>
>>

Ryan, check out this link. It may prove helpful in additional troubleshooting if need be.

https://support.microsoft.com/en-us/kb/179442

--
-James

From ryana at reachtechfp.com Tue Dec 29 17:13:59 2015
From: ryana at reachtechfp.com (Ryan Ashley)
Date: Tue, 29 Dec 2015 12:13:59 -0500
Subject: [Samba] Firewall trouble?
In-Reply-To:
References: <56815661.4050208@reachtechfp.com>
Message-ID: <5682BF57.1040008@reachtechfp.com>

Alright, I have set up the new rules and am waiting to see if I have any issues. If I do, I will keep working on it. I also read the article below, which mentions exactly what I was told about 2008 and newer using different ports.
https://support.microsoft.com/en-us/kb/929851

Here is the new configuration:

root at dc01:~# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name BLOCKED --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -s 10.0.0.0/22 -p tcp -m state --state NEW -m multiport --dports 22,53,88,135,139,389,445,464,636,3268,3269,49152:65535 -j ACCEPT
-A INPUT -s 10.0.0.0/22 -p udp -m state --state NEW -m multiport --dports 53,67,88,123,137,138,389,464 -j ACCEPT
-A INPUT -i lo -j ACCEPT

As you can see, I only allow access from my LAN now, thus further securing the server. VPN users get a LAN address so they will work with this setup also.

Lead IT/IS Specialist
Reach Technology FP, Inc

On 12/29/2015 03:58 AM, L.P.H. van Belle wrote:
> Hai,
>
> I'm missing a few things.
>
> And maybe time server port to open? Are your DCs time servers also?
> These are the ports I've set.
>
> TCP, what I'm having.
> 22,42,53,88,135,139,389,445,464,636,3268,3269,1024:5000,49612:65535
>
> How you did:
> 22,53,88,135,139,445,464,636,1024:5000,3268,3269
> You're missing 42, 389 and range: 49612:65535
>
>
> UDP, what I'm having.
> 53,67,68,88,123,137,138,389,464
>
> How you did:
> 53,67,88,123,137,138,389,464
> You're missing 68 (but I don't know if you need it)
>
> If you're not familiar with iptables,
> I advise you to install ufw, for example.
> I have a nice "base" set of rules, if you need some examples.
> Ufw isn't that hard and is easy to extend.
> And a handy thing, integrating iptables + GeoIP is really easy.
> And handy for ssh access/blocks. > I only allow ssh acces on my server from the netherlands with a rule like: > > -A ufw-before-input -m state --state NEW -m geoip ! --src-cc NL -m tcp -p tcp --dport 22 -m comment --comment 'SSH%20Geoip' -j DROP > > If you want some extra info on that, just mail me, no problem. > > > Greetz, > > Louis > > > > >> -----Oorspronkelijk bericht----- >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens James >> Verzonden: maandag 28 december 2015 17:27 >> Aan: samba at lists.samba.org >> Onderwerp: Re: [Samba] Firewall trouble? >> >> On 12/28/2015 10:33 AM, Ryan Ashley wrote: > I recently tried adding a firewall to my Samba 4 server using the port > information I found on the wiki. Below is a dump of the resulting rules. > > root at dc01:~# iptables -S > -P INPUT DROP > -P FORWARD DROP > -P OUTPUT ACCEPT > -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT > -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set > --name BLOCKED --rsource > -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent > --update --seconds 600 --hitcount 4 --name BLOCKED --rsource -j DROP > -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT > -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT > -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT > -A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j > REJECT --reject-with tcp-reset > -A INPUT -p gre -j ACCEPT > -A INPUT -p esp -j ACCEPT > -A INPUT -p ah -j ACCEPT > -A INPUT -p tcp -m state --state NEW -m multiport --dports > 22,53,88,135,139,445,464,636,1024:5000,3268,3269 -j ACCEPT > -A INPUT -p udp -m state --state NEW -m multiport --dports > 53,67,88,123,137,138,389,464 -j ACCEPT > -A INPUT -i lo -j ACCEPT > > As you can see, I try to prevent brute-force attacks on SSH, but > accept data, both TCP and UDP on the ports specified by the wiki > article. 
However, when this firewall is on my AD DC server, logins > take eons, everything is SLOW on workstations, and sometimes > authentications just plain fail. Why? >>> >> I assume this is for a DC. If so are you using functional level 2008? >> You need to open ports 49152 through 65535 if you are. Level 2003 used >> 1025 through 5000. >> >> -- >> -James >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba > > > From carlos.hollow at gmail.com Tue Dec 29 17:18:28 2015 From: carlos.hollow at gmail.com (Carlos A. P. Cunha) Date: Tue, 29 Dec 2015 15:18:28 -0200 Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' In-Reply-To: <5682BFAE.5030006@gmail.com> References: <56829F1A.90106@gmail.com> <5682A5EC.80200@samba.org> <5682BFAE.5030006@gmail.com> Message-ID: <5682C064.9070509@gmail.com> Em 29-12-2015 15:15, Carlos A. P. Cunha escreveu: > Good afternoon! > I found the file that you mentioned and this like yours. > > Looking co attributes like this: > > ldbsearch -H /usr/local/samba/private/sam.ldb '(objectclass = person)' > > Not any line with the ms-DS-Supported-Encryption-Types attribute > > My Orginial scenario went like this: > > Windows 2003 there came the samba (4.2), the windows died, was only > the samba that was upgraded to version 4.3 and climbed the functional > level to those reported in another e-mail, and now version 4.3.3. > > > > Em 29-12-2015 13:25, Rowland penny escreveu: >> On 29/12/15 14:56, Carlos A. P. Cunha wrote: >>> Good afternoon! >>> Had a samba 4 with a Windows 2003 network that is not over, I went >>> up to the level of my domain / forest >>> >>> Forest level function: (Windows) 2008 R2 >>> Domain function level: (Windows) 2008 R2 >>> Lowest function level of the DC (Windows) 2008 R2 >>> >>> But it seems that Samba is not with all attributes of a Windows 2008. 
>>> Even try to join another Samba error appears >>> >>> ERROR (ldb): uncaught exception - LDAP error 16 LDAP_NO_SUCH >>> ATTRIBUTE - <0000200 A: objectclass attrs: attribute >>> "msDS-SupportedEncryptionTypes' on entry 'CN = DC-LINUX-09, OU = >>> Domain Controllers, DC = mydomain' was not found in the schema> >>> >>> Any idea ? >>> >>> >> >> There appears to be something wrong with your setup, if you examine >> the file 'MS-AD_Schema_2K8_R2_Attributes.txt' (should be on your >> system, in a directory called ad-schema), you will this: >> >> cn: ms-DS-Supported-Encryption-Types >> ldapDisplayName: msDS-SupportedEncryptionTypes >> attributeId: 1.2.840.113556.1.4.1963 >> attributeSyntax: 2.5.5.9 >> omSyntax: 2 >> isSingleValued: TRUE >> schemaIdGuid: 20119867-1d04-4ab7-9371-cfc3d5df0afd >> systemOnly: FALSE >> searchFlags: 0 >> attributeSecurityGuid: 77b5b886-944a-11d1-aebd-0000f80367c1 >> systemFlags: FLAG_SCHEMA_BASE_OBJECT >> schemaFlagsEx: FLAG_ATTR_IS_CRITICAL >> >> And your DC objects should have this: >> >> msDS-SupportedEncryptionTypes: 31 >> >> Was the original DC a Samba 4 DC ? >> >> Rowland >> >> >> > From lists at xunil.at Tue Dec 29 17:30:02 2015 From: lists at xunil.at (Stefan G. Weichinger) Date: Tue, 29 Dec 2015 18:30:02 +0100 Subject: [Samba] samba4 as ADS member: some users visible, others not In-Reply-To: <5682BD71.1050101@samba.org> References: <5682B582.6030505@xunil.at> <5682BD71.1050101@samba.org> Message-ID: <5682C31A.4040109@xunil.at> Am 2015-12-29 um 18:05 schrieb Rowland penny: > On 29/12/15 16:32, Stefan G. Weichinger wrote: >> I have to add a brand new fedora 23 server with samba 4.3.3 to an >> existing Windows ADS domain. >> >> The join is OK: >> >> # net ads testjoin >> Join is OK >> >> I use winbind as I still have to learn about sssd (and I am unsure which >> one to prefer). 
>> >> config (workgroup and realm edited): >> >> [global] >> workgroup = customer >> realm = my.customer >> server string = >> security = ADS >> map to guest = Bad User >> username map = /etc/samba/smbusers >> map untrusted to domain = Yes >> load printers = No >> printcap name = /dev/null >> disable spoolss = Yes >> template shell = /bin/bash >> winbind enum users = Yes >> winbind enum groups = Yes >> winbind use default domain = Yes >> winbind nss info = rfc2307 >> idmap config customer:range = 10000-999999 >> idmap config customer:schema_mode = rfc2307 >> idmap config customer:backend = ad >> idmap config *:range = 2000-9999 >> idmap config * : backend = tdb >> force create mode = 0664 >> force directory mode = 0775 >> printing = bsd >> level2 oplocks = No >> >> --- >> >> issues: >> >> wbinfo -u >> wbinfo -g list all users and groups from ADS >> >> getent passwd only gives me around 20 users from ADS ... >> >> -> some users get access to shares, some not! >> >> I assume this has to do with "idmap config customer:range" ? >> >> How to determine the values of the max ids? >> >> Do I have to "reset" some mappings after changing this parameter? >> >> What else to check for? >> >> thanks for any help on this, Stefan >> > > The only mappings you should have, are the ones for the 'builtin' users > & groups, all the others should have a uidNumber or gidNumber attribute > in AD, these should be between '10000-999999' > I would also recommend you remove these lines: > > force create mode = 0664 > force directory mode = 0775 I agree, sure. > They really only belong in a share, but you should be using Posix ACLs > anyway. > > If a user isn't shown by getent, then they are unknown to the OS and > will not be able to access shares unless the share also allows guest > access. So I understand you suggest to use this instead ? 
->

[global]
workgroup = CUSTOMER
realm = MY.CUSTOMER
server string =
security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers
map untrusted to domain = Yes
load printers = No
printcap name = /dev/null
disable spoolss = Yes
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
idmap config *:range = 2000-9999
idmap config * : backend = tdb
printing = bsd
level2 oplocks = No

I will test later as there are some users working (early evening here) ...

thanks! Stefan

From rpenny at samba.org Tue Dec 29 17:45:46 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 29 Dec 2015 17:45:46 +0000
Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
In-Reply-To: <5682C064.9070509@gmail.com>
References: <56829F1A.90106@gmail.com> <5682A5EC.80200@samba.org> <5682BFAE.5030006@gmail.com> <5682C064.9070509@gmail.com>
Message-ID: <5682C6CA.4020103@samba.org>

Try your search like this:

ldbsearch -H /usr/local/samba/private/sam.ldb '(objectclass=computer)' msDS-SupportedEncryptionTypes

From covici at ccs.covici.com Tue Dec 29 17:21:29 2015
From: covici at ccs.covici.com (covici at ccs.covici.com)
Date: Tue, 29 Dec 2015 12:21:29 -0500
Subject: [Samba] permission problems trying to access subdirectories of a samba share
In-Reply-To: <5682BAF8.9040502@samba.org>
References: <12561.1451397584@ccs.covici.com> <56829BB1.5020205@samba.org> <16512.1451403879@ccs.covici.com> <5682BAF8.9040502@samba.org>
Message-ID: <19762.1451409689@ccs.covici.com>

Rowland penny wrote:
> On 29/12/15 15:44, covici at ccs.covici.com wrote:
> > Rowland penny wrote:
> >
> >> On 29/12/15 13:59, covici at ccs.covici.com wrote:
> >>> Hi. I am having problems accessing subdirectories on a samba share. I
> >>> am using windows 10 build 10586 and linux kernel 4.1.15-gentoo and samba
> >>> 4.2.7. I have two shares, one called audio and the other called
> >>> myshare.
I cannot access the subdirectories in the myshare share. Here > >>> are the definitions. > >>> [myshare] > >>> comment = root directory > >>> path = / > >>> #fake oplocks = yes > >>> writable = yes > >>> printable = no > >>> create mask = 0765 > >>> [audio] > >>> comment = audio directory > >>> path = /audio > >>> writable = yes > >>> printable = no > >>> create mask = 0765 > >>> In windows, I access myshare using the root username and password, > >>> in > >>> audio I access using the user name covici and its password. The audio > >>> share works fine, the myshare windows cannot access any subdirectory. I > >>> either get the handle is invalid or a message saying I have permission > >>> problems. > >>> > >>> Thanks in advance for any suggestions. > >>> > >> Why are you trying to share your entire Unix computer ? > >> > >> By sharing '/' you are giving your users access to the entire > >> directory, do you really want to do this? > >> > > My users are just me, and sometimes I need to access from windows. > > > > Then install 'putty' and login via 'ssh', just don't do it via Samba. > I need to have windows access to some files, and for other reasons, I need samba to work properly, do you have any ideas? -- Your life is like a penny. You're going to lose it. The question is: How do you spend it? John Covici covici at ccs.covici.com From rpenny at samba.org Tue Dec 29 17:59:20 2015 From: rpenny at samba.org (Rowland penny) Date: Tue, 29 Dec 2015 17:59:20 +0000 Subject: [Samba] samba4 as ADS member: some users visible, others not In-Reply-To: <5682C31A.4040109@xunil.at> References: <5682B582.6030505@xunil.at> <5682BD71.1050101@samba.org> <5682C31A.4040109@xunil.at> Message-ID: <5682C9F8.2000007@samba.org> On 29/12/15 17:30, Stefan G. Weichinger wrote: > Am 2015-12-29 um 18:05 schrieb Rowland penny: >> On 29/12/15 16:32, Stefan G. Weichinger wrote: >>> I have to add a brand new fedora 23 server with samba 4.3.3 to an >>> existing Windows ADS domain. 
>>> >>> The join is OK: >>> >>> # net ads testjoin >>> Join is OK >>> >>> I use winbind as I still have to learn about sssd (and I am unsure which >>> one to prefer). >>> >>> config (workgroup and realm edited): >>> >>> [global] >>> workgroup = customer >>> realm = my.customer >>> server string = >>> security = ADS >>> map to guest = Bad User >>> username map = /etc/samba/smbusers >>> map untrusted to domain = Yes >>> load printers = No >>> printcap name = /dev/null >>> disable spoolss = Yes >>> template shell = /bin/bash >>> winbind enum users = Yes >>> winbind enum groups = Yes >>> winbind use default domain = Yes >>> winbind nss info = rfc2307 >>> idmap config customer:range = 10000-999999 >>> idmap config customer:schema_mode = rfc2307 >>> idmap config customer:backend = ad >>> idmap config *:range = 2000-9999 >>> idmap config * : backend = tdb >>> force create mode = 0664 >>> force directory mode = 0775 >>> printing = bsd >>> level2 oplocks = No >>> >>> --- >>> >>> issues: >>> >>> wbinfo -u >>> wbinfo -g list all users and groups from ADS >>> >>> getent passwd only gives me around 20 users from ADS ... >>> >>> -> some users get access to shares, some not! >>> >>> I assume this has to do with "idmap config customer:range" ? >>> >>> How to determine the values of the max ids? >>> >>> Do I have to "reset" some mappings after changing this parameter? >>> >>> What else to check for? >>> >>> thanks for any help on this, Stefan >>> >> The only mappings you should have, are the ones for the 'builtin' users >> & groups, all the others should have a uidNumber or gidNumber attribute >> in AD, these should be between '10000-999999' >> I would also recommend you remove these lines: >> >> force create mode = 0664 >> force directory mode = 0775 > I agree, sure. > >> They really only belong in a share, but you should be using Posix ACLs >> anyway. 
>>
>> If a user isn't shown by getent, then they are unknown to the OS and
>> will not be able to access shares unless the share also allows guest
>> access.
> So I understand you suggest to use this instead ?
>
> ->
>
> [global]
> workgroup = CUSTOMER
> realm = MY.CUSTOMER
> server string =
> security = ADS
> map to guest = Bad User
> username map = /etc/samba/smbusers
> map untrusted to domain = Yes
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> idmap config *:range = 2000-9999
> idmap config * : backend = tdb
> printing = bsd
> level2 oplocks = No
>
> I will test later as there are some users working (early evening here) ...
>
> thanks! Stefan
>

NO! This will give you precisely 0 users

config * == the range the 'builtin' users will be mapped to.
config customer == the range for all the domain users that have a uidNumber attribute.

If a user doesn't have a uidNumber attribute containing a number inside the range set in smb.conf (in your case 10000-999999) it will be ignored; the user will also be ignored if it doesn't have a uidNumber attribute.

There is also another gotcha: the 'Domain Users' group *must* have a gidNumber attribute inside the range, or all users will be ignored even if they have a uidNumber attribute.

This all boils down to: have you manually given your users & groups the required uidNumber & gidNumber attributes? They are not added automatically, they must be added manually.
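The rules Rowland lays out above (uidNumber present and inside the domain range, 'Domain Users' with an in-range gidNumber, builtin and domain ranges kept apart) can be checked against a directory dump before smb.conf is touched. The following is an added example, not code from the thread or from the Samba project: it parses an LDIF dump of the shape that ldbsearch and ldapsearch print (a constructed sample is embedded, including a folded dn line of the kind seen later in this thread) and reports which users the 'idmap config DOMAIN:backend = ad' mapping would ignore and why. The names parse_ldif, check_idmap and visible_users are my own; the attribute names (sAMAccountName, objectClass, uidNumber, gidNumber) are the real AD attributes the thread discusses.

```python
"""Check which AD users an rfc2307 'idmap config DOMAIN' mapping will show.

Added example (not from the thread or the Samba project). It parses an
LDIF dump in the shape ldbsearch/ldapsearch print and, for a configured
'idmap config DOMAIN:range', reports users without a uidNumber, users whose
uidNumber lies outside the range, and whether 'Domain Users' carries an
in-range gidNumber (without it, no user is mapped at all).
"""
import base64
from typing import Any, Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed sample. 'dave' has a folded dn line (LDIF continuation lines
# start with a single space) to exercise the unfolding.
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=my,DC=customer
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=my,DC=customer
objectClass: user
sAMAccountName: bob
uidNumber: 5000

dn: CN=carol,CN=Users,DC=my,DC=customer
objectClass: user
sAMAccountName: carol

dn: CN=dave,OU=Very Long Organizational Unit Name,OU=Site,
 DC=my,DC=customer
objectClass: user
sAMAccountName: dave
uidNumber: 10002

dn: CN=Domain Users,CN=Users,DC=my,DC=customer
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=staff,CN=Users,DC=my,DC=customer
objectClass: group
sAMAccountName: staff
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def _decode(raw: str) -> str:
    """'attr:: xyz' carries a base64 value; 'attr: xyz' a plain one."""
    if raw.startswith(":"):
        return base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
    return raw.strip()


def parse_ldif(text: str) -> List[Entry]:
    """Return one {attribute_lowercase: [values]} dict per 'dn:' record."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for line in _unfold(text):
        if not line.strip():            # blank line ends a record
            if cur:
                entries.append(cur)
            cur = None
            continue
        if line.startswith("#"):        # '# record N' comments
            continue
        attr, sep, raw = line.partition(":")
        if not sep:
            continue
        attr = attr.strip().lower()
        if attr == "dn":                # 'dn:' starts a new record
            if cur:
                entries.append(cur)
            cur = {}
        if cur is None:
            continue
        cur.setdefault(attr, []).append(_decode(raw))
    if cur:
        entries.append(cur)
    return entries


def _in_range(values: Optional[List[str]], lo: int, hi: int) -> bool:
    return bool(values) and values[0].isdigit() and lo <= int(values[0]) <= hi


def check_idmap(entries: List[Entry], domain_range: Tuple[int, int],
                builtin_range: Optional[Tuple[int, int]] = None) -> Dict[str, Any]:
    """Apply the mapping rules for one 'idmap config DOMAIN:range' (lo, hi);
    builtin_range is the 'idmap config *:range' and must not overlap it."""
    lo, hi = domain_range
    report: Dict[str, Any] = {
        "users_ok": [], "users_missing_uid": [], "users_out_of_range": [],
        "groups_without_gid": [], "domain_users_gid_ok": False,
        "range_overlap": False,
    }
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        name = e.get("samaccountname", ["?"])[0]
        if "user" in classes and "computer" not in classes:
            uid = e.get("uidnumber")
            if not uid:
                report["users_missing_uid"].append(name)
            elif not _in_range(uid, lo, hi):
                report["users_out_of_range"].append(name)
            else:
                report["users_ok"].append(name)
        elif "group" in classes:
            ok = _in_range(e.get("gidnumber"), lo, hi)
            if name.lower() == "domain users":
                report["domain_users_gid_ok"] = ok
            if not ok:
                report["groups_without_gid"].append(name)
    if builtin_range:
        blo, bhi = builtin_range
        report["range_overlap"] = blo <= hi and lo <= bhi
    return report


def visible_users(report: Dict[str, Any]) -> List[str]:
    """Users getent will show: none at all if 'Domain Users' has no in-range gidNumber."""
    return list(report["users_ok"]) if report["domain_users_gid_ok"] else []


if __name__ == "__main__":
    r = check_idmap(parse_ldif(SAMPLE_LDIF), (10000, 999999), (2000, 9999))
    for key, value in r.items():
        print(f"{key}: {value}")
    print("visible via getent:", visible_users(r))
```

Fed the sample, the report lists alice and dave as mapped, bob as out of range, carol as missing a uidNumber and staff as a group without a gidNumber; drop the gidNumber line under 'Domain Users' and visible_users() becomes empty, which is exactly the "precisely 0 users" outcome described above. To run it against a live directory, dump the user and group objects with ldapsearch (or ldbsearch on a Samba DC's sam.ldb) requesting sAMAccountName, objectClass, uidNumber and gidNumber, and pass the text to parse_ldif.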
Rowland From rpenny at samba.org Tue Dec 29 18:04:22 2015 From: rpenny at samba.org (Rowland penny) Date: Tue, 29 Dec 2015 18:04:22 +0000 Subject: [Samba] permission problems trying to access subdirectories of a samba share In-Reply-To: <19762.1451409689@ccs.covici.com> References: <12561.1451397584@ccs.covici.com> <56829BB1.5020205@samba.org> <16512.1451403879@ccs.covici.com> <5682BAF8.9040502@samba.org> <19762.1451409689@ccs.covici.com> Message-ID: <5682CB26.2080307@samba.org> On 29/12/15 17:21, covici at ccs.covici.com wrote: > Rowland penny wrote: > >> On 29/12/15 15:44, covici at ccs.covici.com wrote: >>> Rowland penny wrote: >>> >>>> On 29/12/15 13:59, covici at ccs.covici.com wrote: >>>>> Hi. I am having problems accessing subdirectories on a samba share. I >>>>> am using windows 10 build 10586 and linux kernel 4.1.15-gentoo and samba >>>>> 4.2.7. I have two shares, one called audio and the other called >>>>> myshare. I cannot access the subdirectories in the myshare share. Here >>>>> are the definitions. >>>>> [myshare] >>>>> comment = root directory >>>>> path = / >>>>> #fake oplocks = yes >>>>> writable = yes >>>>> printable = no >>>>> create mask = 0765 >>>>> [audio] >>>>> comment = audio directory >>>>> path = /audio >>>>> writable = yes >>>>> printable = no >>>>> create mask = 0765 >>>>> In windows, I access myshare using the root username and password, >>>>> in >>>>> audio I access using the user name covici and its password. The audio >>>>> share works fine, the myshare windows cannot access any subdirectory. I >>>>> either get the handle is invalid or a message saying I have permission >>>>> problems. >>>>> >>>>> Thanks in advance for any suggestions. >>>>> >>>> Why are you trying to share your entire Unix computer ? >>>> >>>> By sharing '/' you are giving your users access to the entire >>>> directory, do you really want to do this? >>>> >>> My users are just me, and sometimes I need to access from windows. 
>>>
>> Then install 'putty' and login via 'ssh', just don't do it via Samba.
>>
> I need to have windows access to some files, and for other reasons, I
> need samba to work properly, do you have any ideas?
>

It all depends just what the files are, you could use ssh and then scp them to the windows machines, but if you must use the gui, then set up a proper share on the fileserver and store the required files there. It is just not a good idea to open up your entire machine.

Rowland

From lists at xunil.at Tue Dec 29 18:16:14 2015
From: lists at xunil.at (Stefan G. Weichinger)
Date: Tue, 29 Dec 2015 19:16:14 +0100
Subject: [Samba] samba4 as ADS member: some users visible, others not
In-Reply-To: <5682C31A.4040109@xunil.at>
References: <5682B582.6030505@xunil.at> <5682BD71.1050101@samba.org> <5682C31A.4040109@xunil.at>
Message-ID: <5682CDEE.1040604@xunil.at>

In the same ADS I have another member server with Samba-3.6.25:

[global]
workgroup = CUSTOMER
realm = MY.CUSTOMER
server string = backup
security = ADS
map to guest = Bad User
printcap name = /dev/null
os level = 65
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 1000-29999
idmap config * : backend = tdb

# nsswitch.conf
passwd: compat winbind
shadow: compat
group: compat winbind

This one gives me all users with "getent passwd"!

For the 4.x server I now tried:

[global]
workgroup = CUSTOMER
realm = MY.CUSTOMER
server string =
security = ADS
map to guest = Bad User
username map = /etc/samba/smbusers
map untrusted to domain = Yes
load printers = No
printcap name = /dev/null
disable spoolss = Yes
template shell = /bin/bash
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config * : range = 1000-29999
idmap config * : backend = tdb
printing = bsd
level2 oplocks = No

And now it works here as well!
We will see if it stays this way ;-)

Thanks, Stefan

From carlos.hollow at gmail.com Tue Dec 29 18:26:54 2015
From: carlos.hollow at gmail.com (Carlos A. P. Cunha)
Date: Tue, 29 Dec 2015 16:26:54 -0200
Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
In-Reply-To: <5682C6CA.4020103@samba.org>
References: <56829F1A.90106@gmail.com> <5682A5EC.80200@samba.org> <5682BFAE.5030006@gmail.com> <5682C064.9070509@gmail.com> <5682C6CA.4020103@samba.org>
Message-ID: <5682D06E.8090709@gmail.com>

Performed it, and the output was all like that, no listing of the attribute

# record 1
dn: CN=001-PLAT-01,CN=Computers,DC=interno,DC=mydoainDC=com,DC=br

# record 2
dn: CN=001-COMPRAS-15,CN=Computers,DC=interno,DC=mydomain,DC=com,DC=br

# record 3
dn: CN=RECEBIMENTO-1,OU=Computers_Locked,OU=Erechim,OU=Sonda,DC=interno,DC=mydomain,DC=com,DC=br

On 29-12-2015 15:45, Rowland penny wrote:
> Try your search like this:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb '(objectclass=computer)' msDS-SupportedEncryptionTypes
>

From rpenny at samba.org Tue Dec 29 19:34:16 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 29 Dec 2015 19:34:16 +0000
Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
In-Reply-To: <5682D06E.8090709@gmail.com>
References: <56829F1A.90106@gmail.com> <5682A5EC.80200@samba.org> <5682BFAE.5030006@gmail.com> <5682C064.9070509@gmail.com> <5682C6CA.4020103@samba.org> <5682D06E.8090709@gmail.com>
Message-ID: <5682E038.6080407@samba.org>

On 29/12/15 18:26, Carlos A. P. Cunha wrote:
> Performed it, and the output was all like that, no listing of the attribute
>
> # record 1
> dn: CN=001-PLAT-01,CN=Computers,DC=interno,DC=mydoainDC=com,DC=br
>
> # record 2
> dn: CN=001-COMPRAS-15,CN=Computers,DC=interno,DC=mydomain,DC=com,DC=br
>
> # record 3
> dn: CN=RECEBIMENTO-1,OU=Computers_Locked,OU=Erechim,OU=Sonda,DC=interno,DC=mydomain,DC=com,DC=br
>

OK, I was expecting something like this:

dn: CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
msDS-SupportedEncryptionTypes: 31

For every DC & computer in your domain.

I think your problem has occurred because you started with a windows 2003 DC, see here for info on this attribute:

http://blogs.msdn.com/b/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx?Redirected=true

You could try adding it to each computer and see how you go on.

Rowland

Rowland

From carlos.hollow at gmail.com Tue Dec 29 19:58:14 2015
From: carlos.hollow at gmail.com (Carlos A. P. Cunha)
Date: Tue, 29 Dec 2015 17:58:14 -0200
Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
In-Reply-To: <5682E038.6080407@samba.org>
References: <56829F1A.90106@gmail.com> <5682A5EC.80200@samba.org> <5682BFAE.5030006@gmail.com> <5682C064.9070509@gmail.com> <5682C6CA.4020103@samba.org> <5682D06E.8090709@gmail.com> <5682E038.6080407@samba.org>
Message-ID: <5682E5D6.7050504@gmail.com>

OK, this is bad news. Would you explain to me how I do it for my DC and an account?

thank you

On 29-12-2015 17:34, Rowland penny wrote:
> On 29/12/15 18:26, Carlos A. P. Cunha wrote:
>> Performed it, and the output was all like that, no listing of the attribute
>>
>> # record 1
>> dn: CN=001-PLAT-01,CN=Computers,DC=interno,DC=mydoainDC=com,DC=br
>>
>> # record 2
>> dn: CN=001-COMPRAS-15,CN=Computers,DC=interno,DC=mydomain,DC=com,DC=br
>>
>> # record 3
>> dn: CN=RECEBIMENTO-1,OU=Computers_Locked,OU=Erechim,OU=Sonda,DC=interno,DC=mydomain,DC=com,DC=br
>>
>
> OK, I was expecting something like this:
>
> dn: CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
> msDS-SupportedEncryptionTypes: 31
>
> For every DC & computer in your domain.
>
> I think your problem has occurred because you started with a windows
> 2003 DC, see here for info on this attribute:
>
> http://blogs.msdn.com/b/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx?Redirected=true
>
> You could try adding it to each computer and see how you go on.
>
> Rowland
> Rowland
>

From rpenny at samba.org Tue Dec 29 20:26:31 2015
From: rpenny at samba.org (Rowland penny)
Date: Tue, 29 Dec 2015 20:26:31 +0000
Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
In-Reply-To: <5682E5D6.7050504@gmail.com>
References: <56829F1A.90106@gmail.com> <5682A5EC.80200@samba.org> <5682BFAE.5030006@gmail.com> <5682C064.9070509@gmail.com> <5682C6CA.4020103@samba.org> <5682D06E.8090709@gmail.com> <5682E038.6080407@samba.org> <5682E5D6.7050504@gmail.com>
Message-ID: <5682EC77.5010204@samba.org>

On 29/12/15 19:58, Carlos A. P. Cunha wrote:
> OK, this is bad news. Would you explain to me how I do it for my DC
> and an account?
>
> thank you
>
> On 29-12-2015 17:34, Rowland penny wrote:
>> On 29/12/15 18:26, Carlos A. P. Cunha wrote:
>>> Performed it, and the output was all like that, no listing of the attribute
>>>
>>> # record 1
>>> dn: CN=001-PLAT-01,CN=Computers,DC=interno,DC=mydoainDC=com,DC=br
>>>
>>> # record 2
>>> dn: CN=001-COMPRAS-15,CN=Computers,DC=interno,DC=mydomain,DC=com,DC=br
>>>
>>> # record 3
>>> dn: CN=RECEBIMENTO-1,OU=Computers_Locked,OU=Erechim,OU=Sonda,DC=interno,DC=mydomain,DC=com,DC=br
>>>
>>
>> OK, I was expecting something like this:
>>
>> dn: CN=DC1,OU=Domain Controllers,DC=samdom,DC=example,DC=com
>> msDS-SupportedEncryptionTypes: 31
>>
>> For every DC & computer in your domain.
>>
>> I think your problem has occurred because you started with a windows
>> 2003 DC, see here for info on this attribute:
>>
>> http://blogs.msdn.com/b/openspecification/archive/2009/09/12/msds-supportedencryptiontypes-episode-1-computer-accounts.aspx?Redirected=true
>>
>> You could try adding it to each computer and see how you go on.
>>
>> Rowland
>> Rowland
>>
>

There are various ways of adding an attribute: you could do it with ldbmodify or ldbedit, or if you feel more comfortable with a gui, you could install ADUC on a windows machine and use this to add the attribute, or you could install ldap account manager (LAM) on the DC and use this to add the attribute.

Pick one and search the internet for how to do it; you will learn more doing it this way, rather than me telling you how to do it, step by step. If, after choosing a method, you have problems, I will attempt to help you with them.

Rowland

Rowland

From carlos.hollow at gmail.com Tue Dec 29 20:43:03 2015
From: carlos.hollow at gmail.com (Carlos A. P. Cunha)
Date: Tue, 29 Dec 2015 18:43:03 -0200
Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
In-Reply-To: <5682EC77.5010204@samba.org>
References: <56829F1A.90106@gmail.com> <5682A5EC.80200@samba.org> <5682BFAE.5030006@gmail.com> <5682C064.9070509@gmail.com> <5682C6CA.4020103@samba.org> <5682D06E.8090709@gmail.com> <5682E038.6080407@samba.org> <5682E5D6.7050504@gmail.com> <5682EC77.5010204@samba.org>
Message-ID: <5682F057.4060806@gmail.com>

I will do that for now

Thank you very much, I am grateful.

On 29-12-2015 18:26, Rowland penny wrote:
> There are various ways of adding an attribute: you could do it with
> ldbmodify or ldbedit, or if you feel more comfortable with a gui, you
> could install ADUC on a windows machine and use this to add the
> attribute, or you could install ldap account manager (LAM) on the DC
> and use this to add the attribute.
>
> Pick one and search the internet for how to do it; you will learn more
> doing it this way, rather than me telling you how to do it, step by
> step. If, after choosing a method, you have problems, I will
> attempt to help you with them.

From it at cliffbells.com Wed Dec 30 03:36:54 2015
From: it at cliffbells.com (IT Admin)
Date: Tue, 29 Dec 2015 22:36:54 -0500
Subject: [Samba] Samba 4 AD - Samba Fails to Start, hdb_samba4_create_kdc (setup KDC database) failed
Message-ID:

Hello to the Samba Mailing List,

This is my first post, so please, should I commit any faux pas, nudge me in the right direction and I will adjust accordingly.

I'm experiencing a complete failure of the PDC in a Samba 4 AD Domain I've deployed for a client. Samba failed a few days ago and I've been unable to resolve the issue on my own. Google searches are leading me in circles; I'm hoping the list can help me get this deployment back in working order.
Some details on the failing machine:

Release: 15.10
Linux 4.2.0-22-generic #27-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
Samba Version: 4.1.17-Ubuntu

I provisioned this domain a few months ago, everything was going smoothly until a hardware failure forced me to reprovision a couple of weeks ago. Having just got their network stable again I was rather disheartened to discover Samba had taken a nosedive for Christmas.

Relevant info from Samba's logs (debug level 4):

/var/log/samba/log/samba:

samba version 4.1.17-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/12/28 21:12:05.907126, 3] ../source4/smbd/server.c:381(binary_smbd_main)
  Becoming a daemon.
[2015/12/28 21:12:05.919238, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2015/12/28 21:12:05.919327, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2015/12/28 21:12:05.919360, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2015/12/28 21:12:05.919437, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'schannel' registered
[2015/12/28 21:12:05.919472, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'spnego' registered
[2015/12/28 21:12:05.919503, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2015/12/28 21:12:05.919537, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'krb5' registered
[2015/12/28 21:12:05.919567, 3] ../auth/gensec/gensec_start.c:870(gensec_register)
  GENSEC backend 'fake_gssapi_krb5' registered
[2015/12/28 21:12:05.919643, 3] ../source4/ntptr/ntptr_base.c:67(ntptr_register)
  NTPTR backend 'simple_ldb'
[2015/12/28 21:12:05.919714, 3] ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register)
  NTVFS backend 'default' for type 1 registered
[2015/12/28 21:12:05.919753, 3] ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register)
  NTVFS backend 'posix' for type 1 registered
[2015/12/28 21:12:05.919791, 3] ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register)
  NTVFS backend 'unixuid' for type 1 registered
[2015/12/28 21:12:05.919821, 3] ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register)
  NTVFS backend 'unixuid' for type 3 registered
[2015/12/28 21:12:05.919852, 3] ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register)
  NTVFS backend 'unixuid' for type 2 registered
[2015/12/28 21:12:05.919884, 3] ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register)
  NTVFS backend 'cifs' for type 1 registered
[2015/12/28 21:12:05.919915, 3] ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register)
  NTVFS backend 'smb2' for type 1 registered
[2015/12/28 21:12:05.919946, 3] ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register)
  NTVFS backend 'simple' for type 1 registered
[2015/12/28 21:12:05.919977, 3] ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register)
  NTVFS backend 'cifsposix' for type 1 registered
[2015/12/28 21:12:05.920010, 3] ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register)
  NTVFS backend 'default' for type 3 registered
[2015/12/28 21:12:05.920041, 3] ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register)
  NTVFS backend 'default' for type 2 registered
[2015/12/28 21:12:05.920078, 3] ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register)
  NTVFS backend 'nbench' for type 1 registered
[2015/12/28 21:12:05.921420, 3] ../source4/smbd/process_model.c:97(register_process_model)
  PROCESS_MODEL 'single' registered
[2015/12/28 21:12:05.921479, 3] ../source4/smbd/process_model.c:97(register_process_model)
  PROCESS_MODEL 'standard' registered
[2015/12/28 21:12:05.921510, 3] ../source4/smbd/process_model.c:97(register_process_model)
  PROCESS_MODEL 'onefork' registered
[2015/12/28 21:12:05.921540, 3] ../source4/smbd/process_model.c:97(register_process_model)
  PROCESS_MODEL 'prefork' registered
[2015/12/28 21:12:06.064097, 3] ../source4/auth/ntlm/auth.c:673(auth_register)
  AUTH backend 'sam' registered
[2015/12/28 21:12:06.064187, 3] ../source4/auth/ntlm/auth.c:673(auth_register)
  AUTH backend 'sam_ignoredomain' registered
[2015/12/28 21:12:06.064220, 3] ../source4/auth/ntlm/auth.c:673(auth_register)
  AUTH backend 'anonymous' registered
[2015/12/28 21:12:06.064251, 3] ../source4/auth/ntlm/auth.c:673(auth_register)
  AUTH backend 'winbind' registered
[2015/12/28 21:12:06.064284, 3] ../source4/auth/ntlm/auth.c:673(auth_register)
  AUTH backend 'winbind_wbclient' registered
[2015/12/28 21:12:06.064316, 3] ../source4/auth/ntlm/auth.c:673(auth_register)
  AUTH backend 'name_to_ntstatus' registered
[2015/12/28 21:12:06.064347, 3] ../source4/auth/ntlm/auth.c:673(auth_register)
  AUTH backend 'unix' registered
[2015/12/28 21:12:06.064401, 3] ../source4/param/share.c:124(share_register)
  SHARE backend [classic] registered.
[2015/12/28 21:12:06.697309, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of privilege.ldb
[2015/12/28 21:12:06.748805, 0] ../source4/smbd/server.c:488(binary_smbd_main)
  samba: using 'standard' process model
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2015/12/28 21:12:06.779495, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'rpcecho' registered
[2015/12/28 21:12:06.764776, 0] ../source4/dsdb/common/util.c:1693(samdb_reference_dn_is_our_ntdsa)
  Failed to find object DC=one,DC=cliffbells,DC=com for attribute fsmoRoleOwner - Cannot find DN DC=one,DC=cliffbells,DC=com to get attribute fsmoRoleOwner for reference dn: (null)
[2015/12/28 21:12:06.780250, 1] ../source4/dsdb/common/util.c:1877(samdb_is_pdc)
  Failed to find if we are the PDC for this ldb: Searching for fSMORoleOwner in DC=one,DC=cliffbells,DC=com failed: Cannot find DN DC=one,DC=cliffbells,DC=com to get attribute fsmoRoleOwner for reference dn: (null)
[2015/12/28 21:12:06.788717, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'epmapper' registered
[2015/12/28 21:12:06.789079, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'remote' registered
[2015/12/28 21:12:06.789535, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'srvsvc' registered
[2015/12/28 21:12:06.789597, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'wkssvc' registered
[2015/12/28 21:12:06.789634, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'unixinfo' registered
[2015/12/28 21:12:06.790292, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'samr' registered
[2015/12/28 21:12:06.790372, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'winreg' registered
[2015/12/28 21:12:06.790410, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'netlogon' registered
[2015/12/28 21:12:06.790654, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'dssetup' registered
[2015/12/28 21:12:06.790702, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'lsarpc' registered
[2015/12/28 21:12:06.790739, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'backupkey' registered
[2015/12/28 21:12:06.790783, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'spoolss' registered
[2015/12/28 21:12:06.790818, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'drsuapi' registered
[2015/12/28 21:12:06.790864, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'browser' registered
[2015/12/28 21:12:06.790897, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'eventlog6' registered
[2015/12/28 21:12:06.790941, 3] ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server)
  DCERPC endpoint server 'dnsserver' registered
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2015/12/28 21:12:06.842176, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2015/12/28 21:12:06.843155, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of idmap.ldb
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2015/12/28 21:12:06.865340, 1] ../source4/kdc/db-glue.c:1956(samba_kdc_setup_db_ctx)
  samba_kdc_fetch: could not find own KRBTGT in DB: (null)
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2015/12/28 21:12:06.869471, 2] ../source4/dsdb/repl/drepl_partitions.c:116(dreplsrv_load_partitions)
  dreplsrv_partition[CN=Configuration,DC=one,DC=cliffbells,DC=com] loaded
[2015/12/28 21:12:06.869600, 2] ../source4/dsdb/repl/drepl_partitions.c:116(dreplsrv_load_partitions)
  dreplsrv_partition[CN=Schema,CN=Configuration,DC=one,DC=cliffbells,DC=com] loaded
[2015/12/28 21:12:06.869648, 2] ../source4/dsdb/repl/drepl_partitions.c:116(dreplsrv_load_partitions)
  dreplsrv_partition[DC=one,DC=cliffbells,DC=com] loaded
[2015/12/28 21:12:06.869742, 2] ../source4/dsdb/repl/drepl_partitions.c:116(dreplsrv_load_partitions)
  dreplsrv_partition[DC=DomainDnsZones,DC=one,DC=cliffbells,DC=com] loaded
[2015/12/28 21:12:06.869789, 2] ../source4/dsdb/repl/drepl_partitions.c:116(dreplsrv_load_partitions)
  dreplsrv_partition[DC=ForestDnsZones,DC=one,DC=cliffbells,DC=com] loaded
[2015/12/28 21:12:06.865437, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [kdc: hdb_samba4_create_kdc (setup KDC database) failed]
[2015/12/28 21:12:06.878911, 3] ../source4/dsdb/dns/dns_update.c:340(dnsupdate_check_names)
  Calling DNS name update script
[2015/12/28 21:12:06.888121, 3] ../source4/dsdb/dns/dns_update.c:355(dnsupdate_check_names)
  Calling SPN name update script
samba: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
[2015/12/28 21:12:06.902840, 2] ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions)
  kccsrv_partition[DC=ONE,DC=CLIFFBELLS,DC=COM] loaded
[2015/12/28 21:12:06.902998, 2] ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions)
  kccsrv_partition[CN=Configuration,DC=one,DC=cliffbells,DC=com] loaded
[2015/12/28 21:12:06.903036, 2] ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions)
  kccsrv_partition[CN=Schema,CN=Configuration,DC=one,DC=cliffbells,DC=com] loaded
[2015/12/28 21:12:06.903072, 2] ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions)
  kccsrv_partition[DC=DomainDnsZones,DC=one,DC=cliffbells,DC=com] loaded
[2015/12/28 21:12:06.903107, 2] ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions)
  kccsrv_partition[DC=ForestDnsZones,DC=one,DC=cliffbells,DC=com] loaded
[2015/12/28 21:12:06.884922, 0] ../lib/util/become_daemon.c:136(daemon_ready)
  STATUS=daemon 'samba' finished starting up and ready to serve connectionssamba_terminate: kdc: hdb_samba4_create_kdc (setup KDC database) failed
[2015/12/28 21:12:06.930079, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2015/12/28 21:12:07.752016, 0] ../file_server/file_server.c:48(file_server_smbd_done)
  file_server smbd daemon exited normally
[2015/12/28 21:12:07.752994, 0] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [smbd child process exited]

/var/log/samba/log.smbd:

smbd version 4.1.17-Ubuntu started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/12/28 21:12:06, 2] ../source3/lib/tallocmsg.c:124(register_msg_pool_usage)
  Registered MSG_REQ_POOL_USAGE
[2015/12/28 21:12:06, 2] ../source3/lib/dmallocmsg.c:78(register_dmalloc_msgs)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2015/12/28 21:12:06.975569, 3] ../source3/param/loadparm.c:4839(lp_load_ex)
  lp_load_ex: refreshing parameters
[2015/12/28 21:12:06.975630, 3] ../source3/param/loadparm.c:750(init_globals)
  Initialising global parameters
[2015/12/28 21:12:06.975672, 2] ../source3/param/loadparm.c:543(max_open_files)
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2015/12/28 21:12:06.975752, 3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2015/12/28 21:12:06.975787, 3] ../source3/param/loadparm.c:3565(do_section)
  Processing section "[global]"
[2015/12/28 21:12:06.976003, 2] ../source3/param/loadparm.c:3582(do_section)
  Processing section "[netlogon]"
[2015/12/28 21:12:06.976125, 2] ../source3/param/loadparm.c:3582(do_section)
  Processing section "[sysvol]"
[2015/12/28 21:12:06.976193, 2] ../source3/param/loadparm.c:3582(do_section)
  Processing section "[accounting]"
[2015/12/28 21:12:06.976277, 2] ../source3/param/loadparm.c:3582(do_section)
  Processing section "[data]"
[2015/12/28 21:12:06.976359, 2] ../source3/param/loadparm.c:3582(do_section)
  Processing section "[backups]"
[2015/12/28 21:12:06.976472, 3] ../source3/param/loadparm.c:1774(lp_add_ipc)
  adding IPC service
[2015/12/28 21:12:06.976790, 2] ../source3/lib/interface.c:341(add_interface)
  added interface eth0 ip=192.168.37.2 bcast=192.168.37.255 netmask=255.255.255.0
[2015/12/28 21:12:06.976876, 3] ../source3/smbd/server.c:1248(main)
  loaded services
[2015/12/28 21:12:06.977004, 3] ../source3/smbd/server.c:1280(main)
  Becoming a daemon.
[2015/12/28 21:12:07.738688, 3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of idmap.ldb
[2015/12/28 21:12:07.740665, 0] ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
  pdb backend samba_dsdb did not correctly init (error was NT_STATUS_UNSUCCESSFUL)

I am at a loss, Samba simply does not start. Any help/guidance the list could provide to assist me in restoring Samba to a working state would be greatly appreciated.

Regards,
JS

From belle at bazuin.nl Wed Dec 30 08:27:48 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 30 Dec 2015 09:27:48 +0100
Subject: [Samba] Samba 4 AD - Samba Fails to Start, hdb_samba4_create_kdc (setup KDC database) failed
In-Reply-To:
References:
Message-ID:

Hi,

Could be incorrect rights, or a corrupted db.

Can you give the output of

ls -al /var/lib/samba/
ls -al /var/lib/samba/private
ls -al /var/lib/samba/private/dns

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of IT Admin
> Sent: Wednesday 30 December 2015 4:37
> To: samba at lists.samba.org
> Subject: [Samba] Samba 4 AD - Samba Fails to Start, hdb_samba4_create_kdc (setup KDC database) failed
>
> Hello to the Samba Mailing List,
>
> This is my first post, so please, should I commit any faux pas, nudge me in
> the right direction and I will adjust accordingly.
>
> I'm experiencing a complete failure of the PDC in a Samba 4 AD Domain I've
> deployed for a client. Samba failed a few days ago and I've been unable to
> resolve the issue on my own. Google searches are leading me in circles;
> I'm hoping the list can help me get this deployment back in working order.
> [2015/12/28 21:12:06.902840, 2] > ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions) > kccsrv_partition[DC=ONE,DC=CLIFFBELLS,DC=COM] loaded > [2015/12/28 21:12:06.902998, 2] > ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions) > kccsrv_partition[CN=Configuration,DC=one,DC=cliffbells,DC=com] loaded > [2015/12/28 21:12:06.903036, 2] > ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions) > kccsrv_partition[CN=Schema,CN=Configuration,DC=one,DC=cliffbells,DC=com] > loaded > [2015/12/28 21:12:06.903072, 2] > ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions) > kccsrv_partition[DC=DomainDnsZones,DC=one,DC=cliffbells,DC=com] loaded > [2015/12/28 21:12:06.903107, 2] > ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions) > kccsrv_partition[DC=ForestDnsZones,DC=one,DC=cliffbells,DC=com] loaded > [2015/12/28 21:12:06.884922, 0] > ../lib/util/become_daemon.c:136(daemon_ready) > STATUS=daemon 'samba' finished starting up and ready to serve > connectionssamba_terminate: kdc: hdb_samba4_create_kdc (setup KDC > database) > failed > [2015/12/28 21:12:06.930079, 3] > ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect) > ldb_wrap open of secrets.ldb > [2015/12/28 21:12:07.752016, 0] > ../file_server/file_server.c:48(file_server_smbd_done) > file_server smbd daemon exited normally > [2015/12/28 21:12:07.752994, 0] > ../source4/smbd/service_task.c:35(task_server_terminate) > task_server_terminate: [smbd child process exited] > > > /var/log/samba/log.smbd: > > smbd version 4.1.17-Ubuntu started. 
> Copyright Andrew Tridgell and the Samba Team 1992-2013 > [2015/12/28 21:12:06, 2] > ../source3/lib/tallocmsg.c:124(register_msg_pool_usage) > Registered MSG_REQ_POOL_USAGE > [2015/12/28 21:12:06, 2] > ../source3/lib/dmallocmsg.c:78(register_dmalloc_msgs) > Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED > [2015/12/28 21:12:06.975569, 3] > ../source3/param/loadparm.c:4839(lp_load_ex) > lp_load_ex: refreshing parameters > [2015/12/28 21:12:06.975630, 3] > ../source3/param/loadparm.c:750(init_globals) > Initialising global parameters > [2015/12/28 21:12:06.975672, 2] > ../source3/param/loadparm.c:543(max_open_files) > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit > (16384) > [2015/12/28 21:12:06.975752, 3] ../lib/util/params.c:550(pm_process) > params.c:pm_process() - Processing configuration file > "/etc/samba/smb.conf" > [2015/12/28 21:12:06.975787, 3] > ../source3/param/loadparm.c:3565(do_section) > Processing section "[global]" > [2015/12/28 21:12:06.976003, 2] > ../source3/param/loadparm.c:3582(do_section) > Processing section "[netlogon]" > [2015/12/28 21:12:06.976125, 2] > ../source3/param/loadparm.c:3582(do_section) > Processing section "[sysvol]" > [2015/12/28 21:12:06.976193, 2] > ../source3/param/loadparm.c:3582(do_section) > Processing section "[accounting]" > [2015/12/28 21:12:06.976277, 2] > ../source3/param/loadparm.c:3582(do_section) > Processing section "[data]" > [2015/12/28 21:12:06.976359, 2] > ../source3/param/loadparm.c:3582(do_section) > Processing section "[backups]" > [2015/12/28 21:12:06.976472, 3] > ../source3/param/loadparm.c:1774(lp_add_ipc) > adding IPC service > [2015/12/28 21:12:06.976790, 2] > ../source3/lib/interface.c:341(add_interface) > added interface eth0 ip=192.168.37.2 bcast=192.168.37.255 > netmask=255.255.255.0 > [2015/12/28 21:12:06.976876, 3] ../source3/smbd/server.c:1248(main) > loaded services > [2015/12/28 21:12:06.977004, 3] ../source3/smbd/server.c:1280(main) > Becoming a daemon. 
> [2015/12/28 21:12:07.738688, 3] > ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect) > ldb_wrap open of idmap.ldb > [2015/12/28 21:12:07.740665, 0] > ../source3/passdb/pdb_interface.c:178(make_pdb_method_name) > pdb backend samba_dsdb did not correctly init (error was > NT_STATUS_UNSUCCESSFUL) > > > I am at a loss, Samba simply does not start. Any help/guidance the list > could provide to assist me in restoring Samba to a working state would be > greatly appreciated. > > Regards, > > JS > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba From rpenny at samba.org Wed Dec 30 09:38:39 2015 From: rpenny at samba.org (Rowland penny) Date: Wed, 30 Dec 2015 09:38:39 +0000 Subject: [Samba] Samba 4 AD - Samba Fails to Start, hdb_samba4_create_kdc (setup KDC database) failed In-Reply-To: References: Message-ID: <5683A61F.2050108@samba.org> On 30/12/15 03:36, IT Admin wrote: > Hello to the Samba Mailing List, > > This is my first post, so please, should I commit any faux pas, nudge me in > the right direction and I will adjust accordingly. > > I'm experiencing a complete failure of the PDC in a Samba 4 AD Domain I've > deployed for a client. Samba failed a few days ago and I've been unable to > resolve the issue on my own. Google searches are leading me in circles, > I'm hoping the list can help me get this deployment back in working order. > > Some details on the failing machine: > > Release: 15.10 > Linux 4.2.0-22-generic #27-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux > Samba Version: 4.1.17-Ubuntu > > I provisioned this domain a few months ago, everything was going smoothly > until a hardware failure forced me to reprovision a couple of weeks ago. > Having just got their network stable again I was rather disheartened to > discover Samba had taken a nosedive for Christmas. 
> > Relevant info from Samba's logs (debug level 4): > > /var/log/samba/log/samba: > > samba version 4.1.17-Ubuntu started. > Copyright Andrew Tridgell and the Samba Team 1992-2013 > [2015/12/28 21:12:05.907126, 3] > ../source4/smbd/server.c:381(binary_smbd_main) > Becoming a daemon. > [2015/12/28 21:12:05.919238, 3] > ../auth/gensec/gensec_start.c:870(gensec_register) > GENSEC backend 'gssapi_spnego' registered > [2015/12/28 21:12:05.919327, 3] > ../auth/gensec/gensec_start.c:870(gensec_register) > GENSEC backend 'gssapi_krb5' registered > [2015/12/28 21:12:05.919360, 3] > ../auth/gensec/gensec_start.c:870(gensec_register) > GENSEC backend 'gssapi_krb5_sasl' registered > [2015/12/28 21:12:05.919437, 3] > ../auth/gensec/gensec_start.c:870(gensec_register) > GENSEC backend 'schannel' registered > [2015/12/28 21:12:05.919472, 3] > ../auth/gensec/gensec_start.c:870(gensec_register) > GENSEC backend 'spnego' registered > [2015/12/28 21:12:05.919503, 3] > ../auth/gensec/gensec_start.c:870(gensec_register) > GENSEC backend 'ntlmssp' registered > [2015/12/28 21:12:05.919537, 3] > ../auth/gensec/gensec_start.c:870(gensec_register) > GENSEC backend 'krb5' registered > [2015/12/28 21:12:05.919567, 3] > ../auth/gensec/gensec_start.c:870(gensec_register) > GENSEC backend 'fake_gssapi_krb5' registered > [2015/12/28 21:12:05.919643, 3] > ../source4/ntptr/ntptr_base.c:67(ntptr_register) > NTPTR backend 'simple_ldb' > [2015/12/28 21:12:05.919714, 3] > ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register) > NTVFS backend 'default' for type 1 registered > [2015/12/28 21:12:05.919753, 3] > ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register) > NTVFS backend 'posix' for type 1 registered > [2015/12/28 21:12:05.919791, 3] > ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register) > NTVFS backend 'unixuid' for type 1 registered > [2015/12/28 21:12:05.919821, 3] > ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register) > NTVFS backend 'unixuid' for type 3 registered > [2015/12/28 21:12:05.919852, 3] > 
../source4/ntvfs/ntvfs_base.c:79(ntvfs_register) > NTVFS backend 'unixuid' for type 2 registered > [2015/12/28 21:12:05.919884, 3] > ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register) > NTVFS backend 'cifs' for type 1 registered > [2015/12/28 21:12:05.919915, 3] > ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register) > NTVFS backend 'smb2' for type 1 registered > [2015/12/28 21:12:05.919946, 3] > ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register) > NTVFS backend 'simple' for type 1 registered > [2015/12/28 21:12:05.919977, 3] > ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register) > NTVFS backend 'cifsposix' for type 1 registered > [2015/12/28 21:12:05.920010, 3] > ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register) > NTVFS backend 'default' for type 3 registered > [2015/12/28 21:12:05.920041, 3] > ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register) > NTVFS backend 'default' for type 2 registered > [2015/12/28 21:12:05.920078, 3] > ../source4/ntvfs/ntvfs_base.c:79(ntvfs_register) > NTVFS backend 'nbench' for type 1 registered > [2015/12/28 21:12:05.921420, 3] > ../source4/smbd/process_model.c:97(register_process_model) > PROCESS_MODEL 'single' registered > [2015/12/28 21:12:05.921479, 3] > ../source4/smbd/process_model.c:97(register_process_model) > PROCESS_MODEL 'standard' registered > [2015/12/28 21:12:05.921510, 3] > ../source4/smbd/process_model.c:97(register_process_model) > PROCESS_MODEL 'onefork' registered > [2015/12/28 21:12:05.921540, 3] > ../source4/smbd/process_model.c:97(register_process_model) > PROCESS_MODEL 'prefork' registered > [2015/12/28 21:12:06.064097, 3] > ../source4/auth/ntlm/auth.c:673(auth_register) > AUTH backend 'sam' registered > [2015/12/28 21:12:06.064187, 3] > ../source4/auth/ntlm/auth.c:673(auth_register) > AUTH backend 'sam_ignoredomain' registered > [2015/12/28 21:12:06.064220, 3] > ../source4/auth/ntlm/auth.c:673(auth_register) > AUTH backend 'anonymous' registered > [2015/12/28 21:12:06.064251, 3] > ../source4/auth/ntlm/auth.c:673(auth_register) > 
AUTH backend 'winbind' registered > [2015/12/28 21:12:06.064284, 3] > ../source4/auth/ntlm/auth.c:673(auth_register) > AUTH backend 'winbind_wbclient' registered > [2015/12/28 21:12:06.064316, 3] > ../source4/auth/ntlm/auth.c:673(auth_register) > AUTH backend 'name_to_ntstatus' registered > [2015/12/28 21:12:06.064347, 3] > ../source4/auth/ntlm/auth.c:673(auth_register) > AUTH backend 'unix' registered > [2015/12/28 21:12:06.064401, 3] > ../source4/param/share.c:124(share_register) > SHARE backend [classic] registered. > [2015/12/28 21:12:06.697309, 3] > ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect) > ldb_wrap open of privilege.ldb > [2015/12/28 21:12:06.748805, 0] > ../source4/smbd/server.c:488(binary_smbd_main) > samba: using 'standard' process model > samba: setproctitle not initialized, please either call setproctitle_init() > or link against libbsd-ctor. > samba: setproctitle not initialized, please either call setproctitle_init() > or link against libbsd-ctor. > samba: setproctitle not initialized, please either call setproctitle_init() > or link against libbsd-ctor. > samba: setproctitle not initialized, please either call setproctitle_init() > or link against libbsd-ctor. > samba: setproctitle not initialized, please either call setproctitle_init() > or link against libbsd-ctor. 
> [2015/12/28 21:12:06.779495, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'rpcecho' registered > [2015/12/28 21:12:06.764776, 0] > ../source4/dsdb/common/util.c:1693(samdb_reference_dn_is_our_ntdsa) > Failed to find object DC=one,DC=cliffbells,DC=com for attribute > fsmoRoleOwner - Cannot find DN DC=one,DC=cliffbells,DC=com to get attribute > fsmoRoleOwner for reference dn: (null) > [2015/12/28 21:12:06.780250, 1] > ../source4/dsdb/common/util.c:1877(samdb_is_pdc) > Failed to find if we are the PDC for this ldb: Searching for > fSMORoleOwner in DC=one,DC=cliffbells,DC=com failed: Cannot find DN > DC=one,DC=cliffbells,DC=com to get attribute fsmoRoleOwner for reference > dn: (null) > [2015/12/28 21:12:06.788717, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'epmapper' registered > [2015/12/28 21:12:06.789079, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'remote' registered > [2015/12/28 21:12:06.789535, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'srvsvc' registered > [2015/12/28 21:12:06.789597, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'wkssvc' registered > [2015/12/28 21:12:06.789634, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'unixinfo' registered > [2015/12/28 21:12:06.790292, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'samr' registered > [2015/12/28 21:12:06.790372, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'winreg' registered > [2015/12/28 21:12:06.790410, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'netlogon' registered > [2015/12/28 21:12:06.790654, 3] > 
../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'dssetup' registered > [2015/12/28 21:12:06.790702, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'lsarpc' registered > [2015/12/28 21:12:06.790739, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'backupkey' registered > [2015/12/28 21:12:06.790783, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'spoolss' registered > [2015/12/28 21:12:06.790818, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'drsuapi' registered > [2015/12/28 21:12:06.790864, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'browser' registered > [2015/12/28 21:12:06.790897, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'eventlog6' registered > [2015/12/28 21:12:06.790941, 3] > ../source4/rpc_server/dcerpc_server.c:1208(dcerpc_register_ep_server) > DCERPC endpoint server 'dnsserver' registered > samba: setproctitle not initialized, please either call setproctitle_init() > or link against libbsd-ctor. > samba: setproctitle not initialized, please either call setproctitle_init() > or link against libbsd-ctor. > samba: setproctitle not initialized, please either call setproctitle_init() > or link against libbsd-ctor. > samba: setproctitle not initialized, please either call setproctitle_init() > or link against libbsd-ctor. > [2015/12/28 21:12:06.842176, 3] > ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect) > ldb_wrap open of secrets.ldb > [2015/12/28 21:12:06.843155, 3] > ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect) > ldb_wrap open of idmap.ldb > samba: setproctitle not initialized, please either call setproctitle_init() > or link against libbsd-ctor. 
> samba: setproctitle not initialized, please either call setproctitle_init() > or link against libbsd-ctor. > [2015/12/28 21:12:06.865340, 1] > ../source4/kdc/db-glue.c:1956(samba_kdc_setup_db_ctx) > samba_kdc_fetch: could not find own KRBTGT in DB: (null) > samba: setproctitle not initialized, please either call setproctitle_init() > or link against libbsd-ctor. > [2015/12/28 21:12:06.869471, 2] > ../source4/dsdb/repl/drepl_partitions.c:116(dreplsrv_load_partitions) > dreplsrv_partition[CN=Configuration,DC=one,DC=cliffbells,DC=com] loaded > [2015/12/28 21:12:06.869600, 2] > ../source4/dsdb/repl/drepl_partitions.c:116(dreplsrv_load_partitions) > > dreplsrv_partition[CN=Schema,CN=Configuration,DC=one,DC=cliffbells,DC=com] > loaded > [2015/12/28 21:12:06.869648, 2] > ../source4/dsdb/repl/drepl_partitions.c:116(dreplsrv_load_partitions) > dreplsrv_partition[DC=one,DC=cliffbells,DC=com] loaded > [2015/12/28 21:12:06.869742, 2] > ../source4/dsdb/repl/drepl_partitions.c:116(dreplsrv_load_partitions) > dreplsrv_partition[DC=DomainDnsZones,DC=one,DC=cliffbells,DC=com] loaded > [2015/12/28 21:12:06.869789, 2] > ../source4/dsdb/repl/drepl_partitions.c:116(dreplsrv_load_partitions) > dreplsrv_partition[DC=ForestDnsZones,DC=one,DC=cliffbells,DC=com] loaded > [2015/12/28 21:12:06.865437, 0] > ../source4/smbd/service_task.c:35(task_server_terminate) > task_server_terminate: [kdc: hdb_samba4_create_kdc (setup KDC database) > failed] > [2015/12/28 21:12:06.878911, 3] > ../source4/dsdb/dns/dns_update.c:340(dnsupdate_check_names) > Calling DNS name update script > [2015/12/28 21:12:06.888121, 3] > ../source4/dsdb/dns/dns_update.c:355(dnsupdate_check_names) > Calling SPN name update script > samba: setproctitle not initialized, please either call setproctitle_init() > or link against libbsd-ctor. 
> [2015/12/28 21:12:06.902840, 2] > ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions) > kccsrv_partition[DC=ONE,DC=CLIFFBELLS,DC=COM] loaded > [2015/12/28 21:12:06.902998, 2] > ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions) > kccsrv_partition[CN=Configuration,DC=one,DC=cliffbells,DC=com] loaded > [2015/12/28 21:12:06.903036, 2] > ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions) > kccsrv_partition[CN=Schema,CN=Configuration,DC=one,DC=cliffbells,DC=com] > loaded > [2015/12/28 21:12:06.903072, 2] > ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions) > kccsrv_partition[DC=DomainDnsZones,DC=one,DC=cliffbells,DC=com] loaded > [2015/12/28 21:12:06.903107, 2] > ../source4/dsdb/kcc/kcc_service.c:127(kccsrv_load_partitions) > kccsrv_partition[DC=ForestDnsZones,DC=one,DC=cliffbells,DC=com] loaded > [2015/12/28 21:12:06.884922, 0] > ../lib/util/become_daemon.c:136(daemon_ready) > STATUS=daemon 'samba' finished starting up and ready to serve > connectionssamba_terminate: kdc: hdb_samba4_create_kdc (setup KDC database) > failed > [2015/12/28 21:12:06.930079, 3] > ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect) > ldb_wrap open of secrets.ldb > [2015/12/28 21:12:07.752016, 0] > ../file_server/file_server.c:48(file_server_smbd_done) > file_server smbd daemon exited normally > [2015/12/28 21:12:07.752994, 0] > ../source4/smbd/service_task.c:35(task_server_terminate) > task_server_terminate: [smbd child process exited] > > > /var/log/samba/log.smbd: > > smbd version 4.1.17-Ubuntu started. 
> Copyright Andrew Tridgell and the Samba Team 1992-2013 > [2015/12/28 21:12:06, 2] > ../source3/lib/tallocmsg.c:124(register_msg_pool_usage) > Registered MSG_REQ_POOL_USAGE > [2015/12/28 21:12:06, 2] > ../source3/lib/dmallocmsg.c:78(register_dmalloc_msgs) > Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED > [2015/12/28 21:12:06.975569, 3] > ../source3/param/loadparm.c:4839(lp_load_ex) > lp_load_ex: refreshing parameters > [2015/12/28 21:12:06.975630, 3] > ../source3/param/loadparm.c:750(init_globals) > Initialising global parameters > [2015/12/28 21:12:06.975672, 2] > ../source3/param/loadparm.c:543(max_open_files) > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) > [2015/12/28 21:12:06.975752, 3] ../lib/util/params.c:550(pm_process) > params.c:pm_process() - Processing configuration file > "/etc/samba/smb.conf" > [2015/12/28 21:12:06.975787, 3] > ../source3/param/loadparm.c:3565(do_section) > Processing section "[global]" > [2015/12/28 21:12:06.976003, 2] > ../source3/param/loadparm.c:3582(do_section) > Processing section "[netlogon]" > [2015/12/28 21:12:06.976125, 2] > ../source3/param/loadparm.c:3582(do_section) > Processing section "[sysvol]" > [2015/12/28 21:12:06.976193, 2] > ../source3/param/loadparm.c:3582(do_section) > Processing section "[accounting]" > [2015/12/28 21:12:06.976277, 2] > ../source3/param/loadparm.c:3582(do_section) > Processing section "[data]" > [2015/12/28 21:12:06.976359, 2] > ../source3/param/loadparm.c:3582(do_section) > Processing section "[backups]" > [2015/12/28 21:12:06.976472, 3] > ../source3/param/loadparm.c:1774(lp_add_ipc) > adding IPC service > [2015/12/28 21:12:06.976790, 2] > ../source3/lib/interface.c:341(add_interface) > added interface eth0 ip=192.168.37.2 bcast=192.168.37.255 > netmask=255.255.255.0 > [2015/12/28 21:12:06.976876, 3] ../source3/smbd/server.c:1248(main) > loaded services > [2015/12/28 21:12:06.977004, 3] ../source3/smbd/server.c:1280(main) > Becoming a daemon. 
> [2015/12/28 21:12:07.738688, 3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
> ldb_wrap open of idmap.ldb
> [2015/12/28 21:12:07.740665, 0]
> ../source3/passdb/pdb_interface.c:178(make_pdb_method_name)
> pdb backend samba_dsdb did not correctly init (error was
> NT_STATUS_UNSUCCESSFUL)
>
>
> I am at a loss, Samba simply does not start. Any help/guidance the list
> could provide to assist me in restoring Samba to a working state would be
> greatly appreciated.
>
> Regards,
>
> JS

Why are you using ntvfs ?

Also how are you starting the Samba daemons ?

Rowland

From lists at xunil.at Wed Dec 30 09:40:05 2015
From: lists at xunil.at (Stefan G. Weichinger)
Date: Wed, 30 Dec 2015 10:40:05 +0100
Subject: [Samba] samba4 as ADS member: some users visible, others not
In-Reply-To: <5682C9F8.2000007@samba.org>
References: <5682B582.6030505@xunil.at> <5682BD71.1050101@samba.org> <5682C31A.4040109@xunil.at> <5682C9F8.2000007@samba.org>
Message-ID: <5683A675.9080309@xunil.at>

On 2015-12-29 at 18:59, Rowland penny wrote:
> NO! This will give you precisely 0 users
>
> config * == the range the 'builtin' users will be mapped to.
> config customer == the range for all the domain users that have a
> uidNumber attribute. If a user doesn't have a uidNumber attribute
> containing a number inside the range set in smb.conf (in your case
> 10000-999999) it will be ignored, the user will also be ignored if it
> doesn't have a uidNumber attribute. There is also another gotcha, the
> 'Domain Users' group *must* have a gidNumber attribute inside the range,
> or all users will be ignored even if they have a uidNumber attribute.
>
> This all boils down to, have you manually given your users & groups the
> required uidNumber & gidNumber attributes ? they are not added
> automatically, they must be added manually.

Thanks a lot for that explanation.
I read it after it started working here yesterday, so excuse my late reply.

I never understood it the way you described it above; this would have helped me with other servers earlier as well.

thanks, Stefan

From cborivant at devinlec.com Wed Dec 30 09:54:47 2015
From: cborivant at devinlec.com (Christophe Borivant)
Date: Wed, 30 Dec 2015 10:54:47 +0100 (CET)
Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
Message-ID: <118433293.574024.1451469287726.JavaMail.zimbra@devinlecleclerc.com>

Hello Carlos,

I had the same problem as you.
To solve the problem, I just modified the files I needed from adprep in order to be able to run ldbadd and ldbmodify.

Can you run something like this to check your schema version ?

ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Schema,CN=Configuration,DC=YOURDOMAIN,DC=com" -s base objectVersion

---------------------------------------------
Christophe Borivant
IT Operations Manager
+33 5 62 20 71 71 (ext. 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Original Message -----
From: "Carlos A. P. Cunha"
To: "Rowland penny" , "samba"
Sent: Tuesday 29 December 2015 21:43:03
Subject: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'

I will do that for now. Thank you very much, I am grateful.

On 29-12-2015 18:26, Rowland penny wrote:
> There are various ways of adding an attribute, you could do it with
> ldbmodify or ldbedit, or if you feel more comfortable with a gui, you
> could install ADUC on a windows machine and use this to add the
> attribute, or you could install ldap account manager (LAM) on the DC
> and use this to add the attribute.
>
> Pick one and search the internet for how to do it, you will learn more
> doing it this way, rather than me telling you how to do it, step by
> step. If after choosing a method, you have problems, this I will
> attempt to help you with.
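Added example (editor's code, not from the thread or from Samba) to go with Christophe's ldbsearch check above: it parses the objectVersion that the command prints, names the Windows schema release that number corresponds to (the version table is assumed from Microsoft's published schema levels, not from the thread), and orders a set of adprep sch<N>.ldf / sch<N>mod.ldf file names the way the ldbadd/ldbmodify sequence later in this thread applies them (every ldbadd part of a level, then that level's ldbmodify part). The sample ldbsearch output and the file list are constructed; query_schema_version runs the real ldbsearch and only works on a host with the Samba tools installed.

```python
#!/usr/bin/env python3
"""Check a Samba AD schema level and plan the adprep .ldf steps to a target.

Added example for this thread, not code from the list posts or from Samba.
"""
import re
import subprocess

# objectVersion values Microsoft assigns to each schema release
# (assumption: the commonly published table, not taken from the thread).
SCHEMA_RELEASES = {
    13: "Windows 2000",
    30: "Windows Server 2003",
    31: "Windows Server 2003 R2",
    44: "Windows Server 2008",
    47: "Windows Server 2008 R2",
    56: "Windows Server 2012",
    69: "Windows Server 2012 R2",
    87: "Windows Server 2016",
    88: "Windows Server 2019",
}

# Constructed sample of what ldbsearch prints for the query in the thread.
SAMPLE_LDBSEARCH_OUTPUT = """\
# record 1
dn: CN=Schema,CN=Configuration,DC=example,DC=com
objectVersion: 31

# returned 1 records
# 1 entries
# 0 referrals
"""

# Constructed, deliberately shuffled file list (names as used in the thread).
SAMPLE_LDF_FILES = [
    "sch34mod.ldf", "sch32mod.ldf", "sch34-2.ldf", "sch33.ldf",
    "sch32.ldf", "sch34-1.ldf", "sch33mod.ldf", "sch35.ldf",
    "README.txt",  # not an .ldf file: must be ignored
]

LDF_NAME = re.compile(r"^sch(\d+)(?:-(\d+))?(mod)?\.ldf$")


def parse_object_version(ldif_text):
    """Return the objectVersion from ldbsearch LDIF output, or None if absent."""
    for line in ldif_text.splitlines():
        m = re.match(r"^objectVersion:\s*(\d+)\s*$", line)
        if m:
            return int(m.group(1))
    return None


def describe(version):
    """Human-readable schema level, e.g. '31 (Windows Server 2003 R2)'."""
    name = SCHEMA_RELEASES.get(version)
    return f"{version} ({name})" if name else f"{version} (intermediate level)"


def levels_to_apply(current, target):
    """Schema levels current+1..target that still need their .ldf files."""
    if current is None:
        raise ValueError("objectVersion not found in ldbsearch output")
    if target < current:
        raise ValueError(f"schema {current} is already above target {target}")
    return list(range(current + 1, target + 1))


def order_ldf_files(filenames, levels):
    """Sort sch*.ldf files into apply order, keeping only the wanted levels.

    Within one level every ldbadd file (schN.ldf, schN-1.ldf, schN-2.ldf ...)
    runs before schNmod.ldf, matching the sequence posted in the thread.
    Returns (tool, filename) pairs, tool being 'ldbadd' or 'ldbmodify'.
    """
    keyed = []
    for name in filenames:
        m = LDF_NAME.match(name)
        if not m:
            continue  # skip anything that is not an adprep schema file
        level, part, mod = int(m.group(1)), int(m.group(2) or 0), bool(m.group(3))
        if level in levels:
            keyed.append(((level, mod, part), name))
    return [("ldbmodify" if key[1] else "ldbadd", name) for key, name in sorted(keyed)]


def build_commands(sam_ldb, steps):
    """Argument vectors for the ldbadd/ldbmodify calls, as the thread runs them."""
    return [[tool, "-H", sam_ldb, "--option=dsdb:schema update allowed=true", name]
            for tool, name in steps]


def query_schema_version(sam_ldb, base_dn):
    """Run Christophe's ldbsearch against a live sam.ldb (needs Samba tools)."""
    out = subprocess.run(
        ["ldbsearch", "-H", sam_ldb, "-b", base_dn, "-s", "base", "objectVersion"],
        capture_output=True, text=True, check=True).stdout
    return parse_object_version(out)


if __name__ == "__main__":
    current = parse_object_version(SAMPLE_LDBSEARCH_OUTPUT)
    print("current schema:", describe(current))
    steps = order_ldf_files(SAMPLE_LDF_FILES, levels_to_apply(current, 35))
    for argv in build_commands("/var/lib/samba/private/sam.ldb", steps):
        print(" ".join(argv))
```

Running it on the constructed input prints the schema as 31 (Windows Server 2003 R2) and the eight commands for levels 32 to 35 in the order the thread uses. The ordering key is (level, is-mod, part), so a level's split add files (sch34-1, sch34-2) always precede its mod file, and a level that only has a mod file (sch38mod in the thread) still sorts into place; printing the argv before running anything, on a test copy of sam.ldb first as Christophe advises, is the safe way to review such a schema change.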
From carlos.hollow at gmail.com Wed Dec 30 10:28:11 2015
From: carlos.hollow at gmail.com (Carlos A. P. Cunha)
Date: Wed, 30 Dec 2015 08:28:11 -0200
Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
In-Reply-To: <118433293.574024.1451469287726.JavaMail.zimbra@devinlecleclerc.com>
References: <118433293.574024.1451469287726.JavaMail.zimbra@devinlecleclerc.com>
Message-ID: <5683B1BB.6010606@gmail.com>

Good day!

Thank you for your attention. I followed the process and it led to this result:

ldbsearch -H /usr/local/samba/private/sam.ldb -b "CN = Schema, CN = Configuration, DC = MYDOMAIN" -s base objectVersion
# 1 record
dn: CN = Schema, CN = Configuration, DC = MYDOMAIN
objectVersion: 31

# Returned 1 records
# 1 entries
# 0 referrals

How can we proceed ?

Thanks

On 30-12-2015 07:54, Christophe Borivant wrote:
> Hello Carlos,
>
> I had the same problem as you.
> To solve the problem, I just modified the files I needed from adprep in order to be able
> to run ldbadd and ldbmodify.
>
> Can you run something like this to check your schema version ?
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Schema,CN=Configuration,DC=YOURDOMAIN,DC=com" -s base objectVersion
>
> ---------------------------------------------
> Christophe Borivant
> IT Operations Manager
> +33 5 62 20 71 71 (ext. 503)
>
> Devinlec - Groupe Leclerc
> --------------------------------------------
>
> ----- Original Message -----
> From: "Carlos A. P. Cunha"
> To: "Rowland penny" , "samba"
> Sent: Tuesday 29 December 2015 21:43:03
> Subject: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
>
> I will do that for now. Thank you very much, I am grateful.
>
> On 29-12-2015 18:26, Rowland penny wrote:
>> There are various ways of adding an attribute, you could do it with
>> ldbmodify or ldbedit, or if you feel more comfortable with a gui, you
>> could install ADUC on a windows machine and use this to add the
>> attribute, or you could install ldap account manager (LAM) on the DC
>> and use this to add the attribute.
>>
>> Pick one and search the internet for how to do it, you will learn more
>> doing it this way, rather than me telling you how to do it, step by
>> step. If after choosing a method, you have problems, this I will
>> attempt to help you with.
>

From cborivant at devinlec.com Wed Dec 30 10:53:35 2015
From: cborivant at devinlec.com (Christophe Borivant)
Date: Wed, 30 Dec 2015 11:53:35 +0100 (CET)
Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
In-Reply-To: <5683B1BB.6010606@gmail.com>
References: <118433293.574024.1451469287726.JavaMail.zimbra@devinlecleclerc.com> <5683B1BB.6010606@gmail.com>
Message-ID: <1427000597.574202.1451472815861.JavaMail.zimbra@devinlecleclerc.com>

Ok, it seems like you are in the exact same situation I was.
So here are the files in a tgz.
Once uncompressed, you'll have to change each occurrence of "DC=MYDOMAIN,DC=com" according to your configuration.
You can do this with something like:

perl -pi -e 's/DC=MYDOMAIN,DC=com/DC=Carlos,DC=com/g' *

Then you will have to run ldbadd and ldbmodify in the correct order to upgrade your schema to version 47, like this:

ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch32.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch32mod.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch33.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch33mod.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34-1.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34-2.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34mod.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch35.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch35mod.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch36.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch36mod.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch37.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch37mod.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch38mod.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch39.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch39mod.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40-1.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40-2.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40mod.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch41mod.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch42mod.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-1.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-2.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-3.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-4.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43mod.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch44.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch44mod.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-1.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-2.ldf
ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-3.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45mod.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch46mod.ldf
ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch47mod.ldf

Don't forget to first try in a test environment.

---------------------------------------------
Christophe Borivant
IT Operations Manager
+33 5 62 20 71 71 (ext. 503)

Devinlec - Groupe Leclerc
--------------------------------------------

----- Original Message -----
From: "Carlos A. P. Cunha"
To: "Christophe BORIVANT" , "samba"
Sent: Wednesday 30 December 2015 11:28:11
Subject: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'

Good day!

Thank you for your attention. I followed the process and it led to this result:

ldbsearch -H /usr/local/samba/private/sam.ldb -b "CN = Schema, CN = Configuration, DC = MYDOMAIN" -s base objectVersion
# 1 record
dn: CN = Schema, CN = Configuration, DC = MYDOMAIN
objectVersion: 31

# Returned 1 records
# 1 entries
# 0 referrals

How can we proceed ?

Thanks

On 30-12-2015 07:54, Christophe Borivant wrote:
> Hello Carlos,
>
> I had the same problem as you.
> To solve the problem, I just modified the files I needed from adprep in order to be able
> to run ldbadd and ldbmodify.
>
> Can you run something like this to check your schema version ?
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Schema,CN=Configuration,DC=YOURDOMAIN,DC=com" -s base objectVersion
>
> ---------------------------------------------
> Christophe Borivant
> IT Operations Manager
> +33 5 62 20 71 71 (ext. 503)
>
> Devinlec - Groupe Leclerc
> --------------------------------------------
>
> ----- Original Message -----
> From: "Carlos A. P. Cunha"
> To: "Rowland penny" , "samba"
> Sent: Tuesday 29 December 2015 21:43:03
> Subject: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
>
> I will do that for now. Thank you very much, I am grateful.
>
> On 29-12-2015 18:26, Rowland penny wrote:
>> There are various ways of adding an attribute, you could do it with
>> ldbmodify or ldbedit, or if you feel more comfortable with a gui, you
>> could install ADUC on a windows machine and use this to add the
>> attribute, or you could install ldap account manager (LAM) on the DC
>> and use this to add the attribute.
>>
>> Pick one and search the internet for how to do it, you will learn more
>> doing it this way, rather than me telling you how to do it, step by
>> step.
If after choosing a method, you have problems, this I will >> attempt to help you with. > From carlos.hollow at gmail.com Wed Dec 30 11:05:27 2015 From: carlos.hollow at gmail.com (Carlos A. P. Cunha) Date: Wed, 30 Dec 2015 09:05:27 -0200 Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' In-Reply-To: <1427000597.574202.1451472815861.JavaMail.zimbra@devinlecleclerc.com> References: <118433293.574024.1451469287726.JavaMail.zimbra@devinlecleclerc.com> <5683B1BB.6010606@gmail.com> <1427000597.574202.1451472815861.JavaMail.zimbra@devinlecleclerc.com> Message-ID: <5683BA77.4090106@gmail.com> Okay, I'm already riding the test base ... thank you Leveraging believe may be related, when access peo UDCA part of Domains Controller, I can think of error and logs appears: [12/30/2015 08: 55: 52.277383, 0] ../lib/ldb-samba/ldb wrap.c: 72 (ldb wrap debug) ldb: acl_read: CN = DC-LINUX, OU = Domain Controllers, DC = Internal, DC = MYDOMAIN can not find attr [msDS-isRODC] in schema of It seems to be another missing attribute .... Em 30-12-2015 08:53, Christophe Borivant escreveu: > Ok it seems like you are in the exact same situation I was. > So here are the files in a tgz. > Once uncompressed, you'll have to change each occurance of "DC=MYDOMAIN,DC=com" > according to your configuration. 
> you can do this with something like : > perl -pi -e 's/DC=MYDOMAIN,DC=com/DC=Carlos,DC=com/g' * > > Then you will have to run ldbadd and ldbmodify in the correct order to upgrade your > schema to version 47 like this : > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch32.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch32mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch33.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch33mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34-1.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34-2.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch35.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch35mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch36.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch36mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch37.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch37mod.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch38mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch39.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch39mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40-1.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" 
sch40-2.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40mod.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch41mod.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch42mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-1.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-2.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-3.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-4.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch44.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch44mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-1.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-2.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-3.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45mod.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch46mod.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch47mod.ldf > > Don't forget to first try in a test environment. > > --------------------------------------------- > Christophe Borivant > Responsable d'exploitation informatique > +33 5 62 20 71 71 (Poste 503) > > Devinlec - Groupe Leclerc > -------------------------------------------- > > ----- Mail original ----- > De: "Carlos A. P. 
Cunha" > À: "Christophe BORIVANT" , "samba" > Envoyé: Mercredi 30 Décembre 2015 11:28:11 > Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' > > Good day! > Thank you for your attention, follow the process and led to this result: > > ldbsearch -H /usr/local/samba/private/sam.ldb -b "CN = Schema, CN = > Configuration, DC = MYDOMAIN" -s base objectVersion > # 1 record > dn: CN = Schema, CN = Configuration, DC = MYDOMAIN > objectVersion: 31 > > # Returned 1 records > # 1 entries > # 0 referrals > > > How can we proceed ? > > Thanks > > > Em 30-12-2015 07:54, Christophe Borivant escreveu: >> Hello Carlos, >> >> I had the same problem as you. >> To solve the problem, I just modified the files I needed from adprep in order to be able >> to run ldbadd and ldbmodify. >> >> Can you run something like this to check your schema version ? >> >> ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Schema,CN=Configuration,DC=YOURDOMAIN,DC=com" -s base objectVersion >> >> --------------------------------------------- >> Christophe Borivant >> Responsable d'exploitation informatique >> +33 5 62 20 71 71 (Poste 503) >> >> Devinlec - Groupe Leclerc >> -------------------------------------------- >> >> ----- Mail original ----- >> De: "Carlos A. P. Cunha" >> À: "Rowland penny" , "samba" >> Envoyé: Mardi 29 Décembre 2015 21:43:03 >> Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' >> >> I will do that for now Thank you very much, I am grateful. >> >> Em 29-12-2015 18:26, Rowland penny escreveu: >>> There are various way of adding an attribute, you could do it with >>> ldbmodify or ldbedit, or if you feel more comfortable with a gui, you >>> could install ADUC on a windows machine and use this to add the >>> attribute, or you could install ldap account manager (LAM) on the DC >>> and use this to add the attribute. 
>>> >>> Pick one and search the internet for how to do it, you will learn more >>> doing it this way, rather than me telling you how to do it, step by >>> step. If after choosing a method, you have problems, this I will >>> attempt to help you with. > > From cborivant at devinlec.com Wed Dec 30 11:15:53 2015 From: cborivant at devinlec.com (Christophe Borivant) Date: Wed, 30 Dec 2015 12:15:53 +0100 (CET) Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' In-Reply-To: <5683BA77.4090106@gmail.com> References: <118433293.574024.1451469287726.JavaMail.zimbra@devinlecleclerc.com> <5683B1BB.6010606@gmail.com> <1427000597.574202.1451472815861.JavaMail.zimbra@devinlecleclerc.com> <5683BA77.4090106@gmail.com> Message-ID: <1128338587.574256.1451474153948.JavaMail.zimbra@devinlecleclerc.com> msDS-isRODC is introduced in version 32 of the schema. This is the problem I faced. You can have a look to https://lists.samba.org/archive/samba/2015-August/193258.html. --------------------------------------------- Christophe Borivant Responsable d'exploitation informatique +33 5 62 20 71 71 (Poste 503) Devinlec - Groupe Leclerc -------------------------------------------- ----- Mail original ----- De: "Carlos A. P. Cunha" À: "Christophe BORIVANT" , "samba" Envoyé: Mercredi 30 Décembre 2015 12:05:27 Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' Okay, I'm already riding the test base ... thank you Leveraging believe may be related, when access peo UDCA part of Domains Controller, I can think of error and logs appears: [12/30/2015 08: 55: 52.277383, 0] ../lib/ldb-samba/ldb wrap.c: 72 (ldb wrap debug) ldb: acl_read: CN = DC-LINUX, OU = Domain Controllers, DC = Internal, DC = MYDOMAIN can not find attr [msDS-isRODC] in schema of It seems to be another missing attribute .... Em 30-12-2015 08:53, Christophe Borivant escreveu: > Ok it seems like you are in the exact same situation I was. > So here are the files in a tgz. 
> Once uncompressed, you'll have to change each occurance of "DC=MYDOMAIN,DC=com" > according to your configuration. > you can do this with something like : > perl -pi -e 's/DC=MYDOMAIN,DC=com/DC=Carlos,DC=com/g' * > > Then you will have to run ldbadd and ldbmodify in the correct order to upgrade your > schema to version 47 like this : > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch32.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch32mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch33.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch33mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34-1.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34-2.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch35.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch35mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch36.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch36mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch37.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch37mod.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch38mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch39.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch39mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update 
allowed=true" sch40-1.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40-2.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40mod.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch41mod.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch42mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-1.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-2.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-3.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-4.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch44.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch44mod.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-1.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-2.ldf > ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-3.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45mod.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch46mod.ldf > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch47mod.ldf > > Don't forget to first try in a test environment. 
> > --------------------------------------------- > Christophe Borivant > Responsable d'exploitation informatique > +33 5 62 20 71 71 (Poste 503) > > Devinlec - Groupe Leclerc > -------------------------------------------- > > ----- Mail original ----- > De: "Carlos A. P. Cunha" > À: "Christophe BORIVANT" , "samba" > Envoyé: Mercredi 30 Décembre 2015 11:28:11 > Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' > > Good day! > Thank you for your attention, follow the process and led to this result: > > ldbsearch -H /usr/local/samba/private/sam.ldb -b "CN = Schema, CN = > Configuration, DC = MYDOMAIN" -s base objectVersion > # 1 record > dn: CN = Schema, CN = Configuration, DC = MYDOMAIN > objectVersion: 31 > > # Returned 1 records > # 1 entries > # 0 referrals > > > How can we proceed ? > > Thanks > > > Em 30-12-2015 07:54, Christophe Borivant escreveu: >> Hello Carlos, >> >> I had the same problem as you. >> To solve the problem, I just modified the files I needed from adprep in order to be able >> to run ldbadd and ldbmodify. >> >> Can you run something like this to check your schema version ? >> >> ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Schema,CN=Configuration,DC=YOURDOMAIN,DC=com" -s base objectVersion >> >> --------------------------------------------- >> Christophe Borivant >> Responsable d'exploitation informatique >> +33 5 62 20 71 71 (Poste 503) >> >> Devinlec - Groupe Leclerc >> -------------------------------------------- >> >> ----- Mail original ----- >> De: "Carlos A. P. Cunha" >> À: "Rowland penny" , "samba" >> Envoyé: Mardi 29 Décembre 2015 21:43:03 >> Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' >> >> I will do that for now Thank you very much, I am grateful. 
>> >> Em 29-12-2015 18:26, Rowland penny escreveu: >>> There are various way of adding an attribute, you could do it with >>> ldbmodify or ldbedit, or if you feel more comfortable with a gui, you >>> could install ADUC on a windows machine and use this to add the >>> attribute, or you could install ldap account manager (LAM) on the DC >>> and use this to add the attribute. >>> >>> Pick one and search the internet for how to do it, you will learn more >>> doing it this way, rather than me telling you how to do it, step by >>> step. If after choosing a method, you have problems, this I will >>> attempt to help you with. > > From carlos.hollow at gmail.com Wed Dec 30 11:33:05 2015 From: carlos.hollow at gmail.com (Carlos A. P. Cunha) Date: Wed, 30 Dec 2015 09:33:05 -0200 Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' In-Reply-To: <1128338587.574256.1451474153948.JavaMail.zimbra@devinlecleclerc.com> References: <118433293.574024.1451469287726.JavaMail.zimbra@devinlecleclerc.com> <5683B1BB.6010606@gmail.com> <1427000597.574202.1451472815861.JavaMail.zimbra@devinlecleclerc.com> <5683BA77.4090106@gmail.com> <1128338587.574256.1451474153948.JavaMail.zimbra@devinlecleclerc.com> Message-ID: <5683C0F1.4020108@gmail.com> OK, ii see this then thank you . 
Executed the process ldbadd / ldbmodify and me only generated an error ldbmodify -H /var/lib/samba/private/sam.ldb '--option = DSDB: update schema allowed = true' sch40mod.ldf ERR: (Attribute or value exists) "attribute 'possSuperiors': value # 0 on 'CN = msSFU-30-Mail-Aliases, CN = Schema, CN = Configuration, DC = Internal, DC = MYDOMAIN' already exists" on DN CN = msSFU-30-Mail-Aliases, CN = Schema, CN = Configuration, DC = MYDOAIN at block before line 54 Then performed: ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN = Schema, CN = Configuration, DC = Internal, DC = MYDOMAIN" -s base objectVersion # 1 record dn: CN = Schema, CN = Configuration, DC = MYDOMAIN objectVersion: 46 # Returned 1 records # 1 entries # 0 referrals Em 30-12-2015 09:15, Christophe Borivant escreveu: > msDS-isRODC is introduced in version 32 of the schema. > This is the problem I faced. > You can have a look to https://lists.samba.org/archive/samba/2015-August/193258.html. > > --------------------------------------------- > Christophe Borivant > Responsable d'exploitation informatique > +33 5 62 20 71 71 (Poste 503) > > Devinlec - Groupe Leclerc > -------------------------------------------- > > ----- Mail original ----- > De: "Carlos A. P. Cunha" > À: "Christophe BORIVANT" , "samba" > Envoyé: Mercredi 30 Décembre 2015 12:05:27 > Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' > > Okay, I'm already riding the test base ... > thank you > Leveraging believe may be related, when access peo UDCA part of Domains > Controller, I can think of error and logs appears: > > [12/30/2015 08: 55: 52.277383, 0] ../lib/ldb-samba/ldb wrap.c: 72 (ldb > wrap debug) ldb: acl_read: CN = DC-LINUX, OU = Domain Controllers, DC = > Internal, DC = MYDOMAIN can not find attr [msDS-isRODC] in schema of > > It seems to be another missing attribute .... > > > Em 30-12-2015 08:53, Christophe Borivant escreveu: >> Ok it seems like you are in the exact same situation I was. 
>> So here are the files in a tgz. >> Once uncompressed, you'll have to change each occurance of "DC=MYDOMAIN,DC=com" >> according to your configuration. >> you can do this with something like : >> perl -pi -e 's/DC=MYDOMAIN,DC=com/DC=Carlos,DC=com/g' * >> >> Then you will have to run ldbadd and ldbmodify in the correct order to upgrade your >> schema to version 47 like this : >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch32.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch32mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch33.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch33mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34-1.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34-2.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch35.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch35mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch36.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch36mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch37.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch37mod.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch38mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch39.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch39mod.ldf >> ldbadd -H 
/var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40-1.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40-2.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40mod.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch41mod.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch42mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-1.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-2.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-3.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-4.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch44.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch44mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-1.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-2.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-3.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45mod.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch46mod.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch47mod.ldf >> >> Don't forget to first try in a test environment. 
>> >> --------------------------------------------- >> Christophe Borivant >> Responsable d'exploitation informatique >> +33 5 62 20 71 71 (Poste 503) >> >> Devinlec - Groupe Leclerc >> -------------------------------------------- >> >> ----- Mail original ----- >> De: "Carlos A. P. Cunha" >> À: "Christophe BORIVANT" , "samba" >> Envoyé: Mercredi 30 Décembre 2015 11:28:11 >> Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' >> >> Good day! >> Thank you for your attention, follow the process and led to this result: >> >> ldbsearch -H /usr/local/samba/private/sam.ldb -b "CN = Schema, CN = >> Configuration, DC = MYDOMAIN" -s base objectVersion >> # 1 record >> dn: CN = Schema, CN = Configuration, DC = MYDOMAIN >> objectVersion: 31 >> >> # Returned 1 records >> # 1 entries >> # 0 referrals >> >> >> How can we proceed ? >> >> Thanks >> >> >> Em 30-12-2015 07:54, Christophe Borivant escreveu: >>> Hello Carlos, >>> >>> I had the same problem as you. >>> To solve the problem, I just modified the files I needed from adprep in order to be able >>> to run ldbadd and ldbmodify. >>> >>> Can you run something like this to check your schema version ? >>> >>> ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Schema,CN=Configuration,DC=YOURDOMAIN,DC=com" -s base objectVersion >>> >>> --------------------------------------------- >>> Christophe Borivant >>> Responsable d'exploitation informatique >>> +33 5 62 20 71 71 (Poste 503) >>> >>> Devinlec - Groupe Leclerc >>> -------------------------------------------- >>> >>> ----- Mail original ----- >>> De: "Carlos A. P. Cunha" >>> À: "Rowland penny" , "samba" >>> Envoyé: Mardi 29 Décembre 2015 21:43:03 >>> Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' >>> >>> I will do that for now Thank you very much, I am grateful. 
>>> >>> Em 29-12-2015 18:26, Rowland penny escreveu: >>>> There are various way of adding an attribute, you could do it with >>>> ldbmodify or ldbedit, or if you feel more comfortable with a gui, you >>>> could install ADUC on a windows machine and use this to add the >>>> attribute, or you could install ldap account manager (LAM) on the DC >>>> and use this to add the attribute. >>>> >>>> Pick one and search the internet for how to do it, you will learn more >>>> doing it this way, rather than me telling you how to do it, step by >>>> step. If after choosing a method, you have problems, this I will >>>> attempt to help you with. From cborivant at devinlec.com Wed Dec 30 14:28:37 2015 From: cborivant at devinlec.com (Christophe Borivant) Date: Wed, 30 Dec 2015 15:28:37 +0100 (CET) Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' In-Reply-To: <5683C0F1.4020108@gmail.com> References: <118433293.574024.1451469287726.JavaMail.zimbra@devinlecleclerc.com> <5683B1BB.6010606@gmail.com> <1427000597.574202.1451472815861.JavaMail.zimbra@devinlecleclerc.com> <5683BA77.4090106@gmail.com> <1128338587.574256.1451474153948.JavaMail.zimbra@devinlecleclerc.com> <5683C0F1.4020108@gmail.com> Message-ID: <346616887.574532.1451485717880.JavaMail.zimbra@devinlecleclerc.com> You should run : ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=msSFU-30-Mail-Aliases,CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=com" -s base possSuperiors If the result is : # record 1 dn: CN=msSFU-30-Mail-Aliases,CN=Schema,CN=Configuration,DC=DEVINLECLECLERC,DC=com possSuperiors: container possSuperiors: domainDNS possSuperiors: nisMap Then it's OK, the script tried to add a value to a multi-value attribute. But the value was already there. 
If your schema version is 46, then you need to run : ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch47mod.ldf --------------------------------------------- Christophe Borivant Responsable d'exploitation informatique +33 5 62 20 71 71 (Poste 503) Devinlec - Groupe Leclerc -------------------------------------------- ----- Mail original ----- De: "Carlos A. P. Cunha" À: "Christophe BORIVANT" , "samba" Envoyé: Mercredi 30 Décembre 2015 12:33:05 Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' OK, ii see this then thank you . Executed the process ldbadd / ldbmodify and me only generated an error ldbmodify -H /var/lib/samba/private/sam.ldb '--option = DSDB: update schema allowed = true' sch40mod.ldf ERR: (Attribute or value exists) "attribute 'possSuperiors': value # 0 on 'CN = msSFU-30-Mail-Aliases, CN = Schema, CN = Configuration, DC = Internal, DC = MYDOMAIN' already exists" on DN CN = msSFU-30-Mail-Aliases, CN = Schema, CN = Configuration, DC = MYDOAIN at block before line 54 Then performed: ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN = Schema, CN = Configuration, DC = Internal, DC = MYDOMAIN" -s base objectVersion # 1 record dn: CN = Schema, CN = Configuration, DC = MYDOMAIN objectVersion: 46 # Returned 1 records # 1 entries # 0 referrals Em 30-12-2015 09:15, Christophe Borivant escreveu: > msDS-isRODC is introduced in version 32 of the schema. > This is the problem I faced. > You can have a look to https://lists.samba.org/archive/samba/2015-August/193258.html. > > --------------------------------------------- > Christophe Borivant > Responsable d'exploitation informatique > +33 5 62 20 71 71 (Poste 503) > > Devinlec - Groupe Leclerc > -------------------------------------------- > > ----- Mail original ----- > De: "Carlos A. P. 
Cunha" > À: "Christophe BORIVANT" , "samba" > Envoyé: Mercredi 30 Décembre 2015 12:05:27 > Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' > > Okay, I'm already riding the test base ... > thank you > Leveraging believe may be related, when access peo UDCA part of Domains > Controller, I can think of error and logs appears: > > [12/30/2015 08: 55: 52.277383, 0] ../lib/ldb-samba/ldb wrap.c: 72 (ldb > wrap debug) ldb: acl_read: CN = DC-LINUX, OU = Domain Controllers, DC = > Internal, DC = MYDOMAIN can not find attr [msDS-isRODC] in schema of > > It seems to be another missing attribute .... > > > Em 30-12-2015 08:53, Christophe Borivant escreveu: >> Ok it seems like you are in the exact same situation I was. >> So here are the files in a tgz. >> Once uncompressed, you'll have to change each occurance of "DC=MYDOMAIN,DC=com" >> according to your configuration. >> you can do this with something like : >> perl -pi -e 's/DC=MYDOMAIN,DC=com/DC=Carlos,DC=com/g' * >> >> Then you will have to run ldbadd and ldbmodify in the correct order to upgrade your >> schema to version 47 like this : >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch32.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch32mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch33.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch33mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34-1.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34-2.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch35.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update 
allowed=true" sch35mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch36.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch36mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch37.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch37mod.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch38mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch39.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch39mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40-1.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40-2.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40mod.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch41mod.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch42mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-1.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-2.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-3.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-4.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch44.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch44mod.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb 
--option="dsdb:schema update allowed=true" sch45-1.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-2.ldf >> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-3.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45mod.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch46mod.ldf >> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch47mod.ldf >> >> Don't forget to first try in a test environment. >> >> --------------------------------------------- >> Christophe Borivant >> Responsable d'exploitation informatique >> +33 5 62 20 71 71 (Poste 503) >> >> Devinlec - Groupe Leclerc >> -------------------------------------------- >> >> ----- Mail original ----- >> De: "Carlos A. P. Cunha" >> À: "Christophe BORIVANT" , "samba" >> Envoyé: Mercredi 30 Décembre 2015 11:28:11 >> Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' >> >> Good day! >> Thank you for your attention, follow the process and led to this result: >> >> ldbsearch -H /usr/local/samba/private/sam.ldb -b "CN = Schema, CN = >> Configuration, DC = MYDOMAIN" -s base objectVersion >> # 1 record >> dn: CN = Schema, CN = Configuration, DC = MYDOMAIN >> objectVersion: 31 >> >> # Returned 1 records >> # 1 entries >> # 0 referrals >> >> >> How can we proceed ? >> >> Thanks >> >> >> Em 30-12-2015 07:54, Christophe Borivant escreveu: >>> Hello Carlos, >>> >>> I had the same problem as you. >>> To solve the problem, I just modified the files I needed from adprep in order to be able >>> to run ldbadd and ldbmodify. >>> >>> Can you run something like this to check your schema version ? 
>>> >>> ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Schema,CN=Configuration,DC=YOURDOMAIN,DC=com" -s base objectVersion >>> >>> --------------------------------------------- >>> Christophe Borivant >>> Responsable d'exploitation informatique >>> +33 5 62 20 71 71 (Poste 503) >>> >>> Devinlec - Groupe Leclerc >>> -------------------------------------------- >>> >>> ----- Mail original ----- >>> De: "Carlos A. P. Cunha" >>> À: "Rowland penny" , "samba" >>> Envoyé: Mardi 29 Décembre 2015 21:43:03 >>> Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' >>> >>> I will do that for now Thank you very much, I am grateful. >>> >>> Em 29-12-2015 18:26, Rowland penny escreveu: >>>> There are various way of adding an attribute, you could do it with >>>> ldbmodify or ldbedit, or if you feel more comfortable with a gui, you >>>> could install ADUC on a windows machine and use this to add the >>>> attribute, or you could install ldap account manager (LAM) on the DC >>>> and use this to add the attribute. >>>> >>>> Pick one and search the internet for how to do it, you will learn more >>>> doing it this way, rather than me telling you how to do it, step by >>>> step. If after choosing a method, you have problems, this I will >>>> attempt to help you with. From carlos.hollow at gmail.com Wed Dec 30 14:47:35 2015 From: carlos.hollow at gmail.com (Carlos A. P. 
Cunha) Date: Wed, 30 Dec 2015 12:47:35 -0200 Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' In-Reply-To: <346616887.574532.1451485717880.JavaMail.zimbra@devinlecleclerc.com> References: <118433293.574024.1451469287726.JavaMail.zimbra@devinlecleclerc.com> <5683B1BB.6010606@gmail.com> <1427000597.574202.1451472815861.JavaMail.zimbra@devinlecleclerc.com> <5683BA77.4090106@gmail.com> <1128338587.574256.1451474153948.JavaMail.zimbra@devinlecleclerc.com> <5683C0F1.4020108@gmail.com> <346616887.574532.1451485717880.JavaMail.zimbra@devinlecleclerc.com> Message-ID: <5683EE87.5040303@gmail.com> Hello! Command output mainly seemed OK. ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN = msSFU-30-Mail-Aliases, CN = Schema, CN = Configuration, DC = MYDOMAIN" -s base possSuperiors # 1 record dn: CN = msSFU-30-Mail-Aliases, CN = Schema, CN = Configuration, DC = Internal, DC = MYDOMAIN possSuperiors: domainDNS possSuperiors: nismap possSuperiors: container # Returned 1 records # 1 entries # 0 referrals But when running ldbmodify ldbmodify -H /var/lib/samba/private/sam.ldb --option = "DSDB: schema update allowed = true" sch47mod.ldf ERR: (Attribute or value exists) "attribute 'systemMayContain': value # 0 on 'CN = NTDS-DSA, CN = Schema, CN = Configuration, DC = MYDOMAIN' already exists" on DN CN = NTDS-DSA, CN = Schema, CN = Configuration, DC = MYDOMAIN at block before line 6 Modify failed after processing 0 records The one problem with leaving the schema in 46 and not 47? 
Thanks Em 30-12-2015 12:28, Christophe Borivant escreveu: > You should run : > ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=msSFU-30-Mail-Aliases,CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=com" -s base possSuperiors > > If the result is : > # record 1 > dn: CN=msSFU-30-Mail-Aliases,CN=Schema,CN=Configuration,DC=DEVINLECLECLERC,DC=com > possSuperiors: container > possSuperiors: domainDNS > possSuperiors: nisMap > > Then it's OK, the script tried to add a value to a multi-value attribute. But the value was already there. > > If your schema version is 46, then you need to run : > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch47mod.ldf > > --------------------------------------------- > Christophe Borivant > Responsable d'exploitation informatique > +33 5 62 20 71 71 (Poste 503) > > Devinlec - Groupe Leclerc > -------------------------------------------- > > ----- Mail original ----- > De: "Carlos A. P. Cunha" > À: "Christophe BORIVANT" , "samba" > Envoyé: Mercredi 30 Décembre 2015 12:33:05 > Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' > > OK, ii see this then thank you > . 
> Executed the process ldbadd / ldbmodify and it only generated one error:
>
> ldbmodify -H /var/lib/samba/private/sam.ldb '--option = DSDB: update schema allowed = true' sch40mod.ldf
> ERR: (Attribute or value exists) "attribute 'possSuperiors': value # 0 on 'CN = msSFU-30-Mail-Aliases, CN = Schema, CN = Configuration, DC = Internal, DC = MYDOMAIN' already exists" on DN CN = msSFU-30-Mail-Aliases, CN = Schema, CN = Configuration, DC = MYDOAIN at block before line 54
>
> Then performed:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN = Schema, CN = Configuration, DC = Internal, DC = MYDOMAIN" -s base objectVersion
> # 1 record
> dn: CN = Schema, CN = Configuration, DC = MYDOMAIN
> objectVersion: 46
> # Returned 1 records
> # 1 entries
> # 0 referrals
>
> On 30-12-2015 09:15, Christophe Borivant wrote:
>> msDS-isRODC is introduced in version 32 of the schema.
>> This is the problem I faced.
>> You can have a look at https://lists.samba.org/archive/samba/2015-August/193258.html.
>>
>> ---------------------------------------------
>> Christophe Borivant
>> IT Operations Manager
>> +33 5 62 20 71 71 (ext. 503)
>>
>> Devinlec - Groupe Leclerc
>> --------------------------------------------
From cborivant at devinlec.com Wed Dec 30 14:57:53 2015
From: cborivant at devinlec.com (Christophe Borivant)
Date: Wed, 30 Dec 2015 15:57:53 +0100 (CET)
Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
In-Reply-To: <5683EE87.5040303@gmail.com>
References: <118433293.574024.1451469287726.JavaMail.zimbra@devinlecleclerc.com> <5683B1BB.6010606@gmail.com> <1427000597.574202.1451472815861.JavaMail.zimbra@devinlecleclerc.com> <5683BA77.4090106@gmail.com> <1128338587.574256.1451474153948.JavaMail.zimbra@devinlecleclerc.com> <5683C0F1.4020108@gmail.com> <346616887.574532.1451485717880.JavaMail.zimbra@devinlecleclerc.com> <5683EE87.5040303@gmail.com>
Message-ID: <1789580082.574603.1451487473279.JavaMail.zimbra@devinlecleclerc.com>

No, the sch47mod.ldf just seems not to have been run.

---------------------------------------------
Christophe Borivant
IT Operations Manager
+33 5 62 20 71 71 (ext. 503)

Devinlec - Groupe Leclerc
--------------------------------------------
From okelet at gmail.com Wed Dec 30 14:59:09 2015
From: okelet at gmail.com (Juan Asensio Sánchez)
Date: Wed, 30 Dec 2015 15:59:09 +0100
Subject: [Samba] Allow self password change using LDAP(s) with Samba4
Message-ID:

Hi all

I am trying to create a webapp to allow users to change their own passwords in Samba4 (perhaps also in AD) using LDAP(s). But when I try to modify the user password using this code:

dn: ........
changetype: modify
replace: unicodePwd
unicodePwd: "Temporal2"

I get this error:

0x32 (Insufficient access; error in module acl: insufficient access rights during LDB_MODIFY (50))

If I change the code, deleting the old password and adding the new one:

dn: ........
changetype: modify
delete: unicodePwd
unicodePwd: "Temporal1"
-
add: unicodePwd
unicodePwd: "Temporal2"

Then I get this error:

#!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set the NT hash password directly']

The ldapmodify calls are executed using the user's own credentials; I wouldn't like to use the administrator account. Is this possible? Do I have to change some settings in Samba4?

From cborivant at devinlec.com Wed Dec 30 15:04:49 2015
From: cborivant at devinlec.com (Christophe Borivant)
Date: Wed, 30 Dec 2015 16:04:49 +0100 (CET)
Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
In-Reply-To: <5683EE87.5040303@gmail.com>
References: <118433293.574024.1451469287726.JavaMail.zimbra@devinlecleclerc.com> <5683B1BB.6010606@gmail.com> <1427000597.574202.1451472815861.JavaMail.zimbra@devinlecleclerc.com> <5683BA77.4090106@gmail.com> <1128338587.574256.1451474153948.JavaMail.zimbra@devinlecleclerc.com> <5683C0F1.4020108@gmail.com> <346616887.574532.1451485717880.JavaMail.zimbra@devinlecleclerc.com> <5683EE87.5040303@gmail.com>
Message-ID: <400594643.574617.1451487889685.JavaMail.zimbra@devinlecleclerc.com>

msDS-EnabledFeature is 1.2.840.113556.1.4.2061

Can you run:
ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=DEVINLECLECLERC,DC=com" -s base systemMayContain
and check if msDS-EnabledFeature is in the list?

If this is OK, then you can edit sch47mod.ldf, delete the first block and try to rerun it.
---------------------------------------------
Christophe Borivant
IT Operations Manager
+33 5 62 20 71 71 (ext. 503)

Devinlec - Groupe Leclerc
--------------------------------------------
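For the self-service unicodePwd change Juan Asensio Sánchez asks about above, here is an added example (not code from the thread or from Samba) that builds the modify the way AD and Samba AD expect it: a delete of the old value plus an add of the new one, each value the UTF-16LE encoding of the double-quoted password, base64-encoded in the LDIF. The DN and passwords are constructed placeholders.

```python
import base64

# Added example for the "Allow self password change using LDAP(s)" question;
# not code from the thread or from Samba. Sample values are constructed.


def encode_unicode_pwd(password: str) -> str:
    """Return the base64 text of the wire form of a unicodePwd value.

    AD and Samba AD expect the UTF-16LE encoding of the password enclosed in
    double quotes. The LDIF in the thread sent the quoted password as plain
    text, which is not that form.
    """
    quoted = f'"{password}"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def is_valid_unicode_pwd(raw: bytes) -> bool:
    """Check that a raw unicodePwd value has the quoted UTF-16LE form.

    A value in any other form is not accepted as a cleartext password; Samba
    answers with the "not allowed to set the NT hash password directly" error
    quoted in the thread.
    """
    if len(raw) < 4 or len(raw) % 2:
        return False
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return False
    return text.startswith('"') and text.endswith('"')


def decode_unicode_pwd(b64_value: str) -> str:
    """Inverse of encode_unicode_pwd; raises if the value is malformed."""
    raw = base64.b64decode(b64_value)
    if not is_valid_unicode_pwd(raw):
        raise ValueError("unicodePwd value is not a double-quoted UTF-16LE string")
    return raw.decode("utf-16-le")[1:-1]


def self_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """LDIF for a user changing their own password.

    One modify that deletes the old value and adds the new one is a password
    *change*, which a user may do with their own credentials. A plain
    "replace" is a password *reset* and needs the reset-password right that an
    ordinary user lacks (the 0x32 insufficient-access error in the thread).
    "::" marks a base64 value, as LDIF requires for binary data. The modify
    must be sent over LDAPS or StartTLS; the server rejects it in the clear.
    """
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(old_password)}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(new_password)}",
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample DN and passwords; nothing here comes from the thread.
    print(self_change_ldif("CN=Some User,CN=Users,DC=example,DC=com",
                           "Temporal1", "Temporal2"))
    # The plain-text form from the post fails the check; the encoded form passes.
    print("plain text form valid:", is_valid_unicode_pwd(b'"Temporal1"'))
    print("UTF-16LE form valid:",
          is_valid_unicode_pwd('"Temporal1"'.encode("utf-16-le")))
```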
> > If your schema version is 46, then you need to run : > ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch47mod.ldf > > --------------------------------------------- > Christophe Borivant > Responsable d'exploitation informatique > +33 5 62 20 71 71 (Poste 503) > > Devinlec - Groupe Leclerc > -------------------------------------------- > > ----- Mail original ----- > De: "Carlos A. P. Cunha" > À: "Christophe BORIVANT" , "samba" > Envoyé: Mercredi 30 Décembre 2015 12:33:05 > Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' > > OK, ii see this then thank you > . > Executed the process ldbadd / ldbmodify and me only generated an error > > ldbmodify -H /var/lib/samba/private/sam.ldb '--option = DSDB: update > schema allowed = true' sch40mod.ldf > ERR: (Attribute or value exists) "attribute 'possSuperiors': value # 0 > on 'CN = msSFU-30-Mail-Aliases, CN = Schema, CN = Configuration, DC = > Internal, DC = MYDOMAIN' already exists" on DN CN = > msSFU-30-Mail-Aliases, CN = Schema, CN = Configuration, DC = MYDOAIN at > block before line 54 > > Then performed: > > ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN = Schema, CN = > Configuration, DC = Internal, DC = MYDOMAIN" -s base objectVersion > # 1 record > dn: CN = Schema, CN = Configuration, DC = MYDOMAIN > objectVersion: 46 > # Returned 1 records > # 1 entries > # 0 referrals > > Em 30-12-2015 09:15, Christophe Borivant escreveu: >> msDS-isRODC is introduced in version 32 of the schema. >> This is the problem I faced. >> You can have a look to https://lists.samba.org/archive/samba/2015-August/193258.html. >> >> --------------------------------------------- >> Christophe Borivant >> Responsable d'exploitation informatique >> +33 5 62 20 71 71 (Poste 503) >> >> Devinlec - Groupe Leclerc >> -------------------------------------------- >> >> ----- Mail original ----- >> De: "Carlos A. P. 
Cunha" >> À: "Christophe BORIVANT" , "samba" >> Envoyé: Mercredi 30 Décembre 2015 12:05:27 >> Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' >> >> Okay, I'm already riding the test base ... >> thank you >> Leveraging believe may be related, when access peo UDCA part of Domains >> Controller, I can think of error and logs appears: >> >> [12/30/2015 08: 55: 52.277383, 0] ../lib/ldb-samba/ldb wrap.c: 72 (ldb >> wrap debug) ldb: acl_read: CN = DC-LINUX, OU = Domain Controllers, DC = >> Internal, DC = MYDOMAIN can not find attr [msDS-isRODC] in schema of >> >> It seems to be another missing attribute .... >> >> >> Em 30-12-2015 08:53, Christophe Borivant escreveu: >>> Ok it seems like you are in the exact same situation I was. >>> So here are the files in a tgz. >>> Once uncompressed, you'll have to change each occurance of "DC=MYDOMAIN,DC=com" >>> according to your configuration. >>> you can do this with something like : >>> perl -pi -e 's/DC=MYDOMAIN,DC=com/DC=Carlos,DC=com/g' * >>> >>> Then you will have to run ldbadd and ldbmodify in the correct order to upgrade your >>> schema to version 47 like this : >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch32.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch32mod.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch33.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch33mod.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34-1.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34-2.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch34mod.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch35.ldf >>> ldbmodify -H 
/var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch35mod.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch36.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch36mod.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch37.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch37mod.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch38mod.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch39.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch39mod.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40-1.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40-2.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch40mod.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch41mod.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch42mod.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-1.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-2.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-3.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43-4.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch43mod.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch44.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update 
allowed=true" sch44mod.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-1.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-2.ldf >>> ldbadd -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45-3.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch45mod.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch46mod.ldf >>> ldbmodify -H /var/lib/samba/private/sam.ldb --option="dsdb:schema update allowed=true" sch47mod.ldf >>> >>> Don't forget to first try in a test environment. >>> >>> --------------------------------------------- >>> Christophe Borivant >>> Responsable d'exploitation informatique >>> +33 5 62 20 71 71 (Poste 503) >>> >>> Devinlec - Groupe Leclerc >>> -------------------------------------------- >>> >>> ----- Mail original ----- >>> De: "Carlos A. P. Cunha" >>> À: "Christophe BORIVANT" , "samba" >>> Envoyé: Mercredi 30 Décembre 2015 11:28:11 >>> Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' >>> >>> Good day! >>> Thank you for your attention, follow the process and led to this result: >>> >>> ldbsearch -H /usr/local/samba/private/sam.ldb -b "CN = Schema, CN = >>> Configuration, DC = MYDOMAIN" -s base objectVersion >>> # 1 record >>> dn: CN = Schema, CN = Configuration, DC = MYDOMAIN >>> objectVersion: 31 >>> >>> # Returned 1 records >>> # 1 entries >>> # 0 referrals >>> >>> >>> How can we proceed ? >>> >>> Thanks >>> >>> >>> Em 30-12-2015 07:54, Christophe Borivant escreveu: >>>> Hello Carlos, >>>> >>>> I had the same problem as you. >>>> To solve the problem, I just modified the files I needed from adprep in order to be able >>>> to run ldbadd and ldbmodify. >>>> >>>> Can you run something like this to check your schema version ? 
>>>> >>>> ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Schema,CN=Configuration,DC=YOURDOMAIN,DC=com" -s base objectVersion >>>> >>>> --------------------------------------------- >>>> Christophe Borivant >>>> Responsable d'exploitation informatique >>>> +33 5 62 20 71 71 (Poste 503) >>>> >>>> Devinlec - Groupe Leclerc >>>> -------------------------------------------- >>>> >>>> ----- Mail original ----- >>>> De: "Carlos A. P. Cunha" >>>> À: "Rowland penny" , "samba" >>>> Envoyé: Mardi 29 Décembre 2015 21:43:03 >>>> Objet: Re: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes' >>>> >>>> I will do that for now Thank you very much, I am grateful. >>>> >>>> Em 29-12-2015 18:26, Rowland penny escreveu: >>>>> There are various way of adding an attribute, you could do it with >>>>> ldbmodify or ldbedit, or if you feel more comfortable with a gui, you >>>>> could install ADUC on a windows machine and use this to add the >>>>> attribute, or you could install ldap account manager (LAM) on the DC >>>>> and use this to add the attribute. >>>>> >>>>> Pick one and search the internet for how to do it, you will learn more >>>>> doing it this way, rather than me telling you how to do it, step by >>>>> step. If after choosing a method, you have problems, this I will >>>>> attempt to help you with. From rpenny at samba.org Wed Dec 30 15:39:40 2015 From: rpenny at samba.org (Rowland penny) Date: Wed, 30 Dec 2015 15:39:40 +0000 Subject: [Samba] Allow self password change using LDAP(s) with Samba4 In-Reply-To: References: Message-ID: <5683FABC.2040300@samba.org> On 30/12/15 14:59, Juan Asensio Sánchez wrote: > Hi all > > I am trying to create a webapp to allow users to change their own passwords > in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify > the user password using this code: > > dn: ........ 
> changetype: modify
> replace: unicodePwd
> unicodePwd: "Temporal2"
>
> I get this error:
>
> 0x32 (Insufficient access; error in module acl: insufficient access rights
> during LDB_MODIFY (50))
>
> If I change the code, deleting the old password, and adding the new one:
>
> dn: ........
> changetype: modify
> delete: unicodePwd
> unicodePwd: "Temporal1"
> -
> add: unicodePwd
> unicodePwd: "Temporal2"
>
> Then I get this error:
>
> #!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set
> the NT hash password directly']
>
> The ldapmodify are executed using the self user credentials, I wouldn't
> like to use the administrator account. Is this possible? Do I have to
> change some settings in Samba4?

That is not going to work :-)

You need to do something like this:

_USER_PW="Temporal2"
UNICODEPWD=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)

USERLDIF="dn: .................
changetype: modify
replace: unicodePwd
unicodePwd::$UNICODEPWD"

echo "$USERLDIF" | ldbmodify -H /usr/local/samba/private/sam.ldb

Rowland

From belle at bazuin.nl Wed Dec 30 15:42:33 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Wed, 30 Dec 2015 16:42:33 +0100
Subject: [Samba] Allow self password change using LDAP(s) with Samba4
In-Reply-To:
References:
Message-ID:

Save your time.. Something like:
http://ltb-project.org/wiki/documentation/self-service-password

Good, I bookmarked this one. ;-)

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Juan Asensio
> Sánchez
> Sent: Wednesday 30 December 2015 15:59
> To: samba at lists.samba.org
> Subject: [Samba] Allow self password change using LDAP(s) with Samba4
>
> Hi all
>
> I am trying to create a webapp to allow users to change their own
> passwords
> in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify
> the user password using this code:
>
> dn: ........
> changetype: modify
> replace: unicodePwd
> unicodePwd: "Temporal2"
>
> I get this error:
>
> 0x32 (Insufficient access; error in module acl: insufficient access rights
> during LDB_MODIFY (50))
>
> If I change the code, deleting the old password, and adding the new one:
>
> dn: ........
> changetype: modify
> delete: unicodePwd
> unicodePwd: "Temporal1"
> -
> add: unicodePwd
> unicodePwd: "Temporal2"
>
> Then I get this error:
>
> #!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set
> the NT hash password directly']
>
> The ldapmodify are executed using the self user credentials, I wouldn't
> like to use the administrator account. Is this possible? Do I have to
> change some settings in Samba4?
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

From carlos.hollow at gmail.com Wed Dec 30 17:39:08 2015
From: carlos.hollow at gmail.com (Carlos A. P. Cunha)
Date: Wed, 30 Dec 2015 15:39:08 -0200
Subject: [Samba] Was not found in the schema 'msDS-SupportedEncryptionTypes'
In-Reply-To: <1300827194.15.1451495934063.JavaMail.zimbra@devinlecleclerc.com>
References: <118433293.574024.1451469287726.JavaMail.zimbra@devinlecleclerc.com> <5683BA77.4090106@gmail.com> <1128338587.574256.1451474153948.JavaMail.zimbra@devinlecleclerc.com> <5683C0F1.4020108@gmail.com> <346616887.574532.1451485717880.JavaMail.zimbra@devinlecleclerc.com> <5683EE87.5040303@gmail.com> <400594643.574617.1451487889685.JavaMail.zimbra@devinlecleclerc.com> <56840D52.4060407@gmail.com> <1300827194.15.1451495934063.JavaMail.zimbra@devinlecleclerc.com>
Message-ID: <568416BC.7050805@gmail.com>

Hello!
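Editor's added example, not from any message in this thread, for the unicodePwd question answered by Rowland above: the same encoding his shell snippet performs (wrap the password in double quotes, encode as UTF-16LE, base64 it, write it after `unicodePwd::`), done in Python. It emits the replace form from Rowland's reply and the delete/add form Juan tried, with both values encoded; the DN and passwords are placeholders, and treating encoded delete/add as the self-change form is the editor's generalisation, not something the thread states.

```python
import base64
from typing import List


def encode_unicode_pwd(password: str) -> str:
    """Encode a cleartext password as AD and Samba expect for unicodePwd.

    The value is the password wrapped in double quotes, encoded as UTF-16LE.
    LDIF cannot carry raw UTF-16 bytes, so it is written base64-encoded
    after a double colon ("unicodePwd:: ...").  A plain ASCII
    'unicodePwd: "Temporal2"' is what Samba rejects with
    "it's not allowed to set the NT hash password directly".
    """
    quoted = '"%s"' % password
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def decode_unicode_pwd(b64_value: str) -> str:
    """Inverse of encode_unicode_pwd, used here to check round-trips."""
    quoted = base64.b64decode(b64_value).decode("utf-16-le")
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return quoted[1:-1]


def reset_ldif(dn: str, new_password: str) -> str:
    """LDIF for an administrative reset (replace), as in Rowland's snippet.

    Replacing unicodePwd needs the reset-password right on the object,
    which is why the self-credentialed attempt in the thread got 0x32.
    """
    lines: List[str] = [
        "dn: %s" % dn,
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: %s" % encode_unicode_pwd(new_password),
    ]
    return "\n".join(lines) + "\n"


def self_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """LDIF for a user changing their own password: delete old, add new.

    Same shape as Juan's second attempt, but with both values encoded;
    the directory checks that the deleted value matches the current
    password, so no reset right is needed (editor's assumption about
    the self-change path, not stated in the thread).
    """
    lines: List[str] = [
        "dn: %s" % dn,
        "changetype: modify",
        "delete: unicodePwd",
        "unicodePwd:: %s" % encode_unicode_pwd(old_password),
        "-",
        "add: unicodePwd",
        "unicodePwd:: %s" % encode_unicode_pwd(new_password),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder DN; the thread's own DN is elided as "dn: ........".
    dn = "CN=Example User,CN=Users,DC=example,DC=com"
    print(reset_ldif(dn, "Temporal2"))
    print(self_change_ldif(dn, "Temporal1", "Temporal2"))
```

Either LDIF can be piped into ldbmodify exactly as Rowland's snippet does; the self-change form is the one to send over LDAPS with the user's own bind.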
# I edited the file
cat sch47mod.ldif

#increase object version
dn: CN=Schema,CN=Configuration,DC=Internal,DC=mastersonda,DC=com,DC=us
changetype: modify
replace: objectVersion
objectVersion: 47
-

and ran the ldbmodify.

And now the version is 47:

ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Schema,CN=Configuration,DC=MYDOMAIN" -s base objectVersion
# record 1
dn: CN=Schema,CN=Configuration,DC=Internal,DC=mastersonda,DC=com,DC=us
objectVersion: 47

# returned 1 records
# 1 entries
# 0 referrals

I think my problem is resolved??

Thank you for your help again, my friend.

On 30-12-2015 15:18, Christophe Borivant wrote:
> By second block I mean the now first block.
> You need to keep the last one because this is the one that updates the schema version.

From carlos.hollow at gmail.com Wed Dec 30 18:19:22 2015
From: carlos.hollow at gmail.com (Carlos A. P. Cunha)
Date: Wed, 30 Dec 2015 16:19:22 -0200
Subject: [Samba] dns_tkey_negotiategss: TKEY is unacceptable
Message-ID: <5684202A.7070406@gmail.com>

Hello!

I've got this error

dns_tkey_negotiategss: TKEY is unacceptable

when running samba_dnsupdate --verbose

With this error dynamic entries stopped working, such as the A records of machines that joined the domain or the entry for a new DC.

I already tried the steps described here:

https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable

But when trying to delete the account used, it says that it exists (and it really is not listed; creating an account manually is ok), and when running

samba_upgradedns --dns-backend=BIND9_DLZ

I got the error

Reading domain information
Traceback (most recent call last):
  File "/opt/samba/sbin/samba_upgradedns", line 262, in <module>
    paths, lp.configfile, lp)
  File "/opt/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 282, in find_provision_key_parameters
    names.policyid = str(res7[0]["cn"]).replace("{", "").replace("}", "")
IndexError: list index out of range

With more debug:

[....]
Module 'tombstone_reanimate' is disabled. Skip registration.lpcfg_servicenumber: could not find ldb schema_fsmo_init: we are master [in] updates allowed [in] lpcfg_servicenumber: could not find ldb lpcfg_servicenumber: could not find ldb lpcfg_servicenumber: could not find ldb schema_fsmo_init: we are master [in] updates allowed [in] Traceback (most recent call last): File "/ opt / samba / sbin / samba_upgradedns", line 262, in paths, lp.configfile, lp) File "/opt/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 282, in find_provision_key_parameters names.policyid = str (res7 [0] ["cn"]). replace ("{", ""). replace ("}", "") IndexError: list index out of range Thanks From rpenny at samba.org Wed Dec 30 18:57:53 2015 From: rpenny at samba.org (Rowland penny) Date: Wed, 30 Dec 2015 18:57:53 +0000 Subject: [Samba] dns_tkey_negotiategss: TKEY is unacceptable In-Reply-To: <5684202A.7070406@gmail.com> References: <5684202A.7070406@gmail.com> Message-ID: <56842931.1050307@samba.org> On 30/12/15 18:19, Carlos A. P. Cunha wrote: > Hello! > I've got this error > dns_tkey_negotiategss: TKEY is unacceptable > > when running samba_dnsupdate --verbose > > With this error dynamic entries stopped working as Type A machines > that entered in the field or entry to a new DC. > > Already tried the step described here > > https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable > > > But when trying to delete the account used the same says that there is > (and it really is not listed, create a manual account ok), but when > running > > samba_upgradedns --dns-backend = BIND9_DLZ > > I got the error > > Reading domain information > Traceback (most recent call last): > File "/ opt / samba / sbin / samba_upgradedns", line 262, in > paths, lp.configfile, lp) > File > "/opt/samba/lib/python2.7/site-packages/samba/provision/__init__.py", > line 282, in find_provision_key_parameters > names.policyid = str (res7 [0] ["cn"]). replace ("{", ""). 
replace > ("}", "") > IndexError: list index out of range > > With more Debug > > [....] > > Module 'tombstone_reanimate' is disabled. Skip > registration.lpcfg_servicenumber: could not find ldb > schema_fsmo_init: we are master [in] updates allowed [in] > lpcfg_servicenumber: could not find ldb > lpcfg_servicenumber: could not find ldb > lpcfg_servicenumber: could not find ldb > schema_fsmo_init: we are master [in] updates allowed [in] > Traceback (most recent call last): > File "/ opt / samba / sbin / samba_upgradedns", line 262, in > paths, lp.configfile, lp) > File > "/opt/samba/lib/python2.7/site-packages/samba/provision/__init__.py", > line 282, in find_provision_key_parameters > names.policyid = str (res7 [0] ["cn"]). replace ("{", ""). replace > ("}", "") > IndexError: list index out of range > > > Thanks > I had this problem, and I think, like me, you missed this: *NOTE:* Until Bug #10882 is fixed, you will have to temporary switch the backend to SAMBA_INTERNAL and then back to BIND9_DLZ as a workaround instead of just setting just it to BIND9_DLZ again! Otherwise the account will not be created. Rowland From carlos.hollow at gmail.com Wed Dec 30 19:07:03 2015 From: carlos.hollow at gmail.com (Carlos A. P. Cunha) Date: Wed, 30 Dec 2015 17:07:03 -0200 Subject: [Samba] dns_tkey_negotiategss: TKEY is unacceptable In-Reply-To: <56842931.1050307@samba.org> References: <5684202A.7070406@gmail.com> <56842931.1050307@samba.org> Message-ID: <56842B57.4010002@gmail.com> Hello! I had tested it but validei and still generates the error I had this problem, and I think, like me, you missed this: * NOTE: * Until Bug # 10882 is fixed, you will have temporary switch to the backend to SAMBA_INTERNAL And Then back to BIND9_DLZ as a workaround instead of just setting it to just BIND9_DLZ again! Otherwise the account will not be created. Debug Module 'tombstone_reanimate' is disabled. 
Skip registration.schema_fsmo_init: we are master [yes] updates allowed [in] schema_fsmo_init: we are master [yes] updates allowed [in] Traceback (most recent call last): File "/ opt / samba / sbin / samba_upgradedns", line 262, in paths, lp.configfile, lp) File "/opt/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 282, in find_provision_key_parameters names.policyid = str (res7 [0] ["cn"]). replace ("{", ""). replace ("}", "") IndexError: list index out of range Thanks Em 30-12-2015 16:57, Rowland penny escreveu: > On 30/12/15 18:19, Carlos A. P. Cunha wrote: >> Hello! >> I've got this error >> dns_tkey_negotiategss: TKEY is unacceptable >> >> when running samba_dnsupdate --verbose >> >> With this error dynamic entries stopped working as Type A machines >> that entered in the field or entry to a new DC. >> >> Already tried the step described here >> >> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable >> >> >> But when trying to delete the account used the same says that there >> is (and it really is not listed, create a manual account ok), but >> when running >> >> samba_upgradedns --dns-backend = BIND9_DLZ >> >> I got the error >> >> Reading domain information >> Traceback (most recent call last): >> File "/ opt / samba / sbin / samba_upgradedns", line 262, in >> paths, lp.configfile, lp) >> File >> "/opt/samba/lib/python2.7/site-packages/samba/provision/__init__.py", >> line 282, in find_provision_key_parameters >> names.policyid = str (res7 [0] ["cn"]). replace ("{", ""). replace >> ("}", "") >> IndexError: list index out of range >> >> With more Debug >> >> [....] >> >> Module 'tombstone_reanimate' is disabled. 
Skip >> registration.lpcfg_servicenumber: could not find ldb >> schema_fsmo_init: we are master [in] updates allowed [in] >> lpcfg_servicenumber: could not find ldb >> lpcfg_servicenumber: could not find ldb >> lpcfg_servicenumber: could not find ldb >> schema_fsmo_init: we are master [in] updates allowed [in] >> Traceback (most recent call last): >> File "/ opt / samba / sbin / samba_upgradedns", line 262, in >> paths, lp.configfile, lp) >> File >> "/opt/samba/lib/python2.7/site-packages/samba/provision/__init__.py", >> line 282, in find_provision_key_parameters >> names.policyid = str (res7 [0] ["cn"]). replace ("{", ""). replace >> ("}", "") >> IndexError: list index out of range >> >> >> Thanks >> > > I had this problem, and I think, like me, you missed this: > > *NOTE:* Until Bug #10882 > is fixed, you will > have to temporary switch the backend to SAMBA_INTERNAL and then back > to BIND9_DLZ as a workaround instead of just setting just it to > BIND9_DLZ again! Otherwise the account will not be created. > > Rowland From rpenny at samba.org Wed Dec 30 19:41:47 2015 From: rpenny at samba.org (Rowland penny) Date: Wed, 30 Dec 2015 19:41:47 +0000 Subject: [Samba] dns_tkey_negotiategss: TKEY is unacceptable In-Reply-To: <5684202A.7070406@gmail.com> References: <5684202A.7070406@gmail.com> Message-ID: <5684337B.3060909@samba.org> On 30/12/15 18:19, Carlos A. P. Cunha wrote: > Hello! > I've got this error > dns_tkey_negotiategss: TKEY is unacceptable > > when running samba_dnsupdate --verbose > > With this error dynamic entries stopped working as Type A machines > that entered in the field or entry to a new DC. 
>
> Already tried the step described here
>
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>
>
> But when trying to delete the account used the same says that there is
> (and it really is not listed, create a manual account ok), but when
> running
>
> samba_upgradedns --dns-backend=BIND9_DLZ
>
> I got the error
>
> Reading domain information
> Traceback (most recent call last):
>   File "/opt/samba/sbin/samba_upgradedns", line 262, in <module>
>     paths, lp.configfile, lp)
>   File "/opt/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 282, in find_provision_key_parameters
>     names.policyid = str(res7[0]["cn"]).replace("{", "").replace("}", "")
> IndexError: list index out of range
>
> With more Debug
>
> [....]
>
> Module 'tombstone_reanimate' is disabled. Skip registration.
> lpcfg_servicenumber: could not find ldb
> schema_fsmo_init: we are master [in] updates allowed [in]
> lpcfg_servicenumber: could not find ldb
> lpcfg_servicenumber: could not find ldb
> lpcfg_servicenumber: could not find ldb
> schema_fsmo_init: we are master [in] updates allowed [in]
> Traceback (most recent call last):
>   File "/opt/samba/sbin/samba_upgradedns", line 262, in <module>
>     paths, lp.configfile, lp)
>   File "/opt/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 282, in find_provision_key_parameters
>     names.policyid = str(res7[0]["cn"]).replace("{", "").replace("}", "")
> IndexError: list index out of range
>
>
> Thanks
>

OK, try running this:

ldbsearch -H /usr/local/samba/private/sam.ldb '(cn={31B2F340-016D-11D2-945F-00C04FB984F9})' cn name

What does it return?

Rowland

From lingpanda101 at gmail.com Wed Dec 30 19:48:09 2015
From: lingpanda101 at gmail.com (James)
Date: Wed, 30 Dec 2015 14:48:09 -0500
Subject: [Samba] How to switch from internal DNS to Bind
Message-ID: <568434F9.4060501@gmail.com>

Hello,

I'm attempting to switch from the internal DNS to Bind.
This is for my Samba test environment on a VM running Samba 4.3.1 on Ubuntu server 12.04.1. Installed Samba using all the defaults.

./configure
make
make install

Pulled up the wiki link

https://wiki.samba.org/index.php/Changing_the_DNS_backend#Changing_from_Samba_Internal_DNS_to_BIND_DLZ

Not sure if this is the correct start page. After the introduction I see the link "Setup Bind". I figure I need to start there? So I click the link and in the introduction I see another link for "Setup_a_basic_BIND_installation". Maybe this is where I should begin? I install BIND via the repository.

apt-get install bind9

The wiki then says "*make sure that it was compiled with the '--with-gssapi' and '--with-dlopen' options*". I check by using

named -V | grep "gssapi"

'--with-gssapi=/usr'

Is this sufficient or do I need the absolute path to --with-gssapi=/usr/include/gssapi?

named -V | grep "dlopen"

Returns nothing. Can I add these options after the fact or do I need to uninstall and compile on my own before proceeding any further? Thanks.

--
-James

From carlos.hollow at gmail.com Wed Dec 30 19:57:37 2015
From: carlos.hollow at gmail.com (Carlos A. P. Cunha)
Date: Wed, 30 Dec 2015 17:57:37 -0200
Subject: [Samba] dns_tkey_negotiategss: TKEY is unacceptable
In-Reply-To: <5684337B.3060909@samba.org>
References: <5684202A.7070406@gmail.com> <5684337B.3060909@samba.org>
Message-ID: <56843731.7050306@gmail.com>

Hello!
Output of command

# record 1
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=MYDOMAIN
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
name: {31B2F340-016D-11D2-945F-00C04FB984F9}

# Referral
ref: ldap://interno.mastersonda.com.br/CN=Configuration,DC=MYDOMAIN
# Referral
ref: ldap://interno.mastersonda.com.br/DC=DomainDnsZones,DC=MYDOMAIN
# Referral
ref: ldap://interno.mastersonda.com.br/DC=ForestDnsZones,DC=MYDOMAIN
# returned 4 records
# 1 entries
# 3 referrals

One important thing about the error in the previous email: I edited the file at the line where the error is reported.

I went to
/opt/samba/lib/python2.7/site-packages/samba/provision/__init__.py +282

and commented out the line (not sure if this is bad):

# names.policyid = str(res7[0]["cn"]).replace("{", "").replace("}", "")

With that, the error when running samba_upgradedns --dns-backend=BIND9_DLZ or samba_upgradedns --dns-backend=SAMBA_INTERNAL disappeared and the change is made; however, I verified that the DNS account is deleted but not recreated, and sometimes when trying to recreate it manually it says

ERROR(ldb): Failed to add user 'dns-DC-Linux': - samldb: Account name (sAMAccountName) 'dns-DC-LINUX' already in use!

However the account does not exist in the user list.

Thanks

On 30-12-2015 17:41, Rowland penny wrote:
> On 30/12/15 18:19, Carlos A. P. Cunha wrote:
>> Hello!
>> I've got this error
>> dns_tkey_negotiategss: TKEY is unacceptable
>>
>> when running samba_dnsupdate --verbose
>>
>> With this error dynamic entries stopped working as Type A machines
>> that entered in the field or entry to a new DC.
>> >> Already tried the step described here >> >> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable >> >> >> But when trying to delete the account used the same says that there >> is (and it really is not listed, create a manual account ok), but >> when running >> >> samba_upgradedns --dns-backend = BIND9_DLZ >> >> I got the error >> >> Reading domain information >> Traceback (most recent call last): >> File "/ opt / samba / sbin / samba_upgradedns", line 262, in >> paths, lp.configfile, lp) >> File >> "/opt/samba/lib/python2.7/site-packages/samba/provision/__init__.py", >> line 282, in find_provision_key_parameters >> names.policyid = str (res7 [0] ["cn"]). replace ("{", ""). replace >> ("}", "") >> IndexError: list index out of range >> >> With more Debug >> >> [....] >> >> Module 'tombstone_reanimate' is disabled. Skip >> registration.lpcfg_servicenumber: could not find ldb >> schema_fsmo_init: we are master [in] updates allowed [in] >> lpcfg_servicenumber: could not find ldb >> lpcfg_servicenumber: could not find ldb >> lpcfg_servicenumber: could not find ldb >> schema_fsmo_init: we are master [in] updates allowed [in] >> Traceback (most recent call last): >> File "/ opt / samba / sbin / samba_upgradedns", line 262, in >> paths, lp.configfile, lp) >> File >> "/opt/samba/lib/python2.7/site-packages/samba/provision/__init__.py", >> line 282, in find_provision_key_parameters >> names.policyid = str (res7 [0] ["cn"]). replace ("{", ""). replace >> ("}", "") >> IndexError: list index out of range >> >> >> Thanks >> > > OK, try running this: > > ldbsearch -H /usr/local/samba/private/sam.ldb > '(cn={31B2F340-016D-11D2-945F-00C04FB984F9})' cn name > > What does it return? 
> > Rowland

From rpenny at samba.org Wed Dec 30 20:29:53 2015
From: rpenny at samba.org (Rowland penny)
Date: Wed, 30 Dec 2015 20:29:53 +0000
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <568434F9.4060501@gmail.com>
References: <568434F9.4060501@gmail.com>
Message-ID: <56843EC1.8020107@samba.org>

On 30/12/15 19:48, James wrote:
> Hello,
>
> I'm attempting to switch from the internal DNS to Bind. This is for my Samba test environment on a VM running Samba 4.3.1 on Ubuntu server 12.04.1. Installed Samba using all the defaults.
>
> ./configure
> make
> make install
>
> Pulled up the wiki link
>
> https://wiki.samba.org/index.php/Changing_the_DNS_backend#Changing_from_Samba_Internal_DNS_to_BIND_DLZ
>
> Not sure if this is the correct start page. After the introduction I see the link "Setup Bind". I figure I need to start there? So I click the link and in the introduction I see another link for "Setup_a_basic_BIND_installation". Maybe this is where I should begin? I install BIND via the repository.
>
> apt-get install bind9
>
> The wiki then says "*make sure that it was compiled with the '--with-gssapi' and '--with-dlopen' options*". I check by using
>
> named -V | grep "gssapi"
>
> '--with-gssapi=/usr'
>
> Is this sufficient or do I need the absolute path to --with-gssapi=/usr/include/gssapi?
>
> named -V | grep "dlopen"
>
> Returns nothing. Can I add these options after the fact or do I need to uninstall and compile on my own before proceeding any further? Thanks.

What version of bind9? Later versions have dlopen built in, but I seem to remember (from when I used 12.04) having to build bind9.
Could you upgrade to 14.04? This will definitely give you a working bind9.

Rowland

From rpenny at samba.org Wed Dec 30 20:38:22 2015
From: rpenny at samba.org (Rowland penny)
Date: Wed, 30 Dec 2015 20:38:22 +0000
Subject: [Samba] dns_tkey_negotiategss: TKEY is unacceptable
In-Reply-To: <56843731.7050306@gmail.com>
References: <5684202A.7070406@gmail.com> <5684337B.3060909@samba.org> <56843731.7050306@gmail.com>
Message-ID: <568440BE.9010109@samba.org>

On 30/12/15 19:57, Carlos A. P. Cunha wrote:
> Hello!
> Output of command
>
> # 1 record
> dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=MYDOMAIN
> cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
> name: {31B2F340-016D-11D2-945F-00C04FB984F9}
>
> # Referral
> ref: ldap://interno.mastersonda.com.br/CN=Configuration,DC=MYDOMAIN
> # Referral
> ref: ldap://interno.mastersonda.com.br/DC=DomainDnsZones,DC=MYDOMAIN
> # Referral
> ref: ldap://interno.mastersonda.com.br/DC=ForestDnsZones,DC=MYDOMAIN
> # Returned 4 records
> # 1 entries
> # 3 referrals
>
> One important thing: regarding the previous email error, I edited the file at the line where the error is reported.
>
> I went to
> /opt/samba/lib/python2.7/site-packages/samba/provision/__init__.py +282
>
> and commented the line (not sure if this is bad)
>
> # names.policyid = str(res7[0]["cn"]).replace("{", "").replace("}", "")
>
> Thus the error when entering --dns-backend samba_upgradedns = BIND9_DLZ or --dns-backend samba_upgradedns = SAMBA_INTERNAL disappeared, and the case is made that; however, I validated that the DNS account is deleted but not recreated, and sometimes when trying to recreate it manually it says
>
> ERROR(ldb): Failed to add user 'dns-DC-Linux': - samldb: Account name (sAMAccountName) 'dns-DC-LINUX' already in use!
>
> However the account does not exist in the user list.
>
> Thanks

Have you attempted to change the dns backend to the internal dns server, then change it back to the BIND_DLZ dns server, as the wiki page advises?

Rowland

From lingpanda101 at gmail.com Wed Dec 30 20:42:38 2015
From: lingpanda101 at gmail.com (James)
Date: Wed, 30 Dec 2015 15:42:38 -0500
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <56843EC1.8020107@samba.org>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org>
Message-ID: <568441BE.2080307@gmail.com>

On 12/30/2015 3:29 PM, Rowland penny wrote:
> What version of bind9?
> Later versions have dlopen built in, but I seem to remember (from when I used 12.04) having to build bind9. Could you upgrade to 14.04? This will definitely give you a working bind9.
>
> Rowland

It's 9.8.1.

I decided to compile myself seeing as this is just a test environment.
I'll make note of possibly needing a newer distro in order to avoid building in the future. Thanks.

--
-James

From carlos.hollow at gmail.com Wed Dec 30 20:49:27 2015
From: carlos.hollow at gmail.com (Carlos A. P. Cunha)
Date: Wed, 30 Dec 2015 18:49:27 -0200
Subject: [Samba] dns_tkey_negotiategss: TKEY is unacceptable
In-Reply-To: <568440BE.9010109@samba.org>
References: <5684202A.7070406@gmail.com> <5684337B.3060909@samba.org> <56843731.7050306@gmail.com> <568440BE.9010109@samba.org>
Message-ID: <56844357.50800@gmail.com>

Hello!

Yes, I already tried this; with both it always says that the account already exists even if it does not exist. It affects only dynamic entries; static entries work, and replication as well, but as the dynamic ones are troubled, instances in multiple sites will have problems...

But is there some log or command that can help?

Thanks

On 30-12-2015 18:38, Rowland penny wrote:
> Have you attempted to change the dns backend to the internal dns server, then change it back to the BIND_DLZ dns server, as the wiki page advises?
>
> Rowland

From rpenny at samba.org Wed Dec 30 21:14:14 2015
From: rpenny at samba.org (Rowland penny)
Date: Wed, 30 Dec 2015 21:14:14 +0000
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <568441BE.2080307@gmail.com>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com>
Message-ID: <56844926.8020001@samba.org>

On 30/12/15 20:42, James wrote:
> It's 9.8.1.
>
> I decided to compile myself seeing as this is just a test environment. I'll make note of possibly needing a newer distro in order to avoid building in the future. Thanks.

You need a later version, this is what I used to do:

apt-get -y remove bind9 &> /dev/null # <-- this was only installed to get all the required configuration files!
wget ftp://ftp.isc.org/isc/bind9/9.9.2-P2/bind-9.9.2-P2.tar.gz
tar zxf bind-9.9.2-P2.tar.gz
cd bind-9.9.2-P2
./configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var --enable-threads --enable-largefile --with-libtool --enable-shared --enable-static --with-openssl=/usr --with-gssapi=/usr --with-dlopen=yes --with-gnu-ld --enable-ipv6 CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2' LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro' CPPFLAGS='-D_FORTIFY_SOURCE=2'
make
make install

NOTE: this was some time ago and there are newer versions available; if you do go with a newer version and it throws an error about dlopen, just remove '--with-dlopen=yes'.

Rowland

From dandbnews2 at talktalk.net Wed Dec 30 21:42:24 2015
From: dandbnews2 at talktalk.net (DavidA)
Date: Wed, 30 Dec 2015 21:42:24 -0000
Subject: [Samba] ICMP 'Destination unreachable (Port unreachable)'
Message-ID: <6D3F80EC16484EDDA475919EA3C81ADB@DavidPC>

Hi

I am still having trouble getting Windows 10 and Windows 7 laptops to communicate with a Samba server (4.1.17-Debian) running on Raspbian Jessie. Running Wireshark on one of the laptops I notice these sequential packet transfers:

Laptop -> Pi      BJNP Scanner command: discover
Pi -> Laptop      ICMP 'Destination unreachable (Port unreachable)'

This happens even on a laptop that successfully communicates with the Samba server. Could this indicate a configuration problem? If so, how might I fix it?

Best regards
David

From it at cliffbells.com Wed Dec 30 22:41:30 2015
From: it at cliffbells.com (JS)
Date: Wed, 30 Dec 2015 22:41:30 +0000 (UTC)
Subject: [Samba] Samba 4 AD - Samba Fails to Start, hdb_samba4_create_kdc (setup KDC database) failed
References:
Message-ID:

L.P.H. van Belle writes:
>
> Hai,
>
> Can be incorrect rights, or corrupted db.
>
> Can you give the output of
>
> ls -al /var/lib/samba/
> ls -al /var/lib/samba/private
> ls -al /var/lib/samba/private/dns
>
> Greetz,
>
> Louis
>

Hi Louis, thanks for your reply, here is the info you requested:

ls -al /var/lib/samba/
total 1376
drwxr-xr-x  8 root root        4096 Dec 13 21:07 .
drwxr-xr-x 59 root root        4096 Dec 13 20:16 ..
-rw-------  1 root root      421888 Dec 13 21:07 account_policy.tdb
drwxr-x---  2 root root        4096 Dec 28 21:12 ntp_signd
drwxr-xr-x 10 root root        4096 Dec 13 20:51 printers
drwxr-xr-x  6 root root        4096 Dec 28 21:12 private
-rw-------  1 root root      528384 Dec 13 21:07 registry.tdb
-rw-------  1 root root      421888 Dec 13 21:07 share_info.tdb
drwxrwx---+ 6 root 3000000     4096 Dec 13 21:59 sysvol
drwxrwx--T  2 root sambashare  4096 Dec 13 20:36 usershares
drwxr-x---  2 root root        4096 Dec 28 21:12 winbindd_privileged

ls -al /var/lib/samba/private/
total 11220
drwxr-xr-x 6 root root    4096 Dec 28 21:12 .
drwxr-xr-x 8 root root    4096 Dec 13 21:07 ..
-rw------- 1 root root    2085 Dec 13 21:07 dns_update_cache
-rw-r--r-- 1 root root    3183 Dec 13 21:03 dns_update_list
-rw------- 1 root root 1286144 Dec 13 21:02 hklm.ldb
-rw------- 1 root root 1609728 Dec 23 20:15 idmap.ldb
-rw-r--r-- 1 root root      99 Dec 13 21:03 krb5.conf
srwxrwxrwx 1 root root       0 Dec 28 21:12 ldapi
drwxr-x--- 2 root root    4096 Dec 28 21:12 ldap_priv
-r--r--r-- 1 root root     242 Dec 13 21:07 named.conf.update
-rw------- 1 root root 1286144 Dec 13 21:41 privilege.ldb
-rw------- 1 root root     696 Dec 13 21:07 randseed.tdb
-rw------- 1 root root 4247552 Dec 28 07:22 sam.ldb
drwx------ 2 root root    4096 Dec 13 21:02 sam.ldb.d
-rw------- 1 root root     696 Dec 28 21:12 schannel_store.tdb
-rw------- 1 root root    1212 Dec 13 21:03 secrets.keytab
-rw------- 1 root root 1286144 Dec 13 21:03 secrets.ldb
-rw------- 1 root root  430080 Dec 13 21:03 secrets.tdb
-rw------- 1 root root 1286144 Dec 13 21:02 share.ldb
drwxr-xr-x 3 root root    4096 Dec 13 21:07 smbd.tmp
-rw-r--r-- 1 root root     955 Dec 13 21:03 spn_update_list
drwx------ 2 root root    4096 Dec 13 21:07 tls

I have no /var/lib/samba/private/dns directory. Note that I am using Samba's internal DNS server as opposed to Bind9 or anything else.

JS

From it at cliffbells.com Wed Dec 30 22:55:18 2015
From: it at cliffbells.com (JS)
Date: Wed, 30 Dec 2015 22:55:18 +0000 (UTC)
Subject: [Samba] Samba 4 AD - Samba Fails to Start, hdb_samba4_create_kdc (setup KDC database) failed
References: <5683A61F.2050108@samba.org>
Message-ID:

Rowland penny <rpenny at samba.org> writes:

> Why are you using ntvfs?
> Also how are you starting the Samba daemons?
>
> Rowland
>

Hi Rowland,

Your mention of ntvfs is the first I've heard of it. A cursory search reveals it was implemented in alpha versions of Samba4; did I provision this domain incorrectly? Below are the commands I used when provisioning this domain:

sudo samba-tool domain provision --use-rfc2307 --interactive
sudo samba-tool domain level raise --domain-level 2008_R2 --forest-level 2008_R2

Thanks for your reply.

JS

From thomas at tlm.id.au Wed Dec 30 23:29:57 2015
From: thomas at tlm.id.au (thomas Thomas)
Date: Thu, 31 Dec 2015 09:29:57 +1000
Subject: [Samba] Windows 10 SysVol and GPO problems
Message-ID: <768C95EF-226D-4F93-80DF-E94A1D9C7ACD@tlm.id.au>

Hi,

Thanks for reading. I have recently started to try and get Windows 10 machines working with our Samba 4.3.3 domain controller and have run into a few issues with gpupdate /force

The error given by Windows is "The processing of group policy failed. Windows attempted to read the file \\domain.com.au" etc.

It's interesting because access is denied with the file path to sysvol as the domain, but when the domain name of the server is used it works ("\\voyager.domain.com.au"). This is the domain name used by Windows 8.1 when running gpupdate /force

Another note is when navigating to Sysvol as Administrator I am denied access, but if I use the machine domain name it works.

Thanks in advance for the help.

Kind Regards

From belle at bazuin.nl Thu Dec 31 08:45:44 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 31 Dec 2015 09:45:44 +0100
Subject: [Samba] Samba 4 AD - Samba Fails to Start, hdb_samba4_create_kdc (setup KDC database) failed
In-Reply-To:
References:
Message-ID:

Ok,

First things I see.

NTP
drwxr-x--- 2 root root 4096 Dec 28 21:12 ntp_signd
should be root:ntp

SYSVOL
drwxrwx---+ 3 root BUILTIN\administrators 4096 Apr 28 2015 sysvol
yours shows 300000 while mine gives: BUILTIN\administrators
but I have winbind/nsswitch etc. configured on my DC; don't ask why, but I need it, and it works well for me.

So besides your ntp folder this all looks ok.

Can you tell more about the hardware failure?
Disk problems, power outage etc.; what exactly happened?
Did you see a filesystem check the first time starting up after the failure?

I assume it's the only server, so no other DCs.
Stop all samba processes and back up at least these folders.
/etc/samba
/var/lib/samba
/var/cache/samba

When you run: samba-tool fsmo show
You probably get an error, so try the following.
samba-tool fsmo seize

(I don't think it will work, but give it a try; any output is most welcome)

These do worry me.

Failed to find object DC=one,DC=cliffbells,DC=com for attribute fsmoRoleOwner - Cannot find DN DC=one,DC=cliffbells,DC=com to get attribute fsmoRoleOwner for reference dn: (null)

./source4/dsdb/common/util.c:1877(samdb_is_pdc)
Failed to find if we are the PDC for this ldb: Searching for fSMORoleOwner in DC=one,DC=cliffbells,DC=com failed: Cannot find DN DC=one,DC=cliffbells,DC=com to get attribute fsmoRoleOwner for reference dn: (null)

which looks like your samba DB is corrupted, probably due to the hardware failure.

Do you have a backup, made with samba_backup?
(shown here: https://wiki.samba.org/index.php/Backup_and_restore_an_Samba_AD_DC)

Because I think your db is corrupted and beyond recovery.
If you have backed up:
/etc/samba
/var/lib/samba
/var/cache/samba

You can remove the content of
/var/lib/samba
/var/cache/samba

And reprovision, based on the posts here and the things I see.
If you have a backup ("any") which also has the samba databases, that's the first thing you can try.

Greetz,

Louis

From belle at bazuin.nl Thu Dec 31 09:00:24 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 31 Dec 2015 10:00:24 +0100
Subject: [Samba] Windows 10 SysVol and GPO problems
In-Reply-To: <768C95EF-226D-4F93-80DF-E94A1D9C7ACD@tlm.id.au>
References: <768C95EF-226D-4F93-80DF-E94A1D9C7ACD@tlm.id.au>
Message-ID:

Ok, so do the following.

1) login as a user.
Open explorer and go to \\servername.domain.tld\sysvol
Do the same for \\servername\sysvol
Do both work, or only one, and which one?

2) login as an Administrator
Open explorer and go to \\servername.domain.tld\sysvol
Do the same for \\servername\sysvol
Do both work, or only one, and which one?

If \\servername.domain.tld\sysvol works,
try this on your computer, in a CMD run as Administrator:

sc.exe config lanmanworkstation depend=bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start=disabled

Windows 10 will try to negotiate SMB3_11, which apparently goes wrong.
So for now, disabling SMB2/3 on the Windows 10 client is your best, not ideal, option.
Or set the max protocol in smb.conf (see man smb.conf)

Greetz,

Louis

From belle at bazuin.nl Thu Dec 31 09:03:12 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 31 Dec 2015 10:03:12 +0100
Subject: [Samba] Samba 4 AD - Samba Fails to Start, hdb_samba4_create_kdc (setup KDC database) failed
In-Reply-To:
References:
Message-ID:

In addition.

You can try: samba-tool dbcheck --cross-ncs --fix
but again, I think it is quicker with a backup restore or a new provisioning.

Greetz,

Louis

From rpenny at samba.org Thu Dec 31 09:45:34 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 31 Dec 2015 09:45:34 +0000
Subject: [Samba] Samba 4 AD - Samba Fails to Start, hdb_samba4_create_kdc (setup KDC database) failed
In-Reply-To:
References: <5683A61F.2050108@samba.org>
Message-ID: <5684F93E.9050105@samba.org>

On 30/12/15 22:55, JS wrote:
> Rowland penny <rpenny at samba.org> writes:
>
>> Why are you using ntvfs?
>> Also how are you starting the Samba daemons?
>>
>> Rowland
>>
> Hi Rowland,
>
> Your mention of ntvfs is the first I've heard of it. A cursory search reveals it was implemented in alpha versions of Samba4; did I provision this domain incorrectly? Below are the commands I used when provisioning this domain:
>
> sudo samba-tool domain provision --use-rfc2307 --interactive

Yes, but what were your answers to the questions you were asked?

Having read your reply to Louis and his answers, I am with him: you will probably be better off provisioning again, but this time don't bother with the interactive provision; set the required settings in the provision command, and run 'samba-tool domain provision --help' for what you can set.

Rowland

> sudo samba-tool domain level raise --domain-level 2008_R2 --forest-level 2008_R2
>
> Thanks for your reply.
> > JS > > > From belle at bazuin.nl Thu Dec 31 10:05:20 2015 From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=) Date: Thu, 31 Dec 2015 11:05:20 +0100 Subject: [Samba] [squid-users] squid3 / debian stable / please update to 3.4.14 In-Reply-To: <63565ce8c070246b4976a4351027b99b@treenet.co.nz> References: Message-ID: > you are better off building the more up to date 3.5 version available > from Stretch/Testing repository. I disagree with this one, use SID and not testing, testing has a longer delay in security updates and koms after unstable. See : https://www.debian.org/security/faq Greetz, Louis > -----Oorspronkelijk bericht----- > Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens > Amos Jeffries > Verzonden: donderdag 31 december 2015 10:43 > Aan: Massimo.Sala at asl.bergamo.it > CC: luigi at debian.org; squid-users at lists.squid-cache.org > Onderwerp: Re: [squid-users] squid3 / debian stable / please update to > 3.4.14 > > On 2015-12-30 03:26, Massimo.Sala at asl.bergamo.it wrote: > > ciao Luigi > > > > I ask to update the distro to squid 3.4.14, the last stable version, > > released in august. > > > > Rationale : > > 1) various bugs and memory leaks fixed; > > 2) security fix for CVE 2015 5400; > > 3) support for Alternate-Protocol HTTP header. > > > > I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache > > videos. > > > > > Hi Massimo, why cc'ing squid-users? nothing this list can do about it. > > Anyhow, the Debian 3.4.8-6 package has already been patched to contain > the important fixes from later upstream 3.4 releases. > master.debian.org/changelogs/main/s/squid3/squid3_3.4.8- > 6+deb8u1_changelog> > > (that covers your #1 and #2 items) > > All it lacks is the minor changes which AFAIK do not meet the criteria > required for acceptance into the Debian stable distro. 
> > If you need custom build with other features (such as HTTPS support), > you are better off building the more up to date 3.5 version available > from Stretch/Testing repository. > > > As for #3, the Alternate-Protocol header patch is just automating these > squid.conf settings, which you can use explicitly in any Squid version: > > acl AP rep_header_regex Alternate-Protocol . > reply_header_access deny AP > > > HTH > Amos > > _______________________________________________ > squid-users mailing list > squid-users at lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users From abartlet at samba.org Thu Dec 31 10:08:35 2015 From: abartlet at samba.org (Andrew Bartlett) Date: Thu, 31 Dec 2015 23:08:35 +1300 Subject: [Samba] Audit object creation In-Reply-To: <567AE27D.4060109@gmail.com> References: <567AE27D.4060109@gmail.com> Message-ID: <1451556515.10827.17.camel@samba.org> On Wed, 2015-12-23 at 13:05 -0500, James wrote: > Hello, > > Is it possible to audit objects created by a user? Specifically > user and computer objects. Thanks. Not currently, but I've had similar requests in the past - to the extent even of preparing quotes for clients at work - but sadly nothing has been started yet. This, and a the ability to audit logon success/failure records properly would be great additions to our AD DC. Sorry, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba From belle at bazuin.nl Thu Dec 31 10:16:37 2015 From: belle at bazuin.nl (=?windows-1252?Q?L.P.H._van_Belle?=) Date: Thu, 31 Dec 2015 11:16:37 +0100 Subject: [Samba] [squid-users] squid3 / debian stable / please update to 3.4.14 In-Reply-To: <63565ce8c070246b4976a4351027b99b@treenet.co.nz> References: Message-ID: > you are better off building the more up to date 3.5 version available > from Stretch/Testing repository. 
I disagree with this one, use SID and not testing, testing has a longer delay in security updates and coms after unstable. See : https://www.debian.org/security/faq Greetz, Louis > -----Oorspronkelijk bericht----- > Van: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] Namens > Amos Jeffries > Verzonden: donderdag 31 december 2015 10:43 > Aan: Massimo.Sala at asl.bergamo.it > CC: luigi at debian.org; squid-users at lists.squid-cache.org > Onderwerp: Re: [squid-users] squid3 / debian stable / please update to > 3.4.14 > > On 2015-12-30 03:26, Massimo.Sala at asl.bergamo.it wrote: > > ciao Luigi > > > > I ask to update the distro to squid 3.4.14, the last stable version, > > released in august. > > > > Rationale : > > 1) various bugs and memory leaks fixed; > > 2) security fix for CVE 2015 5400; > > 3) support for Alternate-Protocol HTTP header. > > > > I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache > > videos. > > > > > Hi Massimo, why cc'ing squid-users? nothing this list can do about it. > > Anyhow, the Debian 3.4.8-6 package has already been patched to contain > the important fixes from later upstream 3.4 releases. > master.debian.org/changelogs/main/s/squid3/squid3_3.4.8- > 6+deb8u1_changelog> > > (that covers your #1 and #2 items) > > All it lacks is the minor changes which AFAIK do not meet the criteria > required for acceptance into the Debian stable distro. > > If you need custom build with other features (such as HTTPS support), > you are better off building the more up to date 3.5 version available > from Stretch/Testing repository. > > > As for #3, the Alternate-Protocol header patch is just automating these > squid.conf settings, which you can use explicitly in any Squid version: > > acl AP rep_header_regex Alternate-Protocol . 
> reply_header_access deny AP
>
>
> HTH
> Amos
>

From rpenny at samba.org Thu Dec 31 10:23:11 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 31 Dec 2015 10:23:11 +0000
Subject: [Samba] [squid-users] squid3 / debian stable / please update to 3.4.14
Message-ID: <5685020F.9030407@samba.org>

On 31/12/15 10:16, L.P.H. van Belle wrote:
>> you are better off building the more up to date 3.5 version available
>> from Stretch/Testing repository.
> I disagree with this one, use SID and not testing, testing has a longer delay in security updates and comes after unstable.
> See : https://www.debian.org/security/faq
>
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
>> Amos Jeffries
>> Sent: Thursday 31 December 2015 10:43
>> To: Massimo.Sala at asl.bergamo.it
>> CC: luigi at debian.org; squid-users at lists.squid-cache.org
>> Subject: Re: [squid-users] squid3 / debian stable / please update to
>> 3.4.14
>>
>> On 2015-12-30 03:26, Massimo.Sala at asl.bergamo.it wrote:
>>> ciao Luigi
>>>
>>> I ask to update the distro to squid 3.4.14, the last stable version,
>>> released in august.
>>>
>>> Rationale :
>>> 1) various bugs and memory leaks fixed;
>>> 2) security fix for CVE 2015 5400;
>>> 3) support for Alternate-Protocol HTTP header.
>>>
>>> I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache
>>> videos.
>>>
>>
>> Hi Massimo, why cc'ing squid-users? nothing this list can do about it.
>>
>> Anyhow, the Debian 3.4.8-6 package has already been patched to contain
>> the important fixes from later upstream 3.4 releases.
>> > master.debian.org/changelogs/main/s/squid3/squid3_3.4.8-
>> 6+deb8u1_changelog>
>>
>> (that covers your #1 and #2 items)
>>
>> All it lacks is the minor changes which AFAIK do not meet the criteria
>> required for acceptance into the Debian stable distro.
>>
>> If you need custom build with other features (such as HTTPS support),
>> you are better off building the more up to date 3.5 version available
>> from Stretch/Testing repository.
>>
>>
>> As for #3, the Alternate-Protocol header patch is just automating these
>> squid.conf settings, which you can use explicitly in any Squid version:
>>
>> acl AP rep_header_regex Alternate-Protocol .
>> reply_header_access deny AP
>>
>>
>> HTH
>> Amos
>>
>

You really must be having a good Christmas/new year Louis, this is still not the squid mailing list :-D :-D :-D

Rowland

From belle at bazuin.nl Thu Dec 31 10:32:59 2015
From: belle at bazuin.nl (L.P.H. van Belle)
Date: Thu, 31 Dec 2015 11:32:59 +0100
Subject: [Samba] [squid-users]
In-Reply-To: <5685020F.9030407@samba.org>

Hai,

Yeah.. The problem is, when I reply to an email, it sometimes takes the e-mail address of the previous e-mail in my list.
Stupid Outlook bug... None of the solutions on the internet fixed it for me :-((
Yeah, ... upgrading Outlook... not going to.. I'm phasing out MS Office here.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Thursday 31 December 2015 11:23
> To: samba at lists.samba.org
> Subject: Re: [Samba] [squid-users] squid3 / debian stable / please
> update to 3.4.14
>
> On 31/12/15 10:16, L.P.H. van Belle wrote:
> >> you are better off building the more up to date 3.5 version available
> >> from Stretch/Testing repository.
> > I disagree with this one, use SID and not testing, testing has a longer
> delay in security updates and comes after unstable.
> > See : https://www.debian.org/security/faq
> >
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org]
> On behalf of
> >> Amos Jeffries
> >> Sent: Thursday 31 December 2015 10:43
> >> To: Massimo.Sala at asl.bergamo.it
> >> CC: luigi at debian.org; squid-users at lists.squid-cache.org
> >> Subject: Re: [squid-users] squid3 / debian stable / please update to
> >> 3.4.14
> >>
> >> On 2015-12-30 03:26, Massimo.Sala at asl.bergamo.it wrote:
> >>> ciao Luigi
> >>>
> >>> I ask to update the distro to squid 3.4.14, the last stable version,
> >>> released in august.
> >>>
> >>> Rationale :
> >>> 1) various bugs and memory leaks fixed;
> >>> 2) security fix for CVE 2015 5400;
> >>> 3) support for Alternate-Protocol HTTP header.
> >>>
> >>> I need 3) to disable QUIC on youtube, otherwise squid3 cannot cache
> >>> videos.
> >>>
> >>
> >> Hi Massimo, why cc'ing squid-users? nothing this list can do about it.
> >>
> >> Anyhow, the Debian 3.4.8-6 package has already been patched to contain
> >> the important fixes from later upstream 3.4 releases.
> >> >> master.debian.org/changelogs/main/s/squid3/squid3_3.4.8-
> >> 6+deb8u1_changelog>
> >>
> >> (that covers your #1 and #2 items)
> >>
> >> All it lacks is the minor changes which AFAIK do not meet the criteria
> >> required for acceptance into the Debian stable distro.
> >>
> >> If you need custom build with other features (such as HTTPS support),
> >> you are better off building the more up to date 3.5 version available
> >> from Stretch/Testing repository.
> >>
> >>
> >> As for #3, the Alternate-Protocol header patch is just automating these
> >> squid.conf settings, which you can use explicitly in any Squid version:
> >>
> >> acl AP rep_header_regex Alternate-Protocol .
> >> reply_header_access deny AP
> >>
> >>
> >> HTH
> >> Amos
> >>
> >
> > You really must be having a good Christmas/new year Louis, this is still
> not the squid mailing list :-D :-D :-D
> >
> > Rowland
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

From lingpanda101 at gmail.com Thu Dec 31 13:42:13 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 31 Dec 2015 08:42:13 -0500
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <56844926.8020001@samba.org>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org>
Message-ID: <568530B5.8000600@gmail.com>

On 12/30/2015 4:14 PM, Rowland penny wrote:
> On 30/12/15 20:42, James wrote:
>> On 12/30/2015 3:29 PM, Rowland penny wrote:
>>> On 30/12/15 19:48, James wrote:
>>>> Hello,
>>>>
>>>> I'm attempting to switch from the internal DNS to Bind. This is
>>>> for my Samba test environment on a VM running Samba 4.3.1 on Ubuntu
>>>> server 12.04.1. Installed Samba using all the defaults.
>>>>
>>>> ./configure
>>>> make
>>>> make install
>>>>
>>>> Pulled up the wiki link
>>>>
>>>> https://wiki.samba.org/index.php/Changing_the_DNS_backend#Changing_from_Samba_Internal_DNS_to_BIND_DLZ
>>>>
>>>> Not sure if this is the correct start page. After the introduction
>>>> I see the link "Setup Bind". I figure I need to start there? So I
>>>> click the link and in the introduction I see another link for
>>>> "Setup_a_basic_BIND_installation". Maybe this is where I should
>>>> begin? I install BIND via the repository.
>>>>
>>>> apt-get install bind9
>>>>
>>>> The wiki then says "*make sure that it was compiled with the
>>>> '--with-gssapi' and '--with-dlopen' options*".
>>>> I check by using
>>>>
>>>> named -V | grep "gssapi"
>>>>
>>>> '--with-gssapi=/usr'
>>>>
>>>> Is this sufficient or do I need the absolute path to
>>>> --with-gssapi=/usr/include/gssapi?
>>>>
>>>> named -V | grep "dlopen"
>>>>
>>>> Returns nothing. Can I add these options after the fact or do I
>>>> need to uninstall and compile on my own before proceeding any
>>>> further? Thanks.
>>>>
>>>
>>> What version of bind9 ?
>>> later versions have dlopen builtin, but I seem to remember (from
>>> when I used 12.04) having to build bind9. Could you upgrade to
>>> 14.04, this will definitely give you a working bind9
>>>
>>> Rowland
>>>
>> It's 9.8.1.
>>
>> I decided to compile myself seeing as this is just a test
>> environment. I'll make note of possibly needing a newer distro in
>> order to avoid building in the future. Thanks.
>>
>
> You need a later version, this is what I used to do:
>
> apt-get -y remove bind9 &> /dev/null # <-- this was only installed to
> get all the required configuration files!
> wget ftp://ftp.isc.org/isc/bind9/9.9.2-P2/bind-9.9.2-P2.tar.gz
> tar zxf bind-9.9.2-P2.tar.gz
> cd bind-9.9.2-P2
> ./configure --prefix=/usr --mandir=/usr/share/man
> --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var
> --enable-threads --enable-largefile --with-libtool --enable-shared
> --enable-static --with-openssl=/usr --with-gssapi=/usr
> --with-dlopen=yes --with-gnu-ld --enable-ipv6
> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2'
> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro'
> CPPFLAGS='-D_FORTIFY_SOURCE=2'
> make
> make install
>
> NOTE: this was some time ago, there are newer versions available, if
> you do go with a newer version and it throws an error about dlopen,
> just remove '--with-dlopen=yes'
>
> Rowland
>

Thanks for those compile suggestions. I'll build again using those options.
--
-James

From lists at merit.unu.edu Thu Dec 31 14:04:01 2015
From: lists at merit.unu.edu (mj)
Date: Thu, 31 Dec 2015 15:04:01 +0100
Subject: [Samba] Getting Started
Message-ID: <568535D1.4040502@merit.unu.edu>

Hi Saurabh,

Strange that nobody seemed to have replied to your question. Anyway: if I were a programmer I would have tried to add functionality to the logging part of samba:

- we very much miss detailed information on failed authentication attempts on our DCs. A failed auth attempt on a samba DC is logged with no details at all, like. The most valuable one would be:
- coming-from ip address

Sadly I cannot add this myself, but since you ARE a C programmer, and asked for things you could add to samba...: This addition would be _very much_ welcomed by us.

Another thing was written by Andrew Bartlett, today on this list:

> On Wed, 2015-12-23 at 13:05 -0500, James wrote:
>> Hello,
>>
>> Is it possible to audit objects created by a user? Specifically
>> user and computer objects. Thanks.
>
> Not currently, but I've had similar requests in the past - to the
> extent even of preparing quotes for clients at work - but sadly nothing
> has been started yet.
>
> This, and the ability to audit logon success/failure records properly
> would be great additions to our AD DC.
>
> Sorry,
>
> Andrew Bartlett

On 12/28/2015 12:48 PM, Saurabh Shah wrote:
> Hello,
>
> My name is Saurabh Shah and I am a second year undergraduate student at
> DA-IICT, Gandhinagar, India. I am new towards the open source organizations
> and I find your organization an appropriate one to work on.
>
> I know C language very well and eager to learn whatever the suitable
> project demands. So please guide me on how to get started with any specific
> project or solving bugs etc.
>
> Thanking You,
>
> Saurabh Shah.
From lingpanda101 at gmail.com Thu Dec 31 14:43:43 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 31 Dec 2015 09:43:43 -0500
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <56844926.8020001@samba.org>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org>
Message-ID: <56853F1F.40800@gmail.com>

On 12/30/2015 4:14 PM, Rowland penny wrote:
> ./configure --prefix=/usr --mandir=/usr/share/man
> --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var
> --enable-threads --enable-largefile --with-libtool --enable-shared
> --enable-static --with-openssl=/usr --with-gssapi=/usr
> --with-dlopen=yes --with-gnu-ld --enable-ipv6
> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2'
> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro'
> CPPFLAGS='-D_FORTIFY_SOURCE=2'

I seem to have a few errors in my syslog.

Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named': Permission denied
Dec 31 09:35:17 VMDC1 named[24025]: generating session key for dynamic DNS
Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named': Permission denied
Dec 31 09:35:17 VMDC1 named[24025]: could not create /var/run/named/session.key
Dec 31 09:35:17 VMDC1 named[24025]: failed to generate session key for dynamic DNS: permission denied
Dec 31 09:35:17 VMDC1 named[24025]: sizing zone task pool based on 3 zones
Dec 31 09:35:17 VMDC1 named[24025]: set up managed keys zone for view _default, file 'managed-keys.bind'
Dec 31 09:35:17 VMDC1 named[24025]: configuring command channel from '/etc/bind/rndc.key'
Dec 31 09:35:17 VMDC1 named[24025]: couldn't add command channel 127.0.0.1#953: file not found
Dec 31 09:35:17 VMDC1 named[24025]: configuring command channel from '/etc/bind/rndc.key'
Dec 31 09:35:17 VMDC1 named[24025]: couldn't add command channel ::1#953: file not found
Dec 31 09:35:17 VMDC1 named[24025]: the working directory is not writable
Dec 31 09:35:17 VMDC1
named[24025]: managed-keys-zone: loaded serial 0
Dec 31 09:35:17 VMDC1 named[24025]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
Dec 31 09:35:17 VMDC1 named[24025]: zone localhost/IN: loaded serial 2013050101
Dec 31 09:35:17 VMDC1 named[24025]: all zones loaded
Dec 31 09:35:17 VMDC1 named[24025]: running

I compiled using 9.9.8-P2 and your suggested configure options. I see /run is owned by root:root. Should I give group 'named' permission to this folder? It's not documented in the wiki as needed.

--
-James

From h.reindl at thelounge.net Thu Dec 31 14:55:12 2015
From: h.reindl at thelounge.net (Reindl Harald)
Date: Thu, 31 Dec 2015 15:55:12 +0100
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <56853F1F.40800@gmail.com>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com>
Message-ID: <568541D0.2000608@thelounge.net>

On 31.12.2015 at 15:43, James wrote:
> On 12/30/2015 4:14 PM, Rowland penny wrote:
>> ./configure --prefix=/usr --mandir=/usr/share/man
>> --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var
>> --enable-threads --enable-largefile --with-libtool --enable-shared
>> --enable-static --with-openssl=/usr --with-gssapi=/usr
>> --with-dlopen=yes --with-gnu-ld --enable-ipv6
>> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro'
>> CPPFLAGS='-D_FORTIFY_SOURCE=2'
> I seem to have a few errors in my syslog.
>
> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named': Permission denied
> I compiled using 9.9.8-P2 and your suggested configure options. I see
> /run is owned by root:root. Should I give group 'named' permission to
> this folder?
> It's not documented in the wiki as needed

nobody but root has a business directly on /run
you should create the subfolder as any bind-package does

on modern systems /run is a tmpfs and hence empty at boot
so it's "tmpfiles" job to re-create them at boot

that config is typically part of the bind package

[root at srv-rhsoft:~]$ cat /usr/lib/tmpfiles.d/named.conf
d /run/named 0755 named named -

From rpenny at samba.org Thu Dec 31 15:10:44 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 31 Dec 2015 15:10:44 +0000
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <56853F1F.40800@gmail.com>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com>
Message-ID: <56854574.2020403@samba.org>

On 31/12/15 14:43, James wrote:
> On 12/30/2015 4:14 PM, Rowland penny wrote:
>> ./configure --prefix=/usr --mandir=/usr/share/man
>> --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var
>> --enable-threads --enable-largefile --with-libtool --enable-shared
>> --enable-static --with-openssl=/usr --with-gssapi=/usr
>> --with-dlopen=yes --with-gnu-ld --enable-ipv6
>> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro'
>> CPPFLAGS='-D_FORTIFY_SOURCE=2'
> I seem to have a few errors in my syslog.
>
> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named': Permission denied
> Dec 31 09:35:17 VMDC1 named[24025]: generating session key for dynamic DNS
> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named': Permission denied
> Dec 31 09:35:17 VMDC1 named[24025]: could not create /var/run/named/session.key
> Dec 31 09:35:17 VMDC1 named[24025]: failed to generate session key for dynamic DNS: permission denied
> Dec 31 09:35:17 VMDC1 named[24025]: sizing zone task pool based on 3 zones
> Dec 31 09:35:17 VMDC1 named[24025]: set up managed keys zone for view _default, file 'managed-keys.bind'
> Dec 31 09:35:17 VMDC1 named[24025]: configuring command channel from '/etc/bind/rndc.key'
> Dec 31 09:35:17 VMDC1 named[24025]: couldn't add command channel 127.0.0.1#953: file not found
> Dec 31 09:35:17 VMDC1 named[24025]: configuring command channel from '/etc/bind/rndc.key'
> Dec 31 09:35:17 VMDC1 named[24025]: couldn't add command channel ::1#953: file not found
> Dec 31 09:35:17 VMDC1 named[24025]: the working directory is not writable
> Dec 31 09:35:17 VMDC1 named[24025]: managed-keys-zone: loaded serial 0
> Dec 31 09:35:17 VMDC1 named[24025]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
> Dec 31 09:35:17 VMDC1 named[24025]: zone localhost/IN: loaded serial 2013050101
> Dec 31 09:35:17 VMDC1 named[24025]: all zones loaded
> Dec 31 09:35:17 VMDC1 named[24025]: running
>
> I compiled using 9.9.8-P2 and your suggested configure options. I see
> /run is owned by root:root. Should I give group 'named' permission to
> this folder? It's not documented in the wiki as needed.
>

Did you run 'make install' as root or via sudo ? sorry, but I should have been a bit more explicit. I don't remember having to change anything. I will dig out my notes and see if there was anything else.
Rowland

From lingpanda101 at gmail.com Thu Dec 31 15:27:14 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 31 Dec 2015 10:27:14 -0500
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <568541D0.2000608@thelounge.net>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <568541D0.2000608@thelounge.net>
Message-ID: <56854952.7070003@gmail.com>

On 12/31/2015 9:55 AM, Reindl Harald wrote:
>
> On 31.12.2015 at 15:43, James wrote:
>> On 12/30/2015 4:14 PM, Rowland penny wrote:
>>> ./configure --prefix=/usr --mandir=/usr/share/man
>>> --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var
>>> --enable-threads --enable-largefile --with-libtool --enable-shared
>>> --enable-static --with-openssl=/usr --with-gssapi=/usr
>>> --with-dlopen=yes --with-gnu-ld --enable-ipv6
>>> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>>> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro'
>>> CPPFLAGS='-D_FORTIFY_SOURCE=2'
>> I seem to have a few errors in my syslog.
>>
>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named': Permission denied
>> I compiled using 9.9.8-P2 and your suggested configure options. I see
>> /run is owned by root:root. Should I give group 'named' permission to
>> this folder? It's not documented in the wiki as needed
>
> nobody but root has a business directly on /run
> you should create the subfolder as any bind-package does
>
> on modern systems /run is a tmpfs and hence empty at boot
> so it's "tmpfiles" job to re-create them at boot
>
> that config is typically part of the bind package
>
> [root at srv-rhsoft:~]$ cat /usr/lib/tmpfiles.d/named.conf
> d /run/named 0755 named named -
>

I seem to be missing the tmpfiles.d folder.

cat: /usr/lib/tmpfiles.d/named.conf: No such file or directory

I tried to use locate and didn't receive any results.
--
-James

From rpenny at samba.org Thu Dec 31 15:27:32 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 31 Dec 2015 15:27:32 +0000
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <568541D0.2000608@thelounge.net>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <568541D0.2000608@thelounge.net>
Message-ID: <56854964.7050107@samba.org>

On 31/12/15 14:55, Reindl Harald wrote:
>
> On 31.12.2015 at 15:43, James wrote:
>> On 12/30/2015 4:14 PM, Rowland penny wrote:
>>> ./configure --prefix=/usr --mandir=/usr/share/man
>>> --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var
>>> --enable-threads --enable-largefile --with-libtool --enable-shared
>>> --enable-static --with-openssl=/usr --with-gssapi=/usr
>>> --with-dlopen=yes --with-gnu-ld --enable-ipv6
>>> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>>> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro'
>>> CPPFLAGS='-D_FORTIFY_SOURCE=2'
>> I seem to have a few errors in my syslog.
>>
>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named': Permission denied
>> I compiled using 9.9.8-P2 and your suggested configure options. I see
>> /run is owned by root:root. Should I give group 'named' permission to
>> this folder? It's not documented in the wiki as needed
>
> nobody but root has a business directly on /run
> you should create the subfolder as any bind-package does

I totally agree

>
> on modern systems /run is a tmpfs and hence empty at boot
> so it's "tmpfiles" job to re-create them at boot

Ah, but the OP is using Ubuntu 12.04 and I don't think that it uses the 'tmpfile' /run, I am sure it used the 'fixed' /var/run instead.

>
>
> that config is typically part of the bind package

Yes, that is where I got it from, it puts everything where the distro package did, you can then use the distro's init script etc.
If he was to move to a later distro, then he wouldn't have to compile Bind9 :-)

>
> [root at srv-rhsoft:~]$ cat /usr/lib/tmpfiles.d/named.conf
> d /run/named 0755 named named -
>

I have checked and all I did after compiling bind9 was to provision samba4, setup bind with samba and then started bind and samba.

Rowland

From lingpanda101 at gmail.com Thu Dec 31 15:27:32 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 31 Dec 2015 10:27:32 -0500
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <56854574.2020403@samba.org>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <56854574.2020403@samba.org>
Message-ID: <56854964.7050203@gmail.com>

On 12/31/2015 10:10 AM, Rowland penny wrote:
> On 31/12/15 14:43, James wrote:
>> On 12/30/2015 4:14 PM, Rowland penny wrote:
>>> ./configure --prefix=/usr --mandir=/usr/share/man
>>> --infodir=/usr/share/info --sysconfdir=/etc/bind
>>> --localstatedir=/var --enable-threads --enable-largefile
>>> --with-libtool --enable-shared --enable-static --with-openssl=/usr
>>> --with-gssapi=/usr --with-dlopen=yes --with-gnu-ld --enable-ipv6
>>> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>>> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro'
>>> CPPFLAGS='-D_FORTIFY_SOURCE=2'
>> I seem to have a few errors in my syslog.
>>
>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named': Permission denied
>> Dec 31 09:35:17 VMDC1 named[24025]: generating session key for dynamic DNS
>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named': Permission denied
>> Dec 31 09:35:17 VMDC1 named[24025]: could not create /var/run/named/session.key
>> Dec 31 09:35:17 VMDC1 named[24025]: failed to generate session key for dynamic DNS: permission denied
>> Dec 31 09:35:17 VMDC1 named[24025]: sizing zone task pool based on 3 zones
>> Dec 31 09:35:17 VMDC1 named[24025]: set up managed keys zone for view _default, file 'managed-keys.bind'
>> Dec 31 09:35:17 VMDC1 named[24025]: configuring command channel from '/etc/bind/rndc.key'
>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't add command channel 127.0.0.1#953: file not found
>> Dec 31 09:35:17 VMDC1 named[24025]: configuring command channel from '/etc/bind/rndc.key'
>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't add command channel ::1#953: file not found
>> Dec 31 09:35:17 VMDC1 named[24025]: the working directory is not writable
>> Dec 31 09:35:17 VMDC1 named[24025]: managed-keys-zone: loaded serial 0
>> Dec 31 09:35:17 VMDC1 named[24025]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
>> Dec 31 09:35:17 VMDC1 named[24025]: zone localhost/IN: loaded serial 2013050101
>> Dec 31 09:35:17 VMDC1 named[24025]: all zones loaded
>> Dec 31 09:35:17 VMDC1 named[24025]: running
>>
>> I compiled using 9.9.8-P2 and your suggested configure options. I see
>> /run is owned by root:root. Should I give group 'named' permission to
>> this folder? It's not documented in the wiki as needed.
>>
>
> Did you run 'make install' as root or via sudo ? sorry, but I should
> have been a bit more explicit. I don't remember having to change
> anything. I will dig out my notes and see if there was anything else.
>
> Rowland
>

I did everything as root.
--
-James

From lingpanda101 at gmail.com Thu Dec 31 15:31:59 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 31 Dec 2015 10:31:59 -0500
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <56854964.7050107@samba.org>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <568541D0.2000608@thelounge.net> <56854964.7050107@samba.org>
Message-ID: <56854A6F.9070808@gmail.com>

On 12/31/2015 10:27 AM, Rowland penny wrote:
> On 31/12/15 14:55, Reindl Harald wrote:
>>
>> On 31.12.2015 at 15:43, James wrote:
>>> On 12/30/2015 4:14 PM, Rowland penny wrote:
>>>> ./configure --prefix=/usr --mandir=/usr/share/man
>>>> --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var
>>>> --enable-threads --enable-largefile --with-libtool --enable-shared
>>>> --enable-static --with-openssl=/usr --with-gssapi=/usr
>>>> --with-dlopen=yes --with-gnu-ld --enable-ipv6
>>>> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>>>> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro'
>>>> CPPFLAGS='-D_FORTIFY_SOURCE=2'
>>> I seem to have a few errors in my syslog.
>>>
>>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named': Permission denied
>>> I compiled using 9.9.8-P2 and your suggested configure options. I see
>>> /run is owned by root:root. Should I give group 'named' permission to
>>> this folder? It's not documented in the wiki as needed
>>
>> nobody but root has a business directly on /run
>> you should create the subfolder as any bind-package does
>
> I totally agree
>
>>
>> on modern systems /run is a tmpfs and hence empty at boot
>> so it's "tmpfiles" job to re-create them at boot
>
> Ah, but the OP is using Ubuntu 12.04 and I don't think that it uses
> the 'tmpfile' /run, I am sure it used the 'fixed' /var/run instead.
>
>>
>>
>> that config is typically part of the bind package
>
> Yes, that is where I got it from, it puts everything where the distro
> package did, you can then use the distro's init script etc. If he was
> to move to a later distro, then he wouldn't have to compile Bind9 :-)
>
>>
>> [root at srv-rhsoft:~]$ cat /usr/lib/tmpfiles.d/named.conf
>> d /run/named 0755 named named -
>>
>
> I have checked and all I did after compiling bind9 was to provision
> samba4, setup bind with samba and then started bind and samba.
>
> Rowland
>

I'm going to update my distro and see what happens. As a FYI Ubuntu 12.04 seems to treat /var/run as a symlink.

lrwxrwxrwx 1 root root 4 Dec 31 10:06 /var/run -> /run

--
-James

From rpenny at samba.org Thu Dec 31 15:34:43 2015
From: rpenny at samba.org (Rowland penny)
Date: Thu, 31 Dec 2015 15:34:43 +0000
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <56854964.7050203@gmail.com>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <56854574.2020403@samba.org> <56854964.7050203@gmail.com>
Message-ID: <56854B13.3040002@samba.org>

On 31/12/15 15:27, James wrote:
> On 12/31/2015 10:10 AM, Rowland penny wrote:
>> On 31/12/15 14:43, James wrote:
>>> On 12/30/2015 4:14 PM, Rowland penny wrote:
>>>> ./configure --prefix=/usr --mandir=/usr/share/man
>>>> --infodir=/usr/share/info --sysconfdir=/etc/bind
>>>> --localstatedir=/var --enable-threads --enable-largefile
>>>> --with-libtool --enable-shared --enable-static --with-openssl=/usr
>>>> --with-gssapi=/usr --with-dlopen=yes --with-gnu-ld --enable-ipv6
>>>> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2'
>>>> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro'
>>>> CPPFLAGS='-D_FORTIFY_SOURCE=2'
>>> I seem to have a few errors in my syslog.
>>>
>>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named': Permission denied
>>> Dec 31 09:35:17 VMDC1 named[24025]: generating session key for dynamic DNS
>>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named': Permission denied
>>> Dec 31 09:35:17 VMDC1 named[24025]: could not create /var/run/named/session.key
>>> Dec 31 09:35:17 VMDC1 named[24025]: failed to generate session key for dynamic DNS: permission denied
>>> Dec 31 09:35:17 VMDC1 named[24025]: sizing zone task pool based on 3 zones
>>> Dec 31 09:35:17 VMDC1 named[24025]: set up managed keys zone for view _default, file 'managed-keys.bind'
>>> Dec 31 09:35:17 VMDC1 named[24025]: configuring command channel from '/etc/bind/rndc.key'
>>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't add command channel 127.0.0.1#953: file not found
>>> Dec 31 09:35:17 VMDC1 named[24025]: configuring command channel from '/etc/bind/rndc.key'
>>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't add command channel ::1#953: file not found
>>> Dec 31 09:35:17 VMDC1 named[24025]: the working directory is not writable
>>> Dec 31 09:35:17 VMDC1 named[24025]: managed-keys-zone: loaded serial 0
>>> Dec 31 09:35:17 VMDC1 named[24025]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
>>> Dec 31 09:35:17 VMDC1 named[24025]: zone localhost/IN: loaded serial 2013050101
>>> Dec 31 09:35:17 VMDC1 named[24025]: all zones loaded
>>> Dec 31 09:35:17 VMDC1 named[24025]: running
>>>
>>> I compiled using 9.9.8-P2 and your suggested configure options. I
>>> see /run is owned by root:root. Should I give group 'named'
>>> permission to this folder? It's not documented in the wiki as needed.
>>>
>>
>> Did you run 'make install' as root or via sudo ? sorry, but I should
>> have been a bit more explicit. I don't remember having to change
>> anything. I will dig out my notes and see if there was anything else.
>>
>> Rowland
>>
>>
> I did everything as root.
>

Can you post your bind conf files, and your bind init file

Also does /var/run exist

Rowland

From h.reindl at thelounge.net Thu Dec 31 15:46:08 2015
From: h.reindl at thelounge.net (Reindl Harald)
Date: Thu, 31 Dec 2015 16:46:08 +0100
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <56854A6F.9070808@gmail.com>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <568541D0.2000608@thelounge.net> <56854964.7050107@samba.org> <56854A6F.9070808@gmail.com>
Message-ID: <56854DC0.8000301@thelounge.net>

On 31.12.2015 at 16:31, James wrote:
> I'm going to update my distro and see what happens

nothing else when you deal with your self built binaries

> 12.04 seems to treat /var/run as a symlink.
>
> lrwxrwxrwx 1 root root 4 Dec 31 10:06 /var/run -> /run

that's normal, the main question is if it's enough to create /run/named with the correct permissions once or if it needs to be done before the service at every boot (in case it's a tmpfs)

[root at local:~]$ mount | grep /run
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL: From rpenny at samba.org Thu Dec 31 15:51:05 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 31 Dec 2015 15:51:05 +0000 Subject: [Samba] How to switch from internal DNS to Bind In-Reply-To: <56854A6F.9070808@gmail.com> References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <568541D0.2000608@thelounge.net> <56854964.7050107@samba.org> <56854A6F.9070808@gmail.com> Message-ID: <56854EE9.4010509@samba.org> On 31/12/15 15:31, James wrote: > On 12/31/2015 10:27 AM, Rowland penny wrote: >> On 31/12/15 14:55, Reindl Harald wrote: >>> >>> >>> Am 31.12.2015 um 15:43 schrieb James: >>>> On 12/30/2015 4:14 PM, Rowland penny wrote: >>>>> ./configure --prefix=/usr --mandir=/usr/share/man >>>>> --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var >>>>> --enable-threads --enable-largefile --with-libtool --enable-shared >>>>> --enable-static --with-openssl=/usr --with-gssapi=/usr >>>>> --with-dlopen=yes --with-gnu-ld --enable-ipv6 >>>>> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2' >>>>> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro' >>>>> CPPFLAGS='-D_FORTIFY_SOURCE=2' >>>> I seem to have a few errors in my syslog. >>>> >>>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir '/var/run/named': >>>> Permission denied >>>> I compiled using 9.9.8-P2 and your suggested configure options. I see >>>> /run is owned by root:root. Should I give group 'named' permission to >>>> this folder? 
>>>> It's not documented in the wiki as needed
>>>
>>> nobody but root has a business directly on /run
>>> you should create the subfolder as any bind-package does
>>
>> I totally agree
>>
>>> on modern systems /run is a tmpfs and hence empty at boot
>>> so it's "tmpfiles" job to re-create them at boot
>>
>> Ah, but the OP is using Ubuntu 12.04 and I don't think that it uses
>> the 'tmpfile' /run, I am sure it used the 'fixed' /var/run instead.
>>
>>> that config is typically part of the bind package
>>
>> Yes, that is where I got it from, it puts everything where the distro
>> package did, you can then use the distro's init script etc. If he was
>> to move to a later distro, then he wouldn't have to compile Bind9 :-)
>>
>>> [root at srv-rhsoft:~]$ cat /usr/lib/tmpfiles.d/named.conf
>>> d /run/named 0755 named named -
>>
>> I have checked and all I did after compiling bind9 was to provision
>> samba4, setup bind with samba and then started bind and samba.
>>
>> Rowland
>>
> I'm going to update my distro and see what happens. As a FYI Ubuntu
> 12.04 seems to treat /var/run as a symlink.
>
> lrwxrwxrwx 1 root root 4 Dec 31 10:06 /var/run -> /run
>

I am certain it didn't use to be like that, but if you upgrade to 14.04,
you will not need to compile bind.
Rowland From lingpanda101 at gmail.com Thu Dec 31 15:51:18 2015 From: lingpanda101 at gmail.com (James) Date: Thu, 31 Dec 2015 10:51:18 -0500 Subject: [Samba] How to switch from internal DNS to Bind In-Reply-To: <56854B13.3040002@samba.org> References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <56854574.2020403@samba.org> <56854964.7050203@gmail.com> <56854B13.3040002@samba.org> Message-ID: <56854EF6.8050700@gmail.com> On 12/31/2015 10:34 AM, Rowland penny wrote: > On 31/12/15 15:27, James wrote: >> On 12/31/2015 10:10 AM, Rowland penny wrote: >>> On 31/12/15 14:43, James wrote: >>>> On 12/30/2015 4:14 PM, Rowland penny wrote: >>>>> ./configure --prefix=/usr --mandir=/usr/share/man >>>>> --infodir=/usr/share/info --sysconfdir=/etc/bind >>>>> --localstatedir=/var --enable-threads --enable-largefile >>>>> --with-libtool --enable-shared --enable-static --with-openssl=/usr >>>>> --with-gssapi=/usr --with-dlopen=yes --with-gnu-ld --enable-ipv6 >>>>> CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2' >>>>> LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro' >>>>> CPPFLAGS='-D_FORTIFY_SOURCE=2' >>>> I seem to have a few errors in my syslog. 
>>>> >>>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir >>>> '/var/run/named': Permission denied >>>> Dec 31 09:35:17 VMDC1 named[24025]: generating session key for >>>> dynamic DNS >>>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't mkdir >>>> '/var/run/named': Permission denied >>>> Dec 31 09:35:17 VMDC1 named[24025]: could not create >>>> /var/run/named/session.key >>>> Dec 31 09:35:17 VMDC1 named[24025]: failed to generate session key >>>> for dynamic DNS: permission denied >>>> Dec 31 09:35:17 VMDC1 named[24025]: sizing zone task pool based on >>>> 3 zones >>>> Dec 31 09:35:17 VMDC1 named[24025]: set up managed keys zone for >>>> view _default, file 'managed-keys.bind' >>>> Dec 31 09:35:17 VMDC1 named[24025]: configuring command channel >>>> from '/etc/bind/rndc.key' >>>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't add command channel >>>> 127.0.0.1#953: file not found >>>> Dec 31 09:35:17 VMDC1 named[24025]: configuring command channel >>>> from '/etc/bind/rndc.key' >>>> Dec 31 09:35:17 VMDC1 named[24025]: couldn't add command channel >>>> ::1#953: file not found >>>> Dec 31 09:35:17 VMDC1 named[24025]: the working directory is not >>>> writable >>>> Dec 31 09:35:17 VMDC1 named[24025]: managed-keys-zone: loaded serial 0 >>>> Dec 31 09:35:17 VMDC1 named[24025]: zone 0.0.127.in-addr.arpa/IN: >>>> loaded serial 2013050101 >>>> Dec 31 09:35:17 VMDC1 named[24025]: zone localhost/IN: loaded >>>> serial 2013050101 >>>> Dec 31 09:35:17 VMDC1 named[24025]: all zones loaded >>>> Dec 31 09:35:17 VMDC1 named[24025]: running >>>> >>>> I compiled using 9.9.8-P2 and your suggested configure options. I >>>> see /run is owned by root:root. Should I give group 'named' >>>> permission to this folder? It's not documented in the wiki as needed. >>>> >>> >>> Did you run 'make install' as root or via sudo ? sorry, but I should >>> have been a bit more explicit. I don't remember having to change >>> anything. I will dig out my notes and see if there was anything else. 
>>>
>>> Rowland
>>>
>> I did everything as root.
>>
>
> Can you post your bind conf files, and your bind init file
> Also does /var/run exist
>
> Rowland
>

I forgot, I do not want to update the distro at the moment. My production
is currently on 12.04. Want to keep things symmetrical. I'm going to compile
and build bind again.

mount | grep /run
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)

--
-James

From h.reindl at thelounge.net Thu Dec 31 16:01:57 2015
From: h.reindl at thelounge.net (Reindl Harald)
Date: Thu, 31 Dec 2015 17:01:57 +0100
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <56854EF6.8050700@gmail.com>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <56854574.2020403@samba.org> <56854964.7050203@gmail.com> <56854B13.3040002@samba.org> <56854EF6.8050700@gmail.com>
Message-ID: <56855175.1090301@thelounge.net>

On 31.12.2015 at 16:51, James wrote:
> I forgot, I do not want to update the distro at the moment. My
> production is currently on 12.04. Want to keep things symmetrical. I'm
> going to compile and build bind again.
>
> mount | grep /run
> tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
> none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
> none on /run/shm type tmpfs (rw,nosuid,nodev)

so it's like on every recent distribution not persistent
https://www.google.at/#q=ubuntu+12.04+/var/run

http://askubuntu.com/questions/303120/how-folders-created-in-var-run-on-each-reboot

From jra at samba.org Thu Dec 31 16:16:00 2015
From: jra at samba.org (Jeremy Allison)
Date: Thu, 31 Dec 2015 08:16:00 -0800
Subject: [Samba] Getting Started
In-Reply-To: <568535D1.4040502@merit.unu.edu>
References: <568535D1.4040502@merit.unu.edu>
Message-ID: <20151231161600.GA14020@jeremy-acer>

On Thu, Dec 31, 2015 at 03:04:01PM +0100, mj wrote:
> Hi Saurabh,
>
> Strange that nobody seemed to have replied to your question.

Christmas and New Year break in the US, Australia and Europe. He's not
being ignored, just many people are on vacation.

> Anyway: if I were a programmer I would have tried to add functionality to
> the logging part of samba:
>
> - we very much miss detailed information on failed authentication attempts
> on our DC's.
>
> A failed auth attempt on a samba DC is logged with no details at all, like.
> The most valuable one would be:
>
> - coming-from ip address
>
> Sadly I cannot add this myself, but since you ARE a c programmer, and asked
> for things you could add to samba...: This addition would be _very much_
> welcomed by us.

Next week (back in work) I'm planning to look over tasks for beginners and
see how I can help.

Sorry for the delay. Happy New Year ! :-).

Jeremy.
From lingpanda101 at gmail.com Thu Dec 31 17:05:06 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 31 Dec 2015 12:05:06 -0500
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <56855175.1090301@thelounge.net>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <56854574.2020403@samba.org> <56854964.7050203@gmail.com> <56854B13.3040002@samba.org> <56854EF6.8050700@gmail.com> <56855175.1090301@thelounge.net>
Message-ID: <56856042.9070108@gmail.com>

On 12/31/2015 11:01 AM, Reindl Harald wrote:
>
> On 31.12.2015 at 16:51, James wrote:
>> I forgot, I do not want to update the distro at the moment. My
>> production is currently on 12.04. Want to keep things symmetrical. I'm
>> going to compile and build bind again.
>>
>> mount | grep /run
>> tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
>> none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
>> none on /run/shm type tmpfs (rw,nosuid,nodev)
>
> so it's like on every recent distribution not persistent
> https://www.google.at/#q=ubuntu+12.04+/var/run
>
> http://askubuntu.com/questions/303120/how-folders-created-in-var-run-on-each-reboot
>

That second link proved helpful. Thank you. The errors I posted were prior
to using an init script. Creating one and using the following eliminated the
errors.

cat /etc/init/bind9.conf

# bind9 - bind9 job file

description "bind9 Domain Name Server For Samba4"

start on runlevel [2345]
stop on runlevel [!2345]

pre-start script
    mkdir -p -m0777 /run/named
    chown root:named /run/named
end script

exec /usr/sbin/named -u named

Do the permissions look about right for /run? I now get these errors.

Dec 31 12:01:59 VMDC1 named[939]: configuring command channel from '/etc/bind/rndc.key'
Dec 31 12:01:59 VMDC1 named[939]: couldn't add command channel 127.0.0.1#953: file not found
Dec 31 12:01:59 VMDC1 named[939]: configuring command channel from '/etc/bind/rndc.key'
Dec 31 12:01:59 VMDC1 named[939]: couldn't add command channel ::1#953: file not found
Dec 31 12:01:59 VMDC1 named[939]: the working directory is not writable

If I make /etc/bind writable via the init script, I still get these
messages. Maybe it's referring to another folder?

--
-James

From lingpanda101 at gmail.com Thu Dec 31 17:33:51 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 31 Dec 2015 12:33:51 -0500
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <56855175.1090301@thelounge.net>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <56854574.2020403@samba.org> <56854964.7050203@gmail.com> <56854B13.3040002@samba.org> <56854EF6.8050700@gmail.com> <56855175.1090301@thelounge.net>
Message-ID: <568566FF.8070600@gmail.com>

On 12/31/2015 11:01 AM, Reindl Harald wrote:
>
> On 31.12.2015 at 16:51, James wrote:
>> I forgot, I do not want to update the distro at the moment. My
>> production is currently on 12.04. Want to keep things symmetrical. I'm
>> going to compile and build bind again.
>> >> mount | grep /run >> tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755) >> none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880) >> none on /run/shm type tmpfs (rw,nosuid,nodev) > > so it's like on every recent distribution not persistent > https://www.google.at/#q=ubuntu+12.04+/var/run > > http://askubuntu.com/questions/303120/how-folders-created-in-var-run-on-each-reboot > > > > I think I can safely ignore these warnings for configuring command channel from '/etc/bind/rndc.key' couldn't add command channel 127.0.0.1#953: file not found It appears rndc is for the following. "BIND includes a utility called rndc which allows command line administration of the named daemon from the localhost or a remote host." I will be using either samba-tool or Microsoft tools to manage the dns. -- -James From lingpanda101 at gmail.com Thu Dec 31 17:59:05 2015 From: lingpanda101 at gmail.com (James) Date: Thu, 31 Dec 2015 12:59:05 -0500 Subject: [Samba] How to switch from internal DNS to Bind In-Reply-To: <56855175.1090301@thelounge.net> References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <56854574.2020403@samba.org> <56854964.7050203@gmail.com> <56854B13.3040002@samba.org> <56854EF6.8050700@gmail.com> <56855175.1090301@thelounge.net> Message-ID: <56856CE9.8050007@gmail.com> On 12/31/2015 11:01 AM, Reindl Harald wrote: > > > Am 31.12.2015 um 16:51 schrieb James: >> I forgot, I do not want to update the distro at the moment. My >> production is currently on 12.04. Want to keep things symmetrical. I'm >> going to compile and build bind again. 
>>
>> mount | grep /run
>> tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
>> none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
>> none on /run/shm type tmpfs (rw,nosuid,nodev)
>
> so it's like on every recent distribution not persistent
> https://www.google.at/#q=ubuntu+12.04+/var/run
>
> http://askubuntu.com/questions/303120/how-folders-created-in-var-run-on-each-reboot
>

It appears I'm running into issues with the actual switch to bind.

loading configuration from '/etc/bind/named.conf'
Dec 31 12:48:49 VMDC1 named[918]: /usr/local/samba/private/named.conf.update:2: unknown option 'update-policy'
Dec 31 12:48:49 VMDC1 named[918]: /etc/bind/named.conf:54: unknown option 'tkey-gssapi-keytab'
Dec 31 12:48:49 VMDC1 named[918]: loading configuration: failure

The wiki says

During provisioning/upgrading, a file ('/usr/local/samba/private/named.conf') was created, this must be included in your BIND named.conf:

include "/usr/local/samba/private/named.conf";

Mine actually is labeled 'named.conf.update'. Should I rename?

I also added per the wiki

tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

cat /etc/bind/named.conf

# /etc/bind/named.conf

# Global BIND configuration options
include "/usr/local/samba/private/named.conf.update";

options {
    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;
    allow-query {
        127.0.0.1;
        192.168.1.0/24;
        # add other networks you want to allow to query your DNS
    };
    allow-recursion {
        192.168.1.0/24;
        # add other networks you want to allow to do recursive queries
    };
    forwarders {
        # Google public DNS server here - replace with your own if necessary
        8.8.8.8;
        8.8.4.4;
    };
    allow-transfer {
        # this config is for a single master DNS server
        none;
    };
};

# Root servers (required zone for recursive queries)
zone "."
{
    type hint;
    file "named.root";
};

# Required localhost forward-/reverse zones
zone "localhost"
{
    type master;
    file "master/localhost.zone";
};

zone "0.0.127.in-addr.arpa"
{
    type master;
    file "master/0.0.127.zone";
};

tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
};

--
-James

From lingpanda101 at gmail.com Thu Dec 31 18:06:26 2015
From: lingpanda101 at gmail.com (James)
Date: Thu, 31 Dec 2015 13:06:26 -0500
Subject: [Samba] How to switch from internal DNS to Bind
In-Reply-To: <56855175.1090301@thelounge.net>
References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <56854574.2020403@samba.org> <56854964.7050203@gmail.com> <56854B13.3040002@samba.org> <56854EF6.8050700@gmail.com> <56855175.1090301@thelounge.net>
Message-ID: <56856EA2.3080108@gmail.com>

On 12/31/2015 11:01 AM, Reindl Harald wrote:
>
> On 31.12.2015 at 16:51, James wrote:
>> I forgot, I do not want to update the distro at the moment. My
>> production is currently on 12.04. Want to keep things symmetrical. I'm
>> going to compile and build bind again.
>>
>> mount | grep /run
>> tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
>> none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
>> none on /run/shm type tmpfs (rw,nosuid,nodev)
>
> so it's like on every recent distribution not persistent
> https://www.google.at/#q=ubuntu+12.04+/var/run
>
> http://askubuntu.com/questions/303120/how-folders-created-in-var-run-on-each-reboot
>

It appears named.conf isn't created until after invoking the actual upgrade
command. Corrected that issue.
I now see named.conf in /usr/local/samba/private However I still seem to have the /etc/bind/named.conf:54: unknown option 'tkey-gssapi-keytab' -- -James From lingpanda101 at gmail.com Thu Dec 31 18:28:39 2015 From: lingpanda101 at gmail.com (James) Date: Thu, 31 Dec 2015 13:28:39 -0500 Subject: [Samba] How to switch from internal DNS to Bind In-Reply-To: <56855175.1090301@thelounge.net> References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <56854574.2020403@samba.org> <56854964.7050203@gmail.com> <56854B13.3040002@samba.org> <56854EF6.8050700@gmail.com> <56855175.1090301@thelounge.net> Message-ID: <568573D7.2090004@gmail.com> On 12/31/2015 11:01 AM, Reindl Harald wrote: > > > Am 31.12.2015 um 16:51 schrieb James: >> I forgot, I do not want to update the distro at the moment. My >> production is currently on 12.04. Want to keep things symmetrical. I'm >> going to compile and build bind again. >> >> mount | grep /run >> tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755) >> none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880) >> none on /run/shm type tmpfs (rw,nosuid,nodev) > > so it's like on every recent distribution not persistent > https://www.google.at/#q=ubuntu+12.04+/var/run > > http://askubuntu.com/questions/303120/how-folders-created-in-var-run-on-each-reboot > > > > OK I think I solved the tkey-gssapi issue. Apparently It wasn't in the correct location in named.conf. The syslog no longer shows any meaningful bind errors. Looking at the samba log I do see some. [2015/12/31 13:22:46.466800, 0] ../source4/smbd/server.c:370(binary_smbd_main) samba version 4.2.5 started. Copyright Andrew Tridgell and the Samba Team 1992-2014 ldb: unable to dlopen /usr/local/samba/lib/ldb/dns_notify.so : /usr/local/samba/lib/private/liberrors-samba4.so: version `SAMBA_4.3.0' not found (required by /usr/local/samba/lib/ldb/dns_notify. 
so) ldb: unable to dlopen /usr/local/samba/lib/ldb/tombstone_reanimate.so : /usr/local/samba/lib/private/libdsdb-module-samba4.so: version `SAMBA_4.3.0' not found (required by /usr/local/samba/lib/l db/tombstone_reanimate.so) [2015/12/31 13:22:48.050030, 0] ../source4/smbd/server.c:488(binary_smbd_main) samba: using 'standard' process model [2015/12/31 13:22:48.358595, 0] ../lib/util/become_daemon.c:124(daemon_ready) STATUS=daemon 'samba' finished starting up and ready to serve connections [2015/12/31 13:22:50.709103, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_spnupdate: ldb: unable to dlopen /usr/local/samba/lib/ldb/dns_notify.so : /usr/local/samba/lib/private/liberrors-samba4.so: version `SAMBA_4.3.0' not found (require d by /usr/local/samba/lib/ldb/dns_notify.so) [2015/12/31 13:22:51.022158, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_spnupdate: ldb: unable to dlopen /usr/local/samba/lib/ldb/tombstone_reanimate.so : /usr/local/samba/lib/private/libdsdb-module-samba4.so: version `SAMBA_4.3.0' not found (required by /usr/local/samba/lib/ldb/tombstone_reanimate.so) [2015/12/31 13:22:51.377786, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: ldb: unable to dlopen /usr/local/samba/lib/ldb/dns_notify.so : /usr/local/samba/lib/private/liberrors-samba4.so: version `SAMBA_4.3.0' not found (require d by /usr/local/samba/lib/ldb/dns_notify.so) [2015/12/31 13:22:51.800456, 0] ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: ldb: unable to dlopen /usr/local/samba/lib/ldb/tombstone_reanimate.so : /usr/local/samba/lib/private/libdsdb-module-samba4.so: version `SAMBA_4.3.0' not found (required by /usr/local/samba/lib/ldb/tombstone_reanimate.so) I need to update to Samba 4.3 in order to resolve this. What exactly do I lose by not updating? 
-- -James From lists at merit.unu.edu Thu Dec 31 18:44:04 2015 From: lists at merit.unu.edu (mj) Date: Thu, 31 Dec 2015 19:44:04 +0100 Subject: [Samba] Getting Started In-Reply-To: <20151231161600.GA14020@jeremy-acer> References: <568535D1.4040502@merit.unu.edu> <20151231161600.GA14020@jeremy-acer> Message-ID: <56857774.7030608@merit.unu.edu> Hi, Still waiting (just over 4 hours to go) but.... happy new year to you as well. > Sorry for the delay. Happy New Year ! :-). > > Jeremy. MJ From rpenny at samba.org Thu Dec 31 19:30:08 2015 From: rpenny at samba.org (Rowland penny) Date: Thu, 31 Dec 2015 19:30:08 +0000 Subject: [Samba] How to switch from internal DNS to Bind In-Reply-To: <568573D7.2090004@gmail.com> References: <568434F9.4060501@gmail.com> <56843EC1.8020107@samba.org> <568441BE.2080307@gmail.com> <56844926.8020001@samba.org> <56853F1F.40800@gmail.com> <56854574.2020403@samba.org> <56854964.7050203@gmail.com> <56854B13.3040002@samba.org> <56854EF6.8050700@gmail.com> <56855175.1090301@thelounge.net> <568573D7.2090004@gmail.com> Message-ID: <56858240.3030103@samba.org> On 31/12/15 18:28, James wrote: > On 12/31/2015 11:01 AM, Reindl Harald wrote: >> >> >> Am 31.12.2015 um 16:51 schrieb James: >>> I forgot, I do not want to update the distro at the moment. My >>> production is currently on 12.04. Want to keep things symmetrical. I'm >>> going to compile and build bind again. >>> >>> mount | grep /run >>> tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755) >>> none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880) >>> none on /run/shm type tmpfs (rw,nosuid,nodev) >> >> so it's like on every recent distribution not persistent >> https://www.google.at/#q=ubuntu+12.04+/var/run >> >> http://askubuntu.com/questions/303120/how-folders-created-in-var-run-on-each-reboot >> >> >> >> > OK I think I solved the tkey-gssapi issue. Apparently It wasn't in the > correct location in named.conf. The syslog no longer shows any > meaningful bind errors. 
Looking at the samba log I do see some. > > > [2015/12/31 13:22:46.466800, 0] > ../source4/smbd/server.c:370(binary_smbd_main) > samba version 4.2.5 started. > Copyright Andrew Tridgell and the Samba Team 1992-2014 > ldb: unable to dlopen /usr/local/samba/lib/ldb/dns_notify.so : > /usr/local/samba/lib/private/liberrors-samba4.so: version > `SAMBA_4.3.0' not found (required by > /usr/local/samba/lib/ldb/dns_notify. so) > ldb: unable to dlopen /usr/local/samba/lib/ldb/tombstone_reanimate.so > : /usr/local/samba/lib/private/libdsdb-module-samba4.so: version > `SAMBA_4.3.0' not found (required by /usr/local/samba/lib/l > db/tombstone_reanimate.so) > [2015/12/31 13:22:48.050030, 0] > ../source4/smbd/server.c:488(binary_smbd_main) > samba: using 'standard' process model > [2015/12/31 13:22:48.358595, 0] > ../lib/util/become_daemon.c:124(daemon_ready) > STATUS=daemon 'samba' finished starting up and ready to serve > connections > [2015/12/31 13:22:50.709103, 0] > ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler) > /usr/local/samba/sbin/samba_spnupdate: ldb: unable to dlopen > /usr/local/samba/lib/ldb/dns_notify.so : > /usr/local/samba/lib/private/liberrors-samba4.so: version > `SAMBA_4.3.0' not found (require d by > /usr/local/samba/lib/ldb/dns_notify.so) > [2015/12/31 13:22:51.022158, 0] > ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler) > /usr/local/samba/sbin/samba_spnupdate: ldb: unable to dlopen > /usr/local/samba/lib/ldb/tombstone_reanimate.so : > /usr/local/samba/lib/private/libdsdb-module-samba4.so: version > `SAMBA_4.3.0' not found (required by > /usr/local/samba/lib/ldb/tombstone_reanimate.so) > [2015/12/31 13:22:51.377786, 0] > ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler) > /usr/local/samba/sbin/samba_dnsupdate: ldb: unable to dlopen > /usr/local/samba/lib/ldb/dns_notify.so : > /usr/local/samba/lib/private/liberrors-samba4.so: version > `SAMBA_4.3.0' not found (require d by > /usr/local/samba/lib/ldb/dns_notify.so) > [2015/12/31 
13:22:51.800456, 0]
> ../lib/util/util_runcmd.c:324(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: ldb: unable to dlopen
> /usr/local/samba/lib/ldb/tombstone_reanimate.so :
> /usr/local/samba/lib/private/libdsdb-module-samba4.so: version
> `SAMBA_4.3.0' not found (required by
> /usr/local/samba/lib/ldb/tombstone_reanimate.so)
>
> I need to update to Samba 4.3 in order to resolve this. What exactly
> do I lose by not updating?
>

OK James, I have just spent the last hour trying to compile bind9 on the
latest Ubuntu 12.04, well that is not entirely true. I have been trying to
install the required packages to compile bind9 and it seems that lots of
required packages are no longer available, i.e.

Package gcc is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package 'gcc' has no installation candidate

So, sorry, but I have given up. I have had another thought, could your
problems be caused by apparmor? I still think that you would be better off
upgrading to 14.04.

Rowland
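[Editor's added example, not a message from the thread and not code from Samba or BIND.] The thread ends without a definitive diagnosis, so the script below checks offline the two things it turned on. First, the placement of 'tkey-gssapi-keytab': BIND only accepts that statement inside the options { } block, and a copy placed after the zone blocks (as in the named.conf James posted, stray closing braces included) is what named reports as "unknown option 'tkey-gssapi-keytab'". Second, the mode of the runtime directory: the posted upstart job runs 'mkdir -p -m0777 /run/named', which makes the directory named writes session.key into world-writable; since named is started with '-u named', the distro tmpfiles line quoted earlier ('d /run/named 0755 named named -') is the usual shape. One fact worth knowing for the remaining log line: "the working directory is not writable" refers to the options 'directory' ('/var/named' in the posted config), not to /etc/bind. The two named.conf samples (BROKEN_CONF and FIXED_CONF) are constructed, modelled on the posted file, and all function names are mine; the rndc "file not found" lines are not covered here.

```python
"""Offline checks for a Samba AD DC's BIND9 named.conf and its runtime directory.
Added example for this thread; not code from the thread, Samba or BIND."""
import os
import re
import stat
import tempfile

# named.conf comment styles: /* */, // and #. A '//' or '#' inside a quoted
# string is stripped too, which is acceptable for this structural check.
_COMMENT_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')   # strings, braces, words


def analyze_named_conf(text):
    """Walk the block structure of named.conf text. Returns a dict with:
    balanced      - no stray '}' and no unclosed '{'
    tkey_contexts - enclosing block path of each tkey-gssapi-keytab statement:
                    ['options'] when placed correctly, [] when at top level,
                    which named logs as "unknown option 'tkey-gssapi-keytab'"
    directory     - the options 'directory', i.e. named's working directory
    """
    result = {'balanced': True, 'tkey_contexts': [], 'directory': None}
    stack = []      # names of the blocks we are inside, outermost first
    current = []    # tokens of the statement being read
    for tok in _TOKEN_RE.findall(_COMMENT_RE.sub(' ', text)):
        if tok == '{':
            stack.append(current[0] if current else '?')
            current = []
        elif tok == '}':
            if stack:
                stack.pop()
            else:
                result['balanced'] = False      # stray closing brace
            current = []
        elif tok == ';':
            if current:
                keyword, args = current[0], current[1:]
                if keyword == 'tkey-gssapi-keytab':
                    result['tkey_contexts'].append(list(stack))
                elif keyword == 'directory' and args and stack == ['options']:
                    result['directory'] = args[0].strip('"')
            current = []
        else:
            current.append(tok)
    if stack:
        result['balanced'] = False              # unclosed block(s)
    return result


def tkey_in_options(result):
    """True when tkey-gssapi-keytab sits directly inside options { }."""
    return any(ctx == ['options'] for ctx in result['tkey_contexts'])


def runtime_dir_world_writable(path):
    """True if 'others' may write to path, which is what 'mkdir -m0777' gives."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def demo_runtime_dir_modes():
    """Apply the mode check to a scratch directory at 0777, then at 0755.
    Returns (world_writable_at_0777, world_writable_at_0755). named run with
    '-u named' only needs the directory writable by that user, which is what
    the distro tmpfiles line 'd /run/named 0755 named named -' expresses."""
    with tempfile.TemporaryDirectory() as tmp:
        run_named = os.path.join(tmp, 'named')
        os.mkdir(run_named)
        os.chmod(run_named, 0o777)
        loose = runtime_dir_world_writable(run_named)
        os.chmod(run_named, 0o755)
        tight = runtime_dir_world_writable(run_named)
    return loose, tight


# Constructed samples modelled on the posted /etc/bind/named.conf; the paths
# are the thread's and are not checked for existence here.
BROKEN_CONF = """
include "/usr/local/samba/private/named.conf";
options {
    directory "/var/named";
    allow-query { 127.0.0.1; 192.168.1.0/24; };
};
zone "." { type hint; file "named.root"; };
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
};
"""

FIXED_CONF = """
include "/usr/local/samba/private/named.conf";
options {
    directory "/var/named";
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    // Samba wiki placement: inside options, not after the zone blocks
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
zone "." { type hint; file "named.root"; };
"""
```

To use it on a real host, pass the text of /etc/bind/named.conf to analyze_named_conf(); the included Samba-generated file is not followed, so run named-checkconf /etc/bind/named.conf as well, which does follow include statements and is the authoritative check before restarting named.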