From rpenny at samba.org Wed May 1 08:18:54 2024
From: rpenny at samba.org (Rowland Penny)
Date: Wed, 1 May 2024 09:18:54 +0100
Subject: [Samba] named wont start
Message-ID: <20240501091854.4af3d662@devstation.samdom.example.com>

On Tue, 30 Apr 2024 07:54:15 -0700
Peter Carlson via samba wrote:

> Not sure if this library is provided by the samba team or isc, but I can
> no longer start my named service if I connect it with samba. Brief
> history: I am having problems with named hanging, ISC says step 1 is
> to upgrade to the latest bind. As soon as I upgrade to latest bind,
> it won't start. Now the first step is to figure out which mailing list
> to talk to
>
> syslog:
>
> Apr 30 07:43:02 nc1 named[27557]: Loading 'AD DNS Zone' using driver dlopen
> Apr 30 07:43:02 nc1 named[27557]: free(): invalid pointer
> Apr 30 07:43:03 nc1 systemd[1]: named.service: Main process exited, code=killed, status=6/ABRT
>
> if I comment out the include it works
> include "/var/lib/samba/bind-dns/named.conf";
>
> versions:
> root at nc1:/etc/bind# named -version
> BIND 9.18.26-1+ubuntu22.04.1+deb.sury.org+1-Ubuntu (Extended Support Version)
> root at nc1:/etc/bind# smbd --version
> Version 4.20.0-Ubuntu
>

OK, this works for myself, but using Samba 4.19.5 and named 9.18.24 on
aarch64.
It looks like something changed, but where.

Does named start if you use the latest Ubuntu package (9.18.18 from
security) with Samba 4.20.0 ?

As far as I am aware, there have been no recent major changes in the
Samba bind9_dlz code.
Rowland

From rpenny at samba.org Wed May 1 09:02:53 2024
From: rpenny at samba.org (Rowland Penny)
Date: Wed, 1 May 2024 10:02:53 +0100
Subject: [Samba] named wont start
In-Reply-To: <20240501091854.4af3d662@devstation.samdom.example.com>
References: <20240501091854.4af3d662@devstation.samdom.example.com>
Message-ID: <20240501100253.6881b9f8@devstation.samdom.example.com>

On Wed, 1 May 2024 09:18:54 +0100
Rowland Penny via samba wrote:

> On Tue, 30 Apr 2024 07:54:15 -0700
> Peter Carlson via samba wrote:
>
> > Not sure if this library is provided by the samba team or isc, but I can
> > no longer start my named service if I connect it with samba. Brief
> > history: I am having problems with named hanging, ISC says step 1 is
> > to upgrade to the latest bind. As soon as I upgrade to latest bind,
> > it won't start. Now the first step is to figure out which mailing
> > list to talk to
> >
> > syslog:
> >
> > Apr 30 07:43:02 nc1 named[27557]: Loading 'AD DNS Zone' using driver dlopen
> > Apr 30 07:43:02 nc1 named[27557]: free(): invalid pointer
> > Apr 30 07:43:03 nc1 systemd[1]: named.service: Main process exited, code=killed, status=6/ABRT
> >
> > if I comment out the include it works
> > include "/var/lib/samba/bind-dns/named.conf";
> >
> > versions:
> > root at nc1:/etc/bind# named -version
> > BIND 9.18.26-1+ubuntu22.04.1+deb.sury.org+1-Ubuntu (Extended Support Version)
> > root at nc1:/etc/bind# smbd --version
> > Version 4.20.0-Ubuntu
> >
>
> OK, this works for myself, but using Samba 4.19.5 and named 9.18.24 on
> aarch64.
> It looks like something changed, but where.
>
> Does named start if you use the latest Ubuntu package (9.18.18 from
> security) with Samba 4.20.0 ?
>
> As far as I am aware, there have been no recent major changes in the
> Samba bind9_dlz code.
>
> Rowland
>

I found your named.conf files on the bind9 mailing lists, why are you
using 'views' ?
Also to raise the log level, you need to add '-d3' to the end of the
database line in /var/lib/samba/bind-dns/named.conf, for example:

database "dlopen /usr/lib/aarch64-linux-gnu/samba/bind9/dlz_bind9_18.so" -d3;

NOTE: You can use higher numbers than '3' which will give you more
output.

Rowland

From peter at howudodat.com Wed May 1 13:51:00 2024
From: peter at howudodat.com (Peter Carlson)
Date: Wed, 1 May 2024 06:51:00 -0700
Subject: [Samba] named wont start
In-Reply-To: <20240501100253.6881b9f8@devstation.samdom.example.com>
References: <20240501091854.4af3d662@devstation.samdom.example.com>
 <20240501100253.6881b9f8@devstation.samdom.example.com>
Message-ID: <70e71867-4b35-4100-a359-8f1df3b4fd4b@howudodat.com>

On 5/1/24 02:02, Rowland Penny via samba wrote:
> On Wed, 1 May 2024 09:18:54 +0100
> Rowland Penny via samba wrote:
>
>> On Tue, 30 Apr 2024 07:54:15 -0700
>> Peter Carlson via samba wrote:
>>
>>> Not sure if this library is provided by the samba team or isc, but I can
>>> no longer start my named service if I connect it with samba. Brief
>>> history: I am having problems with named hanging, ISC says step 1 is
>>> to upgrade to the latest bind. As soon as I upgrade to latest bind,
>>> it won't start. Now the first step is to figure out which mailing
>>> list to talk to
>>>
>>> syslog:
>>>
>>> Apr 30 07:43:02 nc1 named[27557]: Loading 'AD DNS Zone' using driver dlopen
>>> Apr 30 07:43:02 nc1 named[27557]: free(): invalid pointer
>>> Apr 30 07:43:03 nc1 systemd[1]: named.service: Main process exited, code=killed, status=6/ABRT
>>>
>>> if I comment out the include it works
>>> include "/var/lib/samba/bind-dns/named.conf";
>>>
>>> versions:
>>> root at nc1:/etc/bind# named -version
>>> BIND 9.18.26-1+ubuntu22.04.1+deb.sury.org+1-Ubuntu (Extended Support Version)
>>> root at nc1:/etc/bind# smbd --version
>>> Version 4.20.0-Ubuntu
>>>
>> OK, this works for myself, but using Samba 4.19.5 and named 9.18.24 on
>> aarch64.
>> It looks like something changed, but where.
>>
>> Does named start if you use the latest Ubuntu package (9.18.18 from
>> security) with Samba 4.20.0 ?
>>
>> As far as I am aware, there have been no recent major changes in the
>> Samba bind9_dlz code.
>>
>> Rowland
>>
I will try that combo this afternoon. BTW, I was running on MJT's repo
using the latest 4.17 version and it also has the same error. It was the
error that moved me to try the 4.20 branch.

> I found your named.conf files on the bind9 mailing lists, why are you
> using 'views' ?
>
> Also to raise the log level, you need to add '-d3' to the end of the
> database line in /var/lib/samba/bind-dns/named.conf, for example:
>
> database "dlopen /usr/lib/aarch64-linux-gnu/samba/bind9/dlz_bind9_18.so" -d3;
>
> NOTE: You can use higher numbers than '3' which will give you more
> output.
>
> Rowland

I will also add the debug this afternoon. Views....I need different
resolution for internal users vs vpn users vs external users

users.internal: all external resources, all domain resources, 3CX
resolves directly to internal PBX (override for XYZ.3cx.us)

users.vpn: all external resources, all domain resources, 3CX resolves
via 3CX's domain servers

users.external: all external resources

Internal vs external is easy with split level. However the mess came
from needing internal users to use the internal address of the PBX and
vpn users needing the public ip of the pbx.
Peter

From rpenny at samba.org Wed May 1 14:51:16 2024
From: rpenny at samba.org (Rowland Penny)
Date: Wed, 1 May 2024 15:51:16 +0100
Subject: [Samba] named wont start
In-Reply-To: <70e71867-4b35-4100-a359-8f1df3b4fd4b@howudodat.com>
References: <20240501091854.4af3d662@devstation.samdom.example.com>
 <20240501100253.6881b9f8@devstation.samdom.example.com>
 <70e71867-4b35-4100-a359-8f1df3b4fd4b@howudodat.com>
Message-ID: <20240501155116.5560dc97@devstation.samdom.example.com>

On Wed, 1 May 2024 06:51:00 -0700
Peter Carlson via samba wrote:

>
> On 5/1/24 02:02, Rowland Penny via samba wrote:
> > On Wed, 1 May 2024 09:18:54 +0100
> > Rowland Penny via samba wrote:
> >
> >> On Tue, 30 Apr 2024 07:54:15 -0700
> >> Peter Carlson via samba wrote:
> >>
> >>> Not sure if this library is provided by the samba team or isc, but I
> >>> can no longer start my named service if I connect it with samba.
> >>> Brief history: I am having problems with named hanging, ISC says
> >>> step 1 is to upgrade to the latest bind. As soon as I upgrade to
> >>> latest bind, it won't start. Now the first step is to figure out
> >>> which mailing list to talk to
> >>>
> >>> syslog:
> >>>
> >>> Apr 30 07:43:02 nc1 named[27557]: Loading 'AD DNS Zone' using driver dlopen
> >>> Apr 30 07:43:02 nc1 named[27557]: free(): invalid pointer
> >>> Apr 30 07:43:03 nc1 systemd[1]: named.service: Main process exited, code=killed, status=6/ABRT
> >>>
> >>> if I comment out the include it works
> >>> include "/var/lib/samba/bind-dns/named.conf";
> >>>
> >>> versions:
> >>> root at nc1:/etc/bind# named -version
> >>> BIND 9.18.26-1+ubuntu22.04.1+deb.sury.org+1-Ubuntu (Extended Support Version)
> >>> root at nc1:/etc/bind# smbd --version
> >>> Version 4.20.0-Ubuntu
> >>>
> >> OK, this works for myself, but using Samba 4.19.5 and named
> >> 9.18.24 on aarch64.
> >> It looks like something changed, but where.
> >>
> >> Does named start if you use the latest Ubuntu package (9.18.18 from
> >> security) with Samba 4.20.0 ?
> >>
> >> As far as I am aware, there have been no recent major changes in
> >> the Samba bind9_dlz code.
> >>
> >> Rowland
> >>
> I will try that combo this afternoon. BTW, I was running on MJT's
> repo using the latest 4.17 version and it also has the same error. It
> was the error that moved me to try the 4.20 branch.
> > I found your named.conf files on the bind9 mailing lists, why are
> > you using 'views' ?
> >
> > Also to raise the log level, you need to add '-d3' to the end of the
> > database line in /var/lib/samba/bind-dns/named.conf, for example:
> >
> > database "dlopen /usr/lib/aarch64-linux-gnu/samba/bind9/dlz_bind9_18.so" -d3;
> >
> > NOTE: You can use higher numbers than '3' which will give you more
> > output.
> >
> > Rowland
>
> I will also add the debug this afternoon. Views....I need different
> resolution for internal users vs vpn users vs external users
>
> users.internal: all external resources, all domain resources, 3CX
> resolves directly to internal PBX (override for XYZ.3cx.us)
>
> users.vpn: all external resources, all domain resources, 3CX resolves
> via 3CX's domain servers
>
> users.external: all external resources
>
> Internal vs external is easy with split level. However the mess
> came from needing internal users to use the internal address of the
> PBX and vpn users needing the public ip of the pbx.
>
> Peter

I think your problems could be all down to the way that your dns is set
up, I do not think the Samba bind_dlz module knows anything about
'views'.

In an ideal world, the Samba dns server (be it the internal or Bind9)
should just be responsible for the AD domain and forward anything
unknown to another dns server (which is how dns servers generally work).
One of the reasons that people try to use a setup like yours is that
they have a registered dns domain (let's say 'example.com') and then use
that domain for AD instead of something like 'ad.example.com'. This is
definitely not a good idea and isn't best practice.

If your AD is using something like 'ad.example.com' and your registered
dns domain is 'example.com', then I suggest you set up a dns server on a
non domain machine to work with your 'view' and forward everything for
'ad.example.com' to a DC.

If your external and AD dns domains are both the same, then you either
put up with the problems you are having or you rebuild your AD using a
supported dns domain.

As I said, it works for myself using the Debian Bookworm Bind9 package
and Samba 4.19.5 from bookworm-backports (which from my understanding
is built exactly like the 4.20.0 mjt package), however, I do not use a
'view'.

Rowland

From peter at howudodat.com Wed May 1 15:21:25 2024
From: peter at howudodat.com (Peter Carlson)
Date: Wed, 1 May 2024 08:21:25 -0700
Subject: [Samba] named wont start
In-Reply-To: <20240501155116.5560dc97@devstation.samdom.example.com>
References: <20240501091854.4af3d662@devstation.samdom.example.com>
 <20240501100253.6881b9f8@devstation.samdom.example.com>
 <70e71867-4b35-4100-a359-8f1df3b4fd4b@howudodat.com>
 <20240501155116.5560dc97@devstation.samdom.example.com>
Message-ID: <76f2f2a0-7e97-43d5-8317-5213973729dc@howudodat.com>

> I think your problems could be all down to the way that your dns is set
> up, I do not think the Samba bind_dlz module knows anything about
> 'views'.
ugg...ok
>
> In an ideal world, the Samba dns server (be it the internal or Bind9)
> should just be responsible for the AD domain and forward anything
> unknown to another dns server (which is how dns servers generally work).
>
> One of the reasons that people try to use a setup like yours is that
> they have a registered dns domain (let's say 'example.com') and then use
> that domain for AD instead of something like 'ad.example.com'. This is
> definitely not a good idea and isn't best practice.
>
> If your AD is using something like 'ad.example.com' and your registered
> dns domain is 'example.com', then I suggest you set up a dns server on a
> non domain machine to work with your 'view' and forward everything for
> 'ad.example.com' to a DC.
>
> If your external and AD dns domains are both the same, then you either
> put up with the problems you are having or you rebuild your AD using a
> supported dns domain.
>
> As I said, it works for myself using the Debian Bookworm Bind9 package
> and Samba 4.19.5 from bookworm-backports (which from my understanding
> is built exactly like the 4.20.0 mjt package), however, I do not use a
> 'view'.
>
> Rowland
>
This is an inherited scenario and some changes would be hard to do at
the moment. Good news is that the public domain and internal domain are
different. Bad news is that it was set up as .com and .local...sigh...but
that can't be changed at the moment.

The current configuration, and imo is something strong to be
considered, is a unified network controller...network boss, small
business server, whatever you want to call it that is responsible for
dhcp, dns and AD. A small business sometimes needs some of the
capabilities of a larger network but can't afford multiple servers. No
one should have to put up with crashing or hanging services.

Good news is that I can easily spin up another server (thanks to
running everything on proxmox) to split out AD from the rest of the
network controller. If I have no other choice I will do that.
However another point of reference is that I can launch both named and
smbd without it immediately crashing using versions:

administrator at nc1:~$ smbd --version
Version 4.20.0-Ubuntu
administrator at nc1:~$ named -version
BIND 9.18.18-0ubuntu0.22.04.2-Ubuntu (Extended Support Version)

However that combination creates an occasional 100% utilization hung
named process

Peter

From rpenny at samba.org Wed May 1 15:34:03 2024
From: rpenny at samba.org (Rowland Penny)
Date: Wed, 1 May 2024 16:34:03 +0100
Subject: [Samba] named wont start
In-Reply-To: <76f2f2a0-7e97-43d5-8317-5213973729dc@howudodat.com>
References: <20240501091854.4af3d662@devstation.samdom.example.com>
 <20240501100253.6881b9f8@devstation.samdom.example.com>
 <70e71867-4b35-4100-a359-8f1df3b4fd4b@howudodat.com>
 <20240501155116.5560dc97@devstation.samdom.example.com>
 <76f2f2a0-7e97-43d5-8317-5213973729dc@howudodat.com>
Message-ID: <20240501163403.2fad913e@devstation.samdom.example.com>

On Wed, 1 May 2024 08:21:25 -0700
Peter Carlson via samba wrote:

> > I think your problems could be all down to the way that your dns is
> > set up, I do not think the Samba bind_dlz module knows anything
> > about 'views'.
> ugg...ok

I didn't think you would like that fact :-(

> >
> > In an ideal world, the Samba dns server (be it the internal or
> > Bind9) should just be responsible for the AD domain and forward
> > anything unknown to another dns server (which is how dns servers
> > generally work).
> >
> > One of the reasons that people try to use a setup like yours is
> > that they have a registered dns domain (let's say 'example.com') and
> > then use that domain for AD instead of something like
> > 'ad.example.com'. This is definitely not a good idea and isn't best
> > practice.
> >
> > If your AD is using something like 'ad.example.com' and your
> > registered dns domain is 'example.com', then I suggest you set up a
> > dns server on a non domain machine to work with your 'view' and
> > forward everything for 'ad.example.com' to a DC.
> >
> > If your external and AD dns domains are both the same, then you
> > either put up with the problems you are having or you rebuild your
> > AD using a supported dns domain.
> >
> > As I said, it works for myself using the Debian Bookworm Bind9
> > package and Samba 4.19.5 from bookworm-backports (which from my
> > understanding is built exactly like the 4.20.0 mjt package),
> > however, I do not use a 'view'.
> >
> > Rowland
> >
> This is an inherited scenario and some changes would be hard to do at
> the moment. Good news is that the public domain and internal domain
> are different. Bad news is that it was set up as .com and
> .local...sigh...but that can't be changed at the moment.

Well at least they are different, just turn off Avahi everywhere and
ban Mac machines from your AD domain.

>
> The current configuration, and imo is something strong to be
> considered, is a unified network controller...network boss, small
> business server, whatever you want to call it that is responsible for
> dhcp, dns and AD. A small business sometimes needs some of the
> capabilities of a larger network but can't afford multiple servers.
> No one should have to put up with crashing or hanging services.

That idea is a bit old now, using VMs is what would be used now.

>
> Good news is that I can easily spin up another server (thanks to
> running everything on proxmox) to split out AD from the rest of the
> network controller. If I have no other choice I will do that.

See my comment above.
>
> However another point of reference is that I can launch both named
> and smbd without it immediately crashing using versions:
>
> administrator at nc1:~$ smbd --version
> Version 4.20.0-Ubuntu
> administrator at nc1:~$ named -version
> BIND 9.18.18-0ubuntu0.22.04.2-Ubuntu (Extended Support Version)
>
>
> However that combination creates an occasional 100% utilization hung
> named process

I thought we were discussing using Bind9 with a Samba AD DC, if so, you
shouldn't be starting the 'smbd' daemon manually, the 'samba' daemon
should be doing it for you.

Rowland

From peter at howudodat.com Wed May 1 15:44:02 2024
From: peter at howudodat.com (Peter Carlson)
Date: Wed, 1 May 2024 08:44:02 -0700
Subject: [Samba] named wont start
In-Reply-To: <20240501163403.2fad913e@devstation.samdom.example.com>
References: <20240501091854.4af3d662@devstation.samdom.example.com>
 <20240501100253.6881b9f8@devstation.samdom.example.com>
 <70e71867-4b35-4100-a359-8f1df3b4fd4b@howudodat.com>
 <20240501155116.5560dc97@devstation.samdom.example.com>
 <76f2f2a0-7e97-43d5-8317-5213973729dc@howudodat.com>
 <20240501163403.2fad913e@devstation.samdom.example.com>
Message-ID: <9fdde38d-2def-4b17-8726-a5d177883867@howudodat.com>

On 5/1/24 08:34, Rowland Penny via samba wrote:
> On Wed, 1 May 2024 08:21:25 -0700
> Peter Carlson via samba wrote:
>
>>> I think your problems could be all down to the way that your dns is
>>> set up, I do not think the Samba bind_dlz module knows anything
>>> about 'views'.
>> ugg...ok
> I didn't think you would like that fact :-(
>
>>> In an ideal world, the Samba dns server (be it the internal or
>>> Bind9) should just be responsible for the AD domain and forward
>>> anything unknown to another dns server (which is how dns servers
>>> generally work).
>>>
>>> One of the reasons that people try to use a setup like yours is
>>> that they have a registered dns domain (let's say 'example.com') and
>>> then use that domain for AD instead of something like
>>> 'ad.example.com'. This is definitely not a good idea and isn't best
>>> practice.
>>>
>>> If your AD is using something like 'ad.example.com' and your
>>> registered dns domain is 'example.com', then I suggest you set up a
>>> dns server on a non domain machine to work with your 'view' and
>>> forward everything for 'ad.example.com' to a DC.
>>>
>>> If your external and AD dns domains are both the same, then you
>>> either put up with the problems you are having or you rebuild your
>>> AD using a supported dns domain.
>>>
>>> As I said, it works for myself using the Debian Bookworm Bind9
>>> package and Samba 4.19.5 from bookworm-backports (which from my
>>> understanding is built exactly like the 4.20.0 mjt package),
>>> however, I do not use a 'view'.
>>>
>>> Rowland
>>>
>> This is an inherited scenario and some changes would be hard to do at
>> the moment. Good news is that the public domain and internal domain
>> are different. Bad news is that it was set up as .com and
>> .local...sigh...but that can't be changed at the moment.
> Well at least they are different, just turn off Avahi everywhere and
> ban Mac machines from your AD domain.
>
>> The current configuration, and imo is something strong to be
>> considered, is a unified network controller...network boss, small
>> business server, whatever you want to call it that is responsible for
>> dhcp, dns and AD. A small business sometimes needs some of the
>> capabilities of a larger network but can't afford multiple servers.
>> No one should have to put up with crashing or hanging services.
> That idea is a bit old now, using VMs is what would be used now.

I will see if I can convince them to let me re-architect the design and
split it into multiple pieces.
VMs are a bit advanced for most small businesses but I guess even
Synology all in one NAS supports VMs. (don't worry, this isn't running
on a synology).

>
>> Good news is that I can easily spin up another server (thanks to
>> running everything on proxmox) to split out AD from the rest of the
>> network controller. If I have no other choice I will do that.
> See my comment above.
>
>> However another point of reference is that I can launch both named
>> and smbd without it immediately crashing using versions:
>>
>> administrator at nc1:~$ smbd --version
>> Version 4.20.0-Ubuntu
>> administrator at nc1:~$ named -version
>> BIND 9.18.18-0ubuntu0.22.04.2-Ubuntu (Extended Support Version)
>>
>>
>> However that combination creates an occasional 100% utilization hung
>> named process
> I thought we were discussing using Bind9 with a Samba AD DC, if so, you
> shouldn't be starting the 'smbd' daemon manually, the 'samba' daemon
> should be doing it for you.
>
> Rowland

I am, I only ran the command to show the versions, sorry for any
confusion there.

From peter at howudodat.com Thu May 2 00:32:47 2024
From: peter at howudodat.com (Peter Carlson)
Date: Wed, 1 May 2024 17:32:47 -0700
Subject: [Samba] named wont start
In-Reply-To: <9fdde38d-2def-4b17-8726-a5d177883867@howudodat.com>
References: <20240501091854.4af3d662@devstation.samdom.example.com>
 <20240501100253.6881b9f8@devstation.samdom.example.com>
 <70e71867-4b35-4100-a359-8f1df3b4fd4b@howudodat.com>
 <20240501155116.5560dc97@devstation.samdom.example.com>
 <76f2f2a0-7e97-43d5-8317-5213973729dc@howudodat.com>
 <20240501163403.2fad913e@devstation.samdom.example.com>
 <9fdde38d-2def-4b17-8726-a5d177883867@howudodat.com>
Message-ID: <84192959-f8f2-4089-a01f-df579d265e75@howudodat.com>

>>>> In an ideal world, the Samba dns server (be it the internal or
>>>> Bind9) should just be responsible for the AD domain and forward
>>>> anything unknown to another dns server (which is how dns servers
>>>> generally work).
ok, so I spun up another server and split dns out. I ran:

    systemctl stop named
    systemctl disable named
    samba_upgradedns --dns-backend=SAMBA_INTERNAL
    systemctl restart samba-ad-dc.service

nothing responds on port 53 for dns :(

Peter

From peter at howudodat.com Thu May 2 00:51:09 2024
From: peter at howudodat.com (Peter Carlson)
Date: Wed, 1 May 2024 17:51:09 -0700
Subject: [Samba] named wont start
In-Reply-To: <84192959-f8f2-4089-a01f-df579d265e75@howudodat.com>
References: <20240501091854.4af3d662@devstation.samdom.example.com>
 <20240501100253.6881b9f8@devstation.samdom.example.com>
 <70e71867-4b35-4100-a359-8f1df3b4fd4b@howudodat.com>
 <20240501155116.5560dc97@devstation.samdom.example.com>
 <76f2f2a0-7e97-43d5-8317-5213973729dc@howudodat.com>
 <20240501163403.2fad913e@devstation.samdom.example.com>
 <9fdde38d-2def-4b17-8726-a5d177883867@howudodat.com>
 <84192959-f8f2-4089-a01f-df579d265e75@howudodat.com>
Message-ID: <9ca0ab48-20b8-4165-b3e0-47c024af9647@howudodat.com>

On 5/1/24 17:32, Peter Carlson via samba wrote:
>
>>>>> In an ideal world, the Samba dns server (be it the internal or
>>>>> Bind9) should just be responsible for the AD domain and forward
>>>>> anything unknown to another dns server (which is how dns servers
>>>>> generally work).
>
> ok, so I spun up another server and split dns out. I ran:
>
>     systemctl stop named
>
>     systemctl disable named
>
>     samba_upgradedns --dns-backend=SAMBA_INTERNAL
>
>     systemctl restart samba-ad-dc.service
>
> nothing responds on port 53 for dns :(
>
> Peter

oops I forgot to add "dns" to server services in smb.conf

From peter at howudodat.com Thu May 2 01:01:48 2024
From: peter at howudodat.com (Peter Carlson)
Date: Wed, 1 May 2024 18:01:48 -0700
Subject: [Samba] named wont start
In-Reply-To: <9ca0ab48-20b8-4165-b3e0-47c024af9647@howudodat.com>
References: <20240501091854.4af3d662@devstation.samdom.example.com>
 <20240501100253.6881b9f8@devstation.samdom.example.com>
 <70e71867-4b35-4100-a359-8f1df3b4fd4b@howudodat.com>
 <20240501155116.5560dc97@devstation.samdom.example.com>
 <76f2f2a0-7e97-43d5-8317-5213973729dc@howudodat.com>
 <20240501163403.2fad913e@devstation.samdom.example.com>
 <9fdde38d-2def-4b17-8726-a5d177883867@howudodat.com>
 <84192959-f8f2-4089-a01f-df579d265e75@howudodat.com>
 <9ca0ab48-20b8-4165-b3e0-47c024af9647@howudodat.com>
Message-ID: <7fcefd39-fdc8-4435-88aa-0976e124d8e3@howudodat.com>

On 5/1/24 17:51, Peter Carlson via samba wrote:
>
> On 5/1/24 17:32, Peter Carlson via samba wrote:
>>
>>>>>> In an ideal world, the Samba dns server (be it the internal or
>>>>>> Bind9) should just be responsible for the AD domain and forward
>>>>>> anything unknown to another dns server (which is how dns servers
>>>>>> generally work).
>>
>> ok, so I spun up another server and split dns out. I ran:
>>
>>     systemctl stop named
>>
>>     systemctl disable named
>>
>>     samba_upgradedns --dns-backend=SAMBA_INTERNAL
>>
>>     systemctl restart samba-ad-dc.service
>>
>> nothing responds on port 53 for dns :(
>>
>> Peter
>
> oops I forgot to add "dns" to server services in smb.conf

ok, but I am not getting resolution of the default records

root at nc1:/etc/samba# host -t SRV _ldap._tcp.san***ent.local.
Host _ldap._tcp.san***ent.local.
not found: 3(NXDOMAIN)
root at nc1:/etc/samba# host -t SRV _ldap._tcp.san***ent.local
Host _ldap._tcp.san***ent.local not found: 3(NXDOMAIN)
root at nc1:/etc/samba# samba-tool dns zonelist 127.0.0.1 -U peter
  2 zone(s) found

  pszZoneName                 : san***ent.local
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.san***ent.local

  pszZoneName                 : _msdcs.san***ent.local
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.san***ent.local

root at nc1:/etc/samba# samba-tool dns zoneinfo 127.0.0.1 san***ent.local -U peter
  pszZoneName                 : san***ent.local
  dwZoneType                  : DNS_ZONE_TYPE_PRIMARY
  fReverse                    : FALSE
  fAllowUpdate                : DNS_ZONE_UPDATE_SECURE
  fPaused                     : FALSE
  fShutdown                   : FALSE
  fAutoCreated                : FALSE
  fUseDatabase                : TRUE
  pszDataFile                 : None
  aipMasters                  : []
  fSecureSecondaries          : DNS_ZONE_SECSECURE_NO_XFER
  fNotifyLevel                : DNS_ZONE_NOTIFY_LIST_ONLY
  aipSecondaries              : []
  aipNotify                   : []
  fUseWins                    : FALSE
  fUseNbstat                  : FALSE
  fAging                      : FALSE
  dwNoRefreshInterval         : 168
  dwRefreshInterval           : 168
  dwAvailForScavengeTime      : 0
  aipScavengeServers          : []
  dwRpcStructureVersion       : 0x2
  dwForwarderTimeout          : 0
  fForwarderSlave             : 0
  aipLocalMasters             : []
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.san***ent.local
  pwszZoneDn                  : DC=san***ent.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=san***ent,DC=local
  dwLastSuccessfulSoaCheck    : 0
  dwLastSuccessfulXfr         : 0
  fQueuedForBackgroundLoad    : FALSE
  fBackgroundLoadInProgress   : FALSE
  fReadOnlyZone               : FALSE
  dwLastXfrAttempt            : 0
  dwLastXfrResult             : 0
root at nc1:/etc/samba#
root at nc1:/etc/samba# cat /etc/resolv.conf
# Samba server IP address
nameserver 192.168.10.11
# fallback resolver
nameserver 8.8.8.8
# main domain for Samba
search san***ent.local
root at nc1:/etc/samba# cat smb.conf
# Global parameters
[global]
	netbios name = NC1
	realm = SAN***ENT.LOCAL
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dns, dnsupdate
	workgroup = SDCP
	idmap_ldb:use rfc2307 = yes
	ldap server require strong auth = no

	tls enabled  = yes
	tls keyfile  = tls/myKey.pem
	tls certfile = tls/myCert.pem
#	tls cafile   = tls/myIntermediate .pem  # if not required, set empty

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/san***ent.local/scripts
	read only = No

From rpenny at samba.org Thu May 2 08:25:03 2024
From: rpenny at samba.org (Rowland Penny)
Date: Thu, 2 May 2024 09:25:03 +0100
Subject: [Samba] named wont start
In-Reply-To: <7fcefd39-fdc8-4435-88aa-0976e124d8e3@howudodat.com>
References: <20240501091854.4af3d662@devstation.samdom.example.com>
 <20240501100253.6881b9f8@devstation.samdom.example.com>
 <70e71867-4b35-4100-a359-8f1df3b4fd4b@howudodat.com>
 <20240501155116.5560dc97@devstation.samdom.example.com>
 <76f2f2a0-7e97-43d5-8317-5213973729dc@howudodat.com>
 <20240501163403.2fad913e@devstation.samdom.example.com>
 <9fdde38d-2def-4b17-8726-a5d177883867@howudodat.com>
 <84192959-f8f2-4089-a01f-df579d265e75@howudodat.com>
 <9ca0ab48-20b8-4165-b3e0-47c024af9647@howudodat.com>
 <7fcefd39-fdc8-4435-88aa-0976e124d8e3@howudodat.com>
Message-ID: <20240502092503.2ab24694@devstation.samdom.example.com>

On Wed, 1 May 2024 18:01:48 -0700
Peter Carlson via samba wrote:

> ok, but I am not getting resolution of the default records
>
> root at nc1:/etc/samba# host -t SRV _ldap._tcp.san***ent.local.
> Host _ldap._tcp.san***ent.local. not found: 3(NXDOMAIN)
> root at nc1:/etc/samba# host -t SRV _ldap._tcp.san***ent.local
> Host _ldap._tcp.san***ent.local not found: 3(NXDOMAIN)

You should get back lines like this:

_ldap._tcp.samdom.example.com has SRV record 0 100 389 rpidc1.samdom.example.com.

One for every DC you have.

>
> root at nc1:/etc/samba# samba-tool dns zonelist 127.0.0.1 -U peter
>   2 zone(s) found
>
>   pszZoneName                 : san***ent.local
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.san***ent.local
>
>   pszZoneName                 : _msdcs.san***ent.local
>   Flags
: DNS_RPC_ZONE_DSINTEGRATED > DNS_RPC_ZONE_UPDATE_SECURE > ? ZoneType??????????????????? : DNS_ZONE_TYPE_PRIMARY > ? Version???????????????????? : 50 > ? dwDpFlags?????????????????? : DNS_DP_AUTOCREATED > DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED > ? pszDpFqdn?????????????????? : ForestDnsZones.san***ent.local No reversezone. > > root at nc1:/etc/samba# samba-tool dns zoneinfo 127.0.0.1 > san***ent.local -U peter > ? pszZoneName???????????????? : san***ent.local > ? dwZoneType????????????????? : DNS_ZONE_TYPE_PRIMARY > ? fReverse??????????????????? : FALSE > ? fAllowUpdate??????????????? : DNS_ZONE_UPDATE_SECURE > ? fPaused???????????????????? : FALSE > ? fShutdown?????????????????? : FALSE > ? fAutoCreated??????????????? : FALSE > ? fUseDatabase??????????????? : TRUE > ? pszDataFile???????????????? : None > ? aipMasters????????????????? : [] > ? fSecureSecondaries????????? : DNS_ZONE_SECSECURE_NO_XFER > ? fNotifyLevel??????????????? : DNS_ZONE_NOTIFY_LIST_ONLY > ? aipSecondaries????????????? : [] > ? aipNotify?????????????????? : [] > ? fUseWins??????????????????? : FALSE > ? fUseNbstat????????????????? : FALSE > ? fAging????????????????????? : FALSE > ? dwNoRefreshInterval???????? : 168 > ? dwRefreshInterval?????????? : 168 > ? dwAvailForScavengeTime????? : 0 > ? aipScavengeServers????????? : [] > ? dwRpcStructureVersion?????? : 0x2 > ? dwForwarderTimeout????????? : 0 > ? fForwarderSlave???????????? : 0 > ? aipLocalMasters???????????? : [] > ? dwDpFlags?????????????????? : DNS_DP_AUTOCREATED > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED > ? pszDpFqdn?????????????????? : DomainDnsZones.san***ent.local > ? pwszZoneDn????????????????? : > DC=san***ent.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=san***ent,DC=local > ? dwLastSuccessfulSoaCheck??? : 0 > ? dwLastSuccessfulXfr???????? : 0 > ? fQueuedForBackgroundLoad??? : FALSE > ? fBackgroundLoadInProgress?? : FALSE > ? fReadOnlyZone?????????????? : FALSE > ? dwLastXfrAttempt??????????? : 0 > ? dwLastXfrResult???????????? 
: 0 > root at nc1:/etc/samba# Nothing wrong there. > > root at nc1:/etc/samba# cat /etc/resolv.conf > # Samba server IP address > nameserver 192.168.10.11 > # fallback resolver > nameserver 8.8.8.8 > # main domain for Samba > search san***ent.local I take it that 192.168.10.11 is the ipaddress for the DC > root at nc1:/etc/samba# cat smb.conf > # Global parameters > [global] > ?? ?netbios name = NC1 > ?? ?realm = SAN***ENT.LOCAL > ?? ?server role = active directory domain controller > ?? ?server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, > drepl, winbindd, ntp_signd, kcc, dns, dnsupdate > ?? ?workgroup = SDCP > ?? ?idmap_ldb:use rfc2307 = yes > ?? ?ldap server require strong auth = no > > ?? ?tls enabled? = yes > ?? ?tls keyfile? = tls/myKey.pem > ?? ?tls certfile = tls/myCert.pem > #??? tls cafile?? = tls/myIntermediate .pem? # if not required, set > empty > > [sysvol] > ?? ?path = /var/lib/samba/sysvol > ?? ?read only = No > > [netlogon] > ?? ?path = /var/lib/samba/sysvol/san***ent.local/scripts > ?? ?read only = No Have you read these wiki pages ? https://wiki.samba.org/index.php/The_Samba_AD_DNS_Back_Ends https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC Rowland From oalonso at mailteck.com Thu May 2 08:39:21 2024 From: oalonso at mailteck.com (Oscar Alonso | MailTecK) Date: Thu, 2 May 2024 08:39:21 +0000 Subject: [Samba] Group Membership Retrieval not using kerberos authentication Message-ID: Hello, I have an Active Directory domain to which a Linux machine with Ubuntu 20.04 LTS is joined using Winbind. The version of Winbind is 4.15.13. On this machine, users authenticate via SSH using PAM (pam_winbind), and I need to know their group membership. NSS is configured for this purpose. When users authenticate via username and password, there's no issue retrieving the list of groups because they are obtained through the PAC of the Kerberos ticket. 
However, when users authenticate via SSH public key, since there's no Kerberos authentication, I'm unable to retrieve the user's group list.
Previously, Winbind could accomplish this through an LDAP query using the server's machine account, but it seems that functionality has been removed.
From what I've read in some technical presentations about Samba, the correct approach is to do this using S4U2Self, so that the machine or service obtains a Kerberos ticket on behalf of the user to retrieve the list of groups to which the user belongs.
I'm unaware if this functionality is fully developed and if so, from which version of Samba. If it is, I would be very grateful if someone could assist me in configuring it, as I am unable to find documentation on the subject.
I should also add that the machine has a two-way trust relationship between 2 forests, allowing users from 2 different domains to authenticate. I'm not sure if this impacts the configuration in any way.

Please, if anyone can assist me, I would be very grateful.

Best regards,
Óscar Alonso

This e-mail and the information it contains are confidential and intended exclusively for the recipient(s) named in the header. Use them only for the purpose for which they are intended and do not pass them on to third parties. If you are not the intended recipient of this e-mail, do not use it; in good faith, delete it and do not forward it to third parties. The personal data provided by you or by third parties form part of a file for which MAILTECK S.A. is responsible, for the purpose of managing and maintaining the contacts and relationships that arise from your relationship with MAILTECK S.A. The legal basis for this processing is your consent, legitimate interest, or the need to manage a contractual or similar relationship. Use the data only for the purpose for which they are intended and do not pass them on to third parties. The retention period for your data is determined by your relationship with us. For more information, or to exercise your rights of access, rectification, erasure, objection, restriction or portability, you can contact us in writing at the following address: Avda. La Recomba 12 - 14. Pol. Industrial La Laguna. 28914 Leganés - Madrid, or by e-mail to our Data Protection Officer (dpo at mailteck.com).

From keesvanvloten at gmail.com Thu May 2 09:56:35 2024
From: keesvanvloten at gmail.com (Kees van Vloten)
Date: Thu, 2 May 2024 11:56:35 +0200
Subject: [Samba] Group Membership Retrieval not using kerberos authentication
In-Reply-To:
References:
Message-ID:

On 02-05-2024 at 10:39, Oscar Alonso | MailTecK via samba wrote:
> Hello,
>
> I have an Active Directory domain to which a Linux machine with Ubuntu 20.04 LTS is joined using Winbind. The version of Winbind is 4.15.13.
> On this machine, users authenticate via SSH using PAM (pam_winbind), and I need to know their group membership.
> NSS is configured for this purpose.
> When users authenticate via username and password, there's no issue retrieving the list of groups because they are obtained through the PAC of the Kerberos ticket.
> However, when users authenticate via SSH public key, since there's no Kerberos authentication, I'm unable to retrieve the user's group list.

This is done by nss_winbind. Did you install it and configure it in /etc/samba/smb.conf and add it to /etc/nsswitch.conf?

You should be able to do: id and see all groups of the user

> Previously, Winbind could accomplish this through an LDAP query using the server's machine account, but it seems that functionality has been removed.
> From what I've read in some technical presentations about Samba, the correct approach is to do this using S4U2Self, so that the machine or service obtains a Kerberos ticket on behalf of the user to retrieve the list of groups to which the user belongs.
> I'm unaware if this functionality is fully developed and if so, from which version of Samba. If it is, I would be very grateful if someone could assist me in configuring it, as I am unable to find documentation on the subject.
> I should also add that the machine has a two-way trust relationship between 2 forests, allowing users from 2 different domains to authenticate. I'm not sure if this impacts the configuration in any way.
>
> Please, if anyone can assist me, I would be very grateful.
>
> Best regards,
> Óscar Alonso
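A scripted form of the check Kees describes (and the one Rowland gives later in the GPO thread, where a missing libnss-winbind package turned out to be the cause): this is an added example, not code from any of the posts. The function names are mine and the sample nsswitch.conf is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). glibc only consults winbind for a
# database when "winbind" is listed as a source for that database in
# nsswitch.conf AND libnss_winbind.so.2 is installed; a listing without the
# module is silently ignored, so id/getent never show domain users or groups.

# nss_db_sources FILE DB: print the source list configured for database DB,
# e.g. "files systemd winbind" for the line "passwd: files systemd winbind".
nss_db_sources() {
    awk -F: -v db="$2" '
        { sub(/#.*/, "") }                       # drop comments, re-split fields
        NF >= 2 {
            name = $1; gsub(/[[:space:]]/, "", name)
            if (name == db) {
                src = $2
                sub(/^[[:space:]]+/, "", src); sub(/[[:space:]]+$/, "", src)
                print src; exit
            }
        }' "$1"
}

# nss_has_winbind FILE DB: succeed when "winbind" is one of DB's sources.
# Action specs such as [NOTFOUND=return] are whole words too, so an exact
# line match on "winbind" excludes them.
nss_has_winbind() {
    nss_db_sources "$1" "$2" | tr ' \t' '\n\n' | grep -qx winbind
}

# winbind_module_installed [LIBDIR...]: succeed when libnss_winbind.so.2 is
# present in one of the given directories (defaults: the usual library paths).
winbind_module_installed() {
    [ $# -gt 0 ] || set -- /lib /lib64 /usr/lib /usr/lib64 \
        /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu
    for dir in "$@"; do
        [ -e "$dir/libnss_winbind.so.2" ] && return 0
    done
    return 1
}

# nss_winbind_report NSSWITCH [LIBDIR...]: one line per finding; exit status 0
# only when passwd and group both list winbind and the module is installed.
nss_winbind_report() {
    conf=$1; shift
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$conf" "$db"; then
            echo "$db: winbind listed"
        else
            echo "$db: winbind NOT listed (id/getent will never return domain entries)"
            rc=1
        fi
    done
    if winbind_module_installed "$@"; then
        echo "libnss_winbind.so.2: installed"
    else
        echo "libnss_winbind.so.2: missing (Debian/Ubuntu: apt-get install libnss-winbind)"
        rc=1
    fi
    return $rc
}

# Demo on a constructed nsswitch.conf (sample input, not a real host's file);
# the module check runs against the real library directories of this host.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample: winbind wired for passwd and group, not for shadow
passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
hosts:          files dns [NOTFOUND=return] myhostname
EOF
    nss_winbind_report "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

demo || :   # the report's verdict is printed; do not abort the script on it
```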
From jc at info-systems.de Thu May 2 10:07:13 2024
From: jc at info-systems.de (Jakob Curdes)
Date: Thu, 2 May 2024 12:07:13 +0200
Subject: [Samba] GPO Editor says "Access denied" for Group Policy Objects
In-Reply-To: <8f2e4ea4-3df9-48e4-8df4-0a88c01c4c81@info-systems.de>
References: <20240425162449.504dee42@devstation.samdom.example.com> <97418284-23bf-49fb-bcdf-349c547e1d6b@info-systems.de> <20240425175622.24d2db37@devstation.samdom.example.com> <002e9641-d52b-45ea-a7c9-cb316ca7e49a@info-systems.de> <20240425185949.3b6935c4@devstation.samdom.example.com> <8f2e4ea4-3df9-48e4-8df4-0a88c01c4c81@info-systems.de>
Message-ID:

Hello all, to return to the original topic:

My original problem was that I could not edit GP objects with the GP Editor, even as Domain admin. I always got "access denied". A sysvolcheck returned no errors and the Windows "Security" tab for the object in question on the sysvol share looked correct.

I now found out that the group id of the sysvol folder (and everything below) was 3000000, while the "Administrators" group has the group ID 3000002. I corrected the group ID assigned to the sysvol folder on both DCs and now I can edit the GP objects with the GPO editor.

I still do not understand why on my DCs "getent group" and "getent user" do not return the Windows groups and users, but that is probably a cosmetic thing as you can get all info via wbinfo and samba-tool. Just for this case here it would then also display the group ownership of the sysvol folder. I have "winbind" in nsswitch.conf and no other special settings, on other similar DCs getent group returns the groups, not sure why it is not working here, but perhaps not important enough to invest more time.

I will correct the smb.conf of the member server to omit unnecessary bits with the next maintenance slot.
Hope this helps others,
Jakob

On 25.04.2024 at 21:11, Jakob Curdes via samba wrote:
>
> On 25.04.2024 at 19:59, Rowland Penny via samba wrote:
>> I suspect that I forgot to set the idmap config on the DC(s)
>> accordingly?
>> Do not set idmap config lines on a Samba DC, they do not work, you must
>> use the 3000000 numbers or use rfc2307 attributes (uidNumber,
>> gidNumber, etc)
>>
>> Have you read this:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
>>
>>
> Yes, but rereading it and the mail thread I think I will try to sanitize my configs and then go through that page again. But I would like to do this with hands-on to the domain as it is in production, so this will have to wait until next week.
>
> I will try to heed your hints and get back with a result.
>
> Thank you and best regards, Jakob

From mjt at tls.msk.ru Thu May 2 10:44:47 2024
From: mjt at tls.msk.ru (Michael Tokarev)
Date: Thu, 2 May 2024 13:44:47 +0300
Subject: [Samba] winbind: does it actually depend on nmbd? and network-online?
Message-ID:

Hi!

In packaging/systemd/winbind.service, there's this ordering:

After=network.target nmb.service

Does winbind really need nmbd running?

Another interesting dependency here. nmb.service (in the same directory) has

Wants=network-online.target
After=network.target network-online.target

Note nmbd needs network to be online. While winbind only needs network to be up. If winbind requires nmbd, which in turn requires network to be online, winbind will be started only with online network. If we drop winbind dependency on nmbd here, winbind will be started earlier, before network is online.

Does winbind require network to be online or just up?

I *guess* in order for winbind to be useful, network should be online, or else it won't be able to resolve names.
On the other hand, it keeps internal cache so once a user is looked up, winbind can return this user from the cache without network being up.

FWIW, requiring network.target doesn't really give us much: if it needs just basic tcp/ip to be able to bind to all-zeros address, loopback iface is being configured much earlier than any other services. On the other hand, if it needs particular interfaces to be up, it should depend on these interfaces, - after network.target is available, there's no guarantee that all interfaces are configured.

Thanks,

/mjt

--
GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24.
New key: rsa4096/61AD3D98ECDF2C8E 9D8B E14E 3F2A 9DD7 9199 28F1 61AD 3D98 ECDF 2C8E
Old key: rsa2048/457CE0A0804465C5 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt

From rpenny at samba.org Thu May 2 11:00:20 2024
From: rpenny at samba.org (Rowland Penny)
Date: Thu, 2 May 2024 12:00:20 +0100
Subject: [Samba] GPO Editor says "Access denied" for Group Policy Objects
In-Reply-To:
References: <20240425162449.504dee42@devstation.samdom.example.com> <97418284-23bf-49fb-bcdf-349c547e1d6b@info-systems.de> <20240425175622.24d2db37@devstation.samdom.example.com> <002e9641-d52b-45ea-a7c9-cb316ca7e49a@info-systems.de> <20240425185949.3b6935c4@devstation.samdom.example.com> <8f2e4ea4-3df9-48e4-8df4-0a88c01c4c81@info-systems.de>
Message-ID: <20240502120020.23f6f9a0@devstation.samdom.example.com>

On Thu, 2 May 2024 12:07:13 +0200
Jakob Curdes via samba wrote:

> Hello all, to return to the original topic:
>
> My original problem was that I could not edit GP objects with the GP Editor, even as Domain admin. I always got "access denied". A sysvolcheck returned no errors and the Windows "Security" tab for the object in question on the sysvol share looked correct.
>
> I now found out that the group id of the sysvol folder (and everything below) was 3000000, while the "Administrators" group has the group ID 3000002. I corrected the group ID assigned to the sysvol folder on both DCs and now I can edit the GP objects with the GPO editor.

The permissions set on the sysvol directory are:

O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)

Which in a more readable form is:

Owner:LOCAL_ADMIN Group:BUILTIN_ADMINISTRATORS D:P(Allow;Full control;;;BUILTIN_ADMINISTRATORS)(Allow;Read and Execute,Inherited;;;SERVER_OPERATORS)(Allow;Full control;;;LOCAL_SYSTEM)(Allow;Read and Execute,Inherited;;;_AUTHENTICATED_USERS)

Now all that depends on the various users and groups having the same ID on every DC, the problem with that is, you cannot depend on every DC giving the same IDs to users and groups, they are handed out on a 'first come' basis. This is why you need to sync idmap.ldb from one DC (usually the one holding the PDC_Emulator FSMO role) to all others.

>
> I still do not understand why on my DCs "getent group" and "getent user" do not return the Windows groups and users, but that is probably a cosmetic thing as you can get all info via wbinfo and samba-tool. Just for this case here it would then also display the group ownership of the sysvol folder. I have "winbind" in nsswitch.conf and no other special settings, on other similar DCs getent group returns the groups, not sure why it is not working here, but perhaps not important enough to invest more time.

If you run 'getent group' and get no result, try:

getent group Domain\ Users

Does this return output ? If it doesn't, check that you have the correct libnss winbind links installed and that /etc/nsswitch.conf is setup correctly.

Rowland

From rpenny at samba.org Thu May 2 11:17:43 2024
From: rpenny at samba.org (Rowland Penny)
Date: Thu, 2 May 2024 12:17:43 +0100
Subject: [Samba] winbind: does it actually depend on nmbd? and network-online?
In-Reply-To:
References:
Message-ID: <20240502121743.5fe49fde@devstation.samdom.example.com>

On Thu, 2 May 2024 13:44:47 +0300
Michael Tokarev via samba wrote:

> Hi!
>
> In packaging/systemd/winbind.service, there's this ordering:
>
> After=network.target nmb.service
>
> Does winbind really need nmbd running?

Well, no and yes ;-)

No, if you are running Samba as an AD Unix domain member without SMBv1 (in which case, you do not need nmbd at all), but if you are still running an NT4-style domain, then you need nmbd to provide NetBIOS Browsing.

>
> Another interesting dependency here. nmb.service (in the same directory) has
>
> Wants=network-online.target
> After=network.target network-online.target
>
> Note nmbd needs network to be online. While winbind only needs network to be up. If winbind requires nmbd, which in turn requires network to be online, winbind will be started only with online network. If we drop winbind dependency on nmbd here, winbind will be started earlier, before network is online.
>
> Does winbind require network to be online or just up?

No idea about that, perhaps Jeremy will know.

Rowland

From mjt at tls.msk.ru Thu May 2 11:48:55 2024
From: mjt at tls.msk.ru (Michael Tokarev)
Date: Thu, 2 May 2024 14:48:55 +0300
Subject: [Samba] winbind: does it actually depend on nmbd? and network-online?
In-Reply-To: <20240502121743.5fe49fde@devstation.samdom.example.com>
References: <20240502121743.5fe49fde@devstation.samdom.example.com>
Message-ID: <1b2c02d1-28a5-4a4a-a717-f546787125df@tls.msk.ru>

02.05.2024 14:17, Rowland Penny via samba wrote:
> On Thu, 2 May 2024 13:44:47 +0300
> Michael Tokarev via samba wrote:
>
>> Hi!
>>
>> In packaging/systemd/winbind.service, there's this ordering:
>>
>> After=network.target nmb.service
>>
>> Does winbind really need nmbd running?
>
> Well, no and yes ;-)
>
> No, if you are running Samba as an AD Unix domain member without SMBv1 (in which case, you do not need nmbd at all), but if you are still running an NT4-style domain, then you need nmbd to provide NetBIOS Browsing.

Okay, I suspected it would be a bit more difficult.

Let's put it this way: does winbind in a non-AD environment really need NetBIOS Browsing to work? Or if it does, where is the requirement coming from? Or maybe, can it be avoided, like, by providing an LMHOSTS entry? Winbind being dependent on UDP-based, quite fragile, browsing sounds like a good way to disaster.

And yes, I know full well that these days, nmbd and NetBIOS aren't used.

Thanks,

/mjt

--
GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24.
New key: rsa4096/61AD3D98ECDF2C8E 9D8B E14E 3F2A 9DD7 9199 28F1 61AD 3D98 ECDF 2C8E
Old key: rsa2048/457CE0A0804465C5 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt

From jc at info-systems.de Thu May 2 11:51:54 2024
From: jc at info-systems.de (Jakob Curdes)
Date: Thu, 2 May 2024 13:51:54 +0200
Subject: [Samba] GPO Editor says "Access denied" for Group Policy Objects
In-Reply-To: <20240502120020.23f6f9a0@devstation.samdom.example.com>
References: <20240425162449.504dee42@devstation.samdom.example.com> <97418284-23bf-49fb-bcdf-349c547e1d6b@info-systems.de> <20240425175622.24d2db37@devstation.samdom.example.com> <002e9641-d52b-45ea-a7c9-cb316ca7e49a@info-systems.de> <20240425185949.3b6935c4@devstation.samdom.example.com> <8f2e4ea4-3df9-48e4-8df4-0a88c01c4c81@info-systems.de> <20240502120020.23f6f9a0@devstation.samdom.example.com>
Message-ID: <8b6adac6-06d9-4a03-bd40-ac338f59f383@info-systems.de>

Hello Rowland,

On 02.05.2024 at 13:00, Rowland Penny via samba wrote:
> On Thu, 2 May 2024 12:07:13 +0200
> Jakob Curdes via samba wrote:
>
>> Hello all, to return to the original topic:
>>
>> My original problem was that I could not edit GP objects with the GP Editor, even as Domain admin. I always got "access denied". A sysvolcheck returned no errors and the Windows "Security" tab for the object in question on the sysvol share looked correct.
>>
>> I now found out that the group id of the sysvol folder (and everything below) was 3000000, while the "Administrators" group has the group ID 3000002. I corrected the group ID assigned to the sysvol folder on both DCs and now I can edit the GP objects with the GPO editor.
> The permissions set on the sysvol directory are:
> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>
> Which in a more readable form is:
> Owner:LOCAL_ADMIN Group:BUILTIN_ADMINISTRATORS D:P(Allow;Full control;;;BUILTIN_ADMINISTRATORS)(Allow;Read and Execute,Inherited;;;SERVER_OPERATORS)(Allow;Full control;;;LOCAL_SYSTEM)(Allow;Read and Execute,Inherited;;;_AUTHENTICATED_USERS)
>
> Now all that depends on the various users and groups having the same ID on every DC, the problem with that is, you cannot depend on every DC giving the same IDs to users and groups, they are handed out on a 'first come' basis. This is why you need to sync idmap.ldb from one DC (usually the one holding the PDC_Emulator FSMO role) to all others.
>
Yes, I know and we have a periodic sync, also the group ID for "Administrators" on both DCs were the same, it just did not match what was set on the sysvol directory.

>> I still do not understand why on my DCs "getent group" and "getent user" do not return the Windows groups and users, but that is probably a cosmetic thing as you can get all info via wbinfo and samba-tool. Just for this case here it would then also display the group ownership of the sysvol folder. I have "winbind" in nsswitch.conf and no other special settings, on other similar DCs getent group returns the groups, not sure why it is not working here, but perhaps not important enough to invest more time.
> If you run 'getent group' and get no result, try:
> getent group Domain\ Users
>
> Does this return output ? If it doesn't, check that you have the correct libnss winbind links installed and that /etc/nsswitch.conf is setup correctly.
>
Ha, there you hit me, actually the libnss library was still missing, I cannot remember which checklist we followed when installing these servers, but after "sudo apt-get install libnss-winbind" all is well now! Obviously, without the libraries nsswitch.conf settings cannot be applied completely. This also solved the problem that I did not see the group name when doing ls -l /var/lib/samba/sysvol.

So all solved now, thank you for your help!

Best regards,
Jakob

From jra at samba.org Thu May 2 16:43:17 2024
From: jra at samba.org (Jeremy Allison)
Date: Thu, 2 May 2024 09:43:17 -0700
Subject: [Samba] winbind: does it actually depend on nmbd? and network-online?
In-Reply-To: <20240502121743.5fe49fde@devstation.samdom.example.com>
References: <20240502121743.5fe49fde@devstation.samdom.example.com>
Message-ID:

On Thu, May 02, 2024 at 12:17:43PM +0100, Rowland Penny via samba wrote:
>On Thu, 2 May 2024 13:44:47 +0300
>Michael Tokarev via samba wrote:
>>
>> Note nmbd needs network to be online. While winbind only needs network to be up. If winbind requires nmbd, which in turn requires network to be online, winbind will be started only with online network. If we drop winbind dependency on nmbd here, winbind will be started earlier, before network is online.
>>
>> Does winbind require network to be online or just up?
>
>No idea about that, perhaps Jeremy will know.

What's the difference between "online" and "up" ?

From mjt at tls.msk.ru Thu May 2 17:00:09 2024
From: mjt at tls.msk.ru (Michael Tokarev)
Date: Thu, 2 May 2024 20:00:09 +0300
Subject: [Samba] winbind: does it actually depend on nmbd? and network-online?
In-Reply-To:
References: <20240502121743.5fe49fde@devstation.samdom.example.com>
Message-ID: <9c1b5def-ffe0-41dc-99bc-4c481b96b1bb@tls.msk.ru>

02.05.2024 19:43, Jeremy Allison via samba wrote:
>>> Does winbind require network to be online or just up?
>
> What's the difference between "online" and "up" ?

"Online" has numerous meanings depending on the settings, but the basic idea is the same: when there's some connectivity present.

I had a trap on my notebook due to this and due to debian-specific settings. Obviously, a notebook is supposed to be without connectivity just fine. This one has been upgraded from an old version of debian, - a version which used to use /etc/rc.local which was ordered after networking, and at that old time, there was no notion of "network-online" at all. My rc.local was empty. Debian decided to make rc.local dependent on network-ONLINE.target. And user logins are ordered after rc.local if it is present. So as the result, I wasn't able to log in to my notebook until there's a known wifi network nearby, or available ethernet port - not even root login was possible.

See https://www.freedesktop.org/software/systemd/man/latest/systemd.special.html#network-online.target for a bit more context about this, and the page referenced from there, https://systemd.io/NETWORK_ONLINE .

The meaning of "online" can be adjusted by the local settings. By default it means "at least one network interface (besides loopback) is configured and has carrier".

In this context, basically, network-online means winbind is able to send queries to a remote domain controller (hopefully it is up and running). While network means the interfaces are configured (and might not even be configured, - eg. systemd-networkd can delay interface configuration until it detects carrier).

Since winbind can cache network information, and since samba even allows network-less login with saved/cached credentials, I guess it should depend on network.target, not network-online.target.
Not for the first login though.

For nmbd, - this one apparently is the same (when it is used), though it might not find any active interface in this case (when networkd delays carrier-less interface configuration) and even fail to start. Still, without network-online, nmbd becomes basically useless.

Thanks,

/mjt

--
GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24.
New key: rsa4096/61AD3D98ECDF2C8E 9D8B E14E 3F2A 9DD7 9199 28F1 61AD 3D98 ECDF 2C8E
Old key: rsa2048/457CE0A0804465C5 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt

From pavel.lisy at gmail.com Fri May 3 08:11:48 2024
From: pavel.lisy at gmail.com (pavel.lisy at gmail.com)
Date: Fri, 03 May 2024 10:11:48 +0200
Subject: [Samba] Samba AD not listening on ipv4 - 464/tcp
Message-ID:

Hello

I'm not able to connect to Samba AD domain by realm.

sudo realm join OFFICE.COMPANY.COM -U administrator
Password for administrator:
See: journalctl REALMD_OPERATION=r41422.307314
realm: Couldn't join realm: Failed to join the domain

this is in journal:

smbmem41.office.company.com realmd[211374]: adcli: joining domain office.company.com failed: Couldn't set password for computer account: SMBMEM41$: Cannot contact any KDC for requested realm

according to https://access.redhat.com/solutions/3697241 it is necessary to open ports 464/tcp, 464/udp (kpasswd5)

but samba AD is listening on IPv6 localhost only

sudo ss -tulpn | grep ':464\|:88'
udp UNCONN 0 0 0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=16))
udp UNCONN 0 0 [::1]:464 [::]:* users:(("kdc[master]",pid=217782,fd=38))
tcp LISTEN 0 5 0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=17))
tcp LISTEN 0 10 [::1]:464 [::]:* users:(("kdc[master]",pid=217782,fd=37))

I'm trying to set this explicitly in file /var/lib/samba/private/kdc.conf by this directive "kpasswd_listen"

[kdcdefaults]
    kdc_listen = 0.0.0.0
    kdc_tcp_listen = 0.0.0.0
    kpasswd_listen = 127.0.0.1:464 192.168.95.111:464
    kdc_ports = 88
    kdc_tcp_ports = 88

but nothing changed

when I've changed kdc_listen I can see difference by "sudo ss -tulpn" but no changes for kpasswd_listen

How is it possible to make it work?

Pavel

From rpenny at samba.org Fri May 3 08:34:15 2024
From: rpenny at samba.org (Rowland Penny)
Date: Fri, 3 May 2024 09:34:15 +0100
Subject: [Samba] Samba AD not listening on ipv4 - 464/tcp
In-Reply-To:
References:
Message-ID: <20240503093415.6941f341@devstation.samdom.example.com>

On Fri, 03 May 2024 10:11:48 +0200
PaLi via samba wrote:

> Hello
>
> I'm not able to connect to Samba AD domain by realm.
>
> sudo realm join OFFICE.COMPANY.COM -U administrator
>
> Password for administrator:
> See: journalctl REALMD_OPERATION=r41422.307314
> realm: Couldn't join realm: Failed to join the domain
>
> this is in journal:
>
> smbmem41.office.company.com realmd[211374]: adcli: joining domain office.company.com failed: Couldn't set password for computer account: SMBMEM41$: Cannot contact any KDC for requested realm
>
> according to
> https://access.redhat.com/solutions/3697241
> it is necessary to open ports 464/tcp, 464/udp (kpasswd5)
>
> but samba AD is listening on IPv6 localhost only
>
> sudo ss -tulpn | grep ':464\|:88'
> udp UNCONN 0 0 0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=16))
> udp UNCONN 0 0 [::1]:464 [::]:* users:(("kdc[master]",pid=217782,fd=38))
> tcp LISTEN 0 5 0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=17))
> tcp LISTEN 0 10 [::1]:464 [::]:* users:(("kdc[master]",pid=217782,fd=37))
>
>
> I'm trying to set this explicitly in file /var/lib/samba/private/kdc.conf by this directive "kpasswd_listen"
>
> [kdcdefaults]
>     kdc_listen = 0.0.0.0
>     kdc_tcp_listen = 0.0.0.0
>     kpasswd_listen = 127.0.0.1:464 192.168.95.111:464
>     kdc_ports = 88
>     kdc_tcp_ports = 88
>
> but nothing changed
>
> when I've changed kdc_listen I can see difference by "sudo ss -tulpn" but no changes for kpasswd_listen
>
> How is it possible to make it work?
>
> Pavel
>

Sorry, but you appear to be asking in the wrong place, realmd and adcli are not produced by Samba

Samba uses 'net ads join' to join to an AD domain and none of my DCs have /var/lib/samba/private/kdc.conf, so could you be using the experimental MIT Kerberos ?

What OS are you using and how have you setup smb.conf

There is also the problem of the link you provided being behind a registration wall that I cannot get through.

Rowland

From pavel.lisy at gmail.com Fri May 3 10:39:26 2024
From: pavel.lisy at gmail.com (pavel.lisy at gmail.com)
Date: Fri, 03 May 2024 12:39:26 +0200
Subject: [Samba] Samba AD not listening on ipv4 - 464/tcp
In-Reply-To: <20240503093415.6941f341@devstation.samdom.example.com>
References: <20240503093415.6941f341@devstation.samdom.example.com>
Message-ID:

On Fri, 2024-05-03 at 09:34 +0100, Rowland Penny via samba wrote:
> On Fri, 03 May 2024 10:11:48 +0200
> PaLi via samba wrote:
>
> > Hello
> >
> > I'm not able to connect to Samba AD domain by realm.
> >
> > sudo realm join OFFICE.COMPANY.COM -U administrator
> >
> > Password for administrator:
> > See: journalctl REALMD_OPERATION=r41422.307314
> > realm: Couldn't join realm: Failed to join the domain
> >
> > this is in journal:
> >
> > smbmem41.office.company.com realmd[211374]: adcli: joining domain office.company.com failed: Couldn't set password for computer account: SMBMEM41$: Cannot contact any KDC for requested realm
> >
> > according to
> > https://access.redhat.com/solutions/3697241
> > it is necessary to open ports 464/tcp, 464/udp (kpasswd5)
> >
> > but samba AD is listening on IPv6 localhost only
> >
> > sudo ss -tulpn | grep ':464\|:88'
> > udp UNCONN 0 0 0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=16))
> > udp UNCONN 0 0 [::1]:464 [::]:* users:(("kdc[master]",pid=217782,fd=38))
> > tcp LISTEN 0 5 0.0.0.0:88 0.0.0.0:* users:(("krb5kdc",pid=217785,fd=17))
> > tcp LISTEN 0 10 [::1]:464 [::]:* users:(("kdc[master]",pid=217782,fd=37))
> >
> >
> > I'm trying to set this explicitly in file /var/lib/samba/private/kdc.conf by this directive "kpasswd_listen"
> >
> > [kdcdefaults]
> >     kdc_listen = 0.0.0.0
> >     kdc_tcp_listen = 0.0.0.0
> >     kpasswd_listen = 127.0.0.1:464 192.168.95.111:464
> >     kdc_ports = 88
> >     kdc_tcp_ports = 88
> >
> > but nothing changed
> >
> > when I've changed kdc_listen I can see difference by "sudo ss -tulpn" but no changes for kpasswd_listen
> >
> > How is it possible to make it work?
> >
> > Pavel
> >
>
> Sorry, but you appear to be asking in the wrong place, realmd and adcli are not produced by Samba
>
> Samba uses 'net ads join' to join to an AD domain and none of my DCs have /var/lib/samba/private/kdc.conf, so could you be using the experimental MIT Kerberos ?

Yes, you are right. I use samba packages from Fedora linux - so your advice is to ask in Fedora lists?

release -- 2:4.19.6-1.fc39
samba.x86_64
samba-dc.x86_64
samba-dc-bind-dlz.x86_64
samba-dc-provision.noarch
...

> What OS are you using and how have you setup smb.conf

smb.conf on DC is quite simple

[global]
    bind interfaces only = Yes
    interfaces = lo enp1s0
    netbios name = DC11
    realm = OFFICE.COMPANY.COM
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    workgroup = OFFICE
    winbind enum groups = Yes
    winbind enum users = Yes
    idmap_ldb:use rfc2307 = yes
    winbind use default domain = yes
    winbind nss info = template
    winbind nss info = rfc2307
    template homedir = /home/%U
    template shell = /bin/bash

>
> There is also the problem of the link you provided being behind a registration wall that I cannot get through.
Sorry, relevant parts are error message and diagnostic steps (see below, Quotation:)

After their suggestion I wanted to enable listening on port 464, but it
is listening only on localhost IPv6 no matter what is in config file
/var/lib/samba/private/kdc.conf.

tests on my DC:

$ sudo nmap -sT -sU -p 464 -6 ::1
PORT    STATE         SERVICE
464/tcp open          kpasswd5
464/udp open|filtered kpasswd5

$ sudo nmap -sT -sU -p 464 127.0.0.1
PORT    STATE  SERVICE
464/tcp closed kpasswd5
464/udp closed kpasswd5

Quotation:

Issue

When attempting to join a RHEL server to an Active Directory domain, we
receive an error that the password for the computer account could not
be set:

Raw [1]

# adcli join example.com -U Administrator at EXAMPLE.COM
...
 * Found computer account for $ at: CN=,OU=Servers,DC=example,DC=com
 ! Couldn't set password for computer account: $: Cannot contact any KDC for requested realm
adcli: joining domain example.com failed: Couldn't set password for computer account: $: Cannot contact any KDC for requested real

Resolution

The port required to make password changes on a KDC is closed. You will
have to open UDP/TCP 464 (Kerberos Password Change requests) ports to
allow the adding of computer account.

You can read more about this in this Microsoft article: Conditions for
Kerberos to be used over an External Trust [2]

Root Cause

The port 464 udp/tcp are closed. This is not well documented, but they
are required for password management.

For more information refer to Technologies for Federating Multiple
Forests [3]

Diagnostic Steps

An nmap scan of both the tcp and udp ports will fail.

Raw [1]

# nmap -sT -sU -p 464 AD.EXAMPLE.COM
...
PORT    STATE  SERVICE
464/tcp closed kpasswd5
464/udp closed kpasswd5
...
[1] Raw
https://access.redhat.com/solutions/3697241#
[2] Conditions for Kerberos to be used over an External Trust
https://access.redhat.com/bounce/?externalURL=https%3A%2F%2Fblogs.technet.microsoft.com%2Factivedirectoryua%2F2010%2F08%2F04%2Fconditions-for-kerberos-to-be-used-over-an-external-trust%2F
[3] Technologies for Federating Multiple Forests
https://access.redhat.com/bounce/?externalURL=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2003%2Fdd560679%28v%3Dws.10%29

From rpenny at samba.org Fri May 3 11:05:21 2024
From: rpenny at samba.org (Rowland Penny)
Date: Fri, 3 May 2024 12:05:21 +0100
Subject: [Samba] Samba AD not listening on ipv4 - 464/tcp
In-Reply-To:
References: <20240503093415.6941f341@devstation.samdom.example.com>
Message-ID: <20240503120521.08c7b427@devstation.samdom.example.com>

On Fri, 03 May 2024 12:39:26 +0200
pavel.lisy at gmail.com wrote:

> On Fri, 2024-05-03 at 09:34 +0100, Rowland Penny via samba wrote:
> > On Fri, 03 May 2024 10:11:48 +0200
> > PaLi via samba wrote:
> >
> > > Hello
> > >
> > > I'm not able to connect to Samba AD domain by realm.
> > >
> > > sudo realm join OFFICE.COMPANY.COM -U administrator
> > >
> > > Password for administrator:
> > > See: journalctl REALMD_OPERATION=r41422.307314
> > > realm: Couldn't join realm: Failed to join the domain
> > >
> > > this is in journal:
> > >
> > > smbmem41.office.company.com realmd[211374]: adcli: joining domain
> > > office.company.com failed: Couldn't set password for computer
> > > account: SMBMEM41$: Cannot contact any KDC for requested realm
> > >
> > > according to
> > > https://access.redhat.com/solutions/3697241
> > > it is necessary to open ports 464/tcp, 464/udp (kpasswd5)
> > >
> > > but samba AD is listening on IPv6 localhost only
> > >
> > > sudo ss -tulpn | grep ':464\|:88'
> > > udp   UNCONN 0      0              0.0.0.0:88         0.0.0.0:*    users:(("krb5kdc",pid=217785,fd=16))
> > > udp   UNCONN 0      0                [::1]:464           [::]:*    users:(("kdc[master]",pid=217782,fd=38))
> > > tcp   LISTEN 0      5              0.0.0.0:88         0.0.0.0:*    users:(("krb5kdc",pid=217785,fd=17))
> > > tcp   LISTEN 0      10               [::1]:464           [::]:*    users:(("kdc[master]",pid=217782,fd=37))
> > >
> > >
> > > I'm trying to set this explicitly in
> > > file /var/lib/samba/private/kdc.conf by this directive
> > > "kpasswd_listen"
> > >
> > > [kdcdefaults]
> > >    kdc_listen = 0.0.0.0
> > >    kdc_tcp_listen = 0.0.0.0
> > >    kpasswd_listen = 127.0.0.1:464 192.168.95.111:464
> > >    kdc_ports = 88
> > >    kdc_tcp_ports = 88
> > >
> > > but nothing changed
> > >
> > > when I've changed kdc_listen I can see difference by "sudo ss -tulpn"
> > > but no changes for kpasswd_listen
> > >
> > > How is it possible to make it work?
> > >
> > > Pavel
> > >
> >
> > Sorry, but you appear to be asking in the wrong place, realmd and
> > adcli
> > are not produced by Samba
> >
> > Samba uses 'net ads join' to join to an AD domain and non of my DCs
> > have /var/lib/samba/private/kdc.conf, so could you be using the
> > experimental MIT kerberos ?
> Yes, you are right.
>
> I use samba packages from Fedora linux - so your advice is to ask in
> Fedora lists?
>
> release -- 2:4.19.6-1.fc39
> samba.x86_64
> samba-dc.x86_64
> samba-dc-bind-dlz.x86_64
> samba-dc-provision.noarch
> ...
>
> > What OS are you using and how have you setup smb.conf
> smb.conf on DC is quite simple
>
> [global]
>         bind interfaces only = Yes
>         interfaces = lo enp1s0
>         netbios name = DC11
>         realm = OFFICE.COMPANY.COM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = OFFICE
>
>         winbind enum groups = Yes
>         winbind enum users = Yes
>         idmap_ldb:use rfc2307 = yes
>
>         winbind use default domain = yes
>         winbind nss info = template
>         winbind nss info = rfc2307
>
>         template homedir = /home/%U
>         template shell = /bin/bash
>

That is for the AD DC, I take it that:

A) The DC is running on Fedora.
B) You are using Bind9 for the dns server.

Nothing wrong with 'B', but I cannot recommend using the DC in
production, it will be using MIT kerberos and, as such, it is still
marked as experimental.

However, your initial post was about joining a Unix domain member to
AD, so how have you set up the smb.conf on that (which I take it is
Fedora again).

Please just reply to the list, do not 'CC' me.

Rowland

From oalonso at mailteck.com Fri May 3 11:25:28 2024
From: oalonso at mailteck.com (Oscar Alonso | MailTecK)
Date: Fri, 3 May 2024 11:25:28 +0000
Subject: [Samba] Group Membership Retrieval not using kerberos authentication
In-Reply-To:
References:
Message-ID:

Hello, Kees.

> > Hello,
> >
> > I have an Active Directory domain to which a Linux machine with Ubuntu
> > 20.04 LTS is joined using Winbind. The version of Winbind is 4.15.13.
> > On this machine, users authenticate via SSH using PAM (pam_winbind),
> > and I need to know their group membership.
> > NSS is configured for this purpose.
> > When users authenticate via username and password, there's no issue
> > retrieving the list of groups because they are obtained through the PAC of
> > the Kerberos ticket.
> > However, when users authenticate via SSH public key, since there's no
> > Kerberos authentication, I'm unable to retrieve the user's group list.
>
> This is done by nss_winbind.
> Did you install it and configure it in /etc/samba/smb.conf and add it to
> /etc/nsswitch.conf?

Yes, nss_winbind is installed, and everything was working correctly
until Samba was updated from version 4.13 to 4.15.

When a user logs in with a username and password, everything works as
expected. A Kerberos ticket is obtained, and through that ticket, the
user's group list is known. However, until there's a new Kerberos
ticket, that list isn't updated (or if there hasn't been previous
Kerberos authentication, the groups aren't shown).

In version 4.13, when the group list wasn't updated because there hadn't
been recent user authentication, what I did was clear the samlogon cache
with 'net cache samlogon delete ', and that triggered a new LDAP group
query from the machine account. However, in version 4.15, that
functionality seems to have been completely removed.

Best regards,
Oscar.

From anders.ostling at gmail.com Fri May 3 13:19:01 2024
From: anders.ostling at gmail.com (=?UTF-8?Q?Anders_=C3=96stling?=)
Date: Fri, 3 May 2024 15:19:01 +0200
Subject: [Samba] Domain membership
Message-ID:

I wrote a message a couple of days ago asking about Samba and SMB
protocol levels on an old industrial robot with a pre-2010 Samba. That
was resolved successfully. I now have another question concerning the
same systems (the robots and the new Samba server, HP-SRV03).

root at hp-srv03:/ *smbclient -L localhost -U administrator*
Enter HPLTS\administrator's password:

        Sharename       Type      Comment
        ---------       ----      -------
        bock            Disk
        IPC$            IPC       IPC Service (Samba 4.13.13-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        HPLTS                HP-SRV02
        NUMALLIANCE          R206
        WORKGROUP            HP-SRV03

What puzzles me is the last three lines. The actual domain is HPLTS to
which the member server HP-SRV03 is joined. NUMALLIANCE is the "name" of
one of the robots. No way to change or domain join these as I
understand. So why is there a WORKGROUP record with the Samba servers
name as master? Is this just a glitch due to the old samba version on
the robots, or is it caused by the NT1 protocol level?
The smb.conf looks like this (realm obfuscated)

root at hp-srv03:/BOCK# cat /etc/samba/smb.conf
# Global parameters
[global]
        security = ADS
        workgroup = HPLTS
        realm = HXXXXXXXXEN.SE
        server role = member server
        log file = /var/log/samba/%m.log
        bind interfaces only = yes
        interfaces = lo enp1s0

        # Enable Group Policy application in winbind,
        apply group policies = yes

        client min protocol = NT1
        server min protocol = NT1
        #client min protocol = SMB2

        # winbind config:
        winbind use default domain = yes

        # The following options are only useful for testing. Comment out in production.
        winbind enum users = yes
        winbind enum groups = yes

        # Map Administrator to root
        username map = /etc/samba/user.map
        min domain uid = 0

        # Kerberos
        winbind refresh tickets = Yes
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab

        # Configure shares using extended access control lists (ACL)
        # Needed for Linux, as it does not support NFS4 ACLs
        vfs objects = acl_xattr
        map acl inherit = yes
        acl_xattr:ignore system acls = yes

        # Default ID mapping configuration for local BUILTIN accounts
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config HPLTS : backend = rid
        idmap config HPLTS : range = 10000-999999

--
------ -------------------- 8 ------------------ ------
"A *wise* man once told me - Any idiot can do backups, but it takes a
genius to successfully restore"

Anders Östling
+46 768 716 165 (Mobil)

From rpenny at samba.org Fri May 3 14:04:05 2024
From: rpenny at samba.org (Rowland Penny)
Date: Fri, 3 May 2024 15:04:05 +0100
Subject: [Samba] Domain membership
In-Reply-To:
References:
Message-ID: <20240503150405.03732b67@devstation.samdom.example.com>

On Fri, 3 May 2024 15:19:01 +0200
Anders Östling via samba wrote:

> I wrote a message a couple of days ago asking about Samba and SMB
> protocol levels on an old industrial robot with a pre-2010 Samba.
> That was resolved successfully.
> I now have another question
> concerning the same systems (the robots and the new Samba server,
> HP-SRV03).
>
> root at hp-srv03:/
> *smbclient -L localhost -U administrator*
> Enter HPLTS\administrator's password:
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         bock            Disk
>         IPC$            IPC       IPC Service (Samba 4.13.13-Debian)
> Reconnecting with SMB1 for workgroup listing.
>
>         Server               Comment
>         ---------            -------
>
>         Workgroup            Master
>         ---------            -------
>         HPLTS                HP-SRV02
>         NUMALLIANCE          R206
>         WORKGROUP            HP-SRV03
>
> What puzzles me is the last three lines. The actual domain is HPLTS to
> which the member server HP-SRV03 is joined. NUMALLIANCE is the "name"
> of one of the robots. No way to change or domain join these as I
> understand. So why is there a WORKGROUP record with the Samba servers
> name as master? Is this just a glitch due to the old samba version on
> the robots, or is it caused by the NT1 protocol level?

I wouldn't worry about it, they are an artefact of running nmbd and
will not cause any problems.

Rowland

From anders.ostling at gmail.com Fri May 3 15:51:27 2024
From: anders.ostling at gmail.com (=?UTF-8?Q?Anders_=C3=96stling?=)
Date: Fri, 3 May 2024 17:51:27 +0200
Subject: [Samba] Domain membership
In-Reply-To: <20240503150405.03732b67@devstation.samdom.example.com>
References: <20240503150405.03732b67@devstation.samdom.example.com>
Message-ID:

nmbd is not running, but since all seems to work as expected, I will
leave it as it is for now. Thanks Rowland for the assurance :)

On Fri, May 3, 2024 at 4:05 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Fri, 3 May 2024 15:19:01 +0200
> Anders Östling via samba wrote:
>
> > I wrote a message a couple of days ago asking about Samba and SMB
> > protocol levels on an old industrial robot with a pre-2010 Samba.
> > That was resolved successfully. I now have another question
> > concerning the same systems (the robots and the new Samba server,
> > HP-SRV03).
> >
> > root at hp-srv03:/
> > *smbclient -L localhost -U administrator*
> > Enter HPLTS\administrator's password:
> >
> >         Sharename       Type      Comment
> >         ---------       ----      -------
> >         bock            Disk
> >         IPC$            IPC       IPC Service (Samba 4.13.13-Debian)
> > Reconnecting with SMB1 for workgroup listing.
> >
> >         Server               Comment
> >         ---------            -------
> >
> >         Workgroup            Master
> >         ---------            -------
> >         HPLTS                HP-SRV02
> >         NUMALLIANCE          R206
> >         WORKGROUP            HP-SRV03
> >
> > What puzzles me is the last three lines. The actual domain is HPLTS to
> > which the member server HP-SRV03 is joined. NUMALLIANCE is the "name"
> > of one of the robots. No way to change or domain join these as I
> > understand. So why is there a WORKGROUP record with the Samba servers
> > name as master? Is this just a glitch due to the old samba version on
> > the robots, or is it caused by the NT1 protocol level?
>
> I wouldn't worry about it, they are an artefact of running nmbd and
> will not cause any problems.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

--
------ -------------------- 8 ------------------ ------
"A *wise* man once told me - Any idiot can do backups, but it takes a
genius to successfully restore"

Anders Östling
+46 768 716 165 (Mobil)

From jra at samba.org Fri May 3 17:10:16 2024
From: jra at samba.org (Jeremy Allison)
Date: Fri, 3 May 2024 10:10:16 -0700
Subject: [Samba] winbind: does it actually depend on nmbd? and network-online?
In-Reply-To: <9c1b5def-ffe0-41dc-99bc-4c481b96b1bb@tls.msk.ru>
References: <20240502121743.5fe49fde@devstation.samdom.example.com> <9c1b5def-ffe0-41dc-99bc-4c481b96b1bb@tls.msk.ru>
Message-ID:

On Thu, May 02, 2024 at 08:00:09PM +0300, Michael Tokarev wrote:
>
>Since winbind can cache network information, and since samba even allows
>network-less login with saved/cached credentials, I guess it should depend
>on network.target, not network-online.target.
>Not for the first login though.

Yep, that seems correct to me.

>For nmbd, - this one apparently is the same (when it is used), though it
>might not find any active interface in this case (when networkd delays
>carrier-less interface configuration) and even fail to start. Still,
>without network-online, nmbd becomes basically useless.

Yes, nmbd needs network-online.

From contactdarin at posteo.net Fri May 3 18:07:23 2024
From: contactdarin at posteo.net (contactdarin at posteo.net)
Date: Fri, 03 May 2024 18:07:23 +0000
Subject: [Samba] Clarification on Samba AD functional levels
Message-ID: <1d3567c155492cfe327e415acdc27647@posteo.com>

Hello all,

Does Samba properly support 2012_R2 domains? If so, what is the
earliest version of Samba AD that supports it? I see that the most
recent versions support ad dc functional level = 2012_R2 in smb.conf
but I am unsure if I can safely run 2012_R2 functional level on older
versions of Samba.

A little background:
In my test environment I setup a Samba 4.20 AD Domain Controller with
functional level 2012_R2. From there I joined a Windows Server 2022 to
the domain and I forced the activation of the time and sysvol with help
from this guide:
https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_add_windows_active_directory.html

As far as I can tell it is working correctly. However, I am curious if
I can get something similar to this working on something more stable
than Fedora server.

Thank you for your time,
Darin

From sage at newdream.net Fri May 3 21:17:45 2024
From: sage at newdream.net (Sage Weil)
Date: Fri, 3 May 2024 16:17:45 -0500
Subject: [Samba] samba failover with ctdb and client-visible errors
Message-ID:

Hi everyone,

I'm setting up a clustered Samba+CTDB in front of CephFS and am running
into an issue during failover.
For the most part everything seems to work: the IP moves quickly, smbd
is started on the right node, etc, but if there is an IO load from a
client during failover (e.g., copying a big directory full of files in
File Explorer), it pauses for a couple of seconds and then pops up an
error dialog box. If I hit 'Try Again' everything continues without
problems. However... I assume that a client-visible error like this
will cause problems with most applications (that may not be persistent
enough to retry everything). I did a google search and the only thing I
found was something suggesting passing a flag to xcopy that forces a
retry on error.

Here's what the dialog looks like when I reboot one of the gateway nodes:
https://i.ibb.co/kh4fFPW/tryagain.png
If I click 'Try Again' everything proceeds.

Here's my smb.conf:

root at smbgw2:/etc/samba# cat smb.conf
[global]
        clustering = yes
        include = registry
root at smbgw2:/etc/samba# net conf list
[global]
        netbios name = smbgw
        clustering = yes
        idmap config * : backend = tdb2
        passdb backend = tdbsam
        load printers = no
        smbd: backgroundqueue = no

[Audio]
        path = /mnt/audio
        read only = no
        oplocks = no
        kernel share modes = no

CTDB config looks like so:

# See ctdb.conf(5) for documentation
#
# See ctdb-script.options(5) for documentation about event script
# options

[logging]
        # Enable logging to syslog
        location = syslog

        # Default log level
        log level = NOTICE

[cluster]
        # Shared recovery lock file to avoid split brain.  Daemon
        # default is no recovery lock.  Do NOT run CTDB without a
        # recovery lock file unless you know exactly what you are
        # doing.
        #
        # Please see the RECOVERY LOCK section in ctdb(7) for more
        # details.
        #
        # recovery lock = !/bin/false RECOVERY LOCK NOT CONFIGURED
        recovery lock = /mnt/audio/.ctdb/recovery_lock

^ /mnt/audio is the CephFS mount I am reexporting.

CTDB has a single IP in public_addresses that is moving around between
the gateway nodes as expected--from what I can tell that is all working
well.
The only other issue I've identified is that I seem to have to create
the user (and set the password with smbpasswd) on each of the
gateways... even though I expected that the 'passdb backend = tdbsam'
line would keep user and password info in ctdb somewhere. Am I missing
something there?

Thanks!
sage

From martin at meltin.net Sat May 4 02:05:21 2024
From: martin at meltin.net (Martin Schwenke)
Date: Sat, 4 May 2024 12:05:21 +1000
Subject: [Samba] samba failover with ctdb and client-visible errors
In-Reply-To:
References:
Message-ID: <20240504120521.197bb52d@martins.ozlabs.org>

Hi Sage,

On Fri, 3 May 2024 16:17:45 -0500, Sage Weil via samba wrote:

> I'm setting up a clustered Samba+CTDB in front of CephFS and am
> running into an issue during failover. For the most part everything
> seems to work: the IP moves quickly, smbd is started on the right
> node, etc, but if there is an IO load from a client during failover
> (e.g., copying a big directory full of files in File Explorer), it
> pauses for a couple of seconds and then pops up an error dialog box.
> If I hit 'Try Again' everything continues without problems.
> However... I assume that a client-visible error like this will cause
> problems with most applications (that may not be persistent enough to
> retry everything). I did a google search and the only thing I found
> was something suggesting passing a flag to xcopy that forces a retry
> on error.
>
> Here's what the dialog looks like when I reboot one of the gateway nodes:
> https://i.ibb.co/kh4fFPW/tryagain.png
> If I click 'Try Again' everything proceeds.

Error handling seems to be application-dependent on Windows. If you're
doing lots of copying then the hint you found for xcopy is probably a
good idea. Many applications will silently reconnect.

One issue is that CTDB's failover is done at the TCP networking level,
so it is impossible to hide errors from applications.
The dream is to get transparent failover with Microsoft's Witness
Protocol (available in Samba ≥ 4.20) and persistent file handles (not
yet in Samba).

> Here's my smb.conf:
>
> root at smbgw2:/etc/samba# cat smb.conf
> [global]
>         clustering = yes
>         include = registry
> root at smbgw2:/etc/samba# net conf list
> [global]
>         netbios name = smbgw
>         clustering = yes
>         idmap config * : backend = tdb2

For default domain ID mapping, you probably want autorid these days:

  https://www.samba.org/samba/docs/current/man-html/idmap_autorid.8.html

> [...]
> CTDB config looks like so:

> CTDB has a single IP in public_addresses that is moving around between
> the gateway nodes as expected--from what I can tell that is all
> working well.

If CephFS is sane (i.e. has proper locking coherency - others will be
able to make better comments about this) then clustered Samba can
happily be active-active, so you can have multiple IPs in
public_addresses, so multiple clients can access via different gateway
nodes in parallel.

> The only other issue I've identified is that I seem to have to create
> the user (and set the password with smbpasswd) on each of the
> gateways... even though I expected that the 'passdb backend = tdbsam'
> line would keep user and password info in ctdb somewhere. Am I
> missing something there?

There currently isn't a way of exposing local users at the OS level,
and an OS user is needed for file permissions. We have thought of
faking this via winbind, but it keeps sliding down the priority queue.

Setting up a Samba Active Directory server isn't especially difficult,
so tends to be a good option.

I hope some of that is useful...
:-)

peace & happiness,
martin

From mfoley at novatec-inc.com Sat May 4 17:28:15 2024
From: mfoley at novatec-inc.com (Mark Foley)
Date: Sat, 4 May 2024 13:28:15 -0400
Subject: [Samba] Joining Linux Domain Member to Samba DC, issues
Message-ID: <76a85820-3226-47bb-a0a2-c84c55fd4155@novatec-inc.com>

I've posted on this not long ago, but I've run more tests since.
Here's my situation (all Linux host running Samba Version 4.18.9) ...

I have a Linux Domain Member, NAS, sharing a directory /public. Domain
Windows users can map to this share and their domain user credentials
are automatically accepted without them having to enter their
credentials. This worked as well with our older Samba version.

Now, I want to move this shared directory to a different host,
WEBSERVER, which is not currently a domain member. I upgraded the OS
version and Samba version (to 4.18.9) on WEBSERVER and joined it as a
member to the domain. I copied the /public directory from NAS to
WEBSERVER. The smb.conf on WEBSERVER is a clone of that which is on NAS
except for the path:

# Global parameters
[global]
        max log size = 10000
        realm = HPRS.LOCAL
        security = ADS
        server role = member server
        server string = HPRS WEBSERVER
        template homedir = /home/%U
        template shell = /bin/bash
        workgroup = HPRS
        idmap config hprs : range = 10000-999999
        idmap config hprs : backend = rid
        idmap config * : range = 3000-7999
        idmap config * : backend = tdb
        vfs objects = acl_xattr
        map acl inherit = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        usershare allow guests = Yes
        usershare max shares = 10

[public]
        comment = OHPRS main file and document repository
        path = /public
        store dos attributes = no
        hide dot files = yes
        hide files = /Outlook/outlook/~*/
        readonly = no
        locking = yes
        public = yes
        printable = no
        create mask = 0660
        force user = ohprso
        force group = ohprs
        force create mode = 0660
        directory mask = 2771

When I then attempted to map a Windows user to \\webserver\public, it
did not automatically use the user's domain credentials and asked for
credentials to be entered. No credentials I entered works (but I didn't
exhaustively test this).

I restored WEBSERVER back to its pre-upgrade state and tried again, a
few times in fact, with no success.

I then used a spare computer, wiped the drive and installed the OS from
scratch with the upgraded Samba. I named this host WEBMEMBER. I joined
it to the domain and added the A record. I again copied the /public
folder from NAS to WEBMEMBER and ran Samba using the same smb.conf file
as shown above. This time, when I tried to map the drive from a Windows
domain computer it worked just fine automatically using the domain
credentials and not asking the user to enter credentials.

Next, I unjoined WEBMEMBER from the domain, took WEBSERVER offline,
deleted the A records for WEBMEMBER and WEBSERVER, renamed WEBMEMBER to
WEBSERVER (/etc/hosts, etc/HOSTNAMES), changed WEBMEMBER's IP address
to be the same as the former WEBSERVER, rebooted, joined WEBSERVER
(former webmember) to the domain, added its A record and ran samba.
When I attempted to map the /public directory from a Windows computer I
again was prompted to explicitly enter credentials. It did not
automatically mount.

This self-same computer when named WEBMEMBER had no problem mapping
this shared folder.
Unjoining it from the Domain, renaming to WEBSERVER and joining to the
domain caused a problem mapping with domain credentials. Nothing else
changed with this computer. This doesn't make sense. Neither does it
make sense that the original WEBSERVER would not allow mapping with
domain credentials once joined as a member.

Is there something in some tdb/ldb file or somewhere hanging around
from the original WEBSERVER that inhibits mapping shared drives with
domain credentials?

I still have the staged new WEBSERVER offline and can continue testing.
If there is something I could check when the mapping is rejected,
please advise and I'll check it out.

Thanks --Mark

From abartlet at samba.org Sun May 5 09:38:41 2024
From: abartlet at samba.org (Andrew Bartlett)
Date: Sun, 05 May 2024 21:38:41 +1200
Subject: [Samba] Clarification on Samba AD functional levels
In-Reply-To: <1d3567c155492cfe327e415acdc27647@posteo.com>
References: <1d3567c155492cfe327e415acdc27647@posteo.com>
Message-ID: <2753b3b02b5841cc5d5958611cd8746582cff9fb.camel@samba.org>

On Fri, 2024-05-03 at 18:07 +0000, Darin via samba wrote:
> Hello all,
> Does Samba properly support 2012_R2 domains? If so, what is the
> earliest version of Samba AD that supports it? I see that the most
> recent versions support ad dc functional level = 2012_R2 in smb.conf
> but I am unsure if I can safely run 2012_R2 functional level on older
> versions of Samba.

Samba 4.20 is the first to do this with any seriousness. The option
appeared in Samba 4.19 but much of the features that would imply only
arrived with 4.20.

> A little background:
> In my test environment I setup a Samba 4.20 AD Domain Controller with
> functional level 2012_R2. From there I joined a Windows Server 2022
> to the domain and I forced the activation of the time and sysvol with
> help from this guide:
> https://samba.tranquil.it/doc/en/samba_advanced_methods/samba_add_windows_active_directory.html
>
> As far as I can tell it is working correctly.
> However, I am
> curious if I can get something similar to this working on something
> more stable than Fedora server.

You may need to find another source for your packages for a current
Samba 4.20 package stream if you want it on an 'enterprise' OS, as most
disable the Samba AD DC.

Andrew Bartlett

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

From samba at txschroeder.family Mon May 6 00:55:02 2024
From: samba at txschroeder.family (Dale Schroeder)
Date: Sun, 5 May 2024 19:55:02 -0500
Subject: [Samba] ntpsec
Message-ID: <189b3c0e-9922-4ee5-a282-a2ef6be4b039@txschroeder.family>

I haven't seen anyone mention this on the list, but found on the Debian
changelog for ntpsec:

ntpsec (1.2.3+dfsg1-1) unstable; urgency=low
[...]
  - We think we have fixed ms-sntp
    Thanks to Jakob Haufe for testing. (Closes: 1033088)
[...]
 -- Richard Laager  Sun, 10 Mar 2024 22:01:29 -0500

This version is for Debian Trixie; currently, no mention of backporting
to Bookworm.

https://packages.debian.org/testing/ntpsec

Dale

From anders.ostling at gmail.com Mon May 6 07:06:36 2024
From: anders.ostling at gmail.com (=?UTF-8?Q?Anders_=C3=96stling?=)
Date: Mon, 6 May 2024 09:06:36 +0200
Subject: [Samba] NT1 protocol question
Message-ID:

Hi
Some may remember that I asked about configuring a Samba server for the
legacy NT1 protocol due to a couple of old industrial systems that do
not support SMB2/3.
I noticed this today from the Samba server, probably doesnt mean
anything but I still would like to ask the group. The server is of
course joined to a domain and operates as it should.
sysman at hp-srv03:~$ *net domain testjoin -U administrator*
Enter administrator's password:

Enumerating domains:

Domain name               Server name of Browse Master
-------------             ----------------------------
*smb1cli_req_writev_submit: called for dialect[SMB3_11] server[127.0.0.1]*

Cheers

--
------ -------------------- 8 ------------------ ------
"A *wise* man once told me - Any idiot can do backups, but it takes a genius to successfully restore"
Anders Östling
+46 768 716 165 (Mobil)

From rpenny at samba.org Mon May 6 07:33:10 2024
From: rpenny at samba.org (Rowland Penny)
Date: Mon, 6 May 2024 08:33:10 +0100
Subject: [Samba] NT1 protocol question
In-Reply-To:
References:
Message-ID: <20240506083310.164d321a@devstation.samdom.example.com>

On Mon, 6 May 2024 09:06:36 +0200
Anders Östling via samba wrote:

> Hi
> Some may remember that I asked about configuring a Samba server for
> the legacy NT1 protocol due to a couple of old industrial systems
> that do not support SMB2/3.
> I noticed this today from the Samba server, probably doesn't mean
> anything but I still would like to ask the group. The server is of
> course joined to a domain and operates as it should.
>
> sysman at hp-srv03:~$ *net domain testjoin -U administrator*
> Enter administrator's password:
>
> Enumerating domains:
>
> Domain name Server name of Browse Master
> ------------- ----------------------------
> *smb1cli_req_writev_submit: called for dialect[SMB3_11]
> server[127.0.0.1]*
>
> Cheers
>
>

I suppose the question has to be: Why are you running a command meant for an NT4-style domain on an AD domain ?
Especially as it doesn't seem to exist ?

'net domain' is supposed to list domains or workgroups on the network and relies on smbV1 and Network Browsing.

If you are trying to check if the domain join is valid, use this (as root):

net ads testjoin -U administrator

Rowland

Rowland

From anders.ostling at gmail.com Mon May 6 07:44:43 2024
From: anders.ostling at gmail.com (Anders Östling)
Date: Mon, 6 May 2024 09:44:43 +0200
Subject: [Samba] NT1 protocol question
In-Reply-To: <20240506083310.164d321a@devstation.samdom.example.com>
References: <20240506083310.164d321a@devstation.samdom.example.com>
Message-ID:

Of course 'net ads testjoin' worked fine. Sorry for the brainfreeze. It's been one of these mornings :/

/Anders

On Mon, May 6, 2024 at 9:34 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 6 May 2024 09:06:36 +0200
> Anders Östling via samba wrote:
>
> > Hi
> > Some may remember that I asked about configuring a Samba server for
> > the legacy NT1 protocol due to a couple of old industrial systems
> > that do not support SMB2/3.
> > I noticed this today from the Samba server, probably doesn't mean
> > anything but I still would like to ask the group. The server is of
> > course joined to a domain and operates as it should.
> >
> > sysman at hp-srv03:~$ *net domain testjoin -U administrator*
> > Enter administrator's password:
> >
> > Enumerating domains:
> >
> > Domain name Server name of Browse Master
> > ------------- ----------------------------
> > *smb1cli_req_writev_submit: called for dialect[SMB3_11]
> > server[127.0.0.1]*
> >
> > Cheers
> >
> >
>
> I suppose the question has to be: Why are you running a command meant
> for an NT4-style domain on an AD domain ?
> Especially as it doesn't seem to exist ?
>
> 'net domain' is supposed to list domains or workgroups on the network
> and relies on smbV1 and Network Browsing.
>
> If you are trying to check if the domain join is valid, use this (as
> root): net ads testjoin -U administrator
>
> Rowland
>
>
>
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
------ -------------------- 8 ------------------ ------
"A *wise* man once told me - Any idiot can do backups, but it takes a genius to successfully restore"
Anders Östling
+46 768 716 165 (Mobil)

From zhongdong.sun at yale.edu Mon May 6 19:50:18 2024
From: zhongdong.sun at yale.edu (Sun, Zhongdong)
Date: Mon, 6 May 2024 19:50:18 +0000
Subject: [Samba] Samba domain name in short format
Message-ID:

Hello everyone,

We have a Samba server that experiences very strange problems. I wonder if anyone can provide some advice.

This is a Redhat 8.4 machine with Samba 4.13.3. We setup Samba according to Redhat document https://access.redhat.com/solutions/3802321 . It works well in most cases but has some issues. When user tries to mount a share from his/her PC, he/she must use the long format of domain name, such as yu.yale.edu\zs24. It works but most users don't like it. Instead, all users prefer to use the short format like YALE\zs24, but this doesn't work anymore. Here, YALE is a short format of yu.yale.edu. This short format works well in Redhat 7.4 with Samba 4.6.2. But we have to upgrade Redhat 7.x to 8.x.

I wonder if anyone experienced similar issues or has any direction on what's going on here. Any advice will be appreciated.

Thanks.
Zhongdong

From rpenny at samba.org Mon May 6 20:05:32 2024
From: rpenny at samba.org (Rowland Penny)
Date: Mon, 6 May 2024 21:05:32 +0100
Subject: [Samba] Samba domain name in short format
In-Reply-To:
References:
Message-ID: <20240506210532.1fe40448@devstation.samdom.example.com>

On Mon, 6 May 2024 19:50:18 +0000
"Sun, Zhongdong via samba" wrote:

> Hello everyone,
>
> We have a Samba server that experiences very strange problems. I
> wonder if anyone can provide some advice.
>
> This is a Redhat 8.4 machine with Samba 4.13.3. We setup Samba
> according to Redhat document
> https://access.redhat.com/solutions/3802321 .

Sorry but that is behind a redhat wall and I cannot access it, but as it seems to be how to use Samba with sssd, I suppose it uses their 'sss' idmap backend.

> It works well in most
> cases but has some issues. When user tries to mount a share from
> his/her PC, he/she must use the long format of domain name, such as
> yu.yale.edu\zs24. It works but most users don't like it. Instead, all
> users prefer to use the short format like YALE\zs24, but this doesn't
> work anymore. Here, YALE is a short format of yu.yale.edu. This short
> format works well in Redhat 7.4 with Samba 4.6.2. But we have to
> upgrade Redhat 7.x to 8.x.
>
> I wonder if anyone experienced similar issues or has any direction on
> what's going on here. Any advice will be appreciated.

Samba doesn't produce sssd, so doesn't have access to the code if it needs fixing. I suggest you contact redhat to get this fixed if you want to continue to use sssd with Samba.

If, however, you want to use Samba as Samba intended, that is by using winbind without sssd, I am more than willing to help with this.

I suppose that I should also point out that, from the Samba point of view, Samba 4.13.3 is ancient.

Rowland

From zhongdong.sun at yale.edu Mon May 6 21:03:14 2024
From: zhongdong.sun at yale.edu (Sun, Zhongdong)
Date: Mon, 6 May 2024 21:03:14 +0000
Subject: [Samba] Samba domain name in short format
In-Reply-To: <20240506210532.1fe40448@devstation.samdom.example.com>
References: <20240506210532.1fe40448@devstation.samdom.example.com>
Message-ID:

Hi Rowland,

Thanks for your quick response.

Yes, it's Samba+sssd+krb5+AD. So many technologies wrapped together, and I don't know which part can go wrong. We managed to make them work together with the full domain name format such as yu.yale.edu\zs24. But it didn't work with short format as YALE\zs24. When I did this in a Windows computer, it reported "We can't sign you in with this credential because your domain isn't available."
This seems a DNS issue, because it cannot convert 'YALE' to its full name 'yu.yale.edu'. But I don't know where I should input this name resolution in this Samba server.

Unfortunately, we don't have a Redhat support contract and cannot get technical support from Redhat.

Yes, we are very careful to upgrade Samba and its version may fall behind from the latest one.

Zhongdong

-----Original Message-----
From: samba On Behalf Of Rowland Penny via samba
Sent: Monday, May 6, 2024 4:06 PM
To: samba at lists.samba.org
Cc: Rowland Penny
Subject: Re: [Samba] Samba domain name in short format

On Mon, 6 May 2024 19:50:18 +0000
"Sun, Zhongdong via samba" wrote:

> Hello everyone,
>
> We have a Samba server that experiences very strange problems. I
> wonder if anyone can provide some advice.
>
> This is a Redhat 8.4 machine with Samba 4.13.3. We setup Samba
> according to Redhat document
> https://access.redhat.com/solutions/3802321 .

Sorry but that is behind a redhat wall and I cannot access it, but as it seems to be how to use Samba with sssd, I suppose it uses their 'sss' idmap backend.

> It works well in most
> cases but has some issues. When user tries to mount a share from
> his/her PC, he/she must use the long format of domain name, such as
> yu.yale.edu\zs24. It works but most users don't like it. Instead, all
> users prefer to use the short format like YALE\zs24, but this doesn't
> work anymore. Here, YALE is a short format of yu.yale.edu. This short
> format works well in Redhat 7.4 with Samba 4.6.2. But we have to
> upgrade Redhat 7.x to 8.x.
>
> I wonder if anyone experienced similar issues or has any direction on
> what's going on here. Any advice will be appreciated.

Samba doesn't produce sssd, so doesn't have access to the code if it needs fixing. I suggest you contact redhat to get this fixed if you want to continue to use sssd with Samba.

If, however, you want to use Samba as Samba intended, that is by using winbind without sssd, I am more than willing to help with this.

I suppose that I should also point out that, from the Samba point of view, Samba 4.13.3 is ancient.

Rowland

From jra at samba.org Mon May 6 21:49:52 2024
From: jra at samba.org (Jeremy Allison)
Date: Mon, 6 May 2024 14:49:52 -0700
Subject: [Samba] Samba domain name in short format
In-Reply-To:
References: <20240506210532.1fe40448@devstation.samdom.example.com>
Message-ID:

On Mon, May 06, 2024 at 09:03:14PM +0000, Sun, Zhongdong via samba wrote:
> Hi Rowland,
>
> Thanks for your quick response.
>
> Yes, it's Samba+sssd+krb5+AD. So many technologies wrapped together,
> and I don't know which part can go wrong. We managed to make them work
> together with the full domain name format such as yu.yale.edu\zs24.
> But it didn't work with short format as YALE\zs24. When I did this
> in a Windows computer, it reported "We can't sign you in with this
> credential because your domain isn't available."
> This seems a DNS issue, because it cannot convert 'YALE' to its full name 'yu.yale.edu'.

Yep it's DNS. Client can't get a krb5 ticket for the server as the full hostname isn't correct.

From zhongdong.sun at yale.edu Tue May 7 01:34:58 2024
From: zhongdong.sun at yale.edu (Sun, Zhongdong)
Date: Tue, 7 May 2024 01:34:58 +0000
Subject: [Samba] Samba domain name in short format
In-Reply-To:
References: <20240506210532.1fe40448@devstation.samdom.example.com>
Message-ID:

Hi Jeremy,

I forgot to mention this. All these strange behaviors occurred when winbind was turned off. If I turn on winbind, this problem could be resolved, i.e. at least it allowed me to login as YALE\zs24, but it always said 'access is denied' even if I input the correct password. Maybe something wrong with the Samba settings. Here is my smb.conf file. Anything looks unusual? I'm not sure about the idmap config part, especially the range and backend.

Thanks.
Zhongdong

[global]

        netbios name = HECATE
        workgroup = YALE
        realm = YU.YALE.EDU
        server string = PET Center Samba Server
        security = ADS
        #2017-11-23 zs24, allow ntlm which is still used by some local accounts and old Windows XP machines.
        ntlm auth = yes
        client NTLMv2 auth = yes
        client lanman auth = no
        client plaintext auth = no
        min protocol = NT1

        kerberos method = secrets and keytab
        idmap config * : backend = tdb
        idmap config * : range = 10000-199999
        idmap config YALE : backend = sss
        idmap config YALE : range = 200000-2147483647
        machine password timeout = 0

-----Original Message-----
From: Jeremy Allison
Sent: Monday, May 6, 2024 5:50 PM
To: Sun, Zhongdong
Cc: samba at lists.samba.org
Subject: Re: [Samba] Samba domain name in short format

On Mon, May 06, 2024 at 09:03:14PM +0000, Sun, Zhongdong via samba wrote:
> Hi Rowland,
>
> Thanks for your quick response.
>
> Yes, it's Samba+sssd+krb5+AD. So many technologies wrapped together,
> and I don't know which part can go wrong. We managed to make them work
> together with the full domain name format such as yu.yale.edu\zs24.
> But it didn't work with short format as YALE\zs24. When I did this in a
> Windows computer, it reported "We can't sign you in with this
> credential because your domain isn't available."
> This seems a DNS issue, because it cannot convert 'YALE' to its full name 'yu.yale.edu'.

Yep it's DNS. Client can't get a krb5 ticket for the server as the full hostname isn't correct.
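The smb.conf above, together with the YALE\zs24 versus yu.yale.edu\zs24 question that opened the thread, can be checked mechanically before the back-and-forth starts. The following is an added example (my own, not code from Samba or from any poster): it parses a [global] section, flags the two settings in the posted file that widen the attack surface (min protocol = NT1 keeps SMB1 negotiable; ntlm auth = yes is the old spelling of ntlmv1-permitted), checks that idmap ranges do not overlap, and maps the three logon-name spellings (workgroup\user, dns-domain\user, user@realm) onto one Kerberos principal using only the workgroup and realm found in the file. The sample configuration is an abridged copy of the posted one with its comment line kept; the check names and severity labels are this example's own.

```python
"""Audit a Samba smb.conf [global] section and normalise logon-name forms.
Added example for the thread above, not code from Samba or any poster; the
severity labels and check names are this example's own.
"""
import re

# Abridged copy of the [global] section posted above (comment line kept so
# the parser has to skip it).
SAMPLE_SMB_CONF = """\
[global]
        netbios name = HECATE
        workgroup = YALE
        realm = YU.YALE.EDU
        security = ADS
        #2017-11-23 zs24, allow ntlm which is still used by some local accounts and old Windows XP machines.
        ntlm auth = yes
        min protocol = NT1
        idmap config * : backend = tdb
        idmap config * : range = 10000-199999
        idmap config YALE : backend = sss
        idmap config YALE : range = 200000-2147483647
"""

# Any of these as the minimum dialect means SMB1 can still be negotiated.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# 'yes' is the older name for ntlmv1-permitted in smb.conf(5).
NTLMV1_VALUES = {"yes", "true", "1", "ntlmv1-permitted"}


def parse_smb_conf(text):
    """Return {section: {key: value}}.

    smb.conf keys are case-insensitive and may contain spaces, so each key
    is lower-cased and whitespace-squeezed; '#' and ';' lines are comments.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.fullmatch(r"\[(.+)\]", line)
        if head:
            current = head.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def audit_global(conf):
    """Return [(severity, message)] findings for the [global] section."""
    glob = conf.get("global", {})
    findings = []

    # 'min protocol' is the old name for 'server min protocol'.
    min_proto = glob.get("server min protocol", glob.get("min protocol", ""))
    if min_proto.upper() in SMB1_DIALECTS:
        findings.append(("high", f"SMB1 negotiable: min protocol = {min_proto}"))

    if glob.get("ntlm auth", "").lower() in NTLMV1_VALUES:
        findings.append(("medium", "ntlm auth permits NTLMv1 responses"))

    # Overlapping idmap ranges make UID/GID allocation ambiguous between domains.
    ranges = {}
    for key, value in glob.items():
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        if m:
            lo, hi = (int(x) for x in value.split("-", 1))
            ranges[m.group(1)] = (lo, hi)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(("high", f"idmap ranges for '{a}' and '{b}' overlap"))
    return findings


def normalise_logon(name, workgroup, realm):
    """Map WORKGROUP\\user, dns.domain\\user and user@realm onto 'user@REALM'.
    The NetBIOS (workgroup) name and the DNS domain name denote the same AD
    domain; the realm is the DNS domain upper-cased. None if not our domain.
    """
    if "\\" in name:
        domain, user = name.split("\\", 1)
    elif "@" in name:
        user, domain = name.rsplit("@", 1)
    else:
        domain, user = workgroup, name
    if domain.lower() not in {workgroup.lower(), realm.lower()}:
        return None
    return f"{user}@{realm.upper()}"
```

Calling `audit_global(parse_smb_conf(SAMPLE_SMB_CONF))` on the posted file gives two findings (the NT1 minimum and the NTLMv1 permission) and no range overlap, which matches Rowland's reading that the idmap block itself is fine. `normalise_logon("YALE\\zs24", "YALE", "YU.YALE.EDU")`, the dns-domain spelling and `zs24@yu.yale.edu` all collapse to `zs24@YU.YALE.EDU`, the principal the client has to obtain a ticket for whichever spelling the user typed.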
From rpenny at samba.org Tue May 7 05:43:31 2024
From: rpenny at samba.org (Rowland Penny)
Date: Tue, 7 May 2024 06:43:31 +0100
Subject: [Samba] Samba domain name in short format
In-Reply-To:
References: <20240506210532.1fe40448@devstation.samdom.example.com>
Message-ID: <20240507064331.3ea34f0f@devstation.samdom.example.com>

On Tue, 7 May 2024 01:34:58 +0000
"Sun, Zhongdong via samba" wrote:

> Hi Jeremy,
>
> I forgot to mention this. All these strange behaviors occurred when
> winbind was turned off.

You cannot turn winbind off on a Samba AD domain member, it must be running and if winbind is running, you do not need sssd.

> If I turn on winbind, this problem could be
> resolved, i.e. at least it allowed me to login as YALE\zs24, but it
> always said 'access is denied' even if I input the correct password.
> Maybe something wrong with the Samba settings. Here is my smb.conf
> file. Anything looks unusual? I'm not sure about the idmap config
> part, especially the range and backend.
>
> Thanks.
> Zhongdong
>
> [global]
>
> netbios name = HECATE
> workgroup = YALE
> realm = YU.YALE.EDU
> server string = PET Center Samba Server
> security = ADS
> #2017-11-23 zs24, allow ntlm which is still used by some local
> accounts and old Windows XP machines.
> ntlm auth = yes
> client NTLMv2 auth = yes
> client lanman auth = no
> client plaintext auth = no
> min protocol = NT1
>
> kerberos method = secrets and keytab
> idmap config * : backend = tdb
> idmap config * : range = 10000-199999
> idmap config YALE : backend = sss
> idmap config YALE : range = 200000-2147483647
> machine password timeout = 0
>

I have very little knowledge about the 'sss' idmap backend, mainly because I do not use it, but the above appears to be correct.

You say that 'yu.yale.edu\zs24' works, but 'YALE\zs24' doesn't. The first is using the dns domain and the second is using the NetBIOS domain name (aka workgroup). I use the 'rid' idmap backend with winbind and it is the opposite way around for me 'SAMDOM\rowland' works, 'samdom.example.com\rowland' doesn't.

As you do not have a redhat contract, can I suggest you setup a Rocky Linux 9 machine (in a VM will do) and I will talk you through setting up a Unix domain member on it using winbind, that way you will be able to see what works.

Rowland

From zhongdong.sun at yale.edu Tue May 7 16:37:29 2024
From: zhongdong.sun at yale.edu (Sun, Zhongdong)
Date: Tue, 7 May 2024 16:37:29 +0000
Subject: [Samba] Samba domain name in short format
In-Reply-To: <20240507064331.3ea34f0f@devstation.samdom.example.com>
References: <20240506210532.1fe40448@devstation.samdom.example.com>
	<20240507064331.3ea34f0f@devstation.samdom.example.com>
Message-ID:

Hi Rowland,

I don't mind in using any technology as long as it works. In Redhat 7 and Samba 4.6, everything is simple and work well. But Redhat 7 is near end-of-life, and we have to move on. The next choice is Redhat 8, but we met with this strange problem. We also tried Ubuntu 22.04 with Samba 4.16 which didn't work either. If you think Rocky 9 and its Samba/winbind will work, I'd like to try it.

Let me provide some descriptions on the configuration here. This machine is a dedicated Samba server, which serves about 200-300 users. However, neither the file systems nor the user accounts are in this Samba server. The file systems are in several other NFS servers, and user accounts are in another NIS server. However, user accounts are their netids (like zs24) which are authenticated against Yale central AD. This is the only reason why the Samba server must join AD, i.e. to authenticate user.

We managed to use sss to integrate user accounts with NIS and AD. With winbind, this doesn't work. Either it cannot find the user account, or the authentication always fail. If you think Rocky 9 with Samba/winbind can satisfy the requirements, I'll be happy to install Rocky 9 and all associated software in this server for test purposes. Let me know if you have any questions before I reimage the server.

Thanks.
Zhongdong

-----Original Message-----
From: samba On Behalf Of Rowland Penny via samba
Sent: Tuesday, May 7, 2024 1:44 AM
To: samba at lists.samba.org
Cc: Rowland Penny
Subject: Re: [Samba] Samba domain name in short format

On Tue, 7 May 2024 01:34:58 +0000
"Sun, Zhongdong via samba" wrote:

> Hi Jeremy,
>
> I forgot to mention this. All these strange behaviors occurred when
> winbind was turned off.

You cannot turn winbind off on a Samba AD domain member, it must be running and if winbind is running, you do not need sssd.

> If I turn on winbind, this problem could be resolved, i.e. at least it
> allowed me to login as YALE\zs24, but it always said 'access is
> denied' even if I input the correct password.
> Maybe something wrong with the Samba settings. Here is my smb.conf
> file. Anything looks unusual? I'm not sure about the idmap config
> part, especially the range and backend.
>
> Thanks.
> Zhongdong
>
> [global]
>
> netbios name = HECATE
> workgroup = YALE
> realm = YU.YALE.EDU
> server string = PET Center Samba Server
> security = ADS
> #2017-11-23 zs24, allow ntlm which is still used by some local
> accounts and old Windows XP machines.
> ntlm auth = yes
> client NTLMv2 auth = yes
> client lanman auth = no
> client plaintext auth = no
> min protocol = NT1
>
> kerberos method = secrets and keytab
> idmap config * : backend = tdb
> idmap config * : range = 10000-199999
> idmap config YALE : backend = sss
> idmap config YALE : range = 200000-2147483647
> machine password timeout = 0
>

I have very little knowledge about the 'sss' idmap backend, mainly because I do not use it, but the above appears to be correct.

You say that 'yu.yale.edu\zs24' works, but 'YALE\zs24' doesn't. The first is using the dns domain and the second is using the NetBIOS domain name (aka workgroup). I use the 'rid' idmap backend with winbind and it is the opposite way around for me 'SAMDOM\rowland' works, 'samdom.example.com\rowland' doesn't.

As you do not have a redhat contract, can I suggest you setup a Rocky Linux 9 machine (in a VM will do) and I will talk you through setting up a Unix domain member on it using winbind, that way you will be able to see what works.

Rowland

From rpenny at samba.org Tue May 7 18:20:00 2024
From: rpenny at samba.org (Rowland Penny)
Date: Tue, 7 May 2024 19:20:00 +0100
Subject: [Samba] Samba domain name in short format
In-Reply-To:
References: <20240506210532.1fe40448@devstation.samdom.example.com>
	<20240507064331.3ea34f0f@devstation.samdom.example.com>
Message-ID: <20240507192000.35406f55@devstation.samdom.example.com>

On Tue, 7 May 2024 16:37:29 +0000
"Sun, Zhongdong" wrote:

> Hi Rowland,
>
> I don't mind in using any technology as long as it works. In Redhat 7
> and Samba 4.6, everything is simple and work well. But Redhat 7 is
> near end-of-life, and we have to move on. The next choice is Redhat
> 8, but we met with this strange problem. We also tried Ubuntu 22.04
> with Samba 4.16 which didn't work either. If you think Rocky 9 and
> its Samba/winbind will work, I'd like to try it.
>
> Let me provide some descriptions on the configuration here. This
> machine is a dedicated Samba server, which serves about 200-300
> users. However, neither the file systems nor the user accounts are in
> this Samba server. The file systems are in several other NFS servers,
> and user accounts are in another NIS server. However, user accounts
> are their netids (like zs24) which are authenticated against Yale
> central AD. This is the only reason why the Samba server must join
> AD, i.e. to authenticate user.
It sounds like you are sharing NFS shares via Samba, for various reasons this is not a good idea.
Your other problem is that NIS, for all intents and purposes, is dead.

>
> We managed to use sss to integrate user accounts with NIS and AD.
> With winbind, this doesn't work. Either it cannot find the user
> account, or the authentication always fail. If you think Rocky 9 with
> Samba/winbind can satisfy the requirements, I'll be happy to install
> Rocky 9 and all associated software in this server for test purposes.
> Let me know if you have any questions before I reimage the server.

I thought that you had been using redhat for some time, seemingly this isn't the case.

Just what are you using NIS for ? It is a directory service in the same vein as Active Directory, so you really do not need both.

From my viewpoint, I have to ask, what is it with universities ? do they run up to date IT departments, or they really history departments ?

Rowland

From zhongdong.sun at yale.edu Tue May 7 22:19:38 2024
From: zhongdong.sun at yale.edu (Sun, Zhongdong)
Date: Tue, 7 May 2024 22:19:38 +0000
Subject: [Samba] Samba domain name in short format
In-Reply-To: <20240507192000.35406f55@devstation.samdom.example.com>
References: <20240506210532.1fe40448@devstation.samdom.example.com>
	<20240507064331.3ea34f0f@devstation.samdom.example.com>
	<20240507192000.35406f55@devstation.samdom.example.com>
Message-ID:

Hi Rowland,

You are right. We are running some old software here, such as NIS. All these started 20 years ago when I joined the group and we had about 20-30 workstations running Linux. NIS was chosen at that time to manage user accounts. Some users were not familiar with Linux, so we provided Samba to them so that they could map Linux file systems to their computers. I know NIS is old technology and can be replaced with others, such as LDAP. But this is a clinical research environment and is very difficult to change system. We have to live with this system.

Fortunately, NIS is only used to manage accounts. And user authentication occurs in AD. So there is not too much security concern here. I'll say it's not easy to manage such a complicated and a little outdated system in a production environment, because we cannot shut down the system for upgrade or maintenance. For the Samba server, I just leave the production server running, and use another server to test new versions of Samba. If it works, we may switch the new server as production system. Otherwise, we have to keep the current Samba server running.

For the test Samba server, I followed the instructions to setup Samba, but without winbind. In my test, everything works except that it cannot recognize the short domain name YALE. If I use the full domain name yu.yale.edu, everything works well. But it's difficult to ask all users to use the long format. As I think, this seems a DNS issue. But I don't know how to tell Samba server to resolve the short name YALE as long name yu.yale.edu. I wonder if you or any experts here can provide any advice on this.

Thanks.
Zhongdong

-----Original Message-----
From: samba On Behalf Of Rowland Penny via samba
Sent: Tuesday, May 7, 2024 2:20 PM
To: samba at lists.samba.org
Cc: Rowland Penny
Subject: Re: [Samba] Samba domain name in short format

On Tue, 7 May 2024 16:37:29 +0000
"Sun, Zhongdong" wrote:

> Hi Rowland,
>
> I don't mind in using any technology as long as it works. In Redhat 7
> and Samba 4.6, everything is simple and work well. But Redhat 7 is
> near end-of-life, and we have to move on. The next choice is Redhat 8,
> but we met with this strange problem. We also tried Ubuntu 22.04 with
> Samba 4.16 which didn't work either. If you think Rocky 9 and its
> Samba/winbind will work, I'd like to try it.
>
> Let me provide some descriptions on the configuration here. This
> machine is a dedicated Samba server, which serves about 200-300 users.
> However, neither the file systems nor the user accounts are in this
> Samba server. The file systems are in several other NFS servers, and
> user accounts are in another NIS server. However, user accounts are
> their netids (like zs24) which are authenticated against Yale central
> AD. This is the only reason why the Samba server must join AD, i.e. to
> authenticate user.

It sounds like you are sharing NFS shares via Samba, for various reasons this is not a good idea.
Your other problem is that NIS, for all intents and purposes, is dead.

>
> We managed to use sss to integrate user accounts with NIS and AD.
> With winbind, this doesn't work. Either it cannot find the user
> account, or the authentication always fail. If you think Rocky 9 with
> Samba/winbind can satisfy the requirements, I'll be happy to install
> Rocky 9 and all associated software in this server for test purposes.
> Let me know if you have any questions before I reimage the server.

I thought that you had been using redhat for some time, seemingly this isn't the case.

Just what are you using NIS for ? It is a directory service in the same vein as Active Directory, so you really do not need both.

From my viewpoint, I have to ask, what is it with universities ? do they run up to date IT departments, or they really history departments ?

Rowland

From rpenny at samba.org Wed May 8 05:42:23 2024
From: rpenny at samba.org (Rowland Penny)
Date: Wed, 8 May 2024 06:42:23 +0100
Subject: [Samba] Samba domain name in short format
In-Reply-To:
References: <20240506210532.1fe40448@devstation.samdom.example.com>
	<20240507064331.3ea34f0f@devstation.samdom.example.com>
	<20240507192000.35406f55@devstation.samdom.example.com>
Message-ID: <20240508064223.4bd1d7d8@devstation.samdom.example.com>

On Tue, 7 May 2024 22:19:38 +0000
"Sun, Zhongdong" wrote:

> Hi Rowland,
>
> You are right. We are running some old software here, such as NIS.
> All these started 20 years ago when I joined the group and we had
> about 20-30 workstations running Linux. NIS was chosen at that time
> to manage user accounts. Some users were not familiar with Linux, so
> we provided Samba to them so that they could map Linux file systems
> to their computers. I know NIS is old technology and can be replaced
> with others, such as LDAP. But this is a clinical research environment
> and is very difficult to change system. We have to live with this
> system.

Even 20 years ago NIS was dying and I have since found out that NIS has been removed from RHEL 9. I really think you need to seriously consider upgrading your setup.

>
> Fortunately, NIS is only used to manage accounts. And user
> authentication occurs in AD.

Samba, if used correctly, can manage the account, but you would have to join it to the AD domain and probably use the 'ad' idmap backend with RFC2307 attributes, that is if the current ID numbers must be used.

> So there is not too much security
> concern here. I'll say it's not easy to manage such a complicated and
> a little outdated system in a production environment, because we
> cannot shut down the system for upgrade or maintenance. For the Samba
> server, I just leave the production server running, and use another
> server to test new versions of Samba. If it works, we may switch the
> new server as production system. Otherwise, we have to keep the
> current Samba server running.
>
> For the test Samba server, I followed the instructions to setup
> Samba, but without winbind. In my test, everything works except that
> it cannot recognize the short domain name YALE. If I use the full
> domain name yu.yale.edu, everything works well. But it's difficult to
> ask all users to use the long format. As I think, this seems a DNS
> issue. But I don't know how to tell Samba server to resolve the short
> name YALE as long name yu.yale.edu. I wonder if you or any experts
> here can provide any advice on this.

If you run Samba without winbind, then it cannot be joined to a domain and can only be a standalone server.

When it comes to the domain names, 'yu.yale.edu' looks like it is the AD dns domain (which means the kerberos realm will be 'YU.YALE.EDU'), 'YALE' will be the NetBIOS domain name, which is also known as the workgroup name or 'pre-windows 2000' domain name. So, while 'yu.yale.edu' seems to be working for you, I do not think 'YALE' not working is a dns problem, NetBIOS doesn't use dns.

Here is what I suggest you do, setup a test VM using Debian 12 and I will then talk you through joining that to your AD using Samba. You can then test its capabilities to see if you could use it instead of your present setup.

The only 'problem' I can see is the NFS shares, it isn't a good idea to re-share them via Samba to Windows, you would probably be better off getting the Linux machines to use Samba instead. My rule of thumb is:

All Linux machines, use NFS
A mixture of Linux and Windows machines, use Samba.

A side effect of using Samba is that your users will be able to logon using 'username' instead of 'YALE\username' or 'yu.yale.edu\username' if required.

Rowland

From lists at zxt10d.de Wed May 8 07:48:48 2024
From: lists at zxt10d.de (lists at zxt10d.de)
Date: Wed, 8 May 2024 09:48:48 +0200
Subject: [Samba] Wiki - Best Practise to install a 2nd AD-DC or "backup"-DC
Message-ID: <95617452-1a87-4b90-8618-bef3f0cca30d@zxt10d.de>

Hello list,

I searched the wiki, but couldn't find any article on this topic - maybe I used the wrong terms ...

Is there a "Best Practise" documentation how to install a 2nd AD-DC (or "backup"-DC)?
Cheers, Torsten From janger at samba.org Wed May 8 08:17:45 2024 From: janger at samba.org (Jule Anger) Date: Wed, 8 May 2024 10:17:45 +0200 Subject: [Samba] [Announce] Samba 4.20.1 Available for Download Message-ID: <3fca632b-f1b4-4826-9411-29a75f318c11@samba.org> Release Announcements --------------------- This is the latest stable release of the Samba 4.20 release series. Changes since 4.20.0 -------------------- o? Douglas Bagnall ?? * BUG 15630: dns update debug message is too noisy. o? Alexander Bokovoy ?? * BUG 15635: Do not fail PAC validation for RFC8009 checksums types. o? Pavel Filipensk? ?? * BUG 15605: Improve performance of lookup_groupmem() in idmap_ad. o? Anna Popova ?? * BUG 15636: Smbcacls incorrectly propagates inheritance with Inherit-Only ???? flag. o? Noel Power ?? * BUG 15611: http library doesn't support 'chunked transfer encoding'. o? Andreas Schneider ?? * BUG 15600: Provide a systemd service file for the background queue daemon. ####################################### Reporting bugs & Development Discussion ####################################### Please discuss this release on the samba-technical mailing list or by joining the #samba-technical:matrix.org matrix room, or #samba-technical IRC channel on irc.libera.chat. If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.? All bug reports should be filed under the Samba 4.1 and newer product in the project's Bugzilla database (https://bugzilla.samba.org/). ====================================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== ================ Download Details ================ The uncompressed tarballs and patch files have been signed using GnuPG (ID AA99442FB680B620).? The source code can be downloaded from: ??????? 
        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.20.1.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team

From foren at asche-rz.de Wed May 8 08:21:59 2024
From: foren at asche-rz.de (Ingo Asche)
Date: Wed, 8 May 2024 10:21:59 +0200
Subject: [Samba] Wiki - Best Practise to install a 2nd AD-DC or "backup"-DC
In-Reply-To: <95617452-1a87-4b90-8618-bef3f0cca30d@zxt10d.de>
References: <95617452-1a87-4b90-8618-bef3f0cca30d@zxt10d.de>
Message-ID: <246d2716-9dc6-4737-ba1e-8a8990988cf5@asche-rz.de>

Hi Torsten,

I think what you're searching for is this:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

By the way, in AD there's no backup DC. Except for the FSMO every DC has the same rights, it is a multi master replication in AD.

Regards
Ingo
https://github.com/WAdama

lists--- via samba wrote on 08.05.2024 at 09:48:
> Hello list,
>
> I searched the wiki, but couldn't find any article on this topic -
> maybe I used the wrong terms ...
>
> Is there a "Best Practise" documentation how to install a 2nd AD-DC
> (or "backup"-DC)?
>
> Cheers,
> Torsten
>

From rpenny at samba.org Wed May 8 08:23:44 2024
From: rpenny at samba.org (Rowland Penny)
Date: Wed, 8 May 2024 09:23:44 +0100
Subject: [Samba] Wiki - Best Practise to install a 2nd AD-DC or "backup"-DC
In-Reply-To: <95617452-1a87-4b90-8618-bef3f0cca30d@zxt10d.de>
References: <95617452-1a87-4b90-8618-bef3f0cca30d@zxt10d.de>
Message-ID: <20240508092344.6453d259@devstation.samdom.example.com>

On Wed, 8 May 2024 09:48:48 +0200
lists--- via samba wrote:

> Hello list,
>
> I searched the wiki, but couldn't find any article on this topic -
> maybe I used the wrong terms ...
>
> Is there a "Best Practise" documentation how to install a 2nd AD-DC
> (or "backup"-DC)?
>
> Cheers,
> Torsten
>

That will probably be:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

There is also no such thing as a 'backup' DC. All DCs are equal apart from the FSMO roles and they can be on any DC.

Rowland

From lperoma at icloud.com Wed May 8 08:46:57 2024
From: lperoma at icloud.com (Luis Peromarta)
Date: Wed, 8 May 2024 10:46:57 +0200
Subject: [Samba] Wiki - Best Practise to install a 2nd AD-DC or "backup"-DC
In-Reply-To: <20240508092344.6453d259@devstation.samdom.example.com>
References: <95617452-1a87-4b90-8618-bef3f0cca30d@zxt10d.de> <20240508092344.6453d259@devstation.samdom.example.com>
Message-ID:

This is a stripped down (simpler) version of the same process you may find useful:
http://samba.bigbird.es/doku.php?id=samba:aditional-dc

LP

On May 8, 2024 at 10:24 +0200, Rowland Penny via samba , wrote:
> On Wed, 8 May 2024 09:48:48 +0200
> lists--- via samba wrote:
>
> > Hello list,
> >
> > I searched the wiki, but couldn't find any article on this topic -
> > maybe I used the wrong terms ...
> >
> > Is there a "Best Practise" documentation how to install a 2nd AD-DC
> > (or "backup"-DC)?
> >
> > Cheers,
> > Torsten
> >
>
> That will probably be:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>
> There is also no such thing as a 'backup' DC, All DCs are equal apart
> from the FSMO roles and they can be on any DC.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

From lists at zxt10d.de Wed May 8 10:35:03 2024
From: lists at zxt10d.de (lists at zxt10d.de)
Date: Wed, 8 May 2024 12:35:03 +0200
Subject: [Samba] Wiki - Best Practise to install a 2nd AD-DC or "backup"-DC
In-Reply-To: <95617452-1a87-4b90-8618-bef3f0cca30d@zxt10d.de>
References: <95617452-1a87-4b90-8618-bef3f0cca30d@zxt10d.de>
Message-ID: <87d7b629-a2c4-4c28-88a5-0c7946ef0906@zxt10d.de>

Thanks a lot Ingo, Rowland and Luis!

[...]
INFO 2024-05-08 12:33:25,196 pid:2355 /usr/lib/python3/dist-packages/samba/join.py #1324: Sending DsReplicaUpdateRefs for all the replicated partitions
INFO 2024-05-08 12:33:25,261 pid:2355 /usr/lib/python3/dist-packages/samba/join.py #1354: Setting isSynchronized and dsServiceName
INFO 2024-05-08 12:33:25,281 pid:2355 /usr/lib/python3/dist-packages/samba/join.py #1369: Setting up secrets database
INFO 2024-05-08 12:33:25,418 pid:2355 /usr/lib/python3/dist-packages/samba/join.py #1631: Joined domain SAMPLE (SID S-1-5-21-358581295-2627552491-3057451940) as a DC

Seems it worked ;)

Cheers,
Torsten

On 08.05.2024 at 09:48, lists--- via samba wrote:
> Hello list,
>
> I searched the wiki, but couldn't find any article on this topic - maybe
> I used the wrong terms ...
>
> Is there a "Best Practise" documentation how to install a 2nd AD-DC (or
> "backup"-DC)?
>
> Cheers,
> Torsten
>

From foren at asche-rz.de Wed May 8 11:05:14 2024
From: foren at asche-rz.de (Ingo Asche)
Date: Wed, 8 May 2024 13:05:14 +0200
Subject: [Samba] Wiki - Best Practise to install a 2nd AD-DC or "backup"-DC
In-Reply-To: <87d7b629-a2c4-4c28-88a5-0c7946ef0906@zxt10d.de>
References: <95617452-1a87-4b90-8618-bef3f0cca30d@zxt10d.de> <87d7b629-a2c4-4c28-88a5-0c7946ef0906@zxt10d.de>
Message-ID: <2b2548f2-d5fd-44bb-b574-94b946fa568d@asche-rz.de>

Hi Torsten,

By the way: If you want to use GPOs, don't forget, there's no automatic Sysvol replication in Samba at the moment. You have to create something for that. I myself am using the rsync based variant:
https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround

Regards
Ingo
https://github.com/WAdama

lists--- via samba wrote on 08.05.2024 at 12:35:
> Thanks a lot Ingo, Rowland and Luis!
>
> [...]
> INFO 2024-05-08 12:33:25,196 pid:2355
> /usr/lib/python3/dist-packages/samba/join.py #1324: Sending
> DsReplicaUpdateRefs for all the replicated partitions
> INFO 2024-05-08 12:33:25,261 pid:2355
> /usr/lib/python3/dist-packages/samba/join.py #1354: Setting
> isSynchronized and dsServiceName
> INFO 2024-05-08 12:33:25,281 pid:2355
> /usr/lib/python3/dist-packages/samba/join.py #1369: Setting up secrets
> database
> INFO 2024-05-08 12:33:25,418 pid:2355
> /usr/lib/python3/dist-packages/samba/join.py #1631: Joined domain
> SAMPLE (SID S-1-5-21-358581295-2627552491-3057451940) as a DC
>
> Seems it worked ;)
>
> Cheers,
> Torsten
>
>

From mjt at tls.msk.ru Fri May 10 11:00:11 2024
From: mjt at tls.msk.ru (Michael Tokarev)
Date: Fri, 10 May 2024 14:00:11 +0300
Subject: [Samba] samba debian & ubuntu builds
Message-ID:

Hi!

After providing samba builds for several debian and ubuntu releases for over 1.5 years, I see this service is quite popular still. However, I'd love to understand how useful it is still, and which releases should be provided in the future.
For example, the samba 4.16.x series is end-of-life, there have been no updates for it for quite some time and none planned, either. Yet people do have it in their sources.list still, and the package list is being queried on a regular basis, getting the same list each time obviously. I removed this release from my repository some time ago and someone asked on the list for it the next day. But I think this becomes a mis-service, - when people see the repository for 4.16 is up and running, they think this release is supported and will receive updates and fixes (or else there would be no need to query the updated list of packages), while this is not the case anymore. So, I think I'll remove at least 4.16 packages (for all distributions), and 4.17 too (due to the same reason).

Now, Ubuntu 20.04 Focal Fossa and Debian 10 Buster are old too. Samba 4.19 and up can't be built for these easily anymore (required dependencies are missing). So we do have 4.18 packages for these distributions still (after removing 4.16 and 4.17), - maybe I'll keep this for a while, but their days are numbered anyway.

On the plus side, I added Ubuntu 24.04 Noble Numbat to the list of distributions, - this only has samba 4.20.x since it ships 4.19 out of the box already, and hopefully will keep it updated in the future (if not, it's not a big deal to add 4.19 too, as long as it is supported still). Dunno yet if these will be useful. Also, I haven't looked at further changes made to samba by ubuntu for 24.04, - I haven't heard anything from them at all, so don't know what they're doing.

This is JFYI, and please watch out which parts of the repository you're using and why. I still see some access URLs which were used at the very first test of this repository (for a week or so in autumn of 2022), - I renamed the paths within to simplify things, but quite some people still request old URLs every day 1.5 years later, apparently not caring at all what their systems are doing...
Thanks,

/mjt
--
GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24.
New key: rsa4096/61AD3D98ECDF2C8E 9D8B E14E 3F2A 9DD7 9199 28F1 61AD 3D98 ECDF 2C8E
Old key: rsa2048/457CE0A0804465C5 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt

From samba at pegasusnz.com Fri May 10 11:19:32 2024
From: samba at pegasusnz.com (Samba @ Pegasusnz)
Date: Fri, 10 May 2024 23:19:32 +1200
Subject: [Samba] kinit failure
Message-ID: <240BC23E-F264-44C2-BDFC-483A21A5F41A@pegasusnz.com>

Hi

Due to putting a DVD in my Virtual Machine Host Computer which then filled the logs with errors and subsequently filled the drive crashing all vms. Luckily I had a backup of the DC image which I restored and some machines just worked and some can't find KDC

kinit: Cannot contact any KDC for realm 'BALEWAN.UNICORN.COM' while getting initial credentials

I have tried leaving the domain and deleting computer if it still remained on DC
I have installed samba and friends
But on some machines this has not fixed the problem

DC2 is online 192.168.50.15
DC9 is offline 192.168.50.17
DC4 is trashed

On the machines that fail to rejoin they normally time out and give this error

ERROR(runtime): uncaught exception - (31, 'Failed to set machine spn: Time limit exceeded\nDo you have sufficient permissions to create machine accounts?')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 121, in run
    (sid, domain_name) = s3_net.join_member(netbios_name,
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Joining the domain partial log

Bind RPC Pipe: host dc2.balewan.unicorn.com auth_type 0, auth_level 1
rpc_api_pipe: host dc2.balewan.unicorn.com
signed SMB2 message (sign_algo_id=2)
rpc_read_send: data_to_read: 52
check_bind_response: accepted!
rpc_api_pipe: host dc2.balewan.unicorn.com signed SMB2 message (sign_algo_id=2) rpc_read_send: data_to_read: 32 rpc_api_pipe: host dc2.balewan.unicorn.com signed SMB2 message (sign_algo_id=2) rpc_read_send: data_to_read: 232 rpc_api_pipe: host dc2.balewan.unicorn.com signed SMB2 message (sign_algo_id=2) rpc_read_send: data_to_read: 32 signed SMB2 message (sign_algo_id=2) saf_fetch: failed to find server for "balewan.unicorn.com" domain get_dc_list: preferred server list: ", *" resolve_ads: Attempting to resolve KDCs for balewan.unicorn.com using DNS dns_rr_srv_fill_done: async DNS A lookup for dc2.balewan.unicorn.com [0] got dc2.balewan.unicorn.com -> 192.168.50.15 dns_rr_srv_fill_done: async DNS AAAA lookup for dc2.balewan.unicorn.com returned 0 addresses. dns_rr_srv_fill_done: async DNS A lookup for dc4.balewan.unicorn.com returned DNS code 3 dns_rr_srv_fill_done: async DNS AAAA lookup for dc4.balewan.unicorn.com returned DNS code 3 dns_rr_srv_fill_done: async DNS A lookup for dc9.balewan.unicorn.com [0] got dc9.balewan.unicorn.com -> 192.168.50.17 dns_rr_srv_fill_done: async DNS AAAA lookup for dc9.balewan.unicorn.com [0] got dc9.balewan.unicorn.com -> fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server 192.168.50.15 check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server 192.168.50.17 check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad get_dc_list: returning 3 ip addresses in an ordered list get_dc_list: 192.168.50.15 192.168.50.17 fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad saf_fetch: failed to find server for "balewan.unicorn.com" domain get_dc_list: preferred server list: ", *" resolve_ads: Attempting to resolve KDCs for balewan.unicorn.com using DNS dns_rr_srv_fill_done: async DNS A lookup for dc2.balewan.unicorn.com [0] got dc2.balewan.unicorn.com -> 192.168.50.15 dns_rr_srv_fill_done: async DNS 
AAAA lookup for dc2.balewan.unicorn.com returned 0 addresses. dns_rr_srv_fill_done: async DNS A lookup for dc4.balewan.unicorn.com returned DNS code 3 dns_rr_srv_fill_done: async DNS AAAA lookup for dc4.balewan.unicorn.com returned DNS code 3 dns_rr_srv_fill_done: async DNS A lookup for dc9.balewan.unicorn.com [0] got dc9.balewan.unicorn.com -> 192.168.50.17 dns_rr_srv_fill_done: async DNS AAAA lookup for dc9.balewan.unicorn.com [0] got dc9.balewan.unicorn.com -> fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server 192.168.50.15 check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server 192.168.50.17 check_negative_conn_cache returning result 0 for domain balewan.unicorn.com server fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad get_dc_list: returning 3 ip addresses in an ordered list get_dc_list: 192.168.50.15 192.168.50.17 fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad cldap_multi_netlogon_send: cldap_socket_init failed for ipv6:fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad:389 error NT_STATUS_ADDRESS_NOT_ASSOCIATED create_local_private_krb5_conf_for_domain: wrote file /run/samba/smb_krb5/krb5.conf.BALEWAN with realm BALEWAN.unicorn.COM KDC list: kdc = 192.168.50.15 sitename_fetch: Returning sitename for realm 'BALEWAN.unicorn.COM': "Balewan-Stable" namecache_fetch: name dc2.balewan.unicorn.com#20 found. 
ads_try_connect: ads_try_connect: sending CLDAP request to 192.168.50.15 (realm: balewan.unicorn.com) Successfully contacted LDAP server 192.168.50.15 Connecting to 192.168.50.15 at port 389 Connected to LDAP server dc2.balewan.unicorn.com KDC time offset is 0 seconds Found SASL mechanism GSS-SPNEGO ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2 ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2 ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10 kerberos_kinit_password Administrator at BALEWAN.unicorn.COM failed: Cannot contact any KDC for requested realm ads_sasl_spnego_bind: SASL bind with Kerberos failed for ldap/dc2.balewan.unicorn.com - user[Administrator], realm[BALEWAN.unicorn.COM]: Cannot contact any KDC for requested realm, try to fallback to NTLMSSP Starting GENSEC mechanism spnego Starting GENSEC submechanism ntlmssp Thanks for any help Callum From rpenny at samba.org Fri May 10 11:55:32 2024 From: rpenny at samba.org (Rowland Penny) Date: Fri, 10 May 2024 12:55:32 +0100 Subject: [Samba] kinit failure In-Reply-To: <240BC23E-F264-44C2-BDFC-483A21A5F41A@pegasusnz.com> References: <240BC23E-F264-44C2-BDFC-483A21A5F41A@pegasusnz.com> Message-ID: <20240510125532.1c6e1402@devstation.samdom.example.com> On Fri, 10 May 2024 23:19:32 +1200 "Samba @ Pegasusnz via samba" wrote: > Hi > > Due to putting a DVD in my Virtual Machine Host Computer which then > filled the logs with errors and subsequently filled the drive > crashing all vms. So, to all intents and purposes, your domain was dead. > Luckily I had a backup of the DC image which I > restored In an instance like this, you should be backing up the domain with samba-tool, not backing up an individual DC. If you had a domain backup, you could recreate your domain. But you have what you have. 
> and some machines just worked and some can't find KDC
> kinit: Cannot contact any KDC for realm 'BALEWAN.UNICORN.COM' while
> getting initial credentials I have tried leaving the domain and
> deleting computer if it still remained on DC I have installed samba
> and friends But on some machines this has not fixed the problem
>
> DC2 is online 192.168.50.15

I suggest you do this:
Seize all the FSMO roles to DC2, if it doesn't already hold them.
Forcibly demote any other DCs and then join new ones to replace them.

> DC9 is offline 192.168.50.17
> DC4 is trashed
>
> On the machine that fail to rejoin they normally time out and give
> this error
>
> ERROR(runtime): uncaught exception - (31, 'Failed to set machine spn:
> Time limit exceeded\nDo you have sufficient permissions to create
> machine accounts?') File
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279,
> in _run return self.run(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^
> File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py",
> line 121, in run (sid, domain_name) =
> s3_net.join_member(netbios_name, ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Any domain clients that are not working should be removed by running 'net ads leave -U administrator' and then joined again with 'net ads join -U administrator' (after you have checked that they can connect to a DC)

>
> Joining the domain partial log
>
> Bind RPC Pipe: host dc2.balewan.unicorn.com auth_type 0, auth_level 1
> rpc_api_pipe: host dc2.balewan.unicorn.com
> signed SMB2 message (sign_algo_id=2)
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host dc2.balewan.unicorn.com > signed SMB2 message (sign_algo_id=2) > rpc_read_send: data_to_read: 32 > rpc_api_pipe: host dc2.balewan.unicorn.com > signed SMB2 message (sign_algo_id=2) > rpc_read_send: data_to_read: 232 > rpc_api_pipe: host dc2.balewan.unicorn.com > signed SMB2 message (sign_algo_id=2) > rpc_read_send: data_to_read: 32 > signed SMB2 message (sign_algo_id=2) > saf_fetch: failed to find server for "balewan.unicorn.com" domain > get_dc_list: preferred server list: ", *" > resolve_ads: Attempting to resolve KDCs for balewan.unicorn.com using > DNS dns_rr_srv_fill_done: async DNS A lookup for > dc2.balewan.unicorn.com [0] got dc2.balewan.unicorn.com -> > 192.168.50.15 dns_rr_srv_fill_done: async DNS AAAA lookup for > dc2.balewan.unicorn.com returned 0 addresses. dns_rr_srv_fill_done: > async DNS A lookup for dc4.balewan.unicorn.com returned DNS code 3 > dns_rr_srv_fill_done: async DNS AAAA lookup for > dc4.balewan.unicorn.com returned DNS code 3 dns_rr_srv_fill_done: > async DNS A lookup for dc9.balewan.unicorn.com [0] got > dc9.balewan.unicorn.com -> 192.168.50.17 dns_rr_srv_fill_done: async > DNS AAAA lookup for dc9.balewan.unicorn.com [0] got > dc9.balewan.unicorn.com -> fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad > check_negative_conn_cache returning result 0 for domain > balewan.unicorn.com server 192.168.50.15 check_negative_conn_cache > returning result 0 for domain balewan.unicorn.com server > 192.168.50.17 check_negative_conn_cache returning result 0 for domain > balewan.unicorn.com server fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad > get_dc_list: returning 3 ip addresses in an ordered list get_dc_list: > 192.168.50.15 192.168.50.17 fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad > saf_fetch: failed to find server for "balewan.unicorn.com" domain > get_dc_list: preferred server list: ", *" resolve_ads: Attempting to > resolve KDCs for balewan.unicorn.com using DNS dns_rr_srv_fill_done: > async DNS A lookup for dc2.balewan.unicorn.com [0] got > 
dc2.balewan.unicorn.com -> 192.168.50.15 dns_rr_srv_fill_done: async > DNS AAAA lookup for dc2.balewan.unicorn.com returned 0 addresses. > dns_rr_srv_fill_done: async DNS A lookup for dc4.balewan.unicorn.com > returned DNS code 3 dns_rr_srv_fill_done: async DNS AAAA lookup for > dc4.balewan.unicorn.com returned DNS code 3 dns_rr_srv_fill_done: > async DNS A lookup for dc9.balewan.unicorn.com [0] got > dc9.balewan.unicorn.com -> 192.168.50.17 dns_rr_srv_fill_done: async > DNS AAAA lookup for dc9.balewan.unicorn.com [0] got > dc9.balewan.unicorn.com -> fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad > check_negative_conn_cache returning result 0 for domain > balewan.unicorn.com server 192.168.50.15 check_negative_conn_cache > returning result 0 for domain balewan.unicorn.com server > 192.168.50.17 check_negative_conn_cache returning result 0 for domain > balewan.unicorn.com server fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad > get_dc_list: returning 3 ip addresses in an ordered list get_dc_list: > 192.168.50.15 192.168.50.17 fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad > cldap_multi_netlogon_send: cldap_socket_init failed for > ipv6:fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad:389 error > NT_STATUS_ADDRESS_NOT_ASSOCIATED > create_local_private_krb5_conf_for_domain: wrote file > /run/samba/smb_krb5/krb5.conf.BALEWAN with realm BALEWAN.unicorn.COM > KDC list: kdc = 192.168.50.15 > > sitename_fetch: Returning sitename for realm 'BALEWAN.unicorn.COM': > "Balewan-Stable" namecache_fetch: name dc2.balewan.unicorn.com#20 > found. 
ads_try_connect: ads_try_connect: sending CLDAP request to > 192.168.50.15 (realm: balewan.unicorn.com) Successfully contacted > LDAP server 192.168.50.15 Connecting to 192.168.50.15 at port 389 > Connected to LDAP server dc2.balewan.unicorn.com > KDC time offset is 0 seconds > Found SASL mechanism GSS-SPNEGO > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2 > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2 > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10 > kerberos_kinit_password Administrator at BALEWAN.unicorn.COM failed: > Cannot contact any KDC for requested realm ads_sasl_spnego_bind: SASL > bind with Kerberos failed for ldap/dc2.balewan.unicorn.com - > user[Administrator], realm[BALEWAN.unicorn.COM]: Cannot contact any > KDC for requested realm, try to fallback to NTLMSSP Starting GENSEC > mechanism spnego Starting GENSEC submechanism ntlmssp > > Thanks for any help > > Callum I think your problem is that your AD dns is still supplying records for DCs that no longer work. Rowland From zhongdong.sun at yale.edu Fri May 10 19:02:04 2024 From: zhongdong.sun at yale.edu (Sun, Zhongdong) Date: Fri, 10 May 2024 19:02:04 +0000 Subject: [Samba] Samba domain name in short format In-Reply-To: <20240508064223.4bd1d7d8@devstation.samdom.example.com> References: <20240506210532.1fe40448@devstation.samdom.example.com> <20240507064331.3ea34f0f@devstation.samdom.example.com> <20240507192000.35406f55@devstation.samdom.example.com> <20240508064223.4bd1d7d8@devstation.samdom.example.com> Message-ID: Hi Rowland, Thanks for your advice. I discussed this with my manager and we will plan to upgrade the old system. But this will not be finished with short time. After reading many old emails in this forum, I made some changes in our Samba settings. First, we turned on winbind and added all necessary packages and setup for winbind. Finally, we can login with the short format, such as YALE\zs24. Thanks a lot for everyone in this forum. 
However, I meet with another very strange problem in the Samba. I can map most shares from this server, but some folders cannot be accessed. I compare this with other folders, and find these folders have special permissions. One example is the folder /data1/petfaculty/ which has this permission.

drwxrwx--- 93 hrrt petfaculty 12288 May 7 21:34 /data1/petfaculty/

In other words, it only allows users in the petfaculty group to access it. I'm sure my account is in this group. Actually, I can access this folder in Linux machine, but cannot access it via Samba. The smb status command shows some error messages like this.

chdir_current_service: vfs_ChDir(/data1/petfaculty) failed: Permission denied. Current token: uid=504, gid=505, 4 groups: 10003 10004 50054 10001

Here, 504 is my uid and 505 is my primary gid in the Linux system. For some reason, Samba cannot understand my other groups.

[root at hecate etc]# id zs24
uid=504(zs24) gid=505(pet) groups=505(pet),3525(CITlab),3505(admins),3528(calendar),3529(data16_private_folder),3527(deepimage),3521(draco),3523(git),3531(hecate),3535(nxtool),3517(orion),3526(pcfh),3524(petchem),3516(petfaculty),3530(pisces),3534(sagitta),3532(scorpio),3520(svn),3522(tech),502(xeons)

I tried to change this line in smb.conf file since someone said winbind didn't like sss. I tried ad, nss, nis, but they had no difference.

idmap config YALE : backend = sss

Could you or someone else provide more advice on what's going wrong here? Thanks.

Zhongdong

-----Original Message-----
From: samba On Behalf Of Rowland Penny via samba
Sent: Wednesday, May 8, 2024 1:42 AM
To: samba at lists.samba.org
Cc: Rowland Penny
Subject: Re: [Samba] Samba domain name in short format

On Tue, 7 May 2024 22:19:38 +0000
"Sun, Zhongdong" wrote:

> Hi Rowland,
>
> You are right. We are running some old software here, such as NIS.
> All this started 20 years ago when I joined the group and we had
> about 20-30 workstations running Linux.
> NIS was chosen at that time to
> manage user accounts. Some users were not familiar with Linux, so we
> provided Samba to them so that they could map Linux file systems to
> their computers. I know NIS is old technology and can be replaced with
> others, such as LDAP. But this is clinical research environment and is
> very difficult to change system. We have to live with this system.

Even 20 years ago NIS was dying and I have since found out that NIS has been removed from RHEL 9. I really think you need to seriously consider upgrading your setup.

>
> Fortunately, NIS is only used to manage account. And user
> authentication occurs in AD.

Samba, if used correctly, can manage the account, but you would have to join it to the AD domain and probably use the 'ad' idmap backend with RFC2307 attributes, that is if the current ID numbers must be used.

> So there is not too much security
> concern here. I'll say it's not easy to manage such a complicated and
> a little outdated system in a production environment, because we
> cannot shut down the system for upgrade or maintenance. For the Samba
> server, I just leave the production server running, and use another
> server to test new version of Samba. If it works, we may switch the
> new server as production system. Otherwise, we have to keep the
> current Samba server running.
>
> For the test Samba server, I followed the instructions to setup Samba,
> but without winbind. In my test, everything works except that it
> cannot recognize the short domain name YALE. If I use the full domain
> name yu.yale.edu, everything works well. But it's difficult to ask all
> users to use the long format. As I think, this seems a DNS issue. But
> I don't know how to tell Samba server to resolve the short name YALE
> as long name yu.yale.edu. I wonder if you or any experts here can
> provide any advice on this.

If you run Samba without winbind, then it cannot be joined to a domain and can only be a standalone server.
When it comes to the domain names, 'yu.yale.edu' looks like it is the AD dns domain (which means the kerberos realm will be 'YU.YALE.EDU'), 'YALE' will be the NetBIOS domain name, which is also known as the workgroup name or 'pre-windows 2000' domain name. So, while 'yu.yale.edu' seems to be working for you, I do not think 'YALE' not working is a dns problem, NetBIOS doesn't use dns.

Here is what I suggest you do, set up a test VM using Debian 12 and I will then talk you through joining that to your AD using Samba. You can then test its capabilities to see if you could use it instead of your present setup. The only 'problem' I can see is the NFS shares, it isn't a good idea to re-share them via Samba to Windows, you would probably be better off getting the Linux machines to use Samba instead.

My rule of thumb is:
All Linux machines, use NFS
A mixture of Linux and Windows machines, use Samba.

A side effect of using Samba is that your users will be able to logon using 'username' instead of 'YALE\username' or 'yu.yale.edu\username' if required.

Rowland

From rpenny at samba.org Fri May 10 20:07:20 2024
From: rpenny at samba.org (Rowland Penny)
Date: Fri, 10 May 2024 21:07:20 +0100
Subject: [Samba] Samba domain name in short format
In-Reply-To:
References: <20240506210532.1fe40448@devstation.samdom.example.com> <20240507064331.3ea34f0f@devstation.samdom.example.com> <20240507192000.35406f55@devstation.samdom.example.com> <20240508064223.4bd1d7d8@devstation.samdom.example.com>
Message-ID: <20240510210720.3f60b713@devstation.samdom.example.com>

On Fri, 10 May 2024 19:02:04 +0000
"Sun, Zhongdong" wrote:

> Hi Rowland,
>
> Thanks for your advice. I discussed this with my manager and we will
> plan to upgrade the old system. But this will not be finished with
> short time.
>
> After reading many old emails in this forum, I made some changes in
> our Samba settings. First, we turned on winbind and added all
> necessary packages and setup for winbind. Finally, we can login with
> the short format, such as YALE\zs24. Thanks a lot for everyone in
> this forum.
>
> However, I meet with another very strange problem in the Samba. I can
> map most shares from this server, but some folders cannot be
> accessed. I compare this with other folders, and find these folders
> have special permissions. One example is the folder
> /data1/petfaculty/ which has this permission. drwxrwx--- 93 hrrt
> petfaculty 12288 May 7 21:34 /data1/petfaculty/ In other words, it
> only allows users in petfaculty group access it. I'm sure my account
> is in this group. Actually, I can access this folder in Linux
> machine, but cannot access it via Samba. The smb status command shows
> some error messages like this. chdir_current_service:
> vfs_ChDir(/data1/petfaculty) failed: Permission denied. Current
> token: uid=504, gid=505, 4 groups: 10003 10004 50054 10001 Here, 504
> is my uid and 505 is my primary gid in the Linux system. For some
> reason, Samba cannot understand my other groups. [root at hecate etc]#
> id zs24 uid=504(zs24) gid=505(pet)
> groups=505(pet),3525(CITlab),3505(admins),3528(calendar),3529(data16_private_folder),3527(deepimage),3521(draco),3523(git),3531(hecate),3535(nxtool),3517(orion),3526(pcfh),3524(petchem),3516(petfaculty),3530(pisces),3534(sagitta),3532(scorpio),3520(svn),3522(tech),502(xeons)

I suggest you read the relevant manpages:

man idmap_*

Where '*' is one of 'rid', 'autorid', 'ad', 'nss'

There isn't a 'nis' idmap backend.

The 'rid' and 'autorid' both use the AD user or group RID and the DOMAIN low range you set in the smb.conf file.

The 'rid' backend uses this formula:

ID = RID - BASE_RID + LOW_RANGE_ID

The 'BASE_RID' defaults to '0', it is really:

ID = RID + LOW_RANGE_ID

'autorid' uses a similar formula.
The 'ad' backend relies on RFC2307 attributes being added to AD, they are not there by default.

The 'nss' backend requires both an AD user or group and a Unix user or group, both with the same name.

There is also a parameter 'min domain uid' which defaults to '1000', try setting 'min domain uid = 500' in smb.conf

>
> I tried to change this line in smb.conf file since someone said
> winbind didn't like sss. I tried ad, nss, nis, but they had no
> difference. idmap config YALE : backend = sss Could you or someone
> else provide more advice on what's going wrong here?

It isn't that the sss idmap backend isn't liked by winbind, it is that it's only really used by sssd and if you are using winbind with Samba (and if you set 'security = ADS' or 'server role = member server', you must), then you do not need sssd, in fact, in my opinion, you will be better off without it.

Rowland

From contactdarin at posteo.net Sun May 12 02:31:39 2024
From: contactdarin at posteo.net (contactdarin at posteo.net)
Date: Sun, 12 May 2024 02:31:39 +0000
Subject: [Samba] New Lemmy federated community for everything Samba (Unofficial)
Message-ID:

Hello all,

I have taken the liberty of creating a new Samba software community over on Lemmy. I realize that mailing lists are the traditional way projects communicate but I wanted a place more public and easier to use. For those who do not know, Lemmy is a federated forum platform.

Here are the links to the community:

Lemmy form: !sambasoftware at lemmy.sdf.org
lemmy.sdf.org: https://lemmy.sdf.org/c/sambasoftware [1]
Lemmy.world: https://lemmy.world/c/sambasoftware at lemmy.sdf.org [2]

If you are confused as to what or why this is you can safely ignore this email. Additionally, THIS COMMUNITY IS NOT OFFICIAL AND HAS NO AFFILIATION WITH SAMBA. This community was created by me as I do not like mailing lists.
Thank you,
Darin

Links:
------
[1] https://lemmy.sdf.org/c/sambasoftware
[2] https://lemmy.world/c/sambasoftware at lemmy.sdf.org

From tygre.chingu at gmail.com Mon May 13 02:00:58 2024
From: tygre.chingu at gmail.com (Tygre)
Date: Sun, 12 May 2024 22:00:58 -0400
Subject: [Samba] Cannot Get Samba to Work Without Encrypted Password with Legacy Client
In-Reply-To: <20240310103044.51d2cda8@devstation.samdom.example.com>
References: <40a81ec0-9b02-442a-b7a2-d3515f8b0d12@chingu.asia> <363123a3421290178efeacdcbd38717fbc8072c7.camel@samba.org> <236af36b-9036-4912-bd4a-2aaa846dddb6@chingu.asia> <20240310103044.51d2cda8@devstation.samdom.example.com>
Message-ID:

Hi Rowland,

As I explained before, my Amigas are connected via Samba to my Raspberry Pi, thanks to the (Amiga) smbfs client.

Yann

On 2024-03-10 06:30, Rowland Penny via samba wrote:
> On Sat, 9 Mar 2024 15:37:09 -0500
> Tygre via samba wrote:
>
>> Hi there,
>>
>> Sorry to come back to that, I tried to follow the code at
>> https://github.com/samba-team/samba/blob/master/source3/auth/auth.c#L214
>> (and below) but I still can't understand why one Samba client can
>> connect, but the other can't.
>>
>> I can't understand why, with one client, the code would go
>> into "check_samsec.c:183" (and return "sam_account_ok") while, with
>> the other client, the code would go immediately into "auth.c:251"
>> (and fail to login).
>>
>> Could you help me understand, which could maybe give me an
>> idea on configuring Samba for both client to work?
>>
>> Thanks in advance,
>> Yann
>>
>
> I think one of your problems is that you seem to be failing to
> understand that when you run Samba as a standalone server, it is
> also a client for other servers, this means that you may have missed
> this parameter: lanman auth
>
> Which defaults to 'no', so your 'server' will only use SMBv1 (at a
> minimum and if configured to do so) and, from memory, an Amiga hasn't a
> clue what SMB is.
>
> Rowland
>

--
-----------------------------------------
Scientific Progress Goes Boing!
http://www.chingu.asia/wiki
-----------------------------------------

From tygre.chingu at gmail.com Mon May 13 02:15:14 2024
From: tygre.chingu at gmail.com (Tygre)
Date: Sun, 12 May 2024 22:15:14 -0400
Subject: [Samba] Cannot Get Samba to Work Without Encrypted Password with Legacy Client
In-Reply-To:
References: <40a81ec0-9b02-442a-b7a2-d3515f8b0d12@chingu.asia> <363123a3421290178efeacdcbd38717fbc8072c7.camel@samba.org> <236af36b-9036-4912-bd4a-2aaa846dddb6@chingu.asia>
Message-ID: <5b9393a7-6186-437b-8bfa-6b6fab6f8352@chingu.asia>

Hi Andrew and thank you for your advice, it pointed in the right direction.

I was in a catch-22, to use rumba (the NeXT Samba client), I needed non-encrypted passwords, but to use smbfs (the Amiga Samba client), I needed encrypted passwords (as with my other Windows computers, anyway). So the "next best thing" is to configure my Samba server with "map to guest" and allow "guests" on certain shares.

Best!
Tygre

PS. For the record, my smb.conf looks like:

[global]
# Definition of the server
server role = standalone server
workgroup = GIB
dos charset = CP850
unix charset = UTF-8

# Security settings of the server
# For Amiga SMBFS clients:
ntlm auth = ntlmv1-permitted
# For NeXT Station client:
# (In short, the authentication with "rumba" always fails,
# the "bad user" is logged in as "smbuser" to access shares.
map to guest = bad user
guest account = smbuser

[Music]
path = /media/WWW/Music
writeable = yes
create mask = 0777
directory mask = 0777

[MusicRO]
# Needed for the NeXT Station
guest ok = yes
writeable = no
path = /media/WWW/Music

On 2024-03-10 16:29, Andrew Bartlett wrote:
> The logs below still look like Samba is configured for encrypted passwords.
>
> As to your other mail, please, please use a more recent version than Samba 4.9
>
> Andrew Bartlett
>
> On Sat, 2024-03-09 at 15:37 -0500, Tygre via samba wrote:
>> Hi there,
>>
>> Sorry to come back to that, I tried to follow the code at
>> https://github.com/samba-team/samba/blob/master/source3/auth/auth.c#L214
>> (and below) but I still can't understand why one Samba client can connect, but the other can't.
>>
>> I can't understand why, with one client, the code would go into "check_samsec.c:183" (and return "sam_account_ok") while, with the other client, the code would go immediately into "auth.c:251" (and fail to login).
>>
>> Could you help me understand, which could maybe give me an idea on configuring Samba for both client to work?
>>
>> Thanks in advance,
>> Yann
>>
>> PS. I'm running
>>
>> *** CAN CONNECT:
>>
>> [2024/03/09 15:16:09.376816, 10, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password)
>>   auth_check_ntlm_password: anonymous had nothing to say
>> [2024/03/09 15:16:09.383493, 4, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:183(sam_account_ok)
>>   sam_account_ok: Checking SMB password for user smbuser
>> [2024/03/09 15:16:09.386622, 5, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:165(logon_hours_ok)
>>   logon_hours_ok: user smbuser allowed to logon at this time (Sat Mar 9 20:16:09 2024
>> )
>> [2024/03/09 15:16:09.393510, 5, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/server_info_sam.c:122(make_server_info_sam)
>>   make_server_info_sam: made server info for user smbuser -> smbuser
>> [2024/03/09 15:16:09.397225, 3, pid=5930, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:256(auth_check_ntlm_password)
>>   auth_check_ntlm_password: sam_ignoredomain authentication for user [SMBUSER] succeeded
>>
>> *** CANNOT CONNECT:
>>
>> [2024/03/09 15:16:15.178909, 10, pid=5931, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:237(auth_check_ntlm_password)
>>   auth_check_ntlm_password: anonymous had nothing to say
>> [2024/03/09 15:16:15.187847, 5, pid=5931, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:251(auth_check_ntlm_password)
>>   auth_check_ntlm_password: sam_ignoredomain authentication for user [SMBUSER] FAILED with error NT_STATUS_WRONG_PASSWORD, authoritative=1
>>
>> On 2024-03-04 20:24, Andrew Bartlett wrote:
>>> On Mon, 2024-03-04 at 20:10 -0500, Tygre via samba wrote:
>>>> Hi there,
>>>>
>>>> I have looked for a solution to my problem on the Internet (and in particular this mailing list), but couldn't find one, probably due to searching for the wrong thing :-)
>>>>
>>>> I have an RPI running Samba version 4.9.5-Debian. "pdbedit -L" shows that the user "smbuser" exists. I used "smbpassword" to set the password of "smbuser". I also have several "old" computers that I want to connect to this RPI using Samba. I managed to get an Amiga connected to the Samba server, by adding the directive "ntlm auth = yes" to "smb.conf".
>>>>
>>>> But, I cannot get a NeXTstation to connect to the server. It seems to me that, because the client on the NeXTstation only deals with unencrypted passwords, the server is unable to verify the username/password. I tried using the directive "encrypt passwords = no", but then neither the Amiga nor the NeXTstation can connect, with the error: "FAILED with error NT_STATUS_LOGON_FAILURE".
>>>>
>>>> I don't understand why, by forcing unencrypted passwords, the server cannot find the username/password (anymore). I must be missing something to allow the Samba server to work with unencrypted passwords. Could anyone help?
>>>>
>>>> Thanks in advance!
>>>> Tygre
>>>>
>>>> PS. I do know that unencrypted passwords are insecure and a bad idea but, right now, I'd like both my Amiga and NeXTstation to connect, before "hardening" the server.
>>>> PPS. I join my "smb.conf", working with the Amiga (not the NeXTstation) and the log when trying to connect from the NeXTstation.
>>>
>>> You would be best to just use guest access and IP restrictions, but if you want a password it will be checking it against PAM, not the smbpasswd file.
>>>
>>> Andrew Bartlett
>>>
>>> --
>>> Andrew Bartlett (he/him) https://samba.org/~abartlet/
>>> Samba Team Member (since 2001) https://samba.org
>>> Samba Team Lead https://catalyst.net.nz/services/samba
>>> Catalyst.Net Ltd
>>>
>>> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
>>>
>>> Samba Development and Support: https://catalyst.net.nz/services/samba
>>>
>>> Catalyst IT - Expert Open Source Solutions
>>>
>>
>> --
>> -----------------------------------------
>> Scientific Progress Goes Boing!
>> http://www.chingu.asia/wiki
>> -----------------------------------------
>>
>
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
>
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
>
> Samba Development and Support: https://catalyst.net.nz/services/samba
>
> Catalyst IT - Expert Open Source Solutions
>

--
-----------------------------------------
Scientific Progress Goes Boing!
http://www.chingu.asia/wiki
-----------------------------------------

From aflorent at iris-tech.fr Mon May 13 08:18:08 2024
From: aflorent at iris-tech.fr (Arnaud FLORENT)
Date: Mon, 13 May 2024 10:18:08 +0200
Subject: [Samba] samba debian & ubuntu builds
In-Reply-To:
References:
Message-ID: <252a9bc0-14ca-4786-8d1e-aceaa42e39cb@iris-tech.fr>

Hi Michael

For us, we now update to 4.18 so we do not need the 4.16 series anymore.

I understand you want to remove older releases, but I think you should always keep published releases available even if they are outdated. Some configs are sometimes not compatible with the next samba release and it can take some time to fix. For example, we recently had to deal with the %I variable not being set in a root preexec script.

Additionally, if someone needs to reinstall a 20.04 server for example, he may need to be able to reinstall 4.16, 4.17 or 4.18. Ubuntu 20.04 is old but it is an LTS version, so even if you can not build 4.19 and up, admins may need to install the latest samba release available.

Ubuntu LTS is maintained for 10 years total: 5 years of standard support + 5 years of ESM, so you should at least not remove ubuntu/debian releases before...

Once again thank you very much for your work, it really helps us.

On 10/05/2024 at 13:00, Michael Tokarev via samba wrote:
> Hi!
>
> After providing samba builds for several debian and ubuntu releases for over 1.5 years,
> I see this service is quite popular still.
>
> However, I'd love to understand how useful it is still, and which releases should be
> provided in the future.
>
> For example, samba 4.16.x series is end-of-life, there has been no updates for it for
> quite some time and none planned, either. Yet people do have it in their sources.list
> still, and the package list is being queried on regular basis, getting the same list
> each time obviously. I removed this release from my repository some time ago and
> someone asked on the list for it the next day. But I think this becomes a mis-service, -
> when people see the repository for 4.16 is up and running, they think this release is
> supported and will receive updates and fixes (or else there would be no need to query
> the updated list of packages), while this is not the case anymore.
>
> So, I think I'll remove at least 4.16 packages (for all distributions), and 4.17 too
> (due to the same reason).
>
> Now, Ubuntu 20.04 Focal Fossa and Debian 10 Buster are old too. Samba 4.19 and up
> can't be built for these easily anymore (required dependencies are missing). So we
> do have 4.18 packages for these distributions still (after removing 4.16 and 4.17), -
> maybe I'll keep this for a while, but their days are numbered anyway.
>
> On the plus side, I added Ubuntu 24.04 Noble Numbat to the list of distributions, -
> this only has samba 4.20.x since it ships 4.19 out of the box already, and hopefully
> will keep it updated in the future (if not, it's not a big deal to add 4.19 too, as
> long as it is supported still). Dunno yet if these will be useful. Also, I haven't
> looked at further changes made to samba by ubuntu for 24.04, - I haven't heard
> anything from them at all, so don't know what they're doing.
>
> This is JFYI, and please watch out which parts of the repository you're using and
> why. I still see some access URLs which were used at the very first test of this
> repository (for a week or so in autumn of 2022), - I renamed the paths within to
> simplify things, but quite some people still request old URLs every day 1.5 years
> later, apparently not caring at all what their systems are doing...
>
> Thanks,
>
> /mjt

--
Arnaud FLORENT
IRIS Technologies

From gregs at sloop.net Tue May 14 00:10:20 2024
From: gregs at sloop.net (Gregory Sloop)
Date: Mon, 13 May 2024 17:10:20 -0700
Subject: [Samba] Samba DC and alternate sudo login
Message-ID: <18810472213.20240513171020@sloop.net>

I feel like this should be super easy, and that I must be doing something dumb, but I need to create another sudo user for the VMs the DCs are running on.

I've created a "domain admin" equivalent user in AD - and perhaps this account can be used. I also attempted to create a local user and add them to the local sudo group, but that didn't seem to work.

But I don't *need* an AD account. I can simply create a local user on each DC for sudo use, but I'll need a way that works. (When I attempt to create the local user, it prompts for the password, and then an NT password. And when I try to SSH/login to that local account, it fails.)

What's the most straight-forward approach to this?

Other details:
OS: Ubuntu 20.04
MJT packages: 4.16.11 (Yeah, I know there are newer packages, but haven't moved to 4.18/19/20 yet. It's on the list tho.)

TIA

-Greg

From samba at pegasusnz.com Tue May 14 05:18:28 2024
From: samba at pegasusnz.com (Samba @ Pegasusnz)
Date: Tue, 14 May 2024 17:18:28 +1200
Subject: [Samba] kinit failure
In-Reply-To: <20240510125532.1c6e1402@devstation.samdom.example.com>
References: <240BC23E-F264-44C2-BDFC-483A21A5F41A@pegasusnz.com> <20240510125532.1c6e1402@devstation.samdom.example.com>
Message-ID: <3B6E1743-3F52-4948-B7D5-EC09F9B2194E@pegasusnz.com>

> On 10 May 2024, at 11:55 PM, Rowland Penny via samba wrote:
>
> On Fri, 10 May 2024 23:19:32 +1200
> "Samba @ Pegasusnz via samba" wrote:
>
>> Luckily I had a backup of the DC image which I restored
>
> In an instance like this, you should be backing up the domain with
> samba-tool, not backing up an individual DC. If you had a domain
> backup, you could recreate your domain.
> But you have what you have.
I do have a backup of the domain but since I was moving VMs around I thought this option would be easier

>
>> and some machines just worked and some can't find KDC
>> kinit: Cannot contact any KDC for realm 'BALEWAN.UNICORN.COM ' while getting initial credentials
>> I have tried leaving the domain and deleting computer if it still remained on DC
>> I have installed samba and friends
>> But on some machines this has not fixed the problem
>>
>> DC2 is online 192.168.50.15
>
> I suggest you do this:
>
> Seize all the FSMO roles to DC2, if it doesn't already hold them.
> Forcibly demote any other DCs and then join new ones to replace them.

That is what I had already done

>
>> DC9 is offline 192.168.50.17
>> DC4 is trashed
>>
>> On the machines that fail to rejoin they normally time out and give this error
>>
>> ERROR(runtime): uncaught exception - (31, 'Failed to set machine spn: Time limit exceeded\nDo you have sufficient permissions to create machine accounts?')
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
>>     return self.run(*args, **kwargs)
>>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 121, in run
>>     (sid, domain_name) = s3_net.join_member(netbios_name,
>>                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Any domain clients that are not working should be removed by running
> 'net ads leave -U administrator' and then joined again with 'net ads
> join -U administrator' (after you have checked that they can connect to
> a DC)

It turns out that there is strange behaviour in Virtual Box Debian 12
Virtual box servers running on the same host seem to have problems talking securely
It seems if they have established a connection with a previous version they will continue to chat

Not only does it affect kinit but ssh hangs as well

I reset the mtu with

ip link set mtu 1400 dev enp0s3

And boom kinit and ssh suddenly works

Also I wanted to deploy a new DC with an updated domain name but Debian 12 Samba 4.16 would hang on deploy, maybe for the same reason. When I installed the backports version everything was fine.

HTH some poor soul in the future

>
>> Joining the domain partial log
>>
>> Bind RPC Pipe: host dc2.balewan.unicorn.com auth_type 0, auth_level 1
>> rpc_api_pipe: host dc2.balewan.unicorn.com
>> signed SMB2 message (sign_algo_id=2)
>> rpc_read_send: data_to_read: 52
>> check_bind_response: accepted!
>> rpc_api_pipe: host dc2.balewan.unicorn.com
>> signed SMB2 message (sign_algo_id=2)
>> rpc_read_send: data_to_read: 32
>> rpc_api_pipe: host dc2.balewan.unicorn.com
>> signed SMB2 message (sign_algo_id=2)
>> rpc_read_send: data_to_read: 232
>> rpc_api_pipe: host dc2.balewan.unicorn.com
>> signed SMB2 message (sign_algo_id=2)
>> rpc_read_send: data_to_read: 32
>> signed SMB2 message (sign_algo_id=2)
>> saf_fetch: failed to find server for "balewan.unicorn.com" domain
>> get_dc_list: preferred server list: ", *"
>> resolve_ads: Attempting to resolve KDCs for balewan.unicorn.com using DNS
>> dns_rr_srv_fill_done: async DNS A lookup for dc2.balewan.unicorn.com [0] got dc2.balewan.unicorn.com -> 192.168.50.15
>> dns_rr_srv_fill_done: async DNS AAAA lookup for dc2.balewan.unicorn.com returned 0 addresses.
dns_rr_srv_fill_done: >> async DNS A lookup for dc4.balewan.unicorn.com returned DNS code 3 >> dns_rr_srv_fill_done: async DNS AAAA lookup for >> dc4.balewan.unicorn.com returned DNS code 3 dns_rr_srv_fill_done: >> async DNS A lookup for dc9.balewan.unicorn.com [0] got >> dc9.balewan.unicorn.com -> 192.168.50.17 dns_rr_srv_fill_done: async >> DNS AAAA lookup for dc9.balewan.unicorn.com [0] got >> dc9.balewan.unicorn.com -> fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad >> check_negative_conn_cache returning result 0 for domain >> balewan.unicorn.com server 192.168.50.15 check_negative_conn_cache >> returning result 0 for domain balewan.unicorn.com server >> 192.168.50.17 check_negative_conn_cache returning result 0 for domain >> balewan.unicorn.com server fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad >> get_dc_list: returning 3 ip addresses in an ordered list get_dc_list: >> 192.168.50.15 192.168.50.17 fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad >> saf_fetch: failed to find server for "balewan.unicorn.com" domain >> get_dc_list: preferred server list: ", *" resolve_ads: Attempting to >> resolve KDCs for balewan.unicorn.com using DNS dns_rr_srv_fill_done: >> async DNS A lookup for dc2.balewan.unicorn.com [0] got >> dc2.balewan.unicorn.com -> 192.168.50.15 dns_rr_srv_fill_done: async >> DNS AAAA lookup for dc2.balewan.unicorn.com returned 0 addresses. 
>> dns_rr_srv_fill_done: async DNS A lookup for dc4.balewan.unicorn.com >> returned DNS code 3 dns_rr_srv_fill_done: async DNS AAAA lookup for >> dc4.balewan.unicorn.com returned DNS code 3 dns_rr_srv_fill_done: >> async DNS A lookup for dc9.balewan.unicorn.com [0] got >> dc9.balewan.unicorn.com -> 192.168.50.17 dns_rr_srv_fill_done: async >> DNS AAAA lookup for dc9.balewan.unicorn.com [0] got >> dc9.balewan.unicorn.com -> fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad >> check_negative_conn_cache returning result 0 for domain >> balewan.unicorn.com server 192.168.50.15 check_negative_conn_cache >> returning result 0 for domain balewan.unicorn.com server >> 192.168.50.17 check_negative_conn_cache returning result 0 for domain >> balewan.unicorn.com server fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad >> get_dc_list: returning 3 ip addresses in an ordered list get_dc_list: >> 192.168.50.15 192.168.50.17 fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad >> cldap_multi_netlogon_send: cldap_socket_init failed for >> ipv6:fd8e:3a44:f7a7:d347:a00:27ff:fe9f:7dad:389 error >> NT_STATUS_ADDRESS_NOT_ASSOCIATED >> create_local_private_krb5_conf_for_domain: wrote file >> /run/samba/smb_krb5/krb5.conf.BALEWAN with realm BALEWAN.unicorn.COM >> KDC list: kdc = 192.168.50.15 >> >> sitename_fetch: Returning sitename for realm 'BALEWAN.unicorn.COM': >> "Balewan-Stable" namecache_fetch: name dc2.balewan.unicorn.com#20 >> found. 
ads_try_connect: ads_try_connect: sending CLDAP request to >> 192.168.50.15 (realm: balewan.unicorn.com) Successfully contacted >> LDAP server 192.168.50.15 Connecting to 192.168.50.15 at port 389 >> Connected to LDAP server dc2.balewan.unicorn.com >> KDC time offset is 0 seconds >> Found SASL mechanism GSS-SPNEGO >> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2 >> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2 >> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10 >> kerberos_kinit_password Administrator at BALEWAN.unicorn.COM failed: >> Cannot contact any KDC for requested realm ads_sasl_spnego_bind: SASL >> bind with Kerberos failed for ldap/dc2.balewan.unicorn.com - >> user[Administrator], realm[BALEWAN.unicorn.COM]: Cannot contact any >> KDC for requested realm, try to fallback to NTLMSSP Starting GENSEC >> mechanism spnego Starting GENSEC submechanism ntlmssp >> >> Thanks for any help >> >> Callum > > I think your problem is that your AD dns is still supplying records for > DCs that no longer work. 
>
> Rowland
>

From rpenny at samba.org Tue May 14 07:21:28 2024
From: rpenny at samba.org (Rowland Penny)
Date: Tue, 14 May 2024 08:21:28 +0100
Subject: [Samba] kinit failure
In-Reply-To: <3B6E1743-3F52-4948-B7D5-EC09F9B2194E@pegasusnz.com>
References: <240BC23E-F264-44C2-BDFC-483A21A5F41A@pegasusnz.com> <20240510125532.1c6e1402@devstation.samdom.example.com> <3B6E1743-3F52-4948-B7D5-EC09F9B2194E@pegasusnz.com>
Message-ID: <20240514082128.7fbd514b@devstation.samdom.example.com>

On Tue, 14 May 2024 17:18:28 +1200
"Samba @ Pegasusnz via samba" wrote:

>
>
> > On 10 May 2024, at 11:55 PM, Rowland Penny via samba wrote:
> >
> > On Fri, 10 May 2024 23:19:32 +1200
> > "Samba @ Pegasusnz via samba" wrote:
> >
> >> Luckily I had a backup of the DC image which I restored
> >
> > In an instance like this, you should be backing up the domain with
> > samba-tool, not backing up an individual DC. If you had a domain
> > backup, you could recreate your domain.
> > But you have what you have.
>
> I do have a backup of the domain but since I was moving VMs around I
> thought this option would be easier

If you have a catastrophic failure, then I would suggest rebuilding the domain from a domain backup is the best option. To be honest, I would never restore a single DC from a backup, I would forcibly demote the dead DC and create a new one.

> >
> >> and some machines just worked and some can't find KDC
> >> kinit: Cannot contact any KDC for realm 'BALEWAN.UNICORN.COM
> >> ' while getting initial credentials I
> >> have tried leaving the domain and deleting computer if it still
> >> remained on DC I have installed samba and friends But on some
> >> machines this has not fixed the problem
> >>
> >> DC2 is online 192.168.50.15
> >
> > I suggest you do this:
> >
> > Seize all the FSMO roles to DC2, if it doesn't already hold them.
> > Forcibly demote any other DCs and then join new ones to replace
> > them.
>
> That is what I had already done
>
> >
> >> DC9 is offline 192.168.50.17
> >> DC4 is trashed
> >>
> >> On the machines that fail to rejoin they normally time out and give
> >> this error
> >>
> >> ERROR(runtime): uncaught exception - (31, 'Failed to set machine
> >> spn: Time limit exceeded\nDo you have sufficient permissions to
> >> create machine accounts?') File
> >> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
> >> 279, in _run return self.run(*args, **kwargs)
> >> ^^^^^^^^^^^^^^^^^^^^^^^^^ File
> >> "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line
> >> 121, in run (sid, domain_name) = s3_net.join_member(netbios_name,
> >> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> > Any domain clients that are not working should be removed by running
> > 'net ads leave -U administrator' and then joined again with 'net ads
> > join -U administrator' (after you have checked that they can
> > connect to a DC)
>
> It turns out that there is strange behaviour in Virtual Box Debian 12
> Virtual box servers running on the same host seem to have problems
> talking securely It seems if they have established a connection with
> a previous version they will continue to chat
>
> Not only does it affect kinit but ssh hangs as well

I wasn't aware of that, will have to look into it.

>
> I reset the mtu with
> ip link set mtu 1400 dev enp0s3
>
> And boom kinit and ssh suddenly works
>
> Also I wanted to deploy a new DC with an updated domain name but

Samba doesn't support changing the domain name.
Rowland

From rpenny at samba.org Tue May 14 07:29:01 2024
From: rpenny at samba.org (Rowland Penny)
Date: Tue, 14 May 2024 08:29:01 +0100
Subject: [Samba] Samba DC and alternate sudo login
In-Reply-To: <18810472213.20240513171020@sloop.net>
References: <18810472213.20240513171020@sloop.net>
Message-ID: <20240514082901.220d5bd5@devstation.samdom.example.com>

On Mon, 13 May 2024 17:10:20 -0700
Gregory Sloop via samba wrote:

> I feel like this should be super easy, and that I must be doing
> something dumb, but I need to create another sudo user for the VMs
> the DCs are running on.
>
> I've created a "domain admin" equivalent user in AD - and perhaps
> this account can be used. I also attempted to create a local user and
> add them to the local sudo group, but that didn't seem to work.
> But I don't *need* an AD account. I can simply create a local user on
> each DC for sudo use, but I'll need a way that works. (When I attempt
> to create the local user, it prompts for the password, and then an NT
> password. And when I try to SSH/login to that local account, it
> fails.)

It shouldn't ask you for an NT password, how are you creating the 'local' user ?

Rowland

From varigergo07 at gmail.com Tue May 14 07:29:25 2024
From: varigergo07 at gmail.com (Gergő Vári)
Date: Tue, 14 May 2024 07:29:25 +0000
Subject: [Samba] Samba with external SSO
Message-ID:

Hi!

My goal is to connect Authentik to Samba (running on Ubuntu).

What I tried (with no success):

- Samba directly to the LDAP outpost (as Authentik can expose its internal DB like that): this would/will work but Authentik can't use the Samba scheme at the moment.

- Samba -> PAM -> sssd -> LDAP outpost: in theory this worked a long time ago (SMBv1?) but as the password is not sent in the clear (as I understand it's nonce-based) this is not a possible solution (+ somewhere it was explicitly stated sssd support was dropped)

- Samba + (sssd) + Winbind + LDAP? Couldn't try this one, as I have seen that basically sssd=Winbind (yet there WAS a module for Winbind to use sssd?)

...and this is where I got stuck.

What would I need to connect Authentik and Samba together without AD being the central place where I store users? (As two-way sync isn't in Authentik atm. with AD)

(Ideally I'd avoid AD, but at this point I'm open to many things.)

(I've followed the mailing list etiquette to the best of my abilities: this is my first message on any of them.)

From rpenny at samba.org Tue May 14 07:58:24 2024
From: rpenny at samba.org (Rowland Penny)
Date: Tue, 14 May 2024 08:58:24 +0100
Subject: [Samba] Samba with external SSO
In-Reply-To:
References:
Message-ID: <20240514085824.04243955@devstation.samdom.example.com>

On Tue, 14 May 2024 07:29:25 +0000
Gergő Vári via samba wrote:

> Hi!
>
> My goal is to connect Authentik to Samba (running on Ubuntu).
>
> What I tried (with no success):
> - Samba directly to the LDAP outpost (as Authentik can expose its
> internal DB like that): this would/will work but Authentik can't use
> the Samba scheme at the moment.

I wouldn't rely on the samba ldap schema anyway, it is mainly meant for the old NT4-style PDCs and they rely on SMBv1 and there is a good chance they will be removed at some point, they are deprecated already.

> - Samba -> PAM -> sssd -> LDAP outpost: in theory this worked a long
> time ago (SMBv1?) but as the password is not sent in the clear (as I
> understand it's nonce-based) this is not a possible solution (+
> somewhere it was explicitly stated sssd support was dropped)

That should tell you something.

> - Samba + (sssd) + Winbind + LDAP? Couldn't try this one, as I have seen
> that basically sssd=Winbind (yet there WAS a module for Winbind to
> use sssd?)

The winbind daemon came first and is used to connect Samba to AD, from my understanding it was mostly written by one person.
That person then went on to work for redhat, where they wrote sssd to connect to freeipa, using the winbind code as a base, in fact, sssd still requires some of the Samba packages to function.

>
> ...and this is where I got stuck.
>
> What would I need to connect Authentik and Samba together without AD
> being the central place where I store users? (As two-way sync isn't
> in Authentik atm. with AD)

There is your (and Authentik's) problem, AD is the source of truth, it is where users, groups and computers etc are stored, it is where passwords are stored (in an unreadable unicode hash). In other words, AD must be in charge. This is not to say that you could not setup an external ldap server and sync users & passwords between it and AD, but it will be, in my opinion, a lot of work for little return, especially as there are other SSO providers that work with AD directly.

Rowland

From varigergo07 at gmail.com Tue May 14 08:39:58 2024
From: varigergo07 at gmail.com (Gergő Vári)
Date: Tue, 14 May 2024 08:39:58 +0000
Subject: [Samba] Samba with external SSO
In-Reply-To: <20240514085824.04243955@devstation.samdom.example.com>
References: <20240514085824.04243955@devstation.samdom.example.com>
Message-ID: <205B472B-8075-4D89-8C3A-7F1B19159E91@gmail.com>

>That should tell you something.

You're absolutely right on that.

>> - Samba + (sssd) + Winbind + LDAP? Couldn't try this one, as I have seen
>> that basically sssd=Winbind (yet there WAS a module for Winbind to
>> use sssd?)
>
>The winbind daemon came first and is used to connect Samba to AD, from
>my understanding it was mostly written by one person. That person then
>went on to work for redhat, where they wrote sssd to connect to
>freeipa, using the winbind code as a base, in fact, sssd still requires
>some of the Samba packages to function.

Thanks for clearing that up!

>>
>> ...and this is where I got stuck.
>>
>> What would I need to connect Authentik and Samba together without AD
>> being the central place where I store users? (As two-way sync isn't
>> in Authentik atm. with AD)
>
>There is your (and Authentik's) problem, AD is the source of truth, it
>is where users, groups and computers etc are stored, it is where
>passwords are stored (in an unreadable unicode hash). In other words,
>AD must be in charge. This is not to say that you could not setup an
>external ldap server and sync users & passwords between it and AD, but
>it will be, in my opinion, a lot of work for little return, especially
>as there are other SSO providers that work with AD directly.

I see, there's the reason that I struggle with this so much: so this idea has to be put on hold for now.

...but thinking of the broader picture: are there any plans to make this even work or will AD "have to be in charge" in the foreseeable future too?

Thanks for your answer.
Greg.

From rpenny at samba.org Tue May 14 08:48:25 2024
From: rpenny at samba.org (Rowland Penny)
Date: Tue, 14 May 2024 09:48:25 +0100
Subject: [Samba] Samba with external SSO
In-Reply-To: <205B472B-8075-4D89-8C3A-7F1B19159E91@gmail.com>
References: <20240514085824.04243955@devstation.samdom.example.com> <205B472B-8075-4D89-8C3A-7F1B19159E91@gmail.com>
Message-ID: <20240514094825.5e47d940@devstation.samdom.example.com>

On Tue, 14 May 2024 08:39:58 +0000
Gergő Vári via samba wrote:

>
> >That should tell you something.
>
> You're absolutely right on that.
>
> >> - Samba + (sssd) + Winbind + LDAP? Couldn't try this one, as I have seen
> >> that basically sssd=Winbind (yet there WAS a module for Winbind to
> >> use sssd?)
> >
> >The winbind daemon came first and is used to connect Samba to AD,
> >from my understanding it was mostly written by one person. That
> >person then went on to work for redhat, where they wrote sssd to
> >connect to freeipa, using the winbind code as a base, in fact, sssd
> >still requires some of the Samba packages to function.
> 
> Thanks for clearing that up!
> 
> >>
> >> ...and this is where I got stuck.
> >>
> >> What would I need to connect Authentik and Samba together without
> >> AD being the central place where I store users? (As two-way sync
> >> isn't in Authentik atm. with AD)
> >
> >There is your (and Authentik's) problem, AD is the source of truth, it
> >is where users, groups and computers etc are stored, it is where
> >passwords are stored (in an unreadable unicode hash). In other words,
> >AD must be in charge. This is not to say that you could not setup an
> >external ldap server and sync users & passwords between it and AD,
> >but it will be, in my opinion, a lot of work for little return,
> >especially as there are other SSO providers that work with AD
> >directly.
> 
> I see, there's the reason that I struggle with this so much: so this
> idea has to be put on hold for now.
> 
> ...but thinking of the broader picture: are there any plans to make
> this even work or AD will "have to be in charge" in the foreseeable
> future too?
> 

You would have to take that up with Microsoft. Samba is trying to be
fully compatible with Microsoft AD and that has been the source of
truth for nearly 25 years, so I do not realistically expect it to
change.

Rowland

From eflorac at intellique.com Tue May 14 09:48:14 2024
From: eflorac at intellique.com (Emmanuel Florac)
Date: Tue, 14 May 2024 11:48:14 +0200
Subject: [Samba] New Lemmy federated community for everything Samba (Unofficial)
In-Reply-To: 
References: 
Message-ID: <20240514114814.55032096@harpe.intellique.com>

On Sun, 12 May 2024 02:31:39 +0000, Darin via samba wrote:

> Hello all,
> 
> I have taken the liberty of creating a new Samba software community
> over on Lemmy. I realize that mailing lists are the traditional way
> projects communicate but I wanted a place more public and easier to
> use. For those who do not know, Lemmy is a federated forums platform.
> 
> Here are the links to the community:
> 
> Lemmy forum: !sambasoftware at lemmy.sdf.org
> 
> lemmy.sdf.org: https://lemmy.sdf.org/c/sambasoftware [1]
> 
> Lemmy.world: https://lemmy.world/c/sambasoftware at lemmy.sdf.org [2]
> 
> If you are confused as to what or why this is you can safely ignore
> this email. Additionally, THIS COMMUNITY IS NOT OFFICIAL AND HAS NO
> AFFILIATION WITH SAMBA. This community was created by me as I do not
> like mailing lists.

Hello,

I've just subscribed, I hope it will be active :)

-- 
------------------------------------------------------------------------
Emmanuel Florac | Technical management
------------------------------------------------------------------------
https://intellique.com +33 6 16 30 15 95
------------------------------------------------------------------------

From gregs at sloop.net Tue May 14 13:11:01 2024
From: gregs at sloop.net (Gregory Sloop)
Date: Tue, 14 May 2024 06:11:01 -0700
Subject: [Samba] Samba DC and alternate sudo login
In-Reply-To: <20240514082901.220d5bd5@devstation.samdom.example.com>
References: <18810472213.20240513171020@sloop.net>
 <20240514082901.220d5bd5@devstation.samdom.example.com>
Message-ID: <15910052719.20240514061101@sloop.net>

> On Mon, 13 May 2024 17:10:20 -0700
> Gregory Sloop via samba wrote:

>> I feel like this should be super easy, and that I must be doing
>> something dumb, but I need to create another sudo user for the VM's
>> the DC's are running on.

>> I've created a "domain admin" equivalent user in AD - and perhaps
>> this account can be used. I also attempted to create a local user and
>> add them to the local sudo group, but that didn't seem to work.

>> But I don't *need* an AD account. I can simply create a local user on
>> each DC for sudo use, but I'll need a way that works.
>> (When I attempt
>> to create the local user, it prompts for the password, and then an NT
>> password. And when I try to SSH/login to that local account, it
>> fails.)

> It shouldn't ask you for an NT password, how are you creating the
> 'local' user ?

As root I use;
adduser

I tried it again as a test.
In the add-user process, I get a prompt for the "Current Kerberos password:" (I didn't pay a lot of attention the first time, when it asked for an NT password - so I'm not sure where that came up.)

If I give it null passwords (just hit enter), I get
passwd: Authentication token manipulation error
passwd: password unchanged

So, I'm a little puzzled.

-Greg

From rpenny at samba.org Tue May 14 13:21:12 2024
From: rpenny at samba.org (Rowland Penny)
Date: Tue, 14 May 2024 14:21:12 +0100
Subject: [Samba] Samba DC and alternate sudo login
In-Reply-To: <15910052719.20240514061101@sloop.net>
References: <18810472213.20240513171020@sloop.net>
 <20240514082901.220d5bd5@devstation.samdom.example.com>
 <15910052719.20240514061101@sloop.net>
Message-ID: <20240514142112.48ee9a0a@devstation.samdom.example.com>

On Tue, 14 May 2024 06:11:01 -0700
Gregory Sloop via samba wrote:

> 
> 
> > On Mon, 13 May 2024 17:10:20 -0700
> > Gregory Sloop via samba wrote:
> 
> >> I feel like this should be super easy, and that I must be doing
> >> something dumb, but I need to create another sudo user for the VM's
> >> the DC's are running on.
> 
> >> I've created a "domain admin" equivalent user in AD - and perhaps
> >> this account can be used. I also attempted to create a local user
> >> and add them to the local sudo group, but that didn't seem to
> >> work. But I don't *need* an AD account. I can simply create a
> >> local user on each DC for sudo use, but I'll need a way that
> >> works. (When I attempt to create the local user, it prompts for
> >> the password, and then an NT password. And when I try to SSH/login
> >> to that local account, it fails.)
> 
> > It shouldn't ask you for an NT password, how are you creating the
> > 'local' user ?
> 
> As root I use;
> adduser
> 
> 
> I tried it again as a test.
> In the add-user process, I get a prompt for the "Current Kerberos
> password:" (I didn't pay a lot of attention the first time, when it
> asked for an NT password - so I'm not sure where that came up.) If I
> give it null passwords (just hit enter), I get passwd: Authentication
> token manipulation error passwd: password unchanged
> 
> So, I'm a little puzzled.
> 
> -Greg
> 

I asked because before I replied to your post, I tried to create a user
and got this:

adminuser at tmpdc1:~ $ sudo adduser testadmin
Adding user `testadmin' ...
Adding new group `testadmin' (1001) ...
Adding new user `testadmin' (1001) with group `testadmin (1001)' ...
Creating home directory `/home/testadmin' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for testadmin
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
Adding new user `testadmin' to supplemental / extra groups `users' ...
Adding user `testadmin' to group `users' ...

Now I was doing this on one of my DCs, which runs Raspberry pi OS, but
that is really just Debian 12 tweaked.

Can I ask if you have libpam-krb5 installed ?
Rowland

From gregs at sloop.net Tue May 14 13:35:24 2024
From: gregs at sloop.net (Gregory Sloop)
Date: Tue, 14 May 2024 06:35:24 -0700
Subject: [Samba] Samba DC and alternate sudo login
In-Reply-To: <20240514142112.48ee9a0a@devstation.samdom.example.com>
References: <18810472213.20240513171020@sloop.net>
 <20240514082901.220d5bd5@devstation.samdom.example.com>
 <15910052719.20240514061101@sloop.net>
 <20240514142112.48ee9a0a@devstation.samdom.example.com>
Message-ID: <98796651.20240514063524@sloop.net>

> adminuser at tmpdc1:~ $ sudo adduser testadmin
> Adding user `testadmin' ...
> Adding new group `testadmin' (1001) ...
> Adding new user `testadmin' (1001) with group `testadmin (1001)' ...
> Creating home directory `/home/testadmin' ...
> Copying files from `/etc/skel' ...

It's at this point I get the Kerberos password prompt BTW.

> New password:
> Retype new password:
> passwd: password updated successfully
> Changing the user information for testadmin
> Enter the new value, or press ENTER for the default
>         Full Name []:
>         Room Number []:
>         Work Phone []:
>         Home Phone []:
>         Other []:
> Is the information correct? [Y/n] y
> Adding new user `testadmin' to supplemental / extra groups `users' ...
> Adding user `testadmin' to group `users' ...

> Now I was doing this on one of my DCs, which runs Raspberry pi OS, but
> that is really just Debian 12 tweaked.

> Can I ask if you have libpam-krb5 installed ?

Yes.

From gaio at lilliput.linux.it Tue May 14 13:51:01 2024
From: gaio at lilliput.linux.it (Marco Gaiarin)
Date: Tue, 14 May 2024 15:51:01 +0200
Subject: [Samba] Win11 22H2 and Point'n'Print status...
Message-ID: <3r6chk-0661.ln1@leia.lilliput.linux.it>

I'm still using Point'n'Print, but now I'm introducing some Win11 22H2
computers, and having many troubles.
After the last security patches, installing drivers was a nightmare, so I'm
currently using other means (normally, WPKG) to deploy printer drivers to
PCs, and using Point'n'Print for printer management and configuration.

But in Windows 11 printers do not install, and if installed (because the
user came from a Win10 profile), they appear 'half installed': applications
see them, while the printer control panel does not, but they do NOT work
anyway (no settings, no printing).

If I try to install the printer, I catch this error:

Windows cannot connect to the printer. Check the printer name and try
again. If this is a network printer, make sure that the printer is turned
on and that the printer address is correct.

It seems not to be a driver problem; I can install drivers and connect
printers to the IPP cups queue, and they work; unfortunately, some printers
require some particular configuration and I cannot do it by hand for 200+
users.

I've been trying to google for it, finding these:

https://www.techrepublic.com/article/how-to-fix-printer-connection/
https://support.microsoft.com/en-us/topic/managing-deployment-of-printer-rpc-binding-changes-for-cve-2021-1678-kb4599464-12a69652-30b9-3d61-d9f7-7201623a8b25

but setting the specified registry keys does not solve it.

To set/solve the previous issue I do (in Win7, 10 and 11):

and specifically for Win10 and 11:

I've tried to find some info in the Windows event viewer and in the Samba
logs, but there's nothing, no errors, no warnings, whatsoever...

Is there something I can do? Does someone have some document to point me
to?

Thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)

From keesvanvloten at gmail.com Tue May 14 15:49:45 2024
From: keesvanvloten at gmail.com (Kees van Vloten)
Date: Tue, 14 May 2024 17:49:45 +0200
Subject: [Samba] Samba DC and alternate sudo login
In-Reply-To: <15910052719.20240514061101@sloop.net>
References: <18810472213.20240513171020@sloop.net>
 <20240514082901.220d5bd5@devstation.samdom.example.com>
 <15910052719.20240514061101@sloop.net>
Message-ID: <8c938933-9c6d-4cb7-ba78-e9dc8a810464@gmail.com>

On 14-05-2024 15:11, Gregory Sloop via samba wrote:
>
>> On Mon, 13 May 2024 17:10:20 -0700
>> Gregory Sloop via samba wrote:
>>> I feel like this should be super easy, and that I must be doing
>>> something dumb, but I need to create another sudo user for the VM's
>>> the DC's are running on.
>>> I've created a "domain admin" equivalent user in AD - and perhaps
>>> this account can be used. I also attempted to create a local user and
>>> add them to the local sudo group, but that didn't seem to work.
>>> But I don't *need* an AD account. I can simply create a local user on
>>> each DC for sudo use, but I'll need a way that works. (When I attempt
>>> to create the local user, it prompts for the password, and then an NT
>>> password. And when I try to SSH/login to that local account, it
>>> fails.)
>> It shouldn't ask you for an NT password, how are you creating the
>> 'local' user ?
> As root I use;
> adduser
>
>
> I tried it again as a test.
> In the add-user process, I get a prompt for the "Current Kerberos password:" (I didn't pay a lot of attention the first time, when it asked for an NT password - so I'm not sure where that came up.)
>
> If I give it null passwords (just hit enter), I get
> passwd: Authentication token manipulation error
> passwd: password unchanged

I would suspect your pam is configured to use winbind as well...

>
> So, I'm a little puzzled.
if you install libuser (apt-get install libuser) you get a set of tools
that will always and only operate on local accounts, e.g. commands like
this:

lchsh, lchfn, lid, lnewusers, lgroupadd, luseradd, lgroupdel, luserdel,
lusermod, lgroupmod, lchage, lpasswd

- Kees.

>
> -Greg
>

From gregs at sloop.net Tue May 14 16:23:48 2024
From: gregs at sloop.net (Greg Sloop )
Date: Tue, 14 May 2024 09:23:48 -0700
Subject: [Samba] Samba DC and alternate sudo login
In-Reply-To: <8c938933-9c6d-4cb7-ba78-e9dc8a810464@gmail.com>
References: <18810472213.20240513171020@sloop.net>
 <20240514082901.220d5bd5@devstation.samdom.example.com>
 <15910052719.20240514061101@sloop.net>
 <8c938933-9c6d-4cb7-ba78-e9dc8a810464@gmail.com>
Message-ID: 

Wow. Cool. Learn something new every day! :)
I'll try that!
Thanks so much.

On Tue, May 14, 2024 at 8:51 AM Kees van Vloten via samba <
samba at lists.samba.org> wrote:

>
> On 14-05-2024 15:11, Gregory Sloop via samba wrote:
> >
> >> On Mon, 13 May 2024 17:10:20 -0700
> >> Gregory Sloop via samba wrote:
> >>> I feel like this should be super easy, and that I must be doing
> >>> something dumb, but I need to create another sudo user for the VM's
> >>> the DC's are running on.
> >>> I've created a "domain admin" equivalent user in AD - and perhaps
> >>> this account can be used. I also attempted to create a local user and
> >>> add them to the local sudo group, but that didn't seem to work.
> >>> But I don't *need* an AD account. I can simply create a local user on
> >>> each DC for sudo use, but I'll need a way that works. (When I attempt
> >>> to create the local user, it prompts for the password, and then an NT
> >>> password. And when I try to SSH/login to that local account, it
> >>> fails.)
> >> It shouldn't ask you for an NT password, how are you creating the
> >> 'local' user ?
> > As root I use;
> > adduser
> >
> >
> > I tried it again as a test.
> > In the add-user process, I get a prompt for the "Current Kerberos
> password:" (I didn't pay a lot of attention the first time, when it asked
> for an NT password - so I'm not sure where that came up.)
> >
> > If I give it null passwords (just hit enter), I get
> > passwd: Authentication token manipulation error
> > passwd: password unchanged
> I would suspect your pam is configured to use winbind as well...
> >
> > So, I'm a little puzzled.
> if you install libuser (apt-get install libuser) you get a set of tools
> that will always and only operate on local accounts, e.g. commands like
> this:
>
> lchsh, lchfn, lid, lnewusers, lgroupadd, luseradd, lgroupdel, luserdel,
> lusermod, lgroupmod, lchage, lpasswd
>
> - Kees.
>
> >
> > -Greg
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

From rpenny at samba.org Tue May 14 16:32:59 2024
From: rpenny at samba.org (Rowland Penny)
Date: Tue, 14 May 2024 17:32:59 +0100
Subject: [Samba] Samba DC and alternate sudo login
In-Reply-To: <98796651.20240514063524@sloop.net>
References: <18810472213.20240513171020@sloop.net>
 <20240514082901.220d5bd5@devstation.samdom.example.com>
 <15910052719.20240514061101@sloop.net>
 <20240514142112.48ee9a0a@devstation.samdom.example.com>
 <98796651.20240514063524@sloop.net>
Message-ID: <20240514173259.50851b7d@devstation.samdom.example.com>

On Tue, 14 May 2024 06:35:24 -0700
Gregory Sloop via samba wrote:

> 
> > Can I ask if you have libpam-krb5 installed ?
> 
> Yes.

Ah, that is your problem, if you are using winbind, you do not need it.
Rowland

From gregs at sloop.net Tue May 14 16:48:47 2024
From: gregs at sloop.net (Greg Sloop )
Date: Tue, 14 May 2024 09:48:47 -0700
Subject: [Samba] Samba DC and alternate sudo login
In-Reply-To: <20240514173259.50851b7d@devstation.samdom.example.com>
References: <18810472213.20240513171020@sloop.net>
 <20240514082901.220d5bd5@devstation.samdom.example.com>
 <15910052719.20240514061101@sloop.net>
 <20240514142112.48ee9a0a@devstation.samdom.example.com>
 <98796651.20240514063524@sloop.net>
 <20240514173259.50851b7d@devstation.samdom.example.com>
Message-ID: 

> Ah, that is your problem, if you are using winbind, you do not need it.

It's been a while since I did the setup, but IIRC, Louis' setup
walk-through installed it.
(But yeah, it's been a long while - so I could certainly be wrong.)

I don't know that it really matters though. Are there any other
undesirable impacts from having it installed?

-Greg

On Tue, May 14, 2024 at 9:34 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 14 May 2024 06:35:24 -0700
> Gregory Sloop via samba wrote:
>
> >
> > > Can I ask if you have libpam-krb5 installed ?
> >
> > Yes.
>
> Ah, that is your problem, if you are using winbind, you do not need it.
>
> Rowland
>

From rpenny at samba.org Tue May 14 17:02:54 2024
From: rpenny at samba.org (Rowland Penny)
Date: Tue, 14 May 2024 18:02:54 +0100
Subject: [Samba] Samba DC and alternate sudo login
In-Reply-To: 
References: <18810472213.20240513171020@sloop.net>
 <20240514082901.220d5bd5@devstation.samdom.example.com>
 <15910052719.20240514061101@sloop.net>
 <20240514142112.48ee9a0a@devstation.samdom.example.com>
 <98796651.20240514063524@sloop.net>
 <20240514173259.50851b7d@devstation.samdom.example.com>
Message-ID: <20240514180254.7fa0ddb1@devstation.samdom.example.com>

On Tue, 14 May 2024 09:48:47 -0700
"Greg Sloop " wrote:

> > Ah, that is your problem, if you are using winbind, you do not need
> > it.
> 
> It's been a while since I did the setup, but IIRC, Louis' setup
> walk-through installed it.
> (But yeah, it's been a long while - so I could certainly be wrong.)
> 
> I don't know that it really matters though. Is there any other
> undesirable impacts from having it installed?
> 

That would be my fault, I initially thought libpam-krb5 was required on
a Unix domain member, but it isn't. I haven't installed it in years.

Rowland

From gregs at sloop.net Tue May 14 17:05:46 2024
From: gregs at sloop.net (Greg Sloop )
Date: Tue, 14 May 2024 10:05:46 -0700
Subject: [Samba] Samba DC and alternate sudo login
In-Reply-To: <20240514180254.7fa0ddb1@devstation.samdom.example.com>
References: <18810472213.20240513171020@sloop.net>
 <20240514082901.220d5bd5@devstation.samdom.example.com>
 <15910052719.20240514061101@sloop.net>
 <20240514142112.48ee9a0a@devstation.samdom.example.com>
 <98796651.20240514063524@sloop.net>
 <20240514173259.50851b7d@devstation.samdom.example.com>
 <20240514180254.7fa0ddb1@devstation.samdom.example.com>
Message-ID: 

Any harm in removing it now?
On Tue, May 14, 2024, 10:04 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Tue, 14 May 2024 09:48:47 -0700
> "Greg Sloop " wrote:
>
> > > Ah, that is your problem, if you are using winbind, you do not need
> > > it.
> >
> > It's been a while since I did the setup, but IIRC, Louis' setup
> > walk-through installed it.
> > (But yeah, it's been a long while - so I could certainly be wrong.)
> >
> > I don't know that it really matters though. Is there any other
> > undesirable impacts from having it installed?
> >
>
> That would be my fault, I initially thought libpam-krb5 was required on
> a Unix domain member, but it isn't. I haven't installed it in years.
>
> Rowland
>

From rpenny at samba.org Tue May 14 17:19:07 2024
From: rpenny at samba.org (Rowland Penny)
Date: Tue, 14 May 2024 18:19:07 +0100
Subject: [Samba] Samba DC and alternate sudo login
In-Reply-To: 
References: <18810472213.20240513171020@sloop.net>
 <20240514082901.220d5bd5@devstation.samdom.example.com>
 <15910052719.20240514061101@sloop.net>
 <20240514142112.48ee9a0a@devstation.samdom.example.com>
 <98796651.20240514063524@sloop.net>
 <20240514173259.50851b7d@devstation.samdom.example.com>
 <20240514180254.7fa0ddb1@devstation.samdom.example.com>
Message-ID: <20240514181907.1a3a6f45@devstation.samdom.example.com>

On Tue, 14 May 2024 10:05:46 -0700
"Greg Sloop " wrote:

> Any harm in removing it now?
> 

No, just make sure everything is removed.

Rowland

From paul.szabo at sydney.edu.au Wed May 15 07:27:53 2024
From: paul.szabo at sydney.edu.au (Paul Szabo)
Date: Wed, 15 May 2024 17:27:53 +1000
Subject: [Samba] Group write does not allow delete or rename?
Message-ID: 

Dear Samba list,

I have an issue with what seems to be group permissions, when using a
stand-alone Samba file server.

I have a directory where files are meant to be writable to a group of
users.
The permissions on Linux are:

root# ls -ld /users/misc/teaching /users/misc/teaching/*
drwxrws--- 2 teaching csos 4096 May 15 08:47 /users/misc/teaching
-rw-rw---- 1 teaching csos   17 May 15 08:23 /users/misc/teaching/test.txt

so the users in that group:

root# grep csos /etc/group
csos:*:113:bruce,mike,psz

can do anything to the files: read, write, delete, or create new files.
(Newly created files would be owned by the creator and might end up with
"wrong" permissions, I have a CRON job to "fix" owner and permissions.)
This scheme works well on Linux.

To make these (and some other) files accessible to Windows users, I run a
stand-alone Samba server, and Windows users (in the group) can read and
write the files (e.g. can edit with notepad); can also create new files.
But, they cannot delete or rename (pre-existing) files!

I wonder whether this oddity is caused by some setting in my smb.conf
(shown below); or there is some bug in Samba; or my expectations are
wrong and this is a "sorry no can't do" issue.

An observation, that seems an oddity. When on Windows and checking
permissions of the file, I see "Unix User\teaching" to have full control;
while "Unix Group\teaching" only has Read&Execute, Read and Write, and no
FullControl or Modify permissions; checking advanced permissions, the
group misses FullControl, Delete, ChangePermissions and TakeOwnership
rights. It seems odd that the Linux "rw-" for the user translates into
full control, while for the group it translates into just Read and Write,
and also Read&Execute.

Thanks in advance for any ideas or help you may provide.
Thanks, Paul

My smb.conf file (comments within deleted for brevity):

[global]
   workgroup = ENNAGROUP
   passdb backend = smbpasswd:/var/lib/samba/private/smbpasswd
   hostname lookups = yes
   invalid users = root
   wide links = yes
   guest account = smbguest
   load printers = no
   utmp = yes
   mangled names = no
   map archive = no
   preexec = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Connect %S for %u from %m (%M, %I)'
   postexec = /usr/bin/logger -pdaemon.info -t 'samba[%d]' 'Disconnect %S for %u from %m (%M, %I)'
   debug pid = yes
   debug uid = yes
   strict locking = no
   unix extensions = no
   dont descend = /proc,/dev
   socket options = TCP_NODELAY
   server min protocol = NT1
   ntlm auth = ntlmv1-permitted
   log file = /var/log/samba/log.%M
   max log size = 1000
   logging = file
   panic action = /usr/share/samba/panic-action %d
   server role = standalone server
   obey pam restrictions = yes
   unix password sync = no
   passwd program = /bin/false
   pam password change = no
   map to guest = never
   client signing = mandatory
   restrict anonymous = 2
   usershare max shares = 0
   usershare allow guests = no
   vfs objects = acl_xattr
   acl_xattr:ignore system acls = yes
   create mask = 0744
   directory mask = 0755

[home]
   path = /users/%g/%u
   create mask = 0700
   directory mask = 0700
   writeable = Yes
   posix locking = No
   veto files = /$RECYCLE.BIN/

[teaching]
   path = /users/misc/teaching
   create mask = 0700
   directory mask = 0700
   writeable = Yes
   posix locking = No

-- 
Paul Szabo psz at maths.usyd.edu.au www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics University of Sydney Australia

From rpenny at samba.org Wed May 15 07:50:56 2024
From: rpenny at samba.org (Rowland Penny)
Date: Wed, 15 May 2024 08:50:56 +0100
Subject: [Samba] Group write does not allow delete or rename?
In-Reply-To: 
References: 
Message-ID: <20240515085056.2e0e497f@devstation.samdom.example.com>

On Wed, 15 May 2024 17:27:53 +1000
Paul Szabo via samba wrote:

> Dear Samba list,
> 
> I have an issue with what seems to be group permissions, when using a
> stand-alone Samba file server.
> 
> I have a directory where files are meant to be writable to a group of
> users. The permissions on Linux are:
> 
> root# ls -ld /users/misc/teaching /users/misc/teaching/*
> drwxrws--- 2 teaching csos 4096 May 15 08:47 /users/misc/teaching
> -rw-rw---- 1 teaching csos   17 May 15 08:23
> /users/misc/teaching/test.txt
> 

It doesn't matter what you have set there, those permissions will be
ignored by Samba because you also have 'acl_xattr:ignore system acls =
yes' set. Setting that does exactly what it says on the tin, Samba will
ignore the system permissions.

Rowland

From infractory at gmail.com Wed May 15 08:36:03 2024
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 15 May 2024 10:36:03 +0200
Subject: [Samba] file sharing using native NFS4 ACLs on Linux
Message-ID: 

Hi everyone,

Is it possible on Linux systems to share through SMB managed by Samba
some NFS4 mounted FS and that Samba is using NFS4 ACLs only?

The point would be to not store anything on Samba regarding ACLs...

Best regards,

mathias

From gaio at lilliput.linux.it Wed May 15 09:40:24 2024
From: gaio at lilliput.linux.it (Marco Gaiarin)
Date: Wed, 15 May 2024 11:40:24 +0200
Subject: [Samba] Win11 22H2 and Point'n'Print status...
In-Reply-To: <3r6chk-0661.ln1@leia.lilliput.linux.it>; from SmartGate on Wed, May 15, 2024 at 12:06:02PM +0200
References: <3r6chk-0661.ln1@leia.lilliput.linux.it>
Message-ID: <6hcehk-jqr.ln1@leia.lilliput.linux.it>

Hello! Marco Gaiarin, on that day, wrote...

> Is there something I can do? Does someone have some document to point me to?

Evidently I've had some google-panic attack.
;-)

https://learn.microsoft.com/en-us/troubleshoot/windows-client/printing/windows-11-rpc-connection-updates-for-print

Doing:

suffices.

Sorry to all.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)

From rpenny at samba.org Wed May 15 10:31:02 2024
From: rpenny at samba.org (Rowland Penny)
Date: Wed, 15 May 2024 11:31:02 +0100
Subject: [Samba] file sharing using native NFS4 ACLs on Linux
In-Reply-To: 
References: 
Message-ID: <20240515113102.508e52aa@devstation.samdom.example.com>

On Wed, 15 May 2024 10:36:03 +0200
mathias dufresne via samba wrote:

> Hi everyone,
> 
> Is it possible on Linux systems to share through SMB managed by Samba
> some NFS4 mounted FS and that Samba is using NFS4 ACLs only?

Re-sharing an NFS filesystem by Samba isn't a good idea.

> 
> The point would be to not store anything on Samba regarding ACLs...

And the point to that would be ???

You might be able to do this on one of the BSDs, but not on Linux and
as I already mentioned, sharing an NFS filesystem via Samba isn't a
good idea.

Rowland

From paul.szabo at sydney.edu.au Wed May 15 11:00:01 2024
From: paul.szabo at sydney.edu.au (Paul Szabo)
Date: Wed, 15 May 2024 21:00:01 +1000
Subject: [Samba] Group write does not allow delete or rename?
In-Reply-To: <20240515085056.2e0e497f@devstation.samdom.example.com>
References: <20240515085056.2e0e497f@devstation.samdom.example.com>
Message-ID: <376ffee2-1361-4ab0-ad51-717cff3a7f21@sydney.edu.au>

Dear Rowland,

Thanks for the hint, it sounds like I should get rid of the line
"acl_xattr:ignore system acls = yes" in smb.conf.
I think I read that there was a change in its meaning, around version
4.5 or so. Thanks, this gives me something to experiment with.

Could you please tell me what I would "lose" if I also dropped the
"vfs objects = acl_xattr" line? I do not remember why I have it there.

Thanks, Paul

On 15/5/24 17:50, Rowland Penny via samba wrote:
> On Wed, 15 May 2024 17:27:53 +1000
> Paul Szabo via samba wrote:
> 
>> Dear Samba list,
>>
>> I have an issue with what seems to be group permissions, when using a
>> stand-alone Samba file server.
>>
>> I have a directory where files are meant to be writable to a group of
>> users. The permissions on Linux are:
>>
>> root# ls -ld /users/misc/teaching /users/misc/teaching/*
>> drwxrws--- 2 teaching csos 4096 May 15 08:47 /users/misc/teaching
>> -rw-rw---- 1 teaching csos   17 May 15 08:23
>> /users/misc/teaching/test.txt
>>
> 
> It doesn't matter what you have set there, those permissions will be
> ignored by Samba because you also have 'acl_xattr:ignore system acls =
> yes' set. Setting that does exactly what it says on the tin, Samba will
> ignore the system permissions.
> 
> Rowland

-- 
Paul Szabo psz at maths.usyd.edu.au www.maths.usyd.edu.au/u/psz
School of Mathematics and Statistics University of Sydney Australia
Join the Union and fight for a better University: www.nteu.au/join

From infractory at gmail.com Wed May 15 11:02:24 2024
From: infractory at gmail.com (mathias dufresne)
Date: Wed, 15 May 2024 13:02:24 +0200
Subject: [Samba] file sharing using native NFS4 ACLs on Linux
In-Reply-To: <20240515113102.508e52aa@devstation.samdom.example.com>
References: <20240515113102.508e52aa@devstation.samdom.example.com>
Message-ID: 

On Wed, 15 May 2024 at 12:32, Rowland Penny via samba wrote:

> On Wed, 15 May 2024 10:36:03 +0200
> mathias dufresne via samba wrote:
>
> > Hi everyone,
> >
> > Is it possible on Linux systems to share through SMB managed by Samba
> > some NFS4 mounted FS and that Samba is using NFS4 ACLs only?
>
> Re sharing an NFS filesystem by Samba isn't a good idea.
>

Agreed. But I'm not necessarily the one who decides...

>
> >
> > The point would be to not store anything on Samba regarding ACLs...
>
> And the point to that would be ???
>

The point is to share twice the same space. Even though that does not
sound like a great idea to me, it is the same remark as previously
written.

There are other options than NFS but the blocking point is still the
lack of NFS4 ACLs support on Linux.

> You might be able to do this on one of the BSDs, but not on Linux and
> as I already mentioned, sharing an NFS filesystem via Samba isn't a
> good idea.
>

What's missing to get Samba on Linux systems to be able to fully use
NFS4 ACLs?
- some code in Samba
- some improvements in NFS4 ACLs implementations (at least one)
- a bit of both?

>
> Rowland
>

Best regards,

mathias

From rpenny at samba.org Wed May 15 12:01:28 2024
From: rpenny at samba.org (Rowland Penny)
Date: Wed, 15 May 2024 13:01:28 +0100
Subject: [Samba] Group write does not allow delete or rename?
In-Reply-To: <376ffee2-1361-4ab0-ad51-717cff3a7f21@sydney.edu.au>
References: <20240515085056.2e0e497f@devstation.samdom.example.com>
 <376ffee2-1361-4ab0-ad51-717cff3a7f21@sydney.edu.au>
Message-ID: <20240515130128.1e3f960f@devstation.samdom.example.com>

On Wed, 15 May 2024 21:00:01 +1000
Paul Szabo via samba wrote:

> Dear Rowland,
> 
> Thanks for the hint, it sounds like I should get rid of the line
> "acl_xattr:ignore system acls = yes" in smb.conf. I think I read
> that there was a change in its meaning, around version 4.5 or so.
> Thanks, this gives me something to experiment with.

Not that I am aware, it has always meant the same thing, ignore the
system permissions if set to yes.

> 
> Could you please tell me what I would "lose" if I also dropped the
> "vfs objects = acl_xattr" line?
> I do not remember why I have it there.
>

You would lose the ability to set finer permissions using setfacl and
to easily set permissions from Windows.

Rowland

From rpenny at samba.org Wed May 15 12:04:42 2024
From: rpenny at samba.org (Rowland Penny)
Date: Wed, 15 May 2024 13:04:42 +0100
Subject: [Samba] file sharing using native NFS4 ACLs on Linux
In-Reply-To:
References: <20240515113102.508e52aa@devstation.samdom.example.com>
Message-ID: <20240515130442.65e40f80@devstation.samdom.example.com>

On Wed, 15 May 2024 13:02:24 +0200
mathias dufresne via samba wrote:

> On Wed, 15 May 2024 at 12:32, Rowland Penny via samba wrote:
>
> > On Wed, 15 May 2024 10:36:03 +0200
> > mathias dufresne via samba wrote:
> >
> > > Hi everyone,
> > >
> > > Is it possible on Linux systems to share through SMB managed by
> > > Samba some NFS4 mounted FS and that Samba is using NFS4 ACLs only?
> >
> > Re-sharing an NFS filesystem by Samba isn't a good idea.
> >
>
> Agreed. But I'm not necessarily the one who decides...
>
>
> > >
> > > The point would be to not store anything on Samba regarding
> > > ACLs...
> >
> > And the point to that would be ???
> >
> > The point is to share twice the same space. Even though that does
> > not
> sound like a great idea to me, it is the same remark as previously
> written.
>
> There are other options than NFS but the blocking point is still the
> lack of NFS4 ACLs support on Linux.
>
>
> > You might be able to do this on one of the BSDs, but not on Linux
> > and as I already mentioned, sharing an NFS filesystem via Samba
> > isn't a good idea.
> >
>
> What's missing to get Samba on Linux systems to be able to fully use
> NFS4 ACLs?
> - some code in Samba
> - some improvements in NFS4 ACLs implementations (at least one)
> - a bit of both?
No, if I understand it right, you need to convince someone called Linus
to allow them into the Linux kernel, good luck with that ;-)

Rowland

From keesvanvloten at gmail.com Wed May 15 12:13:33 2024
From: keesvanvloten at gmail.com (Kees van Vloten)
Date: Wed, 15 May 2024 14:13:33 +0200
Subject: [Samba] file sharing using native NFS4 ACLs on Linux
In-Reply-To: <20240515130442.65e40f80@devstation.samdom.example.com>
References: <20240515113102.508e52aa@devstation.samdom.example.com>
 <20240515130442.65e40f80@devstation.samdom.example.com>
Message-ID: <43960f0c-7789-43ba-b942-d3b0264b752b@gmail.com>

On 15-05-2024 at 14:04, Rowland Penny via samba wrote:
> On Wed, 15 May 2024 13:02:24 +0200
> mathias dufresne via samba wrote:
>
>> On Wed, 15 May 2024 at 12:32, Rowland Penny via samba wrote:
>>
>>> On Wed, 15 May 2024 10:36:03 +0200
>>> mathias dufresne via samba wrote:
>>>
>>>> Hi everyone,
>>>>
>>>> Is it possible on Linux systems to share through SMB managed by
>>>> Samba some NFS4 mounted FS and that Samba is using NFS4 ACLs only?
>>> Re-sharing an NFS filesystem by Samba isn't a good idea.
>>>
>> Agreed. But I'm not necessarily the one who decides...
>>
>>
>>>> The point would be to not store anything on Samba regarding
>>>> ACLs...
>>> And the point to that would be ???
>>>
>>> The point is to share twice the same space. Even though that does
>>> not
>> sound like a great idea to me, it is the same remark as previously
>> written.
>>
>> There are other options than NFS but the blocking point is still the
>> lack of NFS4 ACLs support on Linux.
>>
>>
>>> You might be able to do this on one of the BSDs, but not on Linux
>>> and as I already mentioned, sharing an NFS filesystem via Samba
>>> isn't a good idea.
>>>
>> What's missing to get Samba on Linux systems to be able to fully use
>> NFS4 ACLs?
>> - some code in Samba
>> - some improvements in NFS4 ACLs implementations (at least one)
>> - a bit of both?
> No, if I understand it right, you need to convince someone called Linus
> to allow them into the Linux kernel, good luck with that ;-)

This is indeed the situation for the nfs4-kernel-server. The Linux
nfs4-client does support nfs4acls, according to
https://wiki.samba.org/index.php/NFS4_ACL_overview

As a result Samba stores ntacls (very similar to nfs4acls) in an
extended attribute instead, that is if you have acl_xattr enabled in
vfs_objects.

- Kees.

>
> Rowland
>
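The two threads above turn on the same pair of smb.conf settings: whether `acl_xattr` is in `vfs objects` (so that NT ACLs are kept in the `security.NTACL` extended attribute, as Kees notes) and whether `acl_xattr:ignore system acls = yes` is in effect (in which case, as Rowland says, the POSIX mode bits and ACLs Paul listed are simply not consulted). The script below is an added example written for this archive page, not code from Samba or from anyone in the thread. It parses the subset of smb.conf syntax needed here ([section] headers, `key = value` lines, whole-line `#`/`;` comments), applies the Samba rule that share-level parameters placed in [global] are defaults that any share may override, and reports which shares are affected. The two configurations it audits are constructed for the example (the `WEAK_CONF` one generalizes Paul's situation; the share names, paths and workgroup are hypothetical), and it deliberately does not handle `include` lines or `%` substitutions.

```python
"""Offline audit of acl_xattr settings in an smb.conf (added example, not Samba code)."""
import re
from typing import Dict, List, Optional

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")

# Parameter names normalized the way Samba compares them: case and whitespace
# insensitive. The parametric form is module:option.
VFS_OBJECTS = "vfsobjects"
IGNORE_SYSTEM_ACLS = "acl_xattr:ignoresystemacls"

DESCRIPTIONS = {
    "IGNORE_SYSTEM_ACLS": ("acl_xattr:ignore system acls = yes is in effect: the POSIX mode bits "
                           "and POSIX ACLs on the path are not consulted, only the NT ACL stored "
                           "in the security.NTACL extended attribute"),
    "NO_ACL_XATTR": ("acl_xattr is not in vfs objects: Windows-side permission changes are mapped "
                     "onto POSIX ACLs instead of being stored as an NT ACL, so NT permissions "
                     "with no POSIX equivalent are lost"),
}

# Constructed sample: the weak layout, with the ignore setting as a [global] default.
WEAK_CONF = """\
[global]
    workgroup = WORKGROUP
    server role = standalone server
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = yes

[teaching]
    ; inherits both settings from [global]
    path = /users/misc/teaching
    read only = no

[scratch]
    path = /srv/scratch
    read only = no
    vfs objects =

[archive]
    path = /srv/archive
    read only = no
    acl_xattr:ignore system acls = no
"""

# Constructed sample: the corrected layout, ignore system acls left at its default (no).
FIXED_CONF = """\
[global]
    workgroup = WORKGROUP
    server role = standalone server
    vfs objects = acl_xattr

[teaching]
    path = /users/misc/teaching
    read only = no
"""


def normalize_key(key: str) -> str:
    """Lowercase and drop all whitespace, matching Samba's parameter-name comparison."""
    return "".join(key.lower().split())


def smb_bool(value: Optional[str], default: bool = False) -> bool:
    """Interpret a Samba boolean (yes/true/1, no/false/0); None means 'not set'."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not a Samba boolean: {value!r}")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {normalized key: raw value}}. Comments are whole lines only,
    as in Samba: a trailing '#' on a value line would be part of the value."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][normalize_key(key)] = value.strip()
    return sections


def effective(sections: Dict[str, Dict[str, str]], share: str, key: str) -> Optional[str]:
    """Share value if set, else the [global] default, else None."""
    if key in sections.get(share, {}):
        return sections[share][key]
    return sections.get("global", {}).get(key)


def audit(conf_text: str) -> Dict[str, List[str]]:
    """Per share, the finding codes from DESCRIPTIONS that apply."""
    sections = parse_smb_conf(conf_text)
    findings: Dict[str, List[str]] = {}
    for share in sections:
        if share == "global":
            continue
        modules = (effective(sections, share, VFS_OBJECTS) or "").split()
        issues: List[str] = []
        if "acl_xattr" not in modules:
            issues.append("NO_ACL_XATTR")
        elif smb_bool(effective(sections, share, IGNORE_SYSTEM_ACLS)):
            # The parametric option only has an effect once the module is loaded.
            issues.append("IGNORE_SYSTEM_ACLS")
        findings[share] = issues
    return findings


def report(conf_text: str) -> str:
    lines = []
    for share, codes in audit(conf_text).items():
        lines.append(f"[{share}]: " + ("ok" if not codes else "; ".join(DESCRIPTIONS[c] for c in codes)))
    return "\n".join(lines)


if __name__ == "__main__":
    print("weak configuration:\n" + report(WEAK_CONF))
    print("\nfixed configuration:\n" + report(FIXED_CONF))
```

On a live server `testparm -s` prints the effective, normalized configuration and is the authoritative check; this script is for reading a copied smb.conf offline, for instance while reviewing a change before it is deployed. Note that `[archive]` comes out clean only because it overrides the [global] default at share level, which is the cheaper fix when a single share legitimately needs the NT ACL to be the only source of truth.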