[Samba] upgrade samba

Fabrizio Monti thefantaman at gmail.com
Wed Jan 30 04:19:38 MST 2013


Sorry for the previous mail, I clicked on "send" by mistake.

Hi,
@Nico
I fixed smbldap-tools: I have installed the package and corrected
smb.conf. The new file is:

[global]
        workgroup = GIS
        passdb backend = ldapsam:ldap://192.0.200.2/
        map untrusted to domain = Yes
        log level = 4
        log file = /var/log/samba/log.%U
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
        add user script = /usr/bin/smbldap-useradd -a -m -P "%u"
        delete user script = /usr/bin/smbldap-userdel -r "%u"
        add group script = /usr/bin/smbldap-groupadd -p "%g"
        delete group script = /usr/bin/smbldap-groupdel "%g"
        add user to group script = /usr/bin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/bin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/bin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/bin/smbldap-useradd -w "%u"
        #add user script = /usr/local/bin/smbldap-useradd -a -m -P "%u"
        #delete user script = /usr/local/bin/smbldap-userdel -r "%u"
        #add group script = /usr/local/bin/smbldap-groupadd -p "%g"
        #delete group script = /usr/local/bin/smbldap-groupdel "%g"
        #add user to group script = /usr/local/bin/smbldap-groupmod -m "%u" "%g"
        #delete user from group script = /usr/local/bin/smbldap-groupmod -x "%u" "%g"
        #set primary group script = /usr/local/bin/smbldap-usermod -g "%g" "%u"
        #add machine script = /usr/local/bin/smbldap-useradd -w "%u"
        logon path =
        logon home =
        domain logons = Yes
        os level = 33
        preferred master = Auto
        domain master = Yes
        enable privileges = yes
        ldap admin dn = cn=Manager,dc=sigesgroup,dc=intra
        ldap delete dn = Yes
        ldap group suffix = ou=group
        ldap machine suffix = ou=machines
        ldap passwd sync = yes
        ldap suffix = dc=sigesgroup,dc=intra
        ldap ssl = no
        ldap user suffix = ou=People
        idmap config * : range =
        idmap config * : ldap_url = ldap://192.0.200.2/
        ldapsam:editposix = yes
        ldapsam:trusted = yes
        idmap config * : backend = ldapsam:ldap://192.0.200.2/
        idmap config * : range = 5000 - 50000
        idmap config * : default = yes

[netlogon]
        comment = Network Logon Service
        path = /home/netlogon
        guest ok = Yes

[profiles]
        path = /home/profiles
        read only = No
        create mask = 0600
        directory mask = 0700



@Harry Jede
I fixed the SID, now:

SID for local machine VMPDC is: S-1-5-21-3564791867-1010203101-2143723903
SID for domain GIS is: S-1-5-21-3564791867-1010203101-2143723903
SambaSID for user Manager: S-1-5-21-3564791867-1010203101-2143723903-500
sambaPrimaryGroupSID for user Manager: S-1-5-21-3564791867-1010203101-2143723903-2025


Now the problem is in /var/log/samba/log.manager (I include only the problem lines):

[2013/01/30 12:11:20.546770,  4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-21-3564791867-1010203101-2143723903-500]
[2013/01/30 12:11:20.546816,  4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-21-3564791867-1010203101-2143723903-2089]
[2013/01/30 12:11:20.546862,  4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2013/01/30 12:11:20.546901,  4] lib/privileges.c:97(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-11]

[2013/01/30 12:11:20.551429,  4] passdb/pdb_ldap.c:2543(ldapsam_getgroup)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-1-0))

[2013/01/30 12:11:20.552023,  4] passdb/pdb_ldap.c:2543(ldapsam_getgroup)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-2))

[2013/01/30 12:11:20.552556,  4] passdb/pdb_ldap.c:2543(ldapsam_getgroup)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-11))

[2013/01/30 12:11:21.006618,  4] rpc_server/srv_pipe.c:1611(api_rpcTNP)
  api_rpcTNP: \lsarpc op 0x2c - api_rpcTNP: rpc command: LSA_OPENPOLICY2
[2013/01/30 12:11:21.006627,  4] rpc_server/srv_access_check.c:83(access_check_object)
  _lsa_OpenPolicy2: ACCESS should be DENIED  (requested: 0x000f0fff)
  but overritten by euid == sec_initial_uid()


[2013/01/30 12:11:36.943971,  1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.0.200.149 read error = NT_STATUS_CONNECTION_RESET.






2013/1/28 Nico Kadel-Garcia <nkadel at gmail.com>:
> On Mon, Jan 28, 2013 at 3:38 AM, Fabrizio Monti <thefantaman at gmail.com> wrote:
>> Hi Nico Kadel-Garcia,
>> thanks for reply. Path for smbldap is correct. Other log file have
>
> Then you have a manually built and installed smbldap-tools, and you
> should probably replace it with the one from Red Hat or your Red Hat
> rebuild provider. For consistency and compatibility with your RPM
> supplied Samba, I urge you to use the distribution provided
> smbldap-tools package and move aside the hand-built versions you have
> in /usr/local/bin.
>
> While this won't necessarily solve your problem, it gives all of us a
> consistent reference as to what tools and versions of tools you're
> using. It's also why I spend so much time RPM bundling software, so
> both people I support and I are using the same package from the same,
> clean build environment.
>
>                        Nico Kadel-Garcia <nkadel at gmail.com>
>
>
>
>
>> 2013/01/25 17:20:13.974204,  1] auth/server_info.c:386(samu_to_SamInfo3)
>>   The primary group domain sid(S-1-5-21-3564791867-1010203101-2143723903-513) does not match the domain sid(S-1-5-21-2427793829-1009842549-3523806979) for Manager(S-1-5-21-2427793829-1009842549-3523806979-500)
>> [2013/01/25 17:20:13.974250,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
>>  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2013/01/25 17:20:13.974286,  0] auth/check_samsec.c:491(check_sam_security)
>>   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
>> [2013/01/25 17:20:13.974506,  3] auth/auth_winbind.c:60(check_winbind_security)
>>   check_winbind_security: Not using winbind, requested domain [gis] was for this SAM.
>> [2013/01/25 17:20:13.974542,  2] auth/auth.c:319(check_ntlm_password)
>>   check_ntlm_password:  Authentication for user [Manager] -> [Manager] FAILED with error NT_STATUS_UNSUCCESSFUL
>> [2013/01/25 17:20:13.974610,  3] smbd/error.c:81(error_packet_set)
>>   error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_UNSUCCESSFUL
>> [2013/01/25 17:20:24.885770,  1] smbd/process.c:457(receive_smb_talloc)
>>   receive_smb_raw_talloc failed for client 192.0.200.149 read error = NT_STATUS_CONNECTION_RESET.
>> [2013/01/25 17:20:24.885923,  4] smbd/sec_ctx.c:314(set_sec_ctx)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2013/01/25 17:20:24.886102,  3] smbd/server_exit.c:181(exit_server_common)
>>   Server exit (failed to receive smb request)
>>
>>
>> Then the problem is the SID; samba-3.3 probably does not check the SID. LDAP is
>> working, so is it possible to disable the SID check in samba-3.6?
>>
>> Fabrizio.
>>
>> Well, for one thing, if you updated to samba3x  your binaries for
>>>
>>> things like "smbldap-usermod" are all going to be in /usr/bin, not
>>> /usr/local/bin.
>>
>> path is correct, files smbldap are in /usr/local/bin.
>>
>>>
>>> Did you have an old hand-built Samba lying around? If
>>> you did, you need to clear it.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>>
>>>
>>> > Jan 24 17:53:03 VmPDC smbd[15115]: [2013/01/24 17:53:03.371837,  0]
>>> > auth/check_samsec.c:491(check_sam_security)
>>> > Jan 24 17:53:03 VmPDC smbd[15115]:   check_sam_security:
>>> > make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
>>> > Jan 24 17:53:04 VmPDC smbd[15115]: [2013/01/24 17:53:04.413597,  0]
>>> > auth/check_samsec.c:491(check_sam_security)
>>> > Jan 24 17:53:04 VmPDC smbd[15115]:   check_sam_security:
>>> > make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
>>> >
>>> > This is the configuration of samba
>>> >
>>> > [root at VmPDC ~]# testparm
>>> > Load smb config files from /etc/samba/smb.conf
>>> > Processing section "[netlogon]"
>>> > Processing section "[profiles]"
>>> > Loaded services file OK.
>>> > Server role: ROLE_DOMAIN_PDC
>>> > Press enter to see a dump of your service definitions
>>> >
>>> > [global]
>>> >         workgroup = GIS
>>> >         passdb backend = ldapsam:ldap://192.0.200.2/
>>> >         log file = /var/log/samba/log.%U
>>> >         time server = Yes
>>> >         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
>>> >         add user script = /usr/local/bin/smbldap-useradd -a -m -P "%u"
>>> >         delete user script = /usr/local/bin/smbldap-userdel -r "%u"
>>> >         add group script = /usr/local/bin/smbldap-groupadd -p "%g"
>>> >         delete group script = /usr/local/bin/smbldap-groupdel "%g"
>>> >         add user to group script = /usr/local/bin/smbldap-groupmod -m "%u" "%g"
>>> >         delete user from group script = /usr/local/bin/smbldap-groupmod -x "%u" "%g"
>>> >         set primary group script = /usr/local/bin/smbldap-usermod -g "%g" "%u"
>>> >         add machine script = /usr/local/bin/smbldap-useradd -w "%u"
>>> >         logon path =
>>> >         logon home =
>>> >         domain logons = Yes
>>> >         os level = 33
>>> >         preferred master = Auto
>>> >         domain master = Yes
>>> >         ldap admin dn = cn=Manager,dc=sigesgroup,dc=intra
>>> >         ldap delete dn = Yes
>>> >         ldap group suffix = ou=group
>>> >         ldap machine suffix = ou=machines
>>> >         ldap passwd sync = yes
>>> >         ldap suffix = dc=sigesgroup,dc=intra
>>> >         ldap ssl = no
>>> >         ldap user suffix = ou=People
>>> >         idmap config * :range = 5000 - 50000
>>> >         ldapsam:editposix = yes
>>> >         ldapsam:trusted = yes
>>> >         idmap config * : backend = ldap:ldap://192.0.200.2/
>>> >
>>> > [netlogon]
>>> >         comment = Network Logon Service
>>> >         path = /home/netlogon
>>> >         guest ok = Yes
>>> >
>>> > [profiles]
>>> >         path = /home/profiles
>>> >         read only = No
>>> >         create mask = 0600
>>> >         directory mask = 0700
>>> >
>>> > Why is it not working?
>>> > --
>>> > To unsubscribe from this list go to the following URL and read the
>>> > instructions:  https://lists.samba.org/mailman/options/samba
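
Added example (not part of the original thread, and not code from Samba or smbldap-tools): the 2013/01/25 log above rejects the logon because the primary group SID carries a different domain part than the domain SID. The sketch below applies that consistency check to account records before a login is attempted. The record layout and the names `split_sid` and `check_entries` are assumptions; the sample records are constructed from the SIDs quoted in the thread.

```python
import re

# Domain-relative SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>.
DOMAIN_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid), or (None, None) if sid is not domain-relative."""
    m = DOMAIN_SID.match(sid.strip())
    return (m.group(1), int(m.group(2))) if m else (None, None)


def check_entries(domain_sid, entries):
    """Return (uid, attribute, sid, reason) for each SID outside domain_sid."""
    findings = []
    for entry in entries:
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            sid = entry.get(attr)
            if sid is None:
                findings.append((entry["uid"], attr, None, "attribute missing"))
                continue
            dom, _rid = split_sid(sid)
            if dom is None:
                findings.append((entry["uid"], attr, sid, "not a domain-relative SID"))
            elif dom != domain_sid:
                findings.append((entry["uid"], attr, sid,
                                 "domain part differs from " + domain_sid))
    return findings


# Constructed sample records using the SIDs quoted in the thread.
OLD_DOMAIN = "S-1-5-21-2427793829-1009842549-3523806979"  # domain SID in the 01/25 log
NEW_DOMAIN = "S-1-5-21-3564791867-1010203101-2143723903"  # domain SID reported on 01/30
BEFORE = [{"uid": "Manager",
           "sambaSID": OLD_DOMAIN + "-500",
           "sambaPrimaryGroupSID": NEW_DOMAIN + "-513"}]
AFTER = [{"uid": "Manager",
          "sambaSID": NEW_DOMAIN + "-500",
          "sambaPrimaryGroupSID": NEW_DOMAIN + "-2025"}]

if __name__ == "__main__":
    for label, dom, entries in (("2013/01/25", OLD_DOMAIN, BEFORE),
                                ("2013/01/30", NEW_DOMAIN, AFTER)):
        problems = check_entries(dom, entries)
        print(label, "OK" if not problems else problems)
```
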

