[Samba] samba Digest, Vol 139, Issue 40

Claudio Renato Cardoso claudiocardoso60 at gmail.com
Wed Jul 30 12:21:26 MDT 2014


From: Rowland Penny <rowlandpenny at googlemail.com>
To: samba at lists.samba.org
Cc:
Date: Wed, 30 Jul 2014 15:03:54 +0100
Subject: Re: [Samba] I getting some erros about SPNs and main process
ended, respawning
On 30/07/14 14:38, Claudio Renato Cardoso wrote:

> Please, I am getting some errors about SPNs and main process ended, respawning.
> Below are the errors that I am getting in the messages log:
>
>
> 5 or more machines are getting "Failed to modify SPNs on
> CN=PC-2902194,OU=XXXXX ,DC=ABC,DC=com,DC=br: error in module acl:
> Constraint violation (19)"
>
>
> another problem is more serious ... I really need help because the main
> process of Samba4 is respawning...
>
> ad init: tty (/dev/tty1) main process ended, respawning
>
> I need some help.
>
> Thanks !!!
>
Well, if you want somebody to help, you are going to have to provide a lot
more info, what OS ? have you modified smb.conf on the Samba4 server ? what
clients are you using, if linux, what is their smb.conf etc etc.

Rowland

I am running my Samba version 4.1.4 on CentOS 6.5 with modified smb.conf
as described below, and I do not have Linux machines on Samba (only 81
machines with Windows yet) ... Thanks...

# Global parameters
[global]
        workgroup = ABC
        realm = ABC.COM.BR
        netbios name = AD
        server role = active directory domain controller
        dns forwarder = 192.168.192.1
        idmap_ldb:use rfc2307 = yes
        interfaces = eth0
        log level = 3
        time server = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/cnpasa.embrapa.br/scripts
        read only = No


[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No




2014-07-30 15:00 GMT-03:00 <samba-request at lists.samba.org>:

> Today's Topics:
>
>    1. Re: Samba 4 AD share: Access denied (Rowland Penny)
>    2. Re: S4-Winbind dumping core on password (smk_va)
>    3. Re: tdb_rec_read bad magic (Andrew Bartlett)
>    4. Re: SID transfer to fresh DC (Andrew Bartlett)
>    5. nested groups on samba 3.6 server broken (Gaiseric Vandal)
>    6. winbind rid changing user's UID and GID numbers - Samba 3.6
>       (Robert Martel)
>    7. Re: Winbind rid + SID History creating duplicate per-user
>       groups (Josh Kelley)
>    8. Re: Winbind rid + SID History creating duplicate per-user
>       groups (Josh Kelley)
>    9. open: /var/lib/samba/private/named.conf: permission denied
>       (Carlos Ibrahim Arias)
>   10. Re: dsacls (Stuart Naylor)
>   11. [Announce] Samba 4.0.20 Available for Download (Karolin Seeger)
>   12. Re: Winbind rid + SID History creating duplicate per-user
>       groups (steve)
>   13. Re: winbind rid changing user's UID and GID numbers - Samba
>       3.6 (steve)
>   14. Re: Samba 4 AD share: Access denied (steve)
>   15. Re: winbind rid changing user's UID and GID numbers - Samba
>       3.6 (Dale Schroeder)
>   16. Re: open: /var/lib/samba/private/named.conf: permission
>       denied (Davor Vusir)
>   17. I getting some erros about SPNs and main process ended,
>       respawning (Claudio Renato Cardoso)
>   18. Re: I getting some erros about SPNs and main process ended,
>       respawning (Rowland Penny)
>   19. Re: Samba 4 AD share: Access denied (Ryan Ashley)
>   20. Re: I getting some erros about SPNs and main process ended,
>       respawning (Marc Muehlfeld)
>
>
> ---------- Forwarded message ----------
> From: Rowland Penny <rowlandpenny at googlemail.com>
> To: samba at lists.samba.org
> Cc:
> Date: Tue, 29 Jul 2014 19:47:53 +0100
> Subject: Re: [Samba] Samba 4 AD share: Access denied
> On 29/07/14 18:42, steve wrote:
>
>> On Tue, 2014-07-29 at 18:18 +0100, Rowland Penny wrote:
>>
>>> On 29/07/14 18:01, Ryan Ashley wrote:
>>>
>>>> Yes, I see all domain users and groups, getent works with passwd and
>>>> with any domain group, and shows things as they should be. Every group
>>>> has a unique gid.
>>>>
>>> OK, then on paper everything is working as it should be, I cannot think
>>> of anything else to do, anybody else have any input ???
>>>
>>> If nobody else has any input, it may be time to file a bug against samba.
>>>
>> Hi
>> Our money is on the builtin acl which has started appearing in recent
>> samba versions and explained earlier in this thread. winbind maps this
>> group to a number in the idmap * range. This number does not coincide
>> with the hard wired xidNumber in the separate idmap db on the DC.
>>
>> Otherwise, have one final check on winbind:
>> http://linuxcostablanca.blogspot.com.es/2014/06/samba4-winbind-desperation.html
>>
>> If still nothing, go back to 4.1.6 or use sssd.
>> HTH,
>> Steve
>>
>>
> Hi Steve, how about bug 10508 ??
>
> https://bugzilla.samba.org/show_bug.cgi?id=10508
>
> Rowland
>
>
>
>
> ---------- Forwarded message ----------
> From: smk_va <smk_va at yahoo.com>
> To: Andrew Bartlett <abartlet at samba.org>
> Cc: "samba at lists.samba.org" <samba at lists.samba.org>
> Date: Tue, 29 Jul 2014 12:04:17 -0700
> Subject: Re: [Samba] S4-Winbind dumping core on password
> I'm still having the issue that password authentication to a domain
> account appears to cause sernet-samba-winbind to dump core.  I've attached
> output from reproducing the error with "valgrind --trace-children=yes
> winbindd", but this time with the debuginfo package installed (which
> appears to give more information).  Help getting samba-4.1 working in our
> AD environment would be much appreciated.
>
> Thanks,
>     Murthy
>
>
>
>
>
> On Wednesday, November 20, 2013 6:47 PM, smk_va <smk_va at yahoo.com> wrote:
> To follow up, I've tried with later versions of sernet-samba-4.0, and
> today with sernet-samba-4.1.1.  The issue persists.
>
>
> No problems logging in from windows with gssapi, and using services with
> credentials from the ticket cache -- ssh, smbclient -k, etc. work just
> fine.  Logging in with a password, sudo su, etc. all fail on password
> exchange between pam and winbind.
>
> Thanks for looking into this,
>     Murthy
>
>
>
>
>
>
> On Monday, September 23, 2013 2:11 PM, smk_va <smk_va at yahoo.com> wrote:
> Andrew,
>
> Thanks for looking into this.
>
> The attached captures the output from valgrind as requested, for two
> failed attempts to "sudo su" with password from a domain account.  (I tried
> adding the '-v' option to valgrind to display the "suppressed" errors, but
> that didn't have the desired effect.)
>
> Let me know if there's more I can add, and I'll do my best to get you the
> information.
>
> Thanks,
>     Murthy
>
>
>
> ----- Original Message -----
> From: Andrew Bartlett <abartlet at samba.org>
> To: S Murthy Kambhampaty <smk_va at yahoo.com>
> Cc: "samba at lists.samba.org" <samba at lists.samba.org>
> Sent: Sunday, September 22, 2013 11:44 AM
> Subject: Re: [Samba] S4-Winbind dumping core on password
>
> On Tue, 2013-09-17 at 15:31 -0700, S Murthy Kambhampaty wrote:
> > Samba4-winbind (sernet-samba-4.0.9) on RHEL 6.4 dumps core on password
> > authentication for a domain user (su/sudo), and so domain password
> > authentication fails.  The machine is a standalone server in a Windows AD
> > (2008R2) domain.
>
> Are you able to reproduce this with winbindd running under valgrind?
> eg:
>
> valgrind --trace-children=yes winbindd
>
> Thanks,
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team          http://samba.org
>
> ---------- Forwarded message ----------
> From: Andrew Bartlett <abartlet at samba.org>
> To: "Michał Półrolniczak" <michal.polrolniczak at warp.org.pl>
> Cc: samba at lists.samba.org
> Date: Wed, 30 Jul 2014 08:07:56 +1200
> Subject: Re: [Samba] tdb_rec_read bad magic
> On Thu, 2014-07-24 at 17:53 +0200, Michał Półrolniczak wrote:
> > I think I know what happened to corrupt dns.
> > I'm thinking that sysadmin did copy samba/dns/private when samba was
> > running.
> > And when something broke, restored to that version.
> >
> > I know that at Backup wiki there is info about not doing backup of
> > running samba, but maybe adding "why" not to do that would open some
> > eyes.
>
> The only way to get some of your data out of such a corrupt database
> would be to use the 'ldbdump' tool, which is a low-level tool that will
> walk the database looking for possibly valid records.
>
> I wrote this with the help of 'Rusty' when dealing with a corrupt
> database at another site.
>
> The other option would be to try and re-create these databases.  Being
> 'just' DNS, you might be able to make that work, particularly if you
> were to create a BIND9_FLATFILE based zone, and then use
> samba_upgradedns to re-import it.  Not trivial, and a fair bit of work,
> but you should be able to save the rest of your database.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Andrew Bartlett <abartlet at samba.org>
> To: "Michał Półrolniczak" <michal.polrolniczak at warp.org.pl>
> Cc: samba at lists.samba.org
> Date: Wed, 30 Jul 2014 08:09:04 +1200
> Subject: Re: [Samba] SID transfer to fresh DC
> On Thu, 2014-07-24 at 17:51 +0200, Michał Półrolniczak wrote:
> > thanks for link, I read it but my problem was to take SIDs from samba4
> > to new samba4.
> > I ended up adding them manually.
>
> Be careful that if you force SIDs into Samba without reserving space for
> them with the --next-rid parameter to provision, or without changing the
> rid pools in the database, then adding future users will fail.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Gaiseric Vandal <gaiseric.vandal at gmail.com>
> To: Samba <samba at lists.samba.org>
> Cc:
> Date: Tue, 29 Jul 2014 16:32:22 -0400
> Subject: [Samba] nested groups on samba 3.6 server broken
> I am running a Samba 3.6.20  for my primary domain controller (+ main file
> server) and my back up domain controller.  Each domain controller has an
> LDAP backend-  the LDAP servers configured for multimaster replication.
>
>
>
>
> I have domain trusts established with a Windows 2003 AD domain
> ("WINDOMAIN") .      I have enabled nested groups in smb.conf. Winbind is
> enabled to support domain trusts.  It isn't needed for users in the local
> samba domain  ("SAMBADOMAIN") since the LDAP backend stores unix uid's and
> gid's  as well as samba user SID's.
>
>
> I had a shared directory on the primary server that I wanted to make more
> easily accessible to members from the trusted Win 2003 domain.  Domain
> trusts worked, and the trusted users had access to the parent directory.
> But the problem was that every time someone in samba domain created a
> new file in the directory, the trusted users did not automatically have
> access.  The new file would inherit the primary group for the file from
> the parent directory, but none of the ACE's for the trusted domain users.
> Whoever created the new file could add the trusted domain users to that
> file's ACL but they usually forgot to.
>
>
>
> The shared directory is owned by "projectX" group.   Originally the
> directory was a domain group for the samba domain.   In the example below,
>  the users thomas , richard and harold are members of the samba domain.
>
>
> e.g.
>
> version: 1
>
> dn: cn=projectx,ou=group,o=mydomain.com
> objectClass: sambaGroupMapping
> objectClass: posixGroup
> objectClass: top
> cn: staff_planning
> gidNumber: 123
> sambaGroupType: 2
> sambaSID: S-1-5-21-111111-222222-333333-10123
> description: projectx
> displayName: projectx
> memberUid: thomas
> memberUid: richard
> memberUid: harold
> entrydn: cn=projectx,ou=group,o=mydomain.com
>
>
> I wanted to be able to add users from the trusted domain to this group.
> Adding a "WINDOMAIN\user" as a memberUid was not sufficient.    So I
> changed  the group to a local   "local" (aka "nested" group) -  basically
> by changing the group type from 2 to 4.   I could then use the net command
> to add users from the trusted domain
>
>
>
> e.g
>
> net  rpc group  addmem projectX  "WINDOMAIN\peter "   -U
> "SAMBADOMAIN\Administrator"
>
>
>
> This would add the sambasidlist attribute  to the LDAP entry.
>
> e.g.
>
>
> version: 1
>
> dn: cn=projectx,ou=group,o=mydomain.com
> objectClass: sambaGroupMapping
> objectClass: posixGroup
> objectClass: top
> cn: staff_planning
> gidNumber: 123
> sambaGroupType: 4
> sambaSID: S-1-5-21-111111-222222-333333-10123
> description: projectX
> displayName: projectX
> memberUid: thomas
> memberUid: richard
> memberUid: harold
> entrydn: cn=projectx,ou=group,o=mydomain.com
> sambasidlist: S-1-5-21-88888-99999-00000-10001
> sambasidlist: S-1-5-21-88888-99999-00000-10002
> sambasidlist: S-1-5-21-88888-99999-00000-10003
>
>
> I can also add users and groups from the samba domain to the group with
> the net command, but there isn't much benefit to this.
>
> I can verify the members with "net  rpc group  members projectX."
>
> This worked fine for maybe 6 months.  Last week (maybe 2 weeks ago) users
> from the trusted domain reported that this no longer worked. (If they
> explicitly have permissions to the file, then they have access but the
> group membership functionality no longer works.)
>
>
> The "net rpc user info" command only works for local users-  but that had
> always been the case.
>
> E.g.
>
> # net rpc user info  thomas   -U Administrator
> Enter Administrator's password:
> Domain Users
> projectX
>
>
> # net rpc user info  "SAMBADOMAIN\thomas"   -U Administrator
> Failed to get groups for 'SAMBADOMAIN\thomas' with error: Could not map
> names to SIDs.
>
> # net rpc user info  "WINDOMAIN\peter "   -U Administrator
> Failed to get groups for 'WINDOMAIN\peter' with error: Could not map names
> to SIDs.
>
>
> A few months ago I updated from Samba 3.5.x to Samba 3.6.20.  I do not
> think this corresponds to the nested groups breaking, since the problem was
> not reported until months later.
>
>
> The "net  rpc group  delmem" also no longer works, tho this may be related
> to the samba upgrade.  I can still delete sambasidlist entries with ldap
> tools.
>
>
>
> wbinfo  shows that the user id's, sids and names are all consistent for
> trusted users.   The getent and id commands work with trusted users.  I can
> make a trusted user the owner of a file.
>
>
> Samba logs show the trusted users being denied access to the files, so it
> seems clear that the group membership is just not being recognized.
>
>
> Any help is appreciated.
>
> Thanks
>
>
>
>
>
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Robert Martel <r.martel at csuohio.edu>
> To: Samba mailing list <samba at lists.samba.org>
> Cc:
> Date: Tue, 29 Jul 2014 16:28:22 -0400
> Subject: [Samba] winbind rid changing user's UID and GID numbers - Samba
> 3.6
> Greetings,
>
> For a number of samba iterations I've been using Samba with winbind to
> keep AD users' UNIX UIDs and GIDs the same across several systems.  I
> don't run the Active Directory set-up and those that do are NOT going to
> make any alterations to make my life easier.  So I have always used
> idmap_rid to keep consistent UID/GID numbers across all my UNIX machines.
>
> This has worked very well, and the UIDs and GIDs were consistent across
> the different hosts...until I upgraded one of the Solaris 10 boxes to Samba
> 3.6.24 from 3.5.8.  Now it seems that users' UIDs and GIDs are getting
> altered on some random (to me) basis....but not all of them and not all at
> the same time.  Where I had seen a user that always received 101888 as
> their UID for years and "Domain Users" had a GID of 10513 for years now
> they receive something different.
>
> Three other Solaris hosts have been running Samba 3.6.x for some time and
> never exhibited this sort of behavior.  Something up with winbind or some
> change in behavior that I overlooked?  Documentation for winbind
> configuration for AD member servers using rid has always seemed a bit thin
> to me so I'd not be surprised to see that I am missing something. With so
> many older examples of smb.conf out there it can be difficult to figure out
> which are current/correct.
>
> Any thoughts/help would be appreciated.
>
>
> -------------------------------
> # 3.6.24 IDMAP settings
>    winbind use default domain = yes
>    template homedir = /home/%U
>    template shell = /usr/bin/bash
>    idmap config * : range =  10000-100000000
>    idmap config * : backend = tdb
>    idmap config CSUNET:  default = yes
>    idmap config CSUNET:  backend = rid
>    idmap config CSUNET:  range =  10000-100000000
>
> -------------------------------
> --
> ***********************************************************************
> Robert M. Martel                 I met someone who looks a lot like you
> System Administrator             She does the things you do
> Levin College of Urban Affairs   But she is an IBM
> Cleveland State University                           -Jeff Lynne
> (216) 687-2214
> r.martel at csuohio.edu
> ***********************************************************************
>
>
>
> ---------- Forwarded message ----------
> From: Josh Kelley <joshkel at gmail.com>
> To: steve <steve at steve-ss.com>
> Cc: "samba at lists.samba.org" <samba at lists.samba.org>
> Date: Tue, 29 Jul 2014 16:50:08 -0400
> Subject: Re: [Samba] Winbind rid + SID History creating duplicate per-user
> groups
> On Tue, Jul 29, 2014 at 4:17 AM, steve <steve at steve-ss.com> wrote:
> > Hi
> > You need both
> > 1. the *
> > and the
> > 2. MYDOMAIN
> > ranges listed in [global]
> > and
> > 3. Those ranges must not overlap.
>
> Thanks.  I thought I had the MYDOMAIN working by itself, but I think
> my mistake was that I'd failed to clear winbind's caches and was
> seeing old info.  (I don't know if there's a recommended way of
> testing winbind configs besides deleting winbind*.tdb and
> gencache*.tdb between tests.)
>
> > If you want consistent id mapping across the whole of the domain you
> > must put your uid:gid pairs in AD and use the AD backend. It may be
> > possible without but after years of trying, we've never achieved it.
>
> We've been using rid for consistent mapping for several years now.
> Prior to upgrading to Samba 4.x, it never caused problems.
>
> --
> Josh Kelley
>
>
>
> ---------- Forwarded message ----------
> From: Josh Kelley <joshkel at gmail.com>
> To: Rowland Penny <rowlandpenny at googlemail.com>
> Cc: "samba at lists.samba.org" <samba at lists.samba.org>
> Date: Tue, 29 Jul 2014 17:15:53 -0400
> Subject: Re: [Samba] Winbind rid + SID History creating duplicate per-user
> groups
> On Mon, Jul 28, 2014 at 11:42 AM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
> > There is quite a lot of your smb.conf that is not really required any
> > more, have a look here:
> >
> >  https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Thanks.  I'll work on cleaning it up.
>
> > I do not think that winbind itself can create users and groups,
> > simplifying things a lot, it just pulls info from somewhere, in this case
> > the AD database, so if your users have a group with the same name as their
> > username, somebody or something is creating them.
>
> Maybe my choice of terminology was poor?  Winbind creates Unix users
> and groups that correspond to the info that it pulls from Active
> Directory.
>
> After spending far too much time experimenting with old versions, I
> discovered that winbind *does* create per-user groups (sometimes
> referred to as "user private groups"), starting with 4.0.5.  More
> info:
>
>
> http://git.samba.org/?p=samba.git;a=commit;h=d2360fe56c860fa20051f6373eb2fcc3e4def6b6
> https://lists.samba.org/archive/samba-technical/2013-July/093986.html
>
> User private groups is apparently a feature and cannot be disabled.  I
> don't know (or don't know the intricacies of user/group mapping and AD
> compatibility well enough to understand) why it was added, but it
> should generally be harmless for a Unix environment.
>
> I believe that the fact that SID history can cause duplicate groups to
> be created is a bug, and I've logged it at
> https://bugzilla.samba.org/show_bug.cgi?id=10753.
>
> Thanks for your help.
>
> --
> Josh Kelley
>
>
>
> ---------- Forwarded message ----------
> From: Carlos Ibrahim Arias <carlos at braimtec.com>
> To: samba at lists.samba.org
> Cc:
> Date: Wed, 30 Jul 2014 01:06:35 +0100
> Subject: [Samba] open: /var/lib/samba/private/named.conf: permission denied
> Hello everyone,
>
> I'm deploying samba on a CentOS Server following the guide 'Samba AD DC
> How To' at wiki.samba.org. Everything has gone right till I got to the
> section 'Configuring Bind as Samba Active Directory backend'.
>
> Firstly Bind could not access '/var/lib/samba/private/named.conf' when
> adding the option 'include "/var/lib/samba/private/named.conf";' to
> /etc/named.conf. I got the error message of the subject.
>
> I "solved" this adding the content to the named.conf file at
> /etc/named.conf but it did not work either. I got the following message:
>
> Jul 30 00:33:27 braimone named[2299]: loading configuration from
> '/etc/named.conf'
> Jul 30 00:33:27 braimone named[2299]: using default UDP/IPv4 port range:
> [1024, 65535]
> Jul 30 00:33:27 braimone named[2299]: using default UDP/IPv6 port range:
> [1024, 65535]
> Jul 30 00:33:27 braimone named[2299]: listening on IPv4 interface lo,
> 127.0.0.1#53
> Jul 30 00:33:27 braimone named[2299]: listening on IPv4 interface eth1,
> 192.168.2.1#53
> Jul 30 00:33:27 braimone named[2299]: generating session key for dynamic
> DNS
> Jul 30 00:33:27 braimone named[2299]: sizing zone task pool based on 5
> zones
> Jul 30 00:33:27 braimone named[2299]: Loading 'AD DNS Zone' using driver
> dlopen
> Jul 30 00:33:29 braimone named[2299]: samba_dlz: Failed to connect to
> /var/lib/samba/private/dns/sam.ldb
> Jul 30 00:33:29 braimone named[2299]: dlz_dlopen of 'AD DNS Zone' failed
> Jul 30 00:33:29 braimone named[2299]: SDLZ driver failed to load.
> Jul 30 00:33:29 braimone named[2299]: DLZ driver failed to load.
> Jul 30 00:33:29 braimone named[2299]: loading configuration: failure
> Jul 30 00:33:29 braimone named[2299]: exiting (due to fatal error)
>
> SELinux is set to enforced but I'm not getting any error, the permissions
> are properly set and I don't know what else I can do.
>
> Can anyone help?
>
> Thanks in advance!
>
>
> ---------- Forwarded message ----------
> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org>
> To: "Quentin Gibeaux" <qgibeaux at iris-tech.fr>, "samba at lists.samba.org" <
> samba at lists.samba.org>
> Cc:
> Date: Wed, 30 Jul 2014 04:06:20 +0100
> Subject: Re: [Samba] dsacls
> Many Thanks
>
> So much of samba-tool is undocumented but my bad.
>
> Any examples to allow administrators only and the owner user?
>
>
>
> -----Original message-----
> > From:Quentin Gibeaux <qgibeaux at iris-tech.fr>
> > Sent: Tuesday 29th July 2014 11:17
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] dsacls
> >
> > On 29/07/2014 12:05, Stuart Naylor wrote:
> > > Are there any deny tools with samba4? Like the below example?
> > >
> > > To set the permission to deny read access of the homePhone attribute
> > > on a single user object, you can use this command:
> > >
> > > dsacls <DN of object> /D <security principal>:RP;homePhone
> > > For our example, the command would look like this:
> > >
> > > dsacls "CN=Doe\, John,OU=newOU,DC=root,DC=net" /D root\non-HR-users:RP;homePhone
> > >
> > >
> > >
> > It seems samba-tool does this:
> >
> > ~# samba-tool dsacl
> > Usage: samba-tool dsacl <subcommand>
> >
> > DS ACLs manipulation.
> >
> >
> > Options:
> >    -h, --help  show this help message and exit
> >
> >
> > Available subcommands:
> >    set  - Modify access list on a directory object.
> >
> >
> >
>
>
>
> ---------- Forwarded message ----------
> From: Karolin Seeger <kseeger at samba.org>
> To: samba-announce at samba.org, samba at samba.org, samba-technical at samba.org
> Cc:
> Date: Wed, 30 Jul 2014 11:44:12 +0200
> Subject: [Samba] [Announce] Samba 4.0.20 Available for Download
> =======================================================================
>                                 "I told Mario Goetze, 'go out and show
>                                  the world you are better than Messi!'"
>
>                                  Joachim Loew
> =======================================================================
>
> Release Announcements
> ---------------------
>
> This is the latest stable release of the Samba 4.0 release series.
>
>
> Changes since 4.0.19:
> ---------------------
>
> o   Jeremy Allison <jra at samba.org>
>     * BUG 3124: s3: smb2: Fix 'xcopy /d' with samba shares.
>     * BUG 10653: Samba won't start on a machine configured with only IPv4.
>     * BUG 10673: s3: SMB2: Fix leak of blocking lock records in the
>       database.
>     * BUG 10684: SMB1 blocking locks can fail notification on unlock,
>       causing client timeout.
>     * BUG 10685: s3: smbd: Locking, fix off-by one calculation in
>       brl_pending_overlap().
>     * BUG 10692: wbcCredentialCache fails if challenge_blob is not first.
>
>
> o   Andrew Bartlett <abartlet at samba.org>
>     * BUG 10627: rid_array used before status checked - segmentation fault
>       due to null pointer dereference.
>
>
> o   David Disseldorp <ddiss at samba.org>
>     * BUG 10612: printing: Fix purge of all print jobs.
>
>
> o   Björn Jacke <bj at sernet.de>
>     * BUG 3263: net/doc: Make clear that net vampire is for NT4 domains
>       only.
>     * BUG 10657: autobuild: Delete $NSS_MODULES in "make clean".
>
>
> o   Volker Lendecke <vl at samba.org>
>     * BUG 10663: msg_channel: Fix a 100% CPU loop.
>     * BUG 10680: smbstatus: Fix an uninitialized variable.
>     * BUG 10687: 'RW2' smbtorture test fails when -N <numprocs> is set to
>       2 due to the invalid status check in the second client.
>     * BUG 10699: smbd: Avoid double-free in get_print_db_byname.
>
>
> o   Stefan Metzmacher <metze at samba.org>
>     * BUG 10469: ldb-samba: fix a memory leak in
>       ldif_canonicalise_objectCategory().
>     * BUG 10692: wbcCredentialCache fails if challenge_blob is not first.
>     * BUG 10696: Backport autobuild/selftest fixes from master.
>     * BUG 10706: s3:smb2_read: let smb2_sendfile_send_data() behave like
>       send_file_readX().
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.freenode.net.
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored.  All bug reports should
> be filed under the Samba 4.0 product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
>
> ================
> Download Details
> ================
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID 6568B7EA).  The source code can be downloaded
> from:
>
>         http://download.samba.org/samba/ftp/stable/
>
> The release notes are available online at:
>
>         http://www.samba.org/samba/history/samba-4.0.20.html
>
> Binary packages will be made available on a volunteer basis from
>
>         http://download.samba.org/samba/ftp/Binary_Packages/
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
>                         --Enjoy
>                         The Samba Team
>
>
>
> ---------- Forwarded message ----------
> From: steve <steve at steve-ss.com>
> To: Josh Kelley <joshkel at gmail.com>
> Cc: "samba at lists.samba.org" <samba at lists.samba.org>
> Date: Wed, 30 Jul 2014 11:47:48 +0200
> Subject: Re: [Samba] Winbind rid + SID History creating duplicate per-user
> groups
> On Tue, 2014-07-29 at 16:50 -0400, Josh Kelley wrote:
> > On Tue, Jul 29, 2014 at 4:17 AM, steve <steve at steve-ss.com> wrote:
> > > Hi
> > > You need both
> > > 1. the *
> > > and the
> > > 2. MYDOMAIN
> > > ranges listed in [global]
> > > and
> > > 3. Those ranges must not overlap.
> >
> > Thanks.  I thought I had the MYDOMAIN working by itself, but I think
> > my mistake was that I'd failed to clear winbind's caches and was
> > seeing old info.  (I don't know if there's a recommended way of
> > testing winbind configs besides deleting winbind*.tdb and
> > gencache*.tdb between tests.)
> Hi
> We use:
> net cache flush
> HTH,
> Steve
>
> >
> > > If you want consistent id mapping across the whole of the domain you
> > > must put your uid:gid pairs in AD and use the AD backend. It may be
> > > possible without but after years of trying, we've never achieved it.
> >
> > We've been using rid for consistent mapping for several years now.
> > Prior to upgrading to Samba 4.x, it never caused problems.
> >
>
>
>
>
>
> ---------- Forwarded message ----------
> From: steve <steve at steve-ss.com>
> To: samba at lists.samba.org
> Cc:
> Date: Wed, 30 Jul 2014 11:50:38 +0200
> Subject: Re: [Samba] winbind rid changing user's UID and GID numbers -
> Samba 3.6
> On Tue, 2014-07-29 at 16:28 -0400, Robert Martel wrote:
>
> >
> > Any thoughts/help would be appreciated.
> >
> >
> > -------------------------------
> > # 3.6.24 IDMAP settings
> >     winbind use default domain = yes
> >     template homedir = /home/%U
> >     template shell = /usr/bin/bash
> >     idmap config * : range =  10000-100000000
> >     idmap config * : backend = tdb
> >     idmap config CSUNET:       default = yes
> >     idmap config CSUNET:       backend = rid
> >     idmap config CSUNET:       range =  10000-100000000
>
> Hi
> Overlapping ranges.
> HTH,
> Steve
>
>
>
>
>
> ---------- Forwarded message ----------
> From: steve <steve at steve-ss.com>
> To: samba at lists.samba.org
> Cc:
> Date: Wed, 30 Jul 2014 12:01:07 +0200
> Subject: Re: [Samba] Samba 4 AD share: Access denied
> On Tue, 2014-07-29 at 19:47 +0100, Rowland Penny wrote:
> > On 29/07/14 18:42, steve wrote:
> > > On Tue, 2014-07-29 at 18:18 +0100, Rowland Penny wrote:
> > >> On 29/07/14 18:01, Ryan Ashley wrote:
> > >>> Yes, I see all domain users and groups, getent works with passwd and
> > >>> with any domain group, and shows things as they should be. Every group
> > >>> has a unique gid.
> > >> OK, then on paper everything is working as it should be, I cannot think
> > >> of anything else to do, anybody else have any input ???
> > >>
> > >> If nobody else has any input, it may be time to file a bug against samba.
> > > Hi
> > > Our money is on the builtin acl which has started appearing in recent
> > > samba versions and explained earlier in this thread. winbind maps this
> > > group to a number in the idmap * range. This number does not coincide
> > > with the hard wired xidNumber in the separate idmap db on the DC.
> > >
> > > Otherwise, have one final check on winbind:
> > >
> > > http://linuxcostablanca.blogspot.com.es/2014/06/samba4-winbind-desperation.html
> > >
> > > If still nothing, go back to 4.1.6 or use sssd.
> > > HTH,
> > > Steve
> > >
> > >
> > Hi Steve, how about bug 10508 ??
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=10508
> >
> > Rowland
> >
> Hi Rowland,
> Yes, it looks possible.
> Could OP tell us if his ntadmins is local to /etc/group? Also, what
> does:
>  wbinfo --uid-to-sid=70028
> give us?
> Steve
>
>
>
>
>
> ---------- Forwarded message ----------
> From: Dale Schroeder <dale at BriannasSaladDressing.com>
> To: Robert Martel <r.martel at csuohio.edu>, Samba mailing list <
> samba at lists.samba.org>
> Cc:
> Date: Tue, 29 Jul 2014 16:08:47 -0500
> Subject: Re: [Samba] winbind rid changing user's UID and GID numbers -
> Samba 3.6
> Robert,
>
> You have the same range for * and CSUNET.  Those ranges cannot overlap, so
> fixing those would be the place to start.
>
> Dale
>
> On 07/29/2014 3:28 PM, Robert Martel wrote:
>
>> Greetings,
>>
>> For a number of samba iterations I've been using Samba with winbind to
>> keep AD users' UNIX UIDs and GIDs the same across several systems.  I
>> don't run the Active Directory set-up and those that do are NOT going to
>> make any alterations to make my life easier.  So I have always used
>> idmap_rid to keep consistent UID/GID numbers across all my UNIX machines.
>>
>> This has worked very well, and the UIDs and GIDs were consistent across
>> the different hosts...until I upgraded one of the Solaris 10 boxes to Samba
>> 3.6.24 from 3.5.8.  Now it seems that users' UIDs and GIDs are getting
>> altered on some random (to me) basis....but not all of them and not all at
>> the same time.  Where I had seen a user that always received 101888 as
>> their UID for years and "Domain Users" had a GID of 10513 for years now
>> they receive something different.
>>
>> Three other Solaris hosts have been running Samba 3.6.x for some time and
>> never exhibited this sort of behavior.  Something up with winbind or some
>> change in behavior that I overlooked? Documentation for winbind
>> configuration for AD member servers using rid has always seemed a bit thin
>> to me so I'd not be surprised to see that I am missing something. With so
>> many older examples of smb.conf out there it can be difficult to figure out
>> which are current/correct.
>>
>> Any thoughts/help would be appreciated.
>>
>>
>> -------------------------------
>> # 3.6.24 IDMAP settings
>>    winbind use default domain = yes
>>    template homedir = /home/%U
>>    template shell = /usr/bin/bash
>>    idmap config * : range =  10000-100000000
>>    idmap config * : backend = tdb
>>    idmap config CSUNET:     default = yes
>>    idmap config CSUNET:     backend = rid
>>    idmap config CSUNET:     range =  10000-100000000
>>
>> -------------------------------
>>
>
>
>
>
> ---------- Forwarded message ----------
> From: Davor Vusir <davortvusir at gmail.com>
> To: Carlos Ibrahim Arias <carlos at braimtec.com>
> Cc: samba at lists.samba.org
> Date: Wed, 30 Jul 2014 15:19:42 +0200
> Subject: Re: [Samba] open: /var/lib/samba/private/named.conf: permission
> denied
> On 30 Jul 2014 02:07, "Carlos Ibrahim Arias" <carlos at braimtec.com> wrote:
> >
> > Hello everyone,
> >
> > I'm deploying samba on a CentOS Server following the guide 'Samba AD DC
> > How To' at wiki.samba.org. Everything has gone right till I got to the
> > section 'Configuring Bind as Samba Active Directory backend'.
> >
> > Firstly Bind could not access '/var/lib/samba/private/named.conf' when
> > adding the option 'include "/var/lib/samba/private/named.conf";' to
> > /etc/named.conf. I got the error message of the subject.
> >
> > I "solved" this adding the content to the named.conf file at
> > /etc/named.conf but it did not work either. I got the following message:
> >
> > Jul 30 00:33:27 braimone named[2299]: loading configuration from '/etc/named.conf'
> > Jul 30 00:33:27 braimone named[2299]: using default UDP/IPv4 port range: [1024, 65535]
> > Jul 30 00:33:27 braimone named[2299]: using default UDP/IPv6 port range: [1024, 65535]
> > Jul 30 00:33:27 braimone named[2299]: listening on IPv4 interface lo, 127.0.0.1#53
> > Jul 30 00:33:27 braimone named[2299]: listening on IPv4 interface eth1, 192.168.2.1#53
> > Jul 30 00:33:27 braimone named[2299]: generating session key for dynamic DNS
> > Jul 30 00:33:27 braimone named[2299]: sizing zone task pool based on 5 zones
> > Jul 30 00:33:27 braimone named[2299]: Loading 'AD DNS Zone' using driver dlopen
>
> Replace 'AD DNS Zone' with your DNS domain in Samba's private/named.conf.
> And restart bind.
>
> Regards
> Davor
>
> > Jul 30 00:33:29 braimone named[2299]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
> > Jul 30 00:33:29 braimone named[2299]: dlz_dlopen of 'AD DNS Zone' failed
> > Jul 30 00:33:29 braimone named[2299]: SDLZ driver failed to load.
> > Jul 30 00:33:29 braimone named[2299]: DLZ driver failed to load.
> > Jul 30 00:33:29 braimone named[2299]: loading configuration: failure
> > Jul 30 00:33:29 braimone named[2299]: exiting (due to fatal error)
> >
> > SELinux is set to enforced but I'm not getting any error, the permissions
> > are properly set and I don't know what else I can do.
> >
> > Can anyone help?
> >
> > Thanks in advance!
>
>
>
> ---------- Forwarded message ----------
> From: Claudio Renato Cardoso <claudiocardoso60 at gmail.com>
> To: samba at lists.samba.org
> Cc:
> Date: Wed, 30 Jul 2014 10:38:43 -0300
> Subject: [Samba] I getting some erros about SPNs and main process ended,
> respawning
> Please, I am getting some errors about SPNs and main process ended respawning,
> below the errors that I am getting at messages log
>
>
> 5 or more machines are getting "Failed to modify SPNs on
> CN=PC-2902194,OU=XXXXX ,DC=ABC,DC=com,DC=br: error in module acl:
> Constraint violation (19)"
>
>
> another problem is more serious ... I really need help because the main
> process of Samba4 is respawning...
>
> ad init: tty (/dev/tty1) main process ended, respawning
>
> I need some help.
>
> Thanks !!!
>
>
>
> ---------- Forwarded message ----------
> From: Rowland Penny <rowlandpenny at googlemail.com>
> To: samba at lists.samba.org
> Cc:
> Date: Wed, 30 Jul 2014 15:03:54 +0100
> Subject: Re: [Samba] I getting some erros about SPNs and main process
> ended, respawning
> On 30/07/14 14:38, Claudio Renato Cardoso wrote:
>
>> Please, I am getting some errors about SPNs and main process ended respawning,
>> below the errors that I am getting at messages log
>>
>>
>> 5 or more machines are getting "Failed to modify SPNs on
>> CN=PC-2902194,OU=XXXXX ,DC=ABC,DC=com,DC=br: error in module acl:
>> Constraint violation (19)"
>>
>>
>> another problem is more serious ... I really need help because the main
>> process of Samba4 is respawning...
>>
>> ad init: tty (/dev/tty1) main process ended, respawning
>>
>> I need some help.
>>
>> Thanks !!!
>>
> Well, if you want somebody to help, you are going to have to provide a lot
> more info, what OS ? have you modified smb.conf on the Samba4 server ? what
> clients are you using, if linux, what is their smb.conf etc etc.
>
> Rowland
>
>
>
> ---------- Forwarded message ----------
> From: Ryan Ashley <ryana at reachtechfp.com>
> To: samba at lists.samba.org
> Cc:
> Date: Wed, 30 Jul 2014 10:18:15 -0400
> Subject: Re: [Samba] Samba 4 AD share: Access denied
> Sorry for the delay. I am in eastern time and have been busy with another
> project. I cannot convert that ID to SID. In Windows however, this shows as
> "SYSTEM". How do I know? Simple, there are only three things listed. Those
> are "Domain Admins", "Administration", and "SYSTEM". Also, what do you mean
> by "ntadmins" being local? I have added no groups to the Linux systems, so
> if you're asking if it is a local group on the Linux box, no it is not. I
> can remove the SYSTEM account from the share if needed, but it is on all
> Windows shares as well and causes no issues.
>
> failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not convert uid 70028 to sid
>
> On 7/30/2014 6:01 AM, steve wrote:
>
>> On Tue, 2014-07-29 at 19:47 +0100, Rowland Penny wrote:
>>
>>> On 29/07/14 18:42, steve wrote:
>>>
>>>> On Tue, 2014-07-29 at 18:18 +0100, Rowland Penny wrote:
>>>>
>>>>> On 29/07/14 18:01, Ryan Ashley wrote:
>>>>>
>>>>>> Yes, I see all domain users and groups, getent works with passwd and
>>>>>> with any domain group, and shows things as they should be. Every group
>>>>>> has a unique gid.
>>>>>>
>>>>> OK, then on paper everything is working as it should be, I cannot think
>>>>> of anything else to do, anybody else have any input ???
>>>>>
>>>>> If nobody else has any input, it may be time to file a bug against
>>>>> samba.
>>>>>
>>>> Hi
>>>> Our money is on the builtin acl which has started appearing in recent
>>>> samba versions and explained earlier in this thread. winbind maps this
>>>> group to a number in the idmap * range. This number does not coincide
>>>> with the hard wired xidNumber in the separate idmap db on the DC.
>>>>
>>>> Otherwise, have one final check on winbind:
>>>> http://linuxcostablanca.blogspot.com.es/2014/06/samba4-winbind-desperation.html
>>>>
>>>> If still nothing, go back to 4.1.6 or use sssd.
>>>> HTH,
>>>> Steve
>>>>
>>>>
>>> Hi Steve, how about bug 10508 ??
>>>
>>> https://bugzilla.samba.org/show_bug.cgi?id=10508
>>>
>>> Rowland
>>>
>> Hi Rowland,
>> Yes, it looks possible.
>> Could OP tell us if his ntadmins is local to /etc/group? Also, what
>> does:
>>   wbinfo --uid-to-sid=70028
>> give us?
>> Steve
>>
>>
>>
>
>
>
> ---------- Forwarded message ----------
> From: Marc Muehlfeld <mmuehlfeld at samba.org>
> To: Claudio Renato Cardoso <claudiocardoso60 at gmail.com>,
> samba at lists.samba.org
> Cc:
> Date: Wed, 30 Jul 2014 17:37:41 +0200
> Subject: Re: [Samba] I getting some erros about SPNs and main process
> ended, respawning
> Hello Claudio,
>
> On 30.07.2014 15:38, Claudio Renato Cardoso wrote:
> > Please, I am getting some errors about SPNs and main process ended respawning,
> > below the errors that I am getting at messages log
> >
> > 5 or more machines are getting "Failed to modify SPNs on
> > CN=PC-2902194,OU=XXXXX ,DC=ABC,DC=com,DC=br: error in module acl:
> > Constraint violation (19)"
>
> That's nothing serious and a known bug:
> https://bugzilla.samba.org/show_bug.cgi?id=9316
>
>
>
>
> > another problem is more serious ... I really need help because the main
> > process of Samba4 is respawning...
> >
> > ad init: tty (/dev/tty1) main process ended, respawning
> >
> > I need some help.
>
> Provide more details and I'm sure we can help. ;-)
>
>
> Regards,
> Marc
>
>
>
>
>
>

