[Samba] samba Digest, Vol 139, Issue 40

Rowland Penny rowlandpenny at googlemail.com
Wed Jul 30 13:03:22 MDT 2014


On 30/07/14 19:21, Claudio Renato Cardoso wrote:
> From: Rowland Penny <rowlandpenny at googlemail.com>
> To: samba at lists.samba.org
> Cc:
> Date: Wed, 30 Jul 2014 15:03:54 +0100
> Subject: Re: [Samba] I getting some erros about SPNs and main process
> ended, respawning
> On 30/07/14 14:38, Claudio Renato Cardoso wrote:
>
>> Please, I am getting some errors about SPNs and main process ended respawning;
>> below are the errors that I am getting in the messages log
>>
>>
>> 5 or more machines are getting "Failed to modify SPNs on
>> CN=PC-2902194,OU=XXXXX ,DC=ABC,DC=com,DC=br: error in module acl:
>> Constraint violation (19)"
>>
>>
>> another problem is more serious ... I really need help because the main
>> process of Samba4 is respawning...
>>
>> ad init: tty (/dev/tty1) main process ended, respawning
>>
>> I need some help.
>>
>> Thanks !!!
>>
> Well, if you want somebody to help, you are going to have to provide a lot
> more info, what OS ? have you modified smb.conf on the Samba4 server ? what
> clients are you using, if linux, what is their smb.conf etc etc.
>
> Rowland
>
> I am running my Samba version 4.1.4 on a CentOS 6.5 with modified smb.conf
> as described below, and I do not have linux machines on Samba (only 81
> machines with windows yet) ... Thanks...
>
> # Global parameters
> [global]
>          workgroup = ABC
>          realm = ABC.COM.BR
>          netbios name = AD
>          server role = active directory domain controller
>          dns forwarder = 192.168.192.1
>          idmap_ldb:use rfc2307 = yes
>         interfaces = eth0
>          log level = 3
>          time server = yes
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/cnpasa.embrapa.br/scripts
>          read only = No
>
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
>
>
>
> 2014-07-30 15:00 GMT-03:00 <samba-request at lists.samba.org>:
>
>>
>> Today's Topics:
>>
>>     1. Re: Samba 4 AD share: Access denied (Rowland Penny)
>>     2. Re: S4-Winbind dumping core on password (smk_va)
>>     3. Re: tdb_rec_read bad magic (Andrew Bartlett)
>>     4. Re: SID transfer to fresh DC (Andrew Bartlett)
>>     5. nested groups on samba 3.6 server broken (Gaiseric Vandal)
>>     6. winbind rid changing user's UID and GID numbers - Samba 3.6
>>        (Robert Martel)
>>     7. Re: Winbind rid + SID History creating duplicate per-user
>>        groups (Josh Kelley)
>>     8. Re: Winbind rid + SID History creating duplicate per-user
>>        groups (Josh Kelley)
>>     9. open: /var/lib/samba/private/named.conf: permission denied
>>        (Carlos Ibrahim Arias)
>>    10. Re: dsacls (Stuart Naylor)
>>    11. [Announce] Samba 4.0.20 Available for Download (Karolin Seeger)
>>    12. Re: Winbind rid + SID History creating duplicate per-user
>>        groups (steve)
>>    13. Re: winbind rid changing user's UID and GID numbers - Samba
>>        3.6 (steve)
>>    14. Re: Samba 4 AD share: Access denied (steve)
>>    15. Re: winbind rid changing user's UID and GID numbers - Samba
>>        3.6 (Dale Schroeder)
>>    16. Re: open: /var/lib/samba/private/named.conf: permission
>>        denied (Davor Vusir)
>>    17. I getting some erros about SPNs and main process ended,
>>        respawning (Claudio Renato Cardoso)
>>    18. Re: I getting some erros about SPNs and main process ended,
>>        respawning (Rowland Penny)
>>    19. Re: Samba 4 AD share: Access denied (Ryan Ashley)
>>    20. Re: I getting some erros about SPNs and main process ended,
>>        respawning (Marc Muehlfeld)
>>
>>
>> ---------- Forwarded message ----------
>> From: Rowland Penny <rowlandpenny at googlemail.com>
>> To: samba at lists.samba.org
>> Cc:
>> Date: Tue, 29 Jul 2014 19:47:53 +0100
>> Subject: Re: [Samba] Samba 4 AD share: Access denied
>> On 29/07/14 18:42, steve wrote:
>>
>>> On Tue, 2014-07-29 at 18:18 +0100, Rowland Penny wrote:
>>>
>>>> On 29/07/14 18:01, Ryan Ashley wrote:
>>>>
>>>>> Yes, I see all domain users and groups, getent works with passwd and
>>>>> with any domain group, and shows things as they should be. Every group
>>>>> has a unique gid.
>>>>>
>>>> OK, then on paper everything is working as it should be, I cannot think
>>>> of anything else to do, anybody else have any input ???
>>>>
>>>> If nobody else has any input, it may be time to file a bug against samba.
>>>>
>>> Hi
>>> Our money is on the builtin acl which has started appearing in recent
>>> samba versions and explained earlier in this thread. winbind maps this
>>> group to a number in the idmap * range. This number does not coincide
>>> with the hard wired xidNumber in the separate idmap db on the DC.
>>>
>>> Otherwise, have one final check on winbind:
>>> http://linuxcostablanca.blogspot.com.es/2014/06/samba4-winbind-desperation.html
>>>
>>> If still nothing, go back to 4.1.6 or use sssd.
>>> HTH,
>>> Steve
>>>
>>>
>>>   Hi Steve, how about bug 10508 ??
>> https://bugzilla.samba.org/show_bug.cgi?id=10508
>>
>> Rowland
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: smk_va <smk_va at yahoo.com>
>> To: Andrew Bartlett <abartlet at samba.org>
>> Cc: "samba at lists.samba.org" <samba at lists.samba.org>
>> Date: Tue, 29 Jul 2014 12:04:17 -0700
>> Subject: Re: [Samba] S4-Winbind dumping core on password
>> I'm still having the issue that password authentication to a domain
>> account appears to cause sernet-samba-winbind to dump core.  I've attached
>> output from reproducing the error with "valgrind --trace-children=yes
>> winbindd", but this time with the debuginfo package installed (which
>> appears to give more information).  Help getting samba-4.1 working in our
>> AD environment would be much appreciated.
>>
>> Thanks,
>>      Murthy
>>
>>
>>
>>
>>
>> On Wednesday, November 20, 2013 6:47 PM, smk_va <smk_va at yahoo.com> wrote:
>> To follow up, I've tried with later versions of sernet-samba-4.0, and
>> today with sernet-samba-4.1.1.  The issue persists.
>>
>>
>> No problems logging in from windows with gssapi, and using services with
>> credentials from the ticket cache -- ssh, smbclient -k, etc. work just
>> fine.  Logging in with a password, sudo su, etc. all fail on password
>> exchange between pam and winbind.
>>
>> Thanks for looking into this,
>>      Murthy
>>
>>
>>
>>
>>
>>
>> On Monday, September 23, 2013 2:11 PM, smk_va <smk_va at yahoo.com> wrote:
>> Andrew,
>>
>> Thanks for looking into this.
>>
>> The attached captures the output from valgrind as requested, for two
>> failed attempts to "sudo su" with password from a domain account.  (I tried
>> adding the '-v' option to valgrind to display the "suppressed" errors, but
>> that didn't have the desired effect.)
>>
>> Let me know if there's more I can add, and I'll do my best to get you the
>> information.
>>
>> Thanks,
>>      Murthy
>>
>>
>>
>> ----- Original Message -----
>> From: Andrew Bartlett <abartlet at samba.org>
>> To: S Murthy Kambhampaty <smk_va at yahoo.com>
>> Cc: "samba at lists.samba.org" <samba at lists.samba.org>
>> Sent: Sunday, September 22, 2013 11:44 AM
>> Subject: Re: [Samba] S4-Winbind dumping core on password
>>
>> On Tue, 2013-09-17 at 15:31 -0700, S Murthy Kambhampaty wrote:
>>> Samba4-winbind (sernet-samba-4.0.9) on RHEL 6.4 dumps core on password
>>> authentication for a domain user (su/sudo), and so domain password
>>> authentication fails.  The machine is a standalone server in a Windows AD
>>> (2008R2) domain.
>>
>> Are you able to reproduce this with winbindd running under valgrind?
>> eg:
>>
>> valgrind --trace-children=yes winbindd
>>
>> Thanks,
>>
>> --
>> Andrew Bartlett                                http://samba.org/~abartlet/
>> Authentication Developer, Samba Team          http://samba.org
>>
>> ---------- Forwarded message ----------
>> From: Andrew Bartlett <abartlet at samba.org>
>> To: "Michał Półrolniczak" <michal.polrolniczak at warp.org.pl>
>> Cc: samba at lists.samba.org
>> Date: Wed, 30 Jul 2014 08:07:56 +1200
>> Subject: Re: [Samba] tdb_rec_read bad magic
>> On Thu, 2014-07-24 at 17:53 +0200, Michał Półrolniczak wrote:
>>> I think I know what happened to corrupt dns.
>>> I'm thinking that sysadmin did copy samba/dns/private when samba was
>>> running.
>>> And when something broke, restored to that version.
>>>
>>> I know that at Backup wiki there is info about not doing backup of
>>> running samba, but maybe adding "why" not to do that would open some
>>> eyes.
>>
>> The only way to get some of your data out of such a corrupt database
>> would be to use the 'ldbdump' tool, which is a low-level tool that will
>> walk the database looking for possibly valid records.
>>
>> I wrote this with the help of 'Rusty' when dealing with a corrupt
>> database at another site.
>>
>> The other option would be to try and re-create these databases.  Being
>> 'just' DNS, you might be able to make that work, particularly if you
>> were to create a BIND9_FLATFILE based zone, and then use
>> samba_upgradedns to re-import it.  Not trivial, and a fair bit of work,
>> but you should be able to save the rest of your database.
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett                       http://samba.org/~abartlet/
>> Authentication Developer, Samba Team  http://samba.org
>> Samba Developer, Catalyst IT
>> http://catalyst.net.nz/services/samba
>>
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Andrew Bartlett <abartlet at samba.org>
>> To: "Michał Półrolniczak" <michal.polrolniczak at warp.org.pl>
>> Cc: samba at lists.samba.org
>> Date: Wed, 30 Jul 2014 08:09:04 +1200
>> Subject: Re: [Samba] SID transfer to fresh DC
>> On Thu, 2014-07-24 at 17:51 +0200, Michał Półrolniczak wrote:
>>> thanks for link, I read it but my problem was to take SIDs from samba4
>>> to new samba4.
>>> I ended up adding them manually.
>> Be careful that if you force SIDs into Samba without reserving space for
>> them with the --next-rid parameter to provision, or without changing the
>> rid pools in the database, then adding future users will fail.
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett                       http://samba.org/~abartlet/
>> Authentication Developer, Samba Team  http://samba.org
>> Samba Developer, Catalyst IT
>> http://catalyst.net.nz/services/samba
>>
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Gaiseric Vandal <gaiseric.vandal at gmail.com>
>> To: Samba <samba at lists.samba.org>
>> Cc:
>> Date: Tue, 29 Jul 2014 16:32:22 -0400
>> Subject: [Samba] nested groups on samba 3.6 server broken
>> I am running a Samba 3.6.20  for my primary domain controller (+ main file
>> server) and my back up domain controller.  Each domain controller has an
>> LDAP backend-  the LDAP servers configured for multimaster replication.
>>
>>
>>
>>
>> I have domain trusts established with a Windows 2003 AD domain
>> ("WINDOMAIN") .      I have enabled nested groups in smb.conf. Winbind is
>> enabled to support domain trusts.  It isn't needed for users in the local
>> samba domain  ("SAMBADOMAIN") since the LDAP backend stores unix uid's and
>> gid's  as well as samba user SID's.
>>
>>
>> I had a shared directory on the primary server that I wanted to make more
>> easily accessible to members from the trusted Win 2003 domain.  Domain
>> trusts worked, and the trusted users had access to the parent directory.
>> But the problem was that every time someone in samba domain created a
>> new file in the directory, the trusted users did not automatically have
>> access.  The new file would inherit the primary group for the file from
>> the parent directory, but none of the ACEs for the trusted domain users.
>> Whoever created the new file could add the trusted domain users to that
>> file's ACL but they usually forgot to.
>>
>>
>>
>> The shared directory is owned by "projectX" group.   Originally the
>> directory was a domain group for the samba domain.   In the example below,
>>   the users thomas , richard and harold are members of the samba domain.
>>
>>
>> e.g.
>>
>> version: 1
>>
>> dn: cn=projectx,ou=group,o=mydomain.com
>> objectClass: sambaGroupMapping
>> objectClass: posixGroup
>> objectClass: top
>> cn: staff_planning
>> gidNumber: 123
>> sambaGroupType: 2
>> sambaSID: S-1-5-21-111111-222222-333333-10123
>> description: projectx
>> displayName: projectx
>> memberUid: thomas
>> memberUid: richard
>> memberUid: harold
>> entrydn: cn=projectx,ou=group,o=mydomain.com
>>
>>
>> I wanted to be able to add users from the trusted domain to this group.
>> Adding a "WINDOMAIN\user" as a memberUid was not sufficient.  So I
>> changed the group to a "local" (aka "nested") group - basically
>> by changing the group type from 2 to 4.  I could then use the net command
>> to add users from the trusted domain
>>
>>
>>
>> e.g
>>
>> net  rpc group  addmem projectX  "WINDOMAIN\peter "   -U
>> "SAMBADOMAIN\Administrator"
>>
>>
>>
>> This would add the sambasidlist attribute  to the LDAP entry.
>>
>> e.g.
>>
>>
>> version: 1
>>
>> dn: cn=projectx,ou=group,o=mydomain.com
>> objectClass: sambaGroupMapping
>> objectClass: posixGroup
>> objectClass: top
>> cn: staff_planning
>> gidNumber: 123
>> sambaGroupType: 4
>> sambaSID: S-1-5-21-111111-222222-333333-10123
>> description: projectX
>> displayName: projectX
>> memberUid: thomas
>> memberUid: richard
>> memberUid: harold
>> entrydn: cn=projectx,ou=group,o=mydomain.com
>> sambasidlist: S-1-5-21-88888-99999-00000-10001
>> sambasidlist: S-1-5-21-88888-99999-00000-10002
>> sambasidlist: S-1-5-21-88888-99999-00000-10003
>>
>>
>> I can also add users and groups from the samba domain to the group with
>> the net command, but there isn't much benefit to this.
>>
>> I can verify the members with "net  rpc group  members projectX."
>>
>> This worked fine for maybe 6 months.  Last week (maybe 2 weeks ago) users
>> from the trusted domain reported that this no longer worked. (If they
>> explicitly have permissions to the file, then they have access but the
>> group membership functionality no longer works.)
>>
>>
>> The "net rpc user info" command only works for local users - but that had
>> always been the case.
>>
>> E.g.
>>
>> # net rpc user info  thomas   -U Administrator
>> Enter Administrator's password:
>> Domain Users
>> projectX
>>
>>
>> # net rpc user info  "SAMBADOMAIN\thomas"   -U Administrator
>> Failed to get groups for 'SAMBADOMAIN\thomas' with error: Could not map
>> names to SIDs.
>>
>> # net rpc user info  "WINDOMAIN\peter "   -U Administrator
>> Failed to get groups for 'WINDOMAIN\peter' with error: Could not map names
>> to SIDs.
>>
>>
>> A few months ago I updated from Samba 3.5.x to Samba 3.6.20.  I do not
>> think this corresponds to the nested groups breaking, since the problem was
>> not reported until months later.
>>
>>
>> The "net  rpc group  delmem" also no longer works, tho this may be related
>> to the samba upgrade.  I can still delete sambasidlist entries with ldap
>> tools.
>>
>>
>>
>> wbinfo  shows that the user id's, sids and names are all consistent for
>> trusted users.   The getent and id commands work with trusted users.  I can
>> make a trusted user the owner of a file.
>>
>>
>> Samba logs show the trusted users being denied access to the files, so it
>> seems clear that the group membership is just not being recognized.
>>
>>
>> Any help is appreciated.
>>
>> Thanks
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Robert Martel <r.martel at csuohio.edu>
>> To: Samba mailing list <samba at lists.samba.org>
>> Cc:
>> Date: Tue, 29 Jul 2014 16:28:22 -0400
>> Subject: [Samba] winbind rid changing user's UID and GID numbers - Samba
>> 3.6
>> Greetings,
>>
>> For a number of samba iterations I've been using Samba with winbind to
>> keep AD users' UNIX UIDs and GIDs the same across several systems.  I
>> don't run the Active Directory set-up and those that do are NOT going to
>> make any alterations to make my life easier.  So I have always used
>> idmap_rid to keep consistent UID/GID numbers across all my UNIX machines.
>>
>> This has worked very well, and the UIDs and GIDs were consistent across
>> the different hosts...until I upgraded one of the Solaris 10 boxes to Samba
>> 3.6.24 from 3.5.8.  Now it seems that users' UIDs and GIDs are getting
>> altered on some random (to me) basis....but not all of them and not all at
>> the same time.  Where I had seen a user that always received 101888 as
>> their UID for years and "Domain Users" had a GID of 10513 for years now
>> they receive something different.
>>
>> Three other Solaris hosts have been running Samba 3.6.x for some time and
>> never exhibited this sort of behavior.  Something up with winbind or some
>> change in behavior that I overlooked?  Documentation for winbind
>> configuration for AD member servers using rid has always seemed a bit thin
>> to me so I'd not be surprised to see that I am missing something. With so
>> many older examples of smb.conf out there it can be difficult to figure out
>> which are current/correct.
>>
>> Any thoughts/help would be appreciated.
>>
>>
>> -------------------------------
>> # 3.6.24 IDMAP settings
>>     winbind use default domain = yes
>>     template homedir = /home/%U
>>     template shell = /usr/bin/bash
>>     idmap config * : range =  10000-100000000
>>     idmap config * : backend = tdb
>>     idmap config CSUNET:  default = yes
>>     idmap config CSUNET:  backend = rid
>>     idmap config CSUNET:  range =  10000-100000000
>>
>> -------------------------------
>> --
>> ***********************************************************************
>> Robert M. Martel                 I met someone who looks a lot like you
>> System Administrator             She does the things you do
>> Levin College of Urban Affairs   But she is an IBM
>> Cleveland State University                           -Jeff Lynne
>> (216) 687-2214
>> r.martel at csuohio.edu
>> ***********************************************************************
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Josh Kelley <joshkel at gmail.com>
>> To: steve <steve at steve-ss.com>
>> Cc: "samba at lists.samba.org" <samba at lists.samba.org>
>> Date: Tue, 29 Jul 2014 16:50:08 -0400
>> Subject: Re: [Samba] Winbind rid + SID History creating duplicate per-user
>> groups
>> On Tue, Jul 29, 2014 at 4:17 AM, steve <steve at steve-ss.com> wrote:
>>> Hi
>>> You need both
>>> 1. the *
>>> and the
>>> 2. MYDOMAIN
>>> ranges listed in [global]
>>> and
>>> 3. Those ranges must not overlap.
>> Thanks.  I thought I had the MYDOMAIN working by itself, but I think
>> my mistake was that I'd failed to clear winbind's caches and was
>> seeing old info.  (I don't know if there's a recommended way of
>> testing winbind configs besides deleting winbind*.tdb and
>> gencache*.tdb between tests.)
>>
>>> If you want consistent id mapping across the whole of the domain you
>>> must put your uid:gid pairs in AD and use the AD backend. It may be
>>> possible without but after years of trying, we've never achieved it.
>> We've been using rid for consistent mapping for several years now.
>> Prior to upgrading to Samba 4.x, it never caused problems.
>>
>> --
>> Josh Kelley
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Josh Kelley <joshkel at gmail.com>
>> To: Rowland Penny <rowlandpenny at googlemail.com>
>> Cc: "samba at lists.samba.org" <samba at lists.samba.org>
>> Date: Tue, 29 Jul 2014 17:15:53 -0400
>> Subject: Re: [Samba] Winbind rid + SID History creating duplicate per-user
>> groups
>> On Mon, Jul 28, 2014 at 11:42 AM, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>> There is quite a lot of your smb.conf that is not really required any
>>> more, have a look here:
>>>
>>>   https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>> Thanks.  I'll work on cleaning it up.
>>
>>> I do not think that winbind itself can create users and groups,
>>> simplifying things a lot, it just pulls info from somewhere, in this case
>>> the AD database, so if your users have a group with the same name as
>>> their username, somebody or something is creating them.
>> Maybe my choice of terminology was poor?  Winbind creates Unix users
>> and groups that correspond to the info that it pulls from Active
>> Directory.
>>
>> After spending far too much time experimenting with old versions, I
>> discovered that winbind *does* create per-user groups (sometimes
>> referred to as "user private groups"), starting with 4.0.5.  More
>> info:
>>
>>
>> http://git.samba.org/?p=samba.git;a=commit;h=d2360fe56c860fa20051f6373eb2fcc3e4def6b6
>> https://lists.samba.org/archive/samba-technical/2013-July/093986.html
>>
>> User private groups is apparently a feature and cannot be disabled.  I
>> don't know (or don't know the intricacies of user/group mapping and AD
>> compatibility well enough to understand) why it was added, but it
>> should generally be harmless for a Unix environment.
>>
>> I believe that the fact that SID history can cause duplicate groups to
>> be created is a bug, and I've logged it at
>> https://bugzilla.samba.org/show_bug.cgi?id=10753.
>>
>> Thanks for your help.
>>
>> --
>> Josh Kelley
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Carlos Ibrahim Arias <carlos at braimtec.com>
>> To: samba at lists.samba.org
>> Cc:
>> Date: Wed, 30 Jul 2014 01:06:35 +0100
>> Subject: [Samba] open: /var/lib/samba/private/named.conf: permission denied
>> Hello everyone,
>>
>> I'm deploying samba on a CentOS Server following the guide 'Samba AD DC
>> How To' at wiki.samba.org. Everything has gone right till I got to the
>> section 'Configuring Bind as Samba Active Directory backend'.
>>
>> Firstly Bind could not access '/var/lib/samba/private/named.conf' when
>> adding the option 'include "/var/lib/samba/private/named.conf";' to
>> /etc/named.conf. I got the error message of the subject.
>>
>> I "solved" this adding the content to the named.conf file at
>> /etc/named.conf but it did not work either. I got the following message:
>>
>> Jul 30 00:33:27 braimone named[2299]: loading configuration from '/etc/named.conf'
>> Jul 30 00:33:27 braimone named[2299]: using default UDP/IPv4 port range: [1024, 65535]
>> Jul 30 00:33:27 braimone named[2299]: using default UDP/IPv6 port range: [1024, 65535]
>> Jul 30 00:33:27 braimone named[2299]: listening on IPv4 interface lo, 127.0.0.1#53
>> Jul 30 00:33:27 braimone named[2299]: listening on IPv4 interface eth1, 192.168.2.1#53
>> Jul 30 00:33:27 braimone named[2299]: generating session key for dynamic DNS
>> Jul 30 00:33:27 braimone named[2299]: sizing zone task pool based on 5 zones
>> Jul 30 00:33:27 braimone named[2299]: Loading 'AD DNS Zone' using driver dlopen
>> Jul 30 00:33:29 braimone named[2299]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
>> Jul 30 00:33:29 braimone named[2299]: dlz_dlopen of 'AD DNS Zone' failed
>> Jul 30 00:33:29 braimone named[2299]: SDLZ driver failed to load.
>> Jul 30 00:33:29 braimone named[2299]: DLZ driver failed to load.
>> Jul 30 00:33:29 braimone named[2299]: loading configuration: failure
>> Jul 30 00:33:29 braimone named[2299]: exiting (due to fatal error)
>>
>> SElinux is set to enforced but I’m not getting any error, the permissions
>> are properly set and I don’t know what else I can do.
>>
>> Can anyone help?
>>
>> Thanks in advance!
>>
>>
>> ---------- Forwarded message ----------
>> From: "Stuart Naylor" <stuartiannaylor at thursbygarden.org>
>> To: "Quentin Gibeaux" <qgibeaux at iris-tech.fr>, "samba at lists.samba.org" <
>> samba at lists.samba.org>
>> Cc:
>> Date: Wed, 30 Jul 2014 04:06:20 +0100
>> Subject: Re: [Samba] dsacls
>> Many Thanks
>>
>> So much of samba-tool is undocumented but my bad.
>>
>> Any examples to allow administrators only and the owner user?
>>
>>
>>
>> -----Original message-----
>>> From:Quentin Gibeaux <qgibeaux at iris-tech.fr>
>>> Sent: Tuesday 29th July 2014 11:17
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] dsacls
>>>
>>> On 29/07/2014 12:05, Stuart Naylor wrote:
>>>> Are there any deny tools with samba4? Like the below example?
>>>>
>>>> To set the permission to deny read access of the homePhone attribute
>>>> on a single user object, you can use this command:
>>>> dsacls <DN of object> /D <security principal>:RP;homePhone
>>>> For our example, the command would look like this:
>>>>
>>>> dsacls "CN=Doe\, John,OU=newOU,DC=root,DC=net" /D root\non-HR-users:RP;homePhone
>>>>
>>>>
>>>>
>>> It seems samba-tool does this :
>>>
>>> ~# samba-tool dsacl
>>> Usage: samba-tool dsacl <subcommand>
>>>
>>> DS ACLs manipulation.
>>>
>>>
>>> Options:
>>>     -h, --help  show this help message and exit
>>>
>>>
>>> Available subcommands:
>>>     set  - Modify access list on a directory object.
>>>
>>>
>>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Karolin Seeger <kseeger at samba.org>
>> To: samba-announce at samba.org, samba at samba.org, samba-technical at samba.org
>> Cc:
>> Date: Wed, 30 Jul 2014 11:44:12 +0200
>> Subject: [Samba] [Announce] Samba 4.0.20 Available for Download
>> =======================================================================
>>                                  "I told Mario Goetze, 'go out and show
>>                                   the world you are better than Messi!'"
>>
>>                                   Joachim Loew
>> =======================================================================
>>
>> Release Announcements
>> ---------------------
>>
>> This is the latest stable release of the Samba 4.0 release series.
>>
>>
>> Changes since 4.0.19:
>> ---------------------
>>
>> o   Jeremy Allison <jra at samba.org>
>>      * BUG 3124: s3: smb2: Fix 'xcopy /d' with samba shares.
>>      * BUG 10653: Samba won't start on a machine configured with only IPv4.
>>      * BUG 10673: s3: SMB2: Fix leak of blocking lock records in the
>>        database.
>>      * BUG 10684: SMB1 blocking locks can fail notification on unlock,
>>        causing client timeout.
>>      * BUG 10685: s3: smbd: Locking, fix off-by one calculation in
>>        brl_pending_overlap().
>>      * BUG 10692: wbcCredentialCache fails if challenge_blob is not first.
>>
>>
>> o   Andrew Bartlett <abartlet at samba.org>
>>      * BUG 10627: rid_array used before status checked - segmentation fault
>>        due to null pointer dereference.
>>
>>
>> o   David Disseldorp <ddiss at samba.org>
>>      * BUG 10612: printing: Fix purge of all print jobs.
>>
>>
>> o   Björn Jacke <bj at sernet.de>
>>      * BUG 3263: net/doc: Make clear that net vampire is for NT4 domains
>>        only.
>>      * BUG 10657: autobuild: Delete $NSS_MODULES in "make clean".
>>
>>
>> o   Volker Lendecke <vl at samba.org>
>>      * BUG 10663: msg_channel: Fix a 100% CPU loop.
>>      * BUG 10680: smbstatus: Fix an uninitialized variable.
>>      * BUG 10687: 'RW2' smbtorture test fails when -N <numprocs> is set to
>>        2 due to the invalid status check in the second client.
>>      * BUG 10699: smbd: Avoid double-free in get_print_db_byname.
>>
>>
>> o   Stefan Metzmacher <metze at samba.org>
>>      * BUG 10469: ldb-samba: fix a memory leak in
>>        ldif_canonicalise_objectCategory().
>>      * BUG 10692: wbcCredentialCache fails if challenge_blob is not first.
>>      * BUG 10696: Backport autobuild/selftest fixes from master.
>>      * BUG 10706: s3:smb2_read: let smb2_sendfile_send_data() behave like
>>        send_file_readX().
>>
>>
>> #######################################
>> Reporting bugs & Development Discussion
>> #######################################
>>
>> Please discuss this release on the samba-technical mailing list or by
>> joining the #samba-technical IRC channel on irc.freenode.net.
>>
>> If you do report problems then please try to send high quality
>> feedback. If you don't provide vital information to help us track down
>> the problem then you will probably be ignored.  All bug reports should
>> be filed under the Samba 4.0 product in the project's Bugzilla
>> database (https://bugzilla.samba.org/).
>>
>>
>> ======================================================================
>> == Our Code, Our Bugs, Our Responsibility.
>> == The Samba Team
>> ======================================================================
>>
>> ================
>> Download Details
>> ================
>>
>> The uncompressed tarballs and patch files have been signed
>> using GnuPG (ID 6568B7EA).  The source code can be downloaded
>> from:
>>
>>          http://download.samba.org/samba/ftp/stable/
>>
>> The release notes are available online at:
>>
>>          http://www.samba.org/samba/history/samba-4.0.20.html
>>
>> Binary packages will be made available on a volunteer basis from
>>
>>          http://download.samba.org/samba/ftp/Binary_Packages/
>>
>> Our Code, Our Bugs, Our Responsibility.
>> (https://bugzilla.samba.org/)
>>
>>                          --Enjoy
>>                          The Samba Team
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: steve <steve at steve-ss.com>
>> To: Josh Kelley <joshkel at gmail.com>
>> Cc: "samba at lists.samba.org" <samba at lists.samba.org>
>> Date: Wed, 30 Jul 2014 11:47:48 +0200
>> Subject: Re: [Samba] Winbind rid + SID History creating duplicate per-user
>> groups
>> On Tue, 2014-07-29 at 16:50 -0400, Josh Kelley wrote:
>>> On Tue, Jul 29, 2014 at 4:17 AM, steve <steve at steve-ss.com> wrote:
>>>> Hi
>>>> You need both
>>>> 1. the *
>>>> and the
>>>> 2. MYDOMAIN
>>>> ranges listed in [global]
>>>> and
>>>> 3. Those ranges must not overlap.
>>> Thanks.  I thought I had the MYDOMAIN working by itself, but I think
>>> my mistake was that I'd failed to clear winbind's caches and was
>>> seeing old info.  (I don't know if there's a recommended way of
>>> testing winbind configs besides deleting winbind*.tdb and
>>> gencache*.tdb between tests.)
>> Hi
>> We use:
>> net cache flush
>> HTH,
>> Steve
>>
>>>> If you want consistent id mapping across the whole of the domain you
>>>> must put your uid:gid pairs in AD and use the AD backend. It may be
>>>> possible without but after years of trying, we've never achieved it.
>>> We've been using rid for consistent mapping for several years now.
>>> Prior to upgrading to Samba 4.x, it never caused problems.
>>>
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: steve <steve at steve-ss.com>
>> To: samba at lists.samba.org
>> Cc:
>> Date: Wed, 30 Jul 2014 11:50:38 +0200
>> Subject: Re: [Samba] winbind rid changing user's UID and GID numbers -
>> Samba 3.6
>> On Tue, 2014-07-29 at 16:28 -0400, Robert Martel wrote:
>>
>>> Any thoughts/help would be appreciated.
>>>
>>>
>>> -------------------------------
>>> # 3.6.24 IDMAP settings
>>>      winbind use default domain = yes
>>>      template homedir = /home/%U
>>>      template shell = /usr/bin/bash
>>>      idmap config * : range =  10000-100000000
>>>      idmap config * : backend = tdb
>>>      idmap config CSUNET:       default = yes
>>>      idmap config CSUNET:       backend = rid
>>>      idmap config CSUNET:       range =  10000-100000000
>> Hi
>> Overlapping ranges.
>> HTH,
>> Steve
>>
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: steve <steve at steve-ss.com>
>> To: samba at lists.samba.org
>> Cc:
>> Date: Wed, 30 Jul 2014 12:01:07 +0200
>> Subject: Re: [Samba] Samba 4 AD share: Access denied
>> On Tue, 2014-07-29 at 19:47 +0100, Rowland Penny wrote:
>>> On 29/07/14 18:42, steve wrote:
>>>> On Tue, 2014-07-29 at 18:18 +0100, Rowland Penny wrote:
>>>>> On 29/07/14 18:01, Ryan Ashley wrote:
>>>>>> Yes, I see all domain users and groups, getent works with passwd and
>>>>>> with any domain group, and shows things as they should be. Every group
>>>>>> has a unique gid.
>>>>> OK, then on paper everything is working as it should be, I cannot think
>>>>> of anything else to do, anybody else have any input ???
>>>>>
>>>>> If nobody else has any input, it may be time to file a bug against samba.
>>>> Hi
>>>> Our money is on the builtin acl which has started appearing in recent
>>>> samba versions and explained earlier in this thread. winbind maps this
>>>> group to a number in the idmap * range. This number does not coincide
>>>> with the hard wired xidNumber in the separate idmap db on the DC.
>>>>
>>>> Otherwise, have one final check on winbind:
>>>>
>>>> http://linuxcostablanca.blogspot.com.es/2014/06/samba4-winbind-desperation.html
>>>> If still nothing, go back to 4.1.6 or use sssd.
>>>> HTH,
>>>> Steve
>>>>
>>>>
>>> Hi Steve, how about bug 10508 ??
>>>
>>> https://bugzilla.samba.org/show_bug.cgi?id=10508
>>>
>>> Rowland
>>>
>> Hi Rowland,
>> Yes, it looks possible.
>> Could OP tell us if his ntadmins is local to /etc/group? Also, what
>> does:
>>   wbinfo --uid-to-sid=70028
>> give us?
>> Steve
>>
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Dale Schroeder <dale at BriannasSaladDressing.com>
>> To: Robert Martel <r.martel at csuohio.edu>, Samba mailing list <
>> samba at lists.samba.org>
>> Cc:
>> Date: Tue, 29 Jul 2014 16:08:47 -0500
>> Subject: Re: [Samba] winbind rid changing user's UID and GID numbers -
>> Samba 3.6
>> Robert,
>>
>> You have the same range for * and CSUNET.  Those ranges cannot overlap, so
>> fixing those would be the place to start.
>>
>> Dale
>>
>> On 07/29/2014 3:28 PM, Robert Martel wrote:
>>
>>> Greetings,
>>>
>>> For a number of samba iterations I've been using Samba with winbind to
>>> keep AD users' UNIX UIDs and GIDs the same across several systems.  I
>>> don't run the Active Directory set-up and those that do are NOT going to
>>> make any alterations to make my life easier.  So I have always used
>>> idmap_rid to keep consistent UID/GID numbers across all my UNIX machines.
>>>
>>> This has worked very well, and the UIDs and GIDs were consistent across
>>> the different hosts...until I upgraded one of the Solaris 10 boxes to Samba
>>> 3.6.24 from 3.5.8.  Now it seems that users' UIDs and GIDs are getting
>>> altered on some random (to me) basis....but not all of them and not all at
>>> the same time.  Where I had seen a user that always received 101888 as
>>> their UID for years and "Domain Users" had a GID of 10513 for years now
>>> they receive something different.
>>>
>>> Three other Solaris hosts have been running Samba 3.6.x for some time and
>>> never exhibited this sort of behavior.  Something up with winbind or some
>>> change in behavior that I overlooked? Documentation for winbind
>>> configuration for AD member servers using rid has always seemed a bit thin
>>> to me so I'd not be surprised to see that I am missing something. With so
>>> many older examples of smb.conf out there it can be difficult to figure out
>>> which are current/correct.
>>>
>>> Any thoughts/help would be appreciated.
>>>
>>>
>>> -------------------------------
>>> # 3.6.24 IDMAP settings
>>>     winbind use default domain = yes
>>>     template homedir = /home/%U
>>>     template shell = /usr/bin/bash
>>>     idmap config * : range =  10000-100000000
>>>     idmap config * : backend = tdb
>>>     idmap config CSUNET:     default = yes
>>>     idmap config CSUNET:     backend = rid
>>>     idmap config CSUNET:     range =  10000-100000000
>>>
>>> -------------------------------
>>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Davor Vusir <davortvusir at gmail.com>
>> To: Carlos Ibrahim Arias <carlos at braimtec.com>
>> Cc: samba at lists.samba.org
>> Date: Wed, 30 Jul 2014 15:19:42 +0200
>> Subject: Re: [Samba] open: /var/lib/samba/private/named.conf: permission
>> denied
>> On 30 Jul 2014 02:07, "Carlos Ibrahim Arias" <carlos at braimtec.com> wrote:
>>> Hello everyone,
>>>
>>> I’m deploying samba on a CentOS Server following the guide 'Samba AD DC How To' at wiki.samba.org. Everything has gone right till I got to the section 'Configuring Bind as Samba Active Directory backend'.
>>> Firstly Bind could not access '/var/lib/samba/private/named.conf' when adding the option 'include "/var/lib/samba/private/named.conf";' to /etc/named.conf. I got the error message of the subject.
>>> I "solved" this adding the content to the named.conf file at /etc/named.conf but it did not work either. I got the following message:
>>> Jul 30 00:33:27 braimone named[2299]: loading configuration from '/etc/named.conf'
>>> Jul 30 00:33:27 braimone named[2299]: using default UDP/IPv4 port range: [1024, 65535]
>>> Jul 30 00:33:27 braimone named[2299]: using default UDP/IPv6 port range: [1024, 65535]
>>> Jul 30 00:33:27 braimone named[2299]: listening on IPv4 interface lo, 127.0.0.1#53
>>> Jul 30 00:33:27 braimone named[2299]: listening on IPv4 interface eth1, 192.168.2.1#53
>>> Jul 30 00:33:27 braimone named[2299]: generating session key for dynamic DNS
>>> Jul 30 00:33:27 braimone named[2299]: sizing zone task pool based on 5 zones
>>> Jul 30 00:33:27 braimone named[2299]: Loading 'AD DNS Zone' using driver dlopen
>>
>> Replace 'AD DNS Zone' with your DNS domain in Samba's private/named.conf.
>> And restart bind.
>>
>> Regards
>> Davor
>>
>>> Jul 30 00:33:29 braimone named[2299]: samba_dlz: Failed to connect to /var/lib/samba/private/dns/sam.ldb
>>> Jul 30 00:33:29 braimone named[2299]: dlz_dlopen of 'AD DNS Zone' failed
>>> Jul 30 00:33:29 braimone named[2299]: SDLZ driver failed to load.
>>> Jul 30 00:33:29 braimone named[2299]: DLZ driver failed to load.
>>> Jul 30 00:33:29 braimone named[2299]: loading configuration: failure
>>> Jul 30 00:33:29 braimone named[2299]: exiting (due to fatal error)
>>>
>>> SELinux is set to enforced but I’m not getting any error, the permissions are properly set and I don’t know what else I can do.
>>> Can anyone help?
>>>
>>> Thanks in advance!
>>
>>
>> ---------- Forwarded message ----------
>> From: Claudio Renato Cardoso <claudiocardoso60 at gmail.com>
>> To: samba at lists.samba.org
>> Cc:
>> Date: Wed, 30 Jul 2014 10:38:43 -0300
>> Subject: [Samba] I getting some erros about SPNs and main process ended,
>> respawning
>> Please, I am getting some errors about SPNs and main process ended respawning,
>> below are the errors that I am getting in the messages log
>>
>>
>> 5 or more machines are getting "Failed to modify SPNs on
>> CN=PC-2902194,OU=XXXXX ,DC=ABC,DC=com,DC=br: error in module acl:
>> Constraint violation (19)"
>>
>>
>> another problem is more serious ... I really need help because the main
>> process of Samba4 is respawning...
>>
>> ad init: tty (/dev/tty1) main process ended, respawning
>>
>> I need some help.
>>
>> Thanks !!!
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Rowland Penny <rowlandpenny at googlemail.com>
>> To: samba at lists.samba.org
>> Cc:
>> Date: Wed, 30 Jul 2014 15:03:54 +0100
>> Subject: Re: [Samba] I getting some erros about SPNs and main process
>> ended, respawning
>> On 30/07/14 14:38, Claudio Renato Cardoso wrote:
>>
>>> Please, I am getting some errors about SPNs and main process ended respawning,
>>> below are the errors that I am getting in the messages log
>>>
>>>
>>> 5 or more machines are getting "Failed to modify SPNs on
>>> CN=PC-2902194,OU=XXXXX ,DC=ABC,DC=com,DC=br: error in module acl:
>>> Constraint violation (19)"
>>>
>>>
>>> another problem is more serious ... I really need help because the main
>>> process of Samba4 is respawning...
>>>
>>> ad init: tty (/dev/tty1) main process ended, respawning
>>>
>>> I need some help.
>>>
>>> Thanks !!!
>>>
>> Well, if you want somebody to help, you are going to have to provide a lot
>> more info, what OS ? have you modified smb.conf on the Samba4 server ? what
>> clients are you using, if linux, what is their smb.conf etc etc.
>>
>> Rowland
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Ryan Ashley <ryana at reachtechfp.com>
>> To: samba at lists.samba.org
>> Cc:
>> Date: Wed, 30 Jul 2014 10:18:15 -0400
>> Subject: Re: [Samba] Samba 4 AD share: Access denied
>> Sorry for the delay. I am in eastern time and have been busy with another
>> project. I cannot convert that ID to SID. In Windows however, this shows as
>> "SYSTEM". How do I know? Simple, there are only three things listed. Those
>> are "Domain Admins", "Administration", and "SYSTEM". Also, what do you mean
>> by "ntadmins" being local? I have added no groups to the Linux systems, so
>> if you're asking if it is a local group on the Linux box, no it is not. I
>> can remove the SYSTEM account from the share if needed, but it is on all
>> Windows shares as well and causes no issues.
>>
>> failed to call wbcUidToSid: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not convert uid 70028 to sid
>>
>> On 7/30/2014 6:01 AM, steve wrote:
>>
>>> On Tue, 2014-07-29 at 19:47 +0100, Rowland Penny wrote:
>>>
>>>> On 29/07/14 18:42, steve wrote:
>>>>
>>>>> On Tue, 2014-07-29 at 18:18 +0100, Rowland Penny wrote:
>>>>>
>>>>>> On 29/07/14 18:01, Ryan Ashley wrote:
>>>>>>
>>>>>>> Yes, I see all domain users and groups, getent works with passwd and
>>>>>>> with any domain group, and shows things as they should be. Every group
>>>>>>> has a unique gid.
>>>>>>>
>>>>>> OK, then on paper everything is working as it should be, I cannot think
>>>>>> of anything else to do, anybody else have any input ???
>>>>>>
>>>>>> If nobody else has any input, it may be time to file a bug against
>>>>>> samba.
>>>>>>
>>>>> Hi
>>>>> Our money is on the builtin acl which has started appearing in recent
>>>>> samba versions and explained earlier in this thread. winbind maps this
>>>>> group to a number in the idmap * range. This number does not coincide
>>>>> with the hard wired xidNumber in the separate idmap db on the DC.
>>>>>
>>>>> Otherwise, have one final check on winbind:
>>>>> http://linuxcostablanca.blogspot.com.es/2014/06/samba4-winbind-desperation.html
>>>>>
>>>>> If still nothing, go back to 4.1.6 or use sssd.
>>>>> HTH,
>>>>> Steve
>>>>>
>>>>>
>>>> Hi Steve, how about bug 10508 ??
>>>> https://bugzilla.samba.org/show_bug.cgi?id=10508
>>>>
>>>> Rowland
>>>>
>>> Hi Rowland,
>>> Yes, it looks possible.
>>> Could OP tell us if his ntadmins is local to /etc/group? Also, what
>>> does:
>>>    wbinfo --uid-to-sid=70028
>>> give us?
>>> Steve
>>>
>>>
>>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Marc Muehlfeld <mmuehlfeld at samba.org>
>> To: Claudio Renato Cardoso <claudiocardoso60 at gmail.com>,
>> samba at lists.samba.org
>> Cc:
>> Date: Wed, 30 Jul 2014 17:37:41 +0200
>> Subject: Re: [Samba] I getting some erros about SPNs and main process
>> ended, respawning
>> Hello Claudio,
>>
>> On 30.07.2014 15:38, Claudio Renato Cardoso wrote:
>>> Please, I am getting some errors about SPNs and main process ended respawning,
>>> below are the errors that I am getting in the messages log
>>>
>>> 5 or more machines are getting "Failed to modify SPNs on
>>> CN=PC-2902194,OU=XXXXX ,DC=ABC,DC=com,DC=br: error in module acl:
>>> Constraint violation (19)"
>> That's nothing serious and a known bug:
>> https://bugzilla.samba.org/show_bug.cgi?id=9316
>>
>>
>>
>>
>>> another problem is more serious ... I really need help because the main
>>> process of Samba4 is respawning...
>>>
>>> ad init: tty (/dev/tty1) main process ended, respawning
>>>
>>> I need some help.
>> Provide more details and I'm sure we can help. ;-)
>>
>>
>> Regards,
>> Marc
>>
>>
>>
>>
As Marc has already said, there is a bug report open for your first 
problem and after considering it, I do not think that your second 
problem has anything to do with Samba, it is possibly a problem with 
initscripts.

Rowland


