[Samba] Bug found in Samba 4 ?

Ricky Nance ricky.nance at gmail.com
Mon Jan 5 12:36:45 MST 2015


On Sun, Jan 4, 2015 at 8:55 AM, Denis BUCHER <dbucherml at hsolutions.ch>
wrote:

>  On 31.12.2014 17:19, Ricky Nance wrote:
>
>
>
> On Wed, Dec 31, 2014 at 3:02 AM, Denis BUCHER <dbucherml at hsolutions.ch>
> wrote:
>
>>  On 29.12.2014 20:46, Ricky Nance wrote:
>>
>>
>> On Sat, Dec 27, 2014 at 8:39 AM, Denis BUCHER <dbucherml at hsolutions.ch>
>> wrote:
>>
>>>  Dear Ricky,
>>>
>>> Yes, in my original post, below, I gave some details about smb.conf, but
>>> to summarize:
>>>
>>>     - I am using Samba 4.1.11.
>>>       -  server role = classic primary domain controller
>>>       -  domain logons = yes
>>>       -  domain master = yes
>>>
>>>
>>>    - When I define a fixed-name as logon script in smb.conf, it works :
>>>    -  logon script = employee.bat
>>>    - But if I try either %g.bat or %G.bat, or even "%G.bat", it doesn't
>>>    work :
>>>
>>>
>>>    -  logon script = %g.bat
>>>    -  logon script = %G.bat
>>>    -  logon script = "%G.bat"
>>>
>>> I can give more details, now:
>>>
>>>    -
>>>
>>>    I tried this, which proves that while only %U is working, all others (%G, %g, %u) are broken :
>>>    logon script = %G%g%U%u.bat
>>>    And the associated logs :
>>>
>>>    [2014/12/26 10:58:44.958812,  5] ../source3/smbd/filename.c:258(unix_convert)
>>>      unix_convert called on file "%G%gdbucher%u.bat"
>>>    [2014/12/26 10:58:44.958863,  5] ../source3/smbd/filename.c:421(unix_convert)
>>>      unix_convert begin: name = %G%gdbucher%u.bat, dirpath = , start = %G%gdbucher%u.bat
>>>    [2014/12/26 10:58:44.958956,  5] ../source3/smbd/filename.c:816(unix_convert)
>>>      New file %G%gdbucher%u.bat
>>>    [2014/12/26 10:58:44.959002,  3] ../source3/smbd/vfs.c:1137(check_reduced_name)
>>>      check_reduced_name [%G%gdbucher%u.bat] [/data/shares/netlogon]
>>>    [2014/12/26 10:58:44.959052,  3] ../source3/smbd/vfs.c:1267(check_reduced_name)
>>>      check_reduced_name: %G%gdbucher%u.bat reduced to /data/shares/netlogon/%G%gdbucher%u.bat
>>>    [2014/12/26 10:58:44.959106,  5] ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order)
>>>      check lock order 1 for /var/run/samba/smbXsrv_open_global.tdb
>>>    [2014/12/26 10:58:44.959185,  5] ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
>>>      release lock order 1 for /var/run/samba/smbXsrv_open_global.tdb
>>>    [2014/12/26 10:58:44.959230,  5] ../source3/smbd/files.c:128(file_new)
>>>      allocated file structure fnum 491426714 (5 used)
>>>    [2014/12/26 10:58:44.959276,  3] ../source3/smbd/dosmode.c:163(unix_mode)
>>>      unix_mode(%G%gdbucher%u.bat) returning 0744
>>>
>>>
>>> Denis
>>>
>>> On 26.12.2014 23:41, Ricky Nance wrote:
>>>
>>> Sorry for not replying earlier Dennis, but it's been a bit crazy the last
>>> week or two with the holidays. Can you explain more about your
>>> configuration setup (smb.conf would be handy)?
>>>
>>> Thanks,
>>> Ricky
>>>
>>>
>>> On Fri, Dec 26, 2014 at 3:13 AM, Denis BUCHER <dbucherml at hsolutions.ch>
>>> wrote:
>>>
>>>>
>>>>
>>>> Dear all,
>>>>
>>>> As nobody seems to know what the problem could be, I think it must be an
>>>> important bug in Samba 4 that "forgets" to replace %G or %g with the
>>>> group name.
>>>>
>>>> Could someone confirm that it is a bug and that I should file one in
>>>> Samba Bugzilla?
>>>>
>>>> Thank you very much,
>>>>
>>>> Denis
>>>>
>>>> -------- Original message --------
>>>>
>>>>                 SUBJECT:
>>>>                 Re: [Samba] Samba "%G" replacement not working in
>>>> "Logon script" ?
>>>>
>>>>                 DATE:
>>>>                 24.12.2014 00:33
>>>>
>>>>                 FROM:
>>>>                 Denis BUCHER <dbucherml at hsolutions.ch>
>>>>
>>>>                 TO:
>>>>                 samba at lists.samba.org
>>>>
>>>> Dear all,
>>>>
>>>> Do you think I should file a bug report about this problem, or has
>>>> someone experienced the same problem?
>>>>
>>>> Thanks a lot for any help :-)
>>>>
>>>> Denis
>>>>
>>>> On 21.12.2014 02:06, Denis BUCHER wrote:
>>>>
>>>> > P. S. I tried to display %ACCOUNTNAME% and %WORKGROUP% in cmd.exe on
>>>> a logged PC (User in domain, roaming profile) but both values were unset :
>>>> >
>>>> >> echo %ACCOUNTNAME% %ACCOUNTNAME%
>>>> > Denis On 21.12.2014 01:25, Denis BUCHER wrote:
>>>> >
>>>> >> Dear Ricky, Thanks a lot for your answer. But I still have two
>>>> problems: 1. I am not using samba as AD DC but as PDC. 2. What I would need
>>>> is the primary group... Do you think %WORKGROUP% could work ? 3. And
>>>> should I use %WORKGROUP% in smb.conf or in batch login script... Thanks a
>>>> lot in advance for your help... Denis On 18.12.2014 21:58, Ricky Nance
>>>> wrote: Dennis, if you are running samba as an AD DC, you will need to use
>>>> the new variable names %ACCOUNTNAME% and %WORKGROUP%. Ricky On Tue, Dec 16,
>>>> 2014 at 1:23 PM, Denis BUCHER <dbucherml at hsolutions.ch>wrote: Dear
>>>> all, I experience now a strange bug with Samba 4.1.11 : When I define a
>>>> fixed-name as logon script in smb.conf, it works : logon script =
>>>> employee.bat But if I try either %g.bat or %G.bat, or even "%G.bat", it
>>>> doesn't work : * logon script = %g.bat * logon script = %G.bat * logon
>>>> script = "%G.bat" In the logs, there was a message showing that Samba was
>>>> trying to open the "%G.bat" file and that the file was not found
>>>> on the disk. (Of course) Denis P.S. Logfiles: [2014/11/21
>>>> 20:53:36.616573, 5] ../source3/smbd/filename.c:258(unix_convert)
>>>> unix_convert called on file "%g.bat" [2014/11/21 20:53:36.616622, 5]
>>>> ../source3/smbd/filename.c:421(unix_convert) unix_convert begin: name =
>>>> %g.bat, dirpath = , start = %g.bat [2014/11/21 20:53:36.616705, 5]
>>>>
>>>> > ../source3/smbd/filename.c:816(unix_convert) New file %g.bat
>>>> [2014/11/21 20:53:36.616747, 3]
>>>> ../source3/smbd/vfs.c:1137(check_reduced_name) check_reduced_name [%g.bat]
>>>> [/data/shares/netlogon] [2014/11/21 20:53:36.616794, 3]
>>>> ../source3/smbd/vfs.c:1267(check_reduced_name) check_reduced_name: %g.bat
>>>> reduced to /data/shares/netlogon/%g.bat [2014/11/21 20:53:36.616838, 5]
>>>> ../lib/dbwrap/dbwrap.c:187(dbwrap_check_lock_order) check lock order 1 for
>>>> /var/run/samba/smbXsrv_open_global.tdb [2014/11/21 20:53:36.616906, 5]
>>>> ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor) release lock
>>>> order 1 for /var/run/samba/smbXsrv_open_global.tdb [2014/11/21
>>>> 20:53:36.616950, 5] ../source3/smbd/files.c:128(file_new) allocated file
>>>> structure fnum 2158460712 (2 used) [2014/11/21 20:53:36.616995, 3]
>>>> ../source3/smbd/dosmode.c:163(unix_mode) unix_mode(%g.bat) returning 0744
>>>> [2014/11/21 20:53:36.617034, 5]
>>>> ../source3/smbd/open.c:2168(open_file_ntcreate) open_file_ntcreate:
>>>> FILE_OPEN requested for file %g.bat and file doesn't exist.
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>>>
>>
>>
>> Denis,
>>
>> Can you provide us with either a full smb.conf or at a minimum the
>> [global] section? You can mask the names and IPs if you need to. I am
>> interested in the backend as well as a couple of other things.
>>
>> Ricky
>>
>>
>>
>>  Dear Ricky,
>>
>> Yes of course !
>>
>> I just replaced domainname, servername and ourdomain.
>>
>> [global]
>> log level = 2
>> workgroup = DOMAINNAME
>> netbios name = SERVERNAME
>> wins support = yes
>> dns proxy = no
>> interfaces = 127.0.0.0/8 eth0
>> bind interfaces only = yes
>> allow insecure wide links = yes
>> wide links = yes
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> syslog = 0
>> panic action = /usr/share/samba/panic-action %d
>> server role = classic primary domain controller
>> security = user
>> domain logons = yes
>> domain master = yes
>> local master = yes
>> preferred master = yes
>> os level = 255
>> remote announce = 172.16.7.255/domainname
>> passdb backend = ldapsam:ldap://172.16.1.232
>> ldap suffix = dc=ourdomain,dc=ch
>> ldap machine suffix = ou=machines
>> ldap user suffix = ou=users
>> ldap group suffix = ou=groups
>> ldap admin dn = cn=admin,dc=ourdomain,dc=ch
>> ldap delete dn = no
>> ldap ssl = no
>> obey pam restrictions = yes
>> unix password sync = no
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
>> %n\n *password\supdated\ssuccessfully* .
>> pam password change = yes
>> map to guest = bad user
>> map acl inherit = yes
>> logon path = \\servername\profiles
>> logon home = \\servername\profiles
>> logon drive = Z:
>> logon script = employees.bat
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /data/shares/netlogon
>> guest ok = no
>> read only = yes
>> writeable = no
>> browseable = no
>>
>> Denis
>>
>>
>>
>>
>
> Ok, can you also show us your /etc/nsswitch.conf as well.
>
> Thanks,
> Ricky
>
>
>
> Yes of course, it's the standard/unchanged Debian file:
>
>
> # /etc/nsswitch.conf
> passwd:         compat ldap
> group:          compat ldap
> shadow:         compat ldap
> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks:       files
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netgroup:       nis
>
> Denis
>
>
>
>

So far this all looks good. What kind of output do you see if you do the
command 'id ldapgroupname' (where ldapgroupname is a group that exists in
ldap)? If this command doesn't work, the problem could lie in your
ldap.conf. I am also trying to get a test environment set up here to see if
I can duplicate your results.

Ricky
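
The two checks discussed in this thread, as an added example that is not part of the original messages or of Samba: it scans smbd log text for `check_reduced_name` entries whose path still contains literal `%` macros, and resolves a user's primary group through NSS, the lookup path configured in /etc/nsswitch.conf. The sample lines are copied from the log quoted above; the function names are hypothetical, and the user name `dbucher` is taken from the expanded `%U` in that log.

```python
import grp
import pwd
import re

# Log lines copied from the level-3 smbd output quoted in this thread.
SAMPLE_LOG = """\
[2014/12/26 10:58:44.959002,  3] ../source3/smbd/vfs.c:1137(check_reduced_name)
  check_reduced_name [%G%gdbucher%u.bat] [/data/shares/netlogon]
[2014/12/26 10:58:44.959052,  3] ../source3/smbd/vfs.c:1267(check_reduced_name)
  check_reduced_name: %G%gdbucher%u.bat reduced to /data/shares/netlogon/%G%gdbucher%u.bat
"""

# Matches the "X reduced to Y" form; names containing spaces are not handled.
REDUCED = re.compile(r"check_reduced_name: (\S+) reduced to (\S+)")
MACRO = re.compile(r"%[A-Za-z]")


def unexpanded_macros(log_text):
    """Return [(resolved_path, [macros])] for names that still hold %X."""
    findings = []
    for match in REDUCED.finditer(log_text):
        macros = MACRO.findall(match.group(1))
        if macros:
            findings.append((match.group(2), macros))
    return findings


def primary_group(user):
    """Resolve a user's primary group name through NSS, or None."""
    try:
        gid = pwd.getpwnam(user).pw_gid
        return grp.getgrgid(gid).gr_name
    except KeyError:
        # Either the user or the gid-to-name mapping is missing from NSS.
        return None


if __name__ == "__main__":
    for path, macros in unexpanded_macros(SAMPLE_LOG):
        print(f"literal macros {macros} in {path}")
    print("primary group of dbucher:", primary_group("dbucher"))
```

A `None` from `primary_group` on the server means the account or its group is not visible through NSS there, which is the condition the `id` check is meant to rule out.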

