gmane.network.samba.general

Re: Samba fsmo/demote/unjoin trouble after crash

Giedrius — 2013-05-21T06:43:08

Hi Andrew,
2013.05.21 00:46, Andrew Bartlett rašė:
Ok, but something is still wrong: drs kcc gives this:
Wrong username or password: kinit for <DC_NAME>$< at ><REALM> failed
(Preauthentication failed)

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Consistency check on <hostname> successful.

Some computers lost trust relationship - rejoin was necessary.
To be exact, somehow I have 2 DC's on the same site, but there never
were 2 of them. Some workstations try to use the other DC as a logon
server, although it is clearly offline and not announced on the lan.
Helps, if i set netbios aliases in smb.conf

What should be done next? Launch another samba instance and join with
the other name ?

Re: Samba 4 Admt to other Domain Windows Server 2008

wong lmark — 2013-05-21T06:33:41

I had added the Windows 08 DC in Samba 4 domain. But I cannot migrate the
SID when I tick "Migrate User SID", it will show "Could not verify auditing
and TcpipClientSupport on domains. Will not be able to migrate Sid's."

2013/5/21 Pekka L.J. Jalkanen <pekka.jalkanen< at >vihreat.fi>

Re: Windows 7 + Samba 3.5.6 = abject misery...

Andrew Bartlett — 2013-05-21T05:50:20

The sernet folks maintain enterprisesamba.com with packages, but the
packages in Debian currently (even experimenetal) are not complete
packages of Samba 4.0 as an AD DC.  I'm actively working with them to
prepare a better solution for the next debian release, and users of
unstable or experimental.


https://wiki.samba.org/index.php/Capture_Packets

A network trace may provide more of an indication.

Andrew Bartlett

Re: Samba 4 Admt to other Domain Windows Server 2008

Pekka L.J. Jalkanen — 2013-05-21T05:47:54

Also, it is good to note that even if you can't avoid ADMT (in the case
you must migrate your users to another _existing_ domain) you'd still
need to do as Andrew says and add a Windows DC to the _source_ domain
first, because the target domain needs to be trusted by the source for
ADMT to work at all.

While Samba can be trusted by others, it currently cannot itself trust
other domains, so ADMT simply cannot work without a Windows DC in the
source.

Pekka L.J. Jalkanen

Re: Windows 7 + Samba 3.5.6 = abject misery...

Steve Holdoway — 2013-05-21T05:32:23

It's certainly something I'm working on as a part of the squeeze ->
wheezy upgrade, but am trying to keep within standard repos for squeeze
at the moment. Do you have a samba one? I haven't looked.

As it happens, I think the message has changed... it now can't find a
logon server.

Progress??

Cheers,

Steve

Re: Samba 4 Admt to other Domain Windows Server 2008

Andrew Bartlett — 2013-05-21T04:07:11

Then simply remove the Samba DC using the windows tools, and seize any
roles left on that DC.  If you tell windows it is permanently off-line,
it should do the right thing.  If you keep the Samba DC off during this
process, then if it doesn't work, you can still just power windows off,
and Samba on, and it should still be working. 


You will have to transfer GPO files manually - we do not support the
replication protocol used for GPO files (sorry). 

Andrew Bartlett

Re: Samba 4 Admt to other Domain Windows Server 2008

wong lmark — 2013-05-21T04:02:15

Hi Andrew,

I have tried to transfer fsmo. But I cannot sure that can transfer or not.
In windows, I typed netdom query fsmo but it shown parameter is incorrect.
And then, I found that my win 08 ad cannot open the GPO.

Thanks for your help.

Best Regards,
Mark

2013/5/21 Andrew Bartlett <abartlet< at >samba.org>

Re: Samba 4 Admt to other Domain Windows Server 2008

Andrew Bartlett — 2013-05-21T03:56:35

Why do you want to use ADMT?

If you just need to move to Windows, then just join a Windows DC to the
Samba domain as DC, transfer the FSMO roles, and then offline the Samba
DC.

Andrew Bartlett

Re: Windows 7 + Samba 3.5.6 = abject misery...

Andrew Bartlett — 2013-05-21T03:54:47

One different avenue you might persue is upgrading to Samba 4.0 as an AD
DC.  This will bring Windows 7 back to a server it is much happier with
than the current situation.

Or at the very least, consider upgrading the domain as-is to Samba 4.0,
running it as a classic DC.

Andrew Bartlett

Re: Windows 7 + Samba 3.5.6 = abject misery...

Stev e Holdoway — 2013-05-21T03:35:41

I've found a howto to enable local admin via recovery/regedit, and have 
now enabled it.

I can leave and re-join the domain with no problem at all, BUT STILL 
CAN'T LOG IN, even using the same account that I used to leave/join the 
domain.

Hair long gone ):

Steve
On 21/05/13 15:06, Dewayne Geraghty wrote:

Samba 4 Admt to other Domain Windows Server 2008

wong lmark — 2013-05-21T03:19:42

Hi,

I have a Samba 4 domain created and now I need to transfer all users and
groups to other Windows 2008 Domain.
How can I use the ADMT?

Thanks for your help.

Best Regards,
Mark

Re: Continued compilation errors with samba 3.6.15

Linda W — 2013-05-21T02:46:27




kiko seis wrote:


Are you sure your configure parameters are all on 1 line... since the
way you have
it typed in, it looks like the lines after the 1st are possible on another
line.

2nd, for the =no case , aren't those supposed to be "--without-libxxxx"?

(just some random thoughts...)

Re: Windows 7 + Samba 3.5.6 = abject misery...

Linda Walsh — 2013-05-21T02:41:59




Stev e Holdoway wrote:


Can you try to use the remote "net DOM" feature...on the server?

Re: Windows 7 + Samba 3.5.6 = abject misery...

Stev e Holdoway — 2013-05-21T02:05:03

The problem is that I'm descending further into the mire. Can't log on 
to the PC as local administrator account is disabled, can't log on in 
safe mode without arriving at the domain login screen, can't seem to 
find anything on the server side to fix this.

Remembering well why I chose the dark side years ago, and losing the 
will to live...


Steve

On 20/05/13 19:22, Dewayne Geraghty wrote:

Re: Samba fsmo/demote/unjoin trouble after crash

Andrew Bartlett — 2013-05-20T21:46:28

Just re-join it with the same name, that does as much as we can do.  It
isn't perfectly ideal, but it should be good enough. 

Andrew Bartlett

Re: samba-tool of delegation of permissions

Andrew Bartlett — 2013-05-20T21:43:28

You can download trail versions of Windows 2008r2 for testing and
evaluation purposes. 


We need far, far more detail - using this ACL, this attribute is
visible/modified on windows but not on Samba - to be able to address
this. 

Andrew Bartlett

Re: [Samba4] modifying attributes: no write access to self

Michael De Groote — 2013-05-20T20:32:02

[*update*]

I've modified the sssd config to use Administrator as the default
principal, and i've also done a "*kinit Administrator*"... and now i'm able
to add and modify group and user attributes...
seems like i need to either delegate this to a specific user or keep the
"administrator does all" config

One question tho: i _was_ able to create/delete users and groups and also
add users to and delete them from a group... (with the DC computer account
as default principal)
Why then doesn't this work with the attribute stufff?

(last but not least: i *really* need to look into these things called
"principals" ... i honestly don't know what i'm playing with here, and i'm
kinda ashamed to do so.. so next days i'll be reading up :)

micahel


2013/5/20 Michael De Groote <ict< at >sint-pietersschool.be>

Re: (force) default security mask

?icro MEGAS — 2013-05-20T20:24:54

That was a type error in my previous post, the line in my smb.conf is of course:

read only = No

Вск 19 Май 2013 14:58:39 +0400, ?icro MEGAS  написал:

Hello folks,

Samba 3.5.6 running and I have following share:

[public]
path = /data/public
              read onlyXSSCleaned= No
              create mask = 0777
              directory mask = 0777
directory security mask = 0750
              vfs object = acl_xattr
              nt acl support = yes
              dos filemode = yes

My filesystem ext4 which is mounted to /data supports acl,user_xattr and setfacl/getfacl works fine.

ls -ld /data/public shows unix mode 0755 with owner=admin and group="Domain Users"

All users have full access to the share \\samba\public and therefore are allowed to create,modify,delete directories and files. My aim is that I want to have a directory called "special" which is in /data/public/special. Only restricted users and groups are allowed full access to this directory, the "Domain Users" should only be able

Samba 3.6 winbind issues

David Noriega — 2013-05-20T19:29:22

I've been using samba for several years now and so my configuration
hasnt changed much in that time. We've setup a samba pdc+ldap backend
and previously using smbldap-tools. I haven't had to add a new machine
in a long while until recently a new user said they couldn't remote
desktop to a windows server I have part of our domain. Older users
still were able to access it.

I decided to leave then join the domain, but that ran into another
issue. I cant add the server back to the domain since I was getting
'no challanage send to client' messages. Searching this I found I
needed to use winbind and setup idmap settings. Following the wiki, I
set this up, but still unable to join to the domain.

Now it says its unable to allocate a uid to create the machine entry
in ldap. I'm not sure what to do next. wbinfo is able to report info
on users, but wbinfo -g returns nothing. In the logs for winbind I see
errors saying for gid 0 got 0 entries, and for a few other gids.

I tried wbinfo --allocate-uid/gid and get the fo

Re: samba-tool of delegation of permissions

Marc Muehlfeld — 2013-05-20T18:04:38

Hello Andrew,

Am 19.05.2013 13:39, schrieb Andrew Bartlett:

The bug report about that, already exists:
https://bugzilla.samba.org/show_bug.cgi?id=9788

Because I don't have Windows servers, I have no way to find out how 
Windows react.

But when I wrote the "Join machines to the Domain as non-Domain-Admin" 
Howto, I take over the steps from MS:
http://support.microsoft.com/kb/932455/en-us

That's why I think, samba is still doing something different on 
delegation, than MS in that case, if I have to use 'acl:search=false'.


Regards,
Marc

Re: Migrate samba3 to samba4

Marc Muehlfeld — 2013-05-20T17:52:37

Hello Natalia,

Am 20.05.2013 19:18, schrieb Natália Vaz:

Did you read
http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO

If you already followed this guide, then please provide some more 
information, what went wrong on this way, to find a working migration 
solution for you.


Regards,
Marc

gmane.network.samba.general

Re: Samba fsmo/demote/unjoin trouble after crash

Re: Samba 4 Admt to other Domain Windows Server 2008

Re: Windows 7 + Samba 3.5.6 = abject misery...

Re: Samba 4 Admt to other Domain Windows Server 2008

Re: Windows 7 + Samba 3.5.6 = abject misery...

Re: Samba 4 Admt to other Domain Windows Server 2008

Re: Samba 4 Admt to other Domain Windows Server 2008

Re: Samba 4 Admt to other Domain Windows Server 2008

Re: Windows 7 + Samba 3.5.6 = abject misery...

Re: Windows 7 + Samba 3.5.6 = abject misery...

Samba 4 Admt to other Domain Windows Server 2008

Re: Continued compilation errors with samba 3.6.15

Re: Windows 7 + Samba 3.5.6 = abject misery...

Re: Windows 7 + Samba 3.5.6 = abject misery...

Re: Samba fsmo/demote/unjoin trouble after crash

Re: samba-tool of delegation of permissions

Re: [Samba4] modifying attributes: no write access to self

Re: (force) default security ­mask

Samba 3.6 winbind issues

Re: samba-tool of delegation of permissions

Re: Migrate samba3 to samba4

Re: (force) default security mask