jd at ionica.lv
2015-Apr-12 09:32 UTC
[Samba] Samba as AD member can not validate domain user
Hi!

The previous problems were solved (thank you, Rowland!), but a few issues remain.

I get these messages in the log:

0. Is it possible to tell Samba to output messages in logs as one line per message (even if it is a long one)?

1. 2015/04/12 11:32:39.293583, 3] ../source3/smbd/msdfs.c:971(get_referred_path)
get_referred_path: |shareX| in dfs path \FS\shareX is not a dfs root.
(It seems not to cause problems, as access to other shares giving the same error is not affected.)

2. 2015/04/12 11:32:18.852138, 3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
string_to_sid: SID @INTERNAL\\group is not in a valid format

I get such messages after an attempt to open a share (from smb.conf):

[shareX]
comment = What it serves
path = /home/shares/data/sharex
browseable = yes
read only = no
valid users = @"INTERNAL\\group"
force group = @"INTERNAL\\group"
force create mode = 0660
force directory mode = 0770

The directory is owned by a domain user who is not a member of INTERNAL\\group, and the group ownership of the directory is INTERNAL\\group. I do not understand why it is important in this particular case, because the other, working shares have the same domain user as owner, each with its own specific domain group ownership.

At the moment I have two non-working shares for the specific group and one with Domain Users. In all cases the Windows client complains that the group name cannot be found. If for the first two cases it could have some salt, for the other it has none at all, because other shares that are accessible to Domain Users and have the respective group ownership work.

getent group INTERNAL\\group gives the correct domain group information.

The other issue I have: if the user is not a member of a particular domain group but has the right to access the share, he is asked to enter a username/password, but cannot access it anyway:

[shareY]
comment = Other share
path=/home/shares/data/shareY
browseable = yes
read only = no
valid users = @INTERNAL\\group1, @INTERNAL\\otheruser
force group = @INTERNAL\\group1
force create mode = 0660
force directory mode = 0770

Janis
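On question 0 above, an added example (not from the original post and not Samba code): a small Python filter that folds the default log layout, a bracketed header line followed by indented message lines, into one line per message. The sample input is constructed from the two messages quoted in the post, with the leading "[" of each header restored as an assumption; the function names are hypothetical.

```python
import re

# Header line of a Samba debug message in the default file log format:
#   [YYYY/MM/DD HH:MM:SS.micros,  LEVEL] source_file:line(function)
# Extra comma-separated fields before the closing bracket are tolerated.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*"
    r"(?P<level>\d+)(?:,[^\]]*)?\]\s*(?P<where>.*)$"
)

def join_messages(lines):
    """Yield one dict per message, folding continuation lines into 'text'."""
    current = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        match = HEADER.match(line)
        if match:
            if current is not None:
                yield current
            current = {"ts": match["ts"], "level": int(match["level"]),
                       "where": match["where"].strip(), "text": ""}
        elif line.strip():
            if current is None:
                # Text before the first header (e.g. a rotated log): keep it.
                current = {"ts": "", "level": -1, "where": "", "text": ""}
            current["text"] = (current["text"] + " " + line.strip()).strip()
    if current is not None:
        yield current

def one_line(msg):
    """Render a joined message as a single grep-friendly line."""
    return "{ts} level={level} {where} | {text}".format(**msg)

# Constructed sample: the two messages quoted in the post, laid out in the
# default two-line format (leading "[" restored as an assumption).
SAMPLE = r"""[2015/04/12 11:32:39.293583,  3] ../source3/smbd/msdfs.c:971(get_referred_path)
  get_referred_path: |shareX| in dfs path \FS\shareX is not a dfs root.
[2015/04/12 11:32:18.852138,  3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID @INTERNAL\\group is not in a valid format
"""

if __name__ == "__main__":
    for message in join_messages(SAMPLE.splitlines()):
        print(one_line(message))
```
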
jd at ionica.lv
2015-Apr-12 10:19 UTC
[Samba] Samba as AD member can not validate domain user
Quoting jd at ionica.lv:
> Hi!
>
> the previous problems were solved (thank you, Rowland!), but a few
> issues remain:
>
> I get such msg in log:
> 0. Is it possible to tell samba to output messages in logs as one
> line per message (even if it is a long one?)
>
> 1. 2015/04/12 11:32:39.293583, 3]
> ../source3/smbd/msdfs.c:971(get_referred_path)
> get_referred_path: |shareX| in dfs path \FS\shareX is not a dfs root.
> (seems it is not making problems as access to other shares giving
> such error not influences anything)
>
>
> 2. 2015/04/12 11:32:18.852138, 3]
> ../libcli/security/dom_sid.c:209(dom_sid_parse_endp) string_to_sid:
> SID @INTERNAL\\group is not in a valid format
>
> such messages I get after attempt to open a share (from smb.conf):
> [shareX]
> comment = What it serves
> path = /home/shares/data/sharex
> browseable = yes
> read only = no
> valid users = @"INTERNAL\\group"
> force group = @"INTERNAL\\group"
> force create mode = 0660
> force directory mode = 0770

SOLVED:

the valid users line should look like this:
valid users = @INTERNAL\\group

This one remains:

> The other issue I have - if the user is not a member of a particular
> domain group, but has the right to access the share, it is requested
> to enter username/pw, but cannot access it anyway:
>
> [shareY]
> comment = Other share
> path=/home/shares/data/shareY
> browseable = yes
> read only = no
> valid users = @INTERNAL\\group1, @INTERNAL\\otheruser
> force group = @INTERNAL\\group1
> force create mode = 0660
> force directory mode = 0770

I found one additional problem: when I request the Domain Users group information, no users are listed.

getent group "INTERNAL\\Domain Users" returns just
domain_users:x:10000:
The same goes for the DC.

Do I need to create an alternative Domain Users group?
Rowland Penny
2015-Apr-12 11:49 UTC
[Samba] Samba as AD member can not validate domain user
On 12/04/15 11:19, jd at ionica.lv wrote:
>
> Quoting jd at ionica.lv:
>
>> Hi!
>>
>> the previous problems were solved (thank you, Rowland!), but a few
>> issues remain:
>>
>> I get such msg in log:
>> 0. Is it possible to tell samba to output messages in logs as one
>> line per message (even if it is a long one?)
>>
>> 1. 2015/04/12 11:32:39.293583, 3]
>> ../source3/smbd/msdfs.c:971(get_referred_path)
>> get_referred_path: |shareX| in dfs path \FS\shareX is not a dfs root.
>> (seems it is not making problems as access to other shares giving
>> such error not influences anything)
>>
>>
>> 2. 2015/04/12 11:32:18.852138, 3]
>> ../libcli/security/dom_sid.c:209(dom_sid_parse_endp) string_to_sid:
>> SID @INTERNAL\\group is not in a valid format
>>
>> such messages I get after attempt to open a share (from smb.conf):
>> [shareX]
>> comment = What it serves
>> path = /home/shares/data/sharex
>> browseable = yes
>> read only = no
>> valid users = @"INTERNAL\\group"
>> force group = @"INTERNAL\\group"
>> force create mode = 0660
>> force directory mode = 0770
>
> SOLVED:
>
> the line valid users should look as such:
> valid users = @INTERNAL\\group
>
> That one remains
>
>> The other issue I have - if the user is not a member of a particular
>> domain group, but has the right to access the share, it is requested
>> to enter username/pw, but cannot access it anyway:
>>
>> [shareY]
>> comment = Other share
>> path=/home/shares/data/shareY
>> browseable = yes
>> read only = no
>> valid users = @INTERNAL\\group1, @INTERNAL\\otheruser
>> force group = @INTERNAL\\group1
>> force create mode = 0660
>> force directory mode = 0770
>
> I found one additional problem - when I request Domain Users group
> information, no users are listed
>
> getent group "INTERNAL\\Domain Users" returns plain
> domain_users:x:10000:
> the same goes on DC.
>
> Do I need to create alternative Domain Users group?
>
>

No, "INTERNAL\\Domain Users" is the same group as 'domain_users'; you probably have 'winbind normalize names = Yes' in smb.conf.

Rowland
Mario Pio Russo
2015-Apr-27 15:35 UTC
[Samba] [Samba4] List of Distro currently with 4.2.X samba package
Good Day All

We are planning to upgrade our samba 3 PDC to a new samba 4 AD-DC. We want to go directly to Samba 4.2.X because we must have the "user account password lockout" feature.

Also, for internal policy we cannot compile the source tarball for a prod environment, so my question is: do you know which distros currently provide their own package samba4.2.0? Ubuntu server, CentOS, RedHat do not ship it yet, any other idea?

thanks
Daniel Carrasco Marín
2015-Apr-27 17:27 UTC
[Samba] [Samba4] List of Distro currently with 4.2.X samba package
I'm using Archlinux on my work computer and have almost the latest version of samba (4.2.0) and cups (2.0.2), but I don't know if it is good as a server distro.

Greetings!!

2015-04-27 17:35 GMT+02:00 Mario Pio Russo <mariopiorusso at ie.ibm.com>:
> Good Day All
>
> we have are planning to upgrade our samba 3 PDC to a new samba 4 AD-DC. We
> want to go directly to Samba 4.2.X because we must have the "user account
> password lockout" feature.
>
> Also for internal policy we cannot compile the source tarball for a prod
> environment. so my question is: do you know which distros currently provide
> their own package samba4.2.0 ? Ubuntu server, CentOS, RedHat do not ship it
> yet, any other idea?
>
> thanks
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Tim
2015-Apr-27 19:26 UTC
[Samba] [Samba4] List of Distro currently with 4.2.X samba package
Hey Mario,

I would consider having a look at the sernet packages. I use them on my own with centos 7 and samba 4.1. They also have 4.2.

Regards
Tim

On 27 April 2015 17:35:28 CEST, Mario Pio Russo <mariopiorusso at ie.ibm.com> wrote:
>Good Day All
>
>we have are planning to upgrade our samba 3 PDC to a new samba 4 AD-DC.
>We
>want to go directly to Samba 4.2.X because we must have the "user
>account
>password lockout" feature.
>
>Also for internal policy we cannot compile the source tarball for a
>prod
>environment. so my question is: do you know which distros currently
>provide
>their own package samba4.2.0 ? Ubuntu server, CentOS, RedHat do not
>ship it
>yet, any other idea?
>
>thanks
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
Nico Kadel-Garcia
2015-Apr-28 04:11 UTC
[Samba] [Samba4] List of Distro currently with 4.2.X samba package
On Mon, Apr 27, 2015 at 11:35 AM, Mario Pio Russo <mariopiorusso at ie.ibm.com> wrote:
> Good Day All
>
> we have are planning to upgrade our samba 3 PDC to a new samba 4 AD-DC. We
> want to go directly to Samba 4.2.X because we must have the "user account
> password lockout" feature.
>
> Also for internal policy we cannot compile the source tarball for a prod
> environment. so my question is: do you know which distros currently provide
> their own package samba4.2.0 ? Ubuntu server, CentOS, RedHat do not ship it
> yet, any other idea?

CentOS and RHEL are not going to get it for some time, unless RHEL decides to assemble a "samba42" package in their "extras" repositories. They'll be staying at 4.1.x for stability's sake. Fedora 22 release candidate has samba-4.2.0, but that's not a development OS, not a production stable OS.

I personally publish hooks and patches to get Samba 4.2.x compiled as RPMs on RHEL 7 and Fedora 21, at github.com/nkadel/samba4repo/. You're certainly welcome to them. But if you need a pre-built binary, for now, you'll need to decide if you want a full domain controller or not. The RHEL/CentOS/Fedora builds disable that, by default, in order to use the operating system's incompatible Kerberos.

I've not been using the sernet packages, partially because I *loathe* having to register to download an open source or freeware package, partly because I've been building Samba for.... well almost 20 years.

> thanks
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba