Samba

HOWTO: Troubleshoot
http://www.softpanorama.org/Net/Application_layer/Samba/troubleshooting_samba_problems.shtml

HOWTO: Test Host Access To Shares
Usage:

testparm /path/to/configfile machinename ipaddress

testparm /etc/samba/smb.conf dt01 192.168.0.101
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[shared]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Allow connection from dt01 (192.168.0.101) to homes
Allow connection from dt01 (192.168.0.101) to shared

HOWTO: Find SMB Hosts On A Network
sudo findsmb

http://docs.fedoraproject.org/en-US/Fedora/13/html/Deployment_Guide/s1-samba-programs.html

SAMBA4
https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Gentoo

eselect python set python2.7
python-updater
emerge --unmerge --ask app-crypt/mit-krb5
emerge --ask --quiet app-crypt/heimdal
revdep-rebuild -- --ask
echo "net-dns/bind berkdb dlz gssapi" >>/etc/portage/package.use
echo "net-dns/bind-tools gssapi" >>/etc/portage/package.use
emerge --ask --quiet net-dns/bind net-dns/bind-tools

nano /etc/portage/package.keywords
# required by samba4
sys-libs/tevent ~amd64
sys-libs/tdb ~amd64
sys-libs/ldb ~amd64
sys-libs/talloc ~amd64

nano /etc/portage/package.use
sys-libs/tdb python
sys-libs/talloc python

emerge --ask --quiet sys-libs/talloc sys-libs/tdb sys-libs/tevent sys-libs/ldb
emerge --ask --quiet net-libs/gnutls sys-apps/acl dev-libs/cyrus-sasl dev-python/subunit dev-python/dnspython net-dns/libidn

nano /etc/fstab
/dev/md4  /home     ext4     user_xattr,acl,barrier=1,noatime         1 1

cd /usr/src/linux
make menuconfig
make && make modules_install
cp -av arch/x86/boot/bzImage /boot/kernel-3.3.8-gentoo
cp -av System.map /boot/System.map-3.3.8-gentoo
cp -av .config /boot/config-3.3.8-gentoo
reboot

mkdir /root/misc/
cd /root/misc/
touch test.txt
setfattr -n user.test -v test test.txt
setfattr -n security.test -v test2 test.txt
getfattr -d test.txt
getfattr -n security.test -d test.txt
touch test3.txt
setfacl -m g:adm:rwx test3.txt
getfacl test3.txt

eselect python set python2.7
mkdir /usr/src/samba4
cd /usr/src/samba4
git clone git://git.samba.org/samba.git samba-master
cd samba-master
./configure --enable-debug --enable-selftest
make
Waf: Leaving directory `/usr/src/samba4/samba-master/bin'
'build' finished successfully (11m54.988s)
make install
Waf: Leaving directory `/usr/src/samba4/samba-master/bin'
'install' finished successfully (3m15.214s)

samba.EXAMPLE.com ~ $ /usr/local/samba/bin/samba-tool domain provision
Realm [EXAMPLE.COM]:
Domain [EXAMPLE]:
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]:
DNS forwarder IP address (write 'none' to disable forwarding) [192.168.0.1]:
Administrator password:
Retype password:
Looking up IPv4 addresses
More than one IPv4 address found. Using 172.16.215.1
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=EXAMPLE,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=EXAMPLE,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:          active directory domain controller
Hostname:             samba
NetBIOS Domain:       EXAMPLE
DNS Domain:           EXAMPLE.com
DOMAIN SID:           S-1-5-21-1142887457-1374467446-1811036830

cp /usr/local/samba/private/krb5.conf /etc/

cat /etc/resolv.conf
domain example.com
nameserver 192.168.0.208

cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
netbios name = SAMBA
server role = active directory domain controller
dns forwarder = 192.168.0.1

[netlogon]
path = /usr/local/samba/var/locks/sysvol/example.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

/usr/local/samba/sbin/samba -i -M single

(separate terminal)

$ /usr/local/samba/bin/smbclient --version
Version 4.1.0pre1-GIT-8aae8b5

$ /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-8aae8b5]

Sharename       Type      Comment
---------       ----      -------
netlogon        Disk
sysvol          Disk
IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-8aae8b5)
Domain=[EXAMPLE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-8aae8b5]

/usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%'passW0rd' -c 'ls'

host -t SRV _ldap._tcp.example.com.
_ldap._tcp.example.com has SRV record 0 100 389 samba.example.com.

host -t SRV _kerberos._udp.example.com.
_kerberos._udp.example.com has SRV record 0 100 88 samba.example.com.

kinit Administrator@EXAMPLE.COM
Administrator@EXAMPLE.COM's Password:

klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: Administrator@EXAMPLE.COM

Issued               Expires               Principal
Apr 10 15:52:04 2013 Apr 11 01:52:04 2013  krbtgt/EXAMPLE.COM@EXAMPLE.COM

-= DNS ISSUES / PROBLEMS / HOW TO EDIT SAMBA4_INTERNAL A RECORDS =-

host -t A samba.example.com
samba.example.com has address 172.16.215.1
samba.example.com has address 172.16.224.1
samba.example.com has address 192.168.0.208

/usr/local/samba/bin/samba-tool dns zonelist 192.168.0.208
/usr/local/samba/bin/samba-tool dns delete samba example.com @ A 172.16.215.1
/usr/local/samba/bin/samba-tool dns delete samba example.com samba.example.com A 172.16.215.1
/usr/local/samba/bin/samba-tool dns delete samba example.com @ A 172.16.224.1
/usr/local/samba/bin/samba-tool dns delete samba example.com samba.example.com A 172.16.224.1

Testing From Windows

ipconfig /release
ipconfig /renew
ipconfig /all
net view /domain:$DOMAIN
net view \\$ADHOST
nbtstat -A $ADHOST_IP4

0. http://en.gentoo-wiki.com/wiki/Samba4_as_Active_Directory_Server

1. http://wiki.samba.org/index.php/Samba4

2. http://wiki.samba.org/index.php/Samba_4/OS_Requirements

3. http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

4. http://wiki.samba.org/index.php/Configuring_a_windows_client_for_AD

5. http://wiki.samba.org/index.php/Samba_AD_management_from_windows

6. http://www.alexwyn.com/computer-tips/centos-samba4-active-directory-domain-controller

7. http://wiki.samba.org/index.php/Backup_and_Recovery

SAMBA4 HOWTO: Add New User, Specific Group, Non Expiring Password
samba-tool user create newuser P4ssw0rD --given-name=New --surname=User
samba-tool user setexpiry newuser --noexpiry
samba-tool group addmembers 'Users' newuser
samba-tool group listmembers 'Users' |sort
samba-tool group listmembers 'Domain Users' |sort

http://www.samba.org/samba/docs/man/manpages/samba-tool.8.html

https://wiki.samba.org/index.php/Samba-tool-external

SAMBA4 HOWTO: Fix Error In DC Replication
If you are getting these errors in your logs...

[2013/05/31 12:21:57, 0] ../source4/dsdb/repl/drepl_ridalloc.c:43(drepl_new_rid_pool_callback)
../source4/dsdb/repl/drepl_ridalloc.c:43: RID Manager failed RID allocation - WERR_BADFILE - extended_ret[0x0]

...and domain replication does not appear to be working, then you have the glibc (at least 2.17) nss dns resolver bug - where the resolver cannot look up names with an _ underscore.

To find your _msdcs_ name, look it up...

/usr/local/samba/bin/ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' --cross-ncs objectguid

To test this, try to ping the _msdcs_ name. You will receive an unknown host error...

ping 5813325c-fa80-4e0e-b76e-4666f6afe1e2._msdcs.xyz.com

To fix this, first add the _msdcs_ entry to /etc/hosts

127.0.0.1      localhost.localdomain localhost
# 127.0.1.1     samba2.xyz.com  samba2
192.168.0.208  5813325c-fa80-4e0e-b76e-4666f6afe1e2._msdcs.xyz.com samba.xyz.com samba
192.168.0.209  f0605966-1d4f-4fef-8a75-2a24863dbaa9._msdcs.xyz.com samba2.xyz.com samba2

Second, make sure you add all the correct CNAME and A record entries in your Samba4 DCs DNS... that is, details of the secondary DC2 to _both_ DCs...

/usr/local/samba/bin/samba-tool dns add 192.168.0.208 xyz.com samba2 A 192.168.0.209
/usr/local/samba/bin/samba-tool dns add 192.168.0.209 xyz.com samba2 A 192.168.0.209
/usr/local/samba/bin/samba-tool dns add 192.168.0.208 _msdcs.xyz.com f0605966-1d4f-4fef-8a75-2a24863dbaa9 CNAME samba2.xyz.com -UAdministrator
/usr/local/samba/bin/samba-tool dns add 192.168.0.209 _msdcs.xyz.com f0605966-1d4f-4fef-8a75-2a24863dbaa9 CNAME samba2.xyz.com -UAdministrator

Now try to ping the _msdcs_ name. It will work...

ping 5813325c-fa80-4e0e-b76e-4666f6afe1e2._msdcs.xyz.com

And you will see two-way tcp connections in netstat...

tcp       0      0 192.168.0.209:1024      192.168.0.208:36814     ESTABLISHED 582/samba
tcp       0      0 192.168.0.209:35246     192.168.0.208:1024      ESTABLISHED 589/samba

Amazingly simple, but it fixes it.

You should see the extra Domain Computers that were not on your Secondary Samba4 Domain Controller.

To confirm all is working, add or edit a user and check it on the DC2...

/usr/local/samba/bin/samba-tool group listmembers "Domain Computers" |sort -f

or

/usr/local/samba/bin/samba-tool user list |sort -f

And look at the Replication status log...

/usr/local/samba/bin/samba-tool drs showrepl
Default-First-Site-Name\SAMBA2
DSA Options: 0x00000001
DSA object GUID: f0605966-1d4f-4fef-8a75-2a24863dbaa9
DSA invocationId: d84e13de-4ed4-45e5-ba94-f04954536c51

==== INBOUND NEIGHBORS ====

CN=Configuration,DC=xyz,DC=com
    Default-First-Site-Name\SAMBA via RPC
        DSA object GUID: 5813325c-fa80-4e0e-b76e-4666f6afe1e2
        Last attempt @ Fri May 31 13:17:06 2013 BST was successful
        0 consecutive failure(s).
        Last success @ Fri May 31 13:17:06 2013 BST

==== OUTBOUND NEIGHBORS ====

CN=Configuration,DC=xyz,DC=com
    Default-First-Site-Name\SAMBA via RPC
        DSA object GUID: 5813325c-fa80-4e0e-b76e-4666f6afe1e2
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
    Connection name: 32efa02a-2852-45e8-bb49-78f0f3927895
    Enabled       : TRUE
    Server DNS name : samba.xyz.com
    Server DN name : CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xyz,DC=com
        TransportType: RPC
        options: 0x00000001
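
As an added example (not part of the original page or of Samba itself), the shell functions below reduce samba-tool drs showrepl output to one line per replication link, so that a link with a non-zero failure count stands out. The sample input is constructed from the output shown above, with one invented failing link; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise `samba-tool drs showrepl` output per replication link.

# Constructed sample input modelled on the output shown on this page; the
# second inbound link is invented to show what a failing neighbour looks like.
sample_showrepl() {
cat <<'EOF'
Default-First-Site-Name\SAMBA2
==== INBOUND NEIGHBORS ====
CN=Configuration,DC=xyz,DC=com
    Default-First-Site-Name\SAMBA via RPC
        DSA object GUID: 5813325c-fa80-4e0e-b76e-4666f6afe1e2
        Last attempt @ Fri May 31 13:17:06 2013 BST was successful
        0 consecutive failure(s).
        Last success @ Fri May 31 13:17:06 2013 BST
DC=xyz,DC=com
    Default-First-Site-Name\SAMBA via RPC
        Last attempt @ Fri May 31 13:17:06 2013 BST failed, result 2 (WERR_BADFILE)
        7 consecutive failure(s).
        Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
CN=Configuration,DC=xyz,DC=com
    Default-First-Site-Name\SAMBA via RPC
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)
==== KCC CONNECTION OBJECTS ====
EOF
}

# repl_summary: read showrepl text on stdin and print one line per link:
#   direction|naming context|partner|consecutive failures|state
repl_summary() {
    awk '
        /^==== INBOUND NEIGHBORS ====/      { dir = "inbound";  next }
        /^==== OUTBOUND NEIGHBORS ====/     { dir = "outbound"; next }
        /^==== KCC CONNECTION OBJECTS ====/ { dir = ""; next }
        dir == ""                           { next }   # header and KCC section
        /^(CN|DC)=/                         { nc = $0; next }
        / via RPC[ \t]*$/                   { partner = $1; next }
        $2 == "consecutive" {
            state = ($1 + 0 > 0) ? "FAIL" : "ok"
            printf "%s|%s|%s|%d|%s\n", dir, nc, partner, $1, state
        }
    '
}

# repl_failures: print how many links report at least one consecutive failure.
repl_failures() {
    repl_summary | awk -F'|' '$5 == "FAIL" { n++ } END { print n + 0 }'
}

sample_showrepl | repl_summary
```

On a live DC, pipe the real command into the same function: /usr/local/samba/bin/samba-tool drs showrepl | repl_failures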

And check the Active Directory database consistency, etc...

root@samba:~# /usr/local/samba/bin/samba-tool drs kcc
Consistency check on samba.xyz.com successful.

root@samba2:~# /usr/local/samba/bin/samba-tool drs kcc
Consistency check on samba2.xyz.com successful.

/usr/local/samba/bin/samba-tool dbcheck
Checking 274 objects
Checked 274 objects (0 errors)

Both DC1 and DC2 should give the same number of objects.

SAMBA4 HOWTO: Query / Show All Entries In DNS
/usr/local/samba/bin/samba-tool dns query localhost domain.com @ ALL

SAMBA4 HOWTO: Change Normal User Password
/usr/local/samba/bin/samba-tool user setpassword JoeBloggs --newpassword=MyNewPassword -U Administrator

SAMBA4 HOWTO: Change Administrator Password
kpasswd

and

/usr/local/samba/bin/samba-tool user setpassword Administrator
New Password:
Enter it again:
Password changed.

http://www.golinuxhub.com/2013/03/changing-password-of-administrator-in.html

SAMBA4 TO DO

 * Updating From GIT

Shut down Samba on both DC1 and DC2.

git pull

...but may have to do:-

git clean -x -f -d

Make and Install as above.

Start Samba on both DC1 and DC2.


 * Ubuntu Startup Script

https://wiki.samba.org/index.php/Samba4/InitScript


 * Secondary AD DC

samba-tool drs showrepl

1. On the server where you have already installed the version you want to match:-

$ cd /usr/src/samba4/samba-master
$ git log -1

This will show you the HASH revision number.

2. On the server where you want to install the same version:-

$ mkdir /usr/src/samba4
$ cd /usr/src/samba4/
$ git clone git://git.samba.org/samba.git samba-master
$ cd samba-master/
$ git checkout 8aae8b5bad167ac732b7f8949dfb40aebb2f26a9
$ git reset --hard

Proceed as above for installing the software.

https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC


 * List Domain Users

/usr/local/samba/bin/samba-tool user list |sort


 * Active Directory Windows Tool

dsa.msc


 * DNS Editing

Adding an A record...

samba-tool dns add server zone name A|AAAA|PTR|CNAME|NS|MX|SRV|TXT data

Example...

samba-tool dns add samba example.com www A 123.456.789.0
Record added successfully

Testing...

nslookup www.example.com samba
Server:        samba
Address:       192.168.0.208#53

Name:  www.example.com
Address: 123.456.789.0


 * Slow Logons

Fixed by deleting multiple incorrect IP addresses for Samba4 server.


 * Add New Users in Linux command-line

/usr/local/samba/bin/samba-tool user add jbloggs joe


 * Non Complex Passwords

/usr/local/samba/bin/samba-tool domain passwordsettings set --complexity=off
Password complexity deactivated!
All changes applied successfully!

/usr/local/samba/bin/samba-tool domain passwordsettings set --min-pwd-length=3
Minimum password length changed!
All changes applied successfully!


 * Backup and Restore

https://wiki.samba.org/index.php/Backup_and_Recovery


 * Gentoo Samba4 Startup Script

#!/sbin/runscript
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/files/samba4.initd,v 1.3 2011/09/14 22:52:33 polynomial-c Exp  $

extra_started_commands="reload"

description="The samba daemon init script"
description_reload="Reloads the samba daemon"

depend() {
    need net
}

start() {
    ebegin "Starting samba"
    start-stop-daemon --start --exec /usr/local/samba/sbin/samba
    eend $?
}

stop() {
    ebegin "Stopping samba"
    start-stop-daemon --stop --pidfile /usr/local/samba/var/run/samba.pid
    eend $?
}

reload() {
    ebegin "Reloading samba"
    killall -HUP samba
    eend $?
}

HOWTO: Restrict File Sharing To Particular Users or Network Addresses
http://www.cyberciti.biz/faq/samba-user-network-file-sharing-restictions/

Shut Down A Windows PC Remotely
net rpc SHUTDOWN -C "Test of remote shutdown with Samba" -f -I "192.168.0.61" -W DOMAIN -U username%password
Shutdown of remote machine succeeded

ERROR: read_data: Accessing Share From Windows 7
Windows PC cannot access Samba Share. This is from Samba log file (/var/log/samba/log.mypc)...

[2012/06/08 12:03:21, 0] lib/util_sock.c:read_data(534)
read_data: read failure for 4 bytes to client 192.168.0.55. Error = Connection reset by peer

Fix #1:

Control Panel > System and Security > Administrative Tools > Local Security Policy
Local Policies > Security Options > Network Security LAN Manager Authentication Level > Send LM & NTLM Responses
Uncheck Require 128-bit Encryption on Clients
Uncheck Require 128-bit Encryption on Servers
Save and Reboot

Fix #2:

Control Panel > Credentials Manager > Browse to Samba Server and check or delete stored usernames and passwords
Save and Reboot

Adding And Testing Users
Adding...

smbpasswd -a testuser

or...

pdbedit -a -u testuser

Testing...

grep 'testuser' /etc/passwd
testuser:*:1001:1001::0:0:Test User:/home/testuser:/usr/sbin/nologin

pdbedit -u testuser
testuser:1001:Test User

pdbedit -v -u testuser

Add Roaming Profile Machine Trust Account
useradd -c "Company 003 Machine Account" -d /dev/null -g machines -s /bin/false company-003$
smbpasswd -a -n -m company-003

You should have entries like the following:

/etc/passwd:
company-010$:x:1016:101:Company-010 Machine Account:/dev/null:/bin/false

/etc/shadow:
company-003$:!:15393:0:99999:7:::

/var/lib/samba/private/smbpasswd:
company-003$:1035:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:2D6AF5372CEEE519054B3EAA0FC1B9D6:[W         ]:LCT-4F4664C3:
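
As an added example (not from the original page), the function below cross-checks the files listed above: every smbpasswd entry carrying the W (workstation trust) flag should have a Unix account of the same name, ending in $, with the same uid. The function names and all sample entries are constructed for illustration; the hash fields are placeholders.

```shell
#!/bin/sh
# Added example: cross-check machine trust accounts between a passwd file
# and an smbpasswd file.

# check_machine_accounts PASSWD SMBPASSWD
# Prints one line per inconsistency; prints nothing when all entries agree.
check_machine_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { uid[$1] = $3; next }   # first file: Unix accounts
        $5 !~ /W/      { next }                      # skip non-machine accounts
        $1 !~ /[$]$/   { print $1 ": W flag set but name has no trailing $"; next }
        !($1 in uid)   { print $1 ": missing from passwd"; next }
        uid[$1] != $2  { print $1 ": uid " $2 " (smbpasswd) != " uid[$1] " (passwd)" }
    ' "$1" "$2"
}

# demo_check: run the check over constructed sample files in a temp directory.
demo_check() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
company-003$:x:1035:101:Company 003 Machine Account:/dev/null:/bin/false
company-010$:x:1016:101:Company-010 Machine Account:/dev/null:/bin/false
EOF
    cat > "$d/smbpasswd" <<'EOF'
testuser:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
company-003$:1035:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
company-010$:1099:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
company-011$:1017:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
EOF
    check_machine_accounts "$d/passwd" "$d/smbpasswd"
    rm -rf "$d"
}

demo_check
```

Against a real server, run it as root with the paths from this page: check_machine_accounts /etc/passwd /var/lib/samba/private/smbpasswd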

Test Samba Share Via Command Line
server.domain.co.uk ~ $ smbclient -U username //server.domain.co.uk/sharename
Password:
Domain=[DOAMIN] OS=[Unix] Server=[Samba 3.0.28]
smb: \> ls
smb: \> quit

Tweaks For Network Browsing
smb port = 139
local master = yes
domain master = yes
preferred master = yes
os level = 35
interfaces = 192.168.0.0/24 127.0.0.1
bind interfaces only = yes

Fix Subnet Interface Errors
If you cannot access your samba server, and in the /var/log/samba/log.nmbd you see this error...

create_subnets: No local IPv4 non-loopback interfaces
create_subnets: Waiting for an interface to appear

...then change your interfaces parameter in /etc/samba/smb.conf to match your actual network interface card. For example...

From

interfaces = 192.168.0.0/24 127.0.0.1

To

interfaces = 192.168.0.200/24 127.0.0.1

Weird, but it works. :-/

Windows 7: Domain Log On
There are currently two registry settings required to be added on the Windows 7 client prior to joining a Samba Domain. These are:

HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0

Do not edit any other registry parameters (NETLOGON) that have been seen in the wild. If you have already modified your Windows 7 registry, please make sure to reset the keys to their default values.

If you have changed the NETLOGON Parameters, make sure and turn them back to '1' as shown below:

HKLM\System\CCS\Services\Netlogon\Parameters
DWORD RequireSignOrSeal = 1
DWORD RequireStrongKey = 1

Primary Domain Controller
http://en.gentoo-wiki.com/wiki/Samba/Primary_Domain_Controller