Hey folks

I am quite new to DRBD and just had two quick questions; if someone could help, it would be great.

#1 Is there a downloadable version of the documentation? I don't get very much time to read, so I was planning on reading it all offline...

#2 One of the scenarios that I was thinking of using DRBD with is as follows. Please let me know if this would theoretically work, and whether it is ugly, or even just plain wrong.

I have a server with about 500GB of data on its own filesystem. Currently, nightly, we lock this data, use tar to copy it to another volume, unlock it, then use gzip on the copy to compress it, and then copy this to a second server for backup. The reason for the multi-step process is that we want to keep data lock time to a minimum.
What I was thinking of doing is using DRBD to mirror this volume to the second server. At backup time, on the second system, we stop the process, or stop the packet shipping or likewise, so there will be no updates, lock the data, run tar/gz, unlock, and restart the synchronization.
Is this possible? I.e., can DRBD deal with a system being unavailable for a few hours, store changes (or do checksums etc.) and then replay those changes when the second system comes back online?

Anyway, thanks in advance for the replies.

Regards

B

The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized. If you are not the intended recipient, any disclosure,
copying, distribution or any action taken or omitted to be taken in reliance
on it, is prohibited and may be unlawful. If you are not the intended
addressee please contact the sender and dispose of this e-mail. Thank you.


Issue with joining to ADS2003 domain

Thu, 27 Oct 2011 08:27:15 -0700

I have set up LDAP/KRB5 access to my active directory network.
If I do a getent passwd, I see the users with a unix UID/GID.
If I use kinit, I can get a token.
If I su to a user, it creates a home folder, and shows correct IDs etc.

However, the machine will not log in via ssh or the GUI. In secure I see:
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: ccache dir: /tmp
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: keytab: FILE:/etc/krb5.keytab
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: called to authenticate 'ipillion', realm 'MYDOMAIN.COM'
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating 'ipillion*******'
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: trying previously-entered password for 'ipillion', allowing libkrb5 to prompt for more
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: authenticating 'ipillion*******'
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: krb5_get_init_creds_password(krbtgt/MYDOMAIN.COM*******) returned 0 (Success)
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: validating credentials
Oct 27 11:15:16 rhelads sshd[4190]: pam_krb5[4190]: error guessing name of local host principal
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: TGT failed verification using keytab: Hostname cannot be canonicalized
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: got result 0 (Success)
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: authentication fails for 'ipillion' (ipillion*******): Authentication failure (Success)
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: pam_authenticate returning 7 (Authentication failure)
Oct 27 11:15:38 rhelads sshd[4190]: Failed password for ipillion from 172.16.165.122 port 57518 ssh2
Oct 27 11:15:40 rhelads sshd[4193]: Connection closed by 172.16.165.122

So I try to join the machine to the domain:
libads/sasl.c:ads_sasl_spengo_bind(819)
kinit suceeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

My smb.conf is here:
[global]
workgroup = ITD2
realm = mydomain.com
security = ads
user kerberos keytab = true

--
To unsubscribe from this list go to the following URL and read the
instructions:   https://lists.samba.org/mailman/options/samba
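The pam_krb5 sequence in the log above (the KDC accepts the password, then "TGT failed verification using keytab") is the host-key check that stops a spoofed KDC from authenticating a user with an attacker-chosen password, so it is worth telling apart from an ordinary wrong-password failure instead of silencing it with pam_krb5's validate option. What follows is an added example, not code from the post or from pam_krb5: a small Python classifier run over constructed log lines modelled on the ones above. Session 4190 reproduces the post's lines; session 4301 (user bob, the preauthentication error) is invented to show the KDC-rejected case for comparison.

```python
import re

# Constructed sample log, modelled on the pam_krb5 lines in the post above.
# Session 4190 mirrors the post; session 4301 (user bob) is invented.
SAMPLE_LOG = """\
Oct 27 11:14:55 rhelads sshd[4190]: pam_krb5[4190]: called to authenticate 'ipillion', realm 'MYDOMAIN.COM'
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: krb5_get_init_creds_password(krbtgt/MYDOMAIN.COM*******) returned 0 (Success)
Oct 27 11:14:56 rhelads sshd[4190]: pam_krb5[4190]: validating credentials
Oct 27 11:15:16 rhelads sshd[4190]: pam_krb5[4190]: error guessing name of local host principal
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: TGT failed verification using keytab: Hostname cannot be canonicalized
Oct 27 11:15:36 rhelads sshd[4190]: pam_krb5[4190]: pam_authenticate returning 7 (Authentication failure)
Oct 27 11:20:01 rhelads sshd[4301]: pam_krb5[4301]: called to authenticate 'bob', realm 'MYDOMAIN.COM'
Oct 27 11:20:02 rhelads sshd[4301]: pam_krb5[4301]: krb5_get_init_creds_password(krbtgt/MYDOMAIN.COM*******) returned -1765328360 (Preauthentication failed)
Oct 27 11:20:02 rhelads sshd[4301]: pam_krb5[4301]: pam_authenticate returning 7 (Authentication failure)
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: pam_krb5\[\d+\]: (?P<msg>.*)$")
USER_RE = re.compile(r"called to authenticate '([^']+)', realm '([^']+)'")
KDC_RE = re.compile(r"krb5_get_init_creds_password\(.*\) returned (-?\d+) \((.*)\)")
VERIFY_RE = re.compile(r"TGT failed verification using keytab: (.*)")
RESULT_RE = re.compile(r"pam_authenticate returning (\d+) \((.*)\)")


def parse_sessions(log_text):
    """Group pam_krb5 lines by sshd PID and pull out the steps that matter."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m.group("pid"), {
            "pid": m.group("pid"), "user": None, "realm": None,
            "kdc_code": None, "kdc_msg": None, "verify_error": None, "pam_rc": None,
        })
        msg = m.group("msg")
        if (u := USER_RE.search(msg)):
            s["user"], s["realm"] = u.groups()
        elif (k := KDC_RE.search(msg)):
            s["kdc_code"], s["kdc_msg"] = int(k.group(1)), k.group(2)
        elif (v := VERIFY_RE.search(msg)):
            s["verify_error"] = v.group(1)
        elif (r := RESULT_RE.search(msg)):
            s["pam_rc"] = int(r.group(1))
    return list(sessions.values())


def classify(session):
    """Separate 'the KDC said no' from 'the KDC said yes but the host could not verify the TGT'."""
    if session["kdc_code"] is None:
        return "incomplete"
    if session["kdc_code"] != 0:
        return "kdc_rejected"               # wrong password, preauth failure, clock skew, ...
    if session["verify_error"] is not None:
        return "tgt_verification_failed"    # keytab/hostname problem, or a spoofed KDC
    if session["pam_rc"] == 0:
        return "success"
    return "other_failure"


def report(log_text):
    """Map sshd PID -> (user, class, detail) for every session in the log."""
    out = {}
    for s in parse_sessions(log_text):
        cls = classify(s)
        detail = s["verify_error"] if cls == "tgt_verification_failed" else s["kdc_msg"]
        out[s["pid"]] = (s["user"], cls, detail)
    return out


if __name__ == "__main__":
    for pid, (user, cls, detail) in report(SAMPLE_LOG).items():
        print(f"sshd[{pid}] {user}: {cls} ({detail})")
```

The verification step needs the name returned by `hostname -f` to be the FQDN whose `host/<fqdn>@REALM` key is present in /etc/krb5.keytab (`klist -k /etc/krb5.keytab` lists the principals it holds); a mismatch between the two gives exactly the canonicalization error above. If the `tgt_verification_failed` class shows up on a host whose keytab and DNS are known to be good, treat it as a possible rogue KDC rather than as a user typing the wrong password.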


I've recently installed three servers with RHEL5u5. After some messing on the original, I got samba working with ADS authentication. I then went and got it working so that users could log in using their domain name & password to the box. I got this working with both no restriction, and ADS group restriction. I have left it on no restriction while I get these systems up and running.

I then copied my configuration files (krb5.conf, samba.conf, system-auth.conf) to the second machine. Everything works.  Rebooted, everything is fine. System running as expected.

I copied to the third machine. Everything worked fine. I was able to log in using two users (mine and a colleagues). Set up some other machine stuff, rebooted, and passed the machine over.

I was then informed (naturally 5 mins after I left the office) that there was something wrong. Those two accounts worked from both a samba perspective, and a login perspective. However, a third account that was supposed to work failed with "su: user ccadm does not exist". Now samba doesn't work for any user other than the original too, and the same goes for logins.

I tried net ads leave, kdestroy, renaming the system, rebooting. I have rejoined the domain as both that system name, and a new one, with no issues:
[root@akbarTRAP log]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@akbarTRAP log]# net ads testjoin
Join is OK
[root@akbarTRAP log]# wbinfo -u | grep ccadm
Ccadm

So my questions are:

1. Where the hell are these accounts being cached, that work?

2. What the hell has happened to make this no longer work?

3. Why, if I can see all the users & groups, can I not log in, or get samba working?

This is really starting to get on my nerves. I just cannot understand why, if it can see the users using wbinfo, it is telling me they don't exist.

Would really appreciate some help on this.

Regards
B

[root*******| grep winbind
passwd:     files winbind
shadow:     files winbind
group:      files winbind

log.winbind:
[2011/03/30 14:29:03,  3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:03,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:03,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [ 7381]: request interface version
[2011/03/30 14:29:05,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [ 7381]: request location of privileged pipe
[2011/03/30 14:29:05,  3] winbindd/winbindd_pam.c:829(winbindd_pam_auth)
  [ 7381]: pam auth ccadm
[2011/03/30 14:29:05,  3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [ 7381]: getpwnam ccadm

Secure log:
Mar 30 14:29:03 akbartrap sshd[7381]: Invalid user ccadm from 172.16.165.248
Mar 30 14:29:03 akbartrap sshd[7382]: input_userauth_request: invalid user ccadm
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): check pass; user unknown
Mar 30 14:29:05 akbartrap sshd[7381]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=galvatron.MYDOMAIN.com
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): getting password (0x00000010)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): pam_get_item returned a password
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password [I know the pass is right here. It works elsewhere]
Mar 30 14:29:05 akbartrap sshd[7381]: pam_winbind(sshd:auth): user 'ccadm' denied access (incorrect password or invalid membership)
Mar 30 14:29:05 akbartrap sshd[7381]: pam_succeed_if(sshd:auth): error retrieving information about user ccadm
Mar 30 14:29:07 akbartrap sshd[7381]: Failed password for invalid user ccadm from 172.16.165.248 port 39699 ssh2

# Global parameters
[global]
        workgroup = GROUP
        realm = MYDOMAIN.COM
        security = ads
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind use default domain = Yes
        winbind separator = /
        encrypt passwords = Yes
        log level = 3
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        preferred master = No
        dns proxy = No
        wins server = 172.16.164.100
        template homedir = /home/%U
        template shell = /bin/bash

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_winbind.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     sufficient    pam_winbind.so use_first_pass
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_first_pass
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_winbind.so use_first_pass
session     required      pam_mkhomedir.so

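The auth stack in the post is what decides the outcome once pam_unix and pam_winbind have both failed: both are `sufficient`, so their failures are ignored, and the `requisite` pam_succeed_if line then needs a getpwnam() answer for the user; the secure log's "error retrieving information about user ccadm" is that lookup failing. The following is an added example, not the post's or Samba's code: a Python model of Linux-PAM's control-flag semantics (required, requisite, sufficient) run against a constructed host, with the module behaviours simplified (pam_unix compares against a stored password and honours `nullok`; pam_winbind succeeds only for a user winbindd can resolve and the DC authenticates, whereas the real module in the post reported NT_STATUS_WRONG_PASSWORD; the stack outcome is the same either way). The user names, UIDs and passwords are invented. It also runs the same stack with `nullok` removed, to show what that option gives away.

```python
from dataclasses import dataclass

# Linux-PAM return codes used by the model
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 6, 7, 10


@dataclass
class Host:
    """Constructed host state (an assumption, not the poster's machine)."""
    passwd: dict            # name -> uid, what getpwnam() returns via files + winbind
    shadow: dict            # name -> local password ("" = empty field), files only
    domain_passwords: dict  # name -> password the DC accepts through winbindd


def pam_env(host, user, password, opts):
    return PAM_SUCCESS                      # only sets environment, never fails


def pam_unix(host, user, password, opts):
    if user not in host.shadow:
        return PAM_USER_UNKNOWN
    stored = host.shadow[user]
    if stored == "":                        # empty password field: only nullok lets it through
        return PAM_SUCCESS if ("nullok" in opts and password == "") else PAM_AUTH_ERR
    return PAM_SUCCESS if password == stored else PAM_AUTH_ERR


def pam_winbind(host, user, password, opts):
    # Model: winbindd must resolve the user and the DC must accept the password.
    if user not in host.passwd:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if host.domain_passwords.get(user) == password else PAM_AUTH_ERR


def pam_succeed_if(host, user, password, opts):
    # "uid >= 500" needs getpwnam(); an unresolvable user is an error, not a false
    if user not in host.passwd:
        return PAM_USER_UNKNOWN
    return PAM_SUCCESS if host.passwd[user] >= 500 else PAM_AUTH_ERR


def pam_deny(host, user, password, opts):
    return PAM_AUTH_ERR


# The auth stack as listed in the post
AUTH_STACK = [
    ("required",   pam_env,        ()),
    ("sufficient", pam_unix,       ("nullok", "try_first_pass")),
    ("sufficient", pam_winbind,    ("use_first_pass",)),
    ("requisite",  pam_succeed_if, ("uid >= 500", "quiet")),
    ("required",   pam_deny,       ()),
]


def without_option(stack, option):
    """Same stack with one module option dropped (used here to remove nullok)."""
    return [(c, m, tuple(o for o in opts if o != option)) for c, m, opts in stack]


def run_auth_stack(stack, host, user, password):
    """Apply the documented control-flag rules; returns (final rc, trace of (module, rc))."""
    trace = []
    first_required_failure = None
    any_success = False
    for control, module, opts in stack:
        rc = module(host, user, password, opts)
        trace.append((module.__name__, rc))
        if control == "required":
            if rc == PAM_SUCCESS:
                any_success = True
            elif first_required_failure is None:
                first_required_failure = rc     # remembered; the stack keeps running
        elif control == "requisite":
            if rc == PAM_SUCCESS:
                any_success = True
            else:                               # stop at once, later modules never run
                return (first_required_failure if first_required_failure is not None else rc), trace
        elif control == "sufficient":
            if rc == PAM_SUCCESS and first_required_failure is None:
                return PAM_SUCCESS, trace       # short-circuit success
            # a failing sufficient module is simply ignored
    if first_required_failure is not None:
        return first_required_failure, trace
    return (PAM_SUCCESS if any_success else PAM_PERM_DENIED), trace


HOST = Host(
    passwd={"root": 0, "alice": 500, "ipillion": 10001},   # ccadm: listed by wbinfo, not resolvable
    shadow={"root": "r00t-local", "alice": ""},             # alice has an empty password field
    domain_passwords={"ipillion": "Winter2011", "ccadm": "Summer2011"},
)

if __name__ == "__main__":
    cases = [("root", "r00t-local"), ("ipillion", "Winter2011"), ("ipillion", "wrong"),
             ("ccadm", "Summer2011"), ("alice", "")]
    for user, pw in cases:
        rc, trace = run_auth_stack(AUTH_STACK, HOST, user, pw)
        print(f"{user:9} rc={rc:2} via {trace}")
    rc, _ = run_auth_stack(without_option(AUTH_STACK, "nullok"), HOST, "alice", "")
    print(f"alice with nullok removed: rc={rc}")
```

Two things the trace makes visible: for ccadm the stack ends at pam_succeed_if with PAM_USER_UNKNOWN and pam_deny is never reached, which is why the secure log shows the `succeed_if` error directly after the winbind lines; and with `nullok` present, a local account whose password field is empty logs in with an empty password before winbind is ever consulted, so on a domain-joined box that option is worth dropping from the `pam_unix` line.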

