Discussion:
[Samba] Samba anonymous dns forwarding
Johannes Amorosa | Celluloid VFX
2016-04-15 14:08:36 UTC
Hello,
we're using Samba's internal DNS server.

Is there a way to get rid of these messages in logfiles:

/var/log/samba/log.samba: Not authoritative for 'static.ak.facebook.com', forwarding
/var/log/samba/log.samba: Not authoritative for 's-static.ak.facebook.com', forwarding
/var/log/samba/log.samba: Not authoritative for 's-static.ak.facebook.com', forwarding
/var/log/samba/log.samba: Not authoritative for 's-static.ak.facebook.com', forwarding
/var/log/samba/log.samba: Not authoritative for 'connect.facebook.net', forwarding

Generally I want to keep privacy high for our users - when there is no
technical need of logging this,
without tuning log level.
JA
--
Johannes Amorosa | Celluloid VFX

Celluloid Visual Effects GmbH & Co. KG
Paul-Lincke-Ufer 39/40, 10999 Berlin
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
l***@gmail.com
2016-04-15 14:36:53 UTC
What log level are you currently using?
--
-James
Johannes Amorosa | Celluloid VFX
2016-04-18 16:52:49 UTC
Post by l***@gmail.com
What log level are you currently using?
Log level 2, but basically we want to keep log level because we are
debugging.
--
Johannes Amorosa | Celluloid VFX

Celluloid Visual Effects GmbH & Co. KG
Paul-Lincke-Ufer 39/40, 10999 Berlin
phone +49 (0)30 / 54 735 220
fax +49 (0)30 / 54 735 221
l***@gmail.com
2016-04-18 17:09:26 UTC
Post by Johannes Amorosa | Celluloid VFX
Log level 2, but basically we want to keep log level because we are
debugging.
I had the same issue. I eventually set up a central rsyslog server. You
can drop them before they are sent.
--
-James
Johannes Amorosa | Celluloid VFX
2016-04-20 09:14:26 UTC
Post by l***@gmail.com
I had the same issue. I eventually set up a central rsyslog server.
You can drop them before they are sent.
Thanks for your reply. We need to centralize our logging anyway. Would
you mind sharing
your smb and rsyslog snippets how you have done this?
--
Johannes Amorosa | Celluloid VFX

Celluloid Visual Effects GmbH & Co. KG
Paul-Lincke-Ufer 39/40, 10999 Berlin
l***@gmail.com
2016-04-21 12:26:18 UTC
Post by Johannes Amorosa | Celluloid VFX
Thanks for your reply. We need to centralize our logging anyway. Would
you mind sharing
your smb and rsyslog snippets how you have done this?
Under global section of smb.conf add

log level = 0
logging = ***@1 file

See 'man smb.conf' for additional details on 'logging ='

The rsyslog.conf isn't so simple. It will need to be set up specific to
how you have your central rsyslog server set up. But mine is

:msg, contains, "cron" stop
:msg, contains, "Connection closed by 172.16.232.27" stop

auth,authpriv,daemon,kern,lpr,mail,mark,news,syslog,user,uucp,local0,local1,local2,local3,local4,local5,local6,local7.* @172.16.232.45:514

Please see 'man rsyslog.conf' for additional details. The key command is
':msg, contains,'. This is how I filter. Google search for 'rsyslog
loganalyzer tutorial'. You can strip messages on the host before being
sent or you can drop them on the server end.
--
-James
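The ':msg, contains,' filtering described above, applied to the 'Not authoritative for ..., forwarding' lines from the first post. This is an added example, not configuration from anyone in the thread; the file name and the program name "samba" are assumptions, and the forwarding target is the address from the snippet above.

```conf
# /etc/rsyslog.d/10-samba-dns-privacy.conf   (hypothetical file name)
#
# Assumes Samba already hands its messages to syslog (the 'logging ='
# setting in smb.conf) and that they arrive with the program name
# "samba" (assumption: check the tag on a real message first).
#
# rsyslog evaluates rules top to bottom, and files in /etc/rsyslog.d/
# are read in sorted order, so this filter must come BEFORE every
# action that writes or forwards messages. "stop" discards the
# message at this point; no later rule sees it.

# Host-side drop: the queried name never leaves this machine.
# "contains" is a case-sensitive substring match on the message text.
if $programname == 'samba' and $msg contains 'Not authoritative for' then stop

# The same drop in the property-filter syntax used in the snippet
# above, without the program-name restriction (commented out; one
# of the two forms is enough):
#:msg, contains, "Not authoritative for" stop

# Everything that passed the filter goes to the central server
# (single @ = UDP, port 514, as in the snippet above).
*.* @172.16.232.45:514
```

This only filters the syslog path: if the 'logging =' line also keeps the file backend, Samba writes the same messages to its own log file at the configured log level. The same rule also works on the receiving server, placed above its file-writing actions, but then the queried names still cross the network to get there.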
Johannes Amorosa | Celluloid VFX
2016-04-22 08:51:45 UTC
Thank you for your info. I will give it a try.
--
Johannes Amorosa | Celluloid VFX

Celluloid Visual Effects GmbH & Co. KG
Paul-Lincke-Ufer 39/40, 10999 Berlin
phone +49 (0)30 / 54 735 220
fax +49 (0)30 / 54 735 221
Johannes Amorosa | Celluloid VFX
2016-04-20 09:16:31 UTC
Hello Johannes,
Post by Johannes Amorosa | Celluloid VFX
Post by l***@gmail.com
What log level are you currently using?
Log level 2, but basically we want to keep log level because we are
debugging.
Was Samba installed through rpm/deb or did you compile it? In that case
you can increase the log level in the sources for these messages and
re-compile.
Regards,
Marc
We are using SerNet's packages, there is no decision made if we upgrade
to 4.3 with a SerNet
subscription contract or I'll start compiling - if we do the latter I
will have a look at the sources and
report back here.
--
Johannes Amorosa | Celluloid VFX

Celluloid Visual Effects GmbH & Co. KG
Paul-Lincke-Ufer 39/40, 10999 Berlin
Mgr. Peter Tuharsky
2016-04-20 10:22:18 UTC
Hello

The Debian team was unable to keep 4.1.17 patched, so they switched to
the 4.2 branch. However, a fileserver at this version (4.2.10) is no longer
able to communicate with a DC at Samba 3.5 (unable to authenticate users -
got a weird rpc version error in the log)

Please, are there any parameters that could make this work for a while now?

Sincerely

Peter
Dale Schroeder
2016-04-20 18:12:08 UTC
Peter,

I've been asking the same basic question periodically for the last two
weeks and have not gotten any replies that make things work. No one has
volunteered that their Samba NT4 domain works with the new versions.

You could start by looking at the "Winbindd/Netlogon improvements"
section here: https://www.samba.org/samba/history/samba-4.2.0.html

None of these parameters made any difference for me, but your luck may
be better than mine. Additionally, you will face the challenges brought
on by the security fixes. It's not looking good for Samba NT4 domains.

Dale
Mgr. Peter Tuharsky
2016-04-22 06:23:11 UTC
Thank You, Dale

The parameters I understood from the documentation did nothing for me either.

I see I must upgrade Samba on the DC. I'm reluctant since this is always
quite a delicate thing though, I don't want to break the whole network...
mathias dufresne
2016-04-22 08:31:15 UTC
Hi,

I thought Samba4 was able to do everything that Samba3 was doing.

According to that, isn't it possible for you to add a new DC which runs
Samba4 into your NT4 domain? As it is a DC in addition to the other DCs
(those running Samba3) your domain should continue to work as it did for
years. You would just get another DC running a more recent Samba.

I expect that Samba4 as filesrv is able to communicate correctly with
Samba4 as NT4 DC.

If my suppositions are not wrong, this would solve your strange RPC issue
and also give a way to update your NT4 DC, which seems an important thing
according to that link, which seems to show that samba3 is not supported any
more.
https://wiki.samba.org/index.php/Samba_Release_Planning#General_information
Dale Schroeder
2016-04-22 17:58:31 UTC
Mathias,

What you say is true in theory, but after Debian went from 4.1 to 4.3,
my NT4 domain no longer works. The initial error was no logon server
available. I've asked if anyone has a working NT4 domain on 4.3, and no
one has replied that they do; therefore, I assume that there are none.
Additionally, there were specific changes indicated for NT4 domains in
the 4.2 release notes, but when Marc released the NT4 domain wiki page,
there is no mention of these parameters or how they should be applied.
Using them did not improve the domain situation for me. That is why I
said that things don't look good for NT4 domains. With the advent of
Samba4 AD capabilities, NT4 domains are passé. I wish I was wrong.

With the spate of messages on this list since the security updates were
released, I see no reason to rush in the AD direction either. A
workgroup looks better every day...........

Dale
Mgr. Peter Tuharsky
2016-07-07 08:52:16 UTC
For the record, upgrade of the DC from Samba 3.6 to (patched) 4.2.10 (Debian
6 Squeeze to Debian 8 Jessie) seems to have resolved the problem. I have
then upgraded a single FS from (unpatched) Samba 4.1.17 to (patched)
4.2.10 and it seems to be working. I'll give it a few days of testing and
upgrade the rest of the FSs.

Interestingly, the (unpatched) 4.1.17 FSs still work under the patched
4.2.10 DC, while the patched 4.2.10 FS did not work with the unpatched DC.
Looks like the compatibility problem between servers is single-sided, or is
simply related to too old a Samba on the side of the previous DC that could
not cope with e.g. some protocol negotiations with the patched FS.