[Samba] issue with mapping BUILTIN on ADS member server
Hello list,

Quick summary of the issue (repeated below after the details):

Running 'wbinfo --user-info=markc' on either smb ads member server will return identical info. Running 'wbinfo --group-info=BUILTIN\\Users' returns different information on each server. I'd like to make mappings for BUILTIN consistent in case I ever use them.

Background and details:

I have a production environment with 2 ADS member servers that I'm planning to re-work, and I've found an oversight with how my setup maps items from BUILTIN. I hadn't been using anything from there so it isn't a big deal at the moment, but I'm trying to fix it and/or decide how to simplify my whole idmap setup. Here is some background info, let me know if you need something else:

- Native-mode AD, all DCs on 2003R2 SP2 x64.
- Two Ubuntu Server x64 8.04.03 LTS AD member servers running Samba 3.0.28a (samba_3.0.28a-1ubuntu4.10_i386.deb).
- I have a few directives that may be considered odd (map to guest, force create/dir) for my type of setup. This is because I'm still getting rid of some XP Home workstations that need guest shares. This was the only way I could get them to play nice (IIRC this was due to ADS mode rejecting the credentials before it realized it was a request for a guest share).
Here is my current config:

[global]
    server string = Dallas File Server
    workgroup = DOMAINNAME
    realm = DOMAINNAME.COM
    security = ADS
    password server = *
    #password server = dal-dc1.domainname.com
    #password server = dal-dc1.domainname.com, den-dc1.domainname.com
    # client schannel = Yes
    # server schannel = Yes
    username map = /etc/samba/smbusers
    obey pam restrictions = Yes
    enable privileges = Yes
    map to guest = Bad User
    # restrict anonymous = 2
    allow trusted domains = No
    # lanman auth = No
    # ntlm auth = No
    # client NTLMv2 auth = Yes
    log level = 4
    syslog = 0
    # min protocol = NT1
    # client signing = Yes
    # server signing = Yes
    load printers = No
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    ldap ssl = no
    host msdfs = No
    idmap domains = DOMAINNAME
    idmap alloc backend = ldap
    template shell = /bin/false
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind refresh tickets = Yes
    idmap alloc config:range = 10 - 50
    idmap alloc config:ldap_url = ldap://dal-dc1.domainname.com ldap://den-dc1.domainname.com
    idmap alloc config:ldap_user_dn = cn=idmapmgr,cn=users,dc=domainname,dc=com
    idmap config DOMAINNAME:range = 10 - 50
    idmap config DOMAINNAME:ldap_url = ldap://dal-dc1.domainname.com ldap://den-dc1.domainname.com
    idmap config DOMAINNAME:ldap_user_dn = cn=idmapmgr,cn=users,dc=domainname,dc=com
    idmap config DOMAINNAME:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=domainname,dc=com
    idmap config DOMAINNAME:backend = ldap
    idmap config DOMAINNAME:default = yes
    hosts allow = (redacted)
    map acl inherit = No
    hide special files = Yes
    map archive = No
    map readonly = No
    map system = No
    map hidden = No
    force create mode = 707
    force directory mode = 707
    ea support = No
    store dos attributes = No
    wide links = No
    follow symlinks = No
    dos filemode = No
    add share command=/etc/samba/command_cust.pl
    delete share command=/etc/samba/command_cust.pl
    change share command=/etc/samba/command_cust.pl

The actual issue/question (as stated above):
Running 'wbinfo --user-info=markc' on either smb ads member server will return identical info. Running 'wbinfo --group-info=BUILTIN\\Users' returns different information on each server. I'd like to make mappings for BUILTIN consistent in case I ever use them. I guess it is falling back to tdb since I can grep for relevant info and the tdb for group mapping matches.

I've labbed my setup by setting up a third smb server in the same config, and a blank ad partition for mapping...so I can change things for testing there (and I have been). My browser has no fewer than 20 tabs up with various man pages, pdfs, and list posts on idmap but it isn't quite coming together for me on this one aspect that deals with BUILTIN. tia for any assistance you can provide.

Thank you,
Mark Casey

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Fixed! [netlogon] section being ignored
Gaiseric Vandal wrote:
> Does it work if you specify a *.bat or *.cmd file? I haven't seen *.vbs files used as a logon script before. Once you logon to the PC, are you able to view the netlogon share and logon scripts? Are you trying to have a different logon script for each user? Variables in the script should still allow you to map each user's home directory appropriately. Alternately you could specify the logon script parameter for each user's account.

To get Samba working right, I ended up downloading the 3.4 source and installing that. This isn't the first time I've had to do this on Ubuntu server versions.

--
Mark Leisher
[Samba] intermittent authentication: check_ntlm_password: Authentication for user [someuser] -> [someuser] FAILED with error NT_STATUS_ACCESS_DENIED
OS: Ubuntu 8.04.3 LTS
Kernel: 2.6.24-23-server x86_64
Samba: 3.0.28a-1ubuntu4.9

We are having intermittent authentication issues with some windows clients connecting to our samba server. Sometimes it works fine, sometimes it fails miserably and continually. I'm not sure how to reproduce the issue every time but it does happen every single day. Looking for some help.

testparm -v:

[global]
    dos charset = CP850
    unix charset = UTF-8
    display charset = LOCALE
    workgroup = SOMEDOMAIN
    realm = SOMEDOMAIN.COM
    netbios name = SAMBASERVER
    netbios aliases = SMB
    netbios scope =
    server string = FileServer
    interfaces = eth0
    bind interfaces only = No
    security = ADS
    auth methods =
    encrypt passwords = Yes
    update encrypted = No
    client schannel = Auto
    server schannel = Auto
    allow trusted domains = Yes
    map to guest = Never
    null passwords = No
    obey pam restrictions = Yes
    password server = DC1, DC2, *
    smb passwd file = /etc/samba/smbpasswd
    private dir = /etc/samba
    passdb backend = smbpasswd
    algorithmic rid base = 1000
    root directory =
    guest account = nobody
    enable privileges = Yes
    pam password change = No
    passwd program =
    passwd chat = *new*password* %n\n *new*password* %n\n *changed*
    passwd chat debug = No
    passwd chat timeout = 2
    check password script =
    username map =
    password level = 0
    username level = 0
    unix password sync = No
    restrict anonymous = 1
    lanman auth = Yes
    ntlm auth = Yes
    client NTLMv2 auth = No
    client lanman auth = Yes
    client plaintext auth = Yes
    preload modules =
    use kerberos keytab = No
    log level = 0
    syslog = 1
    syslog only = No
    log file = /var/log/samba/%m.log
    max log size = 5000
    debug timestamp = Yes
    debug prefix timestamp = No
    debug hires timestamp = No
    debug pid = No
    debug uid = No
    enable core files = Yes
    smb ports = 445 139
    large readwrite = Yes
    max protocol = NT1
    min protocol = CORE
    read bmpx = No
    read raw = Yes
    write raw = Yes
    disable netbios = No
    reset on zero vc = No
    acl compatibility = auto
    defer sharing violations = Yes
    nt pipe support = Yes
    nt status support = Yes
    announce version = 4.9
    announce as = NT
    max mux = 50
    max xmit = 16644
    name resolve order = lmhosts wins host bcast
    max ttl = 259200
    max wins ttl = 518400
    min wins ttl = 21600
    time server = No
    unix extensions = No
    use spnego = Yes
    client signing = auto
    server signing = No
    client use spnego = Yes
    enable asu support = No
    svcctl list =
    deadtime = 0
    getwd cache = Yes
    keepalive = 300
    lpq cache time = 30
    max smbd processes = 0
    paranoid server security = Yes
    max disk size = 0
    max open files = 1
    open files database hash size = 10007
    socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    use mmap = Yes
    hostname lookups = No
    name cache timeout = 660
    load printers = Yes
    printcap cache time = 750
    printcap name = cups
    cups server =
    iprint server =
    disable spoolss = No
    addport command =
    enumports command =
    addprinter command =
    deleteprinter command =
    show add printer wizard = Yes
    os2 driver map =
    mangling method = hash2
    mangle prefix = 1
    max stat cache size = 1024
    stat cache = Yes
    machine password timeout = 604800
    add user script =
    rename user script =
    delete user script =
    add group script =
    delete group script =
    add user to group script =
    delete user from group script =
    set primary group script =
    add machine script =
    shutdown script =
    abort shutdown script =
    username map script =
    logon script =
    logon path = \\%N\%U\profile
    logon drive =
    logon home = \\%N\%U
    domain logons = No
    os level = 20
    lm announce = Auto
    lm interval = 60
    preferred master = No
    local master = No
    domain master = No
    browse list = Yes
    enhanced browsing = Yes
    dns proxy = Yes
    wins proxy = No
    wins server = a.b.c.d
    wins support = No
    wins hook =
    kernel oplocks = Yes
    lock spin time = 200
    oplock break wait time = 0
    ldap admin dn =
    ldap delete dn = No
    ldap group suffix =
    ldap idmap suffix =
    ldap machine suffix =
    ldap passwd sync = no
    ldap replication sleep = 1000
    ldap suffix =
    ldap ssl = no
    ldap timeout = 15
    ldap page size = 1024
    ldap user suffix =
    ldap debug level = 0
    ldap debug threshold = 10
    add share command =
    change share command =
    delete share command =
    eventlog list =
    config file =
    preload =
    lock directory =
    pid directory = /var/run/samba
    utmp directory =
    wtmp directory =
    utmp = No
    default service =
    message command =
    get quota command =
    set quota command =
    remote announce =
    remote browse sync =
    socket address = 0.0.0.0
    homedir map = auto.home
    afs username map =
    afs token lifetime = 604800
    log nt token command =
    time offset =
[Samba] WinVista consider soft limit as hard limit
Hi,

We are using samba-3.0.28a on linux-2-6-18, with which WinVista, as a CIFS client, sees the soft limit as a hard limit and doesn't allow data transfer. Is there a fix already available for this? If not, could you please give me some pointers to fix this issue?

Thanks,
Senthil M
[Samba] some clients cannot login
I have a problem that's happening randomly in my network. Starting a couple of weeks ago, some clients (all of my clients are running Windows XP) on my network cannot log in to their sessions and Windows brings out an error saying that the domain controller is not available or is blocked. I don't understand why this is happening, seeing that other clients can perfectly log in their computers in domain sessions. In the same server I have a dns (bind9) with a dynamic zone that is automatically updated by the dhcp. Does anyone have any experience on this? Can anyone help me solve this?

This is the output of testparm:

Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[Profiles]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
    workgroup = OC.QUIMEFA.CU
    netbios name = PDC
    interfaces = 127.0.0.0/8, eth2
    bind interfaces only = Yes
    passdb backend = ldapsam:ldap://localhost
    passwd program = /usr/sbin/smbldap-passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    server signing = auto
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = cups
    add user script = /usr/sbin/smbldap-useradd -m '%u'
    delete user script = /usr/sbin/smbldap-userdel %u
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /usr/sbin/smbldap-useradd -w '%u'
    logon path =
    logon home =
    domain logons = Yes
    os level = 35
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins support = Yes
    ldap admin dn = cn=admin,dc=oc,dc=quimefa,dc=cu
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers
    ldap passwd sync = yes
    ldap suffix = dc=oc,dc=quimefa,dc=cu
    ldap ssl = no
    ldap user suffix = ou=Users
    panic action = /usr/share/samba/panic-action %d

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    admin users = root
    write list = "@Domain Admins"
    create mask = 0755
    guest ok = Yes
    browseable = No

[Profiles]
    comment = Roaming Profile Share
    path = /home/samba/profiles
    read only = No
    profile acls = Yes
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    admin users = root
    write list = root
    read only = No
    create mask = 0600
    guest ok = Yes
    printable = Yes
    use client driver = Yes
    browseable = No

[print$]
    comment = Printer Drivers Share
    path = /var/lib/samba/printers
    admin users = root
    write list = root
    create mask = 0664
    directory mask = 0775
[Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
Hi all,

According to this bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977

This particular error is actually a bug in the samba code. Does anyone know if there are patches that fix this? Adding "allow_weak_crypto = true" to /etc/krb5.conf does not solve this for me :( Has anyone got a working solution for this?

-Alex
[Samba] kerberos - permissions - showacls fails
Hi,

I have a file, owned by heinz_sgv, and the permissions are set to 700.

# ls -l x.txt
-rwx------ 1 heinz_sgv domusers 15 2010-02-11 07:38 x.txt

With smbclient I can access the file, I have full rights and I can see the ACLs:

# smbclient //localhost/samba -U heinz_sgv%x -c "showacls ;ls tmp/x.txt"
Domain=[GVCC.NET] OS=[Unix] Server=[Samba 3.5.0rc2]
FILENAME:x.txt
MODE:A
SIZE:15
MTIME:Thu Feb 11 07:38:19 2010
revision: 1
type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED SEC_DESC_SELF_RELATIVE
DACL
    ACL    Num ACEs: 3    revision: 2
    ---
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x1ff
        Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS
        SID: S-1-5-21-3234543381-3221305018-1482225196-1002
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x0
        Permissions: 0x0:
        SID: S-1-5-21-3234543381-3221305018-1482225196-513
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x0
        Permissions: 0x0:
        SID: S-1-1-0
Owner SID:    S-1-5-21-3234543381-3221305018-1482225196-1002
Group SID:    S-1-5-21-3234543381-3221305018-1482225196-513

If I connect to samba using kerberos, I can not get the permissions of the file.

(principal: heinz_...@gvcc.net)

# smbclient //probe24.bahnhof.gvcc.net/samba -k -c "showacls ;dir tmp/x.txt" -d 0
Domain=[GVCC.NET] OS=[Unix] Server=[Samba 3.5.0rc2]
FILENAME:x.txt
MODE:A
SIZE:15
MTIME:Thu Feb 11 07:38:19 2010
display_finfo() Failed to open \tmp\x.txt: NT_STATUS_ACCESS_DENIED

If I change the permissions to 770 then I can see the permissions of the file also with kerberos:

# chmod 770 x.txt
# ls -l x.txt
-rwxrwx--- 1 heinz_sgv domusers 15 2010-02-11 07:38 x.txt
# smbclient //probe24.bahnhof.gvcc.net/samba -k -c "showacls ;dir tmp/x.txt"
Domain=[GVCC.NET] OS=[Unix] Server=[Samba 3.5.0rc2]
FILENAME:x.txt
MODE:AS
SIZE:15
MTIME:Thu Feb 11 07:38:19 2010
revision: 1
type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED SEC_DESC_SELF_RELATIVE
DACL
    ACL    Num ACEs: 3    revision: 2
    ---
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x1ff
        Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS
        SID: S-1-5-21-3234543381-3221305018-1482225196-1002
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x1ff
        Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS
        SID: S-1-5-21-3234543381-3221305018-1482225196-513
    ACE
        type: ACCESS ALLOWED (0) flags: 0x00
        Specific bits: 0x0
        Permissions: 0x0:
        SID: S-1-1-0
Owner SID:    S-1-5-21-3234543381-3221305018-1482225196-1002
Group SID:    S-1-5-21-3234543381-3221305018-1482225196-513

Thank you,
heinz

My smb.conf:

[global]
    workgroup = GVCC.NET

    # Kerberos
    realm = GVCC.NET
    password server = probe24.bahnhof.gvcc.net
    kerberos method = system keytab
    client use spnego = yes
    use spnego = yes

    # pdc settings
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65
    log level = 3

    ### ldapsam:editposix
    passdb backend = ldapsam:ldap://localhost/
    ldapsam:trusted = yes
    ldapsam:editposix = yes
    ldap admin dn = cn=admin,dc=gvcc,dc=net
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=computers
    ldap passwd sync = Yes
    ldap suffix = dc=gvcc,dc=net
    ldap ssl = no
    idmap backend = ldap:ldap://localhost/
    idmap uid = 100-199
    idmap gid = 100-199
    idmap alloc backend = ldap
    idmap alloc config : ldap_url = ldap://localhost/
    idmap alloc config : ldap_base_dn = ou=idmap,dc=gvcc,dc=net
    idmap alloc config : ldap_user_dn = cn=admin,dc=gvcc,dc=net
    logon path =
    logon home = \\%N\%U
    logon drive = k:
    guest ok = No
    read only = No
    case sensitive = no
    default case = lower
    preserve case = yes
    short preserve case = yes
    create mode = 0660
    force create mode =
    directory mask = 0770
    force directory mode = 2000
    unix charset = utf8
    display charset = utf8

[samba]
    path=/samba
    readonly=no
    guest ok = yes
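The two showacls dumps in the post above, decoded and walked as a DACL. This is an added example, not code from the post or from Samba: the sample text is a constructed copy of the ACEs quoted above, and the token holding only the group and Everyone SIDs is an assumption about how the Kerberos session is being identified, which the post does not establish.

```python
import re
# Standard-rights bits of an NT access mask (Windows SDK values).
STANDARD_RIGHTS = {0x00010000: "DELETE_ACCESS", 0x00020000: "READ_CONTROL_ACCESS",
                   0x00040000: "WRITE_DAC_ACCESS", 0x00080000: "WRITE_OWNER_ACCESS",
                   0x00100000: "SYNCHRONIZE_ACCESS"}
# Security-descriptor control bits that showacls prints after "type:".
SD_TYPE = {0x0004: "SEC_DESC_DACL_PRESENT", 0x1000: "SEC_DESC_DACL_PROTECTED",
           0x8000: "SEC_DESC_SELF_RELATIVE"}
READ_NEEDED = 0x0001 | 0x00020000   # FILE_READ_DATA plus READ_CONTROL
OWNER = "S-1-5-21-3234543381-3221305018-1482225196-1002"
GROUP = "S-1-5-21-3234543381-3221305018-1482225196-513"
EVERYONE = "S-1-1-0"

# Constructed copy of the ACEs showacls printed for the mode-700 file:
# the owner gets 0x1e01ff, the group and Everyone get an empty mask.
SAMPLE_700 = f"""\
type: 0x9004: SEC_DESC_DACL_PRESENT SEC_DESC_DACL_PROTECTED SEC_DESC_SELF_RELATIVE
ACE type: ACCESS ALLOWED (0) flags: 0x00 Specific bits: 0x1ff
    Permissions: 0x1e01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS
    SID: {OWNER}
ACE type: ACCESS ALLOWED (0) flags: 0x00 Specific bits: 0x0
    Permissions: 0x0: SID: {GROUP}
ACE type: ACCESS ALLOWED (0) flags: 0x00 Specific bits: 0x0
    Permissions: 0x0: SID: {EVERYONE}
"""
# After chmod 770 the group ACE carries the same full mask as the owner.
SAMPLE_770 = SAMPLE_700.replace(f"0x0: SID: {GROUP}", f"0x1e01ff: SID: {GROUP}")
ACE_RE = re.compile(r"type: ACCESS (ALLOWED|DENIED) \(\d+\).*?Permissions: (0x[0-9a-f]+):"
                    r".*?SID: (S-[\d-]+)", re.S)

def decode_mask(mask):
    """Return (specific bits, standard-right names) for an access mask."""
    names = [n for bit, n in sorted(STANDARD_RIGHTS.items(), reverse=True) if mask & bit]
    return mask & 0xFFFF, names

def decode_sd_type(value):
    """Names of the control bits in a showacls 'type:' value such as 0x9004."""
    return [n for bit, n in sorted(SD_TYPE.items()) if value & bit]

def parse_dacl(text):
    """(is_allow, mask, sid) per ACE, in the order showacls printed them."""
    return [(k == "ALLOWED", int(m, 16), s) for k, m, s in ACE_RE.findall(text)]

def can_read(dacl, token_sids):
    """Simplified NT DACL walk for a read: a matching DENY of a needed bit refuses, matching ALLOW bits accumulate."""
    granted = 0
    for is_allow, mask, sid in dacl:
        if sid not in token_sids:
            continue
        if not is_allow and (mask & READ_NEEDED):
            return False
        granted |= mask
        if (granted & READ_NEEDED) == READ_NEEDED:
            return True
    return False
```

With the owner SID absent from the token, the mode-700 descriptor yields no read bits at all, while the mode-770 one grants them through the group ACE; that is the shape of the difference the two smbclient runs show.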