Re: [Samba] Samba migration to a new server
Hi Gaiseric,

> It may actually be easier to move everything including hostname and IP to
> the new server and just shutdown the old (this would have to be off hours.)
>
> You should be able to do the following-
> - Configure the new server as a BDC. I don't know for sure if you can
> configure a BDC with a TDB backend-

From the Samba HowTo (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html#id2565778) it seems that a BDC can be configured only with an LDAP backend.

> if not you may have to make the new server a PDC.

I don't think I can run 2 PDCs on the same Domain, right?

> - Copy the samba private directory (with the tdb files) from the 1st
> server to the 2nd server. In effect, this temporarily syncs the two
> servers.

Is it sufficient? Do I have to set the local SID of the BDC as the value of the PDC's SID? i.e.:

[oldserver$]net getlocalsid -> ...
[newserver$]net setlocalsid

> - promote the new server to PDC and the old server to BDC.
> - after hours- move the shared directories to the BDC, update login
> script if necessary.

By "After hours", do you mean after some sufficiently long delay (one day?) for every client to have authenticated with the BDC?

> Clients will connect to either a PDC or a BDC for authentication.- it
> doesn't really matter that much except that clients will prefer a BDC if
> available.
>
> Once you take the OLD server offline you may need to have clients reboot to
> have them use the new server for authentication. But at least domain
> membership will not be broken?

This is not a problem, I can easily ask all users to reboot.

> Are you using a WINS server?

Yes, samba is also WINS server. Is it important?

I will have to make some heavy testing before doing the actual migration. Having 200 clients breaking their Domain membership will be some kind of a disaster :-( .

Thanks a lot for your help. Any additional information welcome.

Henri

> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of henri
> Sent: Wednesday, January 12, 2011 7:26 AM
> To: samba@lists.samba.org
> Subject: [Samba] Samba migration to a new server
>
> Hi all,
>
> Is it possible to migrate Samba to a new server without breaking Domain
> membership of all the clients ?
>
> I didn't get any info on that issue, is there someone that has previous
> experience of doing that ? Or maybe a link to some relevant info ?
>
> I have currently a Samba 3.5.6 server that acts as a PDC and print Server,
> with tdbsam backend, no LDAP at all, no roaming profile. I have to migrate
> samba to a new server. Everything (Samba release, Domain Name, shares, ...)
> will remain the same except for the DNS name and IP address of the server,
> and the samba server netbios name.
>
> What is the best way to proceed to make this migration as seamless as
> possible for all users (more than 200 user accounts with more than 200 PC in
> the domain) ? I guess that just moving all the samba configuration files
> from the old machine to the new one will not be enough.
>
> Thanks in advance. I really need your help.
>
> Henri

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba migration to a new server
Hi Helmut

Thanks for your answer. I have done a similar test some weeks ago without success. The client I tested has lost the Domain membership but I am not sure it was shutdown at the moment I switched from old to new server.

In your case, has your new server a different DNS Name, IP address and netbios name from the old one?

Actually, if there are only a few clients that have to be manually rejoined to the domain, it could be acceptable. The *ABSOLUTE* condition is that every user keeps their windows profile (so their Domain SID I guess) once the switch has occurred.

Thanks again.

Henri

> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of Helmut Hullen
> Sent: Wednesday, January 12, 2011 19:08
> To: samba@lists.samba.org
> Subject: Re: [Samba] Samba migration to a new server
>
> Hello, henri,
>
> You wrote on 12.01.11:
>
> > Is it possible to migrate Samba to a new server without breaking
> > Domain membership of all the clients ?
>
> > I didn't get any info on that issue, is there someone that has
> > previous experience of doing that ? Or maybe a link to some relevant
> > info ?
>
> > I have currently a Samba 3.5.6 server that acts as a PDC and print
> > Server, with tdbsam backend, no LDAP at all, no roaming profile. I
> > have to migrate samba to a new server. Everything (Samba release,
> > Domain Name, shares, ...) will remain the same except for the DNS
> > name and IP address of the server, and the samba server netbios name.
>
> > What is the best way to proceed to make this migration as seamless as
> > possible for all users (more than 200 user accounts with more than
> > 200 PC in the domain) ?
>
> My usual way:
>
> - copy/overwrite "/etc/samba" to the new machine
> - copy/overwrite all user account and all machine account information
>   (especially in "/etc/passwd" and "/etc/shadow") to the new machine
>
> - Stop samba on both machines
> - Shut off all Clients (that may be a bit neurotic ...)
> - start samba on the new machine
>
> - Start one client for testing
>
> - if ok: start the other clients
>
> Last Friday a colleague and I have done these steps once more,
> successfully.
>
> Best regards!
> Helmut
Re: [Samba] Error: _netr_ServerAuthenticate2: netlogon_creds_server_check failed.
Hi Christopher!

Thank you for that information, I very much appreciate any deeper information on that issue.

Is there a chance that you give me the config of your central (major) ldap server and your smb.conf so we have the chance to compare it with our system, please? We see the same error but our PDC does directly access the main ldap server so it should not be a problem of an update - reference ...

It would be nice to know the versions of your system too (we use ubuntu 8.04 and Centos 5.5 with ldap 2.4.XX and Samba 3.5.6)

Thank you very much!

regards
Martin

On 12.01.2011 17:37, Christopher Springer wrote:

I've finally found the solution (or at least in my case) to this problem. After looking at the logs for LDAP (slapd) I found that every time a system on the domain tried to update its associated account information in the database I would receive the following error:

RESULT tag=103 err=53 text=shadow context; no update referral

This led me to find that the account information in LDAP was not being updated...however the machine's domain user accounts would still be able to login so it wasn't a major issue...just EXTREMELY annoying.

I added the following line in my slapd.conf file to tell the slapd daemon where to send its updates since it's a read-only local authentication server at the remote plants:

updateref ldap://xxx.xxx.xxx.xxx

The remote server now sends the account database updates to the central master server and eventually replicates those changes back down to the remote sites...and, thus, eliminating the annoying error message that I was receiving in my samba and system logs.

Just for reference, the original error was something similar to the following...

_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client machine account $

or

_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account $

Thanks all! I hope this helps someone else.

Chris

On 08/19/2010 03:29 PM, Christopher Springer wrote:

My configuration is a multi-subnet, multi-subnet Samba/OpenLDAP configuration. Everything works fine on both subnets but I'm getting the following error in /var/log/messages and in /var/log/samba/log.smbd...

_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client XXX30874 machine account XXX30874$

This message seems to be repeated every time someone logs into their machine or when the machine has to contact the server for authentication purposes. I have not had a chance to go through all of the logs and verify what OS's are the offenders but it appears that a lot of them are old WindowsNT4 machines.

Please note that the only server on the subnet in question is the BDC. It has a local, replicated LDAP directory against which logins are authenticated. nmbd/wins is used for host name/netbios visibility.

Any ideas to getting rid of this error in the log file? Again, it appears that access to files is working fine...it's just an annoyance because I don't understand why it's happening.

Thanks.

Chris
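The diagnosis Chris describes, as an added example that is not part of the original thread: a Python script that pairs each slapd MOD request with its RESULT line, collects the entries whose update the replica refused with err=53, and checks which machine accounts named in smbd's netlogon_creds_server_check messages are among them. All log lines are constructed; the conn=/op= line layout (slapd stats log level), the ou=Computers DN layout and every host name other than XXX30874 are assumptions.

```python
import re
from collections import Counter

# Constructed slapd lines (stats log level) from the read-only replica.
SLAPD_LOG = """\
Jan 12 09:14:01 plant2 slapd[2211]: conn=1042 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=XXX30874$)"
Jan 12 09:14:01 plant2 slapd[2211]: conn=1042 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 12 09:14:01 plant2 slapd[2211]: conn=1042 op=3 MOD dn="uid=XXX30874$,ou=Computers,dc=example,dc=com"
Jan 12 09:14:01 plant2 slapd[2211]: conn=1042 op=3 MOD attr=sambaNTPassword sambaPwdLastSet
Jan 12 09:14:01 plant2 slapd[2211]: conn=1042 op=3 RESULT tag=103 err=53 text=shadow context; no update referral
Jan 12 09:20:44 plant2 slapd[2211]: conn=1077 op=5 MOD dn="uid=XXX30874$,ou=Computers,dc=example,dc=com"
Jan 12 09:20:44 plant2 slapd[2211]: conn=1077 op=5 RESULT tag=103 err=53 text=shadow context; no update referral
Jan 12 09:31:10 plant2 slapd[2211]: conn=1101 op=4 MOD dn="uid=PLANT2PC07$,ou=Computers,dc=example,dc=com"
Jan 12 09:31:10 plant2 slapd[2211]: conn=1101 op=4 RESULT tag=103 err=53 text=shadow context; no update referral
"""

# Constructed smbd messages in the form quoted in the thread.
SMBD_LOG = """\
_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client XXX30874 machine account XXX30874$
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client XXX30874 machine account XXX30874$
_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client NT4BOX12 machine account NT4BOX12$
"""

MOD_RE = re.compile(r'conn=(\d+) op=(\d+) MOD dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+) text=(.*)')
NETLOGON_RE = re.compile(
    r'_netr_ServerAuthenticate[23]: netlogon_creds_server_check failed\. '
    r'Rejecting auth request from client (\S+) machine account (\S+)')

MODIFY_RESPONSE = 103      # LDAP protocol tag of a ModifyResponse
UNWILLING_TO_PERFORM = 53  # LDAP result code returned by the replica


def refused_updates(slapd_log):
    """Return Counter {dn: number of modifies refused with err=53}."""
    pending = {}            # (conn, op) -> dn of the modify in flight
    refused = Counter()
    for line in slapd_log.splitlines():
        mod = MOD_RE.search(line)
        if mod:
            pending[(mod.group(1), mod.group(2))] = mod.group(3)
            continue
        res = RESULT_RE.search(line)
        if not res:
            continue
        dn = pending.pop((res.group(1), res.group(2)), None)
        if (dn and int(res.group(3)) == MODIFY_RESPONSE
                and int(res.group(4)) == UNWILLING_TO_PERFORM):
            refused[dn] += 1
    return refused


def rejected_machines(smbd_log):
    """Return Counter {machine account: netlogon rejections}."""
    return Counter(m.group(2) for m in NETLOGON_RE.finditer(smbd_log))


def account_of(dn):
    """Value of the first RDN, lower-cased (uid=NAME$,... -> name$)."""
    return dn.split(",", 1)[0].split("=", 1)[1].lower()


def correlate(slapd_log, smbd_log):
    """For each machine smbd rejected, count its refused LDAP updates."""
    refused = Counter()
    for dn, count in refused_updates(slapd_log).items():
        refused[account_of(dn)] += count
    return {
        account: {"netlogon_failures": failures,
                  "refused_updates": refused.get(account.lower(), 0)}
        for account, failures in rejected_machines(smbd_log).items()
    }


if __name__ == "__main__":
    for account, row in correlate(SLAPD_LOG, SMBD_LOG).items():
        hint = ("replica refused its account update"
                if row["refused_updates"] else "no refused update logged")
        print(f"{account:12} {row['netlogon_failures']} netlogon failure(s), {hint}")
```

A machine that shows netlogon failures but no refused update points to a cause other than the missing update referral.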
Re: [Samba] suppress messages from syslog
Hi.

This step I have tried, but without success, samba messages are still sending to syslog.

J.

From: Michael Wood
To: jiri.kout...@rb.cz
Cc: sa...@samba.org
Date: 12-01-2011 07:58 AM
Subject: Re: [Samba] suppress messages from syslog

2011/1/10 :
> Hi,
>
> I would like to suppress samba messages from central syslog.
> Can I ask you to provide the correct description (step-by-step) how to do
> it ?

Try setting:

syslog = 0

in the [global] section of your smb.conf file. That should stop Samba from sending anything to syslog if I understand the man page correctly.

--
Michael Wood
Re: [Samba] Samba PDC
On 1/12/2011 11:18 AM, TAKAHASHI Motonobu wrote:

2011/1/13 Robert Fitzpatrick:

OK, I am trying to setup my first Samba PDC on a FreeBSD 8.1 host. When I try to become a member of 'webtent.org' on my Windows 7 Ultimate to the PDC, I get the following error...

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "webtent.org":

(snip)

Anyone know what I am or could be doing wrong? Thanks for any help!

Read at:

http://wiki.samba.org/index.php/Windows7

And remember Samba 3 PDC is compatible with Windows NT Server, not with Active Directory.

Thanks, I was able to join the domain, but when trying to logon, I get another error...

the trust relationship between this workstation and the primary domain failed

What can cause this? I have the computer name in LDAP, it was created when I joined the domain.

I found that a properly configured WINS server solved many of these problems for me with Samba3.x/LDAP and Win7.

--Robert
Re: [Samba] Samba migration to a new server
Yes, it is exactly what I have to do: migrate the current Samba setup to a new hardware configuration (new DNS name, IP address and netbios name. Everything else should remain the same).

Henri

> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of Helmut Hullen
> Sent: Wednesday, January 12, 2011 20:16
> To: samba@lists.samba.org
> Subject: Re: [Samba] Samba migration to a new server
>
> Hello, Mike,
>
> You wrote on 12.01.11:
>
> > Thank you too, for your kind response.
>
> Don't mention ...
>
> By the way: that description assumes that the new server is the new
> login server too and runs instead of the old server.
>
> Best regards!
> Helmut
Re: [Samba] Samba PDC
On 1/12/2011 11:18 AM, TAKAHASHI Motonobu wrote:

2011/1/13 Robert Fitzpatrick:

OK, I am trying to setup my first Samba PDC on a FreeBSD 8.1 host. When I try to become a member of 'webtent.org' on my Windows 7 Ultimate to the PDC, I get the following error...

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "webtent.org":

(snip)

Anyone know what I am or could be doing wrong? Thanks for any help!

Read at:

http://wiki.samba.org/index.php/Windows7

And remember Samba 3 PDC is compatible with Windows NT Server, not with Active Directory.

Thanks, I was able to join the domain, but when trying to logon, I get another error...

the trust relationship between this workstation and the primary domain failed

What can cause this? I have the computer name in LDAP, it was created when I joined the domain.

--Robert
[Samba] Problem: how to make users use unique passwords
Hello,

To harden security, I've modified the smbldap-passwd script so that it updates sambaPwdMustChange, sambaKickoffTime and shadowExpire fields; also, a simple script notifying users with expiration date approaching has been set up.

I have also added a call to cracklib to check password strength prior to applying it.

It all works well, but the task is to force users to use a unique password every time they have to change it.

A typical scenario I must prevent is this: user changes the password for anything temporary, then changes it back to the one it used (or to a password slightly different from the one having been used).

Could someone suggest an existing tool to integrate into smbldap-passwd to prevent using similar or the same passwords?

I can store password hashes somewhere, but it won't prevent me from the problem when passwords differ just a little.

Any suggestions?

Thanks in advance!

Sincerely,
Konstantin
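One way to implement the check Konstantin describes, as an added example that is not part of the original post and is not smbldap-tools code. It keeps only salted hashes of retired passwords, rejects exact reuse, and catches near variants in two ways: by edit distance against the current password, and by hashing typical variants of the candidate against the history. It assumes the change script has the current password in clear at change time; the policy constants and all function names are illustrative.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 20_000   # kept low so the example runs quickly; raise for real use
MIN_DISTANCE = 4      # assumed policy: at least 4 edits away from the current password
HISTORY_SIZE = 5      # assumed policy: remember the last 5 retired passwords


def digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def remember(history, password):
    """Append a salted hash of a retired password; no clear text is stored."""
    salt = os.urandom(16)
    history.append((salt, digest(password, salt)))
    del history[:-HISTORY_SIZE]          # drop entries older than the window


def in_history(history, password):
    """True if password hashes to any stored (salt, digest) pair."""
    return any(hmac.compare_digest(digest(password, salt), stored)
               for salt, stored in history)


def levenshtein(a, b):
    """Classic edit distance, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def variants(candidate):
    """Near variants users cycle through: case changes and a bumped number.

    Hashes of similar passwords are unrelated, so similarity to an old
    password can only be tested by hashing guesses derived from the new one.
    """
    out = {candidate, candidate.lower(), candidate.capitalize(), candidate.swapcase()}
    m = re.match(r"^(.*?)(\d+)(\D*)$", candidate)   # last run of digits
    if m:
        head, num, tail = m.groups()
        for delta in range(-3, 4):
            n = int(num) + delta
            if n >= 0:
                out.add(f"{head}{str(n).zfill(len(num))}{tail}")
    return out


def check_new_password(new, current, history):
    """Return 'ok' or the reason the new password is refused."""
    if levenshtein(new.lower(), current.lower()) < MIN_DISTANCE:
        return "similar-to-current"
    if in_history(history, new):
        return "reused"
    if any(in_history(history, v) for v in variants(new) - {new}):
        return "variant-of-previous"
    return "ok"


if __name__ == "__main__":
    history = []
    for old in ("Winter2009!", "Summer2010!"):      # constructed sample passwords
        remember(history, old)
    current = "Autumn#77x"
    for candidate in ("Summer2010!", "Summer2011!", "Autumn#78x",
                      "correct horse battery"):
        print(f"{candidate!r:26} -> {check_new_password(candidate, current, history)}")
```

After a successful change the script would call remember() on the password being retired, so the current password becomes part of the history for the next change.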
Re: [Samba] can connect to 2 samba servers by name but to one by IP only

Adding pdc1 to the hosts file (c:\windows\system32\drivers\etc\hosts) did not make a difference. After adding pdc1 to lmhosts, "net use \\pdc1" did work.

So in the case of pdc1 one, the name is being resolved as a netbios name (i.e. via lmhosts) not a tcp/ip type name (i.e. via dns or hosts)

But then why does "net use" work with all the other windows or samba servers? As far as I can tell, DNS is the only method by which the names are being resolved.

I did notice that "nbtstat -c" shows the following

What does nbtstat -r show?

SonicWALL VPN Connection:
Node IpAddress: [x.x.x.x.] Scope Id: []

NetBIOS Remote Cache Name Table

Name           Type           Host Address    Life [sec]
BDC1           <20>  UNIQUE   x.x.x.x.        10522
BDC2           <20>  UNIQUE   x.x.x.x.        11560
SOMEMACHINE    <20>  UNIQUE   x.x.x.x.        12597

PDC1 is not in cache- which I guess makes sense since it is explicitly listed in lmhosts.

The "nbtstat -r" command only shows machines on my home network, nothing on the corporate network, so this really does indicate that there are no netbios broadcasts going on crossing the VPN link.

Thanks

-----Original Message-----
From: TAKAHASHI Motonobu [mailto:mo...@monyo.com]
Sent: Thursday, January 06, 2011 8:09 AM
To: gaiseric.van...@gmail.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] can connect to 2 samba servers by name but to one by IP only

2011/1/6 Gaiseric Vandal :

In fact this seems to work for any samba or windows machine on the network EXCEPT the Samba 3.4.x PDC. It seems to work for Win 2003 machines, Samba 3.4.x member servers, XP machines, etc.

To analyze the problem, first put the entry for PDC1 into both LMHOSTS and hosts files and try: net use \\pdc1. If you still meet the 67 error, something other than name resolution will cause this problem. Look at the Samba log and network capture.

My understanding is that XP (and Win 2000/2003) machines are "smart" enough to use DNS look ups to resolve a windows "netbios" name to IP in the case that legacy (archaic) "Netbios" name resolution (WINS, lmhosts, broadcast) methods don't work.

NetBIOS name whose prefix is only #20 ,#00 (and #1C in some case) can be resolved by DNS.

---
TAKAHASHI Motonobu
Re: [Samba] can connect to 2 samba servers by name but to one by IP only
Adding pdc1 to the hosts file (c:\windows\system32\drivers\etc\hosts) did not make a difference. After adding pdc1 to lmhosts, "net use \\pdc1" did work.

So in the case of pdc1 one, the name is being resolved as a netbios name (i.e. via lmhosts) not a tcp/ip type name (i.e. via dns or hosts)

But then why does "net use" work with all the other windows or samba servers? As far as I can tell, DNS is the only method by which the names are being resolved.

I did notice that "nbtstat -c" shows the following

SonicWALL VPN Connection:
Node IpAddress: [x.x.x.x.] Scope Id: []

NetBIOS Remote Cache Name Table

Name           Type           Host Address    Life [sec]
BDC1           <20>  UNIQUE   x.x.x.x.        10522
BDC2           <20>  UNIQUE   x.x.x.x.        11560
SOMEMACHINE    <20>  UNIQUE   x.x.x.x.        12597

PDC1 is not in cache- which I guess makes sense since it is explicitly listed in lmhosts.

The "nbtstat -r" command only shows machines on my home network, nothing on the corporate network, so this really does indicate that there are no netbios broadcasts going on crossing the VPN link.

Thanks

-----Original Message-----
From: TAKAHASHI Motonobu [mailto:mo...@monyo.com]
Sent: Thursday, January 06, 2011 8:09 AM
To: gaiseric.van...@gmail.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] can connect to 2 samba servers by name but to one by IP only

2011/1/6 Gaiseric Vandal :
> In fact this seems to work for any samba or windows
> machine on the network EXCEPT the Samba 3.4.x PDC. It seems to work for
> Win 2003 machines, Samba 3.4.x member servers, XP machines, etc.

To analyze the problem, first put the entry for PDC1 into both LMHOSTS and hosts files and try: net use \\pdc1. If you still meet the 67 error, something other than name resolution will cause this problem. Look at the Samba log and network capture.

> My understanding is that XP (and Win 2000/2003) machines are "smart" enough
> to use DNS look ups to resolve a windows "netbios" name to IP in the case
> that legacy (archaic) "Netbios" name resolution (WINS, lmhosts, broadcast)
> methods don't work.

NetBIOS name whose prefix is only #20 ,#00 (and #1C in some case) can be resolved by DNS.

---
TAKAHASHI Motonobu
Re: [Samba] Samba migration to a new server
On Wed, Jan 12, 2011 at 11:16 AM, Helmut Hullen wrote:
>
> By the way: that description assumes that the new server is the new
> login server too and runs instead of the old server.
>

Yes definitely: migration and replacement of old PDC to new PDC.
Re: [Samba] ubuntu doesn't daemonize smbd
On Wed, Jan 12, 2011 at 4:20 PM, William E Jojo wrote:
> It's similar to the way you can use startsrc or stopsrc on AIX.
>
> -F
> If specified, this parameter causes the main smbd process to not
> daemonize, i.e. double-fork and disassociate with the terminal.
> Child processes are still created as normal to service each
> connection request, but the main process does not exit. This
> operation mode is suitable for running smbd under process
> supervisors such as supervise and svscan from Daniel J. Bernstein's
> daemontools package, or the AIX process monitor.

I've seen the man page :) AFAIK, running it as a daemon is preferable, and I've always run it that way. If you had read further up the man page you would have found:

"Operating the server as a daemon is the recommended way of running smbd for servers that provide more than casual use file and print services. This switch is assumed if smbd is executed on the command line of a shell."

>> On the plus side, I am thankful that I have continued to avoid Ubuntu
>> as a candidate in any critical server role.
>
> Really, why? Is it unstable for you in some way? Just curious as I've not had
> any issues thus far and Canonical support is very responsive.

The problem with needing to restart nmbd manually (or via an additional script) that I alluded to is one reason. Choosing to not run smbd as a daemon seems to be a mistake in one way or another - you can set daemon or inetd mode in /etc/default/samba but the smbd.conf upstart script is hardcoded to run "smbd -F" and just as oddly the nmbd.conf script is hardcoded to run "nmbd -D", both ignoring the setting in /etc/default/samba.

And I have seen reported instances of Samba issues on Ubuntu being resolved by avoiding the distro packages and compiling from source.
Re: [Samba] Error: _netr_ServerAuthenticate2: netlogon_creds_server_check failed.
OS Fedora 13

rpm -qa | grep openldap
openldap-clients-2.4.21-4.fc13.i686
openldap-2.4.21-4.fc13.i686
openldap-servers-2.4.21-4.fc13.i686
openldap-devel-2.4.21-4.fc13.i686

rpm -qa | grep samba
samba-common-3.5.4-62.fc13.i686
samba-3.5.4-62.fc13.i686
samba-winbind-clients-3.5.2-60.fc13.i686
samba-doc-3.5.4-62.fc13.i686
samba-client-3.5.4-62.fc13.i686

(Note: for our config...winbind is unneeded)

slapd.conf - Master Server -

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath /usr/lib/openldap # or /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

###
# ldbm and/or bdb database definitions
###

database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw rootpass

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
#authcId=host/ldap-master.example@example.com

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# enable monitoring
# database monitor

# allow only rootdn to read the monitor
#access to *
#by dn.exact="cn=Manager,dc=example,dc=com" write
#by * none

access to attrs=userPassword,shadowLastChange,shadowM
Re: [Samba] Solaris 10 winbind authentication with ADS
Thanks for the replies. I got this resolved. It was a case of my eyes not seeing what was in front of my face. The Solaris upgrade DID replace my /usr/lib/nss_winbind.so.1 link with Solaris's own library of the same name. So I just had to rename that and recreate my link to the samba compiled libnss_winbind.so file. This is how I have the links done in /usr/lib:

-r-xr-xr-x 1 root root 50880 Dec 27 13:14 libnss_winbind.so
lrwxrwxrwx 1 root root 17 Dec 17 15:29 libnss_winbind.so.1 -> libnss_winbind.so
lrwxrwxrwx 1 root root 17 Jan 12 13:58 nss_winbind.so.1 -> libnss_winbind.so

On 1/7/11 5:36 AM, Michael Wood wrote:
> Hi
>
> On 6 January 2011 01:11, CJ Keist wrote:
>> Well, I did the smart thing and upgraded my Solaris box to Solaris 10 update 9. And now my winbind authentication has broken. I have checked all my /usr/lib/*winbind* and /usr/lib/security/*winbind* libs and all are still good from my last install. /etc/pam.conf, nsswitch.conf are still intact. wbinfo seems to work fine. getent passwd username just returns empty. This is what I'm getting in my /var/samba/log/log.winbindd file:
>>
>> [2011/01/05 16:04:00.061446, 2] winbindd/winbindd.c:819(winbind_client_request_read)
>> Could not read client request from fd 22: I/O error
>
> I don't run Solaris and am not using winbind, so this is just a guess, but I hope it helps.
>
> winbind communicates via a socket, which I think is put in /tmp by default (/tmp/.winbindd/ or something like that). Can you check what "fd 22" is? e.g. using lsof. Maybe it's the socket. It might be that Solaris 10 changes something about /tmp that interferes with winbind's socket? Maybe try putting the socket somewhere else. I think you're supposed to be able to do this with "winbind:socket dir = ...". It seems the "winbind:socket dir" option was introduced in Samba 3.2.0.

--
C. J. Keist                    Email: cj.ke...@colostate.edu
Systems Group Manager          Phone: 970-491-0630
Engineering Network Services   Fax: 970-491-5569
College of Engineering, CSU
Ft. Collins, CO 80523-1301

All I want is a chance to prove 'Money can't buy happiness'
Re: [Samba] ubuntu doesn't daemonize smbd
----- Original Message -----
> From: "Chris Smith"
> To: "Samba List"
> Sent: Wednesday, January 12, 2011 1:14:07 PM
> Subject: [Samba] ubuntu doesn't daemonize smbd
>
> OK, not exactly a samba issue but maybe the Ubuntu maintainer reads
> this list and can provide some input.
>
> Problem: Ubuntu doesn't daemonize smbd.
>
> System: Ubuntu Lucid where a recent update moved many startup scripts
> into the "upstart" system.
>
> Now smbd is started and runs as "smbd -F". If I edit the upstart
> script (/etc/init/smbd.conf) so that it runs as "smbd -D" (the default
> and what I would like) it doesn't work. I see no inet.d running so I
> have no clue how it works at all like this.
>

It's similar to the way you can use startsrc or stopsrc on AIX.

-F
If specified, this parameter causes the main smbd process to not daemonize, i.e. double-fork and disassociate with the terminal. Child processes are still created as normal to service each connection request, but the main process does not exit. This operation mode is suitable for running smbd under process supervisors such as supervise and svscan from Daniel J. Bernstein's daemontools package, or the AIX process monitor.

> Also this change to upstart did not resolve the problem of nmbd not
> starting correctly, it just nullified the script I had in rc.local to
> restart nmbd (guess I will rewrite this).
>

Sorry, can't speak to that.

> On the plus side, I am thankful that I have continued to avoid Ubuntu
> as a candidate in any critical server role.
>

Really, why? Is it unstable for you in some way? Just curious as I've not had any issues thus far and Canonical support is very responsive.

Cheers,
Bill

> Chris
[Samba] server signing broken for non-kerberos auth
I'm working with the Solaris bundled version of samba 3.5.5 and having a problem with server signing. samba is configured into an active directory domain with security = ads. With signing enabled, connections from clients in the domain work fine. However, connections from clients not in the domain fail:

>net use /user:WIN\henson \\ike.unx.csupomona.edu\henson
Enter the password for 'WIN\henson' to connect to 'ike.unx.csupomona.edu':
System error 64 has occurred.

The specified network name is no longer available.

Similarly, with smbclient, signed kerberos authentication works, but signed non-kerberos authentication fails:

$ smbclient --signing=required -U 'WIN\henson' '\\ike.unx.csupomona.edu\henson'
Enter WIN\henson's password:
signing_good: BAD SIG: seq 1
session setup failed: NT_STATUS_OK

If I enable debugging for smbclient it spits out:

Mandatory SMB signing enabled!
SMB signing enabled!
cli_simple_set_signing: user_session_key
cli_simple_set_signing: NULL response_data
simple_packet_signature: sequence number 0
client_sign_outgoing_message: sent SMB signature of
[] 1E F5 1B 99 6C D0 80 5A  l..Z
store_sequence_for_reply: stored seq = 1 mid = 3
get_sequence_for_reply: found seq = 1 mid = 3
simple_packet_signature: sequence number 1
client_check_incoming_message: BAD SIG: wanted SMB signature of
[] DF 9D 91 B0 77 C5 E5 CD  w...
client_check_incoming_message: BAD SIG: got SMB signature of
[] 4E 74 FD EE B2 55 62 54  Nt...UbT
simple_packet_signature: sequence number 4294967292
simple_packet_signature: sequence number 4294967293
simple_packet_signature: sequence number 4294967294
simple_packet_signature: sequence number 4294967295
simple_packet_signature: sequence number 0
simple_packet_signature: sequence number 1
simple_packet_signature: sequence number 2
simple_packet_signature: sequence number 3
simple_packet_signature: sequence number 4
simple_packet_signature: sequence number 5
signing_good: BAD SIG: seq 1
SPNEGO login failed: Access denied

It seems the server is sending bad signatures. Any thoughts on this?

Thanks...

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | hen...@csupomona.edu
California State Polytechnic University | Pomona CA 91768
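As an added illustration (not code from the post or from Samba), the code below implements the SMB1 signing check that the debug output above reports on: MD5 over the MAC key followed by the message, with the sequence number written into the signature field, then a probe of neighbouring sequence numbers when the signature does not match. The keys, message bytes and function names are constructed for the example.

```python
import hashlib
import hmac
import struct

SIG_OFFSET = 14  # SecuritySignature occupies bytes 14..21 of the 32-byte SMB1 header
SIG_LEN = 8


def build_message(payload: bytes, command: int = 0x73) -> bytes:
    """Constructed SMB1 message: 32-byte header with a zeroed signature field, then payload."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", command, 0, 0x18, 0x0004,  # protocol, command, status, flags, flags2
        0, b"\x00" * SIG_LEN, 0,               # PIDHigh, SecuritySignature, reserved
        0, 0, 0, 3,                            # TID, PIDLow, UID, MID
    )
    return header + payload


def compute_signature(mac_key: bytes, message: bytes, seq: int) -> bytes:
    """MD5(mac_key || message with seq in the signature field), truncated to 8 bytes."""
    seq_field = struct.pack("<II", seq & 0xFFFFFFFF, 0)
    staged = message[:SIG_OFFSET] + seq_field + message[SIG_OFFSET + SIG_LEN:]
    return hashlib.md5(mac_key + staged).digest()[:SIG_LEN]


def sign(mac_key: bytes, message: bytes, seq: int) -> bytes:
    """Return the message with its signature field filled in for sequence number seq."""
    sig = compute_signature(mac_key, message, seq)
    return message[:SIG_OFFSET] + sig + message[SIG_OFFSET + SIG_LEN:]


def check(mac_key: bytes, message: bytes, expected_seq: int, window: int = 5) -> str:
    """Verify a received message; on mismatch, test seq-window .. seq+window-1
    to tell a drifted counter apart from a key or content mismatch."""
    got = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    if hmac.compare_digest(got, compute_signature(mac_key, message, expected_seq)):
        return "ok"
    for delta in range(-window, window):
        candidate = (expected_seq + delta) & 0xFFFFFFFF  # wraps like the 4294967292 in the log
        if delta and hmac.compare_digest(got, compute_signature(mac_key, message, candidate)):
            return f"out-of-sequence:{candidate}"
    return "bad-signature"


def demo() -> dict:
    session_key = bytes(range(16))    # constructed 16-byte key held by the verifier
    other_key = bytes(range(16, 32))  # constructed key a mismatched peer would hold
    reply = build_message(b"constructed reply body")
    return {
        "same key, expected seq": check(session_key, sign(session_key, reply, 1), 1),
        "same key, peer two ahead": check(session_key, sign(session_key, reply, 3), 1),
        "peer used a different key": check(session_key, sign(other_key, reply, 1), 1),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A mismatch that no nearby sequence number explains points to the two sides hashing with different MAC keys or different message bytes rather than to a counter that has drifted.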
[Samba] working with the net commands... trouble.
So, to make it simple, my domain is KRH, I am successfully joined, and can issue wbinfo -u or wbinfo -g and get expected results. Every query I make about the domain works.

However, I'm trying to add a domain user (me) to my local Print Operators group on this freebsd machine. Using Samba 3.5.6, FreeBSD 8.1. Clean install of everything yesterday.

So, I'm trying to add KRH\jdown to the Print Operators group. It acts as if the command completed successfully, however, when asked to list the members of the group, it chops off the domain portion.

freecups-2# net sam delmem 'Administrators' KRH\\jdown
Deleted KRH\jdown from BUILTIN\Administrators
freecups-2# net sam delmem 'Print Operators' KRH\\jdown
Deleted KRH\jdown from BUILTIN\Print Operators
freecups-2# net sam addmem 'Print Operators' 'KRH\jdown'
Added KRH\jdown to BUILTIN\Print Operators
freecups-2# net sam listmem 'Print Operators'
BUILTIN\Print Operators has 1 members
\jdown
freecups-2# net sam delmem 'Print Operators' KRH\\jdown
Deleted KRH\jdown from BUILTIN\Print Operators
freecups-2# net sam listmem 'Print Operators'
BUILTIN\Print Operators has 0 members
freecups-2# net sam delmem 'Print Operators' jdown
Could not find member jdown
freecups-2# net sam delmem 'Print Operators' KRH+jdown
Could not find member KRH+jdown
freecups-2# net sam delmem 'Print Operators' KRH/jdown
Could not find member KRH/jdown
freecups-2# net sam delmem 'Print Operators' KRH/\jdown
Could not find member KRH/jdown
freecups-2# net sam delmem 'Print Operators' "KRH\jdown"
Deleting local group member failed with NT_STATUS_ACCESS_DENIED
freecups-2# net sam addmem 'Print Operators' "KRH\jdown"
Added KRH\jdown to BUILTIN\Print Operators
freecups-2# net sam listmem 'Print Operators'
BUILTIN\Print Operators has 1 members
\jdown

My smb.conf:

[global]
log level = 5
workgroup = KRH
realm = KRH.INT
netbios aliases = freecups-2
server string = FreeCUPS-2
security = ADS
password server = kal-dc3.krh.int, kal-dc4.krh.int, kal-dc2.krh.int, *
ntlm auth = No
client NTLMv2 auth = Yes
smb ports = 139
printcap cache time = 10
printcap name = cups
cups server = localhost
addprinter command = /usr/local/sbin/smbaddprinter.pl
deleteprinter command = /usr/local/sbin/smbdelprinter.pl
local master = No
domain master = No
browse list = No
wins server = 10.6.1.21
idmap uid = 1-2
idmap gid = 1-2
winbind cache time = 300
winbind use default domain = Yes
winbind refresh tickets = Yes
guest ok = Yes
cups options = raw

[homes]
comment = PDF files
read only = No
browseable = No
browsable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
browsable = No

[print$]
comment = Printer Drivers
path = /usr/home/KRH_drivers
write list = root, printserver,KRH\jdown
force user = printserver
force group = printserver
guest ok = No

my krb5.conf

[logging]
default = SYSLOG:INFO:LOCAL7

[libdefaults]
ticket_lifetime = 24000
clock_skew = 300
default_realm = KRH.INT

[realms]
domain.LOCAL = {
kdc = kal-dc3.krh.int:88
kdc = kal-dc4.krh.int:88
kdc = kal-dc2.krh.int:88
admin_server = kal-dc4.krh.int:464
admin_server = kal-dc3.krh.int:464
admin_server = kal-dc2.krh.int:464
default_domain = krh.int
}

[domain_realm]
.domain.local = KRH.INT
domain.local = KRH.INT

Now, it's almost working, and I'm hoping it's just a missed punctual mark, but... probably not. Can anyone assist?

thanks,
Jack
Re: [Samba] Error: _netr_ServerAuthenticate2: netlogon_creds_server_check failed.
Hi Christopher!

Thank you for that information, I very much appreciate any deeper information on that issue. Is there a chance that you give me the config of your central (major) ldap server and your smb.conf so we have the chance to compare it with our system, please? We see the same error but our PDC does directly access the main ldap server so it should not be a problem of an update - reference ... It would be nice to know the versions of your system too (we use ubuntu 8.04 and Centos 5.5 with ldap 2.4.XX and Samba 3.5.6)

Thank you very much!

regards
Martin

On 12.01.2011 at 17:37, Christopher Springer wrote:
> I've finally found the solution (or at least in my case) to this problem. After looking at the logs for LDAP (slapd) I found that every time a system on the domain tried to update its associated account information in the database I would receive the following error:
>
> RESULT tag=103 err=53 text=shadow context; no update referral
>
> This led me to find that the account information in LDAP was not being updated...however the machine's domain user accounts would still be able to login so it wasn't a major issue...just EXTREMELY annoying. I added the following line in my slapd.conf file to tell the slapd daemon where to send its updates since it's a read-only local authentication server at the remote plants:
>
> updateref ldap://xxx.xxx.xxx.xxx
>
> The remote server now sends the account database updates to the central master server and eventually replicates those changes back down to the remote sites...and, thus, eliminating the annoying error message that I was receiving in my samba and system logs.
>
> Just for reference, the original error was something similar to the following...
>
> _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client machine account $
>
> or
>
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account $
>
> Thanks all! I hope this helps someone else.
>
> Chris
>
> On 08/19/2010 03:29 PM, Christopher Springer wrote:
>> My configuration is a multi-subnet, multi-subnet Samba/OpenLDAP configuration. Everything works fine on both subnets but I'm getting the following error in /var/log/messages and in /var/log/samba/log.smbd...
>>
>> _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client XXX30874 machine account XXX30874$
>>
>> This message seems to be repeated every time someone logs into their machine or when the machine has to contact the server for authentication purposes. I have not had a chance to go through all of the logs and verify what OS's are the offenders but it appears that a lot of them are old WindowsNT4 machines.
>>
>> Please note that the only server on the subnet in question is the BDC. It has a local, replicated LDAP directory against which logins are authenticated. nmbd/wins is used for host name/netbios visibility.
>>
>> Any ideas to getting rid of this error in the log file? Again, it appears that access to files is working fine...it's just an annoyance because I don't understand why it's happening.
>>
>> Thanks.
>>
>> Chris
[Samba] Reloading smb.conf smdb only
Hi everyone, I'm new in this list and I hope I'll write my problem in a right way. So, this is my problem: Every an undefined time (It could be 5 min or 20 min) my pc restarts the samba service and It writes this line on the screen: "Reloading /etc/samba/smb.conf smdb only" I have Ubuntu Server 9.10 x32. I am looking for fix this problem for a long time but I don't know how. If It helps I can attach a photo to the mail. Please help me... -- Andrea Ciani cianiandre...@gmail.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] ubuntu doesn't daemonize smbd
On Wed, Jan 12, 2011 at 1:14 PM, Chris Smith wrote:
> Now smbd is started and runs as "smbd -F". If I edit the upstart
> script (/etc/init/smbd.conf) so that it runs as "smbd -D" (the default
> and what I would like) it doesn't work.

Must have been a fluke - it does appear now that editing smbd.conf to start as -D is working except the "service smbd stop" command no longer functions.

Guess this should really be on an Ubuntu forum. Sorry for the noise.
[Samba] Samba 3.5.6 + chmod g+s not working on some clients
Hi,

I have a problem, I upgraded to samba 3.5.6 recently and since then when someone copies a directory to a folder that has been set with chmod g+s *some* of the clients do not keep the setting. For example Windows 7 x64 will work but both Mac 10.6.5 & 10.6.6 do not work when copying files into folders.

> /home/CHEMENG/student1/public_html
> humboldt public_html # ls -la
> drwxr-sr-x 2 student1 apache 33 Jan 12 10:28 Windows7
> drwxr-xr-x 2 student1 apache 63 Jan 12 10:04 testperms-10.6.5
> drwxr-xr-x 2 student1 apache 63 Jan 12 10:04 testperms-10.6.6
> humboldt public_html # cd testperms-10.6.5
> humboldt testperms-10.6.5 # ls -la
> -rw-r--r-- 1 student1 domain users 0 Jan 12 09:27 testfileBG-1.txt
> humboldt public_html # cd Windows7/
> humboldt Windows7 # ls -la
> -rwxr--r-- 1 student1 apache 0 Jan 12 10:28 testwindows7.txt

So what the above is showing:

- Copy a file to public_html mac 10.6.* = works
- Copy a file to public_html windows 7 = works
- Create folder on mac 10.6.* copy to public_html = does not work
- Create file on mac 10.6.* copy to above copied folder = does not work
- Create a folder on windows 7 copy to public_html = works
- Create file on windows 7, copy to above copied folder = works

Works/Does not work is defined by whether the chmod g+s command works, so in my case is "apache" the group on all newly created files/folders and is the "s" bit set on the group.

This is my smb.conf:

> [global]
> workgroup = CHEMENG
> netbios name = humboldt
> realm = CHEMENG.UTAH.EDU
> server string = CHE humboldt file server
> security = ADS
> preferred master = no
> client use spnego = yes
> server signing = auto
> encrypt passwords = yes
> nt acl support = yes
> acl map full control = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192
> SO_SNDBUF=8192
> template shell = /bin/false
> password server = *
> log level = 6
> log file = /var/log/samba/%m
> max log size = 100
> preferred master = No
> dns proxy = No
> strict allocate = yes
> wins server = 192.168.1.100 192.168.1.101
> winbind cache time = 30
> winbind nested groups = yes
> allow trusted domains = no
> winbind offline logon = yes
> idmap backend = tdb
> idmap uid = 500-1
> idmap gid = 500-1
> idmap config CHEMENG : backend = rid
> idmap config CHEMENG : range = 500-5000
> idmap config USERS: backend = rid
> idmap config USERS: range = 5001-1
> winbind use default domain = Yes
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> obey pam restrictions = yes
> template homedir = /home/%D/%U
> unix extensions = no

Any help would be appreciated, I am not really sure where to look.

Thanks,

--
Brian Gregorcy
IT Manager
University of Utah
Department of Chemical Engineering
[Samba] ubuntu doesn't daemonize smbd
OK, not exactly a samba issue but maybe the Ubuntu maintainer reads this list and can provide some input.

Problem: Ubuntu doesn't daemonize smbd.

System: Ubuntu Lucid where a recent update moved many startup scripts into the "upstart" system.

Now smbd is started and runs as "smbd -F". If I edit the upstart script (/etc/init/smbd.conf) so that it runs as "smbd -D" (the default and what I would like) it doesn't work. I see no inet.d running so I have no clue how it works at all like this.

Also this change to upstart did not resolve the problem of nmbd not starting correctly, it just nullified the script I had in rc.local to restart nmbd (guess I will rewrite this).

On the plus side, I am thankful that I have continued to avoid Ubuntu as a candidate in any critical server role.

Chris
Re: [Samba] [Resolved] Reestablishing trust with PDC
I will give this a shot. Thanks.

On 1/11/2011 7:00 PM, Taso Hatzi wrote:
> On Wed, Jan 12, 2011 at 6:24 AM, wrote:
>> I also tried this to no avail:
>> Disabled the machine password change on all win7 clients by setting
>> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
>> DisablePasswordChange = dword:1
>
> If Win 7 is ignoring that setting, it might honor the one which sets the password change period.
>
> MaximumPasswordAge determines when the computer password needs to be changed.
>
> Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
> Value = MaximumPasswordAge REG_DWORD
> Default = 30
> Range = 1 to 1,000,000 (in days)
>
> Group policy setting:
> Computer Configuration\windows Settings\Security settings\Local Policies\Security Options
> Domain member: Maximum machine account Password age
>
> To clear things up, it is 7 days on Windows NT by default, and 30 days on Windows 2000 and up. The trust password follows the same setting. So Trust between two NT 4 domains is 7 days. Trusts between Windows 2000 and up and anything else is 30 days. So what this means is if 2000 and NT4 trust password is 30 days. 2000 to 2000 is 30 days. 2000 to 2003 is 30 days. 2003 to 2003 is 30 days.
Re: [Samba] idmap GID range became full without reason
You might want to check this bug, could be affecting you.

https://bugzilla.samba.org/show_bug.cgi?id=6537

Cheers.
Re: [Samba] Error: _netr_ServerAuthenticate2: netlogon_creds_server_check failed.
I've finally found the solution (or at least in my case) to this problem. After looking at the logs for LDAP (slapd) I found that every time a system on the domain tried to update its associated account information in the database I would receive the following error:

RESULT tag=103 err=53 text=shadow context; no update referral

This led me to find that the account information in LDAP was not being updated...however the machine's domain user accounts would still be able to login so it wasn't a major issue...just EXTREMELY annoying. I added the following line in my slapd.conf file to tell the slapd daemon where to send its updates since it's a read-only local authentication server at the remote plants:

updateref ldap://xxx.xxx.xxx.xxx

The remote server now sends the account database updates to the central master server and eventually replicates those changes back down to the remote sites...and, thus, eliminating the annoying error message that I was receiving in my samba and system logs.

Just for reference, the original error was something similar to the following...

_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client machine account $

or

_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client machine account $

Thanks all! I hope this helps someone else.

Chris

On 08/19/2010 03:29 PM, Christopher Springer wrote:
> My configuration is a multi-subnet, multi-subnet Samba/OpenLDAP configuration. Everything works fine on both subnets but I'm getting the following error in /var/log/messages and in /var/log/samba/log.smbd...
>
> _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client XXX30874 machine account XXX30874$
>
> This message seems to be repeated every time someone logs into their machine or when the machine has to contact the server for authentication purposes. I have not had a chance to go through all of the logs and verify what OS's are the offenders but it appears that a lot of them are old WindowsNT4 machines.
>
> Please note that the only server on the subnet in question is the BDC. It has a local, replicated LDAP directory against which logins are authenticated. nmbd/wins is used for host name/netbios visibility.
>
> Any ideas to getting rid of this error in the log file? Again, it appears that access to files is working fine...it's just an annoyance because I don't understand why it's happening.
>
> Thanks.
>
> Chris
Re: [Samba] smbldap-tools security: how to keep passwords in smbldap_bind.conf secure?
01/12/2011 09:56 PM, TAKAHASHI Motonobu wrote:
> 2011/1/12 Konstantin Boyandin :
>> smbldap-passwd may be called by non-root; thus,
>> /etc/smbldap-tools/smbldap_bind.conf
>> must be world-readable, and it keeps the passwords as plain text.
>
> smbldap-passwd accesses to LDAP as a user who invoked itself.
>
> This behavior is different from Samba itself as always accesses as
> a user defined with "ldap admin dn".
>
> So simply set 600 to smbldap_bind.conf will solve the problem.

Yes, that did the trick, thank you! I thought the bind configuration should also be world readable.

> Also you need to add "by self write" to both sambaLMPassword
> and sambaNTPassword.

Yes, that has been set up and tested before I posted the question.

Sincerely,
Konstantin
Re: [Samba] Samba migration to a new server
Hello, Mike,

You wrote on 12.01.11:

> Thank you too, for your kind response.

Don't mention ...

By the way: that description assumes that the new server is the new login server too and runs instead of the old server.

Best regards!
Helmut
Re: [Samba] Samba PDC
2011/1/13 Robert Fitzpatrick :
> OK, I am trying to setup my first Samba PDC on a FreeBSD 8.1 host. When I
> try to become a member of 'webtent.org' on my Windows 7 Ultimate to the PDC,
> I get the following error...
>
>> DNS was successfully queried for the service location (SRV) resource
>> record used to locate a domain controller for domain "webtent.org":
(snip)
> Anyone know what I am or could be doing wrong? Thanks for any help!

Read at:
http://wiki.samba.org/index.php/Windows7

And remember Samba 3 PDC is compatible with Windows NT Server, not with Active Directory.

---
TAKAHASHI Motonobu
[Samba] Samba PDC
OK, I am trying to setup my first Samba PDC on a FreeBSD 8.1 host. When I try to become a member of 'webtent.org' on my Windows 7 Ultimate to the PDC, I get the following error...

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain "webtent.org":

The query was for the SRV record for _ldap._tcp.dc._msdcs.webtent.org

The following domain controllers were identified by the query:
mail.webtent.org

However no domain controllers could be contacted.

Common causes of this error include:

- Host (A) or () records that map the names of the domain controllers to their IP addresses are missing or contain incorrect addresses.
- Domain controllers registered in DNS are not connected to the network or are not running.

I have Samba working well in the network and have setup the server as a PDC...

mail# net domain
Enter root's password:
Enumerating domains:

Domain name Server name of Browse Master
-
WEBTENT MAIL

I have DNS setup as I believe correct as well as my Samba config...

mail# dig mail.webtent.org

; <<>> DiG 9.4-ESV-R2 <<>> mail.webtent.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20308
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mail.webtent.org. IN A

;; ANSWER SECTION:
mail.webtent.org. 38400 IN A 192.168.1.21

mail# dig -x 192.168.1.21

; <<>> DiG 9.4-ESV-R2 <<>> -x 192.168.1.21
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32497
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;21.1.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
21.1.168.192.in-addr.arpa. 38400 IN PTR mail.webtent.org.

mail# cat /var/named/etc/namedb/dynamic/webtent.org.hosts
$ttl 38400
webtent.org. IN SOA mx1.webtent.org. admin.webtent.org. (
1281254209
10800
3600
604800
38400 )
webtent.org. IN NS mx1.webtent.org.
mail.webtent.org. IN A 192.168.1.21
$ORIGIN webtent.org.
_kerberos TXT "WEBTENT"
$ORIGIN _tcp.webtent.org.
_kerberos SRV 1 0 88 mail.webtent.org.
_kerberos-adm SRV 1 0 749 mail.webtent.org.
$ORIGIN _udp.webtent.org.
_kerberos SRV 1 0 88 mail.webtent.org.
_kpasswd SRV 1 0 464 mail.webtent.org.
kerberos CNAME mail.
localhost A 127.0.0.1
mail A 192.168.1.21
_ldap._tcp.webtent.org. SRV 0 0 389 mail.webtent.org.
_kerberos._tcp.webtent.org. SRV 0 0 88 mail.webtent.org.
_ldap._tcp.dc._msdcs.webtent.org. IN SRV 0 0 389 mail.webtent.org.
_kerberos._tcp.dc._msdcs.webtent.org. IN SRV 0 0 88 mail.webtent.org.

mail# cat smb.conf
# Global parameters
[global]
workgroup = WEBTENT
server string = Samba Server
netbios name = mail
hosts allow = 192.168.1. 127.
# interfaces = bge0, lo
# bind interfaces only = Yes

# passwd backend
encrypt passwords = yes
passdb backend = ldapsam:ldap://mail.webtent.org/
enable privileges = yes
pam password change= Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn * passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes

# Log options
log level = 1
log file = /var/log/samba/%m
max log size = 50
syslog = 0

# Name resolution
name resolve order = wins bcast host

# misc
timeserver = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
use sendfile = yes
veto files = /*.eml/*.nws/*.{*}/
veto oplock files = /*.doc/*.xls/*.mdb/
deadtime = 120

# Dos-Attribute
map hidden = No
map system = No
map archive = No
map read only = No
store dos attributes = Yes
dos charset = 850

# printers - configured to use CUPS and automatically load them
load printers = Yes
printcap name = CUPS
printing = cups
cups options = Raw
show add printer wizard = No

# scripts invoked by samba
add user script = /usr/local/sbin/smbldap-useradd -m %u
delete user script= /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd -p %g
delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u
add machine script=
[Samba] Windows and Linux account locking with an LDAP backend
I thought I would ask here to see if anyone has had a similar situation and a solution.

We've got a SunOne Directory Server set up to authenticate our users on Linux. To get shared authentication with Windows, we set up Samba (2.0.33 as ships with CentOS 5) and the smbldap-tools.

What we need to do is get account locking to work across the board...such that if a user fails 5 times on a Windows machine, they will be locked out on the Linux systems as well...and vice versa.

Here's what I'm seeing:

On Windows, failing authentication updates the "Bad Password Count" in Samba, additionally it adds a "pwdfailuretime" to the LDAP server. This is good, and is what we would like to see.

Fail 2, similar
Fail 3, similar
Fail 4, similar

On Fail 5, what seems to be happening is that the LDAP server puts in its 5th pwdfailuretime item, thereby locking the account, and essentially preventing Windows/samba from updating the final sambabadpasswordcount number...so Windows is eternally stuck at 4 failures. Entering a bad password on the Windows side says "There is a problem with the account", but entering the correct password lets the user right in.

That's problem one. I can clarify any of this if needed.

The other thing we want to be able to do is that if a user fails 5 times on Linux that it will lock out the Windows accounts. Any idea how to do that?

Thanks for any hints or conversations we can start about this. :)
Re: [Samba] smbldap-tools security: how to keep passwords in smbldap_bind.conf secure?
2011/1/12 Konstantin Boyandin:
> smbldap-passwd may be called by non-root; thus,
> /etc/smbldap-tools/smbldap_bind.conf
> must be world-readable, and it keeps the passwords as plain text.

smbldap-passwd accesses LDAP as the user who invoked it. This behavior is different from Samba itself, which always accesses LDAP as the user defined with "ldap admin dn".

So simply setting mode 600 on smbldap_bind.conf will solve the problem. Also you need to add "by self write" to both sambaLMPassword and sambaNTPassword.

---
TAKAHASHI Motonobu
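The permission change suggested in this reply can be verified mechanically. The following is an added example, not part of the original message and not code from smbldap-tools: a shell function that reports whether a bind-credentials file is accessible beyond its owner and which clear-text password settings it holds. The function names and the sample file are constructed; masterPw and slavePw are the password keys used in smbldap_bind.conf.

```shell
#!/bin/sh
# Added example: audit the permissions of a bind-credentials file
# such as /etc/smbldap-tools/smbldap_bind.conf.

# Constructed sample standing in for smbldap_bind.conf (values are fake).
make_sample_conf() {
    cat > "$1" <<'EOF'
slaveDN="cn=Manager,dc=example,dc=org"
slavePw="constructed-secret"
masterDN="cn=Manager,dc=example,dc=org"
masterPw="constructed-secret"
EOF
}

# Print the octal permission bits of a file (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_bind_conf FILE
#   returns 0 if only the owner has access (e.g. mode 600),
#           1 if any group/other permission bit is set,
#           2 if the file does not exist.
# Only the names of password settings are printed, never their values.
audit_bind_conf() {
    f=$1
    [ -f "$f" ] || { echo "MISSING: $f"; return 2; }
    mode=$(file_mode "$f") || return 2

    # Collect the names of settings that hold a clear-text password.
    keys=$(awk -F= '/^[ \t]*(masterPw|slavePw)[ \t]*=/ {
               gsub(/[ \t]/, "", $1); printf "%s ", $1 }' "$f" 2>/dev/null) \
        || keys="(file not readable by caller)"

    # Any bit in 077 means group or others can read, write or execute.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "EXPOSED: $f (mode $mode) is accessible beyond its owner;" \
             "clear-text settings: ${keys:-none found}"
        return 1
    fi
    echo "OK: $f (mode $mode) is owner-only"
    return 0
}

# Demo on a constructed file: world-readable first, then after chmod 600.
demo=$(mktemp)
make_sample_conf "$demo"
chmod 644 "$demo"; audit_bind_conf "$demo" || true
chmod 600 "$demo"; audit_bind_conf "$demo" || true
rm -f "$demo"
```

The return code makes the function usable from a cron job or configuration-management check on the real file.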
Re: [Samba] Samba migration to a new server
Helmut,

Thank you too, for your kind response. I asked the same question on the list a week ago, but no response then. The guidance is much appreciated and I hope to perform a test at the end of the week.

Mike
Re: [Samba] Samba migration to a new server
Hello, henri,

You wrote on 12.01.11:

> Is it possible to migrate Samba to a new server without breaking
> Domain membership of all the clients ?
> I didn't get any info on that issue, is there someone that has
> previous experience of doing that ? Or maybe a link to some relevant
> info ?
> I have currently a Samba 3.5.6 server that acts as a PDC and print
> Server, with tdbsam backend, no LDAP at all, no roaming profile. I
> have to migrate samba to a new server. Everything (Samba release,
> Domain Name, shares, ...) will remain the same except for the DNS
> name and IP address of the server, and the samba server netbios name.
> What is the best way to proceed to make this migration as seamless as
> possible for all users (more than 200 user accounts with more than
> 200 PC in the domain) ?

My usual way:

- copy/overwrite "/etc/samba" to the new machine
- copy/overwrite all user account and all machine account information (especially in "/etc/passwd" and "/etc/shadow") to the new machine
- Stop samba on both machines
- Shut off all Clients (that may be a bit neurotic ...)
- start samba on the new machine
- Start one client for testing
- if ok: start the other clients

Last Friday a colleague and I did these steps once more, successfully.

Best regards!
Helmut
[Samba] log.smbd filled with same message after 3.2.4 -> 3.5.4 update
We had been running SUSE 11.0 since 2008, and recently updated to SUSE 11.3. This also brought an update from Samba 3.2.4 to 3.5.4. Immediately after updating the servers, configurations unchanged, the messages log and log.smbd became flooded with the same message repeated constantly. The logging system is archiving both log files almost daily now, and up to the update it took over a year to generate enough log messages for it to archive.

The message from log.smbd

[2011/01/12 09:01:37.439591, 0] lib/util_sock.c:675(write_data)
[2011/01/12 09:01:37.439906, 0] lib/util_sock.c:1432(get_peer_addr_internal)
getpeername failed. Error was Transport endpoint is not connected
write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
[2011/01/12 09:01:37.440317, 0] smbd/process.c:79(srv_send_smb)
Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2011/01/12 09:01:37.560436, 0] lib/util_sock.c:1432(get_peer_addr_internal)
getpeername failed. Error was Transport endpoint is not connected
[2011/01/12 09:01:37.797474, 0] lib/util_sock.c:675(write_data)

SUSE is writing the same exact log messages to other log files as well. There have been no errors experienced from the clients, logging on, transferring files, etc. Any help would be appreciated.

smb.conf

[global]
    workgroup = DOMAIN
    server string = SERVER
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = "New Password:" %n\n "Reenter New Password:" %n\n "Password changed"
    unix password sync = Yes
    load printers = No
    printcap name = /etc/printcap
    add machine script = /usr/sbin/useradd -g 1000 -c Machine -d /var/lib/nobody -s /bin/false %m$
    logon script = netlogon.bat
    logon path = ""
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes

[homes]
    comment = Home Directories
    path = /home/%u
    valid users = %S
    read only = No
    create mask = 0700
    directory mask = 0700
    browseable = No
    vfs objects = recycle
    recycle:maxsize = 0
    recycle:versions = yes
    recycle:touch_mtime = yes
    recycle:touch = yes
    recycle:keeptree = yes
    recycle:repository = .recycle

[netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    browseable = No
Re: [Samba] Samba migration to a new server
It may actually be easier to move everything including hostname and IP to the new server and just shutdown the old (this would have to be off hours.)

You should be able to do the following-

- Configure the new server as a BDC. I don't know for sure if you can configure a BDC with a TDB backend- if not you may have to make the new server a PDC.
- Copy the samba private directory (with the tdb files) from the 1st server to the 2nd server. In effect, this temporarily syncs the two servers.
- promote the new server to PDC and the old server to BDC.
- after hours- move the shared directories to the BDC, update login script if necessary.

Clients will connect to either a PDC or a BDC for authentication.- it doesn't really matter that much except that clients will prefer a BDC if available.

Once you take the OLD server offline you may need to have clients reboot to have them use the new server for authentication. But at least domain membership will not be broken?

Are you using a WINS server?

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of henri
Sent: Wednesday, January 12, 2011 7:26 AM
To: samba@lists.samba.org
Subject: [Samba] Samba migration to a new server

Hi all,

Is it possible to migrate Samba to a new server without breaking Domain membership of all the clients ?

I didn't get any info on that issue, is there someone that has previous experience of doing that ? Or maybe a link to some relevant info ?

I have currently a Samba 3.5.6 server that acts as a PDC and print Server, with tdbsam backend, no LDAP at all, no roaming profile. I have to migrate samba to a new server. Everything (Samba release, Domain Name, shares, ...) will remain the same except for the DNS name and IP address of the server, and the samba server netbios name.

What is the best way to proceed to make this migration as seamless as possible for all users (more than 200 user accounts with more than 200 PC in the domain) ? I guess that just moving all the samba configuration files from the old machine to the new one will not be enough.

Thanks in advance. I really need your help.

Henri
Re: [Samba] Samba Share Access Delay !
Supriya Kher wrote:
> windows machine writes to \\\output. It has been observed consistently that accessing the shared folder from windows using UNC as \\\output takes a very long time. Each access takes around 45 to 50 seconds ! though there are no network issues. Any directions on how to get around this problem ? Can it be controlled via specific share level/global settings in smb.conf ?

---

I had something *like* this, but not quite this bad -- it was very persistent -- no matter what program I ran, my max xfer speed was about 2MB/s (read & write).

Nothing I tried fixed it -- until I rebooted. Then it went mysteriously away (back to full speed of 119M/125MB read/write).

I looked at the wireshark traces for the bad-case -- the only odd thing I saw (which wouldn't explain the whole thing) was that my max window size had dropped to under 64k (normal is 1M). It hasn't repeated.

It _sorta_, *looked* like something was inserting itself to look at the packets in and out and doing a really bad job of being 'transparent'. But since it hasn't re-occurred, I haven't thought much about it. In my case, it *appeared* to affect all network traffic (I kept checking the sync rate on the line, figuring it had to be syncing at 10Mb and not 1Gb, but wasn't the case).

You might try a 'wireshark' trace? Try to see who is doing the 'lagging'
[Samba] Samba migration to a new server
Hi all,

Is it possible to migrate Samba to a new server without breaking Domain membership of all the clients ?

I didn't get any info on that issue, is there someone that has previous experience of doing that ? Or maybe a link to some relevant info ?

I have currently a Samba 3.5.6 server that acts as a PDC and print Server, with tdbsam backend, no LDAP at all, no roaming profile. I have to migrate samba to a new server. Everything (Samba release, Domain Name, shares, ...) will remain the same except for the DNS name and IP address of the server, and the samba server netbios name.

What is the best way to proceed to make this migration as seamless as possible for all users (more than 200 user accounts with more than 200 PC in the domain) ? I guess that just moving all the samba configuration files from the old machine to the new one will not be enough.

Thanks in advance. I really need your help.

Henri
Re: [Samba] smbldap-tools security: how to keep passwords in smbldap_bind.conf secure?
Hello Daniel,

I don't talk about Windows users. I talk about Unix (Linux) users that have shell access to the server where they can run smbldap-passwd.

I am afraid you answered the wrong question. I ask how to prevent users with shell access to where smbldap-passwd is installed from viewing the file smbldap_bind.conf.

Revoking shell access/setting smbldap-passwd as shell is out of question.

Sincerely,
Konstantin

12.01.2011 14:29, Daniel Müller wrote:
>
> On your windows client Ctrl+Alt+Del
> Change password.
> The users will never see this password in smbldap_bind.conf.
>
> ---
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
>
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
> Behalf Of Konstantin Boyandin
> Sent: Wednesday, 12 January 2011 08:50
> To: samba@lists.samba.org
> Subject: [Samba] smbldap-tools security: how to keep passwords in
> smbldap_bind.conf secure?
>
> Hello,
>
> On
> http://wiki.samba.org/index.php/4.0:_User_Management
> it is described how to set up and use smbldap-tools package. The
> question is, how to hide master passwords in such a case?
>
> smbldap-passwd may be called by non-root; thus,
> /etc/smbldap-tools/smbldap_bind.conf
> must be world-readable, and it keeps the passwords as plain text.
>
> How can I allow users to change their passwords with smbldap-passwd
> without compromising the security?
>
> Thanks.
> Sincerely,
> Konstantin
Re: [Samba] suppress messages from syslog
On 12 January 2011 10:19, wrote:
>
> Hi.
>
> this step I have tried, but without success, samba messages are still sending to syslog.

Does testparm show that it is set to 0? If so and it still doesn't work, then perhaps someone else on the list can help.

--
Michael Wood
Re: [Samba] Samba Share Access Delay !
Be sure it is no firewall issue!??

Seems you have a problem resolving the ip of the linux. You can put the ip and name of the linux in the host file of your w2003 and vice versa in the host file of your linux. Or you use dns or wins to do so

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Supriya Kher
Sent: Wednesday, 12 January 2011 09:01
To: samba@lists.samba.org
Subject: [Samba] Samba Share Access Delay !

> Hello Samba Users,
>
> I am using Samba for our project needs to share folders between a Windows
> Server 2003 machine and a RedHat Linux machine. I am facing issues with
> Samba shares (Samba Version 3.5.5 for RHEL 4 x86_64). The scenario is as below
>
> The windows machine has a couple of shared folders, one of them being
> *C:\output* The windows shares are mounted onto corresponding mount points
> in linux and the same are exposed to the external world via samba running
> on the Linux machine.
>
> Now, the Windows machine kicks off a few jobs and as a part of those jobs
> it writes to the *output* shared folder. This write request is directed
> via Samba as the windows machine writes to \\\output. It has been observed
> consistently that accessing the shared folder from windows using UNC as
> \\\output takes a very long time. Each access takes around 45 to 50
> seconds ! though there are no network issues.
> Any directions on how to get around this problem ? Can it be controlled via
> specific share level/global settings in smb.conf ?
>
> - Supriya
Re: [Samba] smbldap-tools security: how to keep passwords in smbldap_bind.conf secure?
On your windows client Ctrl+Alt+Del
Change password.
The users will never see this password in smbldap_bind.conf.

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Konstantin Boyandin
Sent: Wednesday, 12 January 2011 08:50
To: samba@lists.samba.org
Subject: [Samba] smbldap-tools security: how to keep passwords in smbldap_bind.conf secure?

Hello,

On http://wiki.samba.org/index.php/4.0:_User_Management it is described how to set up and use smbldap-tools package. The question is, how to hide master passwords in such a case?

smbldap-passwd may be called by non-root; thus, /etc/smbldap-tools/smbldap_bind.conf must be world-readable, and it keeps the passwords as plain text.

How can I allow users to change their passwords with smbldap-passwd without compromising the security?

Thanks.
Sincerely,
Konstantin
[Samba] Samba Share Access Delay !
> Hello Samba Users,
>
> I am using Samba for our project needs to share folders between a Windows
> Server 2003 machine and a RedHat Linux machine. I am facing issues with
> Samba shares (Samba Version 3.5.5 for RHEL 4 x86_64). The scenario is as below –
>
> The windows machine has a couple of shared folders, one of them being
> *C:\output* The windows shares are mounted onto corresponding mount points
> in linux and the same are exposed to the external world via samba running
> on the Linux machine.
>
> Now, the Windows machine kicks off a few jobs and as a part of those jobs
> it writes to the *output* shared folder. This write request is directed
> via Samba as the windows machine writes to \\\output. It has been observed
> consistently that accessing the shared folder from windows using UNC as
> \\\output takes a very long time. Each access takes around 45 to 50
> seconds ! though there are no network issues.
> Any directions on how to get around this problem ? Can it be controlled via
> specific share level/global settings in smb.conf ?
>
> - Supriya