Re: [Samba] Group membership updates

2012-02-17 Thread Jeremy Allison
On Thu, Feb 16, 2012 at 10:38:05AM +0100, Luis Marqueta wrote:
> Hi, list.
> 
> I'm running samba-3.5.4 + winbind on a RHEL 5 server. I'm trying to
> allow ssh logins to users in a particular Active Directory group in the
> TESTDOMAIN domain.
> 
> My problem is that group membership seems to be updated when the user
> logs in. So, if I remove a user from the allowed group, the first login
> attempt is successful.

H. I see. Is this a generic pam issue ? Doesn't pam get the group
list for the user after a successful authentication (would seem like no
sense doing it before) ?

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
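An added example from the editor, not code from the thread or from Samba: whatever the reason the gate group is re-read only at login, any ssh session that was opened before the removal is never re-checked at all. The script below lists logged-in users whose current group list no longer contains the gate group, so a stale session can be found and closed. It assumes winbind is the NSS source (so 'id -G' and 'getent group' reflect what winbind currently believes) and that the gate group resolves by the name you pass in; the session list the test feeds it is constructed.

```sh
#!/bin/sh
# Editor's added example, not code from the thread. Lists logged-in users
# whose current group list no longer contains the group that gates ssh
# access. Assumption: winbind is the NSS source, so 'id -G' and
# 'getent group' show what winbind currently believes about the user.

# has_gid "GID GID ..." GID : true if GID occurs in the space-separated list.
# Numeric GIDs are compared rather than names, so group names that contain
# spaces ("Domain Users") cannot break the comparison.
has_gid() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# gids_of USER : prints the user's current GIDs in 'id -G' format. Kept
# separate so offline tests can replace it with canned data.
gids_of() {
    id -G "$1"
}

# revoked_users GID : reads 'who' output on stdin and prints, once each,
# the users whose group list (from gids_of) lacks GID.
revoked_users() {
    gate=$1
    awk '{ print $1 }' | sort -u | while read -r u; do
        if ! has_gid "$(gids_of "$u")" "$gate"; then
            printf '%s\n' "$u"
        fi
    done
}

# audit_sessions GROUP : live entry point on the server, for example
#   audit_sessions 'TESTDOMAIN\sshusers'
# Resolves GROUP through NSS, then reports every open session whose owner
# is no longer in it.
audit_sessions() {
    gid=$(getent group "$1" | cut -d: -f3)
    if [ -z "$gid" ]; then
        echo "group not found via NSS: $1" >&2
        return 2
    fi
    who | revoked_users "$gid"
}
```

Run audit_sessions from cron or after every change to the gate group, and kill the sessions it lists. If the gate is enforced with pam_winbind's require_membership_of option, the check at login is made inside winbindd against the group SIDs the DC returned for that logon rather than against the NSS view; the script still covers the sessions that were already open.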


Re: [Samba] acl's, Samba4 and rw shares

2012-02-17 Thread steve

Hi Aaron, hi everyone

We gave it a go. And yes, we had a little chuckle wrt your references as 
to the output of samba-tool ntacl.
We still have not sorted it 100% but at least it's workable. One of the 
conclusions we came to was that we don't think Samba4 is taking the acl 
from the disk. Here are our findings which of course, include the output 
from ntacl (worth a click just to see that!):

http://linuxcostablanca.blogspot.com/2012/02/samba4-shares.html

If anyone can help, please post.
Thanks for your patience,
Steve

On 16/02/12 19:39, Aaron E. wrote:
Setting the permissions in Windows is easy: browse to your server like 
so: Start > Run > \\server


Right click share > Properties > Security tab. If you're unfamiliar 
with Windows permissions I would read up on those.


Being doable in Linux, hmm, I'm sure it is, but as I said I would 
create a share, change Windows permissions and look at them through 
Linux; do that and you'll get the idea of what I'm talking about.


Someone can correct me here if I step out of bounds, but I don't think 
the samba team has gotten this far yet to make the samba-tool ntacl 
tree practical to use.


As far as how the perms are shared, that is relative to file-system support; 
that's what the user_xattr support on the mount point is for, so it 
adds the support for the Linux mount to store the NTACLs.





Hi

Thanks for taking the time to explain this. Just thinking out loud, but
since Windows will be storing stuff on an ext4 filesystem, whatever the
ntacl does must be doable in Linux too, no? Or am I missing the point
here? Anyway, the next stage is to find where to set the ntacl from the
Windows side. Is it a case of searching or is it buried deep inside the
registry somewhere?

BTW, we have set up the S4 users with posix attrs and files are stored
correctly on both Linux and Windows. We map via nss-pam-ldapd on Linux.
We've not set any ntacls there, so far that is, since we've only just started
to experiment with rw shares.
Cheers,
Steve





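An added example (editor's code, not from the thread or from Samba) for checking what is actually on disk under a Samba4 share before concluding that Samba is ignoring it: it locates the mount that holds the share path, reports whether the option Aaron names (user_xattr) and the acl option are set on it, and dumps the security.NTACL extended attribute in which Samba stores the NT security descriptor. The /proc/mounts lines the test uses are constructed; the share path and the presence of getfattr are assumptions.

```sh
#!/bin/sh
# Editor's added example, not code from the thread. Checks what the
# filesystem under a Samba4 share actually offers before concluding that
# Samba is ignoring the on-disk ACL. Assumed: the NT security descriptor
# is stored in the security.NTACL extended attribute and getfattr is
# installed.

# mount_line_for PATH : reads /proc/mounts-style lines on stdin and prints
# the one whose mount point is the longest prefix of PATH.
mount_line_for() {
    awk -v p="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); line = $0 }
            }
        }
        END { if (line != "") print line }'
}

# mount_has_opt MOUNTLINE OPT : true if OPT appears in the comma-separated
# option list (4th field) of MOUNTLINE.
mount_has_opt() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    for o in $(printf '%s\n' "$opts" | tr ',' ' '); do
        [ "$o" = "$2" ] && return 0
    done
    return 1
}

# check_share_path PATH : live; reports the mount options relevant to ACL
# storage and dumps the NT ACL xattr if one is present.
check_share_path() {
    line=$(mount_line_for "$1" < /proc/mounts)
    if [ -z "$line" ]; then
        echo "no mount found for $1" >&2
        return 2
    fi
    echo "mount: $(printf '%s\n' "$line" | awk '{ print $2, $3 }')"
    for opt in user_xattr acl; do
        if mount_has_opt "$line" "$opt"; then
            echo "$opt: present"
        else
            echo "$opt: absent"
        fi
    done
    # The NT security descriptor Samba keeps for the file; compare it with
    # 'samba-tool ntacl get PATH' to see whether Samba reads the same blob.
    if command -v getfattr >/dev/null 2>&1; then
        getfattr -n security.NTACL -e hex -- "$1"
    fi
}
```

If getfattr prints nothing for a file that Windows has set permissions on, the descriptor was not written to that path at all and the mount options are the first thing to look at; if it prints a blob but samba-tool shows something else, the disagreement is in Samba's reading of it.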


Re: [Samba] How to Force Domain Clients to use new PDC

2012-02-17 Thread Wikked One

Thanks for the response, I appreciate it!

I haven't had any exposure to the NT4 WINS Manager tool, I'll hunt around for it.
As far as querying the WINS servers, I usually use nslookup and I've looked at
the output of tdbdump. I'll be researching the samba4wins available parameters
around midweek next week (just in case there are any further developments or
replies on this during the weekend). I've got a 4 day weekend and I may not get
to those config file parameters for Samba4wins till then.


Date: Fri, 17 Feb 2012 10:14:26 -0500
From: gaiseric.van...@gmail.com
To: wikk...@hotmail.com
CC: samba@lists.samba.org
Subject: Re: [Samba] How to Force Domain Clients to use new PDC

You could try stopping the WINS service, backing up and deleting the
wins.tdb and wins.dat files, then starting the WINS server again. (This
is for the WINS service from Samba 3; I don't know how samba4wins
handles this.) This should make sure that only the new PDC registers
itself in the WINS db. Before you do so, you may want to look at the
existing WINS db. I don't remember if the wins.dat file is created from
the wins.tdb file or the other way around. You can use the tdbdump
command on a TDB file. The WINS database should list whether a machine
is a logon server or browser. I suspect your existing WINS database
still has entries for the old DCs. I don't know how long the WINS
database will keep old entries; it could be for days or weeks. There
is also a tdbedit command that you could use to try to edit the WINS TDB
file (if applicable).

The only reason you might want to use lmhosts on a machine is to verify,
with a single machine, that the new PDC really can handle the
authentication/login from a client PC.

Can you use the NT4 WINS Manager tool to query your WINS server?


On 02/17/12 08:17, Wikked One wrote:

All systems are joined to the same domain and have the same SID, confirmed.

I'm using the NT4 Server Manager to look at the status of all domain members;
it displays the hierarchy of the domain. (I figure if an XP workstation (domain
member, logged in as the domain admin) is picking up the change, it does
indicate the change usually within 15 minutes of the BDC to PDC and vice
versa.) Workstations still report the old PDC when issuing an echo
%logonserver% at the command line, which I understand from the old NT4 Server
days: the BDC usually handles logon requests, but since I'm trying to make the
shift to a TLS communication with the LDAP backend I stop the samba service on
the non-TLS BDC and promote the BDC to PDC using the OS level and a couple
other parameters.

When it comes to the WINS servers, what I'm asking is IF I can make a change on
them to recognize the new PDC faster by changing a parameter on them so that
WINS "leases" (for lack of the parameter name at the moment) are refreshed and
the new PDC is recognized by all members of the domain faster.

The two seem to be connected, so if I can get WINS to distribute the new PDC to
the rest of the domain faster. The domain-wide recognition of the new PDC takes
too long.

The hosts (LMHOSTS) file is not a good option in this case.


> Date: Thu, 16 Feb 2012 11:59:00 -0500
> From: gaiseric.van...@gmail.com
> To: samba@lists.samba.org
> Subject: Re: [Samba] How to Force Domain Clients to use new PDC
>
> Are all DC's truly in the same domain? ("net getdomainsid" command
> should show the same domain sid on all DC's.) Were the new servers
> joined to the existing domain when setting up or did you just configure
> the same domain name?
>
> What exactly are you using the NT4 server manager tool for?
>
> Presumably all samba DC's and clients are pointing to the same WINS
> server. Windows machines by default will prefer to authenticate
> against a BDC. You can try to change this by increasing the "announce
> version" and "os level" parameters in the smb.conf file. The only way
> to really force it is to NOT use wins and configure the client to use an
> lmhosts file to find the DC.
>
>
> On 02/16/12 09:37, Wikked One wrote:
> >
> > Good Morning Samba Team,
> >
> > We've been using Samba 3.4.8 and
> > OpenLda
Re: [Samba] How to Force Domain Clients to use new PDC

2012-02-17 Thread Gaiseric Vandal
You could try stopping the WINS service, backing up and deleting the 
wins.tdb and wins.dat files, then starting the WINS server again.  (This 
is for the WINS service from Samba 3; I don't know how samba4wins 
handles this.)  This should make sure that only the new PDC registers 
itself in the WINS db.  Before you do so, you may want to look at the 
existing WINS db.  I don't remember if the wins.dat file is created from 
the wins.tdb file or the other way around.  You can use the tdbdump 
command on a TDB file.   The WINS database should list whether a machine 
is a logon server or browser. I suspect your existing WINS database 
still has entries for the old DCs.  I don't know how long the WINS 
database will keep old entries; it could be for days or weeks.   There 
is also a tdbedit command that you could use to try to edit the WINS TDB 
file (if applicable.)


The only reason you might want to use lmhosts on a machine is to verify, 
with a single machine, that the new PDC really can handle the 
authentication/login from a client PC.


Can you use the NT4 WINS Manager tool to query your WINS server?


On 02/17/12 08:17, Wikked One wrote:

All systems are joined to the same domain and have the same SID, confirmed.

I'm using the NT4 Server Manager to look at the status of all domain members;
it displays the hierarchy of the domain. (I figure if an XP workstation (domain
member, logged in as the domain admin) is picking up the change, it does
indicate the change usually within 15 minutes of the BDC to PDC and vice
versa.) Workstations still report the old PDC when issuing an echo
%logonserver% at the command line, which I understand from the old NT4 Server
days: the BDC usually handles logon requests, but since I'm trying to make the
shift to a TLS communication with the LDAP backend I stop the samba service on
the non-TLS BDC and promote the BDC to PDC using the OS level and a couple
other parameters.

When it comes to the WINS servers, what I'm asking is IF I can make a change on
them to recognize the new PDC faster by changing a parameter on them so that
WINS "leases" (for lack of the parameter name at the moment) are refreshed and
the new PDC is recognized by all members of the domain faster.

The two seem to be connected, so if I can get WINS to distribute the new PDC to
the rest of the domain faster. The domain-wide recognition of the new PDC takes
too long.

The hosts (LMHOSTS) file is not a good option in this case.




> Date: Thu, 16 Feb 2012 11:59:00 -0500
> From: gaiseric.van...@gmail.com
> To: samba@lists.samba.org
> Subject: Re: [Samba] How to Force Domain Clients to use new PDC
>
> Are all DC's truly in the same domain? ("net getdomainsid" command
> should show the same domain sid on all DC's.) Were the new servers
> joined to the existing domain when setting up or did you just configure
> the same domain name?
>
> What exactly are you using the NT4 server manager tool for?
>
> Presumably all samba DC's and clients are pointing to the same WINS
> server. Windows machines by default will prefer to authenticate
> against a BDC. You can try to change this by increasing the "announce
> version" and "os level" parameters in the smb.conf file. The only way
> to really force it is to NOT use wins and configure the client to use an
> lmhosts file to find the DC.
>
>
> On 02/16/12 09:37, Wikked One wrote:
> >
> > Good Morning Samba Team,
> >
> > We've been using Samba 3.4.8 and OpenLdap as an NT domain PDC for a
> > number of years, running on CentOS 5.7 64 bit. In the meantime I've
> > been configuring other systems to use a multimaster OpenLdap backend
> > and implement TLS. Obviously the first system does not communicate
> > with the other 2 systems (now registered as BDC systems on the same
> > domain).
> >
> > I have imported the user, group and computer groups into the newer
> > systems so that all password and user information is synchronized.
> >
> > We also use Samba4Wins as our WINS server.
> >
> > Now my question: I can "promote" the target system I want to as the
> > PDC by making a few changes to the smb.conf as well as the config
> > file on the current PDC.
> >
> > When I use the old NT4 server manager tool the domain change seems
> > to take a few minutes to register, however many of the domain member
> > client systems (almost exclusively Windows XP Pro) are failing to
> > recognize the change and still use the old PDC to login.
> >
> > How can I force the client systems to recognize the new PDC? Is this
> > dependent on the WINS servers?
> >
> > Thanks!


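The reset Gaiseric describes, as an added example (editor's code, not from the thread or from Samba): back up wins.dat and wins.tdb, keep a readable tdbdump of the TDB so the old DC entries can be reviewed, remove the originals, and restart nmbd, the Samba 3 process that serves WINS. It also carries the earlier 'net getdomainsid' check as a function that compares the domain SID across DCs, which is the thing to rule out before touching WINS. Assumed: the lock directory /var/lib/samba, the RHEL/CentOS init script name nmb, and the 'SID for domain ... is:' output format of net getdomainsid; the SID lines in the test are constructed.

```sh
#!/bin/sh
# Editor's added example, not code from the thread. Resets the Samba 3
# WINS database the way Gaiseric describes, with a backup and a readable
# dump first, and checks the domain SID across DCs. Assumptions: lock
# directory /var/lib/samba, init script name 'nmb' (nmbd is the process
# that serves WINS in Samba 3), and the output format of 'net getdomainsid'.

WINS_DIR=${WINS_DIR:-/var/lib/samba}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/wins}

# backup_wins SRCDIR DESTDIR : copies each WINS database file present in
# SRCDIR to DESTDIR with a timestamp suffix, keeps a text dump of the TDB
# when tdbdump is available, removes the originals so nmbd starts with an
# empty database, and prints the number of files moved.
backup_wins() {
    src=$1 dest=$2 n=0
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$dest" || return 1
    for f in wins.dat wins.tdb; do
        [ -f "$src/$f" ] || continue
        cp -p "$src/$f" "$dest/$f.$stamp" || return 1
        if [ "$f" = wins.tdb ] && command -v tdbdump >/dev/null 2>&1; then
            tdbdump "$src/$f" > "$dest/$f.$stamp.txt" 2>/dev/null || true
        fi
        rm -f "$src/$f"
        n=$((n + 1))
    done
    echo "$n"
}

# domain_sid : reads 'net getdomainsid' output on stdin and prints the
# domain SID (assumed line format: "SID for domain DOM is: S-1-5-21-...").
domain_sid() {
    sed -n 's/^SID for domain .* is: //p'
}

# all_same : reads one SID per line and succeeds only if all are identical.
all_same() {
    cnt=$(sort -u | sed -n '$=')
    [ "${cnt:-0}" = 1 ]
}

# check_domain_sids HOST... : live; runs net getdomainsid on each DC over
# ssh and fails if the domain SIDs differ (then WINS is not the problem).
check_domain_sids() {
    for h in "$@"; do
        ssh "$h" net getdomainsid | domain_sid
    done | all_same
}

# reset_wins : live; stop nmbd, move the database aside, start nmbd so
# that only the current DCs re-register.
reset_wins() {
    service nmb stop || return 1
    moved=$(backup_wins "$WINS_DIR" "$BACKUP_DIR") || return 1
    echo "moved $moved WINS database file(s) to $BACKUP_DIR"
    service nmb start
}
```

Run check_domain_sids pdc bdc1 bdc2 first; only if it succeeds is reset_wins worth doing. The text dump left in the backup directory is what to grep for the old DC's name afterwards.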


Re: [Samba] How to Force Domain Clients to use new PDC

2012-02-17 Thread Wikked One

All systems are joined to the same domain and have the same SID, confirmed.

I'm using the NT4 Server Manager to look at the status of all domain members;
it displays the hierarchy of the domain. (I figure if an XP workstation (domain
member, logged in as the domain admin) is picking up the change, it does
indicate the change usually within 15 minutes of the BDC to PDC and vice
versa.) Workstations still report the old PDC when issuing an echo
%logonserver% at the command line, which I understand from the old NT4 Server
days: the BDC usually handles logon requests, but since I'm trying to make the
shift to a TLS communication with the LDAP backend I stop the samba service on
the non-TLS BDC and promote the BDC to PDC using the OS level and a couple
other parameters.

When it comes to the WINS servers, what I'm asking is IF I can make a change on
them to recognize the new PDC faster by changing a parameter on them so that
WINS "leases" (for lack of the parameter name at the moment) are refreshed and
the new PDC is recognized by all members of the domain faster.

The two seem to be connected, so if I can get WINS to distribute the new PDC to
the rest of the domain faster. The domain-wide recognition of the new PDC takes
too long.

The hosts (LMHOSTS) file is not a good option in this case.




> Date: Thu, 16 Feb 2012 11:59:00 -0500
> From: gaiseric.van...@gmail.com
> To: samba@lists.samba.org
> Subject: Re: [Samba] How to Force Domain Clients to use new PDC
> 
> Are all DC's truly in the same domain? ("net getdomainsid" command 
> should show the same domain sid on all DC's.) Were the new servers 
> joined to the existing domain when setting up or did you just configure 
> the same domain name?
> 
> What exactly are you using the NT4 server manager tool for?
> 
> Presumably all samba DC's and clients are pointing to the same WINS 
> server. Windows machines by default will prefer to authenticate 
> against a BDC. You can try to change this by increasing the "announce 
> version" and "os level" parameters in the smb.conf file. The only way 
> to really force it is to NOT use wins and configure the client to use an 
> lmhosts file to find the DC.
> 
> 
> On 02/16/12 09:37, Wikked One wrote:
> >
> > Good Morning Samba Team,
> >
> > We've been using Samba 3.4.8 and OpenLdap as an NT domain PDC for a
> > number of years, running on CentOS 5.7 64 bit. In the meantime I've
> > been configuring other systems to use a multimaster OpenLdap backend
> > and implement TLS. Obviously the first system does not communicate
> > with the other 2 systems (now registered as BDC systems on the same
> > domain).
> >
> > I have imported the user, group and computer groups into the newer
> > systems so that all password and user information is synchronized.
> >
> > We also use Samba4Wins as our WINS server.
> >
> > Now my question: I can "promote" the target system I want to as the
> > PDC by making a few changes to the smb.conf as well as the config
> > file on the current PDC.
> >
> > When I use the old NT4 server manager tool the domain change seems
> > to take a few minutes to register, however many of the domain member
> > client systems (almost exclusively Windows XP Pro) are failing to
> > recognize the change and still use the old PDC to login.
> >
> > How can I force the client systems to recognize the new PDC? Is this
> > dependent on the WINS servers?
> >
> > Thanks!
  


Re: [Samba] Samba4 internal dns server cannot find ldap

2012-02-17 Thread Daniel Müller
Interfaces= 192.168.1.3

---
EDV Daniel Müller

Head of IT (Leitung EDV)
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: steve [mailto:st...@steve-ss.com] 
Sent: Friday, 17 February 2012 08:46
To: muel...@tropenklinik.de
Cc: samba@lists.samba.org
Subject: Re: RE: [Samba] Samba4 internal dns server cannot find ldap

On 02/17/2012 08:05 AM, Daniel Müller wrote:
> [global]
>   server role = domain controller
>   workgroup = CACTUS
>   realm = hh3.site
>   netbios name = HH3
>   passdb backend = samba4
>   template shell = /bin/bash
> >  interfaces = xxx.yyy.zzz  #< I think this is missing, in my
> > case I need to set this for the internal dns to work.
>
> ---
> EDV Daniel Müller

> ./provision --realm=hh3.site --domain=CACTUS --adminpass=Abc@1234
> --server-role='domain controller' --dns-backend=SAMBA_INTERNAL
Hi Daniel
What's the syntax of the xxx.yyy.zzz?
my fqdn is hh3.hh3.site with IP 192.168.1.3

I'm on Ubuntu with bind9.9.0 beta at the moment. It's a test setup but 
to save fiddling around, can we keep what we already have? I thought of:

  tar /private /somewhere
  mv samba.conf smb.conf.steve
  provision --dns-backend=SAMBA_INTERNAL
  cp smb.conf.steve back to smb.conf
  add your interfaces=??? to it

and hope for the best. Or are we talking about a clean install from nothing?
Thanks,
Steve


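Steve's sketched sequence, as an added example (editor's code, not from the thread or from Samba): archive the private directory and smb.conf, provision with the internal DNS, restore smb.conf and set the interfaces line Daniel suggests. The smb.conf editing is done by a function that replaces an existing parameter in [global] or adds one, so repeating the step cannot leave duplicate lines. It also sets 'bind interfaces only = yes', which keeps smbd, nmbd and the internal DNS off interfaces they should not serve; keep lo in the list, otherwise local tools that talk to 127.0.0.1 stop working. Assumptions: the provision script is in the current directory, the admin password arrives in ADMINPASS and the address to bind in IFACE; the smb.conf the test edits is constructed.

```sh
#!/bin/sh
# Editor's added example, not code from the thread or from Samba. Keeps an
# existing smb.conf across a re-provision and sets the interfaces lines
# Daniel suggests. Assumptions: the provision script is in the current
# directory, the admin password is supplied in ADMINPASS and the address
# to bind in IFACE (the thread's "--adminpass=Abc@1234" is kept out of the
# command text so it does not end up in shell history).

# set_global_param FILE KEY VALUE : sets "KEY = VALUE" in the [global]
# section of FILE, replacing an existing line (case-insensitive, as smb.conf
# is) or adding one at the end of [global]. A file without [global] gets one.
# Note: awk -v interprets backslash escapes in VALUE.
set_global_param() {
    file=$1
    awk -v kp="$2" -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v v="$3" '
        BEGIN { inglobal = 0; done = 0; seen = 0 }
        /^[ \t]*\[/ {
            if (inglobal && !done) { print "\t" kp " = " v; done = 1 }
            inglobal = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/)
            if (inglobal) seen = 1
        }
        inglobal && !done && match(tolower($0), "^[ \t]*" k "[ \t]*=") {
            print "\t" kp " = " v; done = 1; next
        }
        { print }
        END {
            if (!seen) print "[global]"
            if (!done) print "\t" kp " = " v
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# backup_and_reprovision PRIVATE_DIR SMBCONF REALM DOMAIN : live; the
# sequence sketched above, with the archive taken before anything is
# overwritten and a diff kept so settings written by provision are not lost
# silently when the old smb.conf is put back.
backup_and_reprovision() {
    priv=$1 conf=$2 realm=$3 domain=$4
    stamp=$(date +%Y%m%d%H%M%S)
    tar czf "$priv.$stamp.tgz" -C "$(dirname "$priv")" "$(basename "$priv")" || return 1
    cp -p "$conf" "$conf.$stamp" || return 1
    ./provision --realm="$realm" --domain="$domain" --adminpass="$ADMINPASS" \
        --server-role='domain controller' --dns-backend=SAMBA_INTERNAL || return 1
    diff -u "$conf.$stamp" "$conf" > "$conf.$stamp.diff" || true
    cp -p "$conf.$stamp" "$conf"
    set_global_param "$conf" interfaces "lo $IFACE"
    set_global_param "$conf" "bind interfaces only" yes
}
```

Read the saved .diff before restarting: anything provision wrote into the new smb.conf that the old one lacks has to be carried over by hand.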


Re: [Samba] ddns in samba4

2012-02-17 Thread steve

On 02/16/2012 09:27 PM, fe...@epepm.cupet.cu wrote:

I followed this
http://linuxcostablanca.blogspot.com/2012/01/samba-4-ubuntu.html and got
dynamic dns updates working in forward zone.
any ideas to get it working in the reverse zone too?

By the way, nice article Steve.

Best regards,
Felix.


Hi Felix.

Not tried. Maybe Kai and the dns gurus can confirm if the s4 internal 
dns server will get you there:


./provision --realm=YOUR.REALM --domain=grupodetrabajo 
--adminpass=Abc@1234 --server-role='domain controller' 
--dns-backend=SAMBA_INTERNAL


Salu2,
Steve
