[Samba] Samba 4 - SWAT

2012-03-11 Thread Jason Carlson
Is SWAT integrated into samba 4? Is it even working?

Blessings,

Jason
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Winbind Issues with Server 2003/2008

2012-03-11 Thread Nathan Frankish
Good morning all,

I really hate emailing lists, but I've come to a wall that I just can't
work out how to get past at the moment, so am hoping for some community
assistance if possible.

Some background:

We are running Windows Server 2003 on all of our domain controllers, and
are in the middle of migrating to Server 2008 R2. We have Unix extensions
enabled (rfc2307 I believe), and manage all of our uids/shell/home via
this.

Our Linux servers are a mix of RHEL 5.1, 5.4 and 5.5.

We were using Samba 3.0.33-3.29.el5_5.1 or equivalent on most of our
servers, but we hit a stone wall when trying to get them to co-exist
with a domain controller that was running Server 2008.

So we upgraded to the Red Hat package samba3x which I believe is 3.3.8 on
some of the hosts and 3.5.10 on the others.

However then we hit the snafu that the servers running samba3x wouldn't
talk to the domain controllers running Server 2003 still. To combat
that, we null routed the Server 2003 servers, and only let the Linux
servers talk to AD servers running 2008.

This was working fine, except that some servers stopped being able to
run "getent passwd" or "getent group" and would just return nothing from
winbind.

As a test, I converted over to RID as the idmap backend away from ADS,
and this appears to have almost worked perfectly. Except now that a
user's UID isn't being returned from the AD Unix Attributes tab, but
instead has what I assume is the RID ID for the user. Other attributes
seem to be coming down OK.

For example on a production host that is still running samba 3.0.33,
getent returns:

[nathan_adm@qbtdbsprd01 ~]$ getent passwd nathan_adm
nathan_adm:*:310:900:Nathan Frankish - Admin:/unixshared/home/nathan_adm:/bin/bash

But on an upgraded host it's returning:

[root@qdrbinppz01 ~]# getent passwd nathan_adm
nathan_adm:*:9071:900:Nathan Frankish - Admin:/unixshared/home/nathan_adm:/bin/bash

Likewise with group lookups, I'm getting similar results.

I've tried converting back to ADS from RID to see if that will help, but
after updating smb.conf and restarting winbind, it still appears to be
getting its info from RID and not from ADS. Below I have two config
files: one of the upgraded hosts, one of the not upgraded hosts.

Is there any way I can get rid to do what I want? Or get ADS to play nicely
on the domain? Or should I just convert to RID entirely and fix all the
users' permissions on directories etc.?

**upgraded hosts config**

#=== Global Settings ===

[global]
interfaces = 10.8.52.0/24 10.8.57.0/24 10.30.52.0/24 10.8.78.0/24 10.8.0.0/22 10.30.0.0/22 10.8.103.0/24
bind interfaces only = yes
workgroup = QLDMOTORWAYS
local master = no
passdb backend = tdbsam
password server = QB2DC-PRD01.QLDMOTORWAYS.COM.AU
realm = QLDMOTORWAYS.COM.AU
domain master = no
local master = no
preferred master = no
os level = 0
server string = qdrbinppz01 Linux server
security = ads
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
idmap backend = ad
idmap uid = 100-200
idmap gid = 100-200
idmap config QLDMOTORWAYS : schema_mode = rfc2307
idmap config QLDMOTORWAYS : backend = ADs
idmap config QLDMOTORWAYS : range = 300-200
winbind separator = +
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind nss info = rfc2307
winbind cache time = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

**non upgraded host**

#=== Global Settings ===

[global]
workgroup = QLDMOTORWAYS
local master = no
passdb backend = tdbsam
password server = *
realm = QLDMOTORWAYS.COM.AU
domain master = no
local master = no
preferred master = no
os level = 0
server string = qbtdbsprd01 Linux server
security = ads
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
idmap backend = ad
idmap uid = 100-200
idmap gid = 100-200
winbind separator = +
template shell = /bin/bash
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind nss info = rfc2307
winbind cache time = 1
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

Much appreciate any help that can be provided.

Nathan Frankish  |  Systems Engineer

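As an added example (not code from the post or from Samba itself), the following Python script reads the idmap ranges out of an smb.conf the way a reviewer would read the two configs above, flagging the inverted QLDMOTORWAYS range and any overlap between domains, and shows how the rid backend derives a UID from a SID using idmap_rid's formula RID - base_rid + low (base_rid assumed to be 0, its default). The config fragment, the TRUSTED domain and the SID are constructed for the example.

```python
import re

# Constructed sample modelled on the config in the post above (not the
# poster's file): the inverted QLDMOTORWAYS range and the overlap with the
# made-up TRUSTED domain are the two things a reviewer should catch.
SAMPLE_SMB_CONF = """\
[global]
   idmap uid = 100-200
   idmap gid = 100-200
   idmap config QLDMOTORWAYS : backend = rid
   idmap config QLDMOTORWAYS : range = 300-200
   idmap config TRUSTED : backend = rid
   idmap config TRUSTED : range = 150-1150
"""

# "idmap uid"/"idmap gid" are the legacy spelling of the default ("*") range.
RANGE_RE = re.compile(
    r"^\s*idmap\s+(?:config\s+(?P<dom>\S+)\s*:\s*range|(?:uid|gid))"
    r"\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$", re.I)


def idmap_ranges(conf):
    """Return {domain: (low, high)} for every idmap range line in the config text."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("dom") or "*"] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def check_ranges(ranges):
    """Inverted ranges can map nothing; overlapping ranges let two domains claim one UID."""
    problems = [f"{d}: inverted range {lo}-{hi}" for d, (lo, hi) in ranges.items() if lo >= hi]
    valid = sorted(d for d, (lo, hi) in ranges.items() if lo < hi)
    for i, a in enumerate(valid):
        for b in valid[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"{a} and {b}: ranges overlap")
    return problems


def rid_to_uid(sid, low, high, base_rid=0):
    """UID the rid backend derives as RID - base_rid + low (None outside the range).
    Unlike backend = ad it never consults the uidNumber stored in AD, which is why
    the post sees 310 from one backend and 9071 from the other for the same user."""
    rid = int(sid.rsplit("-", 1)[1])
    uid = rid - base_rid + low
    return uid if low <= uid <= high else None
```

Switching backends therefore changes every UID on disk at once, so file ownership set under one backend will not match the other; checking the ranges before restarting winbind avoids a half-mapped host.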


[Samba] LDAP Account Manager 3.7.RC1 released

2012-03-11 Thread Roland Gruber

LDAP Account Manager (LAM) 3.7.RC1 - March 11th, 2012
=====================================================

LAM is a web frontend for managing accounts stored in an LDAP directory.


Announcement:
-------------

This release adds basic support for Heimdal Kerberos (LAM Pro). It also
fixes several bugs and includes lots of detail enhancements. The Zarafa
module (LAM Pro) now supports the archiving options.

This is a test release. Please do not use on production servers. Please
report any bugs until 2012-03-23.


Full changelog:

http://www.ldap-account-manager.org/lamcms/changelog

Download:

http://www.ldap-account-manager.org/lamcms/releases


Features:
---------

* management of various account types
 * Unix
 * Samba 3
 * Kolab 2
 * Asterisk
 * Zarafa
 * DHCP
 * SSH keys
* profiles for account creation
* account creation via file upload
* automatic creation/deletion of home directories
* setting quotas
* PDF output for all accounts
* editor for organizational units
* schema browser
* tree view
* multiple configuration files
* multi-language support: Catalan, Chinese (Traditional + Simplified),
  Czech, Dutch, English, French, German, Hungarian, Italian, Japanese,
  Polish, Portuguese, Russian and Spanish
* support for LDAP+SSL/TLS


Demo installation:
------------------

You can try our demo installation online.

http://www.ldap-account-manager.org/lamcms/liveDemo


Support:
--------

If you find a bug please file a bug report. For questions or
implementing new features please use the mailinglist and feature request
tracker at our homepage http://www.ldap-account-manager.org.



Authors & Copyright:
--------------------

Copyright (C) 2003 - 2012:
Roland Gruber 


LAM is published under the GNU General Public License.
The complete list of licenses can be found in the copyright file.


[Samba] The trust relationship between this workstation and the primary domain failed. (After SAMBA upgrade)

2012-03-11 Thread Oliver R.

Hi folks

I am writing to this list because Google was unable to provide me with a
solution for my problem (neither did the samba list archives; as far as
I can see).

I know that the topic "The trust relationship between this workstation
and the primary domain failed." is not unknown and a lot of people are
suffering from it but I have the feeling that my problem is different.
I am not using SAMBA as DC and try to join Windows 7 to it; but let me
explain.

I had a working configuration which looked as follows:

- Windows 2008 R2 SP1 Domain Controller (Forest functional Level 2008 R2;
  so highest possible)
  (DNS Server, Global Catalog etc. It is only this ONE DC)

- Windows 7 Workstation as a domain member of this domain (Works great;
  no Problems)

- SAMBA 3.x running on Fedora 13 (+ updates so not the newest
  SAMBA 3.5/3.6 releases but somewhere in the 3.1 - 3.3 releases)

The SAMBA Box was joined to the domain and some directories on the
Fedora box were shared. I was able to access them from my Windows 7 Box
without any problems. So SAMBA was a perfect ADS member.

Everything was running fine until . I decided to upgrade (reinstall) my
box with Fedora 16.

The Fedora Box now has the newest SAMBA release
(samba-3.6.3-78.fc16.i686) installed.

I reconfigured SAMBA by

- re-created the same users with the same uid/gid on the box
- configuring DNS as it was before
- copied back /etc/krb5.conf
- copied back /etc/samba/smb.conf and /etc/samba/smbusers
  (Basically I used the new smb.conf and replaced the necessary
  information. I have an include file ads.conf for my ADS configuration
  which I inject into smb.conf. So no typos or missing something)
- Did a: kinit administra...@mydomain.com (successful)
- Did a: net ads join -U Administrator (successful)
- Did a: net ads testjoin (-> Join is OK)
- Did a: smbclient mydc\\myshare -U Administrator (could access the
  share)
  (OK. smbclient does not use the local Samba-Daemon but directly
  connects to the DC. So not really a test)

So everything was as it was before with the exception that when I try to
access the SAMBA box from my Windows 7 Box I get:

- The trust relationship between this workstation and the primary domain
  failed.

- /var/log/samba/log.win7box shows error messages:

[2012/03/11 13:33:07.281548,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server MYDC.MYDOMAIN.COM for domain MYDOMAIN.
[2012/03/11 13:33:07.281867,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine MYDC.MYDOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2012/03/11 13:33:07.284289,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server MYDC.MYDOMAIN.COM for domain MYDOMAIN.
[2012/03/11 13:33:07.284665,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine MYDC.MYDOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2012/03/11 13:33:07.285166,  0] auth/auth_domain.c:292(domain_client_validate)
  domain_client_validate: Domain password server not available.

When I do a Wireshark trace on the Linux system I see the SAMBA Daemon
communicates with my domain Controller (MYDC) and gets some errors (when
accessing the SAMBA Box from Win 7).


No.    Time        Source          Destination     Protocol  Info
9245   45.548203   192.168.1.131   192.168.1.3     SMB       Negotiate Protocol Request
9247   45.584079   192.168.1.3     192.168.1.131   SMB       Negotiate Protocol Response
9248   45.690020   192.168.1.131   192.168.1.3     SMB       Session Setup AndX Request, NTLMSSP_NEGOTIATE
9249   45.690874   192.168.1.3     192.168.1.131   SMB       Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
9250   45.691254   192.168.1.131   192.168.1.3     SMB       Session Setup AndX Request, NTLMSSP_AUTH, User: MYDOMAIN\Snoopy
9257   45.760270   192.168.1.3     192.168.1.4     SMB       Negotiate Protocol Request
9258   45.760989   192.168.1.4     192.168.1.3     SMB       Negotiate Protocol Response
9260   45.761266   192.168.1.3     192.168.1.4     SMB       Session Setup AndX Request, User: anonymous
9261   45.761586   192.168.1.4     192.168.1.3     SMB       Session Setup AndX Response
9262   45.763317   192.168.1.3     192.168.1.4     SMB       Tree Connect AndX Request, Path: \\MYDC.MYDOMAIN.COM\IPC$
9264   45.763683   192.168.1.4     192.168.1.3     SMB       Tree Connect AndX Response
9265   45.763883   192.168.1.3     192.168.1.4     SMB       NT Cr
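As an added example (not code from the post or from Samba), this Python script parses log lines in the Samba 3.x format shown above and picks out the entries where the member server could not authenticate to its domain controller, which is what an operator would alert on from a member's logs. The log excerpt is constructed from the lines in the post plus one made-up level-3 entry that must not be flagged.

```python
import re

# Constructed excerpt in the Samba 3.x log format, modelled on the lines in the
# post above; the last entry is a made-up level-3 line that must not be flagged.
SAMPLE_LOG = """\
[2012/03/11 13:33:07.281548,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server MYDC.MYDOMAIN.COM for domain MYDOMAIN.
[2012/03/11 13:33:07.281867,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine MYDC.MYDOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2012/03/11 13:33:07.285166,  0] auth/auth_domain.c:292(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2012/03/11 13:40:00.000000,  3] smbd/service.c:1070(make_connection_snum)
  make_connection_snum: constructed routine entry, not an authentication failure
"""

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<file>[\w./-]+):(?P<line>\d+)\((?P<func>\w+)\)")
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)\b")
PEER_RE = re.compile(r"(?:server|machine) ([\w.-]+?)\.?(?=\s|$)")


def parse_samba_log(text):
    """Join each '[timestamp, level] file:line(func)' header with its indented message."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append(dict(m.groupdict(), level=int(m.group("level")), msg=""))
        elif entries and line[:1].isspace():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries


def dc_auth_failures(entries):
    """Level-0 entries where this member server could not authenticate to a DC.

    A schannel session-key failure, or NT_STATUS_ACCESS_DENIED from
    connect_to_domain_password_server, is the server-side trace of the Windows
    'trust relationship ... failed' error in the post, so a member server's logs
    are worth watching for it. Returns (timestamp, function, peer, status)."""
    hits = []
    for e in entries:
        status = STATUS_RE.search(e["msg"])
        if e["level"] == 0 and (e["func"] == "cli_rpc_pipe_open_schannel"
                                or (status and status.group(1) == "NT_STATUS_ACCESS_DENIED")):
            peer = PEER_RE.search(e["msg"])
            hits.append((e["ts"], e["func"], peer.group(1) if peer else None,
                         status.group(1) if status else None))
    return hits
```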

Re: [Samba] samba PDC/NIS client

2012-03-11 Thread Tony Molloy
On Sunday 11 March 2012 05:31:35 Simon Matthews wrote:
> On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal wrote:
> > Do you have password sync enabled? If password sync is
> > enabled, samba will try to use the passwd command to set the
> > unix password.  But with nis, you probably might need something
> > nis specific. On solaris it was "passwd -r nis" - not sure
> > about linux. Probably better to just disable password sync.
>

I've got a very similar setup to you. Except I use a smbpasswd file.

> No, I don't have this option enabled. I am not sure how it is
> relevant. Problem summary:
> The samba PDC is an NIS client
> "getent passwd" returns the passwd data.
> The user's SAMBA password was set using smbpasswd
> The user's NIS passwd was set using yppasswd

So far all the same.

> ALL I had to do to allow domain logins was:
> ypcat passwd | grep  >> /etc/passwd

Why duplicate the password entries? I just have them in NIS and
/etc/passwd just has the system passwords.

> Note that after copying the user details to /etc/passwd, the
> password that was set with "smbpasswd" was the password that was
> used with the successful domain login.

Don't really understand what you mean by "domain logins".

1. Create the user under linux first
2. Use smbpasswd to add the user to samba

You now have a user in both linux and samba but remember the passwords
are stored separately, changing one does not change the other.

3. Edit /etc/nsswitch.conf. Set

passwd: files nis
shadow: files

That works for me. YMMV

Tony

>
> Simon



Re: [Samba] allow trusted domains

2012-03-11 Thread Andrew Bartlett
On Sun, 2012-03-11 at 09:26 +0700, Victor Sudakov wrote:
> Andrew Bartlett wrote:
> > > 
> > > Is there a way to map all trusted domain users to the guest account?
> > > 
> > > As if they were nonexistent users or users from untrusted domains.
> > > If I could maintain a list of domains for the samba server to trust,
> > > it would be fine too.
> > 
> > Try 'map to guest = bad uid'.
> 
> Will it not interfere with "add user script"?

No idea.  As simo has suggested, what you are doing is essentially
unsupported.  If it happens to work, great, if it does not, then we
really can't do anything more.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
