Re: [Samba] XP Administrator has no access to shares
On 17/08/12 13:17, Gémes Géza wrote: 2012-08-17 11:44 keltezéssel, steve írta: Hi S4 DC with S3 fileserver. smb.conf on the fileserver: [global] workgroup = ALTEA realm = HH3.SITE security = ADS kerberos method = secrets and keytab winbind enum users = Yes winbind enum groups = Yes idmap config *:backend = tdb idmap config *:range = 3000-4000 idmap config ALTEA:backend = ad idmap config ALTEA:range = 2-4000 idmap config ALTEA:schema_mode = rfc2307 winbind nss info = rfc2307 winbind expand groups = 2 winbind nested groups = yes usershare allow guests = No winbind refresh tickets = yes [home] path = /home2/home read only = No [staff] path = /home2/staff read only = No [profiles] path = /home2/profiles read only = No store dos attributes = Yes create mask = 0600 directory mask = 0700 [dropbox] path = /home2/dropbox force create mode = 0660 force directory mode = 0770 read only = No wbinfo -u lists Administrator but getent passwd lists only those users with a uidNumber and gidNumber. The latter users can login to xp and enter the shares fine. Administrator can login but gets a password prompt each time he hits a share. Giving the correct password results in XP stating the he has no permission to access the share. How do I get Administrator to enter and manipulate the shares. I thought that that was his purpose. Cheers, Steve First: the Windows in the security model Administrator=root from the Unix world it is just a predefined account memeber of the Administrators or in a domain of the Domain Admins group and that gives access , so you could do all the management operation from any other user account member of the Domain Admins group. Second: samba3 smbd and thus s3fs (I think ntvfs not, but I could be wrong) needs that the connected user have a valid uid/gidnumber in order to be able to check the posix acl permissions, so if you want to connect to a Samba3 box with Administrator, first give it all the posix attributes you've give to the other user accounts (however it doesn't need a unixHomedirectory or loginshell if you won't login e.g. via ssh as Administrator) Regards Geza Gemes Hi Geza OK. Domain Admins and Domain Users have posixGroup and gidNumber. They show on getent passwd I login to XP as Administrator. I can do stuff like unjoin the domain and change the DNS address but I cannot access the shares. Is there a user in m$ that is like the root user in Linux? Should domain admins have a gidNumber of 0 (zero)? Should domain admins also have a posixAccount with a uidNumber of 0 (zero)? What am I missing? Cheers, Steve -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Problem with heaps of sleeping smb processes due to panic action
On Tue, 2012-08-14 at 15:21 +0200, Dieter Modig wrote: > Hi! > > We're running Samba4 (Version 4.0.0beta4) and are experiencing problems with > smb_panic actions which result in loads of sleep processes in the end taking > down the entire machine. This problem did not exist in prior builds for us > (upgraded from alpha17 to beta3 and then beta4). Are there any specific log > extracts I can supply that can help someone pinpoint the problem? log.smbd > seems to indicate the following: > > [2012/07/06 13:52:36.425367, 0] ../source3/lib/util.c:974(log_stack_trace) > BACKTRACE: 27 stack frames: > #0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) > [0x7f37c35011df] > #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6d) [0x7f37c350105d] > #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f37c5323aee] > #3 /usr/local/samba/lib/private/libsmbd_base.so(+0x129b89) [0x7f37c4ac6b89] > #4 /usr/local/samba/lib/private/libsmbd_base.so(+0x129ea9) [0x7f37c4ac6ea9] > #5 /usr/local/samba/lib/private/libsmbd_base.so(+0x12c769) [0x7f37c4ac9769] > #6 /usr/local/samba/lib/private/libsmbd_base.so(+0x130045) [0x7f37c4acd045] > #7 /usr/local/samba/lib/private/libsmbd_base.so(create_file_default+0x2f8) > [0x7f37c4acdb7f] > #8 /usr/local/samba/lib/private/libsmbd_base.so(+0x23f813) [0x7f37c4bdc813] > #9 > /usr/local/samba/lib/private/libsmbd_base.so(smb_vfs_call_create_file+0xcb) > [0x7f37c4ad8fc8] > #10 /usr/local/samba/lib/private/libsmbd_base.so(+0x1771b2) [0x7f37c4b141b2] > #11 > /usr/local/samba/lib/private/libsmbd_base.so(smbd_smb2_request_process_create+0x7ac) > [0x7f37c4b1224c] > #12 > /usr/local/samba/lib/private/libsmbd_base.so(smbd_smb2_request_dispatch+0x6fe) > [0x7f37c4b0a42d] > #13 /usr/local/samba/lib/private/libsmbd_base.so(+0x1781ce) [0x7f37c4b151ce] > #14 > /usr/local/samba/lib/private/libtevent.so.0(tevent_common_loop_immediate+0x1f9) > [0x7f37c376a090] > #15 /usr/local/samba/lib/libsmbconf.so.0(run_events_poll+0x57) > [0x7f37c351d23f] > #16 /usr/local/samba/lib/libsmbconf.so.0(+0x44ac2) [0x7f37c351dac2] > #17 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xe8) > [0x7f37c376918f] > #18 /usr/local/samba/lib/private/libsmbd_base.so(smbd_process+0x10ed) > [0x7f37c4af4569] > #19 /usr/local/samba/sbin/smbd() [0x409c48] > #20 /usr/local/samba/lib/libsmbconf.so.0(run_events_poll+0x71a) > [0x7f37c351d902] > #21 /usr/local/samba/lib/libsmbconf.so.0(+0x44ba2) [0x7f37c351dba2] > #22 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xe8) > [0x7f37c376918f] > #23 /usr/local/samba/sbin/smbd() [0x40a838] > #24 /usr/local/samba/sbin/smbd(main+0x14b9) [0x40be42] > #25 /lib/libc.so.6(__libc_start_main+0xfd) [0x7f37c1e02c8d] > #26 /usr/local/samba/sbin/smbd() [0x405969] > [2012/07/06 13:52:36.430994, 0] ../source3/lib/util.c:875(smb_panic_s3) > > but I'm honestly not good enough to dissect the problem. In developer mode, the default panic action is to run 'sleep' so you can attach with a debugger (see testparm -v output). To instead produce a stack trace that we can use, get 'gdb_backtrace' from selftest/gdb_backtrace and set in your smb.conf: panic action = /path/to/gdb_backtrace %d I've CC'ed metze, one of the key developers working on the smbd file server to see if he wants to persue this with you further on beta4. Otherwise, please update to current master as this is a fast-moving area that may have already been fixed. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] About s3fs in samba4
On Fri, 2012-08-17 at 20:14 +0200, Gémes Géza wrote: > 2012-08-17 17:31 keltezéssel, fe...@epepm.cupet.cu írta: > > Reading Whatsnew.txt in samba I understand that If I use s3fs, as it is > > set by default in the provision step, I won't be able to modify GPOs > > later, right? > > So I have a couple of questions: > > > > - What's the advantage of using s3fs over ntvfs in new installations? > > - If I'm planning to deploy a new Domain, probably needing to change GPOs > > later, should I select ntvfs??? > > > > Best regards, > > Felix > > > If you use s3fs, the only thing you may need to do (first test if it is > still necessary it was with the git version a week ago) is to give group > Domain Admins, full access to the sysvol share (and recursively all > subfolders) from a Windows domain member computer (loged in of course as > a member of the Domain Admins group). > The major problem with ntvfs is that it isn't actively developed anymore > and hasn't received those protocol dialect updates (smb2-3) which were > introduced in Vista and 7, and thus it may have compatibility problems > later (no known problem exist so far) Thanks Geza Gemes! This describes the issue and workaround very nicely! Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] After upgrade samba4 to beta version i've got "network path not found"
On Thu, 2012-08-16 at 16:09 +0300, h2...@yahoo.com wrote: > Hello, > > > > I'm using samba4 as domain controller with new forest domain (not existing > domain) and everything is fine but.. one day when I usually do upgrades of > my system I saw samba4 will be upgraded to beta version. Everything went > fine after upgrade, but I cannot join new computers to the AD anymore. I got > "network path not found" when I try to join Windows XP. With Linux I got > "connection refused". > > > > I also try to make new installation of Debian stable, then upgrade to wheezy > and make Samba4 provision as active directory. Everything the same. I cannot > join to the Active Directory. > > > > Only one difference, in first case I have Windows XP successfully joined, > and I can manage the Active Directory. > > Can somebody help me with debugging that? If this is a debian system, you may need to set: server services = +smb -s3fs dcerpc endpoint servers = +winreg +srvsvc see: https://wiki.samba.org/index.php/Samba4/s3fs#Using_it Debian ships with only part of Samba4, not including the smbd file server that is now the default. The above restores the use of the included ntvfs file server. If this fixed it for you, you will need to file a bug with debian for them to deal with this properly on upgrade. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 3.4.3 and DOS read only
Am Samstag, 18. August 2012, 00:38:09 schrieb Jim Gallagher: > I added "dos filemode = yes", but it still does not work. Rats... what kind of clients are you using? I'm wondering why you use "username = jim" With latest samba git tree I just tried legacy OS/2 and also the OS/2 DOS Window - in both all works as expected. I'm only using: ea support = no store dos attributes = no map readonly = yes You are using "log level = 3", so you should see "unix_mode() returning 0xxx" lines in your smbd debug logfile. What do you get there? Cheers, Günter -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] How to migrate Active Directory from one Samba4 server to another
On Mon, 2012-08-13 at 19:56 +0200, x-dimens...@gmx.net wrote: > Original-Nachricht > > Datum: Mon, 13 Aug 2012 17:47:35 +1000 > > Von: Andrew Bartlett > > An: x-dimens...@gmx.net > > CC: samba@lists.samba.org > > Betreff: Re: [Samba] How to migrate Active Directory from one Samba4 server > > to another > > > On Sat, 2012-08-11 at 22:03 +0200, x-dimens...@gmx.net wrote: > > > Hello! > > > > > > We are using a Samba4.0.0alpha19 (Resara 1.1.2) based domain controller > > in a small production environment and because the Resara development has > > ended we want to switch to a plain Samba4 beta based Ubuntu 12.04/Zentyal > > Server. > > > I have installed and configured the new server with the same domain-name > > and the same hostname like the old server. > > > How can i export the Active Directory from the old server and import it > > to the new Samba4 server? > > > > Something like this (unstested): > > > > Use a different hostname, then run 'samba-tool domain join' to join it > > to the first domain. Then you can use the > > source4/scripting/bin/renamedc script to rename it back to the name of > > the first DC, after running 'samba-tool domain demote' on it. > > > > You may need to seize FSMO roles from one DC to the other with > > 'samba-tool domain fsmo'. > > > > > Do i need to rejoin the clients to the domain, after this? > > > > No. > > > > Additional complications may include DNS configuration. You may need to > > use --dns-backend=none on the join command. > > > > This is just a series of hints to get you started. Hopefully you can > > work it out from here. > > > > Andrew Bartlett > > > > -- > > Andrew Bartletthttp://samba.org/~abartlet/ > > Authentication Developer, Samba Team http://samba.org > > > > > Thank you Andrew, this was very helpful! > Joining the new Samba4 Server to the old one replicates the Active Directory > without a problem! After shutting down the old server, renaming the new > server and restore smb.conf and krb5.conf i can access the new server with > RSAT now. :-) > > What does not work is the dns-backend! :-( > After the AD replication the DNS snap-in from RSAT does not work anymore. > The join option "--dns-backend=none" is not available here (Samba4.0.0beta2 > Zentyal package) > Is there another way to get DNS working after the replication from the old > server? > > I have also another question: What does the "renamedc" script do? > When i start it, it always tells me that there are opened transactions and so > it can't run. > Because of this i simple change the hostname in /etc/hostname/ and /etc/hosts > and run hostname -F /etc/hostname. After a restart all looks good so far. > (but i haven't tested it very much) If you don't rename it in the database, then it won't be able to accept kerberos tickets under it's new name, and other bad things will happen, particularly once you decommission the old name (particularly to do with replication). We may need to work out why the script fails for you (and probably promote it to be a samba-tool command). Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 3.4.3 and DOS read only
I added "dos filemode = yes", but it still does not work. Rats... -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 3.4.3 and DOS read only
On Fri, Aug 17, 2012 at 02:06:22PM -0700, Jim Gallagher wrote: > Jeremy, > > Thanks for the reply! Unfortunately, it did not work. Here is the global > section from smb.conf and the section for the share that I tested with: Hmmm. I just tested with top-of-tree 3.6.x and the settings: store dos attributes = no dos filemode = yes map readonly = yes and using smbclient "setmode" command I can toggle the user "w" bit on the server by doing : smb: \> setmode filename +r smb: \> setmode filename -r Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 3.4.3 and DOS read only
Jeremy, Thanks for the reply! Unfortunately, it did not work. Here is the global section from smb.conf and the section for the share that I tested with: [global] workgroup = AD realm = COMPANY.COM netbios name = server01 server string = server01 Samba Server log file = /var/opt/samba/server01/log.%m log level = 3 lock directory = /var/opt/samba/server01/locks private dir = /var/opt/samba/server01/private pid directory = /var/opt/samba/server01/locks state directory = /var/opt/samba/server01/locks cache directory = /var/opt/samba/server01/locks #root directory = /nothing include = /etc/opt/samba/server01/server01.conf.%m socket address = interfaces = bind interfaces only = yes max log size = 1000 username map = /etc/opt/samba/server01/smbusers.map # Security mode. Use 'ads' for configuring with W2K domain and # use Kerberos as authentication protocol. security = domain local master = no #password server = * password server = wins server = dns proxy = yes encrypt passwords = yes smb passwd file = /var/opt/samba/server01/private/smbpasswd preserve case = yes short preserve case = yes dos filetime resolution = yes read only = no syslog = 0 kernel oplocks = no oplocks = no level2 oplocks = no guest account = smbguest # mmap =no is necessary to prevent a smbd crash use mmap = no unix extensions = no [Test] comment = Setup to test dos RO attribute browseable = No path = /home/jim writeable = yes username = jim ea support = no store dos attributes = no map readonly = yes All help appreciated! Thanks, Jim -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] About s3fs in samba4
> 2012-08-17 17:31 keltezéssel, fe...@epepm.cupet.cu írta: >> Reading Whatsnew.txt in samba I understand that If I use s3fs, as it is >> set by default in the provision step, I won't be able to modify GPOs >> later, right? >> So I have a couple of questions: >> >> - What's the advantage of using s3fs over ntvfs in new installations? >> - If I'm planning to deploy a new Domain, probably needing to change >> GPOs >> later, should I select ntvfs??? >> >> Best regards, >> Felix >> > If you use s3fs, the only thing you may need to do (first test if it is > still necessary it was with the git version a week ago) is to give group > Domain Admins, full access to the sysvol share (and recursively all > subfolders) from a Windows domain member computer (loged in of course as > a member of the Domain Admins group). > The major problem with ntvfs is that it isn't actively developed anymore > and hasn't received those protocol dialect updates (smb2-3) which were > introduced in Vista and 7, and thus it may have compatibility problems > later (no known problem exist so far) > > Regards > > Geza Gemes > -- Thanks a lot for your answer! I'll give it a try to s3fs. Best regards, Felix. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] About s3fs in samba4
2012-08-17 17:31 keltezéssel, fe...@epepm.cupet.cu írta: Reading Whatsnew.txt in samba I understand that If I use s3fs, as it is set by default in the provision step, I won't be able to modify GPOs later, right? So I have a couple of questions: - What's the advantage of using s3fs over ntvfs in new installations? - If I'm planning to deploy a new Domain, probably needing to change GPOs later, should I select ntvfs??? Best regards, Felix If you use s3fs, the only thing you may need to do (first test if it is still necessary it was with the git version a week ago) is to give group Domain Admins, full access to the sysvol share (and recursively all subfolders) from a Windows domain member computer (loged in of course as a member of the Domain Admins group). The major problem with ntvfs is that it isn't actively developed anymore and hasn't received those protocol dialect updates (smb2-3) which were introduced in Vista and 7, and thus it may have compatibility problems later (no known problem exist so far) Regards Geza Gemes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Access denied behaviour on samba
Hi, I'm trying to configure samba to act as the default behaviour of a Windows Server when user is not authorized to access to a share. Let me explain : - Connecting to a samba share using an account which is not in the "valid user" section in smb.conf, Windows client prompts a login/password window - Connecting to a Windows share using an account which is not listed in share permission properties, Windows client prompts an "Access Denied" window. I'd like to have Windows behaviour in order to script drive mapping without caring about user permissions. With default samba behaviour, script is waiting for a login/pass and doesn't run other drive mappings. Best regards, Matthieu ROGER -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] About s3fs in samba4
Reading Whatsnew.txt in samba I understand that If I use s3fs, as it is set by default in the provision step, I won't be able to modify GPOs later, right? So I have a couple of questions: - What's the advantage of using s3fs over ntvfs in new installations? - If I'm planning to deploy a new Domain, probably needing to change GPOs later, should I select ntvfs??? Best regards, Felix -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] XP Administrator has no access to shares
2012-08-17 11:44 keltezéssel, steve írta: Hi S4 DC with S3 fileserver. smb.conf on the fileserver: [global] workgroup = ALTEA realm = HH3.SITE security = ADS kerberos method = secrets and keytab winbind enum users = Yes winbind enum groups = Yes idmap config *:backend = tdb idmap config *:range = 3000-4000 idmap config ALTEA:backend = ad idmap config ALTEA:range = 2-4000 idmap config ALTEA:schema_mode = rfc2307 winbind nss info = rfc2307 winbind expand groups = 2 winbind nested groups = yes usershare allow guests = No winbind refresh tickets = yes [home] path = /home2/home read only = No [staff] path = /home2/staff read only = No [profiles] path = /home2/profiles read only = No store dos attributes = Yes create mask = 0600 directory mask = 0700 [dropbox] path = /home2/dropbox force create mode = 0660 force directory mode = 0770 read only = No wbinfo -u lists Administrator but getent passwd lists only those users with a uidNumber and gidNumber. The latter users can login to xp and enter the shares fine. Administrator can login but gets a password prompt each time he hits a share. Giving the correct password results in XP stating the he has no permission to access the share. How do I get Administrator to enter and manipulate the shares. I thought that that was his purpose. Cheers, Steve First: the Windows in the security model Administrator=root from the Unix world it is just a predefined account memeber of the Administrators or in a domain of the Domain Admins group and that gives access , so you could do all the management operation from any other user account member of the Domain Admins group. Second: samba3 smbd and thus s3fs (I think ntvfs not, but I could be wrong) needs that the connected user have a valid uid/gidnumber in order to be able to check the posix acl permissions, so if you want to connect to a Samba3 box with Administrator, first give it all the posix attributes you've give to the other user accounts (however it doesn't need a unixHomedirectory or loginshell if you won't login e.g. via ssh as Administrator) Regards Geza Gemes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Delete pending after open in M.Office
This is pretty much like our setup - AD member (W2k-Domain) - Windows 7 x64 Office 2010 - max protocol = smb2 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] XP Administrator has no access to shares
Hi S4 DC with S3 fileserver. smb.conf on the fileserver: [global] workgroup = ALTEA realm = HH3.SITE security = ADS kerberos method = secrets and keytab winbind enum users = Yes winbind enum groups = Yes idmap config *:backend = tdb idmap config *:range = 3000-4000 idmap config ALTEA:backend = ad idmap config ALTEA:range = 2-4000 idmap config ALTEA:schema_mode = rfc2307 winbind nss info = rfc2307 winbind expand groups = 2 winbind nested groups = yes usershare allow guests = No winbind refresh tickets = yes [home] path = /home2/home read only = No [staff] path = /home2/staff read only = No [profiles] path = /home2/profiles read only = No store dos attributes = Yes create mask = 0600 directory mask = 0700 [dropbox] path = /home2/dropbox force create mode = 0660 force directory mode = 0770 read only = No wbinfo -u lists Administrator but getent passwd lists only those users with a uidNumber and gidNumber. The latter users can login to xp and enter the shares fine. Administrator can login but gets a password prompt each time he hits a share. Giving the correct password results in XP stating the he has no permission to access the share. How do I get Administrator to enter and manipulate the shares. I thought that that was his purpose. Cheers, Steve -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Delete pending after open in M.Office
Hi Am 16.08.2012 17:33, schrieb Volker Lendecke: > O > Seems so. We have tried to reproduce the problem here > without success. Are there exact instructions out there > somewhere (smb.conf, Windows versions etc) to reproduce the > issue reliably? the logs I provided in the bugzilla report are from samba 3.6.6 on Centos-6.3 x86_64 as AD member smb.conf below But I habe also problem reports from opensuse 11.x and Centos 5 as PDC In the case below clients are Windows 7 x64 and max protocol = smb2 regards Hansjörg [global] workgroup = XXX realm = INTRA.XXX.DE netbios name = FTPSERVER server string = RM-FTP-Server interfaces = 127.0.0.1, eth0 bind interfaces only = Yes security = ADS password server = * username map = /etc/samba/smbusers log level = 1 syslog = 0 log file = /var/log/samba/log.%m printcap name = /dev/null machine password timeout = 604800 os level = 25 preferred master = No local master = No domain master = No dns proxy = No encrypt passwords = yes idmap config * : backend = tdb idmap config * : range = 101-199 idmap config XXX : backend = ad idmap config XXX : schema_mode = rfc2307 idmap config XXX : readonly = yes idmap config XXX : range = 1000-100 max protocol = smb2 wins server = create mask = 0664 directory mask = 0775 use sendfile = Yes hide dot files = No map archive = No dont descend = lost+found load printers= no printing = bsd printcap name = /dev/null [tmp] path = /home_local/tmp comment = tmp-Share browseable = yes writeable = yes wide links = no > > Volker > -- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] net ads user add: Can we prompt for a password?
On 17/08/12 08:47, steve wrote: Hi In a script I have this: net ads user add $1 net ads password $1 some-pwd -UAdministrator%admin-pwd 1. Can I get net ads to prompt for a new password? 2. Is there any way I can avoid having the admin-pwd in the script? Administrator has a ticket but still it fails if I do not supply the pwd. Cheers, Steve Hi again When I create a user, it says his account is disabled. If I go to the DC and:ç samba-tool user setexpiry steve10 --noexpiry It still says that the user is disabled. Why is this? Cheers, Steve -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba