[Samba] Re: Samba PDC autolocking domain administrator account

2009-06-17 Thread Stefan Oberwahrenbrock
Stefan Oberwahrenbrock  wrote in
news:xns9c26809018cb9oberwahrenbrocktr...@80.91.229.13: 


Hello!

It turned out that, after all, there were differences in the setup of the 
test and production system - I just was not aware of them at first:

The test system was built by installing a plain default NT PDC. The default 
NT PDC installation does not make use of a "lockout after bad login 
attempts" policy at all - if you want to use such a policy, you have to 
enable and configure it. The production system was configured to use 
this policy with defaults (LogoutThreshold 5). During migration of both 
systems the settings were also correctly migrated...

Thus, with e.g. the account policy "bad lockout attempt" disabled (pdbedit), 
the domain-administrator does not get locked any more.

Nevertheless, Samba locking down the administrator is unexpected and 
unwanted - in my eyes. With NT the administrator account is not affected 
by the automatic locking mechanism. I think especially for users with a 
migration background (NT 4.0 -> Samba), it would be nice to have the 
same behaviour with a Samba PDC.
In our case, the problem is not that the admins do not remember the 
password of the domain-admin. Instead, some users have the password for 
the local administrator on their local PC. If they log on as local 
administrator and try to connect to a share on some other machine, the 
Samba PDC obviously tries to authenticate the password (hash) of the 
local-admin session against the domain-administrator account. With "bad 
lockout attempt" set to 5, the result is a locked-down 
domain-administrator account (the passwords of the local and domain 
administrator differ, of course!). The only workaround I know is to disable 
"bad lockout attempt" completely or to set it to a relatively high value 
(e.g. 15). With these settings, the local-admin users trying to connect to a 
share do get a new window where they can provide a correct login, after 
Windows has noticed that the first "automatic" connect attempts did not 
work.

Does anyone know if the special handling of the domain-administrator 
account is a topic for future releases of Samba? Is there someone else 
who sees the problem like I do? (Or am I still just too NT4.0-affected ;-))

Greetings,
Stefan

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
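
The lockout behaviour described in the message above, replayed as an added example (not part of the original post and not Samba code): it runs a constructed event list through a simplified bad-attempt counter at thresholds 5, 15 and 0, and reports which clients contributed the failures. The event data, host names, the 30-minute reset window and the function names are assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events (time, account, client, success); this is not
# Samba log output. Host names and the reset window are hypothetical.
EVENTS = [
    ("2009-06-17 08:01:10", "administrator", "PC-017", False),
    ("2009-06-17 08:01:11", "administrator", "PC-017", False),
    ("2009-06-17 08:03:00", "jdoe", "PC-040", False),
    ("2009-06-17 08:03:20", "jdoe", "PC-040", True),
    ("2009-06-17 08:05:30", "administrator", "PC-022", False),
    ("2009-06-17 08:05:31", "administrator", "PC-022", False),
    ("2009-06-17 08:09:02", "administrator", "PC-031", False),
    ("2009-06-17 08:20:00", "administrator", "ADMIN-WS", True),
]


def replay(events, threshold, reset_minutes=30):
    """Return {account: time of lockout} for a bad-attempt threshold.

    Simplified model (an assumption, not Samba's code): a failure increments
    the account's counter, a success or reset_minutes without failures clears
    it, and threshold 0 means the policy is disabled.
    """
    bad = defaultdict(int)
    last_fail = {}
    locked = {}
    window = timedelta(minutes=reset_minutes)
    for ts, account, _client, ok in events:
        if account in locked:
            continue  # further attempts are refused, nothing more to count
        now = datetime.strptime(ts, FMT)
        if account in last_fail and now - last_fail[account] > window:
            bad[account] = 0
        if ok:
            bad[account] = 0
            continue
        bad[account] += 1
        last_fail[account] = now
        if threshold and bad[account] >= threshold:
            locked[account] = ts
    return locked


def failure_sources(events, account, until):
    """Count failed attempts per client for one account up to a timestamp."""
    counts = Counter(
        client for ts, acct, client, ok in events
        if acct == account and not ok and ts <= until
    )
    return dict(counts)


def classify(sources, threshold):
    """Label a lockout by how its failures are distributed over clients."""
    if len(sources) > 1 and max(sources.values()) < threshold:
        return "spread"        # several machines, none reached the limit alone
    return "concentrated"      # one client produced enough failures by itself


if __name__ == "__main__":
    for threshold in (5, 15, 0):
        locked = replay(EVENTS, threshold)
        print("threshold", threshold, "->", locked or "no lockout")
        for account, when in locked.items():
            src = failure_sources(EVENTS, account, when)
            print("  ", account, src, classify(src, threshold))
```

A "spread" result matches the pattern in the post: a few automatic attempts from each of several workstations add up to the threshold, which is worth telling apart from one client failing repeatedly before anyone changes the policy value.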


[Samba] Re: Samba PDC (and Users/Machines) join Server 2003 Domain

2008-02-03 Thread Mike
On Jan 28, 2008 6:18 PM, Mike <[EMAIL PROTECTED]> wrote:

> I've been reading the Official How-To, Chap. 6, Joining an NT4-type Domain
> with Samba-3 because I want to join my current Samba3 PDC server and all its
> users (on Win XP Pro machines) to an MS Server 2003 domain.
>
> What I want to accomplish is --- Maintain the same Samba PDC and user
> account setup, and also make it possible for the Samba users to access data
> in a directory on Server 2003.
>
>
I was going to move forward with an interdomain trust relationship, but the
beginning of Ch. 19 in the TOSHARG suggests, "Given that Samba-3 can
function with a scalable backend authentication database such as LDAP, . . .
the administrator would be well-advised to consider alternatives to the use
of interdomain trusts simply because, by the very nature of how trusts
function, this system is fragile."

A question before I begin with LDAP and kerberos -- If I make my Samba3
server act as a domain member on the MS 2003 server domain, can I continue
to have all WinXP Pro clients login and authenticate to Samba3, or do I need
to make them join, login, and authenticate to the MS 2003 server, and then
give them access to Samba3 server after joining it (Samba3 box) to the MS
2003 domain?

Thanks for your time and patience.


[Samba] Re: Samba PDC Ldap integration

2008-01-06 Thread Andy
Thanks guys, I fixed the problem; it was not actually a software problem. The
switch the server was on was stuffed; it kept dropping out.

Thanks for all your help

On Jan 3, 2008 3:01 PM, Andy <[EMAIL PROTECTED]> wrote:

> Hello all
>
> I have set up a Debian etch server with a samba and ldap integration.
>
>     domain master = yes
>     domain logons = yes
>     os level = 33
>     preferred master = yes
>     local master = yes
>     passdb backend = ldapsam:ldap://localhost/
>
>     ldap admin dn = cn=admin,dc=test,dc=net
>
>     ldap suffix = dc=test,dc=net
>     ldap user suffix = ou=users
>     ldap machine suffix = ou=machines
>     ldap group suffix = ou=groups
>
>     ldap password sync = yes
>
> I have added the machine into LDAP as a samba 3 machine.
> I have added a user to the domain admins group.
>
> When I try to connect a PC to the domain an error message pops up saying
> "the following error occurred attempting to join the domain "test": The
> specific network name is no longer available"
>
> Would someone know the cause of this?
>
> --
> REGARDS,
> Andy Z
>
>


-- 
REGARDS,
Andy Z


Re: [Samba] Re: Samba PDC issue

2007-11-16 Thread Tarak Ranjan



Charles Marcus wrote:

> On 11/16/2007, Tarak Ranjan ([EMAIL PROTECTED]) wrote:
>
>> Hi,
>> As my user's profile store in /home//profile
>>
>> if i use logon home = \\%L\home\%U\profile
>>
>> that will fine or not
>
> As I learned recently, this is not advised.
>
> User profiles should always be stored in an entirely separate share, ie:
>
> homes in:
>
> \server\home\user
>
> and profiles in:
>
> \server\profiles$\user
>
> I use the $ at the end of the profiles share to hide it...

If I want to upgrade from 2.2 to 3.0.26a, and if I have to store the 
users' profiles in a separate location as you mentioned ... what are 
the things I have to do?


--


Thanks & Warm Regards,
Tarak Ranjan Mukherjee

E@: [EMAIL PROTECTED]
IM: [EMAIL PROTECTED]

Online Learning|Certifications|Learning Solutions :
www.liqwidkrystal.com




[Samba] Re: Samba PDC issue

2007-11-16 Thread Charles Marcus

On 11/16/2007, Tarak Ranjan ([EMAIL PROTECTED]) wrote:

> Hi,
> As my user's profile store in /home//profile
>
> if i use logon home = \\%L\home\%U\profile
>
> that will fine or not


As I learned recently, this is not advised.

User profiles should always be stored in an entirely separate share, ie:

homes in:

\server\home\user

and profiles in:

\server\profiles$\user

I use the $ at the end of the profiles share to hide it...

--

Best regards,

Charles


[Samba] Re: samba PDC and lan printer

2007-10-17 Thread Michael Lueck

satish patel wrote:

> I have configured samba with print services and my printer is LAN printer 
> Ethernet jack and my PDC on another subnet so is it possible share printer from 
> other subnet ??


What sort of issues with that configuration are you anticipating? MS Domain 
Browsing issues maybe?

I use CUPS with all Samba implementations I have done. CUPS just needs to know the hostname of the printer to send the print jobs to. Once CUPS is configured properly, it is a simple task to get Samba 
to share the print queue.


I make a few pointers in my presentation:
"Samba 3 PDC for Windows Clients and Samba 3 Book Review"
http://www.lueckdatasystems.com/pub/presentations/iccm2007.pdf

Sincerely,
--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/



Re: [Samba] Re: samba pdc/bdc and trust relationship

2007-08-02 Thread Josh Kelley
On 8/2/07, Mohammad Zohny <[EMAIL PROTECTED]> wrote:
> kindly try to help me in this problem, I need the solution urgently!
>
> On 7/31/07, Mohammad Zohny <[EMAIL PROTECTED]> wrote:
> >
> > Hi all,
> > My environment consists of 2 locations. the first has a windows NT4 PDC
> > (for domain EGVLE) and another SLES10 PDC server (for VLE domain).with a
> > bi-directional trust relationship between them.
> > the second location will have SLES10 server that will work as a BDC for
> > the samba VLE domain.
> > I want to know how the bdc server will take the trust relationship from
> > the PDC server?
> > and what is the optimum solution to do that?

Domain trusts are explained in the Samba HOWTO Collection
(http://samba.org/samba/docs/man/Samba-HOWTO-Collection/) and may also
be covered in Samba By Example
(http://samba.org/samba/docs/man/Samba-Guide/).  Do you have specific
questions not addressed in the docs?

Josh Kelley


[Samba] Re: samba pdc/bdc and trust relationship

2007-08-02 Thread Mohammad Zohny
kindly try to help me in this problem, I need the solution urgently!

On 7/31/07, Mohammad Zohny <[EMAIL PROTECTED]> wrote:
>
> Hi all,
> My environment consists of 2 locations. the first has a windows NT4 PDC
> (for domain EGVLE) and another SLES10 PDC server (for VLE domain).with a
> bi-directional trust relationship between them.
> the second location will have SLES10 server that will work as a BDC for
> the samba VLE domain.
> I want to know how the bdc server will take the trust relationship from
> the PDC server?
> and what is the optimum solution to do that?
>
> Thanks
>


[Samba] Re: Samba PDC, OpenLDAP: "net groupmap list" and Login doesnt work

2007-05-10 Thread Jens Schmidt

Hello together,

I found the (my) bug :-).

"net groupmap list" didn't work in version 3.0.23 because samba changed
something:

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html#id314632

Furthermore I couldn't log in with a testuser because I had a typo in my smb.conf:

http://209.85.135.104/search?q=cache:oyrXRA7BVmAJ:www.silug.org/lists/silug-discuss/200704/msg6.html+init_services_keys:+key+lookup+failed&hl=de&ct=clnk&cd=13&gl=de

Thanks for your help. Now everything is working fine.

Bye, Jens


Jens Schmidt wrote on 09.05.2007:
> Hello List,
> 
> after i installed Samba and the OpenLDAP, i configured this "Team" with
> some Howtos in the internet.
> 
> So, now i populated the data into the LDAP with
> $ smbldap-populate -u 1550 -g 1500
> which worked well.
> 
> Now i can see groups and users and machines in the LDAP Database.
> 
> Then i added a new Testuser with "smbldap-useradd -m -a jens" (which i
> can see in the database, too).
> 
> But if i want to connect over ssh or to the Samba i get a error messages
> "permission denied".
> 
> Then i want to try to list the groupmaps and get the following error:
> 
> [EMAIL PROTECTED] ~# net groupmap list
> [2007/05/09 14:41:44, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3051)
>   ldapsam_setsamgrent: LDAP search failed: No such object
> [2007/05/09 14:41:44, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(3123)
>   ldapsam_enum_group_mapping: Unable to open passdb
> [EMAIL PROTECTED] ~#
> 
> Can Anyone help me, with that Problem? I think, if i can solve this
> error message, i get closer to the "permission denied" problem  :-) .
> 
> Thanks in advance.
> 
> Jens



[Samba] Re: Samba PDC roaming profiles problem

2007-01-21 Thread Daniel O'Connor
On Friday 19 January 2007 23:49, Daniel O'Connor wrote:
>   Windows cannot copy the file \\midget\profiles\darius\Application
>   Data\Ventrilo to location C:\Documents and Settings\darius\Application
>   Data\Ventrilo. Possible causes include network problems or insufficient
>   security rights. If this problem persists, contact your network
>   administrator.
>
>   DETAIL - Configuration information could not be read from the domain
>   controller, either because the machine is unavailable, or access has been
>   denied.

I just got this one again and had another look through the log file and
found this.
[2007/01/21 21:42:31, 0] lib/util_sock.c:read_data(534)
  read_data: read failure for 4 bytes to client 10.0.2.88. Error = Operation timed out

A quick search shows it happens a number of times and always for 4 bytes.

I am guessing this corresponds with the failures to log in and out.. Now to
 work out what the cause is :)

-- 
Daniel O'Connor software and network engineer
for Genesis Software - http://www.gsoft.com.au
"The nice thing about standards is that there
are so many of them to choose from."
  -- Andrew Tanenbaum
GPG Fingerprint - 5596 B766 97C0 0E94 4347 295E E593 DC20 7B3F CE8C



[Samba] Re: samba pdc and notebook in domain

2006-08-10 Thread bob_bipbip
never mind, my tests were not good: i've logged into a client pc just  
after shutting down samba services on the pdc. after a reboot of the  
client, logging in without pdc just works ...




[Samba] Re: samba pdc and notebook in domain

2006-08-10 Thread bob_bipbip
yes, on other windows domains with a windows pdc, it works, but with my  
samba, even if i've logged in to this machine before, when my pdc is down,  
i'm not able to log in 

On Wed, 09 Aug 2006 23:19:38 +0200, Logan Shaw <[EMAIL PROTECTED]> wrote:

> On Wed, 9 Aug 2006, bob_bipbip wrote:
>> hello, when my computer's client is not connected to network (and so  
>> cannot connect to pdc), they are not able to log in, they have a  
>> message telling us that the system can't log in because the domain is  
>> unavailable, how to permit people to log in even if they are not  
>> connected to network?
>
> By default, Windows supports up to 10 (I think) cached logons.
> That means if your user abc logs on while the domain controller
> IS available, then they can log on later when the domain
> controller is NOT available, assuming there haven't been 10
> people who have logged on since then.
>
> So, with a little planning (always be sure to logon before you
> disconnect, so that your identity is in the cache), you can
> use only the network user accounts without having to create
> separate local accounts.  That makes things a lot cleaner and
> simpler, I think.
>
>    - Logan






Re: [Samba] Re: samba pdc & ldap without roaming profiles

2006-08-09 Thread Alexander Kretschmer
There's a difference between what's in the smb.conf and what's stored with 
the user entries in the ldap backend.

Thanks anyway.

bob_bipbip wrote:

> to disable roaming profile for everybody, i'd use this in smb.conf:
> logon drive =
> logon home =
> yes, it's blank ;)





[Samba] Re: samba pdc & ldap without roaming profiles

2006-08-09 Thread bob_bipbip

to disable roaming profile for everybody, i'd use this in smb.conf:
logon drive =
logon home =
yes, it's blank ;)



[Samba] Re: samba pdc and samba domain member server

2006-08-03 Thread éric le hénaff

I have this strange line at the end of the log.winbindd after restart :
[2006/08/03 19:33:31, 0] rpc_parse/parse_prs.c:prs_mem_get(530)
  prs_mem_get: reading data of size 14549202 would overrun buffer.



Miguel Da Silva - Servicio de Informática wrote:

> On Thu, 03 Aug 2006 18:54:57 +0200
> éric le hénaff <[EMAIL PROTECTED]> wrote:
>
>> hello
>> is it possible to have a samba pdc and a samba domain member connected 
>> to that samba pdc ?
>> i installed a samba pdc. it replaced an NT4 pdc. there is a samba domain 
>> member with winbind which worked fine with the NT4 pdc. but it doesn't 
>> work anymore.
>>
>> elh
>>
>> --
>> Éric LE HÉNAFF
>> École normale supérieure - Centre de ressources informatiques
>> Computer scientist, development and systems engineer for the ENS libraries
>
> Sure, it's very possible.
>
> What kind of problem you have?
>
> Greetings.





[Samba] Re: samba pdc and samba domain member server

2006-08-03 Thread éric le hénaff

> Sure, it's very possible.
>
> What kind of problem you have?

The problem is
# wbinfo -u
Error looking up domain users


The PDC is debian sarge with samba 3.0.22 , openldap 2.2.23, 
smbldap-tools 0.8.7

The domain member is debian sarge with samba 3.0.2a

i may clean all tdbs ?

testparm gives:
Load smb config files from /etc/samba/smb.conf
Processing section "[echanges]"
Processing section "[devechanges]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = DOM_
server string = Serveur %h (Samba %v)
security = DOMAIN
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
invalid users = root
oplocks = No
level2 oplocks = No

[echanges]
path = /share/echanges
read only = No
create mask = 0770
force create mode = 0770
directory mask = 0770
force directory mode = 0770
browseable = No



Miguel Da Silva - Servicio de Informática wrote:

> On Thu, 03 Aug 2006 18:54:57 +0200
> éric le hénaff <[EMAIL PROTECTED]> wrote:
>
>> hello
>> is it possible to have a samba pdc and a samba domain member connected 
>> to that samba pdc ?
>> i installed a samba pdc. it replaced an NT4 pdc. there is a samba domain 
>> member with winbind which worked fine with the NT4 pdc. but it doesn't 
>> work anymore.
>>
>> elh
>>
>> --
>> Éric LE HÉNAFF
>> École normale supérieure - Centre de ressources informatiques
>> Computer scientist, development and systems engineer for the ENS libraries
>
> Sure, it's very possible.
>
> What kind of problem you have?
>
> Greetings.





[Samba] Re: samba pdc and samba domain member server

2006-08-03 Thread Miguel Da Silva - Servicio de Informática
On Thu, 03 Aug 2006 19:29:39 +0200
éric le hénaff <[EMAIL PROTECTED]> wrote:

>  > Sure, it's very possible.
>  >
>  > What kind of problem you have?
> 
> The problem is
> # wbinfo -u
> Error looking up domain users
> 
> 
> The PDC is debian sarge with samba 3.0.22 , openldap 2.2.23, 
> smbldap-tools 0.8.7
> The domain member is debian sarge with samba 3.0.2a
> 
> i may clean all tdbs ?
> 
> tesparm gives :
> Load smb config files from /etc/samba/smb.conf
> Processing section "[echanges]"
> Processing section "[devechanges]"
> Loaded services file OK.
> 'winbind separator = +' might cause problems with group membership.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
> 
> # Global parameters
> [global]
>  workgroup = DOM_
>  server string = Serveur %h (Samba %v)
>  security = DOMAIN
>  passwd program = /usr/bin/passwd %u
>  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
> *Retype\snew\sUNIX\spassword:* %n\n .
>  log level = 2
>  syslog = 0
>  log file = /var/log/samba/log.%m
>  max log size = 1000
>  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>  dns proxy = No
>  panic action = /usr/share/samba/panic-action %d
>  idmap uid = 1-2
>  idmap gid = 1-2
>  winbind separator = +
>  invalid users = root
>  oplocks = No
>  level2 oplocks = No
> 
> [echanges]
>  path = /share/echanges
>  read only = No
>  create mask = 0770
>  force create mode = 0770
>  directory mask = 0770
>  force directory mode = 0770
>  browseable = No
> 
> 
> 
> Miguel Da Silva - Servicio de Informática wrote:
> > On Thu, 03 Aug 2006 18:54:57 +0200
> > éric le hénaff <[EMAIL PROTECTED]> wrote:
> > 
> >> hello
> >> is it possible to have a samba pdc and a samba domain member connected 
> >> to that samba pdc ?
> >> i installed a samba pdc. it replaced an NT4 pdc. there is a samba domain 
> >> member with winbind which worked fine with the NT4 pdc. but it doesnt 
> >> work anymore.
> >> elh
> >>
> >> -- 
> >> Éric LE HÉNAFF
> >> École normale supérieure - Centre de ressources informatiques
> >> Computer scientist, development and systems engineer for the ENS 
> >> libraries
> >>
> > 
> > Sure, it's very possible.
> > 
> > What kind of problem you have?
> > 
> > Greetings.
> > 
> 

Are you using "winbind separator = +"? If it's true, it could be the problem.

And what about the logs of smbd and nmbd?

-- 
Miguel Da Silva.
Servicio de Informatica.
Facultad de Ciencias.


[Samba] Re: Samba PDC + OpenLDAP replica

2005-11-05 Thread paul kölle
Jukka Hienola wrote:
> Nov  4 17:37:39 slave smbd[18093]:   fetch_ldap_pw: neither ldap secret
> retrieved!
> Nov  4 17:37:39 slave smbd[18093]: [2005/11/04 17:37:39, 0]
> lib/smbldap.c:smbldap_connect_system(813)
> Nov  4 17:37:39 slave smbd[18093]:   ldap_connect_system: Failed to
> retrieve password from secrets.tdb
> 
> so I assume that Samba can now bind to LDAP directory, but fails when
> trying to get user's data. I don't know
> why Samba is trying to retrieve data from secrets.tdb, because in
> smb.conf I have set
> passdb backend = ldapsam:"ldap://slave.ldap.server
> ldap://master.ldap.server";
For ldap binds, samba needs the password for the DN you have in your
"ldap admin dn" directive. The password should have been set with
"smbpasswd -w".

hth
 Paul



RE: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please?=> For your profiles.]

2005-10-09 Thread Louis van Belle
Ok, I'll see if I can set up a wiki which I will maintain. I've got the servers 
etc., but I'm not so into building a web site. I'll notify the samba list when 
ready. 

I use only debian for my servers and setup,
I have lots of experience with login scripts etc.
atm on windows and novell platforms, I have running debian with samba, ldap, 
cups, acl,etc3, pnp print setup (raw printing), fax is in progress, kix login 
script, use of usrmgr, and ldapadmin.
I'm trying to integrate postfix and exchange 4linux into it, and also I'm looking 
at the hula project. 
When ready I'll put a howto for this on my wiki.

Greetz  louis

-Original Message-
> From: "Gerald (Jerry) Carter"<[EMAIL PROTECTED]>
> Sent: 07-10-05 18:15:01
> To: "Craig White"<[EMAIL PROTECTED]>
> Cc: "samba@lists.samba.org"
> Subject: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please?=> For your profiles.]
>
> Craig White wrote:
>
>> I wonder if having some sort of wiki on samba web site wouldn't be
>> useful for things like logon scripts and registry settings to be
>> shared/discussed so they had their own longevity and current
>> appropriateness as email archives don't often reflect the changing
>> nature of things and sometimes the samba documentation has different
>> objectives.
>
> We've talked about it before but there is a fear that a
> wiki would turn into a propagation mechanism for Samba
> urban legends.  Someone (or a team of people) would need
> to act as editors.  Truthfully, if it were done right, it
> would probably be a good thing.  But if it weren't
> it would be a really bad thing.
>
> It's definitely too much for the developers to take on.
>
> cheers, jerry
> =
> Alleviating the pain of Windows(tm)  --- http://www.samba.org
> GnuPG Key- http://www.plainjoe.org/gpg_public.asc
> "There's an anonymous coward in all of us."   --anonymous



Re: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? => For your profiles.]

2005-10-07 Thread Tomasz Chmielewski

Gerald (Jerry) Carter wrote:

> Tomasz Chmielewski wrote:
>
>> Gerald (Jerry) Carter wrote:
>>
>>> Craig White wrote:
>>>
>>>> I wonder if having some sort of wiki on samba web site wouldn't be
>>>> useful for things like logon scripts and registry settings to be
>>>> shared/discussed so they had their own longevity and current
>>>> appropriateness as email archives don't often reflect the changing
>>>> nature of things and sometimes the samba documentation has different
>>>> objectives.
>>>
>>> We've talked about it before but there is a fear that a
>>> wiki would turn into a propagation mechanism for Samba
>>> urban legends.  Someone (or a team of people) would need
>>> to act as editors.  Truthfully, if it were done right, it
>>> would probably be a good thing.  But if it weren't
>>> it would be a really bad thing.
>>>
>>> It's definitely too much for the developers to take on.
>>
>> IMHO Samba wiki could be a great source of info for both new and
>> advanced users.
>>
>> Why should Samba wiki turn into something bad, if lots of other open
>> source projects have wikis too, and they are useful?
>
> :-) We have a tremendous amount of urban legend on this list.
> Just count the number of times someone has suggested the
> sign-n-seal registry file for XP clients using a Samba 3.0.x
> server.

baah, some time ago I asked the same question :) when I couldn't join XP 
machines to the domain (where Windows 2000 was working fine) - I spent a 
couple of hours trying to figure out what's wrong (some old wins.dat / 
browse.dat on that test server was the cause).

> But we have at least one volunteer, Craig.  And I told him I
> would look into it.  So we'll see what happens.  Anyone else
> interested in monitoring/editing a wiki to ensure accurate
> information?


that's the whole beauty of wiki (at least mediawiki I used, and which is 
used by wikipedia.org):


- you can easily see "recent changes" (new pages/articles, changes on 
pages, who made them etc.)


- you can easily compare changes (i.e. compare the state of an 
article/page we have now with the state we had previously) - so it's 
just a matter of seconds to spot if someone posted crap or something 
valuable



I think the most important thing (and the hardest, too) would be to 
design good categories to post articles in (some articles would be of 
course in multiple categories), like:


- different Samba versions (2, 3, 4...)
- backends
- printing
- configuration
- installation

etc.

Basically, lots of categories could come from Samba HOWTO, but wouldn't 
be just the articles copied/pasted from the HOWTO, but something posted 
by the users, and eventually commented, corrected etc.


I could imagine myself commenting the sign'n'seal hack :)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? => For your profiles.]

2005-10-07 Thread Tomasz Chmielewski

Gerald (Jerry) Carter wrote:

> Craig White wrote:
>
>> I wonder if having some sort of wiki on samba web site wouldn't be
>> useful for things like logon scripts and registry settings to be
>> shared/discussed so they had their own longevity and current
>> appropriateness as email archives don't often reflect the changing
>> nature of things and sometimes the samba documentation has different
>> objectives.
>
> We've talked about it before but there is a fear that a
> wiki would turn into a propagation mechanism for Samba
> urban legends.  Someone (or a team of people) would need
> to act as editors.  Truthfully, if it were done right, it
> would probably be a good thing.  But if it weren't
> it would be a really bad thing.
>
> It's definitely too much for the developers to take on.


IMHO Samba wiki could be a great source of info for both new and 
advanced users.


Why should Samba wiki turn into something bad, if lots of other open 
source projects have wikis too, and they are useful?



--
Tomek
http://wpkg.org
WPKG - software deployment and upgrades with Samba


Re: wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? => For your profiles.]

2005-10-07 Thread Gerald (Jerry) Carter

Tomasz Chmielewski wrote:
> Gerald (Jerry) Carter wrote:
>>
>> Craig White wrote:
>>
>>> I wonder if having some sort of wiki on samba web site wouldn't be
>>> useful for things like logon scripts and registry settings to be
>>> shared/discussed so they had their own longevity and current
>>> appropriateness as email archives don't often reflect the changing
>>> nature of things and sometimes the samba documentation has different
>>> objectives.
>>
>> We've talked about it before but there is a fear that a
>> wiki would turn into a propagation mechanism for Samba
>> urban legends.  Someone (or a team of people) would need
>> to act as editors.  Truthfully, if it were done right, it
>> would probably be a good thing.  But if it weren't
>> it would be a really bad thing.
>>
>> It's definitely too much for the developers to take on.
> 
> IMHO Samba wiki could be a great source of info for both new and
> advanced users.
> 
> Why should Samba wiki turn into something bad, if lots of other open
> source projects have wikis too, and they are useful?

:-) We have a tremendous amount of urban legend on this list.
Just count the number of times someone has suggested the
sign-n-seal registry file for XP clients using a Samba 3.0.x
server.

But we have at least one volunteer, Craig.  And I told him I
would look into it.  So we'll see what happens.  Anyone else
interested in monitoring/editing a wiki to ensure accurate
information?




cheers, jerry


Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? => For your profiles.

2005-10-07 Thread John H Terpstra
On Friday 07 October 2005 07:51, Louis van Belle wrote:
> really,
>
> thank you for notifying me..
>
> but why is this then in the manual
> http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html
> Windows XP Service Pack 1
> There is a security check new to Windows XP (or maybe only Windows XP
> service pack 1).
> It can be disabled via a group policy in the Active Directory. The policy
> is called:
> Computer Configuration\Administrative Templates\System\User Profiles\
>   Do not check for user ownership of Roaming Profile Folders
> ( is same as  CompatibleRUPSecurity"=dword:0001 )
> And yes this is also in SP2.

This was user contributed documentation. The HOWTO document is a broad 
collection of tips, explanations, hints, and detailed explanations of the 
inner workings of Samba. I have re-read the chapter and believe the 
information is still useful, though it could do with some updating. Please 
take note though, the HOWTO is NOT a deployment guide.

Is anyone volunteering to review and revise this chapter? I do not have time 
right now.

Detailed example configurations for Samba, support software and Windows 
clients are provided in the book "Samba-3 by Example" ISBN 013188221X, 
available from Amazon.Com and in PDF from:

http://www.samba.org/samba/docs/Samba3-ByExample.pdf

"Samba3 by Example" is a prescriptive guidance document that provides 
detailed, step-by-step, deployment information for complete networking 
solutions. The book, "The Official Samba-3 HOWTO and Reference Guide" is NOT 
a deployment guide, but it provides detailed documentation of the various 
capabilities and components of Samba - without showing detailed deployment 
steps.

Cheers,
John T.

>
> I used this to avoid problems, and it works for me.
> As I see in the samba list, lots of people have the same problems and
> questions,
> so therefore I give them my working config, and this is what I did.
> That of the requiresignorseal / signsecurechannel I didn't know,
> so I'm going to test this in my 2nd office location. Thank you for notifying
> me of that.
>
> the "ExcludeProfileDirs" is used in my default user profile.
> and these are the default directories:
> Geschiedenis, Local Settings, Temp and Temporary Internet Files
>
> By default there is also "Local Settings".. and I want these to move also
> into the profile dir on the server, there are files in it I need
> when users move to another PC.
> for example.
> %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook  (
> extend.dat )
> Stores a reference to which extensions (addins) you have loaded.
>
> %USERPROFILE%\Local Settings\Application Data\Microsoft\Credentials
> Contains setting of my users, so i excluded this out of the
> excludeprofiledir
>
> just some comment..
>
> Louis
>
> >-----Original message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED]
> >On behalf of Craig White
> >Sent: Friday 7 October 2005 14:39
> >To: samba@lists.samba.org
> >Subject: RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? =>
> >For your profiles.
> >
> >On Fri, 2005-10-07 at 08:54 +0200, Louis van Belle wrote:
> >> when this is done.
> >>
> >> add 2 registry keys.
> >> /cut_here
> >> REGEDIT4
> >> ; do not roam the following folders
> >> [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
> >> "ExcludeProfileDirs"="Temporary Internet Files;History;Temp"
> >>
> >> ;-----
> >> ; force Windows XP Professional clients to accept Samba as a PDC
> >> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
> >> "requiresignorseal"=dword:
> >> "signsecurechannel"=dword:
> >>
> >> ;-----
> >
> >> ; Do not check for user ownership of Roaming Profile Folders
> >> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
> >> "CompatibleRUPSecurity"=dword:0001
> >> /cut_here
> >
> >-
> >I hate to see people encouraged to apply unnecessary fixes that were
> >suggested to work around issues that were created as temporary
> >solutions
> >to the moving target of Windows.
> >
> >requiresignorseal / signsecurechannel issues have long since been fixed
> >in Samba - no need for those registry changes - this was a Samba 2.x
> >issue.
> >

wiki.samba.org ? [was Re: [Samba] Re: SAMBA/PDC + LDAP HELP please? => For your profiles.]

2005-10-07 Thread Gerald (Jerry) Carter

Craig White wrote:

> I wonder if having some sort of wiki on samba web site wouldn't be
> useful for things like logon scripts and registry settings to be
> shared/discussed so they had their own longevity and current
> appropriateness as email archives don't often reflect the changing
> nature of things and sometimes the samba documentation has different
> objectives.

We've talked about it before but there is a fear that a
wiki would turn into a propagation mechanism for Samba
urban legends.  Someone (or a team of people) would need
to act as editors.  Truthfully, if it were done right, it
would probably be a good thing.  But if it weren't
it would be a really bad thing.

It's definitely too much for the developers to take on.



cheers, jerry
=
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
"There's an anonymous coward in all of us."   --anonymous


RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? => For your profiles.

2005-10-07 Thread Craig White
On Fri, 2005-10-07 at 15:51 +0200, Louis van Belle wrote:
> really,
> 
> thank you for notifying me..
> 
> but why is this then in the manual 
> http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html 
> Windows XP Service Pack 1
> There is a security check new to Windows XP (or maybe only Windows XP
> service pack 1). 
> It can be disabled via a group policy in the Active Directory. The policy is
> called: 
> Computer Configuration\Administrative Templates\System\User Profiles\
>   Do not check for user ownership of Roaming Profile Folders
> ( is same as  CompatibleRUPSecurity"=dword:0001 ) 
> And yes this is also in SP2.
> 
> I used this to avoid problems, and it works for me.
> As I see in the samba list, lots of people have the same problems and
> questions,
> so therefore I give them my working config, and this is what I did.
> That of the requiresignorseal / signsecurechannel I didn't know,
> so I'm going to test this in my 2nd office location. Thank you for notifying
> me of that.
> 
> the "ExcludeProfileDirs" is used in my default user profile.
> and these are the default directories:
> Geschiedenis, Local Settings, Temp and Temporary Internet Files
> 
> By default there is also "Local Settings".. and I want these to move also
> into the profile dir on the server, there are files in it I need
> when users move to another PC.
> for example. 
> %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook  (
> extend.dat ) 
> Stores a reference to which extensions (addins) you have loaded.
> 
> %USERPROFILE%\Local Settings\Application Data\Microsoft\Credentials
> Contains setting of my users, so i excluded this out of the
> excludeprofiledir
> 
> just some comment.. 
-
good points - perhaps John Terpstra might want to comment on the
'CompatibleRUPSecurity' registry setting and continuity of this setting.
I haven't bothered with it and haven't had any issues.

I wonder if having some sort of wiki on samba web site wouldn't be
useful for things like logon scripts and registry settings to be
shared/discussed so they had their own longevity and current
appropriateness as email archives don't often reflect the changing
nature of things and sometimes the samba documentation has different
objectives.

Craig




RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? => For your profiles.

2005-10-07 Thread Louis van Belle
really,

thank you for notifying me..

but why is this then in the manual 
http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html 
Windows XP Service Pack 1
There is a security check new to Windows XP (or maybe only Windows XP
service pack 1). 
It can be disabled via a group policy in the Active Directory. The policy is
called: 
Computer Configuration\Administrative Templates\System\User Profiles\
  Do not check for user ownership of Roaming Profile Folders
( is same as  CompatibleRUPSecurity"=dword:0001 ) 
And yes this is also in SP2.

I used this to avoid problems, and it works for me.
As I see in the samba list, lots of people have the same problems and
questions,
so therefore I give them my working config, and this is what I did.
That of the requiresignorseal / signsecurechannel I didn't know,
so I'm going to test this in my 2nd office location. Thank you for notifying
me of that.

the "ExcludeProfileDirs" is used in my default user profile.
and these are the default directories:
Geschiedenis, Local Settings, Temp and Temporary Internet Files

By default there is also "Local Settings".. and I want these to move also
into the profile dir on the server, there are files in it I need
when users move to another PC.
for example. 
%USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook  (
extend.dat ) 
Stores a reference to which extensions (addins) you have loaded.

%USERPROFILE%\Local Settings\Application Data\Microsoft\Credentials
Contains setting of my users, so i excluded this out of the
excludeprofiledir

just some comment.. 

Louis




>-----Original message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]
>On behalf of Craig White
>Sent: Friday 7 October 2005 14:39
>To: samba@lists.samba.org
>Subject: RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? =>
>For your profiles.
>
>On Fri, 2005-10-07 at 08:54 +0200, Louis van Belle wrote:
>
>> when this is done. 
>> 
>> add 2 registry keys.
>> /cut_here
>> REGEDIT4
>> ; do not roam the following folders
>> [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
>> "ExcludeProfileDirs"="Temporary Internet Files;History;Temp"
>>
>> ;-----
>> ; force Windows XP Professional clients to accept Samba as a PDC
>> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
>> "requiresignorseal"=dword:
>> "signsecurechannel"=dword:
>>
>> ;-----
>> ; Do not check for user ownership of Roaming Profile Folders
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
>> "CompatibleRUPSecurity"=dword:0001
>> /cut_here
>> 
>-
>I hate to see people encouraged to apply unnecessary fixes that were
>suggested to work around issues that were created as temporary 
>solutions
>to the moving target of Windows.
>
>requiresignorseal / signsecurechannel issues have long since been fixed
>in Samba - no need for those registry changes - this was a Samba 2.x
>issue.
>
>I am pretty certain that the 'CompatibleRUPSecurity' registry patch
>isn't needed any longer as well, I think that was an issue created from
>original release of WinXP SP1
>
>The 'ExcludeProfileDirs' - those folders should have been excluded
>automatically.
>
>Craig
>
>


RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? => For your profiles.

2005-10-07 Thread Craig White
On Fri, 2005-10-07 at 08:54 +0200, Louis van Belle wrote:

> when this is done. 
> 
> add 2 registry keys.
> /cut_here
> REGEDIT4
> ; do not roam the following folders
> [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
> "ExcludeProfileDirs"="Temporary Internet Files;History;Temp"
> 
> ;-
> ; force Windows XP Professional clients to accept Samba as a PDC
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
> "requiresignorseal"=dword:
> "signsecurechannel"=dword: 
> 
> ;-
> ; Do not check for user ownership of Roaming Profile Folders
> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
> "CompatibleRUPSecurity"=dword:0001
> /cut_here
> 
-
I hate to see people encouraged to apply unnecessary fixes that were
suggested to work around issues that were created as temporary solutions
to the moving target of Windows.

requiresignorseal / signsecurechannel issues have long since been fixed
in Samba - no need for those registry changes - this was a Samba 2.x
issue.

I am pretty certain that the 'CompatibleRUPSecurity' registry patch
isn't needed any longer as well, I think that was an issue created from
original release of WinXP SP1

The 'ExcludeProfileDirs' - those folders should have been excluded
automatically.

Craig




RE: [Samba] Re: SAMBA/PDC + LDAP HELP please? => For your profiles.

2005-10-06 Thread Louis van Belle
Hi, For the profile problems. 

This is my working config.

in the smb.conf
(global setting ) 
## MISC PROFILE
logon script = logon.cmd
logon home = \\%L\%U
logon path = \\%L\profiles\%U
logon drive = P:

and 

[profiles]
path = /home/samba/profiles
comment = Profiel omgeving
read only = no
create mask = 0600
directory mask = 0700
## browseable = yes can be no also, but i need it to be browsable.
## if you want it browsable but not shown, add a $ behind [profiles$] 
## and same in the logon path above.
browseable = Yes
guest ok = Yes
csc policy = disable 
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U @"Domain Admins"

when this is done. 

add 2 registry keys.
/cut_here
REGEDIT4
; do not roam the following folders
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ExcludeProfileDirs"="Temporary Internet Files;History;Temp"

;-
; force Windows XP Professional clients to accept Samba as a PDC
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:
"signsecurechannel"=dword: 

;-
; Do not check for user ownership of Roaming Profile Folders
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:0001
/cut_here

this will work, and many thanks to those who helped me out some time ago ;-) 

Louis

>-----Original message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]
>On behalf of Ryan Taylor
>Sent: Thursday 6 October 2005 17:56
>To: samba@lists.samba.org
>Subject: [Samba] Re: SAMBA/PDC + LDAP HELP please?
>
>Ok, I figured it out!! Thank you for the help and for others the change was
>in /etc/ldap.conf and I had:
>rootbinddn = cn=root,ou=???,dc=beefylinux,dc=com
>I removed the ou=group after root and changed "rootbinddn" to just "binddn"
>and that did it..
>
>Everything works great except for the profiles which the Windows machine
>doesn't seem to know about the %L variable. I imagine this is because I am
>on Samba 3.0.10 not 3.0.20a so maybe it's a new variable...
>
>Anyway, just wanted to say Thank you to everyone for the help. The Microsoft
>rep. assigned to our company is not going to be happy next week when time to
>renew!! ha, i love it.
>
>--Ryan Taylor
>[EMAIL PROTECTED]
>Micro Consultants


[Samba] Re: SAMBA/PDC + LDAP HELP please?

2005-10-06 Thread Ryan Taylor
Ok, I figured it out!! Thank you for the help and for others the change was
in /etc/ldap.conf and I had:
rootbinddn = cn=root,ou=???,dc=beefylinux,dc=com
I removed the ou=group after root and changed "rootbinddn" to just "binddn"
and that did it..

Everything works great except for the profiles which the Windows machine
doesn't seem to know about the %L variable. I imagine this is because I am
on Samba 3.0.10 not 3.0.20a so maybe it's a new variable...

Anyway, just wanted to say Thank you to everyone for the help. The Microsoft
rep. assigned to our company is not going to be happy next week when time to
renew!! ha, i love it.

--Ryan Taylor
[EMAIL PROTECTED]
Micro Consultants


[Samba] Re: samba PDC -- really stuck here

2005-09-08 Thread David . Grudek
Under your smb.conf file change the

logon path = \\%N\profiles\%u

to

logon path = 

and this will have it use the local machine.


[Samba] Re: Samba PDC + Openldap (no database connection established after reboot)

2005-09-02 Thread Charles Marcus

Finally, one I can answer!

> Hi, all.  I really need your help in determining what I did wrong.  I have
> been trying to setup Samba PDC (not using TLS at this initial stage yet) by
> hand on SLES 9.1 and did not use YAST because somehow it just did not work.
>
> I followed all the steps from the "The Linux Samba-OpenLDAP Howto (1.10)
> from IDEALX.org) and Chapter 5 Making Happy Users from the book and a bunch
> of other papers, and finally I got something working.  I was able to do:
>
> Basically many steps recommended for testing and all the outputs are correct
> according to the example outputs.   I did turn on debugging values for all
> components and everything seems to work ok without any errors.
>
> So I rebooted the server and then after everything came up, I tried to do
> these testings again,
> Now slapcat, ldsearch would show no outputs and the log show no error of any
> kinds (from my interpretation).
>
> I set up everything again and backup all the config files just in case.  I
> rebooted the server and the same problem happened.


Are you by any chance using ReiserFS?

There is a bug in the SuSE kernel in SLES9 (there is no SLES9.1 by the 
way, though SLES9 is up to sp2 now). SuSE just issued an update 
yesterday for this bug, so all you need to do is run YAST and update 
your kernel and you're good to go.


--

Charles


[Samba] Re: Samba + PDC + LDAP (Sun One DS 5.2, Messaging and Identity)

2005-03-15 Thread Michal Kurowski
Hafiz Abdul Rehman [EMAIL PROTECTED] wrote:
> 
> I am planing to install Samba as PDC for Windows XP Machines and LDAP
> (Sun ONE DS 5.2 + Messaging + Identity ) as backend sam
> if some one have already setup this kind of environment and can write
> down the steps in which order i have to install and configure products
> what would be great

I'd suggest thinking about the design a bit more - the basic question
is: what is the purpose of Sun Messaging and Identity Servers ?

The latter might be highly useful (at least judging from specs) when
integrating with legacy MS Active Directory but I can't think of any
use of the former ;-) 

The Directory Server is a very solid and feature rich Ldap
implementation though. What you will need to "tweak":

- uploading the samba schema 
- configuring the TLS for secure communication with samba

If you're going to deploy samba on Solaris I'd suggest compiling with
openldap libraries. But do not switch the whole solaris ldap client
side to it. The native tools are very mature and can be configured
easily with DS in a secure way (because of "proxyagent").

Let us know if you have any specific problem.

Cheers,
 
-- 
Michal Kurowski
<[EMAIL PROTECTED]>


[Samba] Re: Samba PDC setting up user groups and policies (Help)

2005-01-28 Thread Dana Forte
Sounds like your users are not being mapped to the "Domain Users" ntgroup.

'net groupmap list' on the PDC will tell you what unixgroup the "Domain 
Users" ntgroup is being mapped to.  Then just make sure your samba users are 
a member of that unixgroup.



"jonlists" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Ouch I assume that your XP Workstations are domain members, then,
> right?
>
> Jon Johnston
> Creative Business Solutions
> IBM,Microsoft, Novell/Suse, Sophos Consultants
> http://www.cbsol.com
> 952-544-1108
> Blog: http://bingo.cbsol.com
>
> [EMAIL PROTECTED] wrote on 01/28/2005
> 01:08:29 PM:
>
>> I have a Samba PDC, and have problems setting up user
>> groups to limit activity and access to file folders in
>> Windows XP. I have administrative users that work fine.
>> New users added as power users or regular users can log
>> into machine client but don't even have access to the local
>> C: drive. Can't change backgrounds or even unlock the
>> taskbar. As long as they are added as user to the machine
>> with admin privileges or added to admin group the account
>> works fine.


[Samba] Re: Samba PDC Server Local SID, Domain SID, and GROUP RID Question

2004-12-17 Thread Bryan K. Walton
On Mon, Dec 13, 2004 at 09:32:27AM -0600, bryanw wrote:

>   My samba PDC is using the tdbsam backend and, for the most part
> is working flawlessly.  However, when using smbpasswd to add samba accounts,
> I always get the following error:
> 
> tdb_update_sam: Failing to store a SAM_ACCOUNT for [userid] without a primary
> group RID
> 
> Now, I've googled a lot on this and have read through the mailing list
> archives and know that this often has to do with people not having
> group mapping setup.  But I do:
> 
> jerry:~# net groupmap list | grep users
> Users (S-1-5-32-545) -> users
> Domain Users (S-1-5-21-1590455367-7305976-751859383-513) -> users
> 

As it turns out, I had group mapping set up, but "too" thoroughly. 
Found this in the archives:

-- snip --

The problem can be also caused if you already have 'Domain Users ->
users' and add 'Users -> users' since Samba maps gid -> SID by finding
the first SID -> gid mapping with the right gid and will fail if 'Users
-> users' is the first map it encounters.

-- end snip --


Thanks,
Bryan Walton
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
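
The condition described in the message above, two NT groups mapped to the same Unix group, can be checked mechanically. This is an added example, not part of the original thread or of Samba; it assumes the `NT name (SID) -> unixgroup` line format shown in the message, and the function names and the `Domain Admins -> ntadmins` sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Unix groups that are the target of more than one
# NT group mapping in `net groupmap list` output (read from stdin).

find_shared_unix_groups() {
    awk '
    {
        sep = index($0, " -> ")
        if (sep == 0) next                  # not a mapping line
        left = substr($0, 1, sep - 1)       # NT name (SID)
        unix = substr($0, sep + 4)          # Unix group name
        sub(/[ \t\r]+$/, "", unix)

        # The SID is the parenthesised token that ends the left-hand side.
        if (!match(left, /\(S-[0-9-]+\)$/)) next
        sid = substr(left, RSTART + 1, RLENGTH - 2)
        nt  = substr(left, 1, RSTART - 1)
        sub(/[ \t]+$/, "", nt)

        count[unix]++
        if (count[unix] == 1) order[++n] = unix   # keep first-seen order
        members[unix] = members[unix] (count[unix] > 1 ? "; " : "") nt " (" sid ")"
    }
    END {
        # Mappings are listed in input order, so the first entry on each
        # output line is the mapping that is encountered first.
        for (i = 1; i <= n; i++) {
            u = order[i]
            if (count[u] > 1) printf "%s: %s\n", u, members[u]
        }
    }'
}

# Constructed sample: the two lines from the message plus one made-up
# mapping that does not collide.
sample_groupmap() {
    cat <<'EOF'
Users (S-1-5-32-545) -> users
Domain Users (S-1-5-21-1590455367-7305976-751859383-513) -> users
Domain Admins (S-1-5-21-1590455367-7305976-751859383-512) -> ntadmins
EOF
}

# On a PDC: net groupmap list | find_shared_unix_groups
sample_groupmap | find_shared_unix_groups
```

An empty result means every Unix group is the target of at most one mapping.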


[Samba] Re: Samba PDC print share

2004-12-12 Thread Florin Vlaicu
I am trying to share a printer from samba to windows clients. I am
using the cups subsystem.
As a printer I am using Canon LBP 1120. I have found and installed the
drivers from the japanese site, and I can print from linux directly on
it.

I managed to add the CUPS postscript drivers to the print$ share, and
the printer installs on the clients without any problems. I have also
set up the default preferences of the printer to initialize it.

The problem is that after I print something from the clients I cannot
print anything on the printer. I can see the job in the queue but it
doesn't do anything.

I can't print on linux either after this.

PS. sorry for the first message, instead of saving it I pressed send :P


[Samba] Re: SAMBA PDC

2004-11-05 Thread Jim C.
> Excuse me for the late answer, but I am ill now and have no possibility to
> test this.
> If I am feeling better tomorrow, I will test it.

I hope you will be feeling better soon.  I also hope that my latest 
advice is of some use to you as I've not encountered anything else that 
would cause this kind of trouble.

Jim C.
--
-
| I can be reached on the following Instant Messenger services: |
|---|
| MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844  |
|---|
| Y!: j_c_llingsJabber: jcllings @ njs.netlab.cz|
-


Re: [Samba] Re: SAMBA PDC

2004-11-05 Thread Yovko Yovkov
Excuse me for the late answer, but I am ill now and have no possibility to 
test this.
If I am feeling better tomorrow, I will test it.

Yet again - thank you for helping me!

On Thursday 04 November 2004 22:20, Jim C. wrote:
> Just delete the values for these two and then give it a try.  GQ is good
> for this.  I believe these can be set using smbldap-tools but as I
> recall, the tools will not accept a blank setting which is what you
>
> probably need if you want the default settings in smb.conf:
> > sambaProfilePath: \\PDC\profiles\yyovkov
> > sambaHomePath: \\PDC\homes
>
> Jim C.
> --
> -
>
> | I can be reached on the following Instant Messenger services: |
> |---|
> | MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844  |
> |---|
> | Y!: j_c_llingsJabber: jcllings @ njs.netlab.cz |
>
> -


[Samba] Re: SAMBA PDC

2004-11-04 Thread Jim C.
Just delete the values for these two and then give it a try.  GQ is good 
for this.  I believe these can be set using smbldap-tools but as I 
recall, the tools will not accept a blank setting which is what you 
probably need if you want the default settings in smb.conf:

sambaProfilePath: \\PDC\profiles\yyovkov
sambaHomePath: \\PDC\homes
Jim C.
--
-
| I can be reached on the following Instant Messenger services: |
|---|
| MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844  |
|---|
| Y!: j_c_llingsJabber: jcllings @ njs.netlab.cz|
-


Re: [Samba] Re: SAMBA PDC

2004-11-04 Thread Yovko Yovkov
OK, you have already smb.conf, so here I will put export LDIF from one of the 
users I have created in LDAP:

dn: uid=yyovkov, ou=People, dc=reycon,dc=com
sambaLMPassword: 13670ACF22F45FEEAAD3B435B51404EE
sambaPrimaryGroupSID: S-1-5-21-1952575153-1713921984-2977106978-513
displayName: System User
sambaLogonScript: yyovkov.cmd
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
userPassword:: e01ENX1yR0xxN0czRDZCMm9iZnUxSlN3UC9BPT0=
sambaLogonTime: 0
sambaHomeDrive: H:
uid: yyovkov
uidNumber: 1000
cn: yyovkov
sambaLogoffTime: 2147483647
sambaPwdLastSet: 1099499816
sambaAcctFlags: [U  ]
loginShell: /bin/bash
sambaProfilePath: \\PDC\profiles\yyovkov
gidNumber: 513
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1099499816
sambaNTPassword: 9AAD35A15F8A1C96621CAFC578846E51
gecos: System User
sambaSID: S-1-5-21-1952575153-1713921984-2977106978-3000
description: System User
homeDirectory: /home/users/yyovkov
sambaKickoffTime: 2147483647
sn: yyovkov
sambaHomePath: \\PDC\homes



On Thursday 04 November 2004 09:32, Jim C. wrote:
> > When the problem occurs, on the Windows machine I find that %LOGONSERVER%
> > variable is changed... So I think that the problem is near WINS, but I
> > can not find where...
>
> OK, then let's look at something else that might be relevant.  What
> settings do you have for the user's sambaHomePath and sambaProfilePath
> in the database?  I believe these will be used by default over the
> "logon path" and "logon home" settings in smb.conf.
>
> I set mine to blank in the user's record just after adding a user. That
> way the system defaults to the smb.conf settings.
>
> Jim C.
> --
> -
>
> | I can be reached on the following Instant Messenger services: |
> |---|
> | MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844  |
> |---|
> | Y!: j_c_llingsJabber: jcllings @ njs.netlab.cz |
>
> -


[Samba] Re: SAMBA PDC

2004-11-03 Thread Jim C.
> When the problem occurs, on the Windows machine I find that %LOGONSERVER%
> variable is changed... So I think that the problem is near WINS, but I can
> not find where...

OK, then let's look at something else that might be relevant.  What 
settings do you have for the user's sambaHomePath and sambaProfilePath 
in the database?  I believe these will be used by default over the 
"logon path" and "logon home" settings in smb.conf.

I set mine to blank in the user's record just after adding a user. That 
way the system defaults to the smb.conf settings.

Jim C.
--
-
| I can be reached on the following Instant Messenger services: |
|---|
| MSN: j_c_llings @ hotmail.com  AIM: WyteLi0n  ICQ: 123291844  |
|---|
| Y!: j_c_llingsJabber: jcllings @ njs.netlab.cz|
-


Re: [Samba] Re: SAMBA PDC

2004-11-03 Thread Yovko Yovkov
No, I have no problems with this... 
The profile is created normally...

When the problem occurs, on the Windows machine I find that %LOGONSERVER% 
variable is changed... So I think that the problem is near WINS, but I can 
not find where...

Could you send me some smb.conf example which works fine?

On Wednesday 03 November 2004 22:47, Jim C. wrote:
> > Thanks for help.
> > OK there is attached output from $ testparm -vs
> > I have heard something about using SRV records in DDNS, are they
> > necessary in this case?
>
> I doubt it.  I've never used them before and mine runs fine.
>
> This could be a profile permissions issue. Is your system having any
> trouble creating a profile with the correct perms/ownerships? To find
> out, use:
>
> ls -l /var/lib/samba/profiles | grep [username]
>
> Like so:
>
> [EMAIL PROTECTED] 0 samba]$ ls -l /var/lib/samba/profiles | grep njim
> drwx--  19 njim  Domain Users  4096 Nov  2 23:55 njim
>
> Assuming you want roaming profiles and not mandatory profiles, it may
>
> be best to omit the profdata share. My profiles section looks like this:
> > [profiles]
> > comment = Profile Share
> > path = /var/lib/samba/profiles
> > read only = No
> > profile acls = Yes
> > browseable = No
> > hide dot files = Yes
> > root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; \
> > then mkdir -pm700 $PROFILE; chown "%u"."%g" $PROFILE; fi
>
> Now for a test, you can create the users profile directory by hand using
> the correct permissions and ownerships.  Then log in and if the problem
> goes away, you know that this is the issue.
>
> The root preexec statement mentioned above causes a short script to be
> executed before user login.  The script I've specified above will check
> to see if the user has a valid profile and if not it will create one
> with the appropriate permissions and ownerships. One would expect this
> to be automatic but what I found was that permissions for the parent
> directory necessary for automatic profile directory creation were
> unacceptable (i.e. the user could save or delete files in the directory
> beneath their own which is /var/lib/samba/profiles).
>
> Of course this is a bit of overhead each time someone logs in.  If you
> want a little more of a scalable solution, write a short script that
> creates the directory as the user is added to the system.
>
> Let me know if this works for you.
>
>
>
> Jim C.


[Samba] Re: SAMBA PDC

2004-11-03 Thread Jim C.
> Thanks for help.
> OK there is attached output from $ testparm -vs
> I have heard something about using SRV records in DDNS, are they necessary in 
> this case?

I doubt it.  I've never used them before and mine runs fine.

This could be a profile permissions issue. Is your system having any 
trouble creating a profile with the correct perms/ownerships? To find 
out, use:

ls -l /var/lib/samba/profiles | grep [username]

Like so:

[EMAIL PROTECTED] 0 samba]$ ls -l /var/lib/samba/profiles | grep njim
drwx------  19 njim  Domain Users  4096 Nov  2 23:55 njim

Assuming you want roaming profiles and not mandatory profiles, it may 
be best to omit the profdata share. My profiles section looks like this:

[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
browseable = No
hide dot files = Yes
root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; \
then mkdir -pm700 $PROFILE; chown "%u"."%g" $PROFILE; fi
Now for a test, you can create the users profile directory by hand using 
the correct permissions and ownerships.  Then log in and if the problem 
goes away, you know that this is the issue.

The root preexec statement mentioned above causes a short script to be 
executed before user login.  The script I've specified above will check 
to see if the user has a valid profile and if not it will create one 
with the appropriate permissions and ownerships. One would expect this 
to be automatic but what I found was that permissions for the parent 
directory necessary for automatic profile directory creation were 
unacceptable (i.e. the user could save or delete files in the directory 
beneath their own which is /var/lib/samba/profiles).

Of course this is a bit of overhead each time someone logs in.  If you 
want a little more of a scalable solution, write a short script that 
creates the directory as the user is added to the system.

Let me know if this works for you.

Jim C.
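Added example, not part of the original post: one way to write the "short script that creates the directory as the user is added" suggested above, as a hardened counterpart to the root preexec one-liner. The function names are hypothetical; PROFILE_ROOT defaults to the path used in the thread, and the chown step is assumed to run as root from the account-creation script.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
PROFILE_ROOT="${PROFILE_ROOT:-/var/lib/samba/profiles}"

# Accept only names that cannot escape PROFILE_ROOT or be read as an option.
valid_account() {
    case "$1" in
        ''|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# True when group or others may write to PROFILE_ROOT, the condition the
# post describes: users could save or delete files beside the profiles.
parent_writable_by_others() {
    mode=$(ls -ld -- "$PROFILE_ROOT" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Print the ls-style mode string of one profile directory, e.g. drwx------
profile_mode() {
    ls -ld -- "$PROFILE_ROOT/$1" | cut -c1-10
}

# make_profile_dir USER GROUP: create PROFILE_ROOT/USER with mode 700.
make_profile_dir() {
    p_user=$1
    p_group=$2
    valid_account "$p_user" || { echo "refusing account name '$p_user'" >&2; return 2; }
    # With a parent that others can write to, anyone could plant or swap
    # entries under it, so nothing below can be trusted.
    if parent_writable_by_others; then
        echo "$PROFILE_ROOT is writable by group or others" >&2
        return 6
    fi
    p_dir=$PROFILE_ROOT/$p_user
    # A symlink at the target would redirect chmod/chown somewhere else.
    if [ -L "$p_dir" ]; then
        echo "refusing symlink $p_dir" >&2
        return 3
    fi
    if [ ! -d "$p_dir" ]; then
        mkdir -m 700 -- "$p_dir" || return 4
    fi
    chmod 700 -- "$p_dir" || return 4
    # Only root can hand the directory over, and only to an account the
    # system can resolve; otherwise it stays private to the caller.
    if [ "$(id -u)" -eq 0 ] && id "$p_user" >/dev/null 2>&1; then
        chown -- "$p_user:$p_group" "$p_dir" || return 5
    else
        echo "ownership of $p_dir left unchanged" >&2
    fi
    return 0
}
```

Called as `make_profile_dir "$user" "$group"` from the account-creation step, this removes the per-login overhead and lets the profile root stay non-writable for ordinary users.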


Re: [Samba] Re: SAMBA PDC

2004-11-03 Thread Yovko Yovkov
Thanks for help.
OK there is attached output from $ testparm -vs
I have heard something about using SRV records in DDNS, are they necessary in 
this case?


On Wednesday 03 November 2004 20:46, Jim C. wrote:
> > OK, I still have problems to run samba as PDC.
>
> ...
>
> > Can some help me, please!
>
> We'll need some data first.  To start with, post the output of the
> "testparm" command. This will tell us much about your setup and will
> also test smb.conf for syntax errors.
>
>
> Jim C.
# Global parameters
[global]
dos charset = CP850
unix charset = UTF8
display charset = LOCALE
workgroup = REYCON-1
realm = 
netbios name = PDC
netbios aliases = 
netbios scope = 
server string = Samba 3.0.5
interfaces = eth0, lo
bind interfaces only = Yes
security = USER
auth methods = 
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes
hosts equiv = 
min passwd length = 5
map to guest = Never
null passwords = No
obey pam restrictions = No
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = ldapsam:ldap://pdc.reycon.com
algorithmic rid base = 1000
root directory = 
guest account = nobody
pam password change = No
passwd program = 
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 2
username map = /etc/samba/smbusers
password level = 0
username level = 0
unix password sync = No
restrict anonymous = 0
lanman auth = Yes
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = Yes
preload modules = 
log level = 1
syslog = 0
syslog only = No
log file = /var/log/samba/%m
max log size = 50
timestamp logs = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
smb ports = 139 445
protocol = NT1
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
acl compatibility = 
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 16644
name resolve order = wins bcast hosts
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = Yes
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
change notify timeout = 60
deadtime = 0
getwd cache = Yes
keepalive = 300
kernel change notify = Yes
lpq cache time = 10
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 1
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
use mmap = Yes
hostname lookups = No
name cache timeout = 660
load printers = Yes
printcap name = cups
disable spoolss = No
enumports command = 
addprinter command = 
deleteprinter command = 
show add printer wizard = No
os2 driver map = 
mangling method = hash2
mangle prefix = 1
stat cache = Yes
machine password timeout = 604800
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl %u
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
shutdown script = 
abort shutdown script = 
logon script = scripts\logon.bat
logo

[Samba] Re: SAMBA PDC

2004-11-03 Thread Jim C.
> OK, I still have problems to run samba as PDC.
> ...
> Can some help me, please!

We'll need some data first.  To start with, post the output of the 
"testparm" command. This will tell us much about your setup and will 
also test smb.conf for syntax errors.

Jim C.


Re: [Samba] Re: Samba PDC Problem

2004-07-27 Thread Paul Gienger

> The last one is well-documented: on XP you need to set certain registry
> parameter, which I don't remember now, to zero.

This was only an issue for samba pre 3.0, since the 3.0 release it is no 
longer needed.  You're most likely referring to the SignOrSeal registry 
patch.

> Hope this helps.
> -- Kang
> "Kiryl Hakhovich" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > Hey Michael,
> > thanks for a quick response.
> > When i try to use BCHECKUP\Administrator it says "The parameter is
> > incorrect" and does not work with ldap at all.
> > (BCHECKUP is my domain name)
> > I guess something wacky about my configs?
> > Thanks.
> > Michael Wray wrote:
> > > Sounds like Samba SID doesn't match SID being sent by XP workstation, which
> > > btw is what is being sent, not USERNAME Administrator.  TO make sure it
> > > works for Admin's user name send sambamachinename\Administrator as the
> > > username...then the sid's should match.
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] Behalf Of Kiryl
> > > Hakhovich
> > > Sent: Monday, July 26, 2004 10:45 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [Samba] Samba PDC Problem
> > > Hello guys,
> > > I have a Samba 3.0.4 on FC2, it has LDAP backend. Machine authenticate
> > > users with no problem.
> > > However when i try to add XP client to domain, from that workstation, it
> > > asking for Administrator password to join to the Domain and then says
> > > "Login failure: unknown user name or bad password". And at the same time
> > >  record does inserts into the LDAP!? I can see it right after i got
> > > message on the screen about error.
> > > Now here is a part from server log:
> > > --
> > > Jul 26 11:34:13 fileserver smbd[27897]: [2004/07/26 11:34:13, 0]
> > > passdb/pdb_ldap.c:ldapsam_add_sam_account(1587)
> > > Jul 26 11:34:13 fileserver smbd[27897]:   ldapsam_add_sam_account: SID
> > > 'S-1-5-21-299320441-2527492060-3102699668-3000' already in the base, with
> > > samba attributes
> > > Jul 26 11:34:13 fileserver smbd[27897]: [2004/07/26 11:34:13, 0]
> > > rpc_server/srv_samr_nt.c:_samr_create_user(2267)
> > > Jul 26 11:34:13 fileserver smbd[27897]:   could not add user/computer
> > > kiryha$
> > > to passdb.  Check permissions?
> > > --
> > > Note: i can login to linux server with name 'Administrator' and have
> > > root's privileges, since ldap has uid 0 for Administrator.
> > > smb.conf has line admin users = Administrator
> > > What do i missing?
> > > Any ideas?
> > > Thank you!
> > > Sincerely,
> > > Kiryl Hakhovich.

--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc. 
Information Systems Consultant   Fax:701-281-1322
URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]



[Samba] Re: Samba PDC Problem

2004-07-27 Thread Kang Sun
If you tried different configurations for testing, it might end up with
inconsistent SIDs.

net getlocalsid

will show what SID samba thinks and see if it is consistent with your
user accounts' SID or administrator's SID in LDAP server. If not, then you
know where your problem is.

If all your accounts in ldap have consistent SID but the samba SID is
different, the easiest fix is
net setlocalsid 

Another consideration, have you joined your PDC server into your domain? I
know it is weird but your PDC will not be in your LDAP unless you join it
into the domain. I don't know if this has anything to do with your problem.

The last one is well-documented: on XP you need to set certain registry
parameter, which I don't remember now, to zero.

Hope this helps.

-- Kang

"Kiryl Hakhovich" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hey Michael,
>
> thanks for a quick response.
>
> When i try to use BCHECKUP\Administrator it says "The parameter is
> incorrect" and does not work with ldap at all.
>
> (BCHECKUP is my domain name)
>
> I guess something wacky about my configs?
>
> Thanks.
>
>
> Michael Wray wrote:
>
> > Sounds like Samba SID doesn't match SID being sent by XP workstation, which
> > btw is what is being sent, not USERNAME Administrator.  TO make sure it
> > works for Admin's user name send sambamachinename\Administrator as the
> > username...then the sid's should match.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Kiryl
> > Hakhovich
> > Sent: Monday, July 26, 2004 10:45 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Samba] Samba PDC Problem
> >
> >
> > Hello guys,
> >
> > I have a Samba 3.0.4 on FC2, it has LDAP backend. Machine authenticate
> > users with no problem.
> > However when i try to add XP client to domain, from that workstation, it
> > asking for Administrator password to join to the Domain and then says
> > "Login failure: unknown user name or bad password". And at the same time
> >   record does inserts into the LDAP!? I can see it right after i got
> > message on the screen about error.
> >
> > Now here is a part from server log:
> > --
> > Jul 26 11:34:13 fileserver smbd[27897]: [2004/07/26 11:34:13, 0]
> > passdb/pdb_ldap.c:ldapsam_add_sam_account(1587)
> > Jul 26 11:34:13 fileserver smbd[27897]:   ldapsam_add_sam_account: SID
> > 'S-1-5-21-299320441-2527492060-3102699668-3000' already in the base, with
> > samba attributes
> > Jul 26 11:34:13 fileserver smbd[27897]: [2004/07/26 11:34:13, 0]
> > rpc_server/srv_samr_nt.c:_samr_create_user(2267)
> > Jul 26 11:34:13 fileserver smbd[27897]:   could not add user/computer
> > kiryha$
> > to passdb.  Check permissions?
> > --
> >
> > Note: i can login to linux server with name 'Administrator' and have
> > root's privileges, since ldap has uid 0 for Administrator.
> >
> > smb.conf has line admin users = Administrator
> >
> > What do i missing?
> > Any ideas?
> >
> >
> > Thank you!
> >
> > Sincerely,
> > Kiryl Hakhovich.
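Added example, not part of the original post: the SID consistency check described above, run over an LDIF dump of the account entries. The function names and the sample entries are constructed for illustration; only the first sample SID comes from the log quoted in the thread, and `sambaSID` is assumed to be the attribute holding each account's SID.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Strip the trailing RID from an account SID, leaving the domain SID.
domain_sid_of() {
    printf '%s\n' "${1%-*}"
}

# sid_mismatches DOMAIN_SID < accounts.ldif
# Prints "dn<TAB>sambaSID" for every entry whose SID is neither the domain
# SID itself nor the domain SID plus one RID. Exit status is 1 if any
# mismatch was found, 0 otherwise.
sid_mismatches() {
    awk -v dom="$1" '
        BEGIN { bad = 0 }
        /^dn: / { dn = substr($0, 5) }
        tolower($1) == "sambasid:" {
            base = $2
            sub(/-[0-9]+$/, "", base)      # account SID minus its RID
            if ($2 != dom && base != dom) {
                print dn "\t" $2
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample input: the first SID is the one from the server log in
# the thread, the second uses a made-up domain SID to show a mismatch.
sample_ldif() {
    cat <<'EOF'
dn: uid=kiryha$,ou=Computers,dc=example,dc=org
sambaSID: S-1-5-21-299320441-2527492060-3102699668-3000

dn: uid=Administrator,ou=Users,dc=example,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-500
EOF
}

# Typical use (assumes the SID is the last field of "net getlocalsid" output):
#   sid_mismatches "$(net getlocalsid | awk '{print $NF}')" < accounts.ldif
```

Any line it prints is an account created under a different domain SID, which is the inconsistency the reply suggests looking for before changing the local SID.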


[Samba] Re: samba PDC

2004-07-23 Thread Kang Sun
something like
net rpc join -W  -U Administrator%

-- KS

"my diva" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> hi...mailers
>
> i have a PDC server. and i have two client using windows and Linux. In
> windows client no problem but in Linux client i have the problem. so...how
> to join linux client in my PDC server?
>
> i need help because this is my project.
> thanks..
>
> regards
>
> Rian


Fw: [Samba] Re: samba PDC 3.0.4 - windows xp

2004-07-05 Thread The Zeidlers
I did that but it adds the machine as:
smbpasswd file:
warthog$:510::315D482542BE4B0285508C948101DE
E2:[W  ]:LCT-21DADA59:

and in the log there is :
  check_ntlm_password:  authentication for user [root] -> [root] -> [root]
succeeded
[1988/01/01 01:17:07, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2477)
  Returning domain sid for domain AD.BIGFIVE.COM ->
S-1-5-21-1362158826-3051921941-2490910359
[1988/01/01 01:17:07, 2] rpc_parse/parse_samr.c:samr_io_userinfo_ctr(6432)
  samr_io_userinfo_ctr: unknown switch level 0x1a
[1988/01/01 01:17:07, 0] rpc_server/srv_samr.c:api_samr_set_userinfo(786)
  api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.

and in windows xp it says:
 trust relationship between this workstation and the primary domain
controller failed.





- Original Message - 
From: "Jim C." <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 05, 2004 1:00 AM
Subject: [Samba] Re: samba PDC 3.0.4 - windows xp


> The Zeidlers wrote:
>
> I think this line is your problem.
>
> |add machine script = /usr/sbin/adduser -n -g machines -c Machine -d
> /dev/null -s /bin/false -M %u
>
> This line probably creates a new user without a password.
>
> I suggest you use smbpasswd to create the machine account record
> instead. Something like:
>
> add machine script = /usr/bin/smbpasswd -m -a %u
>
> -m is for creating machine accounts and should also generate an
> appropriate password.


[Samba] Re: samba PDC 3.0.4 - windows xp

2004-07-04 Thread Jim C.
The Zeidlers wrote:

I think this line is your problem.

|add machine script = /usr/sbin/adduser -n -g machines -c Machine -d
/dev/null -s /bin/false -M %u

This line probably creates a new user without a password.

I suggest you use smbpasswd to create the machine account record
instead. Something like:

add machine script = /usr/bin/smbpasswd -m -a %u

-m is for creating machine accounts and should also generate an
appropriate password.


Re: [Samba] Re: Samba PDC + WinXP = problems fetching remote profiles

2003-09-02 Thread dendik
Hi.

>Hi Dendik congrats on solving your problem.
Thanks.

>are you using samba3?
Yes, i am.

> How did you go with group policies on Xp?
Hmm... The most correct answer would be
"i don't know". After i fixed the hardware
problem, the only thing i did on client
machines was to enter the domain -- and
there were no problems with roaming profiles.
Could you describe your problem better --
i digged a lot of info and can be of some
help, probably.

Dendik.


[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles

2003-09-01 Thread Dendik N.F.
Hi.

Finally!!! I got it working!!!
The only thing i did was to replace
server's builtin 3Com Gigabit network
card with SMC1255 (100Mb). I tried to force
settings of 3Com -- to half duplex mode,
or to other speed -- but it did not let me
exceed autodetection, and autodetection
was half duplex/100Mb. I still can not
figure out, why such low-level hardware
replacement cured such high-level software
problems -- but this makes no matter for
me right now, since it works, and it works
fine.

Special thanks to Dragan Krnic, who was
almost the only one trying to help me on
this list.

Dendik.

PS. I confirm: recent WinXP's do not require
either RequireSignOrSeal, or mmc, or WebClient
service, or EAP patches. (Though some of these
patches -- e.g. group policies in mmc and one
of registry patches, which Dragan sent me --
are useful for making things smoother)


[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles

2003-08-30 Thread dendik
Hi.

The situation turned out even more mysterious than it
seemed before.

I got two new XP boxes, obviously those are XP/pro
without SP1 (did not check that, but it required
much more updates than other XP boxes, and ver
tells it's the same XP/2002/2600).  So i tried out
carefully step-by-step installation of those
machines. I stopped when they were in domain mode,
before any RequireSignOrSeal/WebClient/ EAP
patches and they worked fine, a few seconds per
log in, no trouble with downloading/uploading,
just perfect!!!

So i reinstalled XP on one of other 20 machines.
And nothing changed -- files still won't download
even before entering domain mode.

More fun: there are several samba servers in other
networks, and all (now 22) machines can access them
without any problems. I did try to port their smb.conf
to my server, but they have samba 2.2 and i did not
decide yet to make that big retract.

Now i decided to run diff on XP distribs and find
out what the difference is in to see if i can fix
it. Will report after i complete. Anyway, it's
at least very strange behaviour!!

Dendik.


[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles

2003-08-30 Thread Dragan Krnic
> More than one week of fighting -- and still no 
> result. I'm stuck at the very same point. Right 
> now i had to make the system work just any way 
> -- at least like file server for window$ clients.
> But the problem with file downloading still 
> persists. And i really have no idea of what i do 
> wrong.

You still have the problem! So sorry.

I installed an XP yesterday. All I had to do was set
network properties and register the SignOrSeal 
patch (WinXP_SignOrSeal.reg). I left the default
IEEE 802.1X EAP setting ("Smartcard or other...") and
didn't disable the Web client service either, just 
to see what kind of problems other people have. 
Well, I had no problem whatsoever. I can login in
and out in a couple of seconds. I can transfer the
Win2K-SP4 (137 MB) in both directions under 15 sec.

I don't know what your problem is but in your shoes
I would try from scratch, with a very uncomplicated
setup - just the server and a freshly installed client 
connected via a crossed cable and build from there. 
Chances are that something completely different is 
your problem, but you need to find it out slowly
and systematically.

>>> Sounds like symptoms of activated Web Client 
>>> service.
>> Maybe the point is about EAP -- i did not quite 

> Still no help. I even tried to select each protocol,
> deselect each of their checkboxes and then deselect 
> IEEE 802.1x, as someone reported this may help -- no 
> result.

I wonder what other problem in client network 
configuration can be masked by switching EAP and 
Web client off. I've seen the problem only on an
XP client, a laptop. It wasn't severe. Opening a
share or a shared subdirectory would stall for several
seconds although it takes no time on other clients.
When I disabled Web client and EAP those symptoms
were gone.

With my new XP box I also tried and disabled both
EAP and Web client. No difference. Same login and
transfer speed.

EAP and Web client obviously do not need to be a 
problem on an otherwise correctly set up server
and clients communicating through decent wires and
switches.

I'm afraid no one can help you but you yourself.
Go slowly from simple to more complex. Be sure what
works and you'll find out what the problem was.
Perhaps you should first test how fast ftp client
works.





[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles

2003-08-29 Thread Dendik N.F.
Hi.

More than one week of fighting -- and still no result.
I'm stuck at the very same point. Right now i had to
make the system work just any way -- at least like
file server for window$ clients. But the problem with
file downloading still persists. And i really have
no idea of what i do wrong.

>>> Sounds like symptoms of activated Web Client service.
>> Maybe the point is about EAP -- i did not quite 
Still no help. I even tried to select each protocol,
deselect each of their checkboxes and then deselect IEEE
802.1x, as someone reported this may help -- no result.

Dendik.


[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles

2003-08-25 Thread Dragan Krnic
>> Sounds like symptoms of activated Web Client 
>> service.
> Probably, i even found the message you were talking 
> about, and the symptoms really look the same, but 
> strangely, disabling WebClient did not help -- 
> maybe there is some result, but the one i do not 
> notice :). There HAVE to be something Damian Gerow 
> have done, that he did not tell...
>
> Maybe the point is about EAP -- i did not quite 
> understand it. If anyone knows, what are symptoms 
> of EAP being turned on/off (and where to turn it 
> on/off -- is it in properties of network connection 
> and called $(regexp 'IEEE [0-9]{3}.[0-9]') ), 
> please tell me.

You can choose between 3 EAPs: PEAP, MD5 challenge
and SmartCard or other certificate in LAN Link 
properties under the tab Authentication if you
enable IEEE 802.1X Authentication. I switched it off
altogether when I killed Web client service. 

>> Yes, of course. How silly of me. 
>> Your domain is .ru
> Hmm. It was twice as strange for me because by your 
> name i thought that you are from either one of post-
> USSR republics, or from one of their neighbour 
> republics, where cyrillic is also often used.

Close. We used to use both before we started fighting
about it. Very few typewriters had cyrillic and in IT 
the standard is not to use cyrillic.





[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles

2003-08-25 Thread Dendik
Hi!

> Sounds like symptoms of activated Web Client service.
Probably, i even found the message you were talking about,
and the symptoms really look the same, but strangely,
disabling WebClient did not help -- maybe there is some
result, but the one i do not notice :). There HAVE to be
something Damian Gerow have done, that he did not tell...

Maybe the point is about EAP -- i did not quite understand
it. If anyone knows, what are symptoms of EAP being turned
on/off (and where to turn it on/off -- is it in properties
of network connection and called $(regexp
'IEEE [0-9]{3}.[0-9]') ), please tell me.

> Yes, of course. How silly of me. Your domain is .ru
Hmm. It was twice as strange for me because by your name
i thought that you are from either one of post-USSR
republics, or from one of their neighbour republics, where
cyrillic is also often used.

Dendik.


[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles

2003-08-24 Thread Dragan Krnic
>>> [global]
>>...
>>> dos charset = CP866
>>> display charset = KOI8-R
>>> unix charset = KOI8-R
>>Probably just a matter of taste.
>Actually, not a taste, but a language -- russian.

Yes, of course. How silly of me. Your domain is .ru

>>> ; preferred master = No
>>> ; local master = Yes
>>My smb.conf has both set to Yes. In addition to that
>Mine also had some time ago. It's the result of
>me experimenting in hope to make it work.
>
>>I set this registry on all clients:
>>   HKEY_LOCAL_MACHINE\System\CurrentControlSet\
>>   \Services\Browser\Parameters\
>>   \MaintainServerList="No"
>>instead of default "Auto".
>Never seen a link to this patch. Thanx.

It's not a panacea but it keeps the clients from 
initiating browser elections, if you know they'll lose
it every time. It's an old trick. It probably only
makes a significant impact with large number of 
clients.





[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles

2003-08-23 Thread dendik
Hi!

Thanks for advices you gave, hopefully they'll help.
(right now i can't reach the computer class)

>Sounds like symptoms of activated Web Client service.
>...
I found some references about Web Client somewhere (don't
remember where right now), and even tried to turn it off,
but mistakenly i turned off Win support for IPC$ (after
a day of digging info on the Web and trying to fix it :),
and after i recognized what exactly i've done, i stopped
considering turning off Web Client as a way to solve the
problem.

Definitely i missed this topic a few months ago, since i
started ANY using of samba only in July this year. But
probably several of links i googled about Web Client were
on the Samba mailing list.

>By the way, I still can't figure out what FAR is.
FAR is File Manager, like WinExplorer, but styled like
old DOS-time file managers -- Norton Commander, Volkov
Commander, Dos Navigator. Differences from WinExplorer
are mainly having two panels for keyboard-friendliness
and having support for many tools and actions (like
archivers, not using win file aliases and even mostly
not using win extractors) and having many builtin tools
of its own.

Hmm. This seems really offtopic, but if it gave
you a tiny bit of useful knowledge, i'm happy :).


>> [global]
>...
>> dos charset = CP866
>> display charset = KOI8-R
>> unix charset = KOI8-R
>Probably just a matter of taste.
Actually, not a taste, but a language -- russian.

>> ; preferred master = No
>> ; local master = Yes
>My smb.conf has both set to Yes. In addition to that
Mine also had some time ago. It's the result of
me experimenting in hope to make it work.

>I set this registry on all clients:
>   HKEY_LOCAL_MACHINE\System\CurrentControlSet\
>   \Services\Browser\Parameters\
>   \MaintainServerList="No"
>instead of default "Auto".
Never seen a link to this patch. Thanx.

Dendik.


[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles

2003-08-23 Thread Dragan Krnic
> I have recently recognized that the problem of domain
> logons is at least closely connected to the problem 
> of downloading "big" files (i.e. files larger than
> something about 4k or even 2k). The symptoms are the
> following:
>  1. There are two differently behaving groups of
>  programs: network neighbourhood (or something
>  like that) and windows explorer, FAR, (i suppose
>  that Window Commander -- for those who don't know
>  what FAR is) and so on.
>  2. Network Neighbourhood almost refuses to do
>  anything on Samba shares -- it has long stall
>  upon entering directories with names longer
>  than 8 chars, and i don't remember it to
>  be able to perform any file download/upload
>  operations at all.
>  3. WinExplorer can browse shares freely, unless
>  it encounters directory containing more than
>  25 entries (very strange limit -- but i checked,
>  the limit is 25), where it stalls for 2 minutes.
>  Also downloading files larger than something
>  about 2 or 4 K always stalls for two minutes,
>  and (under some unclear circumstances) sometimes
>  fail completely.
>

Sounds like symptoms of activated Web Client service. 
If you have missed it a few days ago, it appears that
the new, XP-specific service called Web Client, 
automatically enabled by default, creates all kinds
of performance and access problems. I only have 1 XP 
client in my network but it suddenly started acting 
normally, just like any other Win2K clients, after 
I disabled this service.

By the way, I still can't figure out what FAR is.


> [global]
...
> dos charset = CP866
> display charset = KOI8-R
> unix charset = KOI8-R

Probably just a matter of taste.

> ; preferred master = No
> ; local master = Yes

My smb.conf has both set to Yes. In addition to that
I set this registry on all clients:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\
   \Services\Browser\Parameters\
   \MaintainServerList="No"

instead of default "Auto".





[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles

2003-08-22 Thread Dendik
Hi!

Thanks for answering, but unfortunately, this seems to
be of no help. I already had [netlogon] service in my
config (to avoid further confusion, i add my smb.conf
at the end of this file), the only option i did not
have was "inherit permissions = No", which does not seem
to be useful for solving the problem (and did not help
also).

I have recently recognized that the problem of domain
logons is at least closely connected to the problem of
downloading "big" files (i.e. files larger than
something about 4k or even 2k). The symptoms are the
following:
  1. There are two differently behaving groups of
  programs: network neighbourhood (or something
  like that) and windows explorer, FAR, (i suppose
  that Window Commander -- for those who don't know
  what FAR is) and so on.
  2. Network Neighbourhood almost refuses to do
  anything on Samba shares -- it has long stall
  upon entering directories with names longer
  than 8 chars, and i don't remember it to
  be able to perform any file download/upload
  operations at all.
  3. WinExplorer can browse shares freely, unless
  it encounters directory containing more than
  25 entries (very strange limit -- but i checked,
  the limit is 25), where it stalls for 2 minutes.
  Also downloading files larger than something
  about 2 or 4 K always stalls for two minutes,
  and (under some unclear circumstances) sometimes
  fail completely.

I seem to be really stuck with these errors, and
i feel like i just "look in wrong direction", so
any genius ideas will be gratefully accepted :).
(Even any ideas that will help me to fix the thing :).

On Thu, Aug 22, Dragan Krnic <[EMAIL PROTECTED]> wrote:

> Many problems result in this message. One is you need
> a [profiles] share with a subdir named after each 
> user. That user needs to have full access to it,
> for example 0700, belongs to user:users. You also need
> a [netlogon] share even if you don't use it.

> Sometimes an already existing profile is the problem.
> Try removing it (save it first for reference) and 
> logging in afresh.

#
### Here go the most important parts from my smb.conf

[global]
; Network names and alike
workgroup = COMPUTER_CLASS
netbios name = kodomo
server string = Kodomo Samba %v
comment = BoiInformatic Computer Class

; Charset conversion
dos charset = CP866
display charset = KOI8-R
unix charset = KOI8-R

; Security
security = user
encrypt passwords = Yes
min passwd length = 6
null passwords = Yes
wide links = No
passdb backend = smbpasswd

log level = 1
log file = /var/log/samba/log.smbd.%m
max log size = 1

; Netlogon
domain logons = Yes
logon script = logon.bat
logon path = \\kodomo\profiles\%U
logon drive = H:
logon home = \\kodomo\%u

; Browse master
; preferred master = No
; local master = Yes
domain master = Yes
os level = 64
[netlogon]
path = /home/export/samba/netlogon
write list = root
read only = Yes
; browseable = No
public = No
veto oplock files = /NTUSER.DAT /ntuser.ini

[profiles]
path = /home/export/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
; browsable = No

[homes]
comment = Home directory for %u
invalid users = root
browseable = No
read only = No
#

Dendik.


[Samba] Re: Samba PDC + WinXP = problems fetching remote profiles

2003-08-22 Thread Dragan Krnic
> But when i tried to log in with that very account 
> from another machine, i got Win hanging up for about 
> two minutes and blaming approximately the following 
> way: "Windows can't log you on with local profile,
> using temporary profile. Changes done to this 
> profile will be lost after you log off" (phrase 
> `local profile` seemed strange to me, but Win really 
> does what it should do, except not down/up loading 
> the profiles). After the message disappears or i hit 
> OK, Win logs in normally, downloads logon.bat and 
> seems to behave fine, but the profile is really 
> removed after log off.

Many problems result in this message. One is you need
a [profiles] share with a subdir named after each 
user. That user needs to have full access to it,
for example 0700, belongs to user:users. You also need
a [netlogon] share even if you don't use it. Try
this scheme:

   [global]

      logon path = \\samba-srv\profiles\%U

   [netlogon]
      path = /some-existing-path/netlogon
      write list = ntadmin
      browseable = No

   [profiles]
      path = /some-existing-path/profiles
      valid users = %U
      read only = No
      browseable = No
      inherit permissions = No

Sometimes an already existing profile is the problem.
Try removing it (save it first for reference) and 
logging in afresh.



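A check for the layout described in the message above (one subdirectory per user under the [profiles] path, owned by that user, mode 0700), as an added example that is not code from the thread. The function names, the account table and the temporary directory tree are made up here for illustration.

```python
import os
import pwd
import stat
import tempfile


def lookup_uid(name):
    """Resolve a Unix account name to its uid, or None if it does not exist."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


def check_profile_dirs(root, uid_of=lookup_uid):
    """Return {dirname: [problems]} for the per-user subdirectories of root.

    Expected layout: one subdirectory per user, named after the user,
    owned by that user, with no access for group or other (0700).
    """
    problems = {}
    with os.scandir(root) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            # Symlinks are skipped rather than followed.
            if not entry.is_dir(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            mode = stat.S_IMODE(st.st_mode)
            issues = []
            uid = uid_of(entry.name)
            if uid is None:
                issues.append("no Unix account named after this directory")
            elif st.st_uid != uid:
                issues.append(f"owned by uid {st.st_uid}, expected {uid}")
            if mode & 0o700 != 0o700:
                issues.append(f"owner lacks full access (mode {mode:04o})")
            if mode & 0o077:
                issues.append(f"group/other access (mode {mode:04o})")
            if issues:
                problems[entry.name] = issues
    return problems


def build_sample_tree():
    """Constructed sample: three profile directories under a temporary root."""
    root = tempfile.mkdtemp(prefix="profiles-")
    for name, mode in (("alice", 0o700), ("bob", 0o777), ("carol", 0o700)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # set explicitly: mkdir's mode is subject to umask
    me = os.getuid()
    # Hypothetical account table: carol's directory belongs to someone else.
    accounts = {"alice": me, "bob": me, "carol": me + 1}
    return root, accounts.get


if __name__ == "__main__":
    sample_root, resolver = build_sample_tree()
    for name, issues in check_profile_dirs(sample_root, resolver).items():
        print(f"{name}: {'; '.join(issues)}")
```

On a real server, call `check_profile_dirs` with the path of the [profiles] share and the default resolver, which looks accounts up through `pwd`.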


[Samba] Re: samba-PDC problem

2003-07-27 Thread Jamrock
Your post says that you can access the profiles directory on the server.
Make sure you can write to it as well. The Linux file permissions need to be
correct.

The following document has some good info. on setting up roaming profiles.
Note that it deals with Samba 2.x but the info. may still be relevant to
Samba 3.x.

http://www-1.ibm.com/servers/esdd/tutorials/samba/index.html


<[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> I am trying to get roaming profiles working for my Win2K workstation and
> run a group login script at logon. My user account (traxx) can join and
> logon to the domain (DATA) but I get 2 error messages after
> authentication:
> 1 'Windows cannot create profile directory \\henry\dcarter\profile.pds.
> You will be logged on with a local profile only. Changes to the profile
> will not be propagated to the server. Contact your network administrator.'
>
> 2-'Windows cannot find the local profile & is logging you on with a
> temporary profile. Changes you make to this profile will be lost when you
> log off.'
>
> These are the relevant lines from my smb.conf:
>
> workgroup=DATA
> netbios name=DATASERVER
> logon script=%g.bat
> domain logons=yes
> [Profiles]
> path=/home/profiles
> create mask=0777
> read only=no
> browseable=no
>
> I can access \\henry\profiles from the run command okay I have also tried:
>
> path=/home/users/%u
>
> to store profiles in home directories e.g. mine would be /home/users/traxx
> but I get the same error messages.
>
> By the way my samba logs also says:
>
> [2003/07/27 14:56:31, 0] rpc_server/srv_netlog.c:api_net_sam_logon(206)
>   api_net_sam_logon: Failed to marshall NET_R_SAM_LOGON.
> [2003/07/27 14:56:31, 0] rpc_server/srv_pipe.c:api_rpcTNP(1200)
>   api_rpcTNP: api_netlog_rpc: NET_SAMLOGON failed.
> [2003/07/27 14:56:35, 0] smbd/service.c:make_connection(248)
>   traxx (192.168.0.55) couldn't find service profiles
>
>
> Can anybody help?
>
> Thank you
>
>
>
>





[Samba] Re: samba pdc problem

2003-07-01 Thread WinXperts
You need to add the line
domain admin group = user1 user2 @group1 @group2






[Samba] Re: Samba PDC & Windows XP

2003-02-27 Thread Zef
Try changing this in the XP registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
"RequireSignOrSeal"=dword:

"Jose Gabriel Garcia Araujo" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> I have configured Samba as a PDC and I have 2 Xp computers
> I can logon in the domain
> I see the shares of the samba server from the windows XP machines
> but I can't see the shares of the Windows XP machines from the Samba
> server.
> I always get the same error:
>
> added interface ip=192.168.0.3 bcast=192.168.0.255 nmask=255.255.255.0
> Got a positive name query response from 192.168.0.3 ( 192.168.0.1 )
> Password:
> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
>
> Any Ideas?
> --
> Jose Gabriel Garcia Araujo <[EMAIL PROTECTED]>
> Adicora.net
>
>
>





[Samba] Re: SAMBA PDC User Permissions, Admin Settings, and Logon?

2003-02-26 Thread Brent Torrenga
I think the administrator group issue is not going to be resolved when we
get real support for mapping groups to windows, isn't it?


"Jason Norred" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> I'm having a similar problem on my 2.2.7 PDC. If my users are not
> listed in the domain admin group, then they have very restricted access
> to the windows registry when they log in. Most of their programs will not
> work at all. I'm not sure at this point what the solution is. I want to
> see if there is a way to do something like add their DOMAIN user account
> to the LOCAL machine's POWER USER group. I'm going to give it a shot in
> the morning.
>
> Do you have your /home issue fixed yet? I would be happy to help you
> with that if you are still having problems.
>
> If anyone has any ideas or suggestions about my registry permissions,
> let me know...
>
> Thanks,
> Jason N.
>
>
>
>
> On Tue, 2003-02-25 at 05:51, richard wrote:
>
> > Hi, Don't know if this is relevant but I read somewhere that including
> > below in [global] makes Samba do strange things? I believe this is a
> > "share" parameter? If this helps please post your results.
> >
> > profile acls = Yes
> >
> > Richard.
> >
> > On Tue, 2003-02-25 at 04:48, Nolan Garrett wrote:
> > > Hi all! First off, I'd like to thank you for the help you've previously
> > > given me. I'd like to state a few of the problems I am now experiencing,
> > > and you all can provide insight. I've read all the documentation I can find
> > > and have surfed the archives for this newsgroup, but to no avail. Any help
> > > would be greatly appreciated!
> > >
> > > (I am using SAMBA 2.2.7)
> > >
> > > Issue 1: If I don't have every user listed in the admin users = section that
> > > I want to allow logon access, they cannot log on. I usually get a domain
> > > unavailable error.
> > >
> > > Issue 2: If I don't set up each user account (w/ domain) on the WinXP
> > > machine I want to logon to, I get some kind of very, very limited logon. It
> > > almost seems to be corrupted.
> > >
> > > Issue 3: This is my main frustration - I cannot seem to block access to
> > > other peoples shares! EG user chrisg can access the nolan share, etc.
> > >
> > > Final Issue: Not a big problem, but I can't figure out how to set up the
> > > CUPS drivers for the pdf-generator.
> > >
> > > Is it a winbind problem, bad config, or am I just a moron?
> > >
> > > Attached is my smb.conf
> > >
> > > # Samba config file created using SWAT
> > > # from gridlock.workgroup.net (192.168.0.5)
> > > # Date: 2003/02/24 18:08:30
> > >
> > > # Global parameters
> > > [global]
> > > netbios name = MAIN
> > > server string = Samba Server %v
> > > encrypt passwords = Yes
> > > passwd program = /usr/bin/passwd %u
> > > passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd: *all*authentication*tokens*updated*succesfully*
> > > unix password sync = Yes
> > > log level = 1
> > > log file = /var/log/samba/log.%m
> > > max log size = 50
> > > socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
> > > printcap name = cups
> > > domain admin group = @admins
> > > add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
> > > logon script = %U.bat
> > > logon path = \\main\profiles\%U
> > > logon drive = Z:
> > > logon home = \\main\%U\.profile
> > > domain logons = Yes
> > > os level = 99
> > > domain master = Yes
> > > dns proxy = No
> > > wins support = Yes
> > > winbind uid = 1-2
> > > winbind gid = 1-2
> > > ;   valid users = ahayes root danielleg chrisg rickg nolan
> > > admin users = root nolan chrisg rickg danielleg alyssag
> > > printer admin = nolan root
> > > hosts allow = 192.168.0. 127.
> > > ;   profile acls = Yes
> > > printing = cups
> > >
> > > [homes]
> > > comment = Home Directory for %u
> > > read only = No
> > > create mask = 0660
> > > directory mask = 0770
> > > browseable = No
> > > oplocks = No
> > > level2 oplocks = No
> > >
> > > [netlogon]
> > > comment = Network Logon Service
> > > path = /var/lib/samba/netlogon
> > > write list = root nolan
> > >
> > > [profiles]
> > > path = /var/lib/samba/profiles
> > > read only = No
> > > create mask = 0600
> > > directory mask = 0700
> > > guest ok = Yes
> > > browseable = No
> > > csc policy = disable
> > >
> > > [printers]
> > > comment = All Printers
> > > path = /var/spool/samba
> > > printer admin = root nolan
> > > guest ok = Yes
> > > printable = Yes
> 

[Samba] RE: SAMBA PDC User Permissions, Admin Settings, and Logon?

2003-02-25 Thread Nolan Garrett
Thank you! This definitely fixed the mapping problem. Now if I could only 
make my logons TRULY roaming...

Nolan

Rob Savage wrote:

> Hey Nolan,
> 
> I can easily give you an answer to I3
> 
>>Issue 3: This is my main frustration - I cannot seem to block access to
>>other peoples shares! EG user chrisg can access the nolan share, etc.
>>
>>
>>[homes]
>>comment = Home Directory for %u
>>read only = No
>>create mask = 0660
>>directory mask = 0770
>>browseable = No
>>oplocks = No
>>level2 oplocks = No
> 
> Try adding these:
> 
> Valid users = %U
> Path = /home/%u
> Guest ok = No
> ---
> Have an excellent day,
> 
> Rob Savage
> 
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Nolan
> Garrett
> Sent: February 24, 2003 11:49 AM
> To: [EMAIL PROTECTED]
> Subject: [Samba] SAMBA PDC User Permissions, Admin Settings, and Logon?
> 
> Hi all! First off, I'd like to thank you for the help you've previously
> given me. I'd like to state a few of the problems I am now experiencing,
> and you all can provide insight. I've read all the documentation I can
> find and have surfed the archives for this newsgroup, but to no avail. Any
> help would be greatly appreciated!
> 
> (I am using SAMBA 2.2.7)
> 
> Issue 1: If I don't have every user listed in the admin users = section
> that I want to allow logon access, they cannot log on. I usually get a
> domain unavailable error.
> 
> Issue 2: If I don't set up each user account (w/ domain) on the WinXP
> machine I want to logon to, I get some kind of very, very limited logon.
> It almost seems to be corrupted.
> 
> Issue 3: This is my main frustration - I cannot seem to block access to
> other peoples shares! EG user chrisg can access the nolan share, etc.
> 
> Final Issue: Not a big problem, but I can't figure out how to set up the
> CUPS drivers for the pdf-generator.
> 
> Is it a winbind problem, bad config, or am I just a moron?
> 
> Attached is my smb.conf
> 
> # Samba config file created using SWAT
> # from gridlock.workgroup.net (192.168.0.5)
> # Date: 2003/02/24 18:08:30
> 
> # Global parameters
> [global]
> netbios name = MAIN
> server string = Samba Server %v
> encrypt passwords = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd: *all*authentication*tokens*updated*succesfully*
> unix password sync = Yes
> log level = 1
> log file = /var/log/samba/log.%m
> max log size = 50
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
> printcap name = cups
> domain admin group = @admins
> add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
> logon script = %U.bat
> logon path = \\main\profiles\%U
> logon drive = Z:
> logon home = \\main\%U\.profile
> domain logons = Yes
> os level = 99
> domain master = Yes
> dns proxy = No
> wins support = Yes
> winbind uid = 1-2
> winbind gid = 1-2
> ;   valid users = ahayes root danielleg chrisg rickg nolan
> admin users = root nolan chrisg rickg danielleg alyssag
> printer admin = nolan root
> hosts allow = 192.168.0. 127.
> ;   profile acls = Yes
> printing = cups
> 
> [homes]
> comment = Home Directory for %u
> read only = No
> create mask = 0660
> directory mask = 0770
> browseable = No
> oplocks = No
> level2 oplocks = No
> 
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> write list = root nolan
> 
> [profiles]
> path = /var/lib/samba/profiles
> read only = No
> create mask = 0600
> directory mask = 0700
> guest ok = Yes
> browseable = No
> csc policy = disable
> 
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printer admin = root nolan
> guest ok = Yes
> printable = Yes
> browseable = No
> 
> [print$]
> comment = Printer Drivers
> path = /etc/samba/drivers
> write list = root nolan
> 
> [pdf-generator]
> comment = PDF Generator (only valid users!)
> path = /var/tmp
> printable = Yes
> print command = /usr/share/samba/scripts/print-pdf %s ~%u
> %L
> %u %m &
> 
> [public]
> comment = Public
> path = /home/samba/public
> read only = No
> guest ok = Yes
> 
> 
> 


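The share-access problem discussed in this thread (Issue 3 and the suggested [homes] settings) can be checked for mechanically. The following is an added example, not code from the thread or from Samba: a small smb.conf auditor whose function names and two sample configurations are constructed here, using parameter values that appear in the configurations quoted on this page.

```python
import re

TRUE_WORDS = {"yes", "true", "1"}
SYNONYMS = {"public": "guest ok"}  # "public" is smb.conf's synonym for "guest ok"

# Constructed sample, assembled from settings quoted in the messages above.
WEAK_CONF = """
[global]
null passwords = Yes
min passwd length = 0
admin users = root nolan chrisg
;   profile acls = Yes
[homes]
read only = No
create mask = 0660
directory mask = 0770
[profiles]
read only = No
create mask = 0777
directory mask = 0777
guest ok = Yes
"""

# Constructed sample: the same shares after tightening.
HARDENED_CONF = """
[global]
null passwords = No
min passwd length = 6
[homes]
valid users = %S
public = No
read only = No
create mask = 0600
directory mask = 0700
[profiles]
read only = No
create mask = 0600
directory mask = 0700
guest ok = No
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", " ", key.strip().lower())
            conf[section][SYNONYMS.get(key, key)] = value.strip()
    return conf


def effective(conf, share, key, default=""):
    """Value set on the share, else the [global] default, else `default`."""
    return conf.get(share, {}).get(key, conf.get("global", {}).get(key, default))


def audit(conf):
    """Return a list of (section, parameter, reason) findings."""
    out = []
    g = conf.get("global", {})
    if g.get("null passwords", "no").lower() in TRUE_WORDS:
        out.append(("global", "null passwords", "empty passwords are accepted"))
    if g.get("min passwd length", "").strip() == "0":
        out.append(("global", "min passwd length", "no minimum password length"))
    extra = [u for u in g.get("admin users", "").split() if u != "root"]
    if extra:
        out.append(("global", "admin users",
                    "file access as root on every share for: " + " ".join(extra)))
    for share in conf:
        if share == "global":
            continue
        writable = effective(conf, share, "read only", "yes").lower() not in TRUE_WORDS
        guest = effective(conf, share, "guest ok", "no").lower() in TRUE_WORDS
        if share == "homes" and not effective(conf, share, "valid users"):
            out.append((share, "valid users",
                        "any authenticated user may connect to other users' homes"))
        if guest and writable:
            out.append((share, "guest ok", "writable by unauthenticated guests"))
        for key in ("create mask", "directory mask"):
            mask = conf[share].get(key, "")
            if re.fullmatch(r"[0-7]+", mask) and int(mask, 8) & 0o002:
                out.append((share, key, f"{mask} allows world-writable entries"))
    return out


if __name__ == "__main__":
    for section, param, reason in audit(parse_smb_conf(WEAK_CONF)):
        print(f"[{section}] {param}: {reason}")
```

The parser handles only the subset of smb.conf syntax used on this page (sections, `name = value` lines, `#` and `;` comments); `testparm` remains the authoritative way to see the effective configuration.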

[Samba] Re: SAMBA PDC User Permissions, Admin Settings, and Logon?

2003-02-25 Thread Nolan Garrett
Correct that - On Issue 2, I get no access at all.

Nolan

Nolan Garrett wrote:

> Hi all! First off, I'd like to thank you for the help you've previously
> given me. I'd like to state a few of the problems I am now experiencing,
> and you all can provide insight. I've read all the documentation I can
> find and have surfed the archives for this newsgroup, but to no avail. Any
> help would be greatly appreciated!
> 
> (I am using SAMBA 2.2.7)
> 
> Issue 1: If I don't have every user listed in the admin users = section
> that I want to allow logon access, they cannot log on. I usually get a
> domain unavailable error.
> 
> Issue 2: If I don't set up each user account (w/ domain) on the WinXP
> machine I want to logon to, I get some kind of very, very limited logon.
> It almost seems to be corrupted.
> 
> Issue 3: This is my main frustration - I cannot seem to block access to
> other peoples shares! EG user chrisg can access the nolan share, etc.
> 
> Final Issue: Not a big problem, but I can't figure out how to set up the
> CUPS drivers for the pdf-generator.
> 
> Is it a winbind problem, bad config, or am I just a moron?
> 
> Attached is my smb.conf
> 
> # Samba config file created using SWAT
> # from gridlock.workgroup.net (192.168.0.5)
> # Date: 2003/02/24 18:08:30
> 
> # Global parameters
> [global]
> netbios name = MAIN
> server string = Samba Server %v
> encrypt passwords = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd: *all*authentication*tokens*updated*succesfully*
> unix password sync = Yes
> log level = 1
> log file = /var/log/samba/log.%m
> max log size = 50
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
> printcap name = cups
> domain admin group = @admins
> add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
> logon script = %U.bat
> logon path = \\main\profiles\%U
> logon drive = Z:
> logon home = \\main\%U\.profile
> domain logons = Yes
> os level = 99
> domain master = Yes
> dns proxy = No
> wins support = Yes
> winbind uid = 1-2
> winbind gid = 1-2
> ;   valid users = ahayes root danielleg chrisg rickg nolan
> admin users = root nolan chrisg rickg danielleg alyssag
> printer admin = nolan root
> hosts allow = 192.168.0. 127.
> ;   profile acls = Yes
> printing = cups
> 
> [homes]
> comment = Home Directory for %u
> read only = No
> create mask = 0660
> directory mask = 0770
> browseable = No
> oplocks = No
> level2 oplocks = No
> 
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> write list = root nolan
> 
> [profiles]
> path = /var/lib/samba/profiles
> read only = No
> create mask = 0600
> directory mask = 0700
> guest ok = Yes
> browseable = No
> csc policy = disable
> 
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printer admin = root nolan
> guest ok = Yes
> printable = Yes
> browseable = No
> 
> [print$]
> comment = Printer Drivers
> path = /etc/samba/drivers
> write list = root nolan
> 
> [pdf-generator]
> comment = PDF Generator (only valid users!)
> path = /var/tmp
> printable = Yes
> print command = /usr/share/samba/scripts/print-pdf %s ~%u
> %L
> %u %m &
> 
> [public]
> comment = Public
> path = /home/samba/public
> read only = No
> guest ok = Yes
> 
> 
> 




[Samba] re: Samba PDC shared applications and a default start menuprofile (Kevin S. Brackett)

2003-02-22 Thread Edmund J. Sutcliffe
Hi
I'm currently doing exactly this for several sites. Within Win2K
and above it is possible to configure Local Group Policy Objects, so that
the ALLUSERPROFILES value is pointed to 
%LOGONSERVER%\Software\Documents and Settings\All Users\Start Menu

Thus when a user logs in, they see the menus stored in their profile,
overlaid by these on the Network Drives.

Then, using the same techniques used by tools such as SMS and InstallRite,
applications are wrapped and installed onto a Network only Drive.

When a user clicks on the Application Icon, pointed to by the
ALLUSERPROFILE Menu tree, the application is installed.

So far, we've been able to wrap most applications this way,
from vendors such as Borland, Adobe, MacroMedia and Microsoft. For details
of this  has more details of how to do this.

Please note this doesn't work for all applications, for instance
Microsoft Office needs some neat tricks to ensure that it installs a few
things which need to be on the local C: 

Hope this helps
Edmund
 -- 

Edmund J. Sutcliffe Thoughtful Solutions; Creatively 
<[EMAIL PROTECTED]>   Implemented and Communicated
+44 (0) 7976 938841




[Samba] Re: samba PDC and windows xp profiles...

2002-12-17 Thread D. Aaron McCaleb
OK, after downloading the entire source for Samba 2.2.7a and compiling,
instead of simply patching up to 2.2.7a, I no longer have the issue of
writing to the Cookies folder in the win9x profile.  There is an issue with
the win9x machine not shutting down, but that may be a machine issue, so I
will troubleshoot that some more.

However, the winXP is getting a new error which I am not 100% sure about:

"Windows did not load your roaming profile and is attempting to log you on
with your local profile.  Changes to profile will not be copied to the
server when you log off.  Windows did not load your profile because a server
copy of the profile folder already exists that does not have the correct
security.  Either the current user or the Administrator's group must be the
owner of the folder.  Contact your network administrator."

Again, here is the smb.conf and ls -l of the profiles folder:

drwxrwxrwt    4 root     users        4096 Dec  9 16:28 profiles

and profiles/

drwxrwxrwx    2 banderso geo          4096 Dec  6 17:05 banderson

(Obviously, the username is banderson, and the user's group is geo (the grp
ownership was root, to begin with, but I changed it to geo and got the same
error).)

smb.conf:
# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2002/11/17 15:45:04

# Global parameters
[global]
; Basic server settings
workgroup = REEDNET
netbios name = REGMAIN
security = USER

; we should act as the domain and local master browser
os level = 65
domain master = yes
local master = yes
preferred master = yes

; encrypted passwords are a requirement for a PDC
encrypt passwords = yes

; support domain logons
domain logons = yes

; where to store user profiles?
logon path = \\%L\profiles\%U

; where is a user's home directory and where should it
; be mounted at?
logon drive = x:
logon home = \\%L\%U\.profile

; needed for win9x profiles
preserve case = yes
short preserve case = yes
case sensitive = no

; specify a generic logon script for all users
; this is a relative **DOS** path to (from) the [netlogon] share
logon script = logon.bat

; specific password (lack of) requirements
min passwd length = 0
null passwords = yes

passwd program = /usr/bin/passwd -u %u
unix password sync = yes

; Logging options
log level = 3
log file = /usr/local/samba/var/log.%m
max log size = 50

; Tuning options
deadtime = 15
keepalive = 0

; Special users and handlers
domain admin group = root amccaleb
message command = /bin/mail -s 'message from %f on %m' root < %s; rm %s
hide local users = no
admin users = root amccaleb
wins support = yes
add user script = /usr/sbin/useradd -d /dev/null -g 110 -s /bin/false -M %u

[homes]
path = %H
valid users = %S
read only = no
guest ok = no
create mask = 0777
directory mask = 0777
browseable = yes
level2 oplocks = yes
dos filetimes = yes

; share for storing nt/2k/xp user profiles
[profiles]
path=/srv/profiles
read only = no
create mask = 0777
directory mask = 0777
nt acl support = no
browseable = yes

[netlogon]
path = /srv/netlogon
read only = yes
write list = root amccaleb





[Samba] re: Samba PDC Problem (Account name security ID mapping blah blah blah)

2002-11-16 Thread Stephen Anthony Jackson
Yes I know... you will all say... asked and answered but this is
ridiculous... I still cannot add my win 2k wks to my Samba domain...

I have created the machine account, and the root account in smbpasswd I
have checked and they DO exist... I am running Samba 2.2.6-1, the build
which many on these lists claim to fix this win2k problem but as of
yet... no luck...

here is my smb.conf if anyone can find a problem in it

# Samba config file created using SWAT
# from duar (127.0.0.1)
# Date: 2002/11/16 11:58:30

# Global parameters
[global]
workgroup = KRONOS
netbios name = DUAR
netbios aliases = DUAR
server string =
encrypt passwords = Yes
update encrypted = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
passwd chat debug = Yes
username map = /etc/samba/smbusers
unix password sync = Yes
admin log = Yes
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain admin group = @DomainAdmins
domain guest group = @DomainGuests
domain logons = Yes
os level = 33
lm announce = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
winbind use default domain = Yes
alternate permissions = Yes
valid users = root
admin users = root
printer admin = root
printing = lprng

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0664
directory mask = 0775
browseable = No


Yours Hopefully

Steve Jackson



[Samba] Re: Samba PDC.... no mapping between account names and security IDswas done

2002-11-16 Thread Stephen Anthony Jackson
Yes I know... you will all say... asked and answered but this is
ridiculous... I still cannot add my win 2k wks to my Samba domain...

I have created the machine account, and the root account in smbpasswd I
have checked and they DO exist... I am running Samba 2.2.6-1, the build
which many on these lists claim to fix this win2k problem but as of
yet... no luck...

here is my smb.conf if anyone can find a problem in it

# Samba config file created using SWAT
# from duar (127.0.0.1)
# Date: 2002/11/16 11:58:30

# Global parameters
[global]
workgroup = KRONOS
netbios name = DUAR
netbios aliases = DUAR
server string =
encrypt passwords = Yes
update encrypted = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
passwd chat debug = Yes
username map = /etc/samba/smbusers
unix password sync = Yes
admin log = Yes
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain admin group = @DomainAdmins
domain guest group = @DomainGuests
domain logons = Yes
os level = 33
lm announce = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
winbind use default domain = Yes
alternate permissions = Yes
valid users = root
admin users = root
printer admin = root
printing = lprng

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0664
directory mask = 0775
browseable = No


Yours Hopefully

Steve Jackson




Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Uinx, withoutmicrosoft ADS)

2002-11-01 Thread Donald Saltarelli
Yongjun-

Right now, you cannot get Samba to authenticate the user using the
kerberos credentials he gets when logging in to the Kerberos Realm on
the workstation. What you can do:

1. Run MIT kerberos 5 on UNIX.
2. Set up pam_krb5 in Solaris to authenticate off of the UNIX kdc. (We
use the one supplied with Solaris 8. We couldn't get the Solaris 9 one
to work, however. You could always replace it with the open source stuff
though.)
3. Set up a Windows 2000 AD domain. Mixed or Native mode shouldn't
matter.
4. Create an account/password for the AD server in the UNIX kerberos
domain and trust the UNIX kerberos realm from AD with it.
5. Create accounts in AD that match the ones in the UNIX kdc and
whatever you're using for passwd/group/shadow (nis, nss_ldap, etc.) with
the 'username mapping' set to the username@KERBEROSREALM. The passwords
can be randomized. If you need it, I have a vbscript for creating the
accounts to help automate this. We're using NIS with no passwords in NIS
except for the usual administrative ones since we don't control the
kerberos domain here.
6. Set up Samba 2.2.6 --with-pam and in User mode. Samba will
authenticate off of kerberos through pam.
7. Set up the Windows 2000 workstations via a group policy object or with
a registry editor to Enable "Send clear-text passwords to third-party
SMB servers".
8. On the Windows 2000 workstations run 'ksetup.exe /addkdc REALMNAME
fqdn.of.your.server'. ksetup is in the Windows 2000 resource kit.

That'll work.

*** However, in this configuration, you cannot get drives mapped to
shares on the Samba server without the user typing in the password
interactively.*** You'll need to create a script for the users to use
for this purpose. ('net use U: \\server\%username% /persistent:no')

Hopefully by 3.0 release the kerberos authentication will work in this
setup and drive mapping can be done automatically and we can do things
like Folder Redirection to samba shares!

Additional cool things would involve editing the resources in the
MSGINA.DLL to add some more explanatory info for users so that they know
to login to the '(Kerberos Realm)' and not the local workstation or AD
domain.

Donald Saltarelli


Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)

2002-11-01 Thread Yura Pismerov


Jonathan Higgins wrote:
> 
> A few more questions and comments... related to this topic
> 
> If Kerberos is the back-end to LDAP.. there is no need to synchronize or store a
> password in the LDAP tree.. just the principal for the user in the userpassword
> attribute: userpassword = {kerberos}name@domain

That is correct. I did not mean sync between Kerberos and LDAP, I mean
sync between Kerberos and Samba passwords stored in LDAP. 


> 
> in the smb.conf file do I need stuff like this?
> Unix password sync = yes
> passwd program = /some-path/to-a/script-which/synchronize-kerb-smb %u

Yes. 

> 
> in this program "synchronize-kerb-smb"
> %u is the username and comes in as an argument, then request the password and read it
> in from STDIN.. ... then run a smbpasswd %u feeding the password.. and  then get a
> valid user/admin ticket using kinit for an account validated by a keytab .. then run
> kadmin.local -q 'cpw -pw $password $username' to synchronize with Kerberos

Easier (not yet more secure though) way is creating a separate Kerberos
principal with permissions for password change, saving the key (with
ktadd -k "file") in separate keytab and using the key with kadmin -k -t
/path/keytab -p "principal_name". Then "cpw user@DOMAIN" will change
password for the user. The cpw command can be passed to kadmin via
expect script or via STDIN (less secure though).


> 
> this has the potential to work (I think) but... I'm missing a few parts.. can a script
> like this synchronize passwords when they are forced to change their password at the
> client level.. say expire the user's password?  And what happens if they change their


Kerberos has its own password expiration mechanism. You can write a
script that will scan principals in KDC, extract password expire dates
and compare it with current date.
Then, let's say 5 days before the expiration, it can start sending
notifications to users. The warning message can contain a link to a
webpage for the password change.


> password using kpassword.. that has the potential to unsynchronize the passwords..

Yes, if user changes password with kpassword, there is no way to
synchronize it with Samba password. So users must be instructed to use
either standard Windows way to change the passwords, or a webpage. The
CGI script will take care of changing passwords in Kerberos and Samba
(via smbldap utilities, for example) realms.

> 
> Also.. what about the adding machines trusts to the samba domain?.. I've seen where
> people use the:
> add user script = /some/adduserscript -n -g machines -c Machine -d /dev/null -s /bin/false $m$
> 
> is there any way to change the LDAP suffix before adding a machine to the LDAP
> tree?.. In my current setup I have all users in an ou=people area.. and so my LDAP
> suffix = "ou=people, dc=domain".. but I don't want to add machines to this
> container.. I would rather put them in something like "ou=hosts, dc=domain"..

Yes, you can do it with the mentioned smbldap scripts where People and
Computers DNs can be configured. Then you use add user
script=/path/smbldap-useradd.pl -w %m$


> I have many more questions but don't want to change the topic too much...

:)

> 
> Jonathan Higgins
> Network Service Specialist IV
> [EMAIL PROTECTED]
> 
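The password-change step discussed in the message above (a dedicated principal whose key is saved with `ktadd -k` and used via `kadmin -k -t ... -p ...`), as an added example that is not part of the original thread or of Samba. It feeds the new password over stdin instead of placing it in `-pw` on the command line; the paths, the `pwsync/admin` principal, the `EXAMPLE.COM` realm and the assumption that `kadmin` reads the password prompts from stdin when it is not a terminal are all illustrative.

```python
"""Password sync helper in the spirit of the thread: change a user's Kerberos
password through a dedicated keytab principal, then the Samba password.
Added illustration; paths, principal and realm below are assumptions."""
import re
import subprocess

KADMIN = "/usr/sbin/kadmin"            # assumed install path
SMBPASSWD = "/usr/bin/smbpasswd"       # assumed install path
KEYTAB = "/etc/samba/pwsync.keytab"    # hypothetical keytab written by ktadd -k
SYNC_PRINCIPAL = "pwsync/admin"        # hypothetical principal allowed to cpw
REALM = "EXAMPLE.COM"                  # placeholder realm

# Conservative account-name whitelist: no spaces, quotes, '@', '/' or '$'.
# fullmatch() is used below so a trailing newline cannot slip through.
_USER_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")


def check_inputs(username, new_password):
    """Reject values that could alter the kadmin query or the stdin dialogue."""
    if not _USER_RE.fullmatch(username):
        raise ValueError("unsafe or malformed username: %r" % username)
    if not new_password or any(c in new_password for c in "\r\n\x00"):
        raise ValueError("password is empty or contains a line break/NUL")


def plan_sync(username, new_password):
    """Return [(argv, stdin_bytes), ...] for the Kerberos and Samba updates.

    The password appears only in stdin_bytes, never in argv, so it is not
    exposed in the process list the way `cpw -pw $password` would be.
    """
    check_inputs(username, new_password)
    twice = (new_password + "\n" + new_password + "\n").encode("utf-8")
    kadmin_argv = [KADMIN, "-k", "-t", KEYTAB, "-p", SYNC_PRINCIPAL,
                   "-q", "cpw %s@%s" % (username, REALM)]
    smb_argv = [SMBPASSWD, "-s", username]  # -s: read the password from stdin
    return [(kadmin_argv, twice), (smb_argv, twice)]


def run_sync(username, new_password, runner=subprocess.run):
    """Execute the plan without a shell and stop at the first failure.

    Assumption: a non-zero exit code signals failure. If the second step
    fails after the first succeeded, the two passwords differ and the
    caller must retry or alert.
    """
    for argv, stdin_bytes in plan_sync(username, new_password):
        result = runner(argv, input=stdin_bytes, stdout=subprocess.PIPE,
                        stderr=subprocess.PIPE, check=False)
        if result.returncode != 0:
            # Report the tool name only; captured output may hold prompts.
            raise RuntimeError("%s failed with exit code %d"
                               % (argv[0], result.returncode))
    return True
```
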

Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)

2002-11-01 Thread Jonathan Higgins
A few more questions and comments... related to this topic

If Kerberos is the back-end to LDAP.. there is no need to synchronize or store a 
password in the LDAP tree.. just the principal for the user in the userpassword 
attribute: userpassword = {kerberos}name@domain

in the smb.conf file do I need stuff like this?
Unix password sync = yes
passwd program = /some-path/to-a/script-which/synchronize-kerb-smb %u

in this program "synchronize-kerb-smb"
%u is the username and comes in as an argument, then request the password and read it 
in from STDIN.. ... then run a smbpasswd %u feeding the password.. and  then get a 
valid user/admin ticket using kinit for an account validated by a keytab .. then run 
kadmin.local -q 'cpw -pw $password $username' to synchronize with Kerberos

this has the potential to work (I think) but... I'm missing a few parts.. can a script 
like this synchronize passwords when they are forced to change their password at the 
client level.. say expire the user's password?  And what happens if they change their 
password using kpassword.. that has the potential to unsynchronize the passwords..

Also.. what about the adding machines trusts to the samba domain?.. I've seen where 
people use the:
add user script = /some/adduserscript -n -g machines -c Machine -d /dev/null -s /bin/false $m$

is there any way to change the LDAP suffix before adding a machine to the LDAP tree?.. 
In my current setup I have all users in an ou=people area.. and so my LDAP suffix = 
"ou=people, dc=domain".. but I don't want to add machines to this container.. I would 
rather put them in something like "ou=hosts, dc=domain"..
I have many more questions but don't want to change the topic too much...


Jonathan Higgins
Network Service Specialist IV
[EMAIL PROTECTED]



Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)

2002-10-31 Thread Yongjun Rong
Hi, Thank you very much for your reply.
  Some people think storing the sensitive information in the LDAP is not very 
secure. They think the sensitive information and the public information should be 
stored in separate place. So we want the samba PDC authentication can integrate the 
Kerberos authentication directly.
  John


Re: [Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)

2002-10-31 Thread Yura Pismerov

Here is what you could use:

LDAP with Kerberos password backend.
Samba 2.2.6 PDC with LDAP backend.

Windows passwords are stored in LDAP in samba object, not in Kerberos
KDC since they use incompatible encryption methods.

Use Kerberos passwords as primary source and synchronize Windows
passwords with them when a user changes his password or an administrator
resets it.

This setup will allow to use the same password across the board for Unix
shell access and email (via pam_ldap, nss_ldap and pam_krb5) and for
Windows access (via Samba PDC), and the same name space will be used
everywhere (via LDAP), so no mapping needed.

Of course it will require quite a few scripts to synchronize passwords,
create users in LDAP and Kerberos, etc. But it works...






[Samba] Re: Samba PDC and Kerberos(MIT or SEAM in Unix, without microsoft ADS)

2002-10-31 Thread Yongjun Rong
Hi, Andrew, 
   Thank you very much for your answer.
   Now our case is as below:
   1, our client machine is the windows 2000 
   2, We want our Kerberos run in the Unix box.
   3, We also want the samba as PDC for all windows user and machine.
   4, We want integrate the Kerberos Authentication with samba authentication.
   So in this situation, can we get the kerberos login from the windows 2000 client 
because the windows 2000 is support kerberos authentication. If it can, where can I 
start?
   I have already setup the environment for windows 2000 client authenticating 
himself to the Kerberos Realm in the Solaris and authenticate the samba domain user 
to the local windows 2k machine. But this two cases are separated from each other 
which means the kerberos authentication use the kerberos password and samba PDC 
authentication use the smbpasswd. And I can also map(using Ksetup /mapuser) the 
kerberos user to the local or samba domain user and then do the authentication to 
the kerberos. So we really want is, when we do the samba PDC authentication we can 
use the kerberos password. I don't know if it right. PLS correct me .
  Thank you very much.
  John

 Original Message 
From:   Andrew Bartlett
Date:   Mon 10/28/02 17:24
To: Yongjun Rong
Cc: [EMAIL PROTECTED]
Subject:Re: Samba and Kerberos(MIT or SEAM, without microsoft ADS)

Yongjun Rong wrote:
> 
> Hi, Andrew,
> This is John from Texas Tech University. I have read your reply about samba and
> kerberos. May I ask you some question about samba and Kerberos.
> 1, Is the samba can use the kerberos(Not with ADS, Just MIT or SEAM in Solaris)
> as the authentication services and store samba user and passwd in the kerberos
> database directly but not using OpenLDAP?

If you can get the clients to send you a kerberos login without using
ADS, then the modification is relatively simple, and is part of the work
towards an Active Directory replacement.

> 2, If it cannot, I know the samba has support the Kerberos with Microsoft ADS.
> Where can start to change the source to enable the support for MIT or SEAM in
> solaris? How can I do it? I have download the source of samba3.0alpha20. And I also
> have configure the samba as a PDC for my win2k client.

You can't do PDC stuff with this kind of setup, not until we get a *lot*
more Active Directory work done.

> 3, You said that samba should support the MIT kerberos. But not at this moment.
> Did it support kerberos in the older version or not? which version? If it was not
> support. I wish I can do something for it.
> Thank you very much for your help.
> John.

In a very old version, we used the host keytab.  Now we use our own
secrets.tdb file, which we maintain.  This is because in an ADS
environment, we need to do both NT authentication and Kerberos.

Please put questions to the list, so that others may see the replies. 
CC me if you want me to actually read it however :-)

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
