Re: [Samba] Samba PDC not in network environment (Windows 7/8)

2013-02-22 Thread Jörg Nissen
Something weird...

I connected one notebook to another samba (v3.5.5) network. Logged in as
a local user on the notebook and guess what. The complete network 
environment is shown. 
The main difference between these two networks, apart from the version
number of smbd, is that the working network is based on ldap while the
not working network is based on tdb.

Another small difference in smb.conf:

3.5.5:  name resolve order = bcast lmhosts host
3.6.12: name resolve order = wins bcast lmhosts hosts


Going to check if it has any impact if I remove "wins" from 
"name resolve order".

And another small difference:

In v3.5.5 computers are members of "Domain Users" while v3.6.12 
lists them in "Domain Computers". Also going to check if this makes 
any difference.

The last thing I will check is if it makes any difference when 
I login to a local account on my client.

Will keep you updated.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba PDC not in network environment (Windows 7/8)

2013-02-21 Thread Jörg Nissen
Jörg Nissen  nissen.de.hm> writes:

Looks like I'm talking to myself all the time. 
Anyway, solved this small problem.
Accidentally the parameter "client use spnego" was set to "no" during testing. 
Setting it back to "yes" made the client tools on the server behave normally.

Still looking for help on my starting post.




Re: [Samba] Samba PDC not in network environment (Windows 7/8)

2013-02-21 Thread Jörg Nissen
Something I came across. Don't know if it is related. Trying to connect to a 
Windows 8 share from my PDC results in

cli_session_setup: NT1 session setup failed: NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER

when "client NTLMv2 auth = yes" set in smb.conf. "smbtree" executed by a domain 
admin user lists all shares on PDC and nas but only the name of the client.

Changing settings to

client NTLMv2 auth = no
client lanman auth = yes

gives access to shares on the Windows 8 client. "smbtree" lists all 
administrative shares (C$, D$, etc.) on Windows 8 client.

---
There are some entries in the samba logfile for client "JOGO" which seem to be 
problem related:

[2013/02/21 12:17:27.638163,  0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2013/02/21 12:17:27.762403,  2] rpc_server/samr/srv_samr_nt.c:4071(_samr_LookupDomain)
  Returning domain sid for domain  -> S-1-5-21-3406496673-2355577635-1274693878
[2013/02/21 12:17:32.774569,  2] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/21 12:17:32.774681,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client JOGO machine account JOGO$
[2013/02/21 12:17:32.777495,  2] rpc_server/samr/srv_samr_nt.c:4071(_samr_LookupDomain)
  Returning domain sid for domain  -> S-1-5-21-3406496673-2355577635-1274693878
[2013/02/21 12:17:45.665467,  2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2013/02/21 12:18:03.168300,  2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2013/02/21 12:18:50.279081,  2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2013/02/21 12:21:36.293203,  2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
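
A check for the three client authentication settings named in the posts above ("client use spnego", "client NTLMv2 auth", "client lanman auth"), as an added example that is not part of the original messages or of Samba. It parses smb.conf text and reports where those settings are explicitly switched to the weaker value; the function names and both sample files are constructed for illustration.

```python
import re

TRUE_WORDS = {"yes", "true", "on", "1"}
FALSE_WORDS = {"no", "false", "off", "0"}

# normalized parameter -> (name as written in the posts, value to expect, effect otherwise)
CHECKS = {
    "clientntlmv2auth": ("client NTLMv2 auth", True,
                         "client answers with NTLM (and, if allowed, LANMAN) instead of NTLMv2"),
    "clientlanmanauth": ("client lanman auth", False,
                         "client tools may authenticate with the LANMAN password hash"),
    "clientusespnego": ("client use spnego", True,
                        "client does not negotiate the authentication mechanism via SPNEGO"),
}


def normalize(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalized_param: (value, line_no)}}; later lines win."""
    sections, current, pending = {}, None, ""
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#;"):
            continue                                  # blank line or comment
        line = pending + stripped
        if line.endswith("\\"):                       # value continues on the next line
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][normalize(name)] = (value.strip(), line_no)
    return sections


def audit_client_auth(text):
    """List (line_no, parameter, value, effect) for weakened client auth settings."""
    findings = []
    params = parse_smb_conf(text).get("global", {})
    for key, (label, expected, effect) in CHECKS.items():
        if key not in params:
            continue                                  # unset: the version default applies
        value, line_no = params[key]
        word = value.lower()
        if word not in TRUE_WORDS | FALSE_WORDS:
            findings.append((line_no, label, value, "not a boolean value"))
        elif (word in TRUE_WORDS) != expected:
            findings.append((line_no, label, value, effect))
    return sorted(findings)


# Constructed sample: the client settings tried in the posts above.
WORKAROUND = """\
[global]
   workgroup = EXAMPLE
   ; constructed sample, not a file from the thread
   client NTLMv2 auth = no
   Client Lanman Auth = Yes
   client use spnego = no
"""

# Constructed sample: the same settings switched back.
RESTORED = """\
[global]
   workgroup = EXAMPLE
   client NTLMv2 auth = yes
   client lanman auth = no
   client use spnego = yes
"""

if __name__ == "__main__":
    for line_no, label, value, effect in audit_client_auth(WORKAROUND):
        print(f"line {line_no}: {label} = {value}: {effect}")
    print("restored findings:", audit_client_auth(RESTORED))
```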




Re: [Samba] Samba PDC group list empty

2012-12-03 Thread Andrej Šimko
 I give all of your indexes in my conf but nothing changed:

ls -l *bdb
-rw--- 1 openldap openldap  61440 Dec  3 14:22 cn.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 dc.bdb
-rw--- 1 openldap openldap  28672 Dec  3 14:22 displayName.bdb
-rw--- 1 openldap openldap  40960 Dec  3 12:29 dn2id.bdb
-rw--- 1 openldap openldap   8192 Nov 22 10:42 entryCSN.bdb
-rw--- 1 openldap openldap   8192 Nov 22 10:42 entryUUID.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 gidNumber.bdb
-rw--- 1 openldap openldap  36864 Dec  3 14:22 givenName.bdb
-rw--- 1 openldap openldap 294912 Dec  3 13:10 id2entry.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 loginShell.bdb
-rw--- 1 openldap openldap  45056 Dec  3 14:22 mail.bdb
-rw--- 1 openldap openldap  69632 Dec  3 14:22 memberUid.bdb
-rw--- 1 openldap openldap  36864 Dec  3 14:22 objectClass.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 ou.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaDomainName.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaGroupType.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaPrimaryGroupSID.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaSID.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaSIDList.bdb
-rw--- 1 openldap openldap  40960 Dec  3 14:22 sn.bdb
-rw--- 1 openldap openldap  45056 Dec  3 14:22 uid.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 uidNumber.bdb
-rw--- 1 openldap openldap   8192 Nov 20 17:03 uniqueMember.bdb


Any other suggestion?


On Fri, Nov 30, 2012 at 6:16 PM, Harry Jede  wrote:

> On Thursday, 29 November 2012 you wrote:
> > I still don't understand why ldap search filter generated by samba ( I
> > have this from samba log ) cannot find anything in database:
> > smbldap_search_paged: base => [dc=gymsnv,dc=sk], filter =>
> > [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-
> > 21-2390795950-2727105968-4008069955*))],scope => [2], pagesize =>
> > [1024] [2012/11/29 18:15:14.227560,  3]
> > lib/smbldap.c:1591(smbldap_search_paged) smbldap_search_paged:
> > search was successful
> > [2012/11/29 18:15:14.227647,  3]
> > rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context:
> > destroying talloc pool of size 0
> >
> > If I remove sambaSID and try to find it in ldap, I will get all my
> > groups. Filter =
> > (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))
> >
> > Is this normal behavior or my ldap configuration can be incorrect?
> That's not normal.
>
> What indexes have you set?
> # ldapsearch -LLLY external -H ldapi:///  -b cn=config "(objectclass=*)"
>  olcDBIndex
>
> This are my indexes:
> dn: olcDatabase={1}hdb,cn=config
> olcDbIndex: objectClass eq
> olcDbIndex: uidNumber eq
> olcDbIndex: gidNumber eq
> olcDbIndex: loginShell eq
> olcDbIndex: uid eq,pres,sub
> olcDbIndex: memberUid eq,pres,sub
> olcDbIndex: uniqueMember eq,pres
> olcDbIndex: sambaSID eq
> olcDbIndex: sambaPrimaryGroupSID eq
> olcDbIndex: sambaGroupType eq
> olcDbIndex: sambaSIDList eq
> olcDbIndex: sambaDomainName eq
> olcDbIndex: displayName eq,sub
> olcDbIndex: givenName eq,sub
> olcDbIndex: mail eq,sub
> olcDbIndex: dhcpHWAddress eq
> olcDbIndex: dhcpClassData eq
> olcDbIndex: cn eq,pres,sub
> olcDbIndex: sn eq,pres,sub
> olcDbIndex: ou eq
> olcDbIndex: dc eq
> olcDbIndex: default sub
>
> And this shows the files:
> # cd /var/lib/ldap/
> # ls -l *bdb
> -rw--- 1 openldap openldap 32768 18. Nov 15:49 cn.bdb
> -rw--- 1 openldap openldap  8192  1. Jan 2012  dc.bdb
> -rw--- 1 openldap openldap  8192 18. Nov 15:49 dhcpHWAddress.bdb
> -rw--- 1 openldap openldap 24576 23. Aug 10:08 displayName.bdb
> -rw--- 1 openldap openldap 24576 18. Nov 15:49 dn2id.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 10:08 gidNumber.bdb
> -rw--- 1 openldap openldap  8192  1. Jun 21:57 givenName.bdb
> -rw--- 1 openldap openldap 98304 27. Nov 22:54 id2entry.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 10:08 loginShell.bdb
> -rw--- 1 openldap openldap  8192  1. Jun 21:57 mail.bdb
> -rw--- 1 openldap openldap  8192  1. Jun 2012  memberUid.bdb
> -rw--- 1 openldap openldap 16384 27. Nov 22:54 objectClass.bdb
> -rw--- 1 openldap openldap  8192  1. Jun 19:57 ou.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaDomainName.bdb
> -rw--- 1 openldap openldap  8192 10. Mai 2012  sambaGroupType.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaPrimaryGroupSID.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 10:08 sambaSID.bdb
> -rw--- 1 openldap openldap  8192 27. Nov 22:54 sambaSIDList.bdb
> -rw--- 1 openldap openldap  8192  1. Jun 21:57 sn.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 10:08 uid.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 10:08 uidNumber.bdb
> -rw--- 1 openldap openldap  8192  1. Jan 2012  uniqueMember.bdb
> root@capella:/var/lib/ldap#
>
> --
>
> Regards
> Harry Jede

Re: [Samba] Samba PDC group list empty

2012-11-30 Thread Harry Jede
On Thursday, 29 November 2012 you wrote:
> I still don't understand why ldap search filter generated by samba ( I
> have this from samba log ) cannot find anything in database:
> smbldap_search_paged: base => [dc=gymsnv,dc=sk], filter =>
> [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-
> 21-2390795950-2727105968-4008069955*))],scope => [2], pagesize =>
> [1024] [2012/11/29 18:15:14.227560,  3]
> lib/smbldap.c:1591(smbldap_search_paged) smbldap_search_paged:
> search was successful
> [2012/11/29 18:15:14.227647,  3]
> rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context:
> destroying talloc pool of size 0
> 
> If I remove sambaSID and try to find it in ldap, I will get all my
> groups. Filter =
> (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))
> 
> Is this normal behavior or my ldap configuration can be incorrect?
That's not normal.

What indexes have you set?
# ldapsearch -LLLY external -H ldapi:///  -b cn=config "(objectclass=*)"  
olcDBIndex

This are my indexes:
dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: displayName eq,sub
olcDbIndex: givenName eq,sub
olcDbIndex: mail eq,sub
olcDbIndex: dhcpHWAddress eq
olcDbIndex: dhcpClassData eq
olcDbIndex: cn eq,pres,sub
olcDbIndex: sn eq,pres,sub
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: default sub

And this shows the files:
# cd /var/lib/ldap/
# ls -l *bdb
-rw--- 1 openldap openldap 32768 18. Nov 15:49 cn.bdb
-rw--- 1 openldap openldap  8192  1. Jan 2012  dc.bdb
-rw--- 1 openldap openldap  8192 18. Nov 15:49 dhcpHWAddress.bdb
-rw--- 1 openldap openldap 24576 23. Aug 10:08 displayName.bdb
-rw--- 1 openldap openldap 24576 18. Nov 15:49 dn2id.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 gidNumber.bdb
-rw--- 1 openldap openldap  8192  1. Jun 21:57 givenName.bdb
-rw--- 1 openldap openldap 98304 27. Nov 22:54 id2entry.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 loginShell.bdb
-rw--- 1 openldap openldap  8192  1. Jun 21:57 mail.bdb
-rw--- 1 openldap openldap  8192  1. Jun 2012  memberUid.bdb
-rw--- 1 openldap openldap 16384 27. Nov 22:54 objectClass.bdb
-rw--- 1 openldap openldap  8192  1. Jun 19:57 ou.bdb
-rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaDomainName.bdb
-rw--- 1 openldap openldap  8192 10. Mai 2012  sambaGroupType.bdb
-rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaPrimaryGroupSID.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 sambaSID.bdb
-rw--- 1 openldap openldap  8192 27. Nov 22:54 sambaSIDList.bdb
-rw--- 1 openldap openldap  8192  1. Jun 21:57 sn.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 uid.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 uidNumber.bdb
-rw--- 1 openldap openldap  8192  1. Jan 2012  uniqueMember.bdb
root@capella:/var/lib/ldap# 

-- 

Regards
Harry Jede


Re: [Samba] Samba PDC group list empty

2012-11-29 Thread Andrej Šimko
Hello again,

I do not know what

On Tue, Nov 27, 2012 at 9:08 PM, Harry Jede  wrote:

> On 20:15:56 wrote Andrej Šimko:
> > net getdomainsid
> > SID for local machine HOST is:
> > S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is:
> > S-1-5-21-2390795950-2727105968-4008069955
> >
> > I compared my smb.conf with yours. I have "ldap suffix" before
> >  "ldap group suffix".
> >
> > I switched that but result still the same.
> >
> >  ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
> > dn: cn=admin,dc=example,dc=sk
> >
> > tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )
> >
> > ldapsearch -LLLY external -H ldapi:///
> > "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid
> > =users)))" 2>/dev/null
> > dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> > objectClass: sambaSidEntry
> > objectClass: sambaGroupMapping
> > sambaSID: S-1-5-32-545
> > sambaGroupType: 4
> > displayName: Users
> > gidNumber: 1
> > sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
>
> Sorry, that I haven't seen this in your mail at 09:07
>
> This is a working group object:
>
> # ldapsearch -LLLY external -H ldapi:///
> "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
> (uid=users)))"  2>/dev/null
> dn: cn=users,ou=groups,dc=europa,dc=xx
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 545
> cn: users
> description: Netbios Domain Users
> sambaSID: S-1-5-32-545
> sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
> sambaGroupType: 4
> displayName: Users
>
>
> The main difference is the objectclass posixGroup instead of
> sambaSidEntry.
> Samba Group Mapping is not a simple task. Your definition with
> objectclass=sambasidentry is not totally wrong, but the intended use is
> that you store your posixgroups in /etc/group or in NIS.
> With an LDAP backend that is not the best approach.
>
>
I don't understand what you are trying to say :(
Do you think that if I have all necessary groups in /etc/group or in NIS,
then the windows computer will find groups in domain?


I still don't understand why ldap search filter generated by samba ( I have
this from samba log ) cannot find anything in database:
  smbldap_search_paged: base => [dc=gymsnv,dc=sk], filter =>
[(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope
=> [2], pagesize => [1024]
[2012/11/29 18:15:14.227560,  3] lib/smbldap.c:1591(smbldap_search_paged)
  smbldap_search_paged: search was successful
[2012/11/29 18:15:14.227647,  3]
rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
  free_pipe_context: destroying talloc pool of size 0

If I remove sambaSID and try to find it in ldap, I will get all my groups.
Filter = (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))

Is this normal behavior or my ldap configuration can be incorrect?





> Here the three standard definitions with objectclass=posixgroup
>
> ###
> A primary group: posix and windows primary
> members should NOT be stored here
>
> dn: cn=teachers,ou=groups,dc=europa,dc=xx
> cn: teachers
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 1001
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
> sambaGroupType: 2
> displayName: teachers
>
> # getent group teachers
> teachers:*:1001:
>
> # net  rpc group members teachers
> # 
>
>
>
> ###
> A regular group in posix, a global group in windows
> members are stored in memberUid
>
> dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: DomainAdmins
> memberUid: Administrator
> memberUid: root
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
> sambaGroupType: 2
> displayName: Domain Admins
>
> # getent group domainadmins
> DomainAdmins:*:512:Administrator,root
>
>
> # Asking for the Windows name, which is stored in "displayName"
> # net rpc group members "domain admins"
> EUROPA\Administrator
> EUROPA\root
>
> # Asking for the posix name, which is stored in "cn"
> # net rpc group members domainadmins
> EUROPA\Administrator
> EUROPA\root
>
>
> ###
> A windows/samba builtin group
> no posix members
> Windows members must be stored in sambaSIDList. These types of groups
> will be used in Windows OS (client and/or server)
>
> # ldapsearch -LLLY external -H ldapi:///
> "(&(objectclass=sambaGroupMapping)(cn=administrators))"  2>/dev/null
> dn: cn=Administrators,ou=groups,dc=europa,dc=xx
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 544
> cn: Administrators
> description: Netbios Domain Members can fully administer the computer
> sambaSID: S-1-5-32-544
> sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
> sambaGroupType: 4
> displayName: Administrators
>
>
> # getent group administrators
> Administrators:*:544:
>
> # net rpc g

Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
On 20:15:56 wrote Andrej Šimko:
> net getdomainsid
> SID for local machine HOST is:
> S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is:
> S-1-5-21-2390795950-2727105968-4008069955
> 
> I compared my smb.conf with yours. I have "ldap suffix" before
>  "ldap group suffix".
> 
> I switched that but result still the same.
> 
>  ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
> dn: cn=admin,dc=example,dc=sk
> 
> tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )
> 
> ldapsearch -LLLY external -H ldapi:///
> "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid
> =users)))" 2>/dev/null
> dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 1
> sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

Sorry, that I haven't seen this in your mail at 09:07

This is a working group object:

# ldapsearch -LLLY external -H ldapi:///  
"(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
(uid=users)))"  2>/dev/null
dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users


The main difference is the objectclass posixGroup instead of 
sambaSidEntry.
Samba Group Mapping is not a simple task. Your definition with 
objectclass=sambasidentry is not totally wrong, but the intended use is 
that you store your posixgroups in /etc/group or in NIS.
With an LDAP backend that is not the best approach.

Here the three standard definitions with objectclass=posixgroup

###
A primary group: posix and windows primary
members should NOT be stored here

dn: cn=teachers,ou=groups,dc=europa,dc=xx
cn: teachers
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
sambaGroupType: 2
displayName: teachers

# getent group teachers
teachers:*:1001:

# net  rpc group members teachers
# 



###
A regular group in posix, a global group in windows
members are stored in memberUid

dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: DomainAdmins
memberUid: Administrator
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 2
displayName: Domain Admins

# getent group domainadmins
DomainAdmins:*:512:Administrator,root


# Asking for the Windows name, which is stored in "displayName"
# net rpc group members "domain admins"
EUROPA\Administrator
EUROPA\root

# Asking for the posix name, which is stored in "cn"
# net rpc group members domainadmins
EUROPA\Administrator
EUROPA\root


###
A windows/samba builtin group
no posix members
Windows members must be stored in sambaSIDList. These types of groups 
will be used in Windows OS (client and/or server)

# ldapsearch -LLLY external -H ldapi:///  
"(&(objectclass=sambaGroupMapping)(cn=administrators))"  2>/dev/null
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators


# getent group administrators
Administrators:*:544:

# net rpc group members administrators
EUROPA\Domain Admins

###
-- 

Regards
Harry Jede
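
The group layouts described in the message above, checked mechanically. This is an added example, not part of the original message and not code from Samba or smbldap-tools: it parses plain LDIF, emulates the group enumeration filter that smbd logs elsewhere in this thread, and flags entries that deviate from the posixGroup layout. The sample LDIF is assembled from entries quoted in the thread (one value is folded to exercise LDIF line continuation), and all function names are hypothetical.

```python
# Constructed sample: entries copied from the messages in this thread.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 1
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

dn: cn=teachers,ou=groups,dc=europa,dc=xx
cn: teachers
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
sambaSID: S-1-5-21-3958726613-3318811842-
 4132420312-3003
sambaGroupType: 2
displayName: teachers

dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: DomainAdmins
memberUid: Administrator
memberUid: root
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 2
displayName: Domain Admins
"""


def parse_ldif(text):
    """Parse plain (non-base64) LDIF into a list of {attr_lower: [values]}."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:          # folded continuation line
            current[last][-1] += line[1:]
        elif not line.strip():                     # blank line ends the entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif not line.startswith("#") and ":" in line:
            attr, value = line.split(":", 1)
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries


def has_class(entry, name):
    return name.lower() in (v.lower() for v in entry.get("objectclass", []))


def enum_filter_matches(entry, sid_prefix, group_type):
    """Emulate (&(objectclass=sambaGroupMapping)(sambaGroupType=N)(sambaSID=PREFIX*))."""
    return (has_class(entry, "sambaGroupMapping")
            and str(group_type) in entry.get("sambagrouptype", [])
            and any(sid.upper().startswith(sid_prefix.upper())
                    for sid in entry.get("sambasid", [])))


def enumerate_groups(entries, sid_prefix, group_type):
    """DNs the emulated enumeration filter would return."""
    return [e["dn"][0] for e in entries
            if enum_filter_matches(e, sid_prefix, group_type)]


def check_group(entry, domain_sid):
    """Compare one entry with the layouts described in the message above."""
    findings = []
    gtype = entry.get("sambagrouptype", [""])[0]
    sid = entry.get("sambasid", [""])[0]
    if not has_class(entry, "posixGroup"):
        findings.append("no posixGroup objectClass")
    if gtype == "2" and not sid.startswith(domain_sid + "-"):
        findings.append("domain group SID is outside the domain SID")
    if gtype == "4" and entry.get("memberuid"):
        findings.append("type 4 group has memberUid; members belong in sambaSIDList")
    return findings


if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_LDIF)
    europa = "S-1-5-21-3958726613-3318811842-4132420312"
    print(enumerate_groups(groups, europa, 2))
    for g in groups:
        print(g["dn"][0], check_group(g, europa))
```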

Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Andrej Šimko
net getdomainsid
SID for local machine HOST is: S-1-5-21-2390795950-2727105968-4008069955
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

I compared my smb.conf with yours. I have "ldap suffix" before
 "ldap group suffix".

I switched that but result still the same.

 ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=example,dc=sk

tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )

ldapsearch -LLLY external -H ldapi:///
"(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))"
2>/dev/null
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 1
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

ldapsearch -xLLL
"(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))"
dn
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk


I do not see anything bad, I do not have winbindd installed


On Tue, Nov 27, 2012 at 2:46 PM, Harry Jede  wrote:

> (displayname=users)(uid=users)))"  dn
>


Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
Hi Simo,
please post to the list !!!

> On Tue, Nov 27, 2012 at 9:56 AM, Harry Jede  wrote:
> > Hi Simo,
> > 
> > > Hi this is my listing:
> > > 
> > > net -U administrator rpc group members Administrators
> > > Enter administrator's password:
> > > Couldn't list alias members
> > 
> > Your samba server WILL not list the members of this global group,
> > mostly a security issue.
> 
> User administrator has all rights, so I don't think it is a security
> issue. Or do you know some checks that I could try?
> 
> > > ldapsearch -xLLL
> > > '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> > > (sambaSID=S-1-5-32*))'
> > > 
> > > ldapsearch -xLLL
> > > '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> > > (sambaSID=*))'
> > > dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> > > objectClass: sambaSidEntry
> > > objectClass: sambaGroupMapping
> > > sambaSID: S-1-5-32-545
> > > sambaGroupType: 4
> > > displayName: Users
> > > gidNumber: 1
> > > sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
> > 
> > Your LDAP client WILL list the group members.
> > 
> > > Do you know what does this mean?
> > 
> > The reason is often "wrong configured" smbldap-tools. Check the
> > /etc/smbldap-tools/smbldap.conf file for the wrong SID entry.
> 
> > SID in smbldap.conf is:
> SID="S-1-5-21-2390795950-2727105968-4008069955"
> 
> So that is correct.
> 
> > > > > net getdomainsid
> > > > > SID for local machine HOST is:
> > > > > S-1-5-21-2242576961-186067218-2214866780 SID for domain
> > > > > EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
> > 
> > Your server and your domain have different SIDs, that may be your
> > problem. Try:
> > # net setlocalsid S-1-5-21-2390795950-2727105968-4008069955
> > 
> > and restart samba.
> 
> Tried that, nothing changed.
Post:
net getdomainsid


Do the following steps (enclosed with ###) in order
###

I compared my smb.conf with yours. I have "ldap suffix" before
 "ldap group suffix".

ldap suffix  = dc=europa,dc=xx
ldap admin dn= cn=admin,dc=europa,dc=xx
ldap group suffix= ou=groups
ldap user suffix = ou=people,ou=accounts
ldap machine suffix  = ou=machines,ou=accounts

and I have NOT installed winbindd!

###
Check if you have the groups defined in LDAP and in /etc/groups. The 
groups should only be in LDAP.

###
check the admin account in ldap:

# ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=europa,dc=xx

Check that your ldap admin password is OK.
# tdbdump /var/lib/samba/secrets.tdb

look for:
{
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx"
data(12) = "ThePassword\00"
}



Try to bind with this password:
# ldapsearch -xLLL -D "cn=admin,dc=europa,dc=xx" -w ThePassword 
"(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
(uid=users)))"


Check if root get the same result:
# ldapsearch -LLLY external -H ldapi:///  
"(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
(uid=users)))"  2>/dev/null

###

at last, search for duplicate names:
# ldapsearch -xLLL "(&(objectclass=sambaGroupMapping)(|(cn=users)
(displayname=users)(uid=users)))"  dn



You should get one result.
> 
> > > Thanks.
> > 
> > --
> > 
> > regards
> > 
> > Harry Jede
> > 
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba


-- 

Regards
Harry Jede


Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
Hi Simo,
> Hi this is my listing:
> 
> net -U administrator rpc group members Administrators
> Enter administrator's password:
> Couldn't list alias members
Your samba server WILL not list the members of this global group, mostly 
a security issue.

> ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> (sambaSID=S-1-5-32*))'
> 
> ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> (sambaSID=*))'
> dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 1
> sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
Your LDAP client WILL list the group members.

> Do you know what does this mean?
The reason is often "wrong configured" smbldap-tools. Check the 
/etc/smbldap-tools/smbldap.conf file for the wrong SID entry.

> > > net getdomainsid
> > > SID for local machine HOST is:
> > > S-1-5-21-2242576961-186067218-2214866780 SID for domain EXAMPLE
> > > is: S-1-5-21-2390795950-2727105968-4008069955
Your server and your domain have different SIDs, that may be your 
problem. Try:
# net setlocalsid S-1-5-21-2390795950-2727105968-4008069955

and restart samba.



> Thanks.

-- 

regards
Harry Jede


Re: [Samba] Samba PDC group list empty

2012-11-26 Thread L . P . H . van Belle
Hi, 

The debian 3.5.6 is buggy, use the 3.6.6 version from backports, fixed my 
problems also. 

Louis


 

>-----Original message-----
>From: andrej.si...@gmail.com 
>[mailto:samba-boun...@lists.samba.org] On behalf of Andrej Šimko
>Sent: Friday, 23 November 2012 9:11
>To: samba@lists.samba.org
>Subject: [Samba] Samba PDC group list empty
>
>Dear samba users,
>
>I have very strange problem. I have Samba PDC up and running, but only
>thing is missing. I cannot see any Domain Groups at all.
>Here is my config:
>
>Debian Squeeze:
>ii  samba             2:3.5.6~dfsg-3squeeze8  SMB/CIFS file, print, and login server for Unix
>ii  samba-common      2:3.5.6~dfsg-3squeeze8  common files used by both the Samba server and client
>ii  samba-common-bin  2:3.5.6~dfsg-3squeeze8  common files used by both the Samba server and client
>ii  samba-doc         2:3.5.6~dfsg-3squeeze8  Samba documentation
>
>/etc/samba/smb.conf
>[global]
>dos charset = CP852
>unix charset = UTF8
>display charset = UTF8
>workgroup = EXAMPLE
>server string = %h server
>map to guest = Bad User
>passdb backend = ldapsam:ldap://127.0.0.1/
>pam password change = Yes
>passwd program = /usr/sbin/smbldap-passwd -u %u
>passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>*all*authentication*tokens*updated*
>syslog = 0
>time server = Yes
>log file = /var/log/samba/samba.log
>log level = 3
>max log size = 1000
>socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>add user script = /usr/sbin/smbldap-useradd -m %u -d /home/%u %u
>delete user script = /usr/sbin/smbldap-userdel %u -r %u
>add group script = /usr/sbin/smbldap-groupadd -p %g
>delete group script = /usr/sbin/smbldap-groupdel %g
>add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>add machine script = /usr/sbin/smbldap-useradd -w %u
>logon script = logon.bat
>domain logons = Yes
>os level = 10
>preferred master = Yes
>domain master = Yes
>dns proxy = No
>wins support = Yes
>ldap admin dn = cn=admin,dc=example,dc=sk
>ldap delete dn = Yes
>ldap group suffix = ou=Groups
>ldap idmap suffix = ou=Idmap
>ldap machine suffix = ou=Computers
>ldap suffix = dc=example,dc=sk
>ldap ssl = no
>ldap user suffix = ou=Users
>panic action = /usr/share/samba/panic-action %d
>map acl inherit = Yes
>case sensitive = No
>hide unreadable = Yes
>map hidden = Yes
>map system = Yes
>
>[homes]
>comment = Home Directories
>valid users = %S
>read only = No
>create mask = 0644
>directory mask = 0700
>browseable = No
>path = /data/samba/homes
>
>[netlogon]
>comment = Network Logon Service
>path = /data/samba/netlogon
>read only = No
>guest ok = Yes
>locking = No
>share modes = No
>
>[profiles]
>comment = Users profiles
>path = /data/samba/profiles
>read only = No
>create mask = 0600
>directory mask = 0700
>hide files = /desktop.ini/
>browseable = No
>
>/etc/nsswitch.conf
># /etc/nsswitch.conf
>#
># Example configuration of GNU Name Service Switch functionality.
># If you have the `glibc-doc-reference' and `info' packages installed, try:
># `info libc "Name Service Switch"' for information about this file.
>
>passwd: compat ldap
>group:  compat ldap
>shadow: compat ldap
>
>hosts:  files dns
>networks:   files
>
>protocols:  db files
>services:   db files
>ethers: db files
>rpc:db files
>
>netgroup:   nis
>
>/etc/ldap/ldap.conf
>#
># LDAP Defaults
>#
>
># See ldap.conf(5) for details
># This file should be world readable but not world writable.
>host 127.0.0.1
>base dc=example,dc=sk
>binddn cn=admin,dc=example,dc=sk
>bindpw secret
>bind_policy soft
>pam_password exop
>timelimit 15
>
>nss_base_passwd ou=Users,dc=example,dc=sk
>nss_base_shadow ou=Users,dc=example,dc=sk
>nss_base_group  ou=Groups,dc=example,dc=sk
>
>net getdomainsid
>SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
>SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
>
>net groupmap list
>Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain Admins
>Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) -> Domain Users
>Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain Guests
>Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) -> Domain Computers
>Administrators (S-1-5-32-544) -> Administrators
>Account Operators (S-1-5-32-548) -> Account Operators
>Print Operators (S-1-5-32-550) -> Print Operators
>Backup Operators (S-1-5-32-551) -> Backup Operators
>Replicators (S-1-5-32-552) -> Replicators
>
>
>The strange thing is, if I try on Win XP to search groups, I see in logs:
>smbldap_search_paged: base => [dc=example,dc=sk], filter =>
>[(&(objectclass=sambaGr

Re: [Samba] Samba PDC group list empty

2012-11-23 Thread Harry Jede
On 18:32:29 wrote Andrej Šimko:
> Dear samba users,
> 
> I have very strange problem. I have Samba PDC up and running, but
> only thing is missing. I cannot see any Domain Groups at all.

...

> net getdomainsid
> SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
> SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
> 
> net groupmap list
> Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain Admins
> Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) -> Domain Users
> Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain Guests
> Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) -> Domain Computers
> Administrators (S-1-5-32-544) -> Administrators
> Account Operators (S-1-5-32-548) -> Account Operators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> 
> 
> The strange thing is, if I try on Win XP to search groups, I see in logs:
> smbldap_search_paged: base => [dc=example,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope => [2], pagesize => [1024]
>   smbldap_search_paged: base => [dc=example,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope => [2], pagesize => [1024]
>   smbldap_search_paged: base => [dc=example,dc=sk], filter => [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-3

# net help rpc group 
Usage:
net rpc group
Alias for net rpc group list global local builtin
net rpc group add
Create specified group
net rpc group delete
Delete specified group
net rpc group addmem
Add member to group
net rpc group delmem
Remove member from group
net rpc group list
List groups
net rpc group members
List group members
net rpc group rename
Rename group

# net -U root rpc group members Administrators
EUROPA\Domain Admins


view this output:

# ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-32*))'
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
memberUid: Administrator
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators

dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users

dn: cn=guests,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 546
cn: guests
memberUid: nobody
description: Netbios Domain Guests
sambaSID: S-1-5-32-546
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-514
sambaGroupType: 4
displayName: Guests

dn: cn=AccountOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: AccountOperators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 4
displayName: Account Operators

dn: cn=PrintOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: PrintOperators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 4
displayName: Print Operators

dn: cn=BackupOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: BackupOperators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 4
displayName: Backup Operators

dn: cn=Replicators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 4
displayName: Replicators


> If I try to search in ldap with that filter, I always get zero
> matches.
> 
> I also tried to use wbinfo, wbinfo -u list all my users, wbinfo -g
> list is empty. If I try getent passwd and getent group I see all my
> users and groups.
> Can somebody help me with this?
> 
> Thank you!


-- 

Gruss
Harry Jede
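
An added example, not part of either post: a Python check that applies the three clauses of the filter Samba logged above to LDIF entries (as `ldapsearch -xLLL` prints them) and reports which clause each group entry fails. The sample LDIF and group names are constructed; only the two SIDs, the `S-1-5-32` prefix and the filter shape come from the thread.

```python
"""Show which clause of Samba's group-search LDAP filter each LDIF entry fails."""
import base64

# Domain SID as quoted in the thread; the LDIF below is constructed sample data.
DOMAIN_SID = "S-1-5-21-2390795950-2727105968-4008069955"

SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=example,dc=sk
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
description: Netbios Domain
  Administrators
sambaSID: S-1-5-21-2390795950-2727105968-4008069955-512
sambaGroupType: 2

dn: cn=staff,ou=Groups,dc=example,dc=sk
objectClass: posixGroup
cn: staff
gidNumber: 1001

dn: cn=oldgroup,ou=Groups,dc=example,dc=sk
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: oldgroup
gidNumber: 1002
sambaSID: S-1-5-21-2242576961-186067218-2214866780-3005
sambaGroupType: 2

dn: cn=Administrators,ou=Groups,dc=example,dc=sk
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Administrators
gidNumber: 544
sambaSID: S-1-5-32-544
sambaGroupType: 4
"""

# The searches from the log: domain groups (type 2) and aliases (type 4) under
# the domain SID, plus aliases under S-1-5-32 as in the ldapsearch of the reply.
SEARCHES = [(2, DOMAIN_SID), (4, DOMAIN_SID), (4, "S-1-5-32")]


def parse_ldif(text):
    """Return entries as dicts: lower-cased attribute name -> list of values."""
    entries, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if not raw.strip():                      # blank line ends an entry
            if "dn" in current:
                entries.append(current)
            current, last = {}, None
        elif raw.startswith("#"):                # LDIF comment
            continue
        elif raw.startswith(" ") and last:       # folded line: drop one space, append
            current[last][-1] += raw[1:]
        else:
            name, _, value = raw.partition(":")
            if value.startswith(":"):            # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            last = name.strip().lower()
            current.setdefault(last, []).append(value.strip())
    return entries


def check_entry(entry, group_type, sid_prefix):
    """Return the filter clauses this entry fails; an empty list means it matches."""
    failed = []
    classes = {v.lower() for v in entry.get("objectclass", [])}
    if "sambagroupmapping" not in classes:
        failed.append("objectclass=sambaGroupMapping")
    if str(group_type) not in entry.get("sambagrouptype", []):
        failed.append(f"sambaGroupType={group_type}")
    if not any(sid.startswith(sid_prefix) for sid in entry.get("sambasid", [])):
        failed.append(f"sambaSID={sid_prefix}*")
    return failed


def explain(ldif_text, searches):
    """Map each (group_type, sid_prefix) search to {dn: failed clauses}."""
    entries = parse_ldif(ldif_text)
    return {
        (gtype, prefix): {e["dn"][0]: check_entry(e, gtype, prefix) for e in entries}
        for gtype, prefix in searches
    }


if __name__ == "__main__":
    for (gtype, prefix), result in explain(SAMPLE_LDIF, SEARCHES).items():
        print(f"filter: sambaGroupType={gtype}, sambaSID={prefix}*")
        for dn, failed in result.items():
            status = "MATCH" if not failed else "miss "
            print(f"  {status} {dn}  {'; '.join(failed)}")
```

Feed it the output of `ldapsearch -xLLL '(objectClass=posixGroup)'` in place of `SAMPLE_LDIF` to see, per group, whether the object class, the group type or the SID prefix keeps it out of the result.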

Re: [Samba] Samba PDC: Admin tools?

2012-08-30 Thread steve

On 30/08/12 18:57, Gaiseric Vandal wrote:
> I use apache directory studio for LDAP management.  It is not samba
> specific but  it is easy enough to use existing user, group or machine
> objects as templates for new ones.  It runs on Windows and Linux (and
> maybe on Mac.)
>
> On 08/25/12 16:39, John Drescher wrote:
>> On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno wrote:
>>>  Guys.
>>>
>>>  I have use smbldap-tools to handle my accounts for my PDC with samba+openldap.
>>>
>>>  Now, I ask here because a lot of people have PDC running on their
>>> networks, what tools do u use to manage your openldap db for samba:
>>> users, machines, groups?
>>>
>>>  Working with Centos 6.x.
>>>
>>>  Any input will be appreciated, thanks!!!
>>
>> I use ldap account manager to manage my users / machines / group accounts.
>>
>> John

Hi
openSUSE's yast has a really nice and little known frontend to LDAP 
which handles samba objects too. You can point and click your way 
through adding/deleting samba specific users and groups. It also has an 
LDAP browser similar to phpldapadmin. I'm not sure if Yast will fire up 
on Centos but may be worth a look.

Cheers,
Steve



Re: [Samba] Samba PDC: Admin tools?

2012-08-30 Thread Gaiseric Vandal
I use apache directory studio for LDAP management.  It is not samba
specific but  it is easy enough to use existing user, group or machine
objects as templates for new ones.  It runs on Windows and Linux (and
maybe on Mac.)



On 08/25/12 16:39, John Drescher wrote:
> On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno  wrote:
>>  Guys.
>>
>>  I have use smbldap-tools to handle my accounts for my PDC with 
>> samba+openldap.
>>
>>  Now, I ask here because a lot of people have PDC running on their
>> networks, what tools do u use to manage your openldap db for samba:
>> users, machines, groups?
>>
>>  Working with Centos 6.x.
>>
>>  Any input will be appreciated, thanks!!!
>>
> I use ldap account manager to manage my users / machines / group accounts.
>
> John




Re: [Samba] Samba PDC: Admin tools?

2012-08-25 Thread John Drescher
On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno  wrote:
>  Guys.
>
>  I have use smbldap-tools to handle my accounts for my PDC with 
> samba+openldap.
>
>  Now, I ask here because a lot of people have PDC running on their
> networks, what tools do u use to manage your openldap db for samba:
> users, machines, groups?
>
>  Working with Centos 6.x.
>
>  Any input will be appreciated, thanks!!!
>
I use ldap account manager to manage my users / machines / group accounts.

John


Re: [Samba] Samba PDC and Local Group Policies on XP

2012-08-01 Thread Daniel Müller
What did you use kixtart,poledit...?
It seems that you did not set the rights on your netlogon the right way!?

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of benedikt.wies...@bw-systems.net
Sent: Monday, 30 July 2012 18:39
To: samba@lists.samba.org
Subject: [Samba] Samba PDC and Local Group Policies on XP

Hi *,

I have reinstalled a server with the newest version of samba and configured
it as PDC based on this tutorial
(http://www.nicht-blau.de/2010/12/28/howto-samba-3-5-6-pdc-primary-domain-controller-und-windows-7-2/).

I then copied the old profiles folder onto the new server and set the
permissions. However, before the reinstallation every Domainuser in the
Domain accepted the Group Policies I set up at every Win XP computer (i.e.
Setting a specific Wallpaper, Setting a specific design, deny access to
system controls) and now they are consequently ignored.

Example:

I log on as Administrator (locally):
- I have no access to system controls
- I have my Wallpaper
- I have my Design
(Group policies are working)

I log on as Domainuser:
- I have full rights, I can do everything
- I have a blue Wallpaper
- Nothing happened to the design

What the hell is going wrong? Why does a Domainuser have more rights than the
administrator and why do the group policies do nothing?

I hope somebody can help me.




Re: [Samba] Samba PDC with Windows 7 support request

2012-03-28 Thread Gaiseric Vandal
On 02/16/12 06:21, Dermot wrote:
> 2012/1/31 Jiří Procházka :
>> Dear Samba support team,
>>
>> I have a question on Samba 3.5.8 please, which is not solved by searching
>> the forums. I tried all suggested solutions, but nothing take effect.
>>
> ...
>> Domain users experience a slow login performance on Windows 7 clients that
>> are
>> joined into a samba domain (Samba version 3.5.4). The Windows 7 client was
>> joined successfully into the domain with the Windows 7 registry settings
>> adjusted according to http://wiki.samba.org/index.php/Windows7
>> (DomainCompatibilityMode = 0 and DNSNameResolutionRequired = 0).
> ...
>
> I have had similar problems. I was referred to the message in the
> mailing list archive [1]. I have applied what was described - used
> gpedit.msc -  this but I am still experiencing slow login times,
> exactly 40 seconds on each workstation.
>
> I just checked on one workstation where the user had a jpeg as his
> desktop background, I mention this because there are references to a
> Window7 bug about slow login and a plain desktop, and that has the
> correct group policy setting and still the login time was exactly 40
> seconds.
>
> I too would be interested in hearing what others have to say on this.
> Thanks,
> Dermot.
>
> 1) http://www.mail-archive.com/samba@lists.samba.org/msg104494.html


Are you using roaming profiles ? 
Are you using offline folders-  I had problems with offline folders and
Windows 7-  it could break offline authentication. 

Does the Windows event log show anything about problems locating a
domain controller? 




Re: [Samba] samba PDC/NIS client

2012-03-12 Thread Tony Molloy
On Monday 12 March 2012 17:33:28 Simon Matthews wrote:
> On Sun, Mar 11, 2012 at 4:09 AM, Tony Molloy wrote:
> > On Sunday 11 March 2012 05:31:35 Simon Matthews wrote:
> > > On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal
> > > 
> > > wrote:
> > > > Do you have password sync enabled?  If password sync is
> > > > enabled, samba will try to use the passwd command to set the
> > > > unix password.  But with nis, you probably might need
> > > > something nis specific. On solaris it was "passwd -r nis" -
> > > > not sure about linux.  Probably better to just disable
> > > > password sync.
> > 
> > I've got a very similar setup to you. Except I use a smbpasswd
> > file.
> > 
> > > No, I don't have this option enabled. I am not sure how it is
> > > relevant. Problem summary:
> > > The samba PDC is an NIS client
> > > "getent passwd" returns the passwd data.
> > > The user's SAMBA password was set  using smbpasswd
> > > The user's NIS passwd was set using yppasswd
> > 
> > So far all the same.
> > 
> > > ALL I had to do to allow domain logins was:
> > > ypcat passwd | grep  >> /etc/passwd
> > 
> > Why duplicate the password entries. I just have them in NIS and
> > /etc/passwd just has the system passwords.
> > 
> > > Note that after copying the user details to /etc/passwd, the
> > > password that was set with "smbpasswd" was the password that
> > > was used with the successful domain login.
> > 
> > Don't really understand what you mean by "domain logins"
> > 
> > 1.  Create the user under linux first
> > 2.  Use smbpasswd to add the user to samba
> > 
> > You now have a user in both linux and samba but remember the
> > passwords are stored separately, changing one does not change
> > the other.
> > 
> > 3.   Edit /etc/nsswitch.conf. Set
> > 
> > passwd: files nis
> > shadow: files
> 
> Removing the "nis" entry from "shadow:" in /etc/nsswitch.conf
> solved the issue. I don't understand why, but it did.
> 
> Simon


The shadow file /etc/shadow stores the passwords associated with the 
entries in the password file /etc/passwd.

It has nothing to do with the NIS password database which stores the 
passwords in the actual database entries.

Tony
> 
> > That works for me. YMMV
> > 
> > Tony
> > 
> > > Simon
> > 

Re: [Samba] samba PDC/NIS client

2012-03-12 Thread Gaiseric Vandal
If your NIS passwd file did NOT have a valid password, maybe samba or 
unix was rejecting logins as a security measure.




On 03/12/12 13:33, Simon Matthews wrote:
> On Sun, Mar 11, 2012 at 4:09 AM, Tony Molloy wrote:
>> On Sunday 11 March 2012 05:31:35 Simon Matthews wrote:
>>> On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal wrote:
>>>> Do you have password sync enabled?  If password sync is
>>>> enabled, samba will try to use the passwd command to set the
>>>> unix password.  But with nis, you probably might need something
>>>> nis specific. On solaris it was "passwd -r nis" -  not sure
>>>> about linux.  Probably better to just disable password sync.
>>
>> I've got a very similar setup to you. Except I use a smbpasswd file.
>>
>>> No, I don't have this option enabled. I am not sure how it is
>>> relevant. Problem summary:
>>> The samba PDC is an NIS client
>>> "getent passwd" returns the passwd data.
>>> The user's SAMBA password was set  using smbpasswd
>>> The user's NIS passwd was set using yppasswd
>>
>> So far all the same.
>>
>>> ALL I had to do to allow domain logins was:
>>> ypcat passwd | grep  >>  /etc/passwd
>>
>> Why duplicate the password entries. I just have them in NIS and
>> /etc/passwd just has the system passwords.
>>
>>> Note that after copying the user details to /etc/passwd, the
>>> password that was set with "smbpasswd" was the password that was
>>> used with the successful domain login.
>>
>> Don't really understand what you mean by "domain logins"
>>
>> 1.  Create the user under linux first
>> 2.  Use smbpasswd to add the user to samba
>>
>> You now have a user in both linux and samba but remember the passwords
>> are stored separately, changing one does not change the other.
>>
>> 3.   Edit /etc/nsswitch.conf. Set
>>
>> passwd: files nis
>> shadow: files
>
> Removing the "nis" entry from "shadow:" in /etc/nsswitch.conf solved the
> issue. I don't understand why, but it did.
>
> Simon
>
>> That works for me. YMMV
>>
>> Tony
>>
>>> Simon



Re: [Samba] samba PDC/NIS client

2012-03-12 Thread Simon Matthews
On Sun, Mar 11, 2012 at 4:09 AM, Tony Molloy  wrote:

> On Sunday 11 March 2012 05:31:35 Simon Matthews wrote:
> > On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal
> >
> > wrote:
> > > Do you have password sync enabled?  If password sync is
> > > enabled, samba will try to use the passwd command to set the
> > > unix password.  But with nis, you probably might need something
> > > nis specific. On solaris it was "passwd -r nis" -  not sure
> > > about linux.  Probably better to just disable password sync.
> >
>
> I've got a very similar setup to you. Except I use a smbpasswd file.
>
> > No, I don't have this option enabled. I am not sure how it is
> > relevant. Problem summary:
> > The samba PDC is an NIS client
> > "getent passwd" retruns the passwd data.
> > "getent passwd" returns the passwd data.
> > The user's NIS passwd was set using yppasswd
>
> So far all the same.
>
> > ALL I had to do to allow domain logins was:
> > ypcat passwd | grep  >> /etc/passwd
>
> Why duplicate the password entries. I just have them in NIS and
> /etc/passwd just has the system passwords.
>
> > Note that after copying the user details to /etc/passwd, the
> > password that was set with "smbpasswd" was the password that was
> > used with the successful domain login.
>
> Don't really understand what you mean by "domain logins"
>
> 1.  Create the user under linux first
> 2.  Use smbpasswd to add the user to samba
>
> You now have a user in both linux and samba but remember the passwords
> are stored separately, changing one does not change the other.
>
> 3.   Edit /etc/nsswitch.conf. Set
>
> passwd: files nis
> shadow: files
>


Removing the "nis" entry from "shadow:" in /etc/nsswitch.conf solved the
issue. I don't understand why, but it did.

Simon

>
> That works for me. YMMV
>
> Tony
>
> >
> > Simon
>


Re: [Samba] samba PDC/NIS client

2012-03-11 Thread Tony Molloy
On Sunday 11 March 2012 05:31:35 Simon Matthews wrote:
> On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal
> 
> wrote:
> > Do you have password sync enabled?  If password sync is
> > enabled, samba will try to use the passwd command to set the
> > unix password.  But with nis, you probably might need something
> > nis specific. On solaris it was "passwd -r nis" -  not sure
> > about linux.  Probably better to just disable password sync.
> 

I've got a very similar setup to you. Except I use a smbpasswd file.

> No, I don't have this option enabled. I am not sure how it is
> relevant. Problem summary:
> The samba PDC is an NIS client
> "getent passwd" returns the passwd data.
> The user's SAMBA password was set  using smbpasswd
> The user's NIS passwd was set using yppasswd

So far all the same.

> ALL I had to do to allow domain logins was:
> ypcat passwd | grep  >> /etc/passwd

Why duplicate the password entries. I just have them in NIS and 
/etc/passwd just has the system passwords.

> Note that after copying the user details to /etc/passwd, the
> password that was set with "smbpasswd" was the password that was
> used with the successful domain login.

Don't really understand what you mean by "domain logins"

1.  Create the user under linux first
2.  Use smbpasswd to add the user to samba

You now have a user in both linux and samba but remember the passwords 
are stored separately, changing one does not change the other.

3.   Edit /etc/nsswitch.conf. Set

passwd: files nis
shadow: files

That works for me. YMMV

Tony

> 
> Simon



Re: [Samba] samba PDC/NIS client

2012-03-10 Thread Simon Matthews
On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal
wrote:

> Do you have password sync enabled?  If password sync is enabled, samba
> will try to use the passwd command to set the unix password.  But with
> nis, you probably might need something nis specific. On solaris it was
> "passwd -r nis" -  not sure about linux.  Probably better to just disable
> password sync.
>

No, I don't have this option enabled. I am not sure how it is relevant.
Problem summary:
The samba PDC is an NIS client
"getent passwd" returns the passwd data.
The user's SAMBA password was set  using smbpasswd
The user's NIS passwd was set using yppasswd
ALL I had to do to allow domain logins was:
ypcat passwd | grep  >> /etc/passwd
Note that after copying the user details to /etc/passwd, the password that
was set with "smbpasswd" was the password that was used with the successful
domain login.

Simon



> From: Simon Matthews [mailto:simon.d.matth...@gmail.com]
> Sent: Friday, March 09, 2012 4:04 PM
> To: gaiseric.van...@gmail.com
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] samba PDC/NIS client
>
> On Fri, Mar 9, 2012 at 6:15 AM, Gaiseric Vandal wrote:
>
> I don't think this is a samba issue.   Samba accounts need to have a
> corresponding unix account.   Shouldn't matter if they are in NIS or
> /etc/passwd.   If you have users in both it could get a problem.
>
> Is "getent passwd" really showing the users from NIS?
>
> Yes.  In fact, for those users who are in both the /etc/passwd and nis
> tables, it shows both entries (and the details match between both entries)
>
> How about "getent shadow" (assuming a linux machine and not solaris,
>
> No, this only shows the users with entries in /etc/shadow. However:
>
> 1. getent passwd includes the hashed passwords of users in the nis tables
>
> 2. It was not necessary to add the user to /etc/shadow in order to allow
> samba domain logins. All I had to do was add the user to /etc/passwd.
>
> and probably doesn't matter anyway.)   Do you have an /etc/nsswitch.conf
> entry for
>
>    shadow:  files nis
>
> Yes
>
> Are you missing the : in the nsswitch.conf entries?
>
> No.
>
> Are your user names all in lower case?  Are they all 8 characters or under.
>
> Yes.
>
> Simon
>
> On 03/08/12 22:46, Simon Matthews wrote:
>
> I have a server which is a samba PDC and has recently been converted to an
> NIS client. For historic reasons, many users login information is in the
> local machine's /etc/passwd and /etc/shadow files.
>
> samba is set up to use a tdbsam database.
>
> I got the first indication of problems when I tried to add a user using the
> smbpasswd -a command. I found that smbpasswd would not recognize the user
> unless either the username was in the /etc/passwd file, or I changed
> /etc/nsswitch.conf from
> passwd compat
> TO:
> passwd files nis
>
> However, if I make the latter change, the user cannot log into any Windows
> machines that are controlled by my PDC. To allow logins, all I have to do
> is
> ypcat passwd | grep  >>  /etc/passwd
> After this, the user can log in.
>
> Is there any configuration of samba that will allow it to properly
> recognize user data from the NIS map and not require the user to be listed
> in the /etc/passwd file?
>
> Simon


Re: [Samba] samba PDC/NIS client

2012-03-10 Thread Gaiseric Vandal
Do you have password sync enabled?  If password sync is enabled, samba
will try to use the passwd command to set the unix password.  But with  nis,
you probably might need something nis specific. On solaris it was "passwd -r
nis" -  not sure about linux.  Probably better to just disable password
sync.

 

 

 

From: Simon Matthews [mailto:simon.d.matth...@gmail.com] 
Sent: Friday, March 09, 2012 4:04 PM
To: gaiseric.van...@gmail.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba PDC/NIS client

 

 

On Fri, Mar 9, 2012 at 6:15 AM, Gaiseric Vandal 
wrote:

I don't think this is a samba issue.   Samba accounts need to have a
corresponding unix account.   Shouldn't matter if they are in NIS or
/etc/passwd.   If you have users in both it could get a problem.

Is "getent passwd" really showing the users from NIS?

 

Yes.  In fact, for those users who are in both the /etc/passwd and nis
tables, it shows both entries (and the details match between both entries)

 

 How about "getent shadow" (assuming a linux machine and not solaris,

 

No, this only shows the users with entries in /etc/shadow. However:

1. getent passwd includes the hashed passwords of users in the nis tables

2. It was not necessary to add the user to /etc/shadow in order to allow
samba domain logins. All I had to do was add the user to /etc/passwd.

 

and probably doesn't matter anyway.)   Do you have an /etc/nsswitch.conf
entry for

   shadow:  files nis

Yes 



Are you missing the : in the nsswitch.conf entries?

No. 


Are your user names all in lower case?  Are they all 8 characters or under.

 

 Yes. 

 

Simon








On 03/08/12 22:46, Simon Matthews wrote:

I have a server which is a samba PDC and has recently been converted to an
NIS client. For historic reasons, many users login information is in the
local machine's /etc/passwd and /etc/shadow files.

samba is set up to use a tdbsam database.

I got the first indication of problems when I tried to add a user using the
smbpasswd -a command. I found that smbpasswd would not recognize the user
unless either the username was in the /etc/passwd file, or I changed
/etc/nsswitch.conf from
passwd compat
TO:
passwd files nis

However, if I make the latter change, the user cannot log into any Windows
machines that are controlled by my PDC. To allow logins, all I have to do is
ypcat passwd | grep  >>  /etc/passwd
After this, the user can log in.

Is there any configuration of samba that will allow it to properly
recognize user data from the NIS map and not require the user to be listed
in the /etc/passwd file?

Simon

 



Re: [Samba] samba PDC/NIS client

2012-03-09 Thread Simon Matthews
On Fri, Mar 9, 2012 at 6:15 AM, Gaiseric Vandal
wrote:

> I don't think this is a samba issue.   Samba accounts need to have a
> corresponding unix account.   Shouldn't matter if they are in NIS or
> /etc/passwd.   If you have users in both it could get a problem.
>
> Is "getent passwd" really showing the users from NIS?


Yes.  In fact, for those users who are in both the /etc/passwd and nis
tables, it shows both entries (and the details match between both entries)

 How about "getent shadow" (assuming a linux machine and not solaris,


No, this only shows the users with entries in /etc/shadow. However:
1. getent passwd includes the hashed passwords of users in the nis tables
2. It was not necessary to add the user to /etc/shadow in order to allow
samba domain logins. All I had to do was add the user to /etc/passwd.


> and probably doesn't matter anyway.)   Do you have an /etc/nsswitch.conf
> entry for
>
>shadow:  files nis
>
Yes

>
>
> Are you missing the : in the nsswitch.conf entries?
>
No.

>
> Are your user names all in lower case?  Are they all 8 characters or under.


 Yes.

Simon

>
>
>
>
>
>
>
> On 03/08/12 22:46, Simon Matthews wrote:
>
>> I have a server which is a samba PDC and has recently been converted to an
>> NIS client. For historic reasons, many users login information is in the
>> local machine's /etc/passwd and /etc/shadow files.
>>
>> samba is set up to use a tdbsam database.
>>
>> I got the first indication of problems when I tried to add a user using
>> the
>> smbpasswd -a command. I found that smbpasswd would not recognize the user
>> unless either the username was in the /etc/passwd file, or I changed
>> /etc/nsswitch.conf from
>> passwd compat
>> TO:
>> passwd files nis
>>
>> However, if I make the latter change, the user cannot log into any Windows
>> machines that are controlled by my PDC. To allow logins, all I have to do
>> is
>> ypcat passwd | grep  >>  /etc/passwd
>> After this, the user can log in.
>>
>> Is there any configuration of samba that will allow it to properly
>> recognize user data from the NIS map and not require the user to be listed
>> in the /etc/passwd file?
>>
>> Simon
>>
>
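
An added example, not from the thread: a Python audit for the state described above, where NIS passwd entries that carry password hashes are appended to /etc/passwd. It lists accounts whose hash sits in the local passwd data, accounts present in both sources and whether their uid/gid agree, and the sources configured for `shadow` in nsswitch.conf. All three inputs are constructed sample data.

```python
"""Audit passwd-format data from local files and NIS: exposed hashes, duplicates, shadow sources."""
import re

# Constructed sample data. LOCAL_PASSWD stands in for /etc/passwd after NIS
# entries were appended to it; NIS_PASSWD stands in for `ypcat passwd` output.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:$6$constructedsalt$constructedhash:1002:1002:Bob:/home/bob:/bin/bash
+::::::
"""
NIS_PASSWD = """\
alice:$6$constructedsalt$otherhash:2001:2001:Alice:/home/alice:/bin/bash
bob:$6$constructedsalt$constructedhash:1002:1002:Bob:/home/bob:/bin/bash
carol:$1$constructed$hash:1003:1003:Carol:/home/carol:/bin/bash
"""
NSSWITCH_CONF = """\
passwd: files nis
shadow: files nis   # the entry discussed in the thread
group:  files nis
"""

DES_HASH = re.compile(r"[./0-9A-Za-z]{13}")


def looks_like_hash(field):
    """True for crypt(3)-style values: $id$salt$hash or a 13-character DES hash."""
    if field.startswith("$") and field.count("$") >= 3:
        return True
    return bool(DES_HASH.fullmatch(field))


def parse_passwd(text):
    """Parse passwd(5) lines into {name: record}; skip comments, compat +/- lines, short lines."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, pw, uid, gid = fields[:4]
        # Keep the first entry for a name, as a lookup in that source would.
        records.setdefault(name, {"pw": pw, "uid": uid, "gid": gid})
    return records


def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf text, dropping [ACTION] items."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        dbs[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return dbs


def audit(local_text, nis_text, nsswitch_text):
    """Summarise hash exposure and overlap between local and NIS passwd data."""
    local, nis = parse_passwd(local_text), parse_passwd(nis_text)
    both = sorted(set(local) & set(nis))
    return {
        # A hash here is readable by every local user if the file is /etc/passwd.
        "hash_in_local": sorted(n for n, r in local.items() if looks_like_hash(r["pw"])),
        "hash_in_nis": sorted(n for n, r in nis.items() if looks_like_hash(r["pw"])),
        "in_both": both,
        "id_mismatch": [n for n in both
                        if (local[n]["uid"], local[n]["gid"]) != (nis[n]["uid"], nis[n]["gid"])],
        "shadow_sources": parse_nsswitch(nsswitch_text).get("shadow", []),
    }


if __name__ == "__main__":
    for key, value in audit(LOCAL_PASSWD, NIS_PASSWD, NSSWITCH_CONF).items():
        print(f"{key}: {value}")
```

On a real host, pass the contents of /etc/passwd, the output of `ypcat passwd` and the contents of /etc/nsswitch.conf in place of the three sample strings.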


Re: [Samba] samba PDC/NIS client

2012-03-09 Thread Gaiseric Vandal
I don't think this is a samba issue.   Samba accounts need to have a 
corresponding unix account.   Shouldn't matter if they are in NIS or 
/etc/passwd.   If you have users in both it could get a problem.


Is "getent passwd" really showing the users from NIS?  How about 
"getent shadow" (assuming a linux machine and not solaris, and probably 
doesn't matter anyway.)   Do you have an /etc/nsswitch.conf entry for


shadow:  files nis


Are you missing the : in the nsswitch.conf entries?

Are your user names all in lower case?  Are they all 8 characters or under.






On 03/08/12 22:46, Simon Matthews wrote:
> I have a server which is a samba PDC and has recently been converted to an
> NIS client. For historic reasons, many users login information is in the
> local machine's /etc/passwd and /etc/shadow files.
>
> samba is set up to use a tdbsam database.
>
> I got the first indication of problems when I tried to add a user using the
> smbpasswd -a command. I found that smbpasswd would not recognize the user
> unless either the username was in the /etc/passwd file, or I changed
> /etc/nsswitch.conf from
> passwd compat
> TO:
> passwd files nis
>
> However, if I make the latter change, the user cannot log into any Windows
> machines that are controlled by my PDC. To allow logins, all I have to do is
> ypcat passwd | grep  >>  /etc/passwd
> After this, the user can log in.
>
> Is there any configuration of samba that will allow it to properly
> recognize user data from the NIS map and not require the user to be listed
> in the /etc/passwd file?
>
> Simon




Re: [Samba] Samba PDC with Windows 7 support request

2012-02-16 Thread Cain, Marc
Have you tried these settings (posted here about a year ago)?


When the following local GPO is left in its default setting Samba domain logons 
are delayed for 30 seconds: "Computer Configuration\Administrative 
Templates\System\User Profiles\Set maximum wait time for the network if the 
user has a roaming user profile or remote home directory."  

Enable this and set the value to 0 to work around this timeout.  The timeout 
does not occur when logging into an Active Directory PDC running Server 2008 
R2.  I have not tested this with w2k8 R2 client.

In addition, if the user's desktop is set to a solid background color logons of 
any kind (local, AD, samba) will be delayed by 30 seconds.  Set the background 
to any .jpg image or apply Microsoft's hotfix to work around this issue.  This 
is a cumulative timeout; that is, if the above timeout is in effect and the 
solid background color timeout is also in effect the delay is 60 seconds.

I also experienced a 30 second timeout when I set the local GPO to "Run logon 
scripts synchronously".  This problem has inexplicably vanished and I can't 
replicate it though I don't see it listed in any Windows 7 updates.  Might have 
been happening to me with Windows 7 PRO.  I'll check that if anyone is 
interested. The fix was to apply an old Vista reg setting.  Can be Googled as 
"Vista Run logon scripts synchronously".

Marc Cain

On Jan 31, 2012, at 11:45 AM, Jiří Procházka wrote:

> Dear Samba support team,
> 
> I have a question on Samba 3.5.8 please, which is not solved by searching
> the forums. I tried all suggested solutions, but nothing takes effect.
> 
> 
> 
> Situation: 
> 
> - small public school
> 
> - We have Ubuntu Server 11.04 64-bit
> 
> - Samba 3.5.8 as PDC
> 
> - Windows XP and Windows 7 Pro SP1 clients
> 
> - On Windows XP everything works. Login is quick and reliable there.
> 
> 
> 
> Problem:
> 
> But our problem is with Windows 7 domain clients, where login and logout
> takes more than 1,5 minute with clear user profile. Yes, we have only 100
> Mbit LAN, but why XP can operate so much faster? We are using Aero with
> background images, but logon locally is very fast. Only using travel
> profiles is very slow.
> 
> 
> 
> I have tried:
> 
> -  Disable IPv6, 
> 
> -  Disabled UAC
> 
> -  set policies time to wait on server, 
> 
> -  I applied all performance recommended settings suggested at
> samba.org for Windows 7 (http://wiki.samba.org/index.php/Windows7)
> 
> 
> 
> 
> 
> 
> 
> Very similar post I have found here:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=8300
> 
> 
> 
> Domain users experience a slow login performance on Windows 7 clients that
> are
> joined into a samba domain (Samba version 3.5.4). The Windows 7 client was
> joined successfully into the domain with the Windows 7 registry settings
> adjusted according to http://wiki.samba.org/index.php/Windows7
> (DomainCompatibilityMode = 0 and DNSNameResolutionRequired = 0).
> 
> 
> 
> 
> 
> We need solve this bug, in other case we can’t use Samba as PDC and we must
> change the platform. Please put this request on free support boards or send
> me an offer for paid support.
> 
> 
> 
> Can help adding this to GLOBAL section?
> 
>   domain master = yes
> 
>   local master = yes
> 
>   preffered master = yes
> 
>   os level = 64
> 
> 
> 
> 
> 
> Thanks a lot,
> 
> I hope I’m not disturbing main Samba developers,
> 
> 
> 
> With best regards,
> 
> Jiri Prochazka
> 
> Teacher from Waldorf high school in Prague
> 
> 
> 
> 
> 
> Czech and English only :-)
> 

Re: [Samba] Samba PDC with Windows 7 support request

2012-02-16 Thread Dermot
2012/1/31 Jiří Procházka :
> Dear Samba support team,
>
> I have a question on Samba 3.5.8 please, which is not solved by searching
> the forums. I tried all suggested solutions, but nothing takes effect.
>
...
>
> Domain users experience a slow login performance on Windows 7 clients that
> are
> joined into a samba domain (Samba version 3.5.4). The Windows 7 client was
> joined successfully into the domain with the Windows 7 registry settings
> adjusted according to http://wiki.samba.org/index.php/Windows7
> (DomainCompatibilityMode = 0 and DNSNameResolutionRequired = 0).
...

I have had similar problems. I was referred to the message in the
mailing list archive [1]. I have applied what was described - used
gpedit.msc - but I am still experiencing slow login times,
exactly 40 seconds on each workstation.

I just checked on one workstation where the user had a jpeg as his
desktop background, I mention this because there are references to a
Windows 7 bug about slow login and a plain desktop, and that has the
correct group policy setting and still the login time was exactly 40
seconds.

I too would be interested in hearing what others have to say on this.
Thanks,
Dermot.

1) http://www.mail-archive.com/samba@lists.samba.org/msg104494.html

Re: [Samba] Samba PDC cluster with RHCS

2011-12-14 Thread Daniel Müller
If you are running samba3 you will need to set up a bdc to take over the business of
your pdc. Or a real time synced pdc copy on the other node that starts up
when the real pdc is going down.
In cases of HA I have also had the best experiences with samba4 in replication mode.

Good Luck
Daniel

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of Md. Shyfur Rahman
Sent: Sunday, 11 December 2011 19:04
To: ob...@samba.org
Cc: samba@lists.samba.org
Subject: [Samba] Samba PDC cluster with RHCS

Dear Sir,

I have implemented Samba PDC. It's working fine. But to make it Highly Available,
I have been trying to make it a 2 node cluster. Everything is running
fine. But I am facing a problem, which I want to share.

When I shift the PDC to another cluster node, everything shifts fine. But
my existing users cannot log in. They can log in again if I rejoin that
machine to the domain. I am explaining a little bit more.

Suppose user X can log in to my ClusterNode 1 PDC from a machine Y. If my
ClusterNode 1 goes down all the resources shift to ClusterNode
2. When user X tries to log in from the same machine Y, X can't. I need to
rejoin machine Y to ClusterNode 2, then user X can log in.

I believe I will get a solution from you. Please.

-- 
Rgds.
*Shyfur*


Re: [Samba] samba PDC disabling roaming profiles

2011-10-13 Thread ESGLinux
Hi all,

I have tested it with several users (with winxp and win7) and it works
fine.

Hope that helps anyone who has this problem,

Greetings,

ESG

2011/10/11 ESGLinux 

> Hi again,
>
> I have found this:
>
>
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html#id2660484
>
> In smb.conf
>
> Affect the following settings and ALL clients will be forced to use a local
> profile: logon home = and logon path =
> 
>
> The arguments to these parameters must be left blank. It is necessary to
> include the = sign to specifically assign the empty value.
>
>
> Anyone can confirm that this is right? can I have problems with existing
> profiles?
>
> Thanks,
>
> ESG
>
> 2011/10/11 ESGLinux 
>
>> Hi All,
>>
>> I recently have updated my samba server to 3.3.7-1. I use this server as
>> PDC of my Windows Domain,
>>
>> The problem is that the profiles of the server are saved in the home dir
>> of the users. The users have a lot of GigaB so I want to disable this
>> feature.
>>
>> I have read (
>> http://www.linuxquestions.org/questions/linux-general-1/samba-pdc-without-roaming-profiles-2-a-47604/,
>> for example) that this feature is disabled in the client side but I have a
>> lot of them. So my question is if is there any way to disable it on the
>> server side,
>>
>> Thanks in advance
>>
>> ESG
>>
>
>


Re: [Samba] samba PDC disabling roaming profiles

2011-10-11 Thread ESGLinux
Hi again,

I have found this:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html#id2660484

In smb.conf

Affect the following settings and ALL clients will be forced to use a local
profile: logon home = and logon path =


The arguments to these parameters must be left blank. It is necessary to
include the = sign to specifically assign the empty value.


Anyone can confirm that this is right? can I have problems with existing
profiles?

Thanks,

ESG

2011/10/11 ESGLinux 

> Hi All,
>
> I recently have updated my samba server to 3.3.7-1. I use this server as
> PDC of my Windows Domain,
>
> The problem is that the profiles of the server are saved in the home dir of
> the users. The users have a lot of GigaB so I want to disable this feature.
>
> I have read (
> http://www.linuxquestions.org/questions/linux-general-1/samba-pdc-without-roaming-profiles-2-a-47604/,
> for example) that this feature is disabled in the client side but I have a
> lot of them. So my question is if is there any way to disable it on the
> server side,
>
> Thanks in advance
>
> ESG
>
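
The HOWTO passage quoted in the two messages above requires both parameters to be present in smb.conf with an empty value and an explicit "=" sign. The following added example (not from the thread or from Samba; function names and the sample file are constructed) reads the [global] section and reports, for each of the two parameters, whether it is absent, set, empty, or written without "=".

```python
# Added example: check whether an smb.conf forces local profiles by
# assigning empty values to "logon path" and "logon home" in [global].
# The sample configuration is constructed, not taken from the thread.

SAMPLE_SMB_CONF = r"""
# constructed sample
[global]
   workgroup = WORKGROUP
   domain logons = yes
   logon path = \\%L\profile\%U
   logon drive = h:
   ; the second assignment below replaces the first one in this parser
   logon path =
   logon home
"""

PROFILE_PARAMS = ("logon path", "logon home")


def parse_global(text):
    """Return (params, no_equals) for the [global] section.

    params maps a normalised parameter name to its value (possibly "").
    no_equals holds names that appeared on a line without an "=" sign.
    Assumption made here: a repeated parameter takes its last value.
    """
    params, no_equals = {}, set()
    section = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global":
            continue
        name, equals, value = line.partition("=")
        name = " ".join(name.lower().split())  # ignore case and extra spaces
        if equals:
            params[name] = value.strip()
        else:
            no_equals.add(name)
    return params, no_equals


def profile_settings(text):
    """Return (states, forced_local).

    states maps each profile parameter to "absent", "set", "empty" or
    "no '=' sign"; forced_local is True only when both are "empty".
    """
    params, no_equals = parse_global(text)
    states = {}
    for name in PROFILE_PARAMS:
        if name in params:
            states[name] = "empty" if params[name] == "" else "set"
        elif name in no_equals:
            states[name] = "no '=' sign"
        else:
            states[name] = "absent"
    forced_local = all(states[name] == "empty" for name in PROFILE_PARAMS)
    return states, forced_local


if __name__ == "__main__":
    states, forced_local = profile_settings(SAMPLE_SMB_CONF)
    for name in PROFILE_PARAMS:
        print("%-10s : %s" % (name, states[name]))
    print("local profiles forced:", forced_local)
```
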


Re: [Samba] Samba PDC 3.4 + wins server

2011-07-29 Thread Daniel Müller
So, your samba PDC is acting as WINS (better way samba4wins=full working
wins server on a samba basis). Why don't you set the wins settings in your
windows 7 clients?
Why do you need "remote announce=..."?

On Wed, 27 Jul 2011 16:42:28 +0200, Jubacca  wrote:
> Linux Ubuntu 10.04 LTS - I used the package of distribution.
> 
> 
> On 27/07/2011 16.18, Gaiseric Vandal wrote:
>>
>>
>> On 07/27/2011 05:52 AM, Jubacca wrote:
>>> Hi , I use Samba 3.4.7 PDC + ldap backend . I can't put the machine 
>>> if I don't specify
>>> the wins server on Pc-client. I try different name resolve order , 
>>> but nothing change ? Can you help me ?
>>> My global is :
>>>
>>> [global]
>>>workgroup = workgroup
>>>netbios name = SERVER
>>>server string = Server Samba
>>>wins support = yes
>>>browse list = Yes
>>>remote announce = 10.0.0.255/workgroup
>>>lm announce = yes
>>>lm interval = 30
>>>dns proxy = yes
>>>hosts allow = 127.0.0.1 10.0.0.1/255.255.255.0
>>>name resolve order = wins lmhosts host bcast
>>> #   name resolve order = bcast host lmhosts wins
>>>interfaces = bond0 , eth1 ,lo
>>>bind interfaces only = no
>>>log file = /var/log/samba/%U.%m.log
>>>log level = 0 passdb:6 auth:10 vfs:5 acls:3 msdfs:3
>>>max log size = 5000
>>>syslog = 0
>>>panic action = /usr/share/samba/panic-action %d
>>>security = user
>>>username map = /etc/samba/usermap
>>>case sensitive = no
>>>encrypt passwords = true
>>>enable privileges = yes
>>>passdb backend = ldapsam:ldap://server:389/
>>>ldap admin dn = cn=admin,dc=domain,dc=com
>>>ldap suffix = dc=domain,dc=com
>>>ldap user suffix = ou=users
>>>ldap group suffix = ou=groups
>>>ldap machine suffix = ou=computers
>>>ldap idmap suffix = ou=idmap
>>>ldap ssl = off
>>>ldap delete dn = no
>>>map to guest = bad user
>>>domain logons = yes
>>>domain master = yes
>>>local master = yes
>>>preferred master = yes
>>>os level = 255
>>>logon path = \\%N\profiles\%U
>>>logon drive = S:
>>>logon home = \\%N\%U
>>>logon script = logon.bat
>>>add user script = /usr/sbin/smbldap-useradd -a -m %u
>>>delete user script = /usr/sbin/smbldap-userdel %u
>>>add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>>>delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>>>set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>>>add machine script  = /usr/sbin/smbldap-useradd -t 0 -w %u
>>>add group script = /usr/sbin/smbldap-groupadd -p %g
>>>delete group script = /usr/sbin/smbldap-groupdel %g
>>>printing = cups
>>>socket options = TCP_NODELAY
>>>idmap uid = 1-2
>>>idmap gid = 1-2
>>>time server = yes
>>>null passwords = no
>>>idmap backend = ldap:ldap://server:389/
>>>obey pam restrictions = yes
>>>ldap passwd sync = yes
>>>unix password sync = no
>>>passwd program = /usr/sbin/smbldap-passwd %u
>>>passwd chat = *Enter\snew\s*\spassword:* %n\n 
>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>pam password change = yes
>>>
>>
>> What OS?
>>
>> Did you compile from source?   I ran into the following weird issue once:
>>   Two servers with samba bundled with the OS.
>>   One server with samba compiled from source.
>>   Windows machines connecting from VPN-  with the firewall 
>> blocking netbios traffic.
>>   The Windows clients could connect by name to the 1st 2 servers, 
>> but only by IP to the 3rd one, even tho DNS name resolution worked.  
>> (I could add an lmhosts entry on the client but this is clunky.)
>>
>>
>> This indicated to me that the server does try to resolve client names 
>> or ip's and that something I did when I compiled samba broke this 
>> functionality.  Snooping traffic DID show the client reaching the 
>> server but some sort of handshaking NOT completing.
>>
>> I would turn up the general log level.  I would also snoop traffic for 
>> a client without WINS to see if it is even locating the samba server.
>>
>>
>>
>>
>>


Re: [Samba] Samba PDC 3.4 + wins server

2011-07-27 Thread Jubacca

Linux Ubuntu 10.04 LTS - I used the package of distribution.


On 27/07/2011 16.18, Gaiseric Vandal wrote:



On 07/27/2011 05:52 AM, Jubacca wrote:
Hi , I use Samba 3.4.7 PDC + ldap backend . I can't put the machine 
if I don't specify
the wins server on Pc-client. I try different name resolve order , 
but nothing change ? Can you help me ?

My global is :

[global]
   workgroup = workgroup
   netbios name = SERVER
   server string = Server Samba
   wins support = yes
   browse list = Yes
   remote announce = 10.0.0.255/workgroup
   lm announce = yes
   lm interval = 30
   dns proxy = yes
   hosts allow = 127.0.0.1 10.0.0.1/255.255.255.0
   name resolve order = wins lmhosts host bcast
#   name resolve order = bcast host lmhosts wins
   interfaces = bond0 , eth1 ,lo
   bind interfaces only = no
   log file = /var/log/samba/%U.%m.log
   log level = 0 passdb:6 auth:10 vfs:5 acls:3 msdfs:3
   max log size = 5000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   username map = /etc/samba/usermap
   case sensitive = no
   encrypt passwords = true
   enable privileges = yes
   passdb backend = ldapsam:ldap://server:389/
   ldap admin dn = cn=admin,dc=domain,dc=com
   ldap suffix = dc=domain,dc=com
   ldap user suffix = ou=users
   ldap group suffix = ou=groups
   ldap machine suffix = ou=computers
   ldap idmap suffix = ou=idmap
   ldap ssl = off
   ldap delete dn = no
   map to guest = bad user
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 255
   logon path = \\%N\profiles\%U
   logon drive = S:
   logon home = \\%N\%U
   logon script = logon.bat
   add user script = /usr/sbin/smbldap-useradd -a -m %u
   delete user script = /usr/sbin/smbldap-userdel %u
   add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
   set primary group script = /usr/sbin/smbldap-usermod -g %g %u
   add machine script  = /usr/sbin/smbldap-useradd -t 0 -w %u
   add group script = /usr/sbin/smbldap-groupadd -p %g
   delete group script = /usr/sbin/smbldap-groupdel %g
   printing = cups
   socket options = TCP_NODELAY
   idmap uid = 1-2
   idmap gid = 1-2
   time server = yes
   null passwords = no
   idmap backend = ldap:ldap://server:389/
   obey pam restrictions = yes
   ldap passwd sync = yes
   unix password sync = no
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

   pam password change = yes



What OS?

Did you compile from source?   I ran into the following weird issue once:
  Two servers with samba bundled with the OS.
  One server with samba compiled from source.
  Windows machines connecting from VPN-  with the firewall 
blocking netbios traffic.
  The Windows clients could connect by name to the 1st 2 servers, 
but only by IP to the 3rd one, even tho DNS name resolution worked.  
(I could add an lmhosts entry on the client but this is clunky.)



This indicated to me that the server does try to resolve client names 
or ip's and that something I did when I compiled samba broke this 
functionality.  Snooping traffic DID show the client reaching the 
server but some sort of handshaking NOT completing.


I would turn up the general log level.  I would also snoop traffic for 
a client without WINS to see if it is even locating the samba server.










Re: [Samba] Samba PDC 3.4 + wins server

2011-07-27 Thread Gaiseric Vandal



On 07/27/2011 05:52 AM, Jubacca wrote:
Hi , I use Samba 3.4.7 PDC + ldap backend . I can't put the machine if 
I don't specify
the wins server on Pc-client. I try different name resolve order , but 
nothing change ? Can you help me ?

My global is :

[global]
   workgroup = workgroup
   netbios name = SERVER
   server string = Server Samba
   wins support = yes
   browse list = Yes
   remote announce = 10.0.0.255/workgroup
   lm announce = yes
   lm interval = 30
   dns proxy = yes
   hosts allow = 127.0.0.1 10.0.0.1/255.255.255.0
   name resolve order = wins lmhosts host bcast
#   name resolve order = bcast host lmhosts wins
   interfaces = bond0 , eth1 ,lo
   bind interfaces only = no
   log file = /var/log/samba/%U.%m.log
   log level = 0 passdb:6 auth:10 vfs:5 acls:3 msdfs:3
   max log size = 5000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   username map = /etc/samba/usermap
   case sensitive = no
   encrypt passwords = true
   enable privileges = yes
   passdb backend = ldapsam:ldap://server:389/
   ldap admin dn = cn=admin,dc=domain,dc=com
   ldap suffix = dc=domain,dc=com
   ldap user suffix = ou=users
   ldap group suffix = ou=groups
   ldap machine suffix = ou=computers
   ldap idmap suffix = ou=idmap
   ldap ssl = off
   ldap delete dn = no
   map to guest = bad user
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 255
   logon path = \\%N\profiles\%U
   logon drive = S:
   logon home = \\%N\%U
   logon script = logon.bat
   add user script = /usr/sbin/smbldap-useradd -a -m %u
   delete user script = /usr/sbin/smbldap-userdel %u
   add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
   set primary group script = /usr/sbin/smbldap-usermod -g %g %u
   add machine script  = /usr/sbin/smbldap-useradd -t 0 -w %u
   add group script = /usr/sbin/smbldap-groupadd -p %g
   delete group script = /usr/sbin/smbldap-groupdel %g
   printing = cups
   socket options = TCP_NODELAY
   idmap uid = 1-2
   idmap gid = 1-2
   time server = yes
   null passwords = no
   idmap backend = ldap:ldap://server:389/
   obey pam restrictions = yes
   ldap passwd sync = yes
   unix password sync = no
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n 
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

   pam password change = yes



What OS?

Did you compile from source?   I ran into the following weird issue once:
  Two servers with samba bundled with the OS.
  One server with samba compiled from source.
  Windows machines connecting from VPN-  with the firewall blocking 
netbios traffic.
  The Windows clients could connect by name to the 1st 2 servers, 
but only by IP to the 3rd one, even tho DNS name resolution worked.  (I 
could add an lmhosts entry on the client but this is clunky.)



This indicated to me that the server does try to resolve client names or 
ip's and that something I did when I compiled samba broke this 
functionality.  Snooping traffic DID show the client reaching the server 
but some sort of handshaking NOT completing.


I would turn up the general log level.  I would also snoop traffic for a 
client without WINS to see if it is even locating the samba server.








Re: [Samba] Samba PDC + OpenLDAP + Windows 7 user name length

2011-04-19 Thread Volker Lendecke
On Tue, Apr 19, 2011 at 08:54:18AM +0200, Joan Antoni Torres wrote:
> Hello,
> 
> We have the following configuration:
> 
> - OpenLDAP 2.4.21
> - Samba 3.5.2
> - Windows 7 x64
> - Roaming Profiles
> 
> We have 2500 users and format of usernames are:
> 
> name.firtsname.secondname (Spanish has first and second name)
> 
> Windows 7 clients are joined to the Samba domain. Everything works
> fine, users can logon in Samba domain, network volumes (F: , G: ...)
> are mapped correctly and the user profile is stored on the server at
> user logoff.
> 
> What is wrong? We have problems when the username is longer than 19
> characters. These users, can't logon, they see next error in the
> screen:

https://bugzilla.samba.org/show_bug.cgi?id=7343

This is known and sounds VERY much like a Win7 bug. You
might contact Microsoft about this. I've tried without
success.

With best regards,

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-17 Thread J. Echter
sorry, forgot to add my smb.conf

[global]
   printing = bsd
   workgroup = workgroup
   map to guest = bad user
   domain logons = yes
   add user script = /usr/sbin/useradd -m '%u' -g ntusers -G ntusers -s /bin/false
   delete user script = /usr/sbin/userdel -r '%u'
   add group script = /usr/sbin/groupadd '%g'
   delete group script = /usr/sbin/groupdel '%g'
   add user to group script = /usr/sbin/usermod -G '%g' '%u'
   add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u' -g machines
   logon path = \\%L\profile\%U
   logon script = %U.bat
   hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes
#   valid users = %S

[profile]
   comment = Profildateien
   path = /home/samba/profile
   guest ok = yes
   browseable = no
   create mask = 0600
   directory mask = 0700
   writeable = yes
   profile acls = yes

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   writeable = no
   share modes = no

failure was the commented # line.

cheers.


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-17 Thread J. Echter
On 16.03.2011 18:00, TAKAHASHI Motonobu wrote:
> From: "J. Echter" 
> Date: Wed, 16 Mar 2011 17:34:35 +0100
>
>>> You should show us enough information for us to re-produce such as
>>> all content of smb.conf and related settings:
>>>
>>> In my lab, profile dir is successfully created. My env is...
> (snip)
>
>> smb.conf
> (snip)
>
>> ls -lR /home/samba/profile
> (snip)
>
> At first you had better try a simple settings like me.
>
> To look at your smb.conf, I tried with the smb.conf below:
>
> -
> [global]
>   workgroup = SAMBA
>   domain logons = yes
>   add machine script = useradd %u
>   map to guest = bad user
>
>   logon path = \\%L\profiles\%U
>   hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/
>
> [homes]
>   writeable = yes
>   browseable = no
>
> [profiles]
>   path = /var/lib/samba/shares/profiles
>   guest ok = yes
>   browseable = no
>   create mask = 0600
>   directory mask = 0700
>   writeable = yes
>   profile acls = yes
> -
>
> and although still my user can create profile dirs and files...
>
> ---
> TAKAHASHI Motonobu 
>
>
>
>
>
Hi,

I have reduced my smb.conf a bit :) now it works.

Is there any option you would recommend to set for a PDC?


Greetings and many many thanks for your hints.

juergen


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread J. Echter
On 16.03.2011 18:02, t...@tms3.com wrote:
> You should show us enough information for us to re-produce such as
>>
>>>
>>> all content of smb.conf and related settings:
>>>
>>> In my lab, profile dir is successfully created. My env is...
>>>
>>> - Debian lenny (hostname is "lenny5") + self-compiled Samba 3.5.6
>>> - my smb.conf and shares
>>>
>>> ---
>>> [global]
>>>workgroup = SAMBA
>>>domain logons = yes
>>>add machine script = useradd %u
>>>map to guest = bad user
>>>
>>>logon path = \\lenny5\profiles\%U
>>>
>>> [homes]
>>>writeable = yes
>>>browseable = no
>>>
>>> [profiles]
>>>path = /var/lib/samba/shares/profiles
>>>guest ok = yes
>>>browseable = no
>>>create mask = 0600
>>>directory mask = 0700
>>>writeable = yes
>>> ---
>>>
>>> # ls -lR /var/lib/samba
>>> /var/lib/samba/:
>>> total 4
>>> drwxr-xr-x 6 root root 4096 2011-03-15 20:48 shares
>>>
>>> /var/lib/samba/shares:
>>> total 16
>>> drwxrwxrwx 6 root root 4096 2011-03-17 01:07 profiles
>>>
>>> - Created a user:
>>>
>>> # useradd -d /var/home/test01 test01
>>> # smbpasswd -a test01
>>> # pdbedit -v test01
>>> ...
>>> Profile Path: \\lenny5\profiles\test01
>>> ...
>>>
>>>
>>> - When I logon as test01 from Windows XP workstation which is already
>>>joined to the "SAMBA" domain and logoff, profiles are created
>>> like:
>>>
>>> # ls -lR /var/lib/samba
>>> total 4
>>> drwxr-xr-x 6 root root 4096 2011-03-15 20:48 shares
>>>
>>> /var/lib/samba/shares:
>>> total 16
>>> drwxrwxrwx 6 root root 4096 2011-03-17 01:07 profiles
>>>
>>> /var/lib/samba/shares/profiles:
>>> total 16
>>> drwx------ 13 test01 test01 4096 2011-03-17 01:08 test01
>>>
>>> /var/lib/samba/shares/profiles/test01:
>>> total 568
>>> drwx------ 3 test01 test01   4096 2010-10-11 01:10 Start Menu
>>> drwx------ 2 test01 test01   4096 2010-10-11 01:10 Desktop
>>> drwx------ 4 test01 test01   4096 2011-03-17 01:08 Application Data
>>> drwx------ 2 test01 test01   4096 2010-10-11 01:18 Cookies
>>> drwx------ 3 test01 test01   4096 2011-03-17 01:08 Favorites
>>> drwx------ 4 test01 test01   4096 2011-03-17 01:08 My Documents
>>> drwx------ 2 test01 test01   4096 2010-10-11 01:10 NetHood
>>> -rw------- 1 test01 test01 524288 2011-03-17 01:08 NTUSER.DAT
>>> -rw------- 1 test01 test01   1024 2011-03-17 01:08 ntuser.dat.LOG
>>> -rw------- 1 test01 test01    270 2011-03-17 01:08 ntuser.ini
>>> ...
>>>
>>> ---
>>> TAKAHASHI Motonobu
>> smb.conf
>>
>> [global]
>>printing = bsd
>>netbios name = PDC
>>server string = PDC (%h)
>>workgroup = workgroup
>>interfaces = eth0,lo
>>security = user
>>encrypt passwords = true
>>passdb backend = tdbsam
>>obey pam restrictions = yes
>>unix password sync = yes
>>passwd program = /usr/bin/passwd %u
>>passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
>> *Retype\snew\sUNIX\spassword:* %n\n .
>>local master = yes
>>preferred master = yes
>>os level = 200
>>domain master = yes
>>domain logons = yes
>>add user script = /usr/sbin/useradd -m '%u' -g ntusers -G ntusers -s /bin/false
>>delete user script = /usr/sbin/userdel -r '%u'
>>add group script = /usr/sbin/groupadd '%g'
>>delete group script = /usr/sbin/groupdel '%g'
>>delete group script = /usr/sbin/groupdel '%g'
>>add user to group script = /usr/sbin/usermod -G '%g' '%u'
>>add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u' -g machines
>>logon path = \\%L\profile\%U
>>logon drive = h:
>>logon script = %U.bat
>>profile acls = yes
>>hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/
>>wins support = no
>>log file = /var/log/samba/log.%m
>>max log size = 1000
>>syslog = 0
>>log level = 12
>>panic action = /usr/share/samba/panic-action %d
>>use sendfile = yes
>
> Where is your profile path?
>
>
on /files/samba --> symlinked to /home/samba


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread tms3

You should show us enough information for us to re-produce such as




all content of smb.conf and related settings:

In my lab, profile dir is successfully created. My env is...

- Debian lenny (hostname is "lenny5") + self-compiled Samba 3.5.6
- my smb.conf and shares

---
[global]
   workgroup = SAMBA
   domain logons = yes
   add machine script = useradd %u
   map to guest = bad user

   logon path = \\lenny5\profiles\%U

[homes]
   writeable = yes
   browseable = no

[profiles]
   path = /var/lib/samba/shares/profiles
   guest ok = yes
   browseable = no
   create mask = 0600
   directory mask = 0700
   writeable = yes
---

# ls -lR /var/lib/samba
/var/lib/samba/:
total 4
drwxr-xr-x 6 root root 4096 2011-03-15 20:48 shares

/var/lib/samba/shares:
total 16
drwxrwxrwx 6 root root 4096 2011-03-17 01:07 profiles

- Created a user:

# useradd -d /var/home/test01 test01
# smbpasswd -a test01
# pdbedit -v test01
...
Profile Path: \\lenny5\profiles\test01
...


- When I logon as test01 from Windows XP workstation which is already
   joined to the "SAMBA" domain and logoff, profiles are created 
like:


# ls -lR /var/lib/samba
total 4
drwxr-xr-x 6 root root 4096 2011-03-15 20:48 shares

/var/lib/samba/shares:
total 16
drwxrwxrwx 6 root root 4096 2011-03-17 01:07 profiles

/var/lib/samba/shares/profiles:
total 16
drwx------ 13 test01 test01 4096 2011-03-17 01:08 test01

/var/lib/samba/shares/profiles/test01:
total 568
drwx------ 3 test01 test01   4096 2010-10-11 01:10 Start Menu
drwx------ 2 test01 test01   4096 2010-10-11 01:10 Desktop
drwx------ 4 test01 test01   4096 2011-03-17 01:08 Application Data
drwx------ 2 test01 test01   4096 2010-10-11 01:18 Cookies
drwx------ 3 test01 test01   4096 2011-03-17 01:08 Favorites
drwx------ 4 test01 test01   4096 2011-03-17 01:08 My Documents
drwx------ 2 test01 test01   4096 2010-10-11 01:10 NetHood
-rw------- 1 test01 test01 524288 2011-03-17 01:08 NTUSER.DAT
-rw------- 1 test01 test01   1024 2011-03-17 01:08 ntuser.dat.LOG
-rw------- 1 test01 test01    270 2011-03-17 01:08 ntuser.ini
...

---
TAKAHASHI Motonobu

smb.conf

[global]
   printing = bsd
   netbios name = PDC
   server string = PDC (%h)
   workgroup = workgroup
   interfaces = eth0,lo
   security = user
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
   local master = yes
   preferred master = yes
   os level = 200
   domain master = yes
   domain logons = yes
   add user script = /usr/sbin/useradd -m '%u' -g ntusers -G ntusers -s /bin/false
   delete user script = /usr/sbin/userdel -r '%u'
   add group script = /usr/sbin/groupadd '%g'
   delete group script = /usr/sbin/groupdel '%g'
   delete group script = /usr/sbin/groupdel '%g'
   add user to group script = /usr/sbin/usermod -G '%g' '%u'
   add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u' -g machines
   logon path = \\%L\profile\%U
   logon drive = h:
   logon script = %U.bat
   profile acls = yes
   hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/
   wins support = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   log level = 12
   panic action = /usr/share/samba/panic-action %d
   use sendfile = yes


Where is your profile path?



Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread TAKAHASHI Motonobu
From: "J. Echter" 
Date: Wed, 16 Mar 2011 17:34:35 +0100

> > You should show us enough information for us to re-produce such as
> > all content of smb.conf and related settings:
> >
> > In my lab, profile dir is successfully created. My env is...

(snip)

> smb.conf

(snip)

> ls -lR /home/samba/profile

(snip)

At first you had better try simple settings like mine.

To look at your smb.conf, I tried with the smb.conf below:

-
[global]
  workgroup = SAMBA
  domain logons = yes
  add machine script = useradd %u
  map to guest = bad user

  logon path = \\%L\profiles\%U
  hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/

[homes]
  writeable = yes
  browseable = no

[profiles]
  path = /var/lib/samba/shares/profiles
  guest ok = yes
  browseable = no
  create mask = 0600
  directory mask = 0700
  writeable = yes
  profile acls = yes
-

and although still my user can create profile dirs and files...

---
TAKAHASHI Motonobu 







Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread J. Echter

On 16.03.2011 17:21, TAKAHASHI Motonobu wrote:


- Created a user:

# useradd -d /var/home/test01 test01
# smbpasswd -a test01
# pdbedit -v test01
...
Profile Path: \\lenny5\profiles\test01
...


- When I logon as test01 from Windows XP workstation which is already
   joined to the "SAMBA" domain and logoff, profiles are created like:

# ls -lR /var/lib/samba
total 4
drwxr-xr-x 6 root root 4096 2011-03-15 20:48 shares

/var/lib/samba/shares:
total 16
drwxrwxrwx 6 root root 4096 2011-03-17 01:07 profiles

/var/lib/samba/shares/profiles:
total 16
drwx------ 13 test01 test01 4096 2011-03-17 01:08 test01

/var/lib/samba/shares/profiles/test01:
total 568
drwx------ 3 test01 test01   4096 2010-10-11 01:10 Start Menu
drwx------ 2 test01 test01   4096 2010-10-11 01:10 Desktop
drwx------ 4 test01 test01   4096 2011-03-17 01:08 Application Data
drwx------ 2 test01 test01   4096 2010-10-11 01:18 Cookies
drwx------ 3 test01 test01   4096 2011-03-17 01:08 Favorites
drwx------ 4 test01 test01   4096 2011-03-17 01:08 My Documents
drwx------ 2 test01 test01   4096 2010-10-11 01:10 NetHood
-rw------- 1 test01 test01 524288 2011-03-17 01:08 NTUSER.DAT
-rw------- 1 test01 test01   1024 2011-03-17 01:08 ntuser.dat.LOG
-rw------- 1 test01 test01    270 2011-03-17 01:08 ntuser.ini
...

---
TAKAHASHI Motonobu

sorry again, something missing... i have to handle ringing telephones...

i added a user like you did

pdbedit -v bla

Profile Path: \\pdc\profile\bla

login as this user and logout again, no profile dir is created.



Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread J. Echter

On 16.03.2011 17:21, TAKAHASHI Motonobu wrote:

From: "J. Echter"
Date: Wed, 16 Mar 2011 11:09:59 +0100


i have a Samba PDC (no LDAP) and added add user script to my config.

I can create the user with no problems, login is possible but the
/home/samba/profile/user dir is not created.

Any hints on that?

You should show us enough information for us to re-produce such as
all content of smb.conf and related settings:

In my lab, profile dir is successfully created. My env is...

- Debian lenny (hostname is "lenny5") + self-compiled Samba 3.5.6
- my smb.conf and shares

---
[global]
   workgroup = SAMBA
   domain logons = yes
   add machine script = useradd %u
   map to guest = bad user

   logon path = \\lenny5\profiles\%U

[homes]
   writeable = yes
   browseable = no

[profiles]
   path = /var/lib/samba/shares/profiles
   guest ok = yes
   browseable = no
   create mask = 0600
   directory mask = 0700
   writeable = yes
---

# ls -lR /var/lib/samba
/var/lib/samba/:
total 4
drwxr-xr-x 6 root root 4096 2011-03-15 20:48 shares

/var/lib/samba/shares:
total 16
drwxrwxrwx 6 root root 4096 2011-03-17 01:07 profiles

- Created a user:

# useradd -d /var/home/test01 test01
# smbpasswd -a test01
# pdbedit -v test01
...
Profile Path: \\lenny5\profiles\test01
...


- When I logon as test01 from Windows XP workstation which is already
   joined to the "SAMBA" domain and logoff, profiles are created like:

# ls -lR /var/lib/samba
total 4
drwxr-xr-x 6 root root 4096 2011-03-15 20:48 shares

/var/lib/samba/shares:
total 16
drwxrwxrwx 6 root root 4096 2011-03-17 01:07 profiles

/var/lib/samba/shares/profiles:
total 16
drwx------ 13 test01 test01 4096 2011-03-17 01:08 test01

/var/lib/samba/shares/profiles/test01:
total 568
drwx------ 3 test01 test01   4096 2010-10-11 01:10 Start Menu
drwx------ 2 test01 test01   4096 2010-10-11 01:10 Desktop
drwx------ 4 test01 test01   4096 2011-03-17 01:08 Application Data
drwx------ 2 test01 test01   4096 2010-10-11 01:18 Cookies
drwx------ 3 test01 test01   4096 2011-03-17 01:08 Favorites
drwx------ 4 test01 test01   4096 2011-03-17 01:08 My Documents
drwx------ 2 test01 test01   4096 2010-10-11 01:10 NetHood
-rw------- 1 test01 test01 524288 2011-03-17 01:08 NTUSER.DAT
-rw------- 1 test01 test01   1024 2011-03-17 01:08 ntuser.dat.LOG
-rw------- 1 test01 test01    270 2011-03-17 01:08 ntuser.ini
...

---
TAKAHASHI Motonobu

smb.conf

[global]
   printing = bsd
   netbios name = PDC
   server string = PDC (%h)
   workgroup = workgroup
   interfaces = eth0,lo
   security = user
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   local master = yes
   preferred master = yes
   os level = 200
   domain master = yes
   domain logons = yes
   add user script = /usr/sbin/useradd -m '%u' -g ntusers -G ntusers -s /bin/false
   delete user script = /usr/sbin/userdel -r '%u'
   add group script = /usr/sbin/groupadd '%g'
   delete group script = /usr/sbin/groupdel '%g'
   delete group script = /usr/sbin/groupdel '%g'
   add user to group script = /usr/sbin/usermod -G '%g' '%u'
   add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u' -g machines

   logon path = \\%L\profile\%U
   logon drive = h:
   logon script = %U.bat
   profile acls = yes
   hide files = /desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/
   wins support = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   log level = 12
   panic action = /usr/share/samba/panic-action %d
   use sendfile = yes

[homes]
   comment = Home Directories
   browseable = no
   valid users = %S
   writeable = yes
   create mode = 0600
   directory mode = 0700

[profile]
   comment = Profildateien
   path = /home/samba/profile
   guest ok = yes
   browseable = no
   create mask = 0600
   directory mask = 0700
   writeable = yes

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   writeable = no
   share modes = no


ls -lR /home/samba/profile
/home/samba/profile:
total 60
drwx------ 16 info  root 4096 Mar 16 16:48 info
drwx------ 15 root  root 4096 Oct 28 11:10 root

all manually added users are logged in fine, and all get their profile 
dir loaded from pdc.



thanks, and greetings.



Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread TAKAHASHI Motonobu
From: "J. Echter" 
Date: Wed, 16 Mar 2011 11:09:59 +0100

> i have a Samba PDC (no LDAP) and added add user script to my config.
> 
> I can create the user with no problems, login is possible but the 
> /home/samba/profile/user dir is not created.
> 
> Any hints on that?

You should show us enough information for us to re-produce such as 
all content of smb.conf and related settings:

In my lab, profile dir is successfully created. My env is...

- Debian lenny (hostname is "lenny5") + self-compiled Samba 3.5.6
- my smb.conf and shares

---
[global]
  workgroup = SAMBA
  domain logons = yes
  add machine script = useradd %u
  map to guest = bad user

  logon path = \\lenny5\profiles\%U

[homes]
  writeable = yes
  browseable = no

[profiles]
  path = /var/lib/samba/shares/profiles
  guest ok = yes
  browseable = no
  create mask = 0600
  directory mask = 0700
  writeable = yes
---

# ls -lR /var/lib/samba
/var/lib/samba/:
total 4
drwxr-xr-x 6 root root 4096 2011-03-15 20:48 shares

/var/lib/samba/shares:
total 16
drwxrwxrwx 6 root root 4096 2011-03-17 01:07 profiles

- Created a user:

# useradd -d /var/home/test01 test01
# smbpasswd -a test01
# pdbedit -v test01
...
Profile Path: \\lenny5\profiles\test01
...


- When I logon as test01 from Windows XP workstation which is already
  joined to the "SAMBA" domain and logoff, profiles are created like:

# ls -lR /var/lib/samba
total 4
drwxr-xr-x 6 root root 4096 2011-03-15 20:48 shares

/var/lib/samba/shares:
total 16
drwxrwxrwx 6 root root 4096 2011-03-17 01:07 profiles

/var/lib/samba/shares/profiles:
total 16
drwx------ 13 test01 test01 4096 2011-03-17 01:08 test01

/var/lib/samba/shares/profiles/test01:
total 568
drwx------ 3 test01 test01   4096 2010-10-11 01:10 Start Menu
drwx------ 2 test01 test01   4096 2010-10-11 01:10 Desktop
drwx------ 4 test01 test01   4096 2011-03-17 01:08 Application Data
drwx------ 2 test01 test01   4096 2010-10-11 01:18 Cookies
drwx------ 3 test01 test01   4096 2011-03-17 01:08 Favorites
drwx------ 4 test01 test01   4096 2011-03-17 01:08 My Documents
drwx------ 2 test01 test01   4096 2010-10-11 01:10 NetHood
-rw------- 1 test01 test01 524288 2011-03-17 01:08 NTUSER.DAT
-rw------- 1 test01 test01   1024 2011-03-17 01:08 ntuser.dat.LOG
-rw------- 1 test01 test01    270 2011-03-17 01:08 ntuser.ini
...

---
TAKAHASHI Motonobu 


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread J. Echter

On 16.03.2011 16:55, Bruce Richardson wrote:

On Wed, Mar 16, 2011 at 12:01:52PM +, Bruce Richardson wrote:

What do you have in your "logon path" setting in smb.conf?

You never answered this question.  You don't need to have anything
there, because it defaults to "\\%N\%U\profile", but if you do have
something there, what is it?


sorry,

logon path = \\%L\profile\%U

Are you sure you have actually activated domain logins?  It is possible
that you have simply set up a stand-alone file server.  For the PDC to
be working properly, you need

security = user
 domain master = yes
 domain logons = yes


this is all set.

if i add my users manually (adduser, make profile dir), it works.

i also set the permissions to the regarding testuser user profile dir.

drwx------  2 tester root 4096 Mar 16 14:41 tester

greetings.


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread Bruce Richardson
On Wed, Mar 16, 2011 at 12:01:52PM +, Bruce Richardson wrote:
> 
> What do you have in your "logon path" setting in smb.conf?

You never answered this question.  You don't need to have anything
there, because it defaults to "\\%N\%U\profile", but if you do have
something there, what is it?

Are you sure you have actually activated domain logins?  It is possible
that you have simply set up a stand-alone file server.  For the PDC to
be working properly, you need 

security = user
domain master = yes
domain logons = yes

-- 
Bruce

A problem shared brings the consolation that someone else is now
feeling as miserable as you.


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread Bruce Richardson
On Wed, Mar 16, 2011 at 04:17:05PM +0100, J. Echter wrote:
> On 16.03.2011 13:01, Bruce Richardson wrote:
> >On Wed, Mar 16, 2011 at 12:16:52PM +0100, J. Echter wrote:
> >>no, i want to have a profile dir created when a new created user
> >>logs in. that's it. :)
> >
> >If you create these directories manually and then a user logs in, does
> >the user's profile information then appear in their profile directory?
> >
> sorry didn't mention this, nothing is copied to the manually added dir.

Does the manually added dir have the correct ownership?  Has it been
chown-ed to the right user and do they have write access?  If the answer
to those questions yes but nothing is being copied up, then your problem
is that the user workstations are not looking in the correct place.
Either your domain controller is not advertising the correct location,
or it isn't advertising *any* location for profiles.

-- 
Bruce

I see a mouse.  Where?  There, on the stair.  And its clumsy wooden
footwear makes it easy to trap and kill.  -- Harry Hill


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread J. Echter

On 16.03.2011 13:01, Bruce Richardson wrote:

On Wed, Mar 16, 2011 at 12:16:52PM +0100, J. Echter wrote:

no, i want to have a profile dir created when a new created user
logs in. that's it. :)


If you create these directories manually and then a user logs in, does
the user's profile information then appear in their profile directory?


sorry didn't mention this, nothing is copied to the manually added dir.



Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread J. Echter

On 16.03.2011 13:01, Bruce Richardson wrote:

On Wed, Mar 16, 2011 at 12:16:52PM +0100, J. Echter wrote:

no, i want to have a profile dir created when a new created user
logs in. that's it. :)

Well, as long as you have the correct acls on the share and permissions
on the directory, the user's workstation should try to create the
user directory on the profiles share when the user first logs in.  As
far as I can see, your share definition and directory permissions are
sufficient.


What do you have in your "logon path" setting in smb.conf?

And can you see anything in the logs?


[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   writeable = no
   share modes = no

imho nothing belongs to the problem. i increased log level = 12 meanwhile


in my setup it doesn't get created.

permission:

drwxrwxrwx  4 root   root 4096 Feb 12 10:51 samba

Um, if that's the /home/samba directory from your
/home/samba/profile/%username profile path, then you've set the
permissions there insecurely; ordinary users don't need to be creating
directories in /home/samba, so you shouldn't need any more than 755 (or
even 751) permissions there.


drwxrwxrwx 16 root   root   4096 Mar 16 11:50 profile

Assuming that is /home/samba/profile, then I would recommend you change
the permissions from 777 to 1777.  It's a minor point and doesn't have
anything to do with your problem.

If you create these directories manually and then a user logs in, does
the user's profile information then appear in their profile directory?


permissions are set :)



Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread Bruce Richardson
On Wed, Mar 16, 2011 at 11:21:42AM +0100, Marco Ciampa wrote:
> 
> IMHO you have to create it with a script.
> In that script you will create the user (with useradd) and then the profile 
> dir...

I think it is probably a bad idea to do this with a script unless you
have some good reason to need it.  The auto-creation of the directory
shows you that profiles are working properly.

-- 
Bruce

I unfortunately do not know how to turn cheese into gold.


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread Bruce Richardson
On Wed, Mar 16, 2011 at 12:16:52PM +0100, J. Echter wrote:
> no, i want to have a profile dir created when a new created user
> logs in. that's it. :)

Well, as long as you have the correct acls on the share and permissions
on the directory, the user's workstation should try to create the
user directory on the profiles share when the user first logs in.  As
far as I can see, your share definition and directory permissions are
sufficient.


What do you have in your "logon path" setting in smb.conf?

And can you see anything in the logs?

> 
> in my setup it doesn't get created.
> 
> permission:
> 
> drwxrwxrwx  4 root   root 4096 Feb 12 10:51 samba

Um, if that's the /home/samba directory from your
/home/samba/profile/%username profile path, then you've set the
permissions there insecurely; ordinary users don't need to be creating
directories in /home/samba, so you shouldn't need any more than 755 (or
even 751) permissions there.

> drwxrwxrwx 16 root   root   4096 Mar 16 11:50 profile

Assuming that is /home/samba/profile, then I would recommend you change
the permissions from 777 to 1777.  It's a minor point and doesn't have
anything to do with your problem.

If you create these directories manually and then a user logs in, does
the user's profile information then appear in their profile directory?

-- 
Bruce

Explode!: thousands of lemmings can't be wrong.
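
The two permission points in the message above (755 or 751 on /home/samba, 1777 rather than 777 on the profile root) can be checked mechanically. This is an added example, not code from the thread; the function names are its own, and the per-user 0700 check is an assumption taken from the share's "directory mask = 0700".

```shell
#!/bin/sh
# Added example: audit the permission layout discussed in the thread.
# Function names are this example's own, not part of Samba.

# mode_of PATH -> 10-character permission string as printed by ls -ld
mode_of() {
    ls -ld -- "$1" | cut -c1-10
}

# audit_profile_root DIR
# Prints one WARN line per finding; returns 0 when clean, 1 otherwise.
audit_profile_root() {
    root=$1
    parent=$(dirname "$root")
    findings=0

    # Parent of the profile root (/home/samba in the thread): ordinary
    # users never create entries here, so "other" needs no write bit.
    case $(mode_of "$parent") in
        ????????w?)
            echo "WARN $parent: world-writable, 755 or 751 is sufficient"
            findings=1 ;;
    esac

    # Profile root: clients create their own directory on first logon, so
    # write access is needed, but without the sticky bit any user can
    # rename or delete another user's directory entry.
    case $(mode_of "$root") in
        ????????w[tT]) ;;
        ????????w?)
            echo "WARN $root: world-writable without sticky bit, use 1777"
            findings=1 ;;
    esac

    # Per-user directories: with "directory mask = 0700" group and other
    # should hold no bits; a symlink here deserves a manual look.
    for entry in "$root"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            echo "WARN $entry: symlink inside profile root"
            findings=1
        elif [ -d "$entry" ]; then
            case $(mode_of "$entry") in
                d???------) ;;
                *)
                    echo "WARN $entry: accessible beyond owner, expected 0700"
                    findings=1 ;;
            esac
        fi
    done
    return "$findings"
}

# Stand-alone use: sh audit.sh /home/samba/profile
if [ "$#" -eq 1 ]; then
    audit_profile_root "$1"
fi
```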


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread J. Echter

thats what i did.

maybe there's something else wrong with my profiles definition in this case?

[profile]
   comment = Profildateien
   path = /home/samba/profile
   guest ok = yes
   browseable = no
   create mask = 0600
   directory mask = 0700
   writeable = yes
   root preexec = /usr/local/bin/mkprofiles.sh %u %g


On 16.03.2011 12:16, Wasil wrote:

You must add  "root preexec" to the Section [profiles]
my section [profiles]:

comment = Network Profiles Service
#path = %H
path = /data2/profiles
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
write list = @DomainUsers @root
root preexec = /usr/local/bin/mkprofile.sh %u %g



Wed, 16 Mar 2011 12:04:40 +0100 message from "J. Echter":


On 16.03.2011 11:33, Wasil wrote:

Hi
You must have something like this:

in smb.conf^
[profiles]
.
root preexec = /usr/local/bin/mkprofile.sh %u %g
   

mkprofile.sh:

#!/bin/sh
PROFILE=/data2/profiles/$1
if [ ! -e $PROFILE ]; then
mkdir -pm700 $PROFILE
chown $1:$2 $PROFILE
fi

Wed, 16 Mar 2011 11:09:59 +0100 message from "J. Echter":

Hi,

i have a Samba PDC (no LDAP) and added add user script to my config.

I can create the user with no problems, login is possible but the
/home/samba/profile/user dir is not created.

Any hints on that?

script commands i added:

add user script = /usr/sbin/useradd -m '%u' -g ntusers -G ntusers -s /bin/false
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u' -g machines


this is running on Ubuntu 10.04-LTS server


greetings

Juergen.

Hi, thanks for the hint.

but the profile dir doesn't get created.

i edited the path in the script and gave it chmod u+x (to be sure :) )

still nothing created.

if i run the script by hand it works.



Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread Wasil
You must add  "root preexec" to the Section [profiles]
my section [profiles]:

comment = Network Profiles Service
#path = %H
path = /data2/profiles
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
write list = @DomainUsers @root
root preexec = /usr/local/bin/mkprofile.sh %u %g
 


Wed, 16 Mar 2011 12:04:40 +0100 message from "J. Echter":

> On 16.03.2011 11:33, Wasil wrote:
> > Hi
> > You must have something like this:
> >
> > in smb.conf^
> > [profiles]
> > .
> > root preexec = /usr/local/bin/mkprofile.sh %u %g
> >   
> >
> > mkprofile.sh:
> >
> > #!/bin/sh
> > PROFILE=/data2/profiles/$1
> > if [ ! -e $PROFILE ]; then
> > mkdir -pm700 $PROFILE
> > chown $1:$2 $PROFILE
> > fi
> >
> > Wed, 16 Mar 2011 11:09:59 +0100 message from "J. Echter":
> >
> >> Hi,
> >>
> >> i have a Samba PDC (no LDAP) and added add user script to my config.
> >>
> >> I can create the user with no problems, login is possible but the
> >> /home/samba/profile/user dir is not created.
> >>
> >> Any hints on that?
> >>
> >> script commands i added:
> >>
> >> add user script = /usr/sbin/useradd -m '%u' -g ntusers -G ntusers -s
> >> /bin/false
> >> delete user script = /usr/sbin/userdel -r '%u'
> >> add group script = /usr/sbin/groupadd '%g'
> >> delete group script = /usr/sbin/groupdel '%g'
> >> add user to group script = /usr/sbin/usermod -G '%g' '%u'
> >> add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody
> >> '%u' -g machines
> >>
> >>
> >> this is running on Ubuntu 10.04-LTS server
> >>
> >>
> >> greetings
> >>
> >> Juergen.
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> Hi, thanks for the hint.
> 
> but the profile dir doesn't get created.
> 
> i edited the path in the script and gave it chmod u+x (to be sure :) )
> 
> still nothing created.
> 
> if i run the script by hand it works.
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: 
> https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread J. Echter

On 16.03.2011 11:50, Bruce Richardson wrote:

On Wed, Mar 16, 2011 at 11:09:59AM +0100, J. Echter wrote:

Hi,

i have a Samba PDC (no LDAP) and added add user script to my config.

I can create the user with no problems, login is possible but the
/home/samba/profile/user dir is not created.

It'll be created automatically when the user first logs in, if you have
the right permissions on the profile share.  It is possible to set the
permissions/acls such that this doesn't allow users to read or interfere
with each other's profiles.

You only need to create it yourself if you want to preload it with some
data.  Is this what you need to do?


ah maybe this is interesting too

[profile]
   comment = Profildateien
   path = /home/samba/profile
   guest ok = yes
   browseable = no
   create mask = 0600
   directory mask = 0700
   writeable = yes


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread J. Echter

On 16.03.2011 11:50, Bruce Richardson wrote:

On Wed, Mar 16, 2011 at 11:09:59AM +0100, J. Echter wrote:

Hi,

i have a Samba PDC (no LDAP) and added add user script to my config.

I can create the user with no problems, login is possible but the
/home/samba/profile/user dir is not created.

It'll be created automatically when the user first logs in, if you have
the right permissions on the profile share.  It is possible to set the
permissions/acls such that this doesn't allow users to read or interfere
with each other's profiles.

You only need to create it yourself if you want to preload it with some
data.  Is this what you need to do?

no, i want to have a profile dir created when a new created user logs 
in. that's it. :)


in my setup it doesn't get created.

permission:

drwxrwxrwx  4 root   root 4096 Feb 12 10:51 samba
drwxrwxrwx 16 root   root   4096 Mar 16 11:50 profile

should be working for automagic creation.

is there an special option on that?


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread Bruce Richardson
On Wed, Mar 16, 2011 at 11:09:59AM +0100, J. Echter wrote:
> Hi,
> 
> i have a Samba PDC (no LDAP) and added add user script to my config.
> 
> I can create the user with no problems, login is possible but the
> /home/samba/profile/user dir is not created.

It'll be created automatically when the user first logs in, if you have
the right permissions on the profile share.  It is possible to set the
permissions/acls such that this doesn't allow users to read or interfere
with each other's profiles.

You only need to create it yourself if you want to preload it with some
data.  Is this what you need to do?

-- 
Bruce

Bitterly it mathinketh me, that I spent mine wholle lyf in the lists
against the ignorant.  -- Roger Bacon, "Doctor Mirabilis"


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread J. Echter

On 16.03.2011 11:33, Wasil wrote:

Hi
You must have something like this:

in smb.conf^
[profiles]
.
root preexec = /usr/local/bin/mkprofile.sh %u %g
  

mkprofile.sh:

#!/bin/sh
PROFILE=/data2/profiles/$1
if [ ! -e $PROFILE ]; then
mkdir -pm700 $PROFILE
chown $1:$2 $PROFILE
fi

Wed, 16 Mar 2011 11:09:59 +0100 message from "J. Echter":


Hi,

i have a Samba PDC (no LDAP) and added add user script to my config.

I can create the user with no problems, login is possible but the
/home/samba/profile/user dir is not created.

Any hints on that?

script commands i added:

add user script = /usr/sbin/useradd -m '%u' -g ntusers -G ntusers -s /bin/false
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody '%u' -g machines


this is running on Ubuntu 10.04-LTS server


greetings

Juergen.

Hi, thanks for the hint.

but the profile dir doesn't get created.

i edited the path in the script and gave it chmod u+x (to be sure :) )

still nothing created.

if i run the script by hand it works.

Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread J. Echter

On 16.03.2011 11:21, Marco Ciampa wrote:

On Wed, Mar 16, 2011 at 11:09:59AM +0100, J. Echter wrote:

Hi,

i have a Samba PDC (no LDAP) and added add user script to my config.

I can create the user with no problems, login is possible but the
/home/samba/profile/user dir is not created.

Any hints on that?

IMHO you have to create it with a script.
In that script you will create the user (with useradd) and then the profile 
dir...


ok, seems i need to figure out how this has to be done...

greetings.


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread Wasil
Hi
You must have something like this:

in smb.conf^
[profiles]
.
root preexec = /usr/local/bin/mkprofile.sh %u %g
 

mkprofile.sh:

#!/bin/sh
PROFILE=/data2/profiles/$1 
if [ ! -e $PROFILE ]; then 
mkdir -pm700 $PROFILE 
chown $1:$2 $PROFILE
fi

Wed, 16 Mar 2011 11:09:59 +0100 message from "J. Echter":

> Hi,
> 
> i have a Samba PDC (no LDAP) and added add user script to my config.
> 
> I can create the user with no problems, login is possible but the 
> /home/samba/profile/user dir is not created.
> 
> Any hints on that?
> 
> script commands i added:
> 
> add user script = /usr/sbin/useradd -m '%u' -g ntusers -G ntusers -s 
> /bin/false
> delete user script = /usr/sbin/userdel -r '%u'
> add group script = /usr/sbin/groupadd '%g'
> delete group script = /usr/sbin/groupdel '%g'
> add user to group script = /usr/sbin/usermod -G '%g' '%u'
> add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody 
> '%u' -g machines
> 
> 
> this is running on Ubuntu 10.04-LTS server
> 
> 
> greetings
> 
> Juergen.
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
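
A hardened take on the mkprofile.sh helper posted above, as an added example (not Wasil's script and not part of Samba): because "root preexec" runs it as root, it validates both arguments, quotes every expansion and refuses symlinks. PROFILE_ROOT, CHOWN and the function names are assumptions of this example; CHOWN is overridable only so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example: defensive variant of the mkprofile.sh idea from the thread.
# PROFILE_ROOT and CHOWN are assumptions of this example, overridable from
# the environment so the logic can be tested without root privileges.
PROFILE_ROOT=${PROFILE_ROOT:-/data2/profiles}
CHOWN=${CHOWN:-chown}

# valid_name NAME
# Accept only conservative account names: no '/', no leading '.' or '-',
# no whitespace or shell metacharacters. The arguments come from the
# session, so they are validated rather than trusted.
valid_name() {
    case $1 in
        ''|-*|.*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# make_profile_dir USER GROUP
# Returns 0 on success or if the directory already exists,
# 2 for a rejected name, 3 for an unsafe existing entry,
# 4 if mkdir fails, 5 if chown fails.
make_profile_dir() {
    user=$1
    group=$2
    valid_name "$user"  || { echo "mkprofile: rejected user name" >&2; return 2; }
    valid_name "$group" || { echo "mkprofile: rejected group name" >&2; return 2; }

    dir=$PROFILE_ROOT/$user

    # A link planted in a writable profile root would otherwise redirect
    # a root-run chown to some other path.
    if [ -L "$dir" ]; then
        echo "mkprofile: $dir is a symlink, refusing" >&2
        return 3
    fi
    if [ -d "$dir" ]; then
        return 0    # already present: leave ownership and mode alone
    fi
    if [ -e "$dir" ]; then
        echo "mkprofile: $dir exists and is not a directory" >&2
        return 3
    fi

    # No -p: the profile root must already exist, and losing a race with
    # another process that creates the entry is treated as an error.
    mkdir -m 700 -- "$dir" || return 4
    # -h: act on the entry itself, never on a symlink target.
    "$CHOWN" -h -- "$user:$group" "$dir" || return 5
}

# Invoked by Samba as: root preexec = /usr/local/bin/mkprofile.sh %u %g
if [ "$#" -gt 0 ]; then
    make_profile_dir "$1" "${2-}"
    exit $?
fi
```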


Re: [Samba] Samba PDC adding new user, profile dir is not created

2011-03-16 Thread Marco Ciampa
On Wed, Mar 16, 2011 at 11:09:59AM +0100, J. Echter wrote:
> Hi,
> 
> i have a Samba PDC (no LDAP) and added add user script to my config.
> 
> I can create the user with no problems, login is possible but the
> /home/samba/profile/user dir is not created.
> 
> Any hints on that?

IMHO you have to create it with a script.
In that script you will create the user (with useradd) and then the profile 
dir...

-- 


Marco Ciampa

++
| Linux User  #78271 |
| FSFE fellow   #364 |
++


Re: [Samba] Samba PDC & Exchange 2000 Server

2011-02-06 Thread Andrew Bartlett
On Sat, 2011-02-05 at 07:18 -0500, Gaiseric Vandal wrote:
> exchange 2000 requires Active Directory.  I would guess MAYBE you could use
> Samba 4.  But I don't know if Samba 4 supports all the account attributes
> that Exchange would require.  I would guess not. 

Yes, Samba4 intends to support Exchange.  Any issues with the exchange
install failing are bugs we want to fix.  Certainly we have reports of
exchange-supporting AD environments being imported into Samba4, but I
don't know if folks have used Exchange itself directly against Samba4. 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Cisco Inc.



Re: [Samba] Samba PDC & Exchange 2000 Server

2011-02-05 Thread Gaiseric Vandal
Exchange 2000 requires Active Directory.  I would guess MAYBE you could use
Samba 4.  But I don't know if Samba 4 supports all the account attributes
that Exchange would require.  I would guess not. 

postfix/amavis/spamassassin/mail relaying would be topics for  forums.

Windows 2000 is no longer supported by Microsoft.





-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Dave Wynne
Sent: Saturday, February 05, 2011 6:12 AM
To: 'samba@lists.samba.org'
Subject: [Samba] Samba PDC & Exchange 2000 Server

I presently have a 2 server system a Samba PDC and a mail server running
Bynari Insight Server and we use Bynari connector to connect our Outlook
2000 clients to the Insight Server. It works well enough. BUT Bynari are
stopping support for Outlook 2000.
For us to upgrade all our copies of Outlook is expensive and we have all
the functionality we need.
So, we have MS Server 2000 and Exchange 2000 which we used to use, but had
all sorts of hacking issues etc when we used it for our Domain and Mail. I've
been thinking that we could continue with our Samba PDC and use something
like postfix, with amavis and spamassassin to act as a SMTP relay agent to an
Exchange 2000 stand alone server which is fully isolated behind our firewall
on a protected subnet and use port forwarding to enable Webmail and OpenVPN
server to access the mail from outside.
Does anyone know how to connect Exchange to Samba & Openldap and also what
would I have to do to set up postfix, amavis and spamassassin to act as a
relay?

Any thoughts? I'm sure someone has wanted to do this before. I'm loath to
move away from a linux mail server but costs make it attractive.



Best regards,

Dave Wynne
Senior Engineer
Artimech Pty. Ltd.
MiniFab
1 Dalmore Drive
Scoresby, Vic 3179 Australia
Tel: (03) 9753 3700

Email:d...@artimech.com.au  
Please Visit Our Website  www.artimech.com.au Information Contained Within
This Communication Is Private and In Confidence



Re: [Samba] Samba PDC

2011-01-16 Thread TAKAHASHI Motonobu
2011/1/14 Daniel Müller :
> For some reasons and tried it many times. I did not have any problems
> joining windows 7 with samba 3.2.15 and up with:

Once I examined,  joining Windows 7 with Samba 3.2 series failed. So I believe
Windows 7 cannot join to Samba 3.2 series domain.

Looking at your post, I examined again. And as you said, Samba 3.2.15
looks good with Windows 7.

As I examined yesterday,
Windows 7 cannot join to Samba 3.2.11, can join to Samba 3.2.12 and
Samba 3.2.15.

In the registry, modified these 2 entries only:
"DomainCompatibilityMode"=dword:0001
"DNSNameResolutionRequired"=dword:

smb.conf is:

-
[global]
  workgroup = SAMBADOM
  domain logons = yes
  add machine script = useradd %u

[homes]
 writeable = yes
 browseable = no
-

---
TAKAHASHI Motonobu 


Re: [Samba] Samba PDC

2011-01-14 Thread Robert Fitzpatrick
On 1/13/2011 12:04 PM, TAKAHASHI Motonobu wrote:
> You must not set these 2 entries below:
> 
> -
> DWORD  RequireSignOrSeal = 0
> DWORD  RequireStrongKey = 0
> -

Thanks, I completely overlooked this and that was the trick. All issues
resolved now and have joined my Win7, Win2003 server and Ubuntu Linux
boxes all to my new Samba PDC :)

This Samba PDC seems more robust than any NT4 network I remember,
browsing is flawless, works great, nice work to the team and contributors ;)

--
Robert


Re: [Samba] Samba PDC

2011-01-14 Thread Martin Hochreiter

On 2011-01-14 07:55, Daniel Müller wrote:

For some reasons and tried it many times. I did not have any problems
joining windows 7 with samba 3.2.15 and up with:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:0001
"DNSNameResolutionRequired"=dword:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\]
“LmCompatibilityLevel”=dword:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"Update"="no"
"DisablePasswordChange"=dword:
"MaximumPasswordAge"=dword:001e
"RequireSignOrSeal"=dword:0001
"RequireStrongKey"=dword:0001
"SealSecureChannel"=dword:0001
"SignSecureChannel"=dword:0001



Hi Daniel!

Can you tell me what "update=no" does?

regards
Martin


Re: [Samba] Samba PDC

2011-01-13 Thread Daniel Müller
For some reasons and tried it many times. I did not have any problems
joining windows 7 with samba 3.2.15 and up with:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:0001 
"DNSNameResolutionRequired"=dword: 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\] 
“LmCompatibilityLevel”=dword: 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters] 
"Update"="no" 
"DisablePasswordChange"=dword: 
"MaximumPasswordAge"=dword:001e 
"RequireSignOrSeal"=dword:0001 
"RequireStrongKey"=dword:0001 
"SealSecureChannel"=dword:0001 
"SignSecureChannel"=dword:0001




---
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of t...@tms3.com
Sent: Thursday, 13 January 2011 18:37
To: TAKAHASHI Motonobu
Cc: Samba; Robert Fitzpatrick
Subject: Re: [Samba] Samba PDC

2011/1/14 TAKAHASHI Motonobu :
>
>>
>> 2011/1/13 Robert Fitzpatrick :
>>>
>>>>
>>>> If your Samba's version is 3.3.2 - 3.3.4, then the additional settings
>>>> below are needed:
>>>>
>>>>HKLM\System\CCS\Services\Netlogon\Parameters
>>>>DWORD  RequireSignOrSeal = 0
>>>>DWORD  RequireStrongKey = 0
>>>>
>>>
>>> I am using Samba 3.5.6 and the registry entries above are as you show
>>> currently.
>>
>> As I mentioned,
>>
>> -
>> If your Samba's version is 3.3.5 - and the registries above are set,
>> remove them and try again.
>> -
>>
>> You must set these 2 entries below:
>>
>> -
>>HKLM\System\CCS\Services\LanmanWorkstation\Parameters
>>DWORD  DomainCompatibilityMode = 1
>>DWORD  DNSNameResolutionRequired = 0
>> -
>>
>> You must not set these 2 entries below:
>>
>> -
>>DWORD  RequireSignOrSeal = 0
>>DWORD  RequireStrongKey = 0
>> -
>>
>> In my knowledge, your error messages:
>>
>> [2011/01/13 09:24:48.031223,  0]
>> rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>>  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
>> Rejecting auth request from client COLUMBUS-LAPTOP machine account
>> COLUMBUS-LAPTOP$
>>
>> occurs if you do not correctly set these 4 entries.
>> If you still have problem, I recommend to examine with simple settings
>> (not to use LDAP) like:
>>
>> -
>> [global]
>>   workgroup = WEBTENT
>>  domain logons = yes
>>  add machine script = useradd %u
>>
>> [homes]
>>  writeable = yes
>>  browseable = no
>> -
>>
>> If your Windows 7 can join to Samba domain with the settings above, at
>> least you could know that
>> Windows 7 registries are correctly set.
>
> Sorry, under FreeBSD, use
>
> -
>add machine script = /usr/sbin/pw useradd %u

For smbldap-tools
add machine script = /usr/local/sbin/smbldap-useradd -W '%u'
>
>
> -
>
> instead of
>
> -
>add machine script = useradd %u
> -
>
> ---
> TAKAHASHI Motonobu 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba



Re: [Samba] Samba PDC

2011-01-13 Thread tms3

2011/1/14 TAKAHASHI Motonobu :




2011/1/13 Robert Fitzpatrick :




If your Samba's version is 3.3.2 - 3.3.4, then the additional settings
below are needed:

   HKLM\System\CCS\Services\Netlogon\Parameters
   DWORD  RequireSignOrSeal = 0
   DWORD  RequireStrongKey = 0



I am using Samba 3.5.6 and the registry entries above are as you show
currently.


As I mentioned,

-
If your Samba's version is 3.3.5 - and the registries above are set,
remove them and try again.
-

You must set these 2 entries below:

-
   HKLM\System\CCS\Services\LanmanWorkstation\Parameters
   DWORD  DomainCompatibilityMode = 1
   DWORD  DNSNameResolutionRequired = 0
-

You must not set these 2 entries below:

-
   DWORD  RequireSignOrSeal = 0
   DWORD  RequireStrongKey = 0
-

In my knowledge, your error messages:

[2011/01/13 09:24:48.031223,  0]
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
 _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client COLUMBUS-LAPTOP machine account
COLUMBUS-LAPTOP$

occurs if you do not correctly set these 4 entries.
If you still have problem, I recommend to examine with simple settings
(not to use LDAP) like:

-
[global]
  workgroup = WEBTENT
 domain logons = yes
 add machine script = useradd %u

[homes]
 writeable = yes
 browseable = no
-

If your Windows 7 can join to Samba domain with the settings above, at
least you could know that
Windows 7 registries are correctly set.


Sorry, under FreeBSD, use

-
   add machine script = /usr/sbin/pw useradd %u


For smbldap-tools
add machine script = /usr/local/sbin/smbldap-useradd -W '%u'



-

instead of

-
   add machine script = useradd %u
-

---
TAKAHASHI Motonobu 


Re: [Samba] Samba PDC

2011-01-13 Thread TAKAHASHI Motonobu
2011/1/14 TAKAHASHI Motonobu :
> 2011/1/13 Robert Fitzpatrick :
>>> If your Samba's version is 3.3.2 - 3.3.4, then the additional settings
>>> below are needed:
>>>
>>>        HKLM\System\CCS\Services\Netlogon\Parameters
>>>            DWORD  RequireSignOrSeal = 0
>>>            DWORD  RequireStrongKey = 0
>>>
>>
>> I am using Samba 3.5.6 and the registry entries above are as you show
>> currently.
>
> As I mentioned,
>
> -
> If your Samba's version is 3.3.5 - and the registries above are set,
> remove them and try again.
> -
>
> You must set these 2 entries below:
>
> -
>        HKLM\System\CCS\Services\LanmanWorkstation\Parameters
>            DWORD  DomainCompatibilityMode = 1
>            DWORD  DNSNameResolutionRequired = 0
> -
>
> You must not set these 2 entries below:
>
> -
>            DWORD  RequireSignOrSeal = 0
>            DWORD  RequireStrongKey = 0
> -
>
> In my knowledge, your error messages:
>
> [2011/01/13 09:24:48.031223,  0]
> rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client COLUMBUS-LAPTOP machine account
> COLUMBUS-LAPTOP$
>
> occurs if you do not correctly set these 4 entries.
> If you still have problem, I recommend to examine with simple settings
> (not to use LDAP) like:
>
> -
> [global]
>   workgroup = WEBTENT
>  domain logons = yes
>  add machine script = useradd %u
>
> [homes]
>  writeable = yes
>  browseable = no
> -
>
> If your Windows 7 can join to Samba domain with the settings above, at
> least you could know that
> Windows 7 registries are correctly set.

Sorry, under FreeBSD, use

-
  add machine script = /usr/sbin/pw useradd %u
-

instead of

-
  add machine script = useradd %u
-

---
TAKAHASHI Motonobu 


Re: [Samba] Samba PDC

2011-01-13 Thread TAKAHASHI Motonobu
2011/1/13 Robert Fitzpatrick :
>> If your Samba's version is 3.3.2 - 3.3.4, then the additional settings
>> below are needed:
>>
>>        HKLM\System\CCS\Services\Netlogon\Parameters
>>            DWORD  RequireSignOrSeal = 0
>>            DWORD  RequireStrongKey = 0
>>
>
> I am using Samba 3.5.6 and the registry entries above are as you show
> currently.

As I mentioned,

-
If your Samba's version is 3.3.5 - and the registries above are set,
remove them and try again.
-

You must set these 2 entries below:

-
HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD  DomainCompatibilityMode = 1
DWORD  DNSNameResolutionRequired = 0
-

You must not set these 2 entries below:

-
DWORD  RequireSignOrSeal = 0
DWORD  RequireStrongKey = 0
-

In my knowledge, your error messages:

[2011/01/13 09:24:48.031223,  0]
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
 _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client COLUMBUS-LAPTOP machine account
COLUMBUS-LAPTOP$

occurs if you do not correctly set these 4 entries.
If you still have problem, I recommend to examine with simple settings
(not to use LDAP) like:

-
[global]
   workgroup = WEBTENT
  domain logons = yes
  add machine script = useradd %u

[homes]
  writeable = yes
  browseable = no
-

If your Windows 7 can join to Samba domain with the settings above, at
least you could know that
Windows 7 registries are correctly set.
---
TAKAHASHI Motonobu 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
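
Added example, not part of the thread: a triage helper that counts the `netlogon_creds_server_check failed` rejections discussed above per machine account in an smbd log, joining wrapped continuation lines first. The first three sample entries are the ones quoted in the thread; the `EXAMPLE-PC$` entry and all function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarise Netlogon secure-channel
# rejections per machine account from an smbd log file.

# Print "count<TAB>account<TAB>first seen<TAB>last seen", busiest account first.
netlogon_rejections() {
    LC_ALL=C awk '
        # Evaluate the log entry collected so far, then reset the buffer.
        function emit_record(   acct) {
            if (rec ~ /netlogon_creds_server_check failed/ &&
                match(rec, /machine account [^ ]+/)) {
                # Skip the 16 characters of "machine account ".
                acct = substr(rec, RSTART + 16, RLENGTH - 16)
                count[acct]++
                if (!(acct in first)) first[acct] = stamp
                last[acct] = stamp
            }
            rec = ""
        }
        # A header such as "[2011/01/13 09:24:48.031223,  0] file:line(func)"
        # starts a new entry; everything up to the next header belongs to it.
        /^\[[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / {
            emit_record()
            stamp = substr($0, 2, 19)
            next
        }
        # Message lines may be wrapped, so join them with single spaces.
        { sub(/^[ \t]+/, ""); rec = (rec == "" ? $0 : rec " " $0) }
        END {
            emit_record()
            for (a in count)
                print count[a] "\t" a "\t" first[a] "\t" last[a]
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# Print only the accounts rejected at least $2 times (default 2).
netlogon_rejection_alerts() {
    netlogon_rejections "$1" |
        awk -F '\t' -v min="${2:-2}" '$1 + 0 >= min + 0 { print $2 }'
}

# Constructed sample: three entries as quoted in the thread, one made up.
write_sample_log() {
    cat > "$1" <<'EOF'
[2011/01/13 09:24:38.228048,  0] lib/util_sock.c:1626(get_peer_name)
  Matchname failed on COLUMBUS-LAPTOP.WEBTENT 192.168.1.72
[2011/01/13 09:24:48.031223,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client COLUMBUS-LAPTOP machine account COLUMBUS-LAPTOP$
[2011/01/13 09:24:48.048892,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth
  request from client COLUMBUS-LAPTOP machine account COLUMBUS-LAPTOP$
[2011/01/13 09:31:02.000000,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client EXAMPLE-PC machine account EXAMPLE-PC$
EOF
}

# Stand-alone use: pass the path of an smbd log as the first argument.
if [ "$#" -gt 0 ]; then
    netlogon_rejections "$1"
fi
```

A machine account that keeps appearing here after a rejoin points at the client-side Netlogon registry values the thread discusses rather than at a missing account.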


Re: [Samba] Samba PDC

2011-01-13 Thread Robert Fitzpatrick

On 1/13/2011 6:42 AM, TAKAHASHI Motonobu wrote:

Read at:
http://wiki.samba.org/index.php/Windows7

And remember Samba 3 PDC is compatible with Windows NT Server, not with
Active Directory.


Thanks, I was able to join the domain, but when trying to logon, I get
another error...


the trust relationship between this workstation and the primary domain
failed


What can cause this? I have the computer name in LDAP, it was created when I
joined the domain.


Actually the error message shows that joining the domain is failed,
though joining itself
was succeeded.

If your Samba's version is under 3.3.1, then you cannot avoid this
error message,
upgrading Samba is needed.

If your Samba's version is 3.3.2 - 3.3.4, then the additional settings
below are needed:

HKLM\System\CCS\Services\Netlogon\Parameters
DWORD  RequireSignOrSeal = 0
DWORD  RequireStrongKey = 0



I am using Samba 3.5.6 and the registry entries above are as you show 
currently. I removed the computer and smbldap-userdel the computer name 
from LDAP, restarted the workstation and tried again. This is what I see 
in the workstation log...



[2011/01/13 09:24:48.031223,  0] 
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth 
request from client COLUMBUS-LAPTOP machine account COLUMBUS-LAPTOP$
[2011/01/13 09:24:48.048892,  0] 
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth 
request from client COLUMBUS-LAPTOP machine account COLUMBUS-LAPTOP$
[2011/01/13 09:24:58.405131,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/01/13 09:24:58.405404,  0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Socket is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Socket is not connected.


I also get the following in the IP address log, but this may be shortly 
before re-joining...



[2011/01/13 09:24:38.228048,  0] lib/util_sock.c:1626(get_peer_name)
  Matchname failed on COLUMBUS-LAPTOP.WEBTENT 192.168.1.72


Can you help me understand these errors or what else I should check?

Thanks again, Robert



Re: [Samba] Samba PDC

2011-01-13 Thread TAKAHASHI Motonobu
>> Read at:
>> http://wiki.samba.org/index.php/Windows7
>>
>> And remember Samba 3 PDC is compatible with Windows NT Server, not with
>> Active Directory.
>
> Thanks, I was able to join the domain, but when trying to logon, I get
> another error...
>
>> the trust relationship between this workstation and the primary domain
>> failed
>
> What can cause this? I have the computer name in LDAP, it was created when I
> joined the domain.

Actually the error message shows that joining the domain is failed,
though joining itself
was succeeded.

If your Samba's version is under 3.3.1, then you cannot avoid this
error message,
upgrading Samba is needed.

If your Samba's version is 3.3.2 - 3.3.4, then the additional settings
below are needed:

   HKLM\System\CCS\Services\Netlogon\Parameters
   DWORD  RequireSignOrSeal = 0
   DWORD  RequireStrongKey = 0

If your Samba's version is 3.3.5 - and the registries above are set,
remove them and try again.

---
TAKAHASHI Motonobu 


Re: [Samba] Samba PDC

2011-01-12 Thread tms3







On 1/12/2011 11:18 AM, TAKAHASHI Motonobu wrote:


2011/1/13 Robert Fitzpatrick:


OK, I am trying to setup my first Samba PDC on a FreeBSD 8.1 host. 
When I
try to become a member of 'webtent.org' on my Windows 7 Ultimate to 
the PDC,

I get the following error...



DNS was successfully queried for the service location (SRV) resource
record used to locate a domain controller for domain "webtent.org":

(snip)


Anyone know what I am or could be doing wrong? Thanks for any help!


Read at:
http://wiki.samba.org/index.php/Windows7

And remember Samba 3 PDC is compatible with Windows NT Server, not 
with

Active Directory.



Thanks, I was able to join the domain, but when trying to logon, I get
another error...



the trust relationship between this workstation and the primary domain 
failed


What can cause this? I have the computer name in LDAP, it was created
when I joined the domain.


I found that a properly configured WINS server solved many of these 
problems for me with Samba3.x/LDAP and Win7.




--Robert



Re: [Samba] Samba PDC

2011-01-12 Thread Robert Fitzpatrick

On 1/12/2011 11:18 AM, TAKAHASHI Motonobu wrote:

2011/1/13 Robert Fitzpatrick:

OK, I am trying to setup my first Samba PDC on a FreeBSD 8.1 host. When I
try to become a member of 'webtent.org' on my Windows 7 Ultimate to the PDC,
I get the following error...


DNS was successfully queried for the service location (SRV) resource
record used to locate a domain controller for domain "webtent.org":

(snip)

Anyone know what I am or could be doing wrong? Thanks for any help!


Read at:
http://wiki.samba.org/index.php/Windows7

And remember Samba 3 PDC is compatible with Windows NT Server, not with
Active Directory.



Thanks, I was able to join the domain, but when trying to logon, I get 
another error...



the trust relationship between this workstation and the primary domain failed


What can cause this? I have the computer name in LDAP, it was created 
when I joined the domain.


--Robert



Re: [Samba] Samba PDC

2011-01-12 Thread TAKAHASHI Motonobu
2011/1/13 Robert Fitzpatrick :
> OK, I am trying to setup my first Samba PDC on a FreeBSD 8.1 host. When I
> try to become a member of 'webtent.org' on my Windows 7 Ultimate to the PDC,
> I get the following error...
>
>> DNS was successfully queried for the service location (SRV) resource
>> record used to locate a domain controller for domain "webtent.org":
(snip)
>Anyone know what I am or could be doing wrong? Thanks for any help!

Read at:
http://wiki.samba.org/index.php/Windows7

And remember Samba 3 PDC is compatible with Windows NT Server, not with
Active Directory.

---
TAKAHASHI Motonobu 


Re: [Samba] Samba PDC and big files

2010-06-30 Thread Linda W

Pedro Rafael Alves Simoes wrote:

I'm trying to setup a PDC with Samba, but I have the known problem of the
roaming profiles: big files.
Could someone give me some lights in how I can circumvent this problem?


Would quotas help?


Limit their space in their profiles and they'll manage the
problem ?  



Folder redirection, as someone else mentioned -- put
their desktop in drive "H:\share".  


Might be able to CSC (ClientSideCaching) to speed up
access to their desktop and such...




Re: [Samba] Samba PDC and big files

2010-06-24 Thread Natxo Asenjo
On Thu, Jun 24, 2010 at 2:04 PM, Pedro Rafael Alves Simoes
 wrote:
> Hello,
>
> I'm trying to setup a PDC with Samba, but I have the known problem of the
> roaming profiles: big files. I think it's difficult to guarantee that an
> inexperienced user will copy his downloaded files, documents, or whatever,
> to a H:\ share instead of his handy desktop. Other problem is the files of
> Outlook or Thunderbird that can get big. The goal is to avoid email
> configuration each time the user changes to another workstation, so I can't
> configure the email client to store the files locally on the workstation.

1. Do not store mail locally, you will lose mail if you do. Use a
central imap server for instance, it's also much easier for backups;

2. I set the user's desktop to readonly with cacls in the logon
scripts, problem solved (get yourself management's approval before you
try this, explain why it is necessary). If they do not want to listen
to you then ...

3. use folder redirection. This is harder to do in a pure samba 3
environment than in AD, but it is certainly doable. Soon, with samba 4
we will have all the group policy goodies :-)

-- 
natxo


Re: [Samba] Samba PDC and big files

2010-06-24 Thread Carl Werner

Roaming profiles with folder redirection...

Regards

Carl



t...@tms3.com wrote:







--- Original message ---
Subject: [Samba] Samba PDC and big files
From: Pedro Rafael Alves Simoes 
To: 
Date: Thursday, 24/06/2010  5:03 AM

Hello,

I'm trying to setup a PDC with Samba, but I have the known problem of the
roaming profiles: big files. I think it's difficult to guarantee that an
inexperienced user will copy his downloaded files, documents, or whatever,
to a H:\ share instead of his handy desktop. Other problem is the files of
Outlook or Thunderbird that can get big. The goal is to avoid email
configuration each time the user changes to another workstation, so I can't
configure the email client to store the files locally on the workstation.


Could someone give me some lights in how I can circumvent this problem?


BOFH's Guide to Electrified Keyboards:  101 Tips and tricks to train 
your users.


Cheers,

TMS III

P.S. for email imap is a good idea.




Thanks.


Re: [Samba] Samba PDC and big files

2010-06-24 Thread John H Terpstra
On 06/24/2010 07:04 AM, Pedro Rafael Alves Simoes wrote:
> Hello,
> 
> I'm trying to setup a PDC with Samba, but I have the known problem of the
> roaming profiles: big files. I think it's difficult to guarantee that an
> inexperienced user will copy his downloaded files, documents, or whatever,
> to a H:\ share instead of his handy desktop. Other problem is the files of
> Outlook or Thunderbird that can get big. The goal is to avoid email
> configuration each time the user changes to another workstation, so I can't
> configure the email client to store the files locally on the workstation.
> 
> Could someone give me some lights in how I can circumvent this problem?
> 
> Thanks.

You need folder redirection.  Read chapter 5 of my book
"Samba3-ByExample" http://www.samba.org/samba/docs/Samba3-ByExample.pdf

- John T.


Re: [Samba] Samba PDC and big files

2010-06-24 Thread tms3







--- Original message ---
Subject: [Samba] Samba PDC and big files
From: Pedro Rafael Alves Simoes 
To: 
Date: Thursday, 24/06/2010  5:03 AM

Hello,

I'm trying to setup a PDC with Samba, but I have the known problem of the
roaming profiles: big files. I think it's difficult to guarantee that an
inexperienced user will copy his downloaded files, documents, or whatever,
to a H:\ share instead of his handy desktop. Other problem is the files of
Outlook or Thunderbird that can get big. The goal is to avoid email
configuration each time the user changes to another workstation, so I can't
configure the email client to store the files locally on the workstation.


Could someone give me some lights in how I can circumvent this 
problem?


BOFH's Guide to Electrified Keyboards:  101 Tips and tricks to train 
your users.


Cheers,

TMS III

P.S. for email imap is a good idea.




Thanks.


Re: [Samba] SAMBA PDC LOGIN - UPN (u...@realm) to DOM\USER

2010-06-15 Thread tms3







--- Original message ---
Subject: [Samba] SAMBA PDC LOGIN - UPN (u...@realm) to DOM\USER
From: Andrew Grimmett 
To: 
Date: Tuesday, 15/06/2010  7:01 AM


I have looked and looked but have not been able to find out how to 
allow

UPN authentication to be processed by a Samba PDC?  Is it possible to
strip the "@domain" from the user before authentication at samba or 
map

the UPN user to a dom\username for authentication?


Are you certain Xen's NTLM Auth is not adding this?




Thanks,
Andrew

LOGS

/var/log/samba/log.user:  SAM Logon (Interactive). Domain:[domain].
User:[u...@domain@XENDESKTOP1] Requested Domain:[domain]
/var/log/samba/log.user:  check_ntlm_password:  Checking password for
unmapped user [domain]\[u...@domain]@[XENDESKTOP1] with the new 
password

interface
/var/log/samba/log.user:  check_ntlm_password:  mapped user is:
[domain]\[u...@domain]@[XENDESKTOP1]
/var/log/samba/log.user:  check_sam_security: Couldn't find user
'u...@domain' in passdb.
/var/log/samba/log.user:  check_ntlm_password:  Authentication for 
user
[u...@domain] -> [u...@domain] FAILED with error 
NT_STATUS_NO_SUCH_USER




Re: [Samba] Samba PDC and OpenLdap Debian Lenny, Change IP, Clean cache?

2010-05-12 Thread Jose
Thanks Olafrv, the log is solved.



2010/5/11  :
> Try rm -rf /var/lib/samba/* ? But make a backup tar.gz before...
>
>
>   "You don't know where your shadow will fall",
>        Somebody.-
> 
>  Olaf Reitmaier Veracierta (BB) 
> 
>            http://olafrv.googlepages.com
> 
>
> -Original Message-
> From: Jose 
> Date: Tue, 11 May 2010 10:48:11
> To: Foro Samba
> Subject: [Samba] Samba PDC and OpenLdap Debian Lenny, Change IP, Clean cache?
>
> Hello
>
> Sorry for my english
>
> I have a PDC with Samba and OpenLdap in Debian 5 lenny.
>
> I am testing group, users,policy, net join workstation bla bla
> bla.   results very good.
>
> Today change ip static the pdc  192.168.56.101  for  new ip address:
> 192.168.56.102 static.
>
> error log in /var/lib/samba/log.nmbd
>
> nx-1:/var/lib/samba# /etc/init.d/samba restart
> Stopping Samba daemons: nmbd[2010/05/10 05:33:50, 0] nmbd/nmbd.c:terminate(68)
> Got SIGTERM: going down...
> smbd.
> Starting Samba daemons: nmbd smbd.
> lnx-1:/var/lib/samba# [2010/05/10 05:33:53, 0] nmbd/nmbd.c:main(849)
> nmbd version 3.2.5 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2008
> [2010/05/10 05:33:53, 0] nmbd/asyncdns.c:start_async_dns(155)
> started asyncdns process 2921
> [2010/05/10 05:33:53, 0] nmbd/nmbd_logonnames.c:add_logon_names(160)
> add_domain_logon_names:
> Attempting to become logon server for workgroup DOMINIO.INT on subnet
> 192.168.56.102
> [2010/05/10 05:33:53, 0] nmbd/nmbd_logonnames.c:add_logon_names(160)
> add_domain_logon_names:
> Attempting to become logon server for workgroup DOMINIO.INT on subnet
> UNICAST_SUBNET
> [2010/05/10 05:33:53, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(336)
> become_domain_master_browser_wins:
> Attempting to become domain master browser on workgroup DOMINIO.INT,
> subnet UNICAST_SUBNET.
> [2010/05/10 05:33:53, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(350)
> become_domain_master_browser_wins: querying WINS server from IP
> 127.0.0.1 for domain master browser name DOMINIO.INT<1b> on workgroup
> DOMINIO.INT
> [2010/05/10 05:33:53, 0] 
> nmbd/nmbd_logonnames.c:become_logon_server_success(121)
> become_logon_server_success: Samba is now a logon server for workgroup
> DOMINIO.INT on subnet UNICAST_SUBNET
> [2010/05/10 05:33:53, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_query_success(234)
> become_domain_master_query_success:
> There is already a domain master browser at IP 192.168.56.101 for
> workgroup DOMINIO.INT registered on subnet UNICAST_SUBNET.
> [2010/05/10 05:33:57, 0] 
> nmbd/nmbd_logonnames.c:become_logon_server_success(121)
> become_logon_server_success: Samba is now a logon server for workgroup
> DOMINIO.INT on subnet 192.168.56.102
>
> [2010/05/10 05:34:16, 0] 
> nmbd/nmbd_become_lmb.c:become_local_master_stage2(395)
> *
>
> Samba name server LNX-1 is now a local master browser for workgroup
> DOMINIO.INT on subnet 192.168.56.102
> *
> lnx-1:/var/lib/samba# [2010/05/10 05:34:37, 0]
> nmbd/nmbd_browsesync.c:domain_master_node_status_fail(247)
> domain_master_node_status_fail:
> Doing a node status request to the domain master browser
> for workgroup DOMINIO.INT at IP 192.168.56.101 failed.
> Cannot sync browser lists.
> [2010/05/10 05:39:07, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(336)
> become_domain_master_browser_wins:
> Attempting to become domain master browser on workgroup DOMINIO.INT,
> subnet UNICAST_SUBNET.
> [2010/05/10 05:39:07, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(350)
> become_domain_master_browser_wins: querying WINS server from IP
> 127.0.0.1 for domain master browser name DOMINIO.INT<1b> on workgroup
> DOMINIO.INT
> [2010/05/10 05:39:08, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_query_success(234)
> become_domain_master_query_success:
> There is already a domain master browser at IP 192.168.56.101 for
> workgroup DOMINIO.INT registered on subnet UNICAST_SUBNET.
>
> [2010/05/10 06:13:33,  0]
> nmbd/nmbd_browsesync.c:domain_master_node_status_fail(247)
>  domain_master_node_status_fail:
>  Doing a node status request to the domain master browser
>  for workgroup DOMINIO.INT at IP 192.168.56.101 failed.
>  Cannot sync browser lists.
>
>
> Old ip 192.168.56.101
> new ip 192.168.56.102
>
>
> How clean cache ip wins in the server pdc?
>
> Thanks.
>
>
>
>
> --
> #
> #   Operating System: Debian      #
> #        Caracas, Venezuela          #
> #
>



-- 
#
#   Operating System: Debian  #
#Caracas, Venezuela  #
#

Re: [Samba] Samba PDC: Only one User can't log in

2010-04-15 Thread Daniel Spannbauer
Andy wrote:
> Hi Daniel,
>
> When the user attempts to login what message does he get?
>   

I only have the Message in German, I try to translate:

"you can't get logged on. please check username and domain and retype your 
password"

> have you checked the account flags?

AccountFlag is "UX".

Regards

Daniel




Re: [Samba] Samba PDC: Only one User can't log in

2010-04-15 Thread Andy
Hi Daniel,

When the user attempts to login what message does he get?
have you checked the account flags?

http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#accountflags


On Thu, Apr 8, 2010 at 1:12 AM, Daniel Spannbauer  wrote:
> Hello,
>
> I have a working Samba-PDC with ldap-Backend. It works fine for all our
> users, except one user.
> He can't log in. I can't find an error in ldap (compared his entry with
> mine) nor in the logfile.
>
> Can anybody help me to figure out the cause of this?
>
> Here is my smb.conf:
>
> [global]
>workgroup = test
>netbios aliases = homedirs
>server string = apollo
>passdb backend = ldapsam:"ldap://10.3.1.3";
>username map = /etc/samba/smb-user-map
>log level = 15
>log file = /var/log/samba/%m.log
>debug uid = Yes
>smb ports = 139
>name resolve order = wins host bcast
>deadtime = 300
>printcap name = cups
>add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody
> -s /bin/false %m$
>logon script = logon.bat
>logon path = \\%L\%U\.ntprofile
>logon drive = H:
>logon home = \\%L\%U
>domain logons = Yes
>preferred master = Yes
>local master = No
>domain master = Yes
>wins server = gate
>kernel oplocks = No
>ldap admin dn = cn=Administrator,dc=test,dc=de
>ldap group suffix = ou=group
>ldap machine suffix = ou=Computers
>ldap suffix = dc=test,dc=de
>ldap ssl = no
>ldap user suffix = ou=people
>create mask = 0775
>directory mask = 0775
>hide files =
> /Desktop.ini/desktop.ini/ntuser.ini/NTUSER.*/tmp/RECYCLER/
>strict locking = No
>share modes = No
>delete readonly = Yes
>
>
> Please find attached the logfile snippet. Sorry, but it's too big for
> pastebin.
>
> Regards
>
> Daniel
>
>



-- 
REGARDS,
Andy Z


Re: [Samba] Samba PDC with group using same desktop

2010-03-30 Thread John H Terpstra
On 03/30/2010 08:54 AM, M. D. wrote:
> My goal is to have a business with multiple locations, all have the same
> desktop for a certain user group. The quick Launch programs, Start Menu
> and Desktop icons should all be the same, and be 'read only' -- meaning
> they can't change them.
> 
> I'm using ClearOS for the PDC, and I have it working already as the PDC,
> but I'm not quite sure how to setup the remote profiles and lock it so
> end users cannot modify it, and how to have some users be able to log
> into that profile and do the changes that are needed.
> 
> This is my first time working with a domain controller, so probably
> that's my shortcoming.  I don't know exactly how/what a domain
> controller can do.
> 
> Any help will be greatly appreciated.
> 
> Regards,
> MD


Samba3 is fully capable of meeting your needs here but this is not in
principle a Samba issue.  What is needed is a clear understanding of how
desktop profiles are used by MS Windows clients.  It also requires an
understanding of how to use default network logon profiles, roaming
profiles, and how to make use of the NT4 policy editor.

Samba3 can emulate many ADS Group Policy effects, but it has to be
engineered through creative use of the network default login profile and
dynamic mapping inside Samba so that the user will obtain the right
group profile.

As for the mandatory aspect, that is done by renaming the NTUser.DAT
file in the profile to NTUser.MAN.

I have responded off-line to the poster with further information.  Some
of the magic here is covered in chapter 5 of my book, Samba3-ByExample -
see http://www.samba.org/samba/docs/Samba3-ByExample.pdf

Cheers,
John T.


Re: [Samba] samba PDC upgrade from 3.2.5 to 3.4.7

2010-03-23 Thread Leonardo Carneiro - Veltrac
Also, I found out that only users running windows xp in one of the two 
interfaces that samba is being accessed are having this trouble.


Leonardo Carneiro - Veltrac wrote:

Hello everyone.

Yesterday I did an almost painless upgrade from samba pdc from 3.2.5 
to 3.4.7. I'm running in a Debian Lenny (upgraded from the original 
package to the backported one).


After a few tweaks I found on the web my users, including those who 
run win7, were able to log in the domain. But now they cannot access 
the shared folders on the server. Some users can't even open the 
server share list.


Is there any major change that prevents users from accessing the shares that 
I'm skipping?


Tks in advance and sorry for my poor english.



Re: [Samba] Samba PDC and Windows XP clients - login timeout after 15 minutes

2009-12-28 Thread Helmut Hullen
Hello, Michael,

You wrote on 28.12.09:

>> When a user starts his Windows computer and don't login within the
>> next 15 minutes
>> (because he drinks a cup of coffee) and tried to login after that
>> time he get the message,
>> that the server-profile could not be loaded and a temporary profile
>> is used instead.

>> Any ideas what goes wrong?

> Sorry, no idea just like that.

Just to confuse you a bit more ...

I've seen this nasty behaviour on one of my windows clients (on and on);  
"Windows-Anmeldung" (no domain).
I have to rebuild the network neighborhood via "net view \\Se.rv.er.IP".

It's only one machine (Windows 2000); the other machines (Windows 2000,  
Windows XPpro, Windows XP Home) don't lose their neighborhood.

Samba 3.2.13 (Samba 3.4.x makes other problems).

Best regards!
Helmut


Re: [Samba] Samba PDC and Windows XP clients - login timeout after 15 minutes

2009-12-28 Thread Michael Adam
Hi,

X-Dimension wrote:
> Hi!
> 
> We are using a Samba PDC with 40 Windows XP clients and have some strange  
> problems.
> When a user starts his Windows computer and don't login within the next 15  
> minutes
> (because he drinks a cup of coffee) and tried to login after that time he  
> get the message,
> that the server-profile could not be loaded and a temporary profile is  
> used instead.
> 
> There are absolutely no problems when a user starts his computer and log  
> in within the next 15 minutes,
> but after this time period he always get the error described above.
> 
> Any ideas what goes wrong?

Sorry, no idea just like that.

I'd need your smb.conf and a log file (level 10 if possible)
of such a logon process that fails to load the profile from the
server.

Cheers - Michael

> THX




Re: [Samba] Samba PDC LDAP and LDAP Aliases

2009-12-10 Thread Björn Jacke
On 2009-12-10 at 14:40 +0100 Ivo Steinmann sent off:
> For me it looks right! And it's also working, if People and Group aren't
> aliased. So I guess samba pdc is not resolving aliases.

in the next samba release (not yet in 3.5 ...) you'll be able to tell samba
whether and how to do alias dereferencing. But you should be able to tell the
ldap library to do that by default, too - see ldap.conf(5). That would also
make your -a option in ldapsearch obsolete.

Cheers
Björn

Re: [Samba] Samba PDC upgrade / hardware replacement results

2009-10-19 Thread Adam Williams

I think that testparm will show if any options are deprecated.



Re: [Samba] Samba PDC + OpenLDAP, Jaunty: Can't join domain

2009-09-15 Thread Christopher Swingley
> But I can't seem to join a computer to the domain, and I've run out of
> ideas.  I'd like some help trying to identify where I've gone wrong
> and how to get the server to allow desktops to join.

Sorry to reply to my own post.  I figured out my problem:

$ smbclient -L //newserv
Domain=[TESTDOM] OS=[Unix] Server=[Samba 3.3.2]

Server   Comment
----
NEWSERV  newserv server (Samba, Ubuntu)

WorkgroupMaster
----
   -TESTDOM  DESKTOP
   +TESTDOM  NEWSERV

In other words, I had another "test" machine that was acting as the
domain master.  Nothing I did on the new server made any difference
because joining to the domain was going to the wrong place.

Cheers,

Chris
-- 
Christopher S. Swingley
http://swingleydev.com/


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
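
The check described in the post above, as an added example that is not part of the original message or of Samba: it reads the "Workgroup / Master" table from `smbclient -L` output and reports any workgroup whose master browser is not the server you expect. The sample output is constructed (using the host names from the post), and `parse_table` and `master_mismatches` are hypothetical helper names.

```python
import re

# Constructed sample of `smbclient -L //newserv` output, laid out the way
# smbclient prints its tables; the host names are the ones used in the post.
SMBCLIENT_L = """\
Domain=[TESTDOM] OS=[Unix] Server=[Samba 3.3.2]

\tServer               Comment
\t---------            -------
\tNEWSERV              newserv server (Samba, Ubuntu)

\tWorkgroup            Master
\t---------            -------
\tTESTDOM              DESKTOP
"""


def parse_table(output, first_col, second_col):
    """Return the rows of the two-column table headed `first_col  second_col`."""
    header = re.compile(
        r"^\s*%s\s+%s\s*$" % (re.escape(first_col), re.escape(second_col))
    )
    rows, in_table = [], False
    for line in output.splitlines():
        if not in_table:
            in_table = bool(header.match(line))
            continue
        stripped = line.strip()
        if not stripped:
            break  # a blank line ends the table
        if set(stripped) <= set("- "):
            continue  # the dashed underline below the header
        parts = stripped.split(None, 1)
        rows.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return rows


def master_mismatches(output, expected):
    """Compare the announced masters with `expected` ({workgroup: server}).

    Returns (workgroup, announced_master) pairs that differ from what was
    expected; announced_master is None when the workgroup is not listed.
    NetBIOS names are compared case-insensitively.
    """
    seen = {
        wg.upper(): master.strip().upper()
        for wg, master in parse_table(output, "Workgroup", "Master")
    }
    problems = []
    for workgroup, wanted in expected.items():
        announced = seen.get(workgroup.upper())
        if announced is None:
            problems.append((workgroup, None))
        elif announced != wanted.upper():
            problems.append((workgroup, announced))
    return problems


if __name__ == "__main__":
    for workgroup, master in master_mismatches(SMBCLIENT_L, {"TESTDOM": "NEWSERV"}):
        print("workgroup %s: master is %s, expected NEWSERV" % (workgroup, master))
```

Run against a new controller before joining clients, a non-empty result means another host is answering as master for the workgroup.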


Re: [Samba] Samba-PDC: One fresh installed XP-Machine can't load the Profiles

2009-09-09 Thread Daniel Spannbauer



John Doe wrote:

From: Daniel Spannbauer 

But one fresh installed XP-Machine can't load my profile.


Tried?

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:0001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters]
"RequireSignOrSeal"=dword:


Yes, tried that. But it's the same result. Joining the domain works 
fine, but my profile is not loaded. I always get a temporary Profile.


Regards

Daniel






JD


  



--
Daniel Spannbauer Software Entwicklung
marco Systemanalyse und Entwicklung GmbH  Tel   +49 8333 9233-27 Fax -11
Rechbergstr. 4 - 6, D 87727 Babenhausen   Mobil +49 171 4033220
http://www.marco.de/  Email d...@marco.de
Geschäftsführer Martin Reuter HRB 171775 Amtsgericht München


Re: [Samba] Samba-PDC: One fresh installed XP-Machine can't load the Profiles

2009-09-04 Thread John Doe
From: Daniel Spannbauer 
> But one fresh installed XP-Machine can't load my profile.

Tried?

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:0001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters]
"RequireSignOrSeal"=dword:

JD


  



Re: [Samba] Samba PDC + OpenLDAP (Debian Lenny)

2009-08-18 Thread Mike Eggleston
On Sun, 16 Aug 2009, Henrik Dige Semark might have said:

> Hey.
> I'm trying to move my existing MS-AD over to SAMBA, the place I'm 
> working for is changing all servers from MS to Debian, but all the 
> clients are still a mixed environment for now.
> We have MAC, *NIX, and Windows clients, so it's important that everything 
> keeps running in the same or almost the same way as before the change but.
> 
> When I try to join a Windows Vista Ultimate or Windows XP Pro to the 
> domain it takes 30 sec and then it says "The machine account does not 
> exist" but as I understand that is what
> "add machine script = /usr/sbin/smbldap-useradd -t 0 -w -i "%u"" has to 
> do right ?
> 
> I have pasted my config + log from OpenLDAP and SAMBA, can anybody see 
> what I have done wrong

I'm not at work and am unable to compare your configuration with
my production configuration. I have a similar environment, though,
and found for windows boxes I needed to create the account in LDAP
first (I use smbldap-adduser ...), then I must also add my samba
server as a WINS server to the windows box, then I can join the
windows box to my samba pdc domain.

Mike


Re: [Samba] Samba PDC + OpenLDAP (Debian Lenny)

2009-08-16 Thread Adam Tauno WIlliams
> I'm trying to move my existing MS-AD over to SAMBA, the place I'm 

So you have an AD domain?  Samba 3.x does not provide an AD domain, it
provides an NT domain, so your requirement of "everything keeps running
in the same or almost the same way" cannot be met.  Unless you want to
try Samba 4.

> When I try to join a Windows Vista Ultimate or Windows XP Pro to the 
> domain it takes 30 sec and then it says "The machine account does not 
> exist" but as I understand that is what
> "add machine script = /usr/sbin/smbldap-useradd -t 0 -w -i "%u"" has to 
> do right ?

It is supposed to, yes.

>socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

Get rid of all the "socket options" stuff.  Are you using an old HOWTO
or some crap Wiki entry from somewhere?  Setting this directive is an
OLD habit and very obsolete.  Use only the Samba HOWTO and By-Example as
provided on Samba docs.  Assume everything else on the Internet is
obsolete and out-of-date, because it most likely is.

> [2009/08/14 18:22:24,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
>  pdb_get_group_sid: Failed to find Unix account for DomAdmin
> [2009/08/14 18:22:24,  1] auth/auth_util.c:make_server_info_sam(562)
>  User DomAdmin in passdb, but getpwnam() fails!

I don't know why it is looking for a "DomAdmin" account. Perhaps your
directory is not fully initialized?  Loaded with the required users,
etc...

> Error: modifications require authentication at 
> /usr/share/perl5/smbldap_tools.pm line 1083.
> [2009/08/14 18:22:48,  0] 
> passdb/pdb_interface.c:pdb_default_create_user(336)
>  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -t 0 
> -w -i "hds$"' gave 127

I don't use smbldap-tools but this looks like they don't have sufficient
config to authenticate to the DSA.



Re: [Samba] Samba PDC

2009-06-23 Thread Boris Höffgen

Hi!

Adam Williams wrote:

what is the output of net getdomainsid?

SID for local machine DC011 is: S-1-5-21-3019101499-2136775595-2697463099
SID for domain BILLE is: S-1-5-21-372180226-160714707-1039276024

The old PDC is DC01 and the samba server (new PDC) is DC011. Thanks!



Boris Höffgen wrote:

Hello,

I migrate the machine and user accounts into a Samba PDC from a 
Windows NT domain with the command "net". After that I generated the 
user passwords with the util smbpasswd. Samba is now the master and 
the domain PDC. But when the users try to login, the following error 
appears in the logs:

netlogon_creds_server_check failed. Rejecting auth request from client
WS06 machine account WS06$.
What must I do to solve the problem?

pdbedit -Lv WS06$:
Unix username:WS06$
NT username:  WS06$
Account Flags:[W  ]
User SID: S-1-5-21-372180226-160714707-1039276024-1018
Primary Group SID:S-1-5-21-372180226-160714707-1039276024-513
Full Name:
Home Directory:   \\dc011\profiles\98\ws06_
HomeDir Drive:H:
Logon Script: /home/samba/netlogon/ws06_.cmd
Profile Path: \\dc011\profiles\xp\ws06_
Domain:   BILLE
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  never
Kickoff time: never
Password last set:Di, 09 Jun 2009 11:46:19 CEST
Password can change:  Di, 09 Jun 2009 11:46:19 CEST
Password must change: Di, 21 Jul 2009 11:46:19 CEST
Last bad password   : 0
Bad password count  : 0
Logon hours : FF


passwd:
WS06$:x:1014:1010::/dev/null:/bin/false

shadow:
WS06$:!:14362:0:9:7:::

Thanks and regards
Boris





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
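
An added example, not code from the thread or from the Samba project: it parses the `net getdomainsid` and `pdbedit -Lv` output quoted above and reports SID and account-flag inconsistencies, which also covers the account flags ("UX", "[W  ]") raised in the earlier "Only one User can't log in" thread. The sample input uses the values from this message with column spacing reconstructed; the function names are hypothetical, and the expectation that a domain controller's local machine SID equals the domain SID is an assumption of the example, not something the thread states.

```python
import re

# Account flag letters as listed in the Samba HOWTO "Account Flags" table.
FLAGS = {
    "D": "account disabled",
    "H": "home directory required",
    "I": "inter-domain trust account",
    "L": "account auto-locked",
    "M": "MNS logon account",
    "N": "password not required",
    "S": "server trust account",
    "T": "temporary duplicate account",
    "U": "normal user account",
    "W": "workstation trust account",
    "X": "password does not expire",
}

# Sample input: values quoted in the thread, column spacing reconstructed.
NET_GETDOMAINSID = """\
SID for local machine DC011 is: S-1-5-21-3019101499-2136775595-2697463099
SID for domain BILLE is: S-1-5-21-372180226-160714707-1039276024
"""

PDBEDIT_LV = """\
Unix username:        WS06$
NT username:          WS06$
Account Flags:        [W          ]
User SID:             S-1-5-21-372180226-160714707-1039276024-1018
Primary Group SID:    S-1-5-21-372180226-160714707-1039276024-513
Domain:               BILLE
"""

SID_LINE = re.compile(r"SID for (local machine|domain) (\S+) is:\s*(S-1-[0-9-]+)")


def parse_getdomainsid(text):
    """Return {'local machine': sid, 'domain': sid} from `net getdomainsid`."""
    return {m.group(1): m.group(3) for m in map(SID_LINE.search, text.splitlines()) if m}


def parse_pdbedit(text):
    """Return {field: value} for one account from `pdbedit -Lv` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def flag_letters(raw):
    """'[UX         ]' -> 'UX'"""
    return raw.strip().strip("[]").replace(" ", "")


def decode_flags(raw):
    """Translate an account flag field into readable descriptions."""
    return [FLAGS.get(c, "unknown flag %r" % c) for c in flag_letters(raw)]


def check_account(net_output, pdbedit_output):
    """Return a list of findings; an empty list means nothing to review."""
    sids = parse_getdomainsid(net_output)
    local, domain = sids.get("local machine"), sids.get("domain")
    if not local or not domain:
        return ["could not read both SIDs from the net getdomainsid output"]
    findings = []
    if local != domain:  # assumption: on a DC these two are expected to match
        findings.append("local machine SID %s differs from domain SID %s" % (local, domain))
    acct = parse_pdbedit(pdbedit_output)
    for field in ("User SID", "Primary Group SID"):
        sid = acct.get(field, "")
        prefix, _, rid = sid.rpartition("-")  # domain part and RID
        if not rid.isdigit():
            findings.append("%s is missing or malformed" % field)
        elif prefix != domain:
            origin = "the local machine SID" if prefix == local else "another SID"
            findings.append("%s %s was issued under %s" % (field, sid, origin))
    letters = flag_letters(acct.get("Account Flags", ""))
    is_machine = acct.get("Unix username", "").endswith("$")
    has_trust = any(c in letters for c in "WSI")
    if is_machine and not has_trust:
        findings.append("machine account without a trust flag (W, S or I): [%s]" % letters)
    if not is_machine and has_trust:
        findings.append("user account carrying a trust flag: [%s]" % letters)
    if "D" in letters:
        findings.append("account is disabled (D flag)")
    return findings


if __name__ == "__main__":
    for finding in check_account(NET_GETDOMAINSID, PDBEDIT_LV):
        print("review:", finding)
```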


Re: [Samba] Samba PDC

2009-06-23 Thread Adam Williams

what is the output of net getdomainsid?

Boris Höffgen wrote:

Hello,

I migrate the machine and user accounts into a Samba PDC from a 
Windows NT domain with the command "net". After that I generated the 
user passwords with the util smbpasswd. Samba is now the master and 
the domain PDC. But when the users try to login, the following error 
appears in the logs:

netlogon_creds_server_check failed. Rejecting auth request from client
WS06 machine account WS06$.
What must I do to solve the problem?

pdbedit -Lv WS06$:
Unix username:WS06$
NT username:  WS06$
Account Flags:[W  ]
User SID: S-1-5-21-372180226-160714707-1039276024-1018
Primary Group SID:S-1-5-21-372180226-160714707-1039276024-513
Full Name:
Home Directory:   \\dc011\profiles\98\ws06_
HomeDir Drive:H:
Logon Script: /home/samba/netlogon/ws06_.cmd
Profile Path: \\dc011\profiles\xp\ws06_
Domain:   BILLE
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  never
Kickoff time: never
Password last set:Di, 09 Jun 2009 11:46:19 CEST
Password can change:  Di, 09 Jun 2009 11:46:19 CEST
Password must change: Di, 21 Jul 2009 11:46:19 CEST
Last bad password   : 0
Bad password count  : 0
Logon hours : FF


passwd:
WS06$:x:1014:1010::/dev/null:/bin/false

shadow:
WS06$:!:14362:0:9:7:::

Thanks and regards
Boris





Re: [Samba] SAMBA+PDC+Mysql authentication Backend

2009-06-15 Thread Collen Blijenberg

Hi Pablo,

First I'd like to mention that the sql backend might not be the smartest 
choice of backends.


In the debug you attached you'll see a mysql error:

[2009/06/12 15:53:01,  0] pdb_mysql.c:mysqlsam_replace_sam_account(415)
 Error executing UPDATE user SET WHERE user_sid = 
'S-1-5-21-2398918909-2979869015-1347180298-1234', You have an error in your SQL 
syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near 'WHERE user_sid = 
'S-1-5-21-2398918909-2979869015-1347180298-1234'' at line 1


that is because the query isn't right ('update user set where', it 
should be 'update user set  where user_sid')

try commenting out all the mysql things (in your smb.conf) except the:
- Backend
- host
- user
- pass
and - database.

the rest is predefined in the backend itself..

but like i said, the sql backend lacks some good  things and you might 
be better off with ldap or the pdb backend.

also the sql backend only works with 3.0.x and 3.2.x
the project needs new developers to bring it to a higher plan...

good luck with it... Greets. Collen

ps. I think you might post sql related stuff in pdbsql mailing list, 
rather than the samba list...



Pablo Camera wrote:

I'm new in the samba world, but I configured a Samba with shares folder linkable 
to users and it was successful.

Now I try to extend to PDC but the client can't logon into the server:

the log.smbd could this


  [2009/06/12 15:51:21,  0] smbd/server.c:main(1209)
  smbd version 3.2.3 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2009/06/12 15:51:21,  1] pdb_mysql.c:mysqlsam_init(607)
  Connecting to database server, host: localhost, user: samba, database: 
samba_auth, port: 3306
[2009/06/12 15:52:58,  0] rpc_server/srv_netlog_nt.c:get_md4pw(331)
  get_md4pw: Workstation MULTI$: BDC secure channel requested but not a server 
trust account
[2009/06/12 15:52:58,  0] 
rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(502)
  _netr_ServerAuthenticate2: failed to get machine password for account MULTI$: 
NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2009/06/12 15:52:58,  0] rpc_server/srv_netlog_nt.c:get_md4pw(331)
  get_md4pw: Workstation MULTI$: BDC secure channel requested but not a server 
trust account
[2009/06/12 15:52:58,  0] 
rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(502)
  _netr_ServerAuthenticate2: failed to get machine password for account MULTI$: 
NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2009/06/12 15:53:01,  0] pdb_mysql.c:mysqlsam_replace_sam_account(415)
  Error executing UPDATE user SET WHERE user_sid = 
'S-1-5-21-2398918909-2979869015-1347180298-1234', You have an error in your SQL 
syntax; check the manual that corresponds to your MySQL server version for the 
right syntax to use near 'WHERE user_sid = 
'S-1-5-21-2398918909-2979869015-1347180298-1234'' at line 1

My smb.conf is this.

[global]
workgroup = MULTI
netbios name = MULTI
security = user

#Modifications to make samba a PDC
os level = 64
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
logon path = \\%N\%u
logon drive = H:
logon home = \\multi\%u\perfil
logon script = %u.bdat
add user script = /usr/local/samba/bin/./pdbedit -a "%u"
#add user to group script = /usr/sbin/groupmod -m "%u" "%g"
add machine script = /usr/local/samba/bin/./pdbedit -am "%m"
delete user script = /usr/local/samba/bin/./pdbedit -x "%u"
#delete group script = /usr/sbin/groupdel "%g"
#delete user from group script = /usr/sbin/groupmod -x "%u" "%g"
#set primary group script = /usr/sbin/usermod -g "%g" "%u"
passwd program = /usr/local/samba/bin/./pdbedit -am "%u"
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
idmap uid = 1-15000
idmap gid = 1-15000

#To send the password
#lanman auth = Yes
#ntlm auth = No
#lm announce = Yes
#client lanman auth = Yes 
#End of password


#End of modifications for PDC

#User mapping
username map = /usr/local/samba/lib/smbusers
#End of user mapping
 
obey pam restrictions = Yes

#Last change from yes to no
encrypt passwords = yes
#end of change
update encrypted = no

#client lanman auth = yes
#client plaintext auth = yes

#To authenticate users
passdb backend   = mysql:mysql
mysql:mysql host = localhost
mysql:mysql user = samba
mysql:mysql password = 
mysql:mysql database = samba_auth

mysql:fullname column= nt_fullname:
mysql:domain column  = 'multi':
mysql:lanman pass column = NULL:
mysql:nt pass column = NULL:
mysql:plain pass column  = plain_pw:
mysql:unknown_3 column   = NULL
mysql:sid column = user_sid
mysql:nt username column = nt_username
#mysql:nt pass  
smb passwd file = /etc/samba/private/smbpasswd

#End of user authentication

#For PDC
[netlogon]
path = /home/netlogon
read only = yes
write list = ntadmin

[profiles]
path = /usr/local/samba/ntprofile
writeable = yes
create mask = 0600
directory mask = 0700

#End of PDC



[ho

Re: [Samba] Samba PDC & Squid NTLM Auth - Same machine

2009-04-05 Thread Victor Medina
yeap! no success just yet :(
Victor Medina

Phyllis Diller  - "If it weren't for baseball, many kids wouldn't know
what a millionaire looked like."


On Tue, Mar 31, 2009 at 6:17 PM, Stefan Dengscherz
 wrote:
> Hello Victor,
>
>
> did you try supplying the domain name along with the username? Like
> "DOMAIN\administrator". Or adding "winbind use default domain = yes"
> to your samba configuration.
>
>
> Regards,
>
> -sd
>
> 2009/3/31 Victor Medina :
>> David, it did not work.
>>
>> Any suggestion?
>>
>> Victor Medina
>>
>> Samuel Goldwyn  - "I don't think anyone should write their
>> autobiography until after they're dead."
>>
>>
>> On Wed, Apr 1, 2009 at 12:13 PM, David Wells  wrote:
>>> Victor Medina wrote:

 Hi Guys!


 Probably this is not the best place to ask, I'll try anyway... =)

 I've been trying to configure a Samba PDC and a Squid Proxy server
 with NTLM auth on the same machine but NTML_AUTH keeps complaining
 about: NT_STATUS_INVALID_HANDLE I have other machines running
 Squid and Authenticating against a Samba Server but on different
 machines, this is the first time I try both on the same machine.

 Can I use Squid+NTLM Auth and Samba configured as PDC on the same
 machine? Is there any winbind issue with this kind of configuration?

 I'm using SLES10+SP2
 Samba version as reported by rpm is 3.0.32-0.8
 Squid version as reported by rpm is 2.5.STABLE12-18.13

 -
 This is my smb.conf

 [global]
        dos charset = 850
        unix charset = ISO8859-1
        workgroup = C1.SV
        netbios name = PDCSRVC1SV
        server string =
        interfaces = eth0
        bind interfaces only = Yes
        map to guest = Bad Password
        passdb backend = ldapsam:ldap://127.0.0.1
        guest account = Invitado
        time server = Yes
        deadtime = 20
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = cups
        logon path =
        logon home =
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=Administrador,o=Ferreteria EPA
        ldap delete dn = Yes
        ldap group suffix = ou=group
        ldap machine suffix = ou=people
        ldap passwd sync = Yes
        ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
        ldap user suffix = ou=people
        idmap domains = DEFAULT
        idmap alloc backend = ldap
        idmap alloc config:range = 1-10
        idmap alloc config:ldap_url = ldap://127.0.0.1
        idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
        idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria
 EPA
        idmap config DEFAULT:range = 1-10
        idmap config DEFAULT:ldap_url = ldap://127.0.0.1
        idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria
 EPA
        idmap config DEFAULT:ldap_base_dn =
 ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
        idmap config DEFAULT:default = yes
        idmap config DEFAULT:readonly = no
        idmap config DEFAULT:backend = ldap
        ldapsam:editposix = yes
        ldapsam:trusted = yes
        create mask = 0640
        force create mode = 0640
        directory mask = 0750
        force directory mode = 0750
        case sensitive = No
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

 My relevant squid.conf lines...

 auth_param ntlm program /usr/bin/ntlm_auth
 --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
 auth_param basic program /usr/bin/ntlm_auth
 --helper-protocol=squid-2.5-basic  C1.SV/PDCSRVC1SV
 auth_param ntlm children 100
 auth_param basic children 100
 auth_param basic realm Squid proxy-caching web server
 auth_param basic credentialsttl 2 hours




 The pdc works as expected, machine join works like charm, users and
 groups management works equally right, all accounts are placed in the
 LDAP, getent passwd, groups and shadow shows the ldap accounts

 I also did a few tests with wbinfo

 e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -u
 invitado
 usuarioprueba
 e01ggen
 e01glogis
 e01gcont
 e01jcomp1
 e01jcomp2
 e01jcomp3
 e01jcomp4
 e01jrepo
 e01jreclu
 e01rrece
 e01gcom
 e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -g
 BUILTIN
 BUILTIN
 domain users
 domain admins
 domain guests
 grupoprueba
 gcentralsv
 gcompras
 gcontrol
 ggerencia
 glogistica
 gmercadeo
 gpersonal
 gventas
 gjefecompras
 gjefecon

Re: [Samba] Samba PDC & Squid NTLM Auth - Same machine

2009-03-31 Thread Stefan Dengscherz
Hello Victor,


did you try supplying the domain name along with the username? Like
"DOMAIN\administrator". Or adding "winbind use default domain = yes"
to your samba configuration.


Regards,

-sd

2009/3/31 Victor Medina :
> David, it did not work.
>
> Any suggestion?
>
> Victor Medina
>
> Samuel Goldwyn  - "I don't think anyone should write their
> autobiography until after they're dead."
>
>
> On Wed, Apr 1, 2009 at 12:13 PM, David Wells  wrote:
>> Victor Medina wrote:
>>>
>>> Hi Guys!
>>>
>>>
>>> Probably this is not the best place to ask, I'll try anyway... =)
>>>
>>> I've been trying to configure a Samba PDC and a Squid Proxy server
>>> with NTLM auth on the same machine but NTML_AUTH keeps complaining
>>> about: NT_STATUS_INVALID_HANDLE I have other machines running
>>> Squid and Authenticating against a Samba Server but on different
>>> machines, this is the first time I try both on the same machine.
>>>
>>> Can I use Squid+NTLM Auth and Samba configured as PDC on the same
>>> machine? Is there any winbind issue with this kind of configuration?
>>>
>>> I'm using SLES10+SP2
>>> Samba version as reported by rpm is 3.0.32-0.8
>>> Squid version as reported by rpm is 2.5.STABLE12-18.13
>>>
>>> -
>>> This is my smb.conf
>>>
>>> [global]
>>>        dos charset = 850
>>>        unix charset = ISO8859-1
>>>        workgroup = C1.SV
>>>        netbios name = PDCSRVC1SV
>>>        server string =
>>>        interfaces = eth0
>>>        bind interfaces only = Yes
>>>        map to guest = Bad Password
>>>        passdb backend = ldapsam:ldap://127.0.0.1
>>>        guest account = Invitado
>>>        time server = Yes
>>>        deadtime = 20
>>>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>        printcap name = cups
>>>        logon path =
>>>        logon home =
>>>        domain logons = Yes
>>>        os level = 65
>>>        preferred master = Yes
>>>        domain master = Yes
>>>        wins support = Yes
>>>        ldap admin dn = cn=Administrador,o=Ferreteria EPA
>>>        ldap delete dn = Yes
>>>        ldap group suffix = ou=group
>>>        ldap machine suffix = ou=people
>>>        ldap passwd sync = Yes
>>>        ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
>>>        ldap user suffix = ou=people
>>>        idmap domains = DEFAULT
>>>        idmap alloc backend = ldap
>>>        idmap alloc config:range = 1-10
>>>        idmap alloc config:ldap_url = ldap://127.0.0.1
>>>        idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>>        idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria
>>> EPA
>>>        idmap config DEFAULT:range = 1-10
>>>        idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>>>        idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria
>>> EPA
>>>        idmap config DEFAULT:ldap_base_dn =
>>> ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>>        idmap config DEFAULT:default = yes
>>>        idmap config DEFAULT:readonly = no
>>>        idmap config DEFAULT:backend = ldap
>>>        ldapsam:editposix = yes
>>>        ldapsam:trusted = yes
>>>        create mask = 0640
>>>        force create mode = 0640
>>>        directory mask = 0750
>>>        force directory mode = 0750
>>>        case sensitive = No
>>>        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>>>
>>> My relevant squid.conf lines...
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic  C1.SV/PDCSRVC1SV
>>> auth_param ntlm children 100
>>> auth_param basic children 100
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>>
>>>
>>>
>>>
>>> The pdc works as expected, machine join works like charm, users and
>>> groups management works equally right, all accounts are placed in the
>>> LDAP, getent passwd, groups and shadow shows the ldap accounts
>>>
>>> I also did a few tests with wbinfo
>>>
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -u
>>> invitado
>>> usuarioprueba
>>> e01ggen
>>> e01glogis
>>> e01gcont
>>> e01jcomp1
>>> e01jcomp2
>>> e01jcomp3
>>> e01jcomp4
>>> e01jrepo
>>> e01jreclu
>>> e01rrece
>>> e01gcom
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -g
>>> BUILTIN
>>> BUILTIN
>>> domain users
>>> domain admins
>>> domain guests
>>> grupoprueba
>>> gcentralsv
>>> gcompras
>>> gcontrol
>>> ggerencia
>>> glogistica
>>> gmercadeo
>>> gpersonal
>>> gventas
>>> gjefecompras
>>> gjefecontrol
>>> gjefelogistica
>>> gjefepersonal
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  --all-domains
>>> C1.SV
>>>
>>>
>>> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>>>
>>>
>>> I also noted this error:
>>>
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo
>>> --authenticate=administrator%12345678
>>> plaintext pas

Re: [Samba] Samba PDC & Squid NTLM Auth - Same machine

2009-03-31 Thread Victor Medina
David, it did not work.

Any suggestion?

Victor Medina

Samuel Goldwyn  - "I don't think anyone should write their
autobiography until after they're dead."


On Wed, Apr 1, 2009 at 12:13 PM, David Wells  wrote:
> Victor Medina wrote:
>>
>> Hi Guys!
>>
>>
>> Probably this is not the best place to ask, I'll try anyway... =)
>>
>> I've been trying to configure a Samba PDC and a Squid Proxy server
>> with NTLM auth on the same machine but NTLM_AUTH keeps complaining
>> about: NT_STATUS_INVALID_HANDLE. I have other machines running
>> Squid and authenticating against a Samba Server but on different
>> machines, this is the first time I try both on the same machine.
>>
>> Can I use Squid+NTLM Auth and Samba configured as PDC on the same
>> machine? Is there any winbind issue with this kind of configuration?
>>
>> I'm using SLES10+SP2
>> Samba version as reported by rpm is 3.0.32-0.8
>> Squid version as reported by rpm is 2.5.STABLE12-18.13
>>
>> -
>> This is my smb.conf
>>
>> [global]
>>        dos charset = 850
>>        unix charset = ISO8859-1
>>        workgroup = C1.SV
>>        netbios name = PDCSRVC1SV
>>        server string =
>>        interfaces = eth0
>>        bind interfaces only = Yes
>>        map to guest = Bad Password
>>        passdb backend = ldapsam:ldap://127.0.0.1
>>        guest account = Invitado
>>        time server = Yes
>>        deadtime = 20
>>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>        printcap name = cups
>>        logon path =
>>        logon home =
>>        domain logons = Yes
>>        os level = 65
>>        preferred master = Yes
>>        domain master = Yes
>>        wins support = Yes
>>        ldap admin dn = cn=Administrador,o=Ferreteria EPA
>>        ldap delete dn = Yes
>>        ldap group suffix = ou=group
>>        ldap machine suffix = ou=people
>>        ldap passwd sync = Yes
>>        ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
>>        ldap user suffix = ou=people
>>        idmap domains = DEFAULT
>>        idmap alloc backend = ldap
>>        idmap alloc config:range = 1-10
>>        idmap alloc config:ldap_url = ldap://127.0.0.1
>>        idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>        idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria
>> EPA
>>        idmap config DEFAULT:range = 1-10
>>        idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>>        idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria
>> EPA
>>        idmap config DEFAULT:ldap_base_dn =
>> ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>        idmap config DEFAULT:default = yes
>>        idmap config DEFAULT:readonly = no
>>        idmap config DEFAULT:backend = ldap
>>        ldapsam:editposix = yes
>>        ldapsam:trusted = yes
>>        create mask = 0640
>>        force create mode = 0640
>>        directory mask = 0750
>>        force directory mode = 0750
>>        case sensitive = No
>>        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>>
>> My relevant squid.conf lines...
>>
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic  C1.SV/PDCSRVC1SV
>> auth_param ntlm children 100
>> auth_param basic children 100
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>>
>>
>>
>> The pdc works as expected, machine join works like a charm, users and
>> groups management works equally right, all accounts are placed in the
>> LDAP, getent passwd, groups and shadow show the ldap accounts
>>
>> I also did a few tests with wbinfo
>>
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -u
>> invitado
>> usuarioprueba
>> e01ggen
>> e01glogis
>> e01gcont
>> e01jcomp1
>> e01jcomp2
>> e01jcomp3
>> e01jcomp4
>> e01jrepo
>> e01jreclu
>> e01rrece
>> e01gcom
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -g
>> BUILTIN
>> BUILTIN
>> domain users
>> domain admins
>> domain guests
>> grupoprueba
>> gcentralsv
>> gcompras
>> gcontrol
>> ggerencia
>> glogistica
>> gmercadeo
>> gpersonal
>> gventas
>> gjefecompras
>> gjefecontrol
>> gjefelogistica
>> gjefepersonal
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  --all-domains
>> C1.SV
>>
>>
>> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>>
>>
>> I also noted this error:
>>
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo
>> --authenticate=administrator%12345678
>> plaintext password authentication failed
>> error code was NT_STATUS_NO_SUCH_USER (0xc064)
>> error messsage was: No such user
>> Could not authenticate user administrator%12345678 with plaintext password
>> winbind separator was NULL!
>> challenge/response password authentication failed
>> error code was NT_STATUS_INVALID_HANDLE (0xc008)
>> error messsage was: Invalid handle
>> Could n

Re: [Samba] Samba PDC & Squid NTLM Auth - Same machine

2009-03-31 Thread David Wells

Victor Medina wrote:

Hi Guys!


Probably this is not the best place to ask, I'll try anyway... =)

I've been trying to configure a Samba PDC and a Squid Proxy server
with NTLM auth on the same machine but NTLM_AUTH keeps complaining
about: NT_STATUS_INVALID_HANDLE. I have other machines running
Squid and authenticating against a Samba Server but on different
machines, this is the first time I try both on the same machine.

Can I use Squid+NTLM Auth and Samba configured as PDC on the same
machine? Is there any winbind issue with this kind of configuration?

I'm using SLES10+SP2
Samba version as reported by rpm is 3.0.32-0.8
Squid version as reported by rpm is 2.5.STABLE12-18.13

-
This is my smb.conf

[global]
dos charset = 850
unix charset = ISO8859-1
workgroup = C1.SV
netbios name = PDCSRVC1SV
server string =
interfaces = eth0
bind interfaces only = Yes
map to guest = Bad Password
passdb backend = ldapsam:ldap://127.0.0.1
guest account = Invitado
time server = Yes
deadtime = 20
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
logon path =
logon home =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Administrador,o=Ferreteria EPA
ldap delete dn = Yes
ldap group suffix = ou=group
ldap machine suffix = ou=people
ldap passwd sync = Yes
ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
ldap user suffix = ou=people
idmap domains = DEFAULT
idmap alloc backend = ldap
idmap alloc config:range = 1-10
idmap alloc config:ldap_url = ldap://127.0.0.1
idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
idmap config DEFAULT:range = 1-10
idmap config DEFAULT:ldap_url = ldap://127.0.0.1
idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
idmap config DEFAULT:default = yes
idmap config DEFAULT:readonly = no
idmap config DEFAULT:backend = ldap
ldapsam:editposix = yes
ldapsam:trusted = yes
create mask = 0640
force create mode = 0640
directory mask = 0750
force directory mode = 0750
case sensitive = No
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

My relevant squid.conf lines...

auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic  C1.SV/PDCSRVC1SV
auth_param ntlm children 100
auth_param basic children 100
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours




The pdc works as expected, machine join works like a charm, users and
groups management works equally right, all accounts are placed in the
LDAP, getent passwd, groups and shadow show the ldap accounts

I also did a few tests with wbinfo

e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -u
invitado
usuarioprueba
e01ggen
e01glogis
e01gcont
e01jcomp1
e01jcomp2
e01jcomp3
e01jcomp4
e01jrepo
e01jreclu
e01rrece
e01gcom
e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -g
BUILTIN
BUILTIN
domain users
domain admins
domain guests
grupoprueba
gcentralsv
gcompras
gcontrol
ggerencia
glogistica
gmercadeo
gpersonal
gventas
gjefecompras
gjefecontrol
gjefelogistica
gjefepersonal
e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  --all-domains
C1.SV


I also made sure squid users can read /var/lib/samba/winbindd_privileged


I also noted this error:

e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo
--authenticate=administrator%12345678
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user administrator%12345678 with plaintext password
winbind separator was NULL!
challenge/response password authentication failed
error code was NT_STATUS_INVALID_HANDLE (0xc008)
error messsage was: Invalid handle
Could not authenticate user administrator with challenge/response

Does someone have any idea of what could go wrong? When I use squid and
samba on different machines I usually join the squid machine to the
domain using a net join, is this necessary when the pdc and squid are
on the same machine?

Victor Medina

Samuel Goldwyn  - "I don't think anyone should write their
autobiography until after they're dead."
  

I think you should add lo to the interfaces listed in smb.conf

Best regards, David Wells.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://
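
The condition behind the `lo` suggestion above can be checked mechanically: with `bind interfaces only = Yes`, smbd accepts connections only on the listed interfaces, so a list without loopback leaves 127.0.0.1 unserved for tools running on the same host. The sketch below is an added example, not code from the thread or from Samba; the function names are hypothetical, and the loopback interface name `lo` is an assumption (Linux).

```python
import fnmatch
import ipaddress

# Constructed sample: the [global] lines from the post that matter here.
POSTED = """\
[global]
        workgroup = C1.SV
        netbios name = PDCSRVC1SV
        interfaces = eth0
        bind interfaces only = Yes
        passdb backend = ldapsam:ldap://127.0.0.1
"""

def parse_global(text):
    """Return [global] parameters; smb.conf names ignore case and spaces."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def covers_loopback(entry, loopback_name="lo"):
    """True if one 'interfaces' entry (name, glob, IP or IP/mask) includes loopback."""
    try:
        network = ipaddress.ip_interface(entry).network
        return ipaddress.ip_address("127.0.0.1") in network
    except ValueError:
        # Not an address: treat it as an interface name or glob such as eth*.
        return fnmatch.fnmatch(loopback_name, entry)

def loopback_reachable(text):
    """False when smbd binds to listed interfaces only and none covers loopback."""
    g = parse_global(text)
    bind_only = g.get("bindinterfacesonly", "no").lower() in ("yes", "true", "1")
    if not bind_only:
        return True
    entries = g.get("interfaces", "").replace(",", " ").split()
    return any(covers_loopback(e.strip('"')) for e in entries)

if __name__ == "__main__":
    print("loopback served by smbd:", loopback_reachable(POSTED))
```
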

Re: [Samba] Samba PDC - Kerberised CIFS access

2009-03-13 Thread Shahid M Shaikh
Hi Eduardo,

M1 is Samba PDC. It is hosting a domain. It also stores domain users.
Though the Samba passwords for all the users are invalid in smbpasswd.

M3 is CIFS Server and is part of the domain of Samba PDC. Hence I join M3
into M1 using net rpc join.
For that I have created a machine user account on Samba PDC.

On M3, I have configured smb.conf to accept kerberos tickets. So a client
who wants to access the CIFS shares
needs to have valid kerberos tickets ( user tgt and CIFS service principal
tgs).

Is that clear to you now?

Regards,
Shahid Shaikh.



   
Eduardo Sachs wrote on 13-03-09 10:23 PM:
To: samba@lists.samba.org
cc: Shahid M Shaikh/India/i...@ibmin
Subject: Re: [Samba] Samba PDC - Kerberised CIFS access
   
   
   
   
   
   




Hi Shahid,

I'm so sorry, but I don't understand your collocation about your answer.

You managed to join the M3 in Samba PDC, and at the same time access it
through the Kerberos authentication? Was that it?

Helmut, I'm so sorry!

Thanks!

2009/3/13 Shahid M Shaikh :
> Hi Eduardo,
>
> Thanks much for all the information you have shared with us regarding the
> samba issue.
>
> I used net rpc join command to join into the domain hosted by M1.
>
> I was able to join to the domain successfully.
>
> Regards,
> Shahid Shaikh.
>
>
>
>
> Eduardo Sachs wrote on 13-03-09 07:19 PM:
> To: Shahid M Shaikh/India/i...@ibmin
> cc: samba@lists.samba.org, Christian M Ambach,
>     volker.lende...@sernet.de, Mathias Dietz,
>     Ujjwal Lanjewar/India/i...@ibmin, Michael Diederich,
>     Pankaj S Zanwar/India/i...@ibmin
> Subject: Re: [Samba] Samba PDC - Kerberised CIFS access
>
> I'm so sorry for the many emails, but it is necessary:
>
> In my case, the Samba 3.0.x does not cause this problem, only in Samba
> 3.2.x and 3.3.X.
>
> Thanks!
>
> 2009/3/13 Eduardo Sachs :
>> More information...
>>
>> Example of procedure:
>>
>> 1 - M4 Access M3 with auth Kerberos:
>> M4# smbclient //M3/publico -k
>> OS=[Unix] Server=[Samba 3.2.5]
>> smb: \> ls
>>  .                                   D        0  Wed Mar 11 21:04:19 2009
>>  ..                                  D        0  Wed Mar 11 21:04:19 2009
>>
>>                48444 blocks of size 262144. 36638 blocks available
>> smb: \> quit
>>
>> 2 - M3 Join Samba PDC:
>> M3# net join -U root
>> Enter root's password:
>> Joined domain _LOCAL_.
>>
>> 3 - M4 Access M3 with auth Kerberos fail.
>> M4# smbclient //M3/publico -k
>> cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> 4 - In M3, delete /var/lib/samba/secrets.tdb and restart Samba Client,
>> M3 is out of Domain Samba PDC because delete secrets.tdb:
>> M3# rm /var/lib/samba/secrets.tdb && /etc/init.d/samba restart
>>
>> 5 - M4 is back to accessing M3 with auth Kerberos:
>> M4# smbclient //M3/publico -k
>> OS=[Unix] Server=[Samba 3.2.5]
>> smb: \> ls
>>  .                                   D        0  Wed Mar 11 21:04:19 2009
>>  ..                                  D        0  Wed Mar 11 21:04:19 2009
>>
>>                48444 blocks of size 262144. 366
