Re: RE : [Samba] domain admin and primarygroupSID
On Fri, 12 Sep 2003, jean-marc pouchoulon wrote:

> >I'm using samba-3.0RC3.
> >I just figured out that if I wanted a user to be a Domain Admin, his
> >primarygroupSID had to be the group mapped to "Domain Admins" (sid=512).
> >Is there a way to just add the user to the admin group without modifying his
> >primarygroupSID ?
>
> If I understand well your question, just add him to the "domain
> group" in the /etc/group/ on your unix system.
> I've just made a doc in French on sambaRC3. If you want it, I
> can send it.

If it's in French I can handle that. If it's in encrypted French I may have a problem. In any case would you mail it to me off-list please. I'd like to look it over. Maybe I can glean something to add to the Samba-HOWTO-Collection. :)

PS: Would you like to translate that from English to French for me? :)

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba

RE : [Samba] domain admin and primarygroupSID
>I'm using samba-3.0RC3.
>I just figured out that if I wanted a user to be a Domain Admin, his
>primarygroupSID had to be the group mapped to "Domain Admins" (sid=512).
>Is there a way to just add the user to the admin group without modifying his
>primarygroupSID ?

If I understand well your question, just add him to the "domain group" in the /etc/group/ on your unix system.
I've just made a doc in French on sambaRC3. If you want it, I can send it.

Jean-marc.

Re: [Samba] how can I be a domain admin in 3.0RC3 ?
On Friday 12 September 2003 08:04, you wrote:
> If you want Win NT/2Kx admin rights then you need in /etc/group (example):

Yes, this is what I want :)

> ntadmins::123:antoine,jht

Already done...

> Then map ntadmins to NT Group "Domain Admins"

Already done...

> Alternatively, make "Domain Admins" your primary group in passdb backend.

OK, this is the problem here: why do I need "Domain admins" to be my primary group.
--> If my primary group is "Domain admins", it works, I'm administrator on every windows computer
--> If my primary group is "Domain users", but I'm also part of "Domain admins", it does NOT work, I don't get administrative rights on Windows computers... why is that...

> Have I understood your question?

I think so :)
Thanks for being so reactive...

Antoine

Re: [Samba] how can I be a domain admin in 3.0RC3 ?
On Fri, 12 Sep 2003, Antoine Jacoutot wrote:

> On Thursday 11 September 2003 23:56, you wrote:
> > The NT Group, Domain Admins, must have the well known RID=512 otherwise it
> > is not seen by the Windows client as the Domain Admins group.
> >
> > PS: The Domain SID + the RID = the user SID.
>
> I know that :)
> But this is not my question.
> Basically my question is: how can you be part of "Domain Admins" and "User
> Admins", for example ?... since you can't have 2 user SID, right...

If you as a domain user want admin rights on the samba server you need to use the "username map" facility.

Example: /etc/samba/smbusers:

    root = Administrator jht Antoine

Now Administrator, you and I have Domain Admin rights on the Samba server.

If you want Win NT/2Kx admin rights then you need in /etc/group (example):

    ntadmins::123:antoine,jht

Then map ntadmins to NT Group "Domain Admins"

Alternatively, make "Domain Admins" your primary group in passdb backend. Map "Domain Admins" to the GID=0 group on your system. Now you have achieved effectively the same thing.

Have I understood your question?

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]

[Samba] Re: Password Expiration
Leif W wrote:
> (Sorry if this post is a duplicate, but I posted the message two days ago and still have not seen it on the list).
>
> Looking in the mail archives [1] I see someone else had a similar problem but I saw no resolution. I got the error: NT_STATUS_PASSWORD_EXPIRED. (btw error RAP2242). I'm 100% positive the user's system password was not expired, I was able to log into the system console, and via ssh. When I changed the password using smbpasswd, it worked again. But I'd like to know where I can change the samba password expiration time, or set it when creating a new samba user, so it will not expire at all, or not in one week, but a year or 6 months instead.

as far as i know setting the accountflag X passwords never expire.

uli

Re: [Samba] how can I be a domain admin in 3.0RC3 ?
On Thursday 11 September 2003 23:56, you wrote:
> The NT Group, Domain Admins, must have the well known RID=512 otherwise it
> is not seen by the Windows client as the Domain Admins group.
>
> PS: The Domain SID + the RID = the user SID.

I know that :)
But this is not my question.
Basically my question is: how can you be part of "Domain Admins" and "User Admins", for example ?... since you can't have 2 user SID, right...

Antoine

Re: [Samba] Home Subdirectory and [homes]
Try a share setup like this:

    [%U]
    path=/home/%U/homedir
    write list=%D+%U
    read only=no

Note that if you're not in a Windows 2k PDC situation, you'll want write list=%U.

-Tom

Raymond wrote:
| Installed Samba 3.0RC4 on a RH80 box.
|
| Need [homes] section to point to a subdirectory of the users home directory.
| The aforementioned subdirectory exists in EVERY users home directory.
| Defining a path for EACH user is impractical.
|
| How does one accomplish this?
|
| Thanks in advance.
|
| Raymond

Re: [Samba] Re: check if drive letters are occupied by novell
Marcus Schopen wrote:
> And on client side? Is there a method to do that in a batch script on the windows machine. Samba could generate a dynamic batch script, which is executed on the client. And this batch-script checks, if a letter is already mapped. Just an idea, but I don't know the commands on a windows machine to get a list of all novell letters.

e.g.

    if exist c:\ echo ok

Marcus

Re: [Samba] samba3Rc3_LDAP search failed: Insufficient access
On Tue, 9 Sep 2003, Mimic Mimicmike wrote:

> (I saw some one post this (BUG) in previous version, but I see at
> bugzilla.samba.org this bug is "FIXED" )

It seems there are several instances of this bug. We fixed all the ones we could reproduce. Can you give me some more details? For example,

* smb.conf
* operation you are trying to perform when you see the failure (including client details such as OS and SP)
* any error messages you see on the client

> lib/smbldap.c:smbldap_open(801)
> smbldap_open: cannot access LDAP when not root..
> passdb/pdb_ldap.c:ldapsam_setsamgrent(2085)
> LDAP search failed: Insufficient access
> passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2150)
> Unable to open passdb
> lib/smbldap.c:smbldap_open(801)

Hi,

My Samba PDC is Redhat9.0.
Client both XPsp1 and win2k Pro. sp3.
This error will occur when I find user (and group) for setting security for User in samba domain. On client no error message but quite slow (samba search 10sec. compare with w2kserv. 1-2 sec.) but it can search in finally.

smb.conf -

    [global]
    netbios name = rod
    passdb backend = ldapsam, guest
    ldap suffix = dc=abc,dc=net
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=Users
    ldap admin dn = "cn=admin,dc=abc,dc=net"
    idmap backend = ldap:ldap://xxx.xx.x.xxx
    ldap idmap suffix = ou=idmap,dc=abc,dc=net
    workgroup = abc
    server string = Samba admin test Server
    allow trusted domains = yes
    log file = /var/log/samba/log.%m
    max log size = 50
    security = user
    password server = *
    password level = 8
    username level = 8
    encrypt passwords = yes
    username map = /etc/samba/smbusers
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 65
    logon drive = U:
    logon path =
    domain logons = yes
    add machine script = /usr/sbin/useradd -d /dev/null -g 1000 -s /bin/false -M %u
    wins server = 172.xx.x.x
    time server = yes
    winbind separator = +
    idmap uid = 3-4
    idmap gid = 3-4
    winbind enum users = yes
    winbind enum groups = yes

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes

    [netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    guest ok = yes
    writable = no

[Samba] Home Subdirectory and [homes]
Installed Samba 3.0RC4 on a RH80 box.

Need [homes] section to point to a subdirectory of the users home directory.
The aforementioned subdirectory exists in EVERY users home directory.
Defining a path for EACH user is impractical.

How does one accomplish this?

Thanks in advance.

Raymond

[Samba] Re: check if drive letters are occupied by novell
John H Terpstra wrote:
> On Thu, 11 Sep 2003, Marcus Schopen wrote:
>
> > Hi,
> >
> > I use Samba's root preexec functionality to create dynamic logon scripts:
> >
> > root preexec = /usr/local/samba/install/bin/make_logon_script '%m' '%U' '%a' '%g' '%L
> >
> > How do I check in the by make_logon_script generated logon .bat script,
> > which is executed on the windows clients, if a drive letter is already
> > occupied by novell. The logon.bat script should then select the next
> > free drive letter for the samba share. Possible?
>
> How can we make Samba aware of the drive letters that are already mapped on the Windows client? I know of no method to do this. Sorry, put on the never-todo list for now! :)

And on client side? Is there a method to do that in a batch script on the windows machine. Samba could generate a dynamic batch script, which is executed on the client. And this batch-script checks, if a letter is already mapped. Just an idea, but I don't know the commands on a windows machine to get a list of all novell letters.

Marcus

[Samba] Re: How to find all workgroups being used on a subnet?
John> Have you checked out 'findsmb' that is supplied as part of Samba?

Yes, and I don't think it does what I want. It only does nmblookup '*', which does not return the address of any hybrid mode node that does not have the messenger service (resource "<03>") enabled, which happens to be most of the boxes on our network.

If I knew the workgroups of those boxes, I could find the browser and get the registered names. Without the workgroups, I'll never be able to find those boxes.

Dave

[Samba] Password Expiration
(Sorry if this post is a duplicate, but I posted the message two days ago and still have not seen it on the list).

Looking in the mail archives [1] I see someone else had a similar problem but I saw no resolution. I got the error: NT_STATUS_PASSWORD_EXPIRED. (btw error RAP2242). I'm 100% positive the user's system password was not expired, I was able to log into the system console, and via ssh. When I changed the password using smbpasswd, it worked again. But I'd like to know where I can change the samba password expiration time, or set it when creating a new samba user, so it will not expire at all, or not in one week, but a year or 6 months instead.

Leif

[1] http://www.mail-archive.com/[EMAIL PROTECTED]/msg48708.html

[Samba] sharing folder in clients problem
Hi,

I want to ask if anyone is having problems getting the remote user list when trying to share a folder in User-level Access Control.

When I try to share the folder I get the following error:

    [2003/09/11 18:36:41, 1] smbd/ipc.c:api_fd_reply(284)
      api_fd_reply: INVALID PIPE HANDLE: 0
    [2003/09/11 18:36:42, 1] smbd/ipc.c:api_fd_reply(284)
      api_fd_reply: INVALID PIPE HANDLE: 0
    [2003/09/11 18:36:42, 1] smbd/ipc.c:api_fd_reply(284)
      api_fd_reply: INVALID PIPE HANDLE: 0
    [2003/09/11 18:36:42, 1] smbd/ipc.c:api_fd_reply(284)
      api_fd_reply: INVALID PIPE HANDLE: 0

The system installed is debian woody 3.0, kernel 2.4.20, xfs filesystem with quotas, samba version 3.0.0rc3, Openldap 2.1.

I previously used samba 2.2.XX as a PDC, working fine for two years, and tried to install samba 3.0.0rc3 on another server. Almost everything works fine, but if a client machine (all machines are windows 98) with a shared folder tries to log on the network and the client machine shares a folder, concurrently on all the machines with a shared folder (in User-level Access Control) a blue screen appears with the error 0028:C0004D3F IN VXD VMM(01) + 3D3F, that for a while I attributed to "unknown reasons" of samba. Later I found that the problem originated in the impossibility of getting the user list to validate users accessing the shares.

Any advice?

PS: Sorry for my bad English.

Re: [Samba] How to find all workgroups being used on a subnet?
On Thu, 11 Sep 2003, David Wuertele wrote:

> I want to discover all the groups currently in use on a subnet. Is
> there a way to do this with a broadcast request?
>
> I know that I could just run nmblookup on every single host on the
> subnet, but that would take forever. I'd like to just make one or
> maybe a few calls. I'd like to limit the number of calls I make to no
> more than one plus the number of workgroups that are in use.

Have you checked out 'findsmb' that is supplied as part of Samba?

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]

Re: [Samba] how can I be a domain admin in 3.0RC3 ?
On Thu, 11 Sep 2003, Antoine Jacoutot wrote:

> On Thursday 11 September 2003 22:47, John H Terpstra wrote:
> > Please explain precisely what you mean. What exact steps are you
> > following?
>
> OK, I created 1 user, 1 computer and several groups.
> One group is called domainadmins. I did a 'net groupmap add' to map it to
> SID-512 (Windows Domain admins group).
> My user's primarygroupID is SID-2001.
> I added my user to domainadmins, which made me believe it then would be
> considered as a Windows Domain administrator... but it does not work. However
> it does work if instead I set my user's primarygroupID to SID-512.
> So my question is: can I have admin rights if my primarygroupID is not
> domainadmins (supposing I'm part of domainadmins as I'm part of other groups
> too).

The NT Group, Domain Admins, must have the well known RID=512 otherwise it is not seen by the Windows client as the Domain Admins group.

PS: The Domain SID + the RID = the user SID.

> Is it clearer ? (I'm sorry, English is not my first language)

PS: English is not my first language either. Additionally, most who claim to speak English don't either! :)

> For information, I'm running FreeBSD-5.1+LDAP+samba-3.0RC3
>
> Thanks.

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]

[Samba] smb/cifs protocol thingy
Hello,

I have some big dilemmas regarding smb, and I couldn't figure out the following (after reading the docs):

When a client authenticates to a samba server does he send the hash of the password over a clear text connection, or does he send the hash over some kind of encrypted connection?

When there is a password change from the client, does the password travel in clear text over an encrypted connection, or is the password hashed?

I ask those questions because I'm wondering how the

    unix password sync = yes

is really working (couldn't make it work on a gentoo linux distro, think it was because of the chat script).

My goal is to create a ldap backend for storing samba and unix accounts, and I want to have 1 user and 1 pass for using both services.

--
Permission to live...DENIED!

[Samba] How to find all workgroups being used on a subnet?
I want to discover all the groups currently in use on a subnet. Is there a way to do this with a broadcast request?

I know that I could just run nmblookup on every single host on the subnet, but that would take forever. I'd like to just make one or maybe a few calls. I'd like to limit the number of calls I make to no more than one plus the number of workgroups that are in use.

Any advice?

Dave

[Samba] samba log
I spotted these entries in a log from samba. They are from a win2k box and it appears that someone mapped a drive to the /tmp directory as the nobody user. In /tmp there are a bunch of empty files owned by the nobody user. Has anybody seen this before or have any hints as to what is going on. Any help would be appreciated.

    [2003/09/09 10:45:09, 3] smbd/password.c:register_vuid(336)
      uid 99 registered to name nobody
    [2003/09/09 10:45:09, 3] smbd/password.c:register_vuid(338)
      Clearing default real name
    [2003/09/09 10:45:09, 3] smbd/password.c:register_vuid(340)
      User name: nobody Real name: Nobody
    [2003/09/09 10:45:09, 3] smbd/process.c:chain_reply(1023)
      Chained message
    [2003/09/09 10:45:09, 3] smbd/process.c:switch_message(685)
      switch message SMBtconX (pid 6337)
    [2003/09/09 10:45:09, 3] smbd/sec_ctx.c:set_sec_ctx(328)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2003/09/09 10:45:09, 3] smbd/password.c:authorise_login(854)
      authorise_login: ACCEPTED: guest account and guest ok (nobody)
    [2003/09/09 10:45:09, 3] smbd/service.c:make_connection(487)
      Connect path is /tmp

Thanks

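The excerpt in the post above shows a guest login being accepted (authorise_login: ACCEPTED: guest account and guest ok) followed by a connection to /tmp. As an added example, not part of the original post and not Samba code, this Python script pairs each guest acceptance in a level-3 smbd log with the connect path that follows it. The sample log is constructed from the quoted entries, and the names parse_entries, guest_connections and the watch_paths list are assumptions of the example.

```python
import re
from dataclasses import dataclass

# smbd writes a header before each message:
#   [YYYY/MM/DD HH:MM:SS, level] source.c:function(line)
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)"
)
# Message texts as they appear in the log excerpt quoted in the post.
VUID = re.compile(r"uid (?P<uid>\d+) registered to name (?P<name>\S+)")
GUEST_OK = re.compile(
    r"authorise_login: ACCEPTED: guest account and guest ok \((?P<user>[^)]+)\)"
)
CONNECT = re.compile(r"Connect path is (?P<path>.+)$")

# Constructed sample. The first session repeats the entries quoted in the
# post; the second reuses the same message formats with a made-up time and path.
SAMPLE_LOG = """\
[2003/09/09 10:45:09, 3] smbd/password.c:register_vuid(336)
  uid 99 registered to name nobody
[2003/09/09 10:45:09, 3] smbd/password.c:register_vuid(338)
  Clearing default real name
[2003/09/09 10:45:09, 3] smbd/password.c:register_vuid(340)
  User name: nobody Real name: Nobody
[2003/09/09 10:45:09, 3] smbd/process.c:chain_reply(1023)
  Chained message
[2003/09/09 10:45:09, 3] smbd/process.c:switch_message(685)
  switch message SMBtconX (pid 6337)
[2003/09/09 10:45:09, 3] smbd/sec_ctx.c:set_sec_ctx(328)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/09 10:45:09, 3] smbd/password.c:authorise_login(854)
  authorise_login: ACCEPTED: guest account and guest ok (nobody)
[2003/09/09 10:45:09, 3] smbd/service.c:make_connection(487)
  Connect path is /tmp
[2003/09/09 10:47:31, 3] smbd/password.c:register_vuid(336)
  uid 99 registered to name nobody
[2003/09/09 10:47:31, 3] smbd/password.c:authorise_login(854)
  authorise_login: ACCEPTED: guest account and guest ok (nobody)
[2003/09/09 10:47:31, 3] smbd/service.c:make_connection(487)
  Connect path is /home/public
"""


@dataclass
class Entry:
    ts: str
    level: int
    func: str
    msg: str


def parse_entries(text):
    """Split raw log text into entries.

    The message is whatever sits between one header and the next, so this
    works for the normal two-line layout and for a log pasted onto one line.
    """
    heads = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        msg = " ".join(text[h.end():end].split())
        entries.append(Entry(h["ts"], int(h["level"]), h["func"], msg))
    return entries


def is_under(path, roots):
    """True if path is one of the roots or lies below one of them."""
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)


def guest_connections(entries, watch_paths=("/tmp", "/var/tmp")):
    """Pair each accepted guest login with the connect path that follows it."""
    findings = []
    uid_by_name = {}
    pending = None  # (timestamp, user) of a guest acceptance awaiting its path
    for e in entries:
        if e.func == "register_vuid":
            m = VUID.search(e.msg)
            if m:
                uid_by_name[m["name"]] = int(m["uid"])
        elif e.func == "authorise_login":
            # Any other authorise_login outcome clears the pending guest state.
            m = GUEST_OK.search(e.msg)
            pending = (e.ts, m["user"]) if m else None
        elif e.func == "make_connection" and pending:
            m = CONNECT.search(e.msg)
            if m:
                ts, user = pending
                findings.append({
                    "time": ts,
                    "user": user,
                    "uid": uid_by_name.get(user),
                    "path": m["path"],
                    "watched": is_under(m["path"], watch_paths),
                })
                pending = None
    return findings


if __name__ == "__main__":
    for f in guest_connections(parse_entries(SAMPLE_LOG)):
        flag = "REVIEW" if f["watched"] else "ok"
        print(f"{f['time']} guest={f['user']} uid={f['uid']} path={f['path']} [{flag}]")
```

A share that shows up here is one whose definition in smb.conf allows guest access, so the path reported is the place to start when reviewing which shares are reachable without credentials.
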
Re: [Samba] A PDC migration postmortem (and SIDs Novell-style)
On Thu, 11 Sep 2003, Dan Gapinski wrote:

> Hello,
>
> I just migrated a Samba PDC from one computer to another without too much
> complaining from Samba itself, but had to rejoin my computers (fortunately
> this is a small office) to the domain thereafter, which caused a little
> problem in getting the profiles back to where they were supposed to be.
> (Windows, not seeing the proper domain, cannot copy the profile in the
> profile manager, listing the old domain profiles as "Account Deleted").
>
> My question is:
> 1) Aside from having the forethought to offload the previous profiles to a
> temp area, was there any way I could have recreated the client account
> database to rejoin automatically? And is the SID tied directly to the PDC's
> hostname?

The change of hostname will have changed the SID. Had you saved the SID first, you could restore it and then all your profiles should work correctly again. The domain SID is stored in the profile NTUser.DAT files.

> 2) Is there any way to have Samba ignore the workstation SID as Novell does,
> which could be a help in this case as well as when an admin might wish to
> clone a whole batch of PC's?

Nope. But you can recover the SID from the profile NTUser.DAT file using the 'profiles' tool that is part of Samba-3. You will need to compile it separately. Then use it to list the security descriptors. Alternatively you may be able to find the SID using the 'editreg' tool.

Once you find the domain SID you can record it and then use the 'net' tool to reset the domain SID. Of course, if you have already rejoined your clients to the domain, then after you revert the domain SID you will have to go through the re-joining process again. :(

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]

[Samba] A PDC migration postmortem (and SIDs Novell-style)
Hello,

I just migrated a Samba PDC from one computer to another without too much complaining from Samba itself, but had to rejoin my computers (fortunately this is a small office) to the domain thereafter, which caused a little problem in getting the profiles back to where they were supposed to be. (Windows, not seeing the proper domain, cannot copy the profile in the profile manager, listing the old domain profiles as "Account Deleted").

My question is:
1) Aside from having the forethought to offload the previous profiles to a temp area, was there any way I could have recreated the client account database to rejoin automatically? And is the SID tied directly to the PDC's hostname?
2) Is there any way to have Samba ignore the workstation SID as Novell does, which could be a help in this case as well as when an admin might wish to clone a whole batch of PC's?

Thanks a lot for your input,
Dan

Re: [Samba] how can I be a domain admin in 3.0RC3 ?
On Thu, 11 Sep 2003, Antoine Jacoutot wrote:

> On Thursday 11 September 2003 19:22, John H Terpstra wrote:
> > Then on each Windows workstation you need to make the "Samba_Domain\Domain
> > Admins" group a member of the Local Group called "Administrators" while
> > logged on as the Workstation Administrator.
>
> ... ouch, it means I have to go on every workstation, right ?
> This really is a no-go for me.
> Isn't "Domain Admins" a part of the local Administrator by default under
> Windows ?

Oops! My guffaw! Of course it is. Domain Admins are made a member of the Local Administrators group on joining the domain.

Sorry to cause you heart failure!

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]

Re: [Samba] how can I be a domain admin in 3.0RC3 ?
On Thursday 11 September 2003 19:22, John H Terpstra wrote:
> Then on each Windows workstation you need to make the "Samba_Domain\Domain
> Admins" group a member of the Local Group called "Administrators" while
> logged on as the Workstation Administrator.

... ouch, it means I have to go on every workstation, right ?
This really is a no-go for me.
Isn't "Domain Admins" a part of the local Administrator by default under Windows ?

--
Antoine Jacoutot
[EMAIL PROTECTED]
http://www.lphp.org
PGP/GnuPG key: http://www.lphp.org/ressources/ajacoutot.asc

[Samba] domain admin and primarygroupSID
Hi !

I'm using samba-3.0RC3.
I just figured out that if I wanted a user to be a Domain Admin, his primarygroupSID had to be the group mapped to "Domain Admins" (sid=512). Is there a way to just add the user to the admin group without modifying his primarygroupSID ?

Thanks.

--
Antoine Jacoutot
[EMAIL PROTECTED]
http://www.lphp.org
PGP/GnuPG key: http://www.lphp.org/ressources/ajacoutot.asc

Re: [Samba] can't join ads w/ rc3
I googled for help on this, all I found was this cryptic irc chat log http://irc.vernstok.nl/samba-technical.php. It seems to be a kerberos ticket encoding problem. The AD server is giving me an arcfour-hmac-md5 ticket. I'm running mit krb5-1.3.1. Any ideas would be greatly appreciated.

-dave

david williams wrote:
> it was working for me with version <= rc2
> the end of net ads join -d 10 says:
>
> Search for (objectclass=*) gave 1 replies
> Got error packet 0x7e from kpasswd server
> parse_setpw_reply failed (Message stream modified)
> return code = -1
>
> Let me know if you want the whole log/some other debug info.
>
> -dave

[Samba] Thank You
I wanted to say a big Thank You for the time and work you've put into Samba. This is a fantastic product, and we really appreciate it.

Kev.

Re: [Samba] Configuration-Files
On Thu, 11 Sep 2003, Marc Schoechlin wrote:

Marc,

Have you read the Samba-HOWTO-Collection.pdf that ships with Samba-3? It has a chapter called "File, Directory and Share Access Controls". If there are problems with lack of clarity or inadequacy of information please tell me so I can fix this before Samba-3 ships.

> Hi !
>
> I'm currently trying out samba-3.0.0rc3 - and I would like to test the following.
>
> I would like to try out the following:
>
> * SAMBA-PDC with ACL-Support
>
> I have a debian-box with xfs-support.
>
> Is it possible to modify ACLs of directories and files from a win2k-workstation ?

Yes, if you have administrative rights.

> * SAMBA_PDC with LDAP-Support

Yes!

> * Samba-PPC with Cups-Support

Yes!

> Where can I get a tutorial for this ?

CUPS is very well documented in the Samba-HOWTO-Collection.pdf. If there is a problem with this documentation please let me know. I want to fix this before Samba-3 ships.

> Where can I get a very complete config-file ?

How long is a piece of string Marc? What would you like it to do?

The Samba-HOWTO-Collection is being published by Prentice Hall as a book. It will be on the bookshelves by late October. It will have a detailed chapter called "Fast Start: Cure for the Impatient" that has lots of fully documented worked examples for all sorts of server configurations. This chapter will be made open source 4 months after the book ships. It will then be added to the CVS code tree and will eventually appear in the Samba-3 packages.

> I think it would be a good idea to add some sample config-files for this to the
> samba-distribution.

Yes. I have spent over 5 months working on this, that's how the HOWTO got to where it is. Is it good enough yet?

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]

Re: [Samba] how can I be a domain admin in 3.0RC3 ?
On Thu, 11 Sep 2003, Antoine Jacoutot wrote:

> Hi !
>
> I'm using samba-3.0RC3 as a PDC (for testing).
> I'm using the ldap backend.
> I created 1 user, 1 computer and some groups.
>
> I mapped the unix groups domainadmins to "Domain admins" with
> my_personnal_sid-512.
> I added my user to domainadmins.
> I set "admin users = @domainadmins" in my smb.conf, but I still do not
> have domain admin rights on workstations :(

That's correct. The parameter "admin users" has been deprecated from Samba-3.

You need to add your user to the UNIX domadmins group, then map the UNIX domadmins group to the NT "Domain Admins" group using:

    net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins

Then on each Windows workstation you need to make the "Samba_Domain\Domain Admins" group a member of the Local Group called "Administrators" while logged on as the Workstation Administrator.

> Any idea about what I did wrong ?

Hope that helps!

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]

Re: [Samba] check if drive letters are occupied by novell
On Thu, 11 Sep 2003, Marcus Schopen wrote:

> Hi,
>
> I use Samba's root preexec functionality to create dynamic logon scripts:
>
> root preexec = /usr/local/samba/install/bin/make_logon_script
> '%m' '%U' '%a' '%g' '%L
>
> How do I check in the by make_logon_script generated logon .bat script,
> which is executed on the windows clients, if a drive letter is already
> occupied by novell. The logon.bat script should then select the next
> free drive letter for the samba share. Possible?

How can we make Samba aware of the drive letters that are already mapped on the Windows client? I know of no method to do this. Sorry, put on the never-todo list for now! :)

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]

[Samba] Weird problem with file sharing over internet.
I've set up a CIPE VPN, between my notebook computer and my Linux based firewall. While the VPN generally works well, I've noticed a strange problem with file sharing from the local network to the notebook.

I set up the VPN, with the idea of accessing my systems at home via a dial up ISP, to my home network via cable modem. The VPN works well for most protocols, such as telnet, ssh, ftp, X etc. However, when I try to access files using Samba, about 12 packets are exchanged and then the session stops. A similar problem occurs with NFS. What makes the situation more perplexing, is that if I connect directly to my firewall or via WiFi, Samba and NFS work fine. In all cases, the VPN enters my firewall via eth0. This seems to imply that the problem may be due to the extreme speed difference between the dial up access and my 100 Mb lan. If the problem were due to the firewall or VPN, it should be consistent, no matter what the connection speed.

I'm using Red Hat 7.3 on all systems. The problem also occurs, when trying to access files on my OS/2 system. Also, when I try to access files on my notebook (connected via dialup), from my local lan, everything is also fine, so the problem appears to be asymmetrical.

Any ideas?

btw, I can provide ethereal or tcpdump records of some attempts.

tnx jk

Re: [Samba] starting Cups
On Thu, 11 Sep 2003, emma emma wrote:

> can anyone pls tell me how to start Cups b4 starting
> samba?
>
> Thanks in anticipation.

That is CUPS implementation dependent.

If SuSE Linux use YaST2 to configure it.
If Red Hat Linux use chkconfig to configure it.

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]

Re: [Samba] insufficient permissions to open spool file ........
Iyke,

You need to configure CUPS to accept the connection. The file you must edit is /etc/cups/cupsd.conf, not Samba's smb.conf.

You need to make sure that your cupsd.conf has entries like the following:

    Order Deny,Allow
    Deny From All
    Allow From 127.0.0.1

Have you checked the contents of your CUPS log files to see why it is rejecting the connection from Samba?

- John T.

On Thu, 11 Sep 2003, iyke Adibe wrote:

> > Hi all,
> >
> > I still have this persistent problem with my Printing.
> > Printer state:
> > Processing (accepting jobs)
> > and Error message from Log:
> > unable to connect to CUPS server localhost - Connection refused
> > Even though I have modified the smb.conf to include:
> > Interfaces = 127.0.0.1 194.180.75.90/255.255.255.0
> > bind interfaces only = yes
> > security = Share
> > Disable spoolss = yes
> > [hplaserjet8100]
> > Printcap name = cups
> > printing = Cups
> > use client driver = yes
> > Postscript = Yes
> > I'll appreciate any recommendations
> > Thanks
> > Iyke

--
John H Terpstra
Email: [EMAIL PROTECTED]
Re: [Samba] non-primary group permissions
Mike,

Can you document a test case and then file a bug with https://bugzilla.samba.org please.

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]

Hi,

I have a problem that if I set a file or directory group owner, users that are members of this group can still not access it unless this is their primary group.

This is using samba 3.0rc3, all user and group info is coming from winbind and permissions work as expected when using a linux shell but not from a windows client.

The problem goes away if I use the 'force group' option on the share, but this still means that only one group can be of any use for that share.

Is this expected behaviour or is something going wrong?

Thanks
Mike
Re: [Samba] Re: Accessing Samba Shares with AD usernames
On Thu, 11 Sep 2003, Lars Wiberg wrote:

> To follow up on this, I have been studying the documentation more
> intensively yesterday evening, and have concluded that the current release
> of Samba cannot do what I am trying to achieve.
>
> What I forgot to mention yesterday, was that there is to be no unix accounts
> on the Samba server, meaning the only user administration involved is from
> the Active Directory (AD), but after doing a more thorough studying of the
> documentation, this paragraph came up:

That's what I understood from your request.

> "In the course of development of Samba-3, a number of requests were received
> to provide the ability to migrate MS Windows NT4 SAM accounts to Samba-3
> without the need to provide matching UNIX/Linux accounts. We called this the
> Non UNIX Accounts (NUA) capability. The intent was that an administrator
> could decide to use the tdbsam backend and by simply specifying passdb
> backend = tdbsam_nua this would allow Samba-3 to implement a solution that
> did not use UNIX accounts per se. Late in the development cycle, the team
> doing this work hit upon some obstacles that prevents this solution from
> being used. Given the delays with Samba-3 release a decision was made to NOT
> deliver this functionality until a better method of recognising NT Group
> SIDs from NT User SIDs could be found. This feature may thus return during
> the life cycle for the Samba-3 series."
>
> If I understand that paragraph correctly, it is currently not possible to
> authenticate users on a Samba server solely from an Active Directory. The
> only possible way is to create unix accounts on the Samba server - which
> means more user administration.

No. You are confused it seems. The paragraph you quoted is in respect of Samba being a domain controller or a stand-alone server - NOT - as a domain member.

You need to make your Samba server a domain member. If you have Active Directory, you need to configure for "security = ads" as discussed in the "Domain Membership" chapter of the HOWTO.

When a machine is a domain member, you do NOT need any local /etc/passwd accounts. Instead, you can use winbind to provide locally mapped users and groups - all from Active Directory.

Your questions regarding access to shares is simply answered:

1. You CAN set AD User and Group ACLs on Shares
2. You can control file system permissions from an administratively enabled Windows login using Windows Explorer.
3. You can set additional access restrictions that use AD Users and Groups in the share specification
4. If your UNIX file system has support for POSIX ACLs you can from a Windows NT/2Kx/XP Windows Explorer set ACLs on files and directories.

So what have we written that is confusing or not clear to you? Please help us to correct the documentation before Samba-3 ships.

> Thank you all, for your input.
>
> Can anybody from the Samba team tell me how far into the horizon I have to
> look for this feature? From the documentation, it seems to me that a lot of
> work has gone into this already.

What is missing that you need? Either you want Samba as a Domain Controller with non-UNIX account or you don't? Which is it?

IF you are running Active Directory then the paragraph you have quoted is not relevant to you.

IF you want to set ACLs (Access Control Lists) on shares, folders (directories) or files and the chapter I referred you to is not clear please help us to get the documentation cleaned up. What suggestions do you have that would help you and others to find the answers they are looking for?

I am totally lost, what must I do to fix this?

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]
[Samba] Configuration-Files
Hi!

I am currently trying out samba-3.0.0rc3 - and I would like to test the following.

I would like to try out the following:

* SAMBA-PDC with ACL-Support
  I have a debian-box with xfs-support. Is it possible to modify ACLs of directories and files from a win2k-workstation ?
* SAMBA_PDC with LDAP-Support
* Samba-PPC with Cups-Support

Where can I get a tutorial for this? Where can I get a very complete config-file?

I think it would be a good idea to add some sample config-files for this to the samba-distribution.

Best regards
Marc Schoechlin

--
Gruss / Best regards | LF.net GmbH       | fon +49 711 90074-413
Marc Schoechlin      | Ruppmannstr. 27   | fax +49 711 90074-33
[EMAIL PROTECTED]    | D-70565 Stuttgart | http://www.lf.net
[Samba] Problem uploading printer driver on 2.2.8a (FreeBSD 4.8)
Hello,

I have an annoying problem. I have declared a printer for which I want Samba to download drivers onto the clients. So I have configured the print$ share, the printer itself (by BSD printing), then connected the printer to my W2K client (SP3 with ALL RPC updates applied, including today's one). And it fails:

- on the windows side, I have a popup: unable to install driver. Operation could not be completed.
- on the samba side, I get an internal error:

    [2003/09/11 18:09:29, 3] smbd/sec_ctx.c:pop_sec_ctx(436)
      pop_sec_ctx (1014, 1014) - sec_ctx_stack_ndx = 0
    [2003/09/11 18:09:29, 5] printing/nt_printing.c:add_a_printer_driver_3(1654)
      add_a_printer_driver_3: Adding driver with key DRIVERS/W32X86/2/HP LaserJet 4 Plus
    [2003/09/11 18:09:29, 0] lib/fault.c:fault_report(38)
      ===
    [2003/09/11 18:09:29, 0] lib/fault.c:fault_report(39)
      INTERNAL ERROR: Signal 11 in pid 59048 (2.2.8a)
      Please read the file BUGS.txt in the distribution
    [2003/09/11 18:09:29, 0] lib/fault.c:fault_report(41)
      ===
    [2003/09/11 18:09:29, 0] lib/util.c:smb_panic(1094)
      PANIC: internal error

I must say that some (if not all, I can't say) of the printer driver files _are_ uploaded to the print$ share. But it fails to register, it seems.

Samba is in PDC mode (too much hassle with rights before, when being a simple 'security=user' server: "service :{{SID}} not found" messages, SID corresponding to "Printers" on the W2K client, according to the registry). Shares all are accessible with no noticeable messages in the logs.

I don't know what to say more. I can provide smb.conf on request if needed.

Any ideas about this?

Regards,
Jérôme
[Samba] Samba 3.0b3+CUPS+server drivers
I'm trying to set up a printer using Cups, using cupsaddsmb.

It uploads the files ok (smbclient ... -c 'mkdir W32X86;put ...;put ...')

It adds the driver ok (rpcclient -c 'adddriver "Windows NT X86" "Canon:file1:file2..."

(I have verified this worked from server properties in "printers and faxes" of the linux server: the driver "canon" shows up in the list)

Then when it does rpcclient -c 'setdriver Canon Canon' I get:

    SetPrinter call failed!
    result was WERR_ACCESS_DENIED

At the same time I run this command, I get this in log.smbd:

    [2003/09/11 13:35:38, 0] smbd/oplock_linux.c:linux_init_kernel_oplocks(289)
      Failed to setup RT_SIGNAL_LEASE handler

I'm adding the CUPS postscript with the foomatic ppd of a Canon BJC-1000, which is properly configured in CUPS (the print test page works).

Any clues?

Here's my smb.conf:

    [global]
    netbios name = Natsumi
    server string = Linux Server
    workgroup = BoogerSoft
    passdb backend = smbpasswd
    hosts allow = 192.168.0. 127.0.0.1
    ;act as domain and master browser
    os level = 64
    preferred master = yes
    domain master = yes
    local master = yes
    security = user
    encrypt passwords = yes
    domain logons = yes
    ;do not set this to \\%N\%U\{whatever}
    logon path = \\%N\profile\%u
    logon drive = H:
    ;logon script, relative to the [netlogon] share
    logon script = logon.cmd
    ;neither of these seem to work with 3.0
    ;client code page = 850
    ;character set = ISO8859-1
    ;printer
    load printers = yes
    printing = cups
    printcap = cups

    [netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    read only = yes
    write list = ntadmin

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes
    create mask = 0600
    directory mask = 0700

    [profile]
    path = /home/profile
    read only = no
    create mask = 0600
    directory mask = 0700

    [print$]
    comment = Printer Driver Download Area
    path = /usr/local/samba/drivers
    browseable = yes
    guest ok = yes
    read only = yes
    write list = root

    [printers]
    comment = Printers
    path = /var/spool/samba
    browseable = no
    guest ok = yes
    writable = no
    printable = yes
    use client driver = yes
[Samba] mangle characters (e.g. blank to underline)
Hi

File names with blanks are not very useful in Unix scripts. Our Windows users use very often (not allowed) blanks in file names. So I am looking for a possibility to change blanks to underlines. But

    mangled map = (*\ * *_*)

does not work ?!?

Best regards
Horst Liesinger
CAD Coordination (IT)
Doppelmayr Seilbahnen GmbH
[Samba] Problems with smbsh...
Hello!

I have a MBX860 board (MPC860 CPU); I've compiled/installed samba 2-2-8a with Gcc compiler for MPC860 on the board without problems. SMBD and NMBD work fine, but when I start smbsh, I get the following message:

    ./smbsh
    Username:
    Password:
    load_client_codepage: file /usr/local/samba/lib/codepages/codepage.850 is an incorrect size for a code page file (size=0).
    load_unicode_map: file /usr/local/samba/lib/codepages/unicode_map.850 is an incorrect size for a unicode map file (size=0).
    load_unicode_map: file /usr/local/samba/lib/codepages/unicode_map.ISO8859-1 is an incorrect size for a unicode map file (size=0).
    smbsh$ cd
    smbsh$ cd /
    smbsh$ ls -l
    load_client_codepage: file /usr/local/samba/lib/codepages/codepage.850 is an incorrect size for a code page file (size=0).
    load_unicode_map: file /usr/local/samba/lib/codepages/unicode_map.850 is an incorrect size for a unicode map file (size=0).
    load_unicode_map: file /usr/local/samba/lib/codepages/unicode_map.ISO8859-1 is an incorrect size for a unicode map file (size=0).
    ls: error while loading shared libraries: /usr/local/samba/bin/smbwrapper.so: undefined symbol: real_readdir64
    smbsh$

And I cannot do anything but exit!

Please, could you help me!!!?

Thank you in advance. Bye.

Pedro Parrilla Jimena Prodys S. L. R&D,Embedded Systems Trigo,54 e-mail:[EMAIL PROTECTED] Leganes(Madrid)
[Samba] domain-logons : w2k clients complains about still existent machines
Hi!

I have problems with samba3.0.0-rc3 to get domain-access :-(

Joining the domain (after doing a successful smbpasswd -a -m ) with the user "root" works well, but after I reboot the Win2K Workstation I get on this machine a message which says that another computer is also using this name. The logfile of the win2k workstation says also that an ip-address-conflict is present.

So I tried out another win2k-machine (with another name) - but the problem also appears on this machine.

I'm currently logging on loglevel 3 - but there are no messages which are suggesting errors. (log.smbd, log.nmbd, log.)

In which sequence should I start the different daemons? I am currently starting "nmbd; smbd".

My configuration is:

--
    [global]
    workgroup = UML
    admin users = root
    server string = Samba Server
    log level = 3
    load printers = yes
    log file = /usr/local/samba/var/log.%m
    max log size = 50
    security = user
    encrypt passwords = yes
    socket options = TCP_NODELAY
    local master = no
    os level = 80
    domain master = yes
    preferred master = yes
    domain logons = yes
    local master = yes
    os level = 65
    nt acl support = yes

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes

    [netlogon]
    comment = Network Logon Service
    path = /usr/local/samba/lib/netlogon
    guest ok = yes
    writable = no

    [Profiles]
    path = /usr/local/samba/profiles
    browseable = no
    guest ok = yes

    [printers]
    comment = All Printers
    path = /usr/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes
    public = yes

    [public]
    comment = Public Stuff
    path = /serv/share
    public = yes
    writable = yes
    printable = no
    write list = @users
--

Best regards
Marc Schoechlin

--
Gruss / Best regards | LF.net GmbH       | fon +49 711 90074-413
Marc Schoechlin      | Ruppmannstr. 27   | fax +49 711 90074-33
[EMAIL PROTECTED]    | D-70565 Stuttgart | http://www.lf.net
[Samba] samba-3 problem joining ws to domain
Howdi,

I can't add a w2k workstation to samba3 domain with my username. If I add my username to "admin users" list, then I can add the box to domain (but overritten by euid). My goal is that joining domain can be done without using "admin users" option.

Groupmapping is done and works. When machine is in domain and log in, I get full admin rights on that box. Removing the box from domain works anytime.

Error message in windows is: "Logon failure: invalid user name or bad password". In log files (debuglevel 10) appear such lines:

    ...
    [2003/09/11 18:09:33, 5] lib/util_seaccess.c:se_access_check(331)
      se_access_check: access (211) denied.
    [2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
      _samr_open_domain: ACCESS DENIED (requested: 0x0211)
    ...
    [2003/09/11 18:09:33, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
      _samr_create_user: access check ((granted: 0x0201; required: 0x0010)
    [2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
      _samr_create_user: ACCESS DENIED (granted: 0x0201; required: 0x0010)
    ...

When user is in admin users list, then happens this...

    _samr_open_domain: ACCESS should be DENIED (requested: 0x0211)
    but overritten by euid == sec_initial_uid()

... after that, access is granted.

What's wrong? Could someone please say what is wrong with my setup?

# smb.conf

    passdb backend = ldapsam:ldaps://alfa.sf.lan, guest
    delete user script = /usr/local/sbin/smbldap-userdel.pl %u
    add group script = /usr/local/sbin/smbldap-groupadd.pl %g
    add machine script = /usr/local/sbin/smbldap-computeradd.pl %u
    ldap suffix = dc=ehk,dc=lan
    ldap machine suffix = ou=Computers,dc=ehk,dc=lan,dc=ehk,dc=lan
    ldap user suffix = ou=Users,dc=ehk,dc=lan,dc=ehk,dc=lan
    ldap admin dn = cn=Manager,dc=ehk,dc=lan
    force user = %U
    force group = users

#

    Unix username:     khk_rauno.tuul
    User SID:          S-1-5-21-1347305728-752463190-2852647101-3000
    Primary Group SID: S-1-5-21-1347305728-752463190-2852647101-1443

# net groupmap list

    Domain Users (S-1-5-21-1347305728-752463190-2852647101-513) -> domain_users
    Users (S-1-5-21-1347305728-752463190-2852647101-1443) -> users
    Domain Admins (S-1-5-21-1347305728-752463190-2852647101-512) -> domain_admins
    Administrators (S-1-5-21-1347305728-752463190-2852647101-1441) -> administrators

#

    domain_admins:x:200:khk_rauno.tuul
    domain_users:x:201:khk_rauno.tuul
    administrators:x:220:khk_rauno.tuul
    users:x:221:

(these groups are stored in LDAP).

I attached also 2 log files with those messages.

Best regards,
- Rauno Tuul -

    ...
    [2003/09/11 18:09:33, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
      _samr_open_domain: access check ((granted: 0x0030; required: 0x0020)
    [2003/09/11 18:09:33, 10] lib/util_seaccess.c:se_access_check(250)
      se_access_check: requested access 0x0211, for NT token with 15 entries and first sid S-1-5-21-1347305728-752463190-2852647101-3000.
    [2003/09/11 18:09:33, 3] lib/util_seaccess.c:se_access_check(267)
    [2003/09/11 18:09:33, 3] lib/util_seaccess.c:se_access_check(268)
      se_access_check: user sid is S-1-5-21-1347305728-752463190-2852647101-3000
      se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1443
      se_access_check: also S-1-1-0
      se_access_check: also S-1-5-2
      se_access_check: also S-1-5-11
      se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1427
      se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1431
      se_access_check: also S-1-5-21-1347305728-752463190-2852647101-513
      se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1447
      se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1449
      se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1451
      se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1407
      se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1409
      se_access_check: also S-1-5-21-1347305728-752463190-2852647101-512
      se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1441
      se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20385, current desired = 211
      se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 10
      se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 10
    [2003/09/11 18:09:33, 5] lib/util_seaccess.c:se_access_check(331)
      se_access_check: access (211) denied.
    [2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
      _samr_open_domain: ACCESS DENIED (requested: 0x0211)
    ...
    [2003/09/11 18:09:33, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
      _samr_create_user: access check ((granted: 0x0201; required: 0x0010)
    [2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
      _samr_create_user: ACCESS DENIED (granted: 0x0201; required: 0x0010)
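
The access check recorded in the log above can be replayed offline to see which bit is refused and which ACEs the token never matches. The Python below is an added example, not part of the original post and not Samba's source; it parses the posted se_access_check lines and applies a simplified in-order DACL walk, which is an assumed model, and all function names are hypothetical.

```python
import re

ACCESS_ALLOWED, ACCESS_DENIED = 0, 1  # ACE "type" values as printed in the log

# se_access_check lines copied from the log posted above (timestamps dropped).
SAMPLE_LOG = """\
se_access_check: requested access 0x0211, for NT token with 15 entries and first sid S-1-5-21-1347305728-752463190-2852647101-3000.
se_access_check: user sid is S-1-5-21-1347305728-752463190-2852647101-3000
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1443
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1427
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1431
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-513
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1447
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1449
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1451
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1407
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1409
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-512
se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1441
se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20385, current desired = 211
se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 10
se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 10
"""

REQ_RE = re.compile(r"requested access (0x[0-9a-fA-F]+)")
SID_RE = re.compile(r"se_access_check: (?:user sid is|also) (S-[0-9-]+)")
ACE_RE = re.compile(r"ACE \d+: type (\d+), flags = 0x[0-9a-fA-F]+, "
                    r"SID = (S-[0-9-]+) mask = ([0-9a-fA-F]+)")


def parse(log):
    """Return (desired_mask, token_sids, aces) from se_access_check output."""
    desired = int(REQ_RE.search(log).group(1), 16)
    token_sids = SID_RE.findall(log)
    aces = [(int(t), sid, int(mask, 16)) for t, sid, mask in ACE_RE.findall(log)]
    return desired, token_sids, aces


def access_check(desired, token_sids, aces):
    """Simplified in-order DACL walk (assumed model, not Samba's code).

    Returns (granted, missing, trace); trace holds one
    (ace_index, ace_sid, sid_in_token, desired_before) tuple per ACE visited.
    """
    token = set(token_sids)
    remaining = desired
    trace = []
    for index, (ace_type, sid, mask) in enumerate(aces):
        if remaining == 0:
            break  # every requested bit has already been granted
        in_token = sid in token
        trace.append((index, sid, in_token, remaining))
        if not in_token:
            continue  # an ACE only applies if its SID is in the token
        if ace_type == ACCESS_DENIED and remaining & mask:
            return 0, remaining, trace  # an explicit deny fails the request
        if ace_type == ACCESS_ALLOWED:
            remaining &= ~mask  # clear the bits this ACE grants
    return desired & ~remaining, remaining, trace


def unmatched_ace_sids(trace):
    """SIDs of visited ACEs that no entry in the token matched."""
    return [sid for _, sid, in_token, _ in trace if not in_token]


if __name__ == "__main__":
    desired, token_sids, aces = parse(SAMPLE_LOG)
    granted, missing, trace = access_check(desired, token_sids, aces)
    for index, sid, in_token, before in trace:
        print(f"ACE {index}: {sid:<14} in token={in_token} desired={before:#x}")
    print(f"granted={granted:#06x} missing={missing:#06x}")
    print("ACE SIDs absent from token:", unmatched_ace_sids(trace))
```

The replay reproduces the "current desired" column of the log and the later "granted: 0x0201; required: 0x0010" line: the Everyone ACE covers 0x201, and the remaining bit 0x10 is only offered by ACEs for S-1-5-32-544 and S-1-5-32-548, neither of which appears among the token's 15 SIDs.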
[Samba] how can I be a domain admin in 3.0RC3 ?
Hi!

I'm using samba-3.0RC3 as a PDC (for testing). I'm using the ldap backend. I created 1 user, 1 computer and some groups. I mapped the unix groups domainadmins to "Domain admins" with my_personnal_sid-512. I added my user to domainadmins.

I set "admin users = @domainadmins" in my smb.conf, but I still do not have domain admin rights on workstations :(

Any idea about what I did wrong?

Thanks in advance.

Antoine
[Samba] Is anybody else having trouble with domain joins?
Hi all.

We have a setup with a Samba PDC (Samba-3.0.0beta1, Linux Kernel 2.4.22-xfs), LDAPSAM (OpenLDAP 2.1.22). Everything seems to be fine, however we are afraid we can get in trouble because of bugs which have been recently fixed in releases up to RC3, specially panics in multibyte conversion routines.

Upgrading to RC2 had the undesirable effect of making every attempt to join a computer to the domain result in a "could not locate user" error. Downgrading to beta1 returned the behaviour to normal.

Anybody else has this problem? Suggestions, comments, whatever? If the answer is no, I shall file a bug in Bugzilla, with as much info as I can provide.

Thanks in advance.

Best,
J.L.
[Samba] Testparm with two arguments in 3.0.0rc3
What should testparm do if you provide only two arguments to it (a config file and either an IP address or a hostname)? According to the manual page, it needs both a hostname and an IP address.

With the 3.0.0rc3 testparm, if you provide only two arguments, it ignores the second one. With the testparm in 2.2.7, it performed the access testing, and possibly returned bogus results if a hostname was given, but the access control was by IP address, or vice versa.

-- JF
Re: [Fwd: Re: [Samba] Samba writes in wrong file]
Hi,

I have searched for typical Samba log entries ( [200[0123]/.\]' ) and found more logfile entries in different files:

File: /home/markus/CUECards/markus ELZET80.bak from 2003-05-07

    [2003/05/07 15:07:52, 1] smbd/service.c:close_cnum(655)
      cheops (192.168.17.45) closed connection to service markus

File: /samba/arev/VERKAUF/REV28819.OV from 2003-02-14

    [2003/02/14 12:21:52, 1] smbd/service.c:make_connection(615)
      chui (192.168.17.55) connect to service main as user walter (uid=500, gid=101) (pid 26489)

File: /samba/main/Produktion-Programmer/Produktion_beipackzettel.wpd ???

    [2003/02/28 12:48:21, 1] smbd/service.c:close_cnum(655)
      cheops (192.168.17.45) closed connection to service main

-> File can be opened by Wordperfect ??!!!

File: /samba/team/markus/mCAT-Freigaben/mcat-Freigabe_TSMCPU32H2CP_R108.wpd from 2003-02-10

    [2003/02/10 10:29:45, 2] smbd/open.c:open_file(216)
      markus opened file markus/mCAT-Freigaben/mcat-Freigabe_TSMCPU32H2CP_R108.wpd read=Yes write=Yes (numopen=2)

-> File can't be opened with Wordperfect

The Samba log under the filename appears inside the files. You can see I have this problem at least from 2003-02-10.

The Problem: At this time I used Samba 2.2.3a-12 (Debian stable). From 2003-04-07 I used Samba 2.2.8a.

Jeremy Allison wrote:

On Wed, Sep 10, 2003 at 06:17:43PM +0200, Markus Ungermann wrote:

Hello,

I have this problem again. I have samba logs, from log.smbd, inside my Wordperfect-Document:

    [2003/09/09 16:42:33, 2] smbd/close.c:close_normal_file(229)
      markus closed file SftemBASIC/Testprogramme/2.9_Structure.b~RFf12cf7.TMP (numopen=4)
    [2003/09/09 16:42:33, 2] smbd/open.c:open_file(246)
      markus opened file SftemBASIC/test/m3/M3/workbench/EMBWorkBench.exe read=Yes write=No (numopen=5)
    [2003/09/09 16:42:33, 2] smbd/close.c:close_normal_file(229)
      markus closed file SftemBASIC/test/m3/M3/workbench/EMBWorkBench.exe (numopen=4)
    ä < ” ì D œ ô L ¤/ ÓÔ2 ÔÔ3 ÔÓ

The last 3 lines are the Wordperfect lines. This is right, the samba logs before are wrong.

We've seen this on a couple of systems, SuSE and now Debian. We've never been able to reproduce it reliably. Our current best guess is it might be a glibc bug. What version of glibc do you have? Can you reproduce this? If so, can you get an strace?

Jeremy

--
Mit freundlichen Gruessen / Best regards
Markus Ungermann
RE: [Samba] Samba and CUPS Config Issue
We have printing working from our Win2K clients, but the problem we have is that, once a printer is mapped on the client, if we look at that printer in the printers control panel, we don't see the comment or location fields as having any data. Since these fields are blank, our Win9x clients won't be able to map to any printers on this box, as they apparently depend on the comment field from the print server.

What we can't figure out is why the comment fields are showing up blank after mapping the printer (if you browse the printers, all the comments are there, though) and how to make them show up. Any ideas where we're missing something?

Thanks for your help. :)

--
Jason Lee - Programmer
Hobby Lobby Stores, Inc.

-----Original Message-----
From: John H Terpstra [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 3:13 PM
To: Jason D. Lee
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] Samba and CUPS Config Issue

On Wed, 10 Sep 2003, Jason D. Lee wrote:

> No takers. Shoot. Is this a better question for the CUPS group? I'm more
> than happy to go elsewhere if I need to. I don't want to be obnoxious. ;)
> Thanks!

If this is not sufficiently covered in the CUPS chapter in the Samba-HOWTO-Collection.pdf that ships with Samba-3.0.0RC3 please let me know.

There are links to this document on the Samba web site under documentation.

- John T.
--
John H Terpstra
Email: [EMAIL PROTECTED]
[Samba] security = share and smbclient
Using the following config file, the command

    smbclient //share/name -U user

returns an error code of instead of working

    tree connect failed: SUCCESS - 0

    # Samba config file created using SWAT
    # from 127.0.0.1 (127.0.0.1)
    # Date: 2003/09/10 17:54:56

    # Global parameters
    [global]
    workgroup = MYGROUP
    server string = Samba Server
    security = SHARE
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
    unix password sync = Yes
    client lanman auth = No
    client plaintext auth = No
    log file = /var/log/samba/%m.log
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    printing = cups

    [homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0664
    directory mask = 0775

    [printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

    [stylus]
    path = /var/spool/samba
    read only = No
    printable = Yes
    printer name = stylus
    browseable = No
    oplocks = No

    [deskjet-duplex]
    path = /var/spool/samba
    read only = No
    guest ok = Yes
    printable = Yes
    printer name = deskjet-duplex
    oplocks = No
[Samba] nmbd -n option is ignored in samba-3.0.0rc3?
One of my users is reporting that his Samba configuration is behaving differently now that I've upgraded to 3.0.0rc3. He is using nmbd -n to set the netbios name of the machine.

With samba-2.2.x, this worked as he expected, and the machine name seen when browsing from Windows clients was the name he set with -n. With 3.0.0rc3, the machine name reverts to the hostname of the machine.

Using "netbios name = " in the smb.conf file works as expected with 3.0.0rc3.

-- JF
[Samba] check if drive letters are occupied by novell
Hi,

I use Samba's root preexec functionality to create dynamic logon scripts:

    root preexec = /usr/local/samba/install/bin/make_logon_script '%m' '%U' '%a' '%g' '%L'

How do I check, in the logon .bat script generated by make_logon_script, which is executed on the windows clients, if a drive letter is already occupied by novell? The logon.bat script should then select the next free drive letter for the samba share. Possible?

Thanks,
Marcus
Re: [Samba] Please release an rc4 ..
On Thu, Sep 11, 2003 at 04:17:09PM +0200, david de leeuw wrote:

> To the samba team,
>
> Our samba 3.0 rc2 ran into troubles
> (lots of panics, probably caused by trouble with the domain)
>
> I tried the 3.0 rc3, but it crashes on all our hebrew docs with
>
> "OOPS - tried to store stat cache entry for werid length paths " etc.
>
> As apparently there is a patch for the German umlaut, it might solve this
> bug as well.
> The whole issue of UNICODE file and directory names should be carefully
> tested ..

It's planned. I think I've fixed all these issues in CVS btw.

Jeremy.
Re: [Samba] Re: Accessing Samba Shares with AD usernames
Have you looked at winbind? It allows you to not have to manually create the Unix accounts, as it integrates with nsswitch.

-Tom

Lars Wiberg wrote:

| To follow up on this, I have been studying the documentation more
| intensively yesterday evening, and have concluded that the current release
| of Samba cannot do what I am trying to achieve.
|
| What I forgot to mention yesterday, was that there is to be no unix accounts
| on the Samba server, meaning the only user administration involved is from
| the Active Directory (AD), but after doing a more thorough studying of the
| documentation, this paragraph came up:
|
| "In the course of development of Samba-3, a number of requests were received
| to provide the ability to migrate MS Windows NT4 SAM accounts to Samba-3
| without the need to provide matching UNIX/Linux accounts. We called this the
| Non UNIX Accounts (NUA) capability. The intent was that an administrator
| could decide to use the tdbsam backend and by simply specifying passdb
| backend = tdbsam_nua this would allow Samba-3 to implement a solution that
| did not use UNIX accounts per se. Late in the development cycle, the team
| doing this work hit upon some obstacles that prevents this solution from
| being used. Given the delays with Samba-3 release a decision was made to NOT
| deliver this functionality until a better method of recognising NT Group
| SIDs from NT User SIDs could be found. This feature may thus return during
| the life cycle for the Samba-3 series."
|
| If I understand that paragraph correctly, it is currently not possible to
| authenticate users on a Samba server solely from an Active Directory. The
| only possible way is to create unix accounts on the Samba server - which
| means more user administration.
|
| Thank you all, for your input.
|
| Can anybody from the Samba team tell me how far into the horizon I have to
| look for this feature? From the documentation, it seems to me that a lot of
| work has gone into this already.
[Samba] samba 3.0 with ldap / sambaSID
Hello,

I'm looking for a way to convert my company's existing samba2.2 ldap backed service to samba 3.0. What's particularly making me curious is the sambaSID. As I've read it is the unique identifier of a PDC in the windows world. So, how does samba3 generate this? Is it supposed to be changed by the admin or is it determined by samba on the first startup? Any pointer to a doc describing this in more depth would be appreciated.

Thank You,
--
Regards,
Wiktor Wodecki
[Samba] Please release an rc4 ..
To the samba team,

Our samba 3.0 rc2 ran into troubles (lots of panics, probably caused by trouble with the domain). I tried the 3.0 rc3, but it crashes on all our hebrew docs with "OOPS - tried to store stat cache entry for werid length paths " etc. As apparently there is a patch for the German umlaut, it might solve this bug as well. The whole issue of UNICODE file and directory names should be carefully tested ..

Thanks
David de Leeuw

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 11, 2003 4:10 PM
Subject: [Samba] samba samba-3.0.0rc3 make install error

Hi all,

I am trying to compile samba-3.0.0rc3 on solaris9 x86. make install booms out with an error.

./configure --prefix=/data4/samba --with-profiling-data --with-quotas --with-sys-quotas --with-acl-support
make
make install

Installing bin/CP850.so as /data4/samba/lib/charset/CP850.so
Installing bin/CP437.so as /data4/samba/lib/charset/CP437.so
./install-sh -c bin/libsmbclient.so /data4/samba/lib
mksh: Fatal error: Cannot load command `./install-sh': Bad file number
Current working directory /data4/samba-3.0.0rc3/source
*** Error code 1 (ignored)
: bin/libsmbclient.a /data4/samba/lib
./install-sh -c /data4/samba-3.0.0rc3/source/include/libsmbclient.h /data4/samba/include
mksh: Fatal error: Cannot load command `./install-sh': Bad file number
Current working directory /data4/samba-3.0.0rc3/source
*** Error code 1 (ignored)

Any help is Appreciated
Eli
[Samba] samba samba-3.0.0rc3 make install error
Hi all,

I am trying to compile samba-3.0.0rc3 on solaris9 x86. make install booms out with an error.

./configure --prefix=/data4/samba --with-profiling-data --with-quotas --with-sys-quotas --with-acl-support
make
make install

Installing bin/CP850.so as /data4/samba/lib/charset/CP850.so
Installing bin/CP437.so as /data4/samba/lib/charset/CP437.so
./install-sh -c bin/libsmbclient.so /data4/samba/lib
mksh: Fatal error: Cannot load command `./install-sh': Bad file number
Current working directory /data4/samba-3.0.0rc3/source
*** Error code 1 (ignored)
: bin/libsmbclient.a /data4/samba/lib
./install-sh -c /data4/samba-3.0.0rc3/source/include/libsmbclient.h /data4/samba/include
mksh: Fatal error: Cannot load command `./install-sh': Bad file number
Current working directory /data4/samba-3.0.0rc3/source
*** Error code 1 (ignored)

Any help is Appreciated
Eli
[Samba] Guest access
I have been trying to get guest access to a share. My smb.conf is as follows...

[global]
workgroup = DEVSPACE
encrypt passwords = yes

[test]
comment = my first share
path = /home/temp
read only = no
guest ok = yes
browseable = yes
public = yes
guest account = nobody

Then on one windows station I execute

net view pluto

and it works because the user that does the net view has been added to the smb.conf file. Then on another windows station I execute

net view pluto

and I get

System error 5 has occured
Access is denied

because the user that is accessing the server is not known as a user on the network. The user nobody has been added to the smb.conf file. If I attempt to connect to the network share directly using

net use x: \\pluto\test

I get an error because it asks me for a user. I looked at the documentation and have tweaked all the combinations of the setting guest ok to yes and no and to setting of public to yes and no. Nothing seems to let the unknown user onto the machine. Both Windows boxes are running W2K.

Thanks
Christian Gross
[Samba] samba(PDC, machine A) + LDAP (machine B)?
Hello all,

I am wondering if anyone successfully built samba PDC on machine A and used LDAP on machine B for authentication? Because now before creating a samba account, one must create an unit account, right?

My goal is as follows:
1. Master LDAP (server A): responsible for the master copy of the account information
2. Slave LDAP (server B): synchronizing the database with the Master LDAP through LDAP's slurpd
3. Samba PDC server (server C): the option of the ldap server is pointed to server B.

Is it doable for current samba? I am using FreeBSD 5.0. If anyone knows how to do it, please instruct me in details.

Thank you very much.
Long-Sheng
Sep. 11, 03
[Samba] starting Cups
can anyone pls tell me how to start Cups b4 starting samba? Thanks in anticipation.

Iyke
Re: [Samba] insufficient permissions to open spool file ........
Hi all,

I still have this persistent problem with my Printing.

Printer state: Processing (accepting jobs)

and

Error message from Log: unable to connect to CUPS server localhost - Connection refused

Even though I have modified the smb.conf to include:

Interfaces = 127.0.0.1 194.180.75.90/255.255.255.0
bind interfaces only = yes
security = Share
Disable spoolss = yes

[hplaserjet8100]
Printcap name = cups
printing = Cups
use client driver = yes
Postscript = Yes

I'll appreciate any recommendations

Thanks
Iyke
[Samba] non-primary group permissions
Hi,

I have a problem that if I set a file or directory group owner, users that are members of this group can still not access it unless this is their primary group. This is using samba 3.0rc3, all user and group info is coming from winbind and permissions work as expected when using a linux shell but not from a windows client. The problem goes away if I use the 'force group' option on the share, but this still means that only one group can be of any use for that share. Is this expected behaviour or is something going wrong?

Thanks
Mike
Re: [Samba] Simple configuration and not working.
>I expect that getpwnam() failed for the user. does
>
>getent passwd MYAD+mylogon
>
>succeed?

Sorry, I didn't answer this question: no, this command didn't show anything to me:

#getent passwd MYAD+mylogon
#

Regards
vincent
Re: [Samba] Simple configuration and not working.
>I would expect this to be 'security = ads'
>since you've specified a realm.

Yes you're right, I did it now.

>Does this apply to you? (From WHATSNEW):
>
>Changes in Behavior
>---
>
>The following issues are known changes in behavior between Samba 2.2 and
>Samba 3.0 that may affect certain installations of Samba.
>
>1) When operating as a member of a Windows domain, Samba 2.2 would
>map any users authenticated by the remote DC to the 'guest account'
>if a uid could not be obtained via the getpwnam() call. Samba 3.0
>rejects the connection as NT_STATUS_LOGON_FAILURE. There is no
>current work around to re-establish the 2.2 behavior.

I don't think so, since I tried 2 remote connection attempts and auth seems to succeed: one from a remote linux client, and a log part:

# /usr/bin/smbclient //172.26.123.121/myshare -U mylogon -W MYAD
Password:
tree connect failed: NT_STATUS_ACCESS_DENIED

[2003/09/11 11:09:38, 2] auth/auth.c:check_ntlm_password(302) check_ntlm_password: authentication for user [mylogon] -> [mylogon] -> ] succeeded
[2003/09/11 11:09:38, 5] auth/auth_util.c:free_user_info(1185) attempting to free (and zero) a user_info structure
[2003/09/11 11:09:38, 10] auth/auth_util.c:free_user_info(1188) structure was created for mylogon
[2003/09/11 11:09:38, 3] smbd/password.c:register_vuid(207) User name:Real name:
[2003/09/11 11:09:38, 3] smbd/password.c:register_vuid(225) UNIX uid 0 is UNIX user, and will be vuid 100
[2003/09/11 11:09:38, 3] smbd/process.c:process_smb(890) Transaction 3 of length 104
[2003/09/11 11:09:38, 3] smbd/process.c:switch_message(685) switch message SMBtconX (pid 9247)
[2003/09/11 11:09:38, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/11 11:09:38, 2] smbd/service.c:make_connection_snum(384) user ' (from session setup) not permitted to access this share (myshare)
[2003/09/11 11:09:38, 3] smbd/error.c:error_packet(113) error packet at smbd/reply.c(274) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Well, what I understand is that authentication succeeded, a free structure was created, but it seems to be not populated (user name and real name empty), so this is normal that user ' is not allowed to access to the share. Am I wrong in my reasoning?

Another attempt, from a windows client now. Things are quite weird to me: First, there is Ticket name is [EMAIL PROTECTED] and after another Ticket with the username. While I don't see any authentication success nor deny, I see that it attempts to see if the username is in the group. Is the failure related to the bad username entry in the struct?

[2003/09/11 11:45:40, 3] smbd/password.c:register_vuid(207) User name:^IReal name:
...
[2003/09/11 11:45:40, 0] lib/username.c:user_in_winbind_group_list(339) user_in_winbind_group_list: nametogid for group MYAD+SEC_GLOBAL_GROUP failed.
[2003/09/11 11:45:40, 0] lib/username.c:user_in_winbind_group_list(339) user_in_winbind_group_list: nametogid for group MYAD+SEC_ANOTHER_GLOBAL_GROUP failed.
[2003/09/11 11:45:40, 0] lib/username.c:user_in_winbind_group_list(339) user_in_winbind_group_list: nametogid for group MYAD+THIRD_GLOBAL_GROUP failed.
[2003/09/11 11:45:40, 2] smbd/service.c:make_connection_snum(384) user ' (from session setup) not permitted to access this share (secondshare)

I obviously checked that permissions are set on the filesystem as well as the user account membership to global groups. Doing those tests seems to tell me that auth is working, but there is still a small thing that doesn't work in my case. If needed, I can provide complete logs for each of these tests.

Thanks again for your help
Vincent
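The correlation Vincent does by eye in the message above, as an added example that is not part of the original post and is not Samba project code: it parses smbd debug entries in the format quoted there and, for each share denial, reports the authenticated user, the UNIX name and uid the session was registered with, and any winbind group lookups that failed. The function names are this example's own, and SAMPLE is constructed from entries in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Entry header, e.g. "[2003/09/11 11:09:38, 2] auth/auth.c:check_ntlm_password(302)"
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+?):(\w+)\(\d+\)")
AUTH_OK = re.compile(r"authentication for user \[([^\]]*)\].*succeeded")
VUID_NAME = re.compile(r"User name:\s*(.*?)\s*(?:\^I\s*)?Real name:")
VUID_UID = re.compile(r"UNIX uid (\d+) is UNIX user\s*([^,]*), and will be vuid \d+")
GROUP_FAIL = re.compile(r"nametogid for group (\S+) failed")
DENIED = re.compile(r"user '([^']*?)'? \(from session setup\) not permitted "
                    r"to access this share \(([^)]+)\)")

# Constructed sample: entries copied from the post, flattened as they appear there.
SAMPLE = (
    "[2003/09/11 11:09:38, 2] auth/auth.c:check_ntlm_password(302) check_ntlm_password: "
    "authentication for user [mylogon] -> [mylogon] -> ] succeeded "
    "[2003/09/11 11:09:38, 3] smbd/password.c:register_vuid(207) User name:Real name: "
    "[2003/09/11 11:09:38, 3] smbd/password.c:register_vuid(225) "
    "UNIX uid 0 is UNIX user, and will be vuid 100 "
    "[2003/09/11 11:09:38, 2] smbd/service.c:make_connection_snum(384) "
    "user ' (from session setup) not permitted to access this share (myshare) "
    "[2003/09/11 11:45:40, 3] smbd/password.c:register_vuid(207) User name:^IReal name: "
    "[2003/09/11 11:45:40, 0] lib/username.c:user_in_winbind_group_list(339) "
    "user_in_winbind_group_list: nametogid for group MYAD+SEC_GLOBAL_GROUP failed. "
    "[2003/09/11 11:45:40, 0] lib/username.c:user_in_winbind_group_list(339) "
    "user_in_winbind_group_list: nametogid for group MYAD+THIRD_GLOBAL_GROUP failed. "
    "[2003/09/11 11:45:40, 2] smbd/service.c:make_connection_snum(384) "
    "user ' (from session setup) not permitted to access this share (secondshare)"
)

@dataclass
class Finding:
    time: str
    share: str
    auth_user: Optional[str]   # None when no NTLM success was logged before the denial
    unix_user: Optional[str]   # "" means the session was registered without a UNIX name
    uid: Optional[int]
    failed_groups: List[str]

def parse_entries(text):
    """Split log text into entries; works whether or not the line breaks survived."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({"time": m.group(1), "level": int(m.group(2)), "func": m.group(4),
                        "msg": " ".join(text[m.end():end].split())})
    return entries

def find_mapping_failures(entries):
    """For each share denial, report what the same log recorded just before it.
    Assumes the entries are in order and come from one smbd process."""
    findings, auth_user, unix_user, uid, groups = [], None, None, None, []
    for e in entries:
        msg = e["msg"]
        if m := AUTH_OK.search(msg):
            auth_user = m.group(1)
        if m := VUID_NAME.search(msg):
            unix_user = m.group(1)
        if m := VUID_UID.search(msg):
            uid, unix_user = int(m.group(1)), m.group(2).strip()
        if m := GROUP_FAIL.search(msg):
            groups.append(m.group(1))
        if m := DENIED.search(msg):
            findings.append(Finding(e["time"], m.group(2), auth_user, unix_user, uid, groups))
            auth_user, unix_user, uid, groups = None, None, None, []  # next attempt
    return findings

if __name__ == "__main__":
    for f in find_mapping_failures(parse_entries(SAMPLE)):
        print(f.time, f.share, "auth user:", f.auth_user, "unix user:", repr(f.unix_user),
              "uid:", f.uid, "unresolved groups:", f.failed_groups)
```

A denial whose finding shows a named authenticated user but an empty UNIX user is the identity-mapping gap the post describes, as opposed to a wrong password or a share ACL.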
[Samba] more roaming profile woes after upgrading to 2.2.8a
I upgraded one of my samba boxes to 2.2.8a after all kinds of problems with roaming profiles not loading correctly. Everybody can now log in (as long as the w2k machine has sp3 or newer) but I still get the following error: Cannot start microsoft outlook. This happens on w2k prof and on my w2k terminal servers. I could fix the workstations by adding their user account to the local administrators group but I cannot do this on terminal server. Does anybody know of a solution?

What's sort of strange is that it all worked 100% before - all I changed was the samba version from 2.2.3 then 2.2.5 and now 2.2.8a - the error sounds w2k related but I did not change anything there. The machine SID did change so I had to load sp3 on the machines that did not yet have it and had to rejoin all the machines (340 of them) on the domain. I tried sp4 but same problem.

André de Koning
IT Manager
Softline VIP Payroll
Tel: +27 12 420 7000
[EMAIL PROTECTED]
[Samba] Re: Accessing Samba Shares with AD usernames
To follow up on this, I have been studying the documentation more intensively yesterday evening, and have concluded that the current release of Samba cannot do what I am trying to achieve.

What I forgot to mention yesterday, was that there is to be no unix accounts on the Samba server, meaning the only user administration involved is from the Active Directory (AD), but after doing a more thorough studying of the documentation, this paragraph came up:

"In the course of development of Samba-3, a number of requests were received to provide the ability to migrate MS Windows NT4 SAM accounts to Samba-3 without the need to provide matching UNIX/Linux accounts. We called this the Non UNIX Accounts (NUA) capability. The intent was that an administrator could decide to use the tdbsam backend and by simply specifying passdb backend = tdbsam_nua this would allow Samba-3 to implement a solution that did not use UNIX accounts per se. Late in the development cycle, the team doing this work hit upon some obstacles that prevents this solution from being used. Given the delays with Samba-3 release a decision was made to NOT deliver this functionality until a better method of recognising NT Group SIDs from NT User SIDs could be found. This feature may thus return during the life cycle for the Samba-3 series."

If I understand that paragraph correctly, it is currently not possible to authenticate users on a Samba server solely from an Active Directory. The only possible way is to create unix accounts on the Samba server - which means more user administration.

Thank you all, for your input.

Can anybody from the Samba team tell me how far into the horizon I have to look for this feature? From the documentation, it seems to me that a lot of work has gone into this already.

--
Lars Wiberg

"Lars Wiberg" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I'm sorry if this post came through already ...
>
> Hi,
>
> I'm working on a project where the plan is to place a number of Samba
> servers on different locations as file and print servers. The samba server
> is supposed to be a part of the AD, which is easily done, but the samba
> servers are to contain a number of shares that only people with a valid
> logon on the AD will be able to access.
>
> How can this be achieved? Do I have to promote each Samba server to become a
> Domain Controller and create a trust between the DC and the Samba DC? I'm
> hoping there is a way to make Samba check the login on the DC and based on
> that give access to the share.
>
> I hope I am being clear enough.
>
> In short: An AD user wishes to access a Samba share, but needs to be
> authenticated somehow.
>
> I hope you can help me out.
>
> --
> Lars Wiberg
Re: [Samba] OT: Win2k ts - cannot start microsft outlook
Andre de Koning wrote:

> This is off-topic so please let me know if it is inappropriate. I thought i'd post here as a lot of people on the list seem to be using samba with ms terminal server. I have profile problem ito roaming profiles from my samba dc not loading when you log onto w2k terminal server. I reloaded one of the servers, installed sp4 and installed ms office 2000 using the termsrvr.mst file. When a normal user now logs in it says : Cannot start microsoft outlook. If I add that user to the administrators group it works fine. It looks like it's trying to create registry entries in the global registry instead of that specific user's registry file that is saved in his profile.

if it's in the global section or else, - maybe... u can modify access rights to the registry with regedt32. give the office keys free for all users, so u'll see if it's right...

> I had this on NT4 t/s but can't remember the solution and M$ is, as usual, not very helpful.

maybe this will help: http://support.microsoft.com/default.aspx?scid=kb;en-us;222303

how senseful this security system is, u can think yourself. ;-)

> Does anybody have the solution for this?
>
> André de Koning
> IT Manager
> Softline VIP Payroll
> Tel: +27 12 420 7000
> [EMAIL PROTECTED]
Re: [Fwd: Re: [Samba] Samba writes in wrong file]
Jeremy Allison wrote:

> On Wed, Sep 10, 2003 at 06:17:43PM +0200, Markus Ungermann wrote:
> > Hello,
> > i have this problem again. I have samba logs, from log.smbd, inside my Wordperfect-Document:
> >
> > [2003/09/09 16:42:33, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Testprogramme/2.9_Structure.b~RFf12cf7.TMP (numopen=4)
> > [2003/09/09 16:42:33, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/test/m3/M3/workbench/EMBWorkBench.exe read=Yes write=No (numopen=5)
> > [2003/09/09 16:42:33, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/test/m3/M3/workbench/EMBWorkBench.exe (numopen=4)
> > ä < ” ì D œ ô L ¤/ ÓÔ2 ÔÔ3 ÔÓ
> >
> > The last 3 Lines are the Wordperfect lines. This is right, the samba logs before are wrong.
>
> We've seen this on a couple of systems, SuSE and now Debian. We've never been able to reproduce it reliably. Our current best guess is it might be a glibc bug. What version of glibc do you have ?

glibc 2.2.5. The Woody-Stable. Kernel 2.4.21 self-compiled

> Can you reproduce this ?

No, sorry i can't. But i try to reproduce it on the Reserve-System.

> If so, can you get an strace ?

Sorry, if the error occurs i have no really logs.
The only thing i saw is this: [2003/09/09 16:08:02, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No (numopen=4) [2003/09/09 16:08:02, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=3) [2003/09/09 16:08:02, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=Yes (numopen=4) [2003/09/09 16:08:02, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No (numopen=5) [2003/09/09 16:08:02, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4) Then i opened the file next day, and then it was destroyed: [2003/09/10 13:36:57, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=Yes (numopen=4) [2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=3) [2003/09/10 13:36:57, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=Yes (numopen=4) [2003/09/10 13:36:57, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No (numopen=5) [2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4) [2003/09/10 13:36:57, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No (numopen=5) [2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4) [2003/09/10 13:36:57, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No (numopen=5) [2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4) [2003/09/10 13:36:57, 2] 
smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No (numopen=5) [2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4) [2003/09/10 13:36:57, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No (numopen=5) [2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4) [2003/09/10 13:36:57, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No (numopen=5) [2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4) [2003/09/10 13:36:57, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No (numopen=5) [2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4) [2003/09/10 13:36:57, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No (numopen=5) [2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4) [2003/09/10 13:36:57, 2] smbd/open.c:open_file(246) markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No (numopen=5) [2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4) [2003/09/10 13:37:02, 2] smbd/close.c:close_normal_file(229) markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=3) I found