Re: RE : [Samba] domain admin and primarygroupSID

2003-09-11 Thread John H Terpstra
On Fri, 12 Sep 2003, jean-marc pouchoulon wrote:

> >I'm using samba-3.0RC3.
> >I just figured out that if I wanted a user to be a Domain Admin, his
> >primarygroupSID had to be the group mapped to "Domain Admins" (sid=512).
> >Is there a way to just add the user to the admin group without modifying his
> >primarygroupSID ?
>
>   If I understand well your question, just add him to the "domain
> group" in the /etc/group/ on your unix system.
>   I've just made a doc in french on sambaRC3. If you want it, I
> can send it.

If it's in French I can handle that. If it's in encrypted French I may
have a problem. In any case would you mail it to me off-list please. I'd
like to look it over. Maybe I can glean something to add to the
Samba-HOWTO-Collection. :)

PS: Would you like to translate that from English to French for me? :)

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


RE : [Samba] domain admin and primarygroupSID

2003-09-11 Thread jean-marc pouchoulon
>I'm using samba-3.0RC3.
>I just figured out that if I wanted a user to be a Domain Admin, his
>primarygroupSID had to be the group mapped to "Domain Admins" (sid=512).
>Is there a way to just add the user to the admin group without modifying his
>primarygroupSID ?

If I understand well your question, just add him to the "domain
group" in the /etc/group/ on your unix system.  
I've just made a doc in french on sambaRC3. If you want it, I
can send it.

Jean-marc.




Re: [Samba] how can I be a domain admin in 3.0RC3 ?

2003-09-11 Thread Antoine Jacoutot

On Friday 12 September 2003 08:04, you wrote:
> If you want Win NT/2Kx admin rights then you need in /etc/group (example):

Yes, this is what I want :)

> ntadmins::123:antoine,jht

Already done...

> Then map ntadmins to NT Group "Domain Admins"

Already done...

> Alternatively, make "Domain Admins" your primary group in passdb backend.

OK, this is the problem here: why do I need "Domain admins" to be my primary 
group.
--> If my primary group is "Domain admins", it works, I'm administrator on
every windows computer
--> If my primary group is "Domain users", but I'm also part of "Domain
admins", it does NOT work, I don't get administrative rights on Windows
computers... why is that...

> Have I understood your question?

I think so :)
Thanks for being so reactive...

Antoine


Re: [Samba] how can I be a domain admin in 3.0RC3 ?

2003-09-11 Thread John H Terpstra
On Fri, 12 Sep 2003, Antoine Jacoutot wrote:

> On Thursday 11 September 2003 23:56, you wrote:
> > The NT Group, Domain Admins, must have the well known RID=512 otherwise it
> > is not seen by the Windows client as the Domain Admins group.
> >
> > PS: The Domain SID + the RID = the user SID.
>
> I know that :)
> But this is not my question.
> Basically my question is: how can you be part of "Domain Admins" and "User
> Admins", for example ?... since you can't have 2 user SID, right...

If you as a domain user want admin rights on the samba server you need to
use the "username map" facility. Example: /etc/samba/smbusers:

root = Administrator jht Antoine


Now Administrator, you and I have Domain Admin rights on the Samba server.

If you want Win NT/2Kx admin rights then you need in /etc/group (example):

ntadmins::123:antoine,jht

Then map ntadmins to NT Group "Domain Admins"


Alternatively, make "Domain Admins" your primary group in passdb backend.
Map "Domain Admins" to the GID=0 group on your system. Now you have
achieved effectively the same thing.

Have I understood your question?

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


[Samba] Re: Password Expiration

2003-09-11 Thread Uli Iske
Leif W wrote:
> (Sorry if this post is a duplicate, but I posted the message two days ago
> and still have not seen it on the list).
> Looking in the mail archives [1] I see someone else had a similar problem
> but I saw no resolution.  I got the error: NT_STATUS_PASSWORD_EXPIRED. (btw
> error RAP2242).  I'm 100% positive the user's system password was not
> expired, I was able to log into the system console, and via ssh.  When I
> changed the password using smbpasswd, it worked again.  But I'd like to know
> where I can change the samba password expiration time, or set it when
> creating a new samba user, so it will not expire at all, or not in one week,
> but a year or 6 months instead.

as far as i know setting the accountflag X passwords never expire.

uli



Re: [Samba] how can I be a domain admin in 3.0RC3 ?

2003-09-11 Thread Antoine Jacoutot

On Thursday 11 September 2003 23:56, you wrote:
> The NT Group, Domain Admins, must have the well known RID=512 otherwise it
> is not seen by the Windows client as the Domain Admins group.
>
> PS: The Domain SID + the RID = the user SID.

I know that :)
But this is not my question.
Basically my question is: how can you be part of "Domain Admins" and "User
Admins", for example ?... since you can't have 2 user SID, right...

Antoine


Re: [Samba] Home Subdirectory and [homes]

2003-09-11 Thread Tom Dickson
Try a share setup like this:

[%U]
path=/home/%U/homedir
write list=%D+%U
read only=no

Note that if you're not in a Windows 2k PDC situation, you'll want
write list=%U.

-Tom

Raymond wrote:
| Installed Samba 3.0RC4 on a RH80 box.
|
| Need [homes] section to point to a subdirectory of the users home
| directory.
| The aforementioned subdirectory exists in EVERY users home directory.
| Defining a path for EACH user is impractical.
|
| How does one accomplish this?
|
| Thanks in advance.
|
| Raymond


Re: [Samba] Re: check if drive letters are occupied by novell

2003-09-11 Thread kurt weiss


Marcus Schopen wrote:
> And on client side? Is there a method to do that in a batch script on
> the windows machine. Samba could generate a dynamic batch script, which
> is executed on the client. And this batch-script checks, if a letter is
> already mapped. Just an idea, but I don't know the commands on a windows
> machine to get a list of all novell letters.

e.g.
if exist c:\ echo ok

> Marcus




Re: [Samba] samba3Rc3_LDAP search failed: Insufficient access

2003-09-11 Thread Mimic Mimicmike
On Tue, 9 Sep 2003, Mimic Mimicmike wrote:

> (I saw some one post this (BUG)  in previous version, but I see at
> bugzilla.samba.org this bug is "FIXED" )
It seems there are several instances of this bug.  We fixed all the ones
we could reproduce.   Can you give me some more details?  For example,
  * smb.conf
  * operation you are trying to perform when you
see the failure (including client details such
as OS and SP)
  * any error messages you see on the client
>  lib/smbldap.c:smbldap_open(801)
>  smbldap_open: cannot access LDAP when not root..
>  passdb/pdb_ldap.c:ldapsam_setsamgrent(2085)
>   LDAP search failed: Insufficient access
> passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2150)
> Unable to open passdb
> lib/smbldap.c:smbldap_open(801)
Hi,
My Samba PDC is Redhat9.0
Client both XPsp1 and win2k Pro. sp3
this error will occur when I find user (and group) for setting security for
User in samba domain,
on client no error message but quite slow (samba search 10sec. compare with
w2kserv. 1-2 sec.)  but It can search in finally.


smb.conf
-
[global]
netbios name = rod
passdb backend = ldapsam, guest
ldap suffix = dc=abc,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap admin dn = "cn=admin,dc=abc,dc=net"
idmap backend = ldap:ldap://xxx.xx.x.xxx
ldap idmap suffix = ou=idmap,dc=abc,dc=net
  workgroup = abc
  server string = Samba admin test Server
  allow trusted domains = yes
 log file = /var/log/samba/log.%m
 max log size = 50
 security = user

 password server = *
password level = 8
 username level = 8
 encrypt passwords = yes
 username map = /etc/samba/smbusers
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   os level = 65

   logon drive = U:
   logon path =
  domain logons = yes
  add machine script = /usr/sbin/useradd -d /dev/null -g 1000 -s /bin/false -M %u
  wins server = 172.xx.x.x
  time server = yes
  winbind separator = +
idmap uid = 3-4
idmap gid = 3-4
winbind enum users = yes
winbind enum groups = yes
[homes]
  comment = Home Directories
  browseable = no
  writable = yes
[netlogon]
  comment = Network Logon Service
  path = /home/netlogon
  guest ok = yes
  writable = no


[Samba] Home Subdirectory and [homes]

2003-09-11 Thread Raymond
Installed Samba 3.0RC4 on a RH80 box.

Need [homes] section to point to a subdirectory of the users home directory.
The aforementioned subdirectory exists in EVERY users home directory.
Defining a path for EACH user is impractical.

How does one accomplish this?

Thanks in advance.

Raymond


[Samba] Re: check if drive letters are occupied by novell

2003-09-11 Thread Marcus Schopen
John H Terpstra wrote:

> On Thu, 11 Sep 2003, Marcus Schopen wrote:
>
> > Hi,
> >
> > I use Samba's root preexec functionality to create dynamic logon scripts:
> >
> > root preexec = /usr/local/samba/install/bin/make_logon_script
> > '%m' '%U' '%a' '%g' '%L'
> >
> > How do I check in the by make_logon_script generated logon .bat script,
> > which is executed on the windows clients, if a drive letter is already
> > occupied by novell. The logon.bat script should then select the next
> > free drive letter for the samba share. Possible?
>
> How can we make Samba aware of the drive letters that are already mapped
> on the Windows client? I know of no method to do this. Sorry, put on the
> never-todo list for now! :)

And on client side? Is there a method to do that in a batch script on
the windows machine. Samba could generate a dynamic batch script, which
is executed on the client. And this batch-script checks, if a letter is
already mapped. Just an idea, but I don't know the commands on a windows
machine to get a list of all novell letters.

Marcus



[Samba] Re: How to find all workgroups being used on a subnet?

2003-09-11 Thread David Wuertele
John> Have you checked out 'findsmb' that is supplied as part of Samba?

Yes, and I don't think it does what I want.  It only does nmblookup '*',
which does not return the address of any hybrid mode node that does
not have the messenger service (resource "<03>") enabled, which
happens to be most of the boxes on our network.

If I knew the workgroups of those boxes, I could find the browser and
get the registered names.  Without the workgroups, I'll never be able
to find those boxes.

Dave



[Samba] Password Expiration

2003-09-11 Thread Leif W
(Sorry if this post is a duplicate, but I posted the message two days ago
and still have not seen it on the list).

Looking in the mail archives [1] I see someone else had a similar problem
but I saw no resolution.  I got the error: NT_STATUS_PASSWORD_EXPIRED. (btw
error RAP2242).  I'm 100% positive the user's system password was not
expired, I was able to log into the system console, and via ssh.  When I
changed the password using smbpasswd, it worked again.  But I'd like to know
where I can change the samba password expiration time, or set it when
creating a new samba user, so it will not expire at all, or not in one week,
but a year or 6 months instead.

Leif

[1] http://www.mail-archive.com/[EMAIL PROTECTED]/msg48708.html




[Samba] sharing folder in clients problem

2003-09-11 Thread debritoa
Hi, I want to ask if anyone is having problems getting the remote user list
when trying to share a folder in User-level Access Control. When I try to
share the folder I get the following error:

[2003/09/11 18:36:41, 1] smbd/ipc.c:api_fd_reply(284)
  api_fd_reply: INVALID PIPE HANDLE: 0
[2003/09/11 18:36:42, 1] smbd/ipc.c:api_fd_reply(284)
  api_fd_reply: INVALID PIPE HANDLE: 0
[2003/09/11 18:36:42, 1] smbd/ipc.c:api_fd_reply(284)
  api_fd_reply: INVALID PIPE HANDLE: 0
[2003/09/11 18:36:42, 1] smbd/ipc.c:api_fd_reply(284)
  api_fd_reply: INVALID PIPE HANDLE: 0

The system installed is Debian woody 3.0, kernel 2.4.20, xfs filesystem with
quotas, samba version 3.0.0rc3, Openldap 2.1

I previously used samba 2.2.XX as a PDC, working fine for two years, and tried
to install samba 3.0.0rc3 on another server. Almost everything works fine, but
if a client machine (all machines are windows 98) with a shared folder tries to
log on to the network and the client machine shares a folder, concurrently on
all the machines with a shared folder (in User-level Access Control) a blue
screen appears with the error 0028:C0004D3F IN VXD VMM(01) + 3D3F, which for a
while I attributed to "unknown reasons" of samba. Later I found that the
problem originated in the impossibility of getting the user list to validate
users accessing the shares.

Any advice?

PS: Sorry for my bad English.







Re: [Samba] How to find all workgroups being used on a subnet?

2003-09-11 Thread John H Terpstra
On Thu, 11 Sep 2003, David Wuertele wrote:

> I want to discover all the groups currently in use on a subnet.  Is
> there a way to do this with a broadcast request?
>
> I know that I could just run nmblookup on every single host on the
> subnet, but that would take forever.  I'd like to just make one or
> maybe a few calls.  I'd like to limit the number of calls I make to no
> more than one plus the number of workgroups that are in use.

Have you checked out 'findsmb' that is supplied as part of Samba?

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] how can I be a domain admin in 3.0RC3 ?

2003-09-11 Thread John H Terpstra
On Thu, 11 Sep 2003, Antoine Jacoutot wrote:

> On Thursday 11 September 2003 22:47, John H Terpstra wrote:
> > Please explain precisely what you mean. What exact steps are you
> > following?
>
> OK, I created 1 user, 1 computer and several groups.
> One group is called domainadmins. I did a 'net groupmap add' to map it to
> SID-512 (Windows Domain admins group).
> My user's primarygroupID is SID-2001.
> I added my user to domainadmins, which made me believe it then would be
> considered as a Windows Domain administrator... but it does not work. However
> it does work if instead I set my user's primarygroupID to SID-512.
> So my question is: can I have admin rights if my primarygroupID is not
> domainadmins (supposing I'm part of domainadmins as I'm part of other groups
> too).

The NT Group, Domain Admins, must have the well known RID=512 otherwise it
is not seen by the Windows client as the Domain Admins group.

PS: The Domain SID + the RID = the user SID.

> Is it clearer ? (I'm sorry, English is not my first language)

PS: English is not my first language either.
Additionally, most who claim to speak English don't either! :)

> For information, I'm running FreeBSD-5.1+LDAP+samba-3.0RC3
>
> Thanks.

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


[Samba] smb/cifs protocol thingy

2003-09-11 Thread Alexandru Ionica
Hello, I have some big dilemmas regarding smb, and I couldn't figure out
the following (after reading the docs):
When a client authenticates to a samba server does he send the hash of the
password over a clear text connection, or does he send the hash over some
kind of encrypted connection?
When there is a password change from the client, does the password travel
in clear text over an encrypted connection, or is the password hashed?

I ask those questions because I'm wondering how the:
unix password sync = yes
is really working (couldn't make it work on a gentoo linux distro, think it
was because of the chat script).

My goal is to create a ldap backend for storing samba and unix accounts,
and I want to have 1 user and 1 pass for using both services

-- 
Permission to live...DENIED!


[Samba] How to find all workgroups being used on a subnet?

2003-09-11 Thread David Wuertele
I want to discover all the groups currently in use on a subnet.  Is
there a way to do this with a broadcast request?

I know that I could just run nmblookup on every single host on the
subnet, but that would take forever.  I'd like to just make one or
maybe a few calls.  I'd like to limit the number of calls I make to no
more than one plus the number of workgroups that are in use.

Any advice?
Dave



[Samba] samba log

2003-09-11 Thread Joe Stuart
I spotted these entries in a log from samba. They are from a win2k box
and it appears that someone mapped a drive to the /tmp directory as the
nobody user. In /tmp there are a bunch of empty files owned by the
nobody user. Has anybody seen this before or have any hints as to what
is going on. 
Any help would be appreciated.


[2003/09/09 10:45:09, 3] smbd/password.c:register_vuid(336)
  uid 99 registered to name nobody
[2003/09/09 10:45:09, 3] smbd/password.c:register_vuid(338)
  Clearing default real name
[2003/09/09 10:45:09, 3] smbd/password.c:register_vuid(340)
  User name: nobody Real name: Nobody
[2003/09/09 10:45:09, 3] smbd/process.c:chain_reply(1023)
  Chained message
[2003/09/09 10:45:09, 3] smbd/process.c:switch_message(685)
  switch message SMBtconX (pid 6337)
[2003/09/09 10:45:09, 3] smbd/sec_ctx.c:set_sec_ctx(328)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/09 10:45:09, 3] smbd/password.c:authorise_login(854)
  authorise_login: ACCEPTED: guest account and guest ok (nobody)
[2003/09/09 10:45:09, 3] smbd/service.c:make_connection(487)
  Connect path is /tmp



Thanks
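A triage sketch for the log excerpt in the post above, added here as an example; it is not part of the original message or of Samba. It pairs each `authorise_login: ACCEPTED: guest account and guest ok` entry with the `Connect path is` entry that follows it and marks guest connections that land in a world-writable directory. The first eight entries of the sample are the lines from the post, the remaining ones are constructed, and the names `find_guest_connections` and `WATCHED_PATHS` are hypothetical.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Header of one smbd debug entry, e.g.
# [2003/09/09 10:45:09, 3] smbd/service.c:make_connection(487)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]\s+"
    r"\S+:(?P<func>\w+)\(\d+\)\s*$"
)
VUID = re.compile(r"^uid (?P<uid>\d+) registered to name (?P<name>\S+)$")
GUEST = re.compile(
    r"^authorise_login: ACCEPTED: guest account and guest ok \((?P<user>[^)]+)\)$"
)
CONNECT = re.compile(r"^Connect path is (?P<path>.+)$")

# Assumption of this example: directories where a guest-writable share is a concern.
WATCHED_PATHS = ("/tmp", "/var/tmp")

# First session: the lines from the post. Second and third sessions: constructed.
SAMPLE_LOG = """\
[2003/09/09 10:45:09, 3] smbd/password.c:register_vuid(336)
  uid 99 registered to name nobody
[2003/09/09 10:45:09, 3] smbd/password.c:register_vuid(338)
  Clearing default real name
[2003/09/09 10:45:09, 3] smbd/password.c:register_vuid(340)
  User name: nobody Real name: Nobody
[2003/09/09 10:45:09, 3] smbd/process.c:chain_reply(1023)
  Chained message
[2003/09/09 10:45:09, 3] smbd/process.c:switch_message(685)
  switch message SMBtconX (pid 6337)
[2003/09/09 10:45:09, 3] smbd/sec_ctx.c:set_sec_ctx(328)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/09 10:45:09, 3] smbd/password.c:authorise_login(854)
  authorise_login: ACCEPTED: guest account and guest ok (nobody)
[2003/09/09 10:45:09, 3] smbd/service.c:make_connection(487)
  Connect path is /tmp
[2003/09/09 11:02:31, 3] smbd/password.c:register_vuid(336)
  uid 1000 registered to name alice
[2003/09/09 11:02:31, 3] smbd/service.c:make_connection(487)
  Connect path is /home/alice
[2003/09/09 11:10:02, 3] smbd/password.c:register_vuid(336)
  uid 99 registered to name nobody
[2003/09/09 11:10:02, 3] smbd/password.c:authorise_login(854)
  authorise_login: ACCEPTED: guest account and guest ok (nobody)
[2003/09/09 11:10:02, 3] smbd/service.c:make_connection(487)
  Connect path is /srv/public
"""


@dataclass
class Entry:
    ts: str
    func: str
    message: str


@dataclass
class GuestConnection:
    ts: str
    user: str
    uid: Optional[int]
    path: str
    watched: bool


def parse_entries(text: str) -> List[Entry]:
    """Group each header line with the indented message lines that follow it."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = Entry(m["ts"], m["func"], "")
            entries.append(current)
        elif current is not None and raw.strip():
            current.message = (current.message + " " + raw.strip()).strip()
    return entries


def is_watched(path: str) -> bool:
    p = posixpath.normpath(path)
    return any(p == w or p.startswith(w + "/") for w in WATCHED_PATHS)


def find_guest_connections(entries: List[Entry]) -> List[GuestConnection]:
    """Report tree connects that were authorised through the guest account."""
    uids = {}
    pending_guest: Optional[str] = None
    findings: List[GuestConnection] = []
    for e in entries:
        if (m := VUID.match(e.message)):
            uids[m["name"]] = int(m["uid"])
            pending_guest = None  # new session setup: drop stale state
        elif (m := GUEST.match(e.message)):
            pending_guest = m["user"]
        elif (m := CONNECT.match(e.message)) and pending_guest is not None:
            findings.append(GuestConnection(
                e.ts, pending_guest, uids.get(pending_guest),
                m["path"], is_watched(m["path"])))
            pending_guest = None
    return findings


if __name__ == "__main__":
    for f in find_guest_connections(parse_entries(SAMPLE_LOG)):
        flag = "REVIEW" if f.watched else "info"
        print(f"{flag}: {f.ts} guest {f.user} (uid {f.uid}) -> {f.path}")
```

The correlation assumes one client per log file, as with a `log file = /var/log/samba/log.%m` setting; interleaved sessions in a single shared log would need the smbd pid as an additional key.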


Re: [Samba] A PDC migration postmortem (and SIDs Novell-style)

2003-09-11 Thread John H Terpstra
On Thu, 11 Sep 2003, Dan Gapinski wrote:

> Hello,
>
> I just migrated a Samba PDC from one computer to another without too much
> complaining from Samba itself, but had to rejoin my computers (fortunately
> this is a small office) to the domain thereafter, which caused a little
> problem in getting the profiles back to where they were supposed to be.
> (Windows, not seeing the proper domain, cannot copy the profile in the
> profile manager, listing the old domain profiles as "Account Deleted").
>
> My question is:
> 1) Aside from having the forethought to offload the previous profiles to a
> temp area, was there any way I could have recreated the client account
> database to rejoin automatically? And is the SID tied directly to the PDC's
> hostname?

The change of hostname will have changed the SID. Had you saved the SID
first, you could restore it and then all your profiles should work
correctly again. The domain SID is stored in the profile NTUser.DAT files.

> 2) Is there any way to have Samba ignore the workstation SID as Novell does,
> which could be a help in this case as well as when an admin might wish to
> clone a whole batch of PC's?

Nope.

But you can recover the SID from the profile NTUser.DAT file using the
'profiles' tool that is part of Samba-3. You will need to compile it
separately. Then use it to list the security descriptors. Alternatively
you may be able to find the SID using the 'editreg' tool.

Once you find the domain SID you can record it and then use the 'net' tool
to reset the domain SID.

Of course, if you have already rejoined your clients to the domain, then
after you revert the domain SID you will have to go through the re-joining
process again. :(

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


[Samba] A PDC migration postmortem (and SIDs Novell-style)

2003-09-11 Thread Dan Gapinski
Hello,

I just migrated a Samba PDC from one computer to another without too much
complaining from Samba itself, but had to rejoin my computers (fortunately
this is a small office) to the domain thereafter, which caused a little
problem in getting the profiles back to where they were supposed to be.
(Windows, not seeing the proper domain, cannot copy the profile in the
profile manager, listing the old domain profiles as "Account Deleted").

My question is:
1) Aside from having the forethought to offload the previous profiles to a
temp area, was there any way I could have recreated the client account
database to rejoin automatically? And is the SID tied directly to the PDC's
hostname?
2) Is there any way to have Samba ignore the workstation SID as Novell does,
which could be a help in this case as well as when an admin might wish to
clone a whole batch of PC's?

Thanks a lot for your input,
Dan




Re: [Samba] how can I be a domain admin in 3.0RC3 ?

2003-09-11 Thread John H Terpstra
On Thu, 11 Sep 2003, Antoine Jacoutot wrote:

> On Thursday 11 September 2003 19:22, John H Terpstra wrote:
> > Then on each Windows workstation you need to make the "Samba_Domain\Domain
> > Admins" group a member of the Local Group called "Administrators" while
> > logged on as the Workstation Administrator.
>
> ... ouch, it means I have to go on every workstation, right ?
> This really is a no-go for me.
> Isn't "Domain Admins" a part of the local Administrator by default under
> Windows ?

Oops! My guffaw! Of course it is. Domain Admins are made a member of the
Local Administrators group on joining the domain.

Sorry to cause you heart failure!

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] how can I be a domain admin in 3.0RC3 ?

2003-09-11 Thread Antoine Jacoutot

On Thursday 11 September 2003 19:22, John H Terpstra wrote:
> Then on each Windows workstation you need to make the "Samba_Domain\Domain
> Admins" group a member of the Local Group called "Administrators" while
> logged on as the Workstation Administrator.

... ouch, it means I have to go on every workstation, right ?
This really is a no-go for me.
Isn't "Domain Admins" a part of the local Administrator by default under 
Windows ?

-- 
Antoine Jacoutot
[EMAIL PROTECTED]
http://www.lphp.org
PGP/GnuPG key: http://www.lphp.org/ressources/ajacoutot.asc


[Samba] domain admin and primarygroupSID

2003-09-11 Thread Antoine Jacoutot

Hi !

I'm using samba-3.0RC3.
I just figured out that if I wanted a user to be a Domain Admin, his 
primarygroupSID had to be the group mapped to "Domain Admins" (sid=512).
Is there a way to just add the user to the admin group without modifying his 
primarygroupSID ?

Thanks.

-- 
Antoine Jacoutot
[EMAIL PROTECTED]
http://www.lphp.org
PGP/GnuPG key: http://www.lphp.org/ressources/ajacoutot.asc


Re: [Samba] can't join ads w/ rc3

2003-09-11 Thread david williams
I googled for help on this, all I found was this cryptic irc chat log 
http://irc.vernstok.nl/samba-technical.php.  It seems to be a kerberos 
ticket encoding problem.  the AD server is giving me a arcfour-hmac-md5 
ticket. I'm running mit krb5-1.3.1.  Any ideas would be greatly appreciated.

-dave

david williams wrote:
it was working for me with version <= rc2

the end of net ads join -d 10 says:

Search for (objectclass=*) gave 1 replies
Got error packet 0x7e from kpasswd server
parse_setpw_reply failed (Message stream modified)
return code = -1
Let me know if you want the whole log/some other debug info.

-dave



[Samba] Thank You

2003-09-11 Thread Kevin Anderson
I wanted to say a big Thank You for the time and work you've put into Samba.

This is a fantastic product, and we really appreciate it.

Kev.


Re: [Samba] Configuration-Files

2003-09-11 Thread John H Terpstra
On Thu, 11 Sep 2003, Marc Schoechlin wrote:

Marc,

Have you read the Samba-HOWTO-Collection.pdf that ships with Samba-3?
It has a chapter called "File, Directory and Share Access Controls".

If there are problems with lack of clarity or inadequacy of information
please tell me so I can fix this before Samba-3 ships.


> Hi !
>
> I currently trying out samba-3.0.0rc3 - and i would like to test the following.
>
> I would like to try out the following:
>
> * SAMBA-PDC with ACL-Support
>
>   I have a debian-box with xfs-support.
>
>   Is it possible to modify ACLs of directories and files from a win2k-workstation ?

Yes, if you have administrative rights.

>
> * SAMBA_PDC with LDAP-Support

Yes!

>
> * Samba-PPC with Cups-Support

Yes!

>
>   Where can i get a tutorial for this ?

CUPS is very well documented in the Samba-HOWTO-Collection.pdf. If there
is a problem with this documentation please let me know. I want to fix
this before Samba-3 ships.

>
>   Where can I get a very complete config-file ?

How long is a piece of string Marc? What would you like it to do?

The Samba-HOWTO-Collection is being published by Prentice Hall as a book.
It will be on the bookshelves by late October. It will have a detailed
chapter called "Fast Start: Cure for the Impatient" that has lots of
fully documented worked examples for all sorts of server configurations.
This chapter will be made open source 4 months after the book ships. It
will then be added to the CVS code tree and will eventually appear in the
Samba-3 packages.

>
>   I think it would be a good idea to add some sample config-files for this to the 
> samba-distribution.

Yes. I have spent over 5 months working on this, that's how the HOWTO got
to where it is. Is it good enough yet?

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] how can I be a domain admin in 3.0RC3 ?

2003-09-11 Thread John H Terpstra
On Thu, 11 Sep 2003, Antoine Jacoutot wrote:

> Hi !
>
> I'm using samba-3.0RC3 as a PDC (for testing).
> I'm using the ldap backend.
> I created 1 user, 1 computer and some groups.
>
> I mapped the unix groups domainadmins to "Domain admins" with
> my_personnal_sid-512.
> I added my user to domainadmins.
> I set "admin users = @domainadmins" in my smb.conf, but I still do not
> have domain admin rights on workstations :(

That's correct. The parameter "admin users" has been deprecated from
Samba-3. You need to add your user to the UNIX domadmins group, then map
the UNIX domadmins group to the NT "Domain Admins" group using:

net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins

Then on each Windows workstation you need to make the "Samba_Domain\Domain
Admins" group a member of the Local Group called "Administrators" while
logged on as the Workstation Administrator.

>
> Any idea about what I did wrong ?

Hope that helps!

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] check if drive letters are occupied by novell

2003-09-11 Thread John H Terpstra
On Thu, 11 Sep 2003, Marcus Schopen wrote:

> Hi,
>
> I use Samba's root preexec functionality to create dynamic logon scripts:
>
> root preexec = /usr/local/samba/install/bin/make_logon_script
> '%m' '%U' '%a' '%g' '%L'
>
> How do I check in the by make_logon_script generated logon .bat script,
> which is executed on the windows clients, if a drive letter is already
> occupied by novell. The logon.bat script should then select the next
> free drive letter for the samba share. Possible?

How can we make Samba aware of the drive letters that are already mapped
on the Windows client? I know of no method to do this. Sorry, put on the
never-todo list for now! :)

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


[Samba] Weird problem with file sharing over internet.

2003-09-11 Thread James Knott
I've set up a CIPE VPN, between my notebook computer and my Linux based 
firewall.  While the VPN generally works well, I've noticed a strange 
problem with file sharing from the local network to the notebook.  I set 
up the VPN, with the idea of accessing my systems at home via a dial up 
ISP, to my home network via cable modem.  The VPN works well for most 
protocols, such as telnet, ssh, ftp, X etc.  However, when I try to 
access files using Samba, about 12 packets are exchanged and then the 
session stops.  A similar problem occurs with NFS.  What makes the 
situation more perplexing, is that if I connect directly to my firewall 
or via WiFi, Samba and NFS work fine.  In all cases, the VPN enters my 
firewall via eth0.  This seems to imply that the problem may be due to 
the extreme speed difference between the dial up access and my 100 Mb 
lan.  If the problem were due to the firewall or VPN, it should be 
consistent, no matter what the connection speed.  I'm using Red Hat 7.3 
on all systems.  The problem also occurs, when trying to access files on 
my OS/2 system.  Also, when I try to access files on my notebook 
(connected via dialup), from my local lan, everything is also fine, so the 
problem appears to be asymmetrical.

Any ideas?

btw, I can provide ethereal or tcpdump records of some attempts.

tnx jk



Re: [Samba] starting Cups

2003-09-11 Thread John H Terpstra
On Thu, 11 Sep 2003, emma emma wrote:

> can anyone pls tell me how to start Cups b4 starting
> samba?
>
> Thanks in anticipation.

That is CUPS implementation dependent. If SuSE Linux, use YaST2 to
configure it. If Red Hat Linux, use chkconfig to configure it.

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] insufficient permissions to open spool file ........

2003-09-11 Thread John H Terpstra
Iyke,

You need to configure CUPS to accept the connection. The file you must
edit is /etc/cups/cupsd.conf, not Samba's smb.conf.

You need to make sure that your cupsd.conf has entries like the following:


Order Deny,Allow
Deny From All
Allow From 127.0.0.1




Have you checked the contents of your CUPS log files to see why it is
rejecting the connection from Samba?

- John T.


On Thu, 11 Sep 2003, iyke Adibe wrote:

> Hi all,
>
> I still have this persistent problem with my Printing.
>
> Printer state:
> Processing (accepting jobs)
>
> and Error message from Log:
> unable to connect to CUPS server localhost - Connection refused
>
> Even though I have modified the smb.conf to include:
>
> Interfaces = 127.0.0.1 194.180.75.90/255.255.255.0
> bind interfaces only = yes
> security = Share
> Disable spoolss = yes
>
> [hplaserjet8100]
> Printcap name = cups
> printing = Cups
> use client driver = yes
> Postscript = Yes
>
> I'll appreciate any recommendations
>
> Thanks
>
> Iyke

-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] non-primary group permissions

2003-09-11 Thread John H Terpstra
Mike,

Can you document a test case and then file a bug with
https://bugzilla.samba.org please.

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]

Hi,

I have a problem that if I set a file or directory group owner, users 
that are members of this group can still not access it unless this is 
their primary group.

This is using samba 3.0rc3, all user and group info is coming from 
winbind and permissions work as expected when using a linux shell but 
not from a windows client.

The problem goes away if I use the 'force group' option on the share, 
but this still means that only one group can be of any use for that 
share.  Is this expected behaviour or is something going wrong?

Thanks
Mike



Re: [Samba] Re: Accessing Samba Shares with AD usernames

2003-09-11 Thread John H Terpstra
On Thu, 11 Sep 2003, Lars Wiberg wrote:

> To follow up on this, I have been studying the documentation more
> intensively yesterday evening, and have concluded that the current release
> of Samba cannot do what I am trying to achieve.
>
> What I forgot to mention yesterday, was that there is to be no unix accounts
> on the Samba server, meaning the only user administration involved is from
> the Active Directory (AD), but after doing a more thorough studying of the
> documentation, this paragraph came up:

That's what I understood from your request.

> "In the course of development of Samba-3, a number of requests were received
> to provide the ability to migrate MS Windows NT4 SAM accounts to Samba-3
> without the need to provide matching UNIX/Linux accounts. We called this the
> Non UNIX Accounts (NUA) capability. The intent was that an administrator
> could decide to use the tdbsam backend and by simply specifying passdb
> backend = tdbsam_nua this would allow Samba-3 to implement a solution that
> did not use UNIX accounts per se. Late in the development cycle, the team
> doing this work hit upon some obstacles that prevents this solution from
> being used. Given the delays with Samba-3 release a decision was made to NOT
> deliver this functionality until a better method of recognising NT Group
> SIDs from NT User SIDs could be found. This feature may thus return during
> the life cycle for the Samba-3 series."
>
> If I understand that paragraph correctly, it is currently not possible to
> authenticate users on a Samba server solely from an Active Directory. The
> only possible way is to create unix accounts on the Samba server - which
> means more user administration.

No. You are confused it seems.

The paragraph you quoted is in respect of Samba being a domain controller
or a stand-alone server - NOT - as a domain member.

You need to make your Samba server a domain member. If you have Active
Directory, you need to configure for "security = ads" as discussed in the
"Domain Membership" chapter of the HOWTO.

When a machine is a domain member, you do NOT need any local /etc/passwd
accounts. Instead, you can use winbind to provide locally mapped users and
groups - all from Active Directory.

Your questions regarding access to shares are simply answered:
1. You CAN set AD User and Group ACLs on Shares
2. You can control file system permissions from an
   administratively enabled Windows login using
   Windows Explorer.
3. You can set additional access restrictions that use
   AD Users and Groups in the share specification
4. If your UNIX file system has support for POSIX ACLs
   you can from a Windows NT/2Kx/XP Windows
   Explorer set ACLs on files and directories.

So what have we written that is confusing or not clear to you?
Please help us to correct the documentation before Samba-3 ships.

>
> Thank you all, for your input.
>
> Can anybody from the Samba team tell me how far into the horizon I have to
> look for this feature? From the documentation, it seems to me that a lot of
> work has gone into this already.

What is missing that you need?

Either you want Samba as a Domain Controller with non-UNIX accounts or you
don't? Which is it? IF you are running Active Directory then the paragraph
you have quoted is not relevant to you.

IF you want to set ACLs (Access Control Lists) on shares, folders
(directories) or files and the chapter I referred you to is not clear
please help us to get the documentation cleaned up. What suggestions do
you have that would help you and others to find the answers they are
looking for? I am totally lost, what must I do to fix this?

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


[Samba] Configuration-Files

2003-09-11 Thread Marc Schoechlin
Hi !

I'm currently trying out samba-3.0.0rc3 and I would like to test the following.

I would like to try out the following:

* SAMBA-PDC with ACL-Support
  
  I have a debian-box with xfs-support.

  Is it possible to modify ACLs of directories and files from a win2k-workstation ?

* SAMBA_PDC with LDAP-Support

* Samba-PPC with Cups-Support

  Where can I get a tutorial for this ?

  Where can I get a very complete config-file ?

  I think it would be a good idea to add some sample config-files for this to the 
samba-distribution.

Best regards

Marc Schoechlin

-- 

Gruss / Best regards  |  LF.net GmbH|  fon +49 711 90074-413
Marc Schoechlin   |  Ruppmannstr. 27|  fax +49 711 90074-33
[EMAIL PROTECTED] |  D-70565 Stuttgart  |  http://www.lf.net


[Samba] Problem uploading printer driver on 2.2.8a (FreeBSD 4.8)

2003-09-11 Thread Jérôme Fenal
Hello,
I have an annoying problem. I have declared a printer for which I want Samba to 
download drivers onto the clients.
So I have configured print$ share, the printer itself (by BSD printing), then connect 
the printer to my W2K client (SP3 with ALL RPC updates applied, including today's one).
And it fails :
- on the windows side, I have a popup : unable to install  driver. 
Operation could not be completed.
- on the samba side, I get an internal error :
[2003/09/11 18:09:29, 3] smbd/sec_ctx.c:pop_sec_ctx(436)
  pop_sec_ctx (1014, 1014) - sec_ctx_stack_ndx = 0
[2003/09/11 18:09:29, 5] printing/nt_printing.c:add_a_printer_driver_3(1654)
  add_a_printer_driver_3: Adding driver with key DRIVERS/W32X86/2/HP LaserJet 4 Plus
[2003/09/11 18:09:29, 0] lib/fault.c:fault_report(38)
  ===
[2003/09/11 18:09:29, 0] lib/fault.c:fault_report(39)
  INTERNAL ERROR: Signal 11 in pid 59048 (2.2.8a)
  Please read the file BUGS.txt in the distribution
[2003/09/11 18:09:29, 0] lib/fault.c:fault_report(41)
  ===
[2003/09/11 18:09:29, 0] lib/util.c:smb_panic(1094)
  PANIC: internal error
I must say that some (if not all, I can't say) of the printer driver files _are_ 
uploaded to the print$ share. But it fails to register, it seems.
Samba is in PDC mode (too much hassle with rights before, when being a simple 
'security=user' server : "service :{{SID}} not found" messages, SID corresponding to 
"Printers" on the W2K client, according to the registry ). Shares all are accessible 
with no noticeable messages in the logs.
I don't know what to say more. I can provide smb.conf on request if needed.
Any ideas about this ?
Regards,
Jérôme
 
 
 




[Samba] Samba 3.0b3+CUPS+server drivers

2003-09-11 Thread Boogerman
I'm trying to setup a printer using Cups, using cupsaddsmb

It uploads the files ok (smbclient ... -c 'mkdir W32X86;put ...;put ...')

It adds the driver ok (rpcclient -c 'adddriver "Windows NT X86"
"Canon:file1:file2..."')
(I have verified this worked from server properties in "printers and faxes"
of the linux server: the driver "canon" shows up in the list)

Then when it does rpcclient -c 'setdriver Canon Canon' I get:
SetPrinter call failed!
result was WERR_ACCESS_DENIED

At the same time I run this command, I get this in log.smbd:
[2003/09/11 13:35:38, 0] smbd/oplock_linux.c:linux_init_kernel_oplocks(289)
  Failed to setup RT_SIGNAL_LEASE handler

I'm adding the CUPS postscript with the foomatic ppd of a Canon BJC-1000,
which is properly configured in CUPS (the print test page works).

Any clues?

Here's my smb.conf:

[global]
netbios name = Natsumi
server string = Linux Server
workgroup = BoogerSoft
passdb backend = smbpasswd

hosts allow = 192.168.0. 127.0.0.1

;act as domain and master browser
os level = 64
preferred master = yes
domain master = yes
local master = yes

security = user

encrypt passwords = yes

domain logons = yes

;do not set this to \\%N\%U\{whatever}
logon path = \\%N\profile\%u
logon drive = H:

;logon script, relative to the [netlogon] share
logon script = logon.cmd

;neither of these seem to work with 3.0
;client code page = 850
;character set = ISO8859-1

;printer
load printers = yes
printing = cups
printcap = cups

[netlogon]
comment = Network Logon Service
path = /home/netlogon
read only = yes
write list = ntadmin

[homes]
comment = Home Directories
browseable = no
writable = yes
create mask = 0600

directory mask = 0700

[profile]
path = /home/profile
read only = no
create mask = 0600
directory mask = 0700

[print$]
comment = Printer Driver Download Area
path = /usr/local/samba/drivers
browseable = yes
guest ok = yes
read only = yes
write list = root

[printers]
comment = Printers
path = /var/spool/samba
browseable = no
guest ok = yes
writable = no
printable = yes
use client driver = yes



[Samba] mangle characters (e.g. blank to underline)

2003-09-11 Thread Liesinger Horst
Hi

File names with blanks are not very useful in Unix scripts.
Our Windows users very often use (not allowed) blanks in file names.
So I am looking for a possibility to change blanks to underlines.
But mangled map = (*\ * *_*) does not work ?!?

Best regards 

Horst Liesinger

CAD Coordination (IT)
Doppelmayr Seilbahnen GmbH


[Samba] Problems with smbsh...

2003-09-11 Thread Pedro Parrilla


Hello!

I have a MBX860 board (MPC860 CPU); I've compiled/installed samba
2-2-8a with Gcc compiler for MPC860 on the board without problems. SMBD
and NMBD work fine, but when I start smbsh, I get the following message:

./smbsh
Username:
Password:
load_client_codepage: file /usr/local/samba/lib/codepages/codepage.850
is an incorrect size for a code page file (size=0).
load_unicode_map: file /usr/local/samba/lib/codepages/unicode_map.850 is
an incorrect size for a unicode map file (size=0).
load_unicode_map: file
/usr/local/samba/lib/codepages/unicode_map.ISO8859-1 is an incorrect
size for a unicode map file (size=0).
smbsh$ cd
smbsh$ cd /
smbsh$ ls -l
load_client_codepage: file /usr/local/samba/lib/codepages/codepage.850
is an incorrect size for a code page file (size=0).
load_unicode_map: file /usr/local/samba/lib/codepages/unicode_map.850 is
an incorrect size for a unicode map file (size=0).
load_unicode_map: file
/usr/local/samba/lib/codepages/unicode_map.ISO8859-1 is an incorrect
size for a unicode map file (size=0).
ls: error while loading shared libraries:
/usr/local/samba/bin/smbwrapper.so: undefined symbol: real_readdir64
smbsh$

And I cannot do anything but exit!

Please, could you help me!!!?

Thank you in advance.

Bye.

Pedro Parrilla Jimena  Prodys S. L.
R&D,Embedded Systems   Trigo,54
e-mail:[EMAIL PROTECTED] Leganes(Madrid)







[Samba] domain-logons : w2k clients complains about still existant machines

2003-09-11 Thread Marc Schoechlin
Hi !

I have problems with samba3.0.0-rc3 to get domain-access :-(

Joining the domain (after doing a successful smbpasswd -a -m ) 
with the user "root" works well, but after I
reboot the Win2K workstation I get a message on this machine which
says that another computer is also using this name.

The logfile of the win2k workstation also says that an IP address conflict
is present.

So I tried out another win2k machine (with another name) - but the
problem also appears on this machine.

I'm currently logging at log level 3 - but there are no messages which
suggest errors. (log.smbd, log.nmbd, log.)

In which sequence should I start the different daemons ?

I am currently starting "nmbd; smbd".

My configuration is:
--
[global]
   workgroup = UML
   admin users = root
   server string = Samba Server
   log level = 3
   load printers = yes
   log file = /usr/local/samba/var/log.%m
   max log size = 50
   security = user
   encrypt passwords = yes

   socket options = TCP_NODELAY
   local master = no
   os level = 80
   domain master = yes
   preferred master = yes
   domain logons = yes
   local master = yes
   os level = 65
   nt acl support = yes
 [homes]
   comment = Home Directories
   browseable = no
   writable = yes
 [netlogon]
   comment = Network Logon Service
   path = /usr/local/samba/lib/netlogon
   guest ok = yes
   writable = no
[Profiles]
path = /usr/local/samba/profiles
browseable = no
guest ok = yes
[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes
   public = yes
[public]
   comment = Public Stuff
   path = /serv/share
   public = yes
   writable = yes
   printable = no
   write list = @users
--

Best regards

Marc Schoechlin

-- 

Gruss / Best regards  |  LF.net GmbH|  fon +49 711 90074-413
Marc Schoechlin   |  Ruppmannstr. 27|  fax +49 711 90074-33
[EMAIL PROTECTED] |  D-70565 Stuttgart  |  http://www.lf.net


[Samba] samba-3 problem joining ws to domain

2003-09-11 Thread Rauno Tuul
Howdi,

I can't add a w2k workstation to samba3 domain with my username. If I add my
username to "admin users" list, then I can add the box to domain (but
overritten by euid). My goal is, that joining domain can be done without
using "admin users" option.

Groupmapping is done and works. When machine is in domain and log in, I get
full admin rights on that box. Removing the box from domain works anytime.
Error message in windows is: "Logon failure: invalid user name or bad
password".

In log files (debuglevel 10) appear such lines:
...
[2003/09/11 18:09:33, 5] lib/util_seaccess.c:se_access_check(331)
  se_access_check: access (211) denied.
[2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x0211)
...
[2003/09/11 18:09:33, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_create_user: access check ((granted: 0x0201;  required: 0x0010)
[2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x0201;  required: 0x0010)
...

When the user is in the admin users list, then this happens...
_samr_open_domain: ACCESS should be DENIED  (requested: 0x0211)
  but overritten by euid == sec_initial_uid()
... after that, access is granted.

What's wrong? Could someone please say what is wrong with my setup?

# smb.conf
passdb backend = ldapsam:ldaps://alfa.sf.lan, guest
delete user script = /usr/local/sbin/smbldap-userdel.pl %u
add group script = /usr/local/sbin/smbldap-groupadd.pl %g
add machine script = /usr/local/sbin/smbldap-computeradd.pl %u
ldap suffix = dc=ehk,dc=lan
ldap machine suffix = ou=Computers,dc=ehk,dc=lan,dc=ehk,dc=lan
ldap user suffix = ou=Users,dc=ehk,dc=lan,dc=ehk,dc=lan
ldap admin dn = cn=Manager,dc=ehk,dc=lan
force user = %U
force group = users

# 
Unix username:khk_rauno.tuul
User SID: S-1-5-21-1347305728-752463190-2852647101-3000
Primary Group SID:S-1-5-21-1347305728-752463190-2852647101-1443

# net groupmap list
Domain Users (S-1-5-21-1347305728-752463190-2852647101-513) -> domain_users
Users (S-1-5-21-1347305728-752463190-2852647101-1443) -> users
Domain Admins (S-1-5-21-1347305728-752463190-2852647101-512) -> domain_admins
Administrators (S-1-5-21-1347305728-752463190-2852647101-1441) -> administrators

#
domain_admins:x:200:khk_rauno.tuul
domain_users:x:201:khk_rauno.tuul
administrators:x:220:khk_rauno.tuul
users:x:221:
(these groups are stored in LDAP).

I attached also 2 log files with those messages.

Best regards,

 - Rauno Tuul -
 

...
[2003/09/11 18:09:33, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_open_domain: access check ((granted: 0x0030;  required: 0x0020)
[2003/09/11 18:09:33, 10] lib/util_seaccess.c:se_access_check(250)
  se_access_check: requested access 0x0211, for NT token with 15 entries and first sid S-1-5-21-1347305728-752463190-2852647101-3000.
[2003/09/11 18:09:33, 3] lib/util_seaccess.c:se_access_check(267)
[2003/09/11 18:09:33, 3] lib/util_seaccess.c:se_access_check(268)
  se_access_check: user sid is S-1-5-21-1347305728-752463190-2852647101-3000
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1443
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1427
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1431
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-513
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1447
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1449
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1451
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1407
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1409
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-512
  se_access_check: also S-1-5-21-1347305728-752463190-2852647101-1441
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20385, current desired = 211
  se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 10
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 10
[2003/09/11 18:09:33, 5] lib/util_seaccess.c:se_access_check(331)
  se_access_check: access (211) denied.
[2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x0211)
...
[2003/09/11 18:09:33, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_create_user: access check ((granted: 0x0201;  required: 0x0010)
[2003/09/11 18:09:33, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x0201;  required: 0x0010)
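
The trace above carries enough data to replay the check that ends in "required: 0x0010". The following is an added example, not Samba's code and not part of the original post: it parses the se_access_check lines and walks the ACL with a simplified NT access-check model. The function names and the deny-ACE handling are assumptions (the trace only contains allow ACEs).

```python
import re
from collections import namedtuple

# Lines from the debug-level-10 trace in the post above, with wrapped lines
# rejoined and timestamps dropped. D is the domain SID shown in the post.
D = "S-1-5-21-1347305728-752463190-2852647101"
SAMPLE_LOG = """\
se_access_check: requested access 0x0211, for NT token with 15 entries and first sid {d}-3000.
se_access_check: user sid is {d}-3000
se_access_check: also {d}-1443
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-11
se_access_check: also {d}-1427
se_access_check: also {d}-1431
se_access_check: also {d}-513
se_access_check: also {d}-1447
se_access_check: also {d}-1449
se_access_check: also {d}-1451
se_access_check: also {d}-1407
se_access_check: also {d}-1409
se_access_check: also {d}-512
se_access_check: also {d}-1441
se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask = 20385, current desired = 211
se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask = f07ff, current desired = 10
se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask = f07ff, current desired = 10
""".format(d=D)

Ace = namedtuple("Ace", "index type sid mask")
Result = namedtuple("Result", "allowed granted missing")

ACE_ALLOWED, ACE_DENIED = 0, 1  # the trace only contains type 0 (allow) ACEs

REQ_RE = re.compile(r"requested access 0x([0-9a-fA-F]+)")
SID_RE = re.compile(r"se_access_check: (?:user sid is|also) (S-[0-9-]+)")
ACE_RE = re.compile(
    r"ACE (\d+): type (\d+), flags = 0x[0-9a-fA-F]+, "
    r"SID = (S-[0-9-]+) mask = ([0-9a-fA-F]+)"
)


def parse_trace(text):
    """Return (desired mask, token SIDs in log order, ACL entries)."""
    m = REQ_RE.search(text)
    if m is None:
        raise ValueError("no 'requested access' line in trace")
    desired = int(m.group(1), 16)
    token = SID_RE.findall(text)
    aces = [Ace(int(i), int(t), sid, int(mask, 16))
            for i, t, sid, mask in ACE_RE.findall(text)]
    return desired, token, aces


def access_check(token, aces, desired):
    """Walk the ACL in order, clearing bits granted by matching allow ACEs."""
    sids = set(token)
    remaining = desired
    for ace in aces:
        if remaining == 0:
            break
        if ace.sid not in sids:
            continue  # ACE is for a SID the caller's token does not hold
        if ace.type == ACE_DENIED and (remaining & ace.mask):
            break  # assumed model: a matching deny on a needed bit ends the walk
        if ace.type == ACE_ALLOWED:
            remaining &= ~ace.mask
    return Result(remaining == 0, desired & ~remaining, remaining)


def sids_granting(aces, bits):
    """SIDs whose allow ACEs cover every bit in `bits`."""
    return [a.sid for a in aces
            if a.type == ACE_ALLOWED and (a.mask & bits) == bits]


if __name__ == "__main__":
    desired, token, aces = parse_trace(SAMPLE_LOG)
    res = access_check(token, aces, desired)
    print("requested 0x%04x granted 0x%04x missing 0x%04x allowed=%s"
          % (desired, res.granted, res.missing, res.allowed))
    for sid in sids_granting(aces, res.missing):
        print("  0x%04x is granted to %s (in token: %s)"
              % (res.missing, sid, sid in token))
```

Run against this trace it reports granted 0x0201 and missing 0x0010, the same values as the `_samr_create_user: ACCESS DENIED` line. The only ACEs carrying the missing bit are for S-1-5-32-544 and S-1-5-32-548, and neither SID appears in the logged token.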

[Samba] how can I be a domain admin in 3.0RC3 ?

2003-09-11 Thread Antoine Jacoutot
Hi !

I'm using samba-3.0RC3 as a PDC (for testing).
I'm using the ldap backend.
I created 1 user, 1 computer and some groups.
I mapped the unix groups domainadmins to "Domain admins" with 
my_personnal_sid-512.
I added my user to domainadmins.
I set "admin users = @domainadmins" in my smb.conf, but I still do not 
have domain admin rights on workstations :(

Any idea about what I did wrong ?
Thanks in advance.
Antoine



[Samba] Is anybody else having trouble with domain joins?

2003-09-11 Thread José Luis Tallón
Hi all.

We have a setup with a Samba PDC( Samba-3.0.0beta1, Linux Kernel 2.4.22-xfs 
), LDAPSAM( OpenLDAP 2.1.22 ).

Everything seems to be fine, however we are afraid we can get in trouble 
because of bugs which have been recently fixed in releases up to RC3, 
especially panics in multibyte conversion routines.
Upgrading to RC2 had the undesirable effect of making every attempt to join 
a computer to the domain result in a "could not locate user" error. 
Downgrading to beta1 returned the behaviour to normal.

Does anybody else have this problem? Suggestions, comments, whatever?
If the answer is no, I shall file a bug in Bugzilla, with as much info as I 
can provide.

Thanks in advance.

Best,
J.L.


[Samba] Testparm with two arguments in 3.0.0rc3

2003-09-11 Thread Jay Fenlason
What should testparm do if you provide only two arguments to it (a
config file and either an IP address or a hostname)?  According to the
manual page, it needs both a hostname and an IP address.  With the
3.0.0rc3 testparm, if you provide only two arguments, it ignores the
second one.  With the testparm in 2.2.7, it performed the access
testing, and possibly returned bogus results if a hostname was given,
but the access control was by IP address, or vice versa.

-- JF


Re: [Fwd: Re: [Samba] Samba writes in wrong file]

2003-09-11 Thread Markus Ungermann
Hi,

I have searched for typical Samba log entries ( [200[0123]/.\]' 
) and found more logfile entries in different files:

File: /home/markus/CUECards/markus ELZET80.bak  from 2003-05-07
[2003/05/07 15:07:52, 1] smbd/service.c:close_cnum(655)
  cheops (192.168.17.45) closed connection to service markus

File: /samba/arev/VERKAUF/REV28819.OV  from 2003-02-14
[2003/02/14 12:21:52, 1] smbd/service.c:make_connection(615)
  chui (192.168.17.55) connect to service main as user walter (uid=500, gid=101) (pid 26489)

File: /samba/main/Produktion-Programmer/Produktion_beipackzettel.wpd ???
[2003/02/28 12:48:21, 1] smbd/service.c:close_cnum(655)
  cheops (192.168.17.45) closed connection to service main
-> File can be opened by Wordperfect ??!!!

File: /samba/team/markus/mCAT-Freigaben/mcat-Freigabe_TSMCPU32H2CP_R108.wpd  from 2003-02-10
[2003/02/10 10:29:45, 2] smbd/open.c:open_file(216)
  markus opened file markus/mCAT-Freigaben/mcat-Freigabe_TSMCPU32H2CP_R108.wpd read=Yes write=Yes (numopen=2)
-> File can't be opened with Wordperfect

The Samba log under the filename appears inside the files.

You can see I have this problem at least from 2003-02-10.
The Problem: At this time I used Samba 2.2.3a-12 (Debian stable)
From 2003-04-07 I used Samba 2.2.8a

Jeremy Allison wrote:
> On Wed, Sep 10, 2003 at 06:17:43PM +0200, Markus Ungermann wrote:
>
> > Hello,
> >
> > I have this problem again.
> > I have samba logs, from log.smbd, inside my Wordperfect-Document:
> > [2003/09/09 16:42:33, 2] smbd/close.c:close_normal_file(229)
> >   markus closed file SftemBASIC/Testprogramme/2.9_Structure.b~RFf12cf7.TMP (numopen=4)
> > [2003/09/09 16:42:33, 2] smbd/open.c:open_file(246)
> >   markus opened file SftemBASIC/test/m3/M3/workbench/EMBWorkBench.exe read=Yes write=No (numopen=5)
> > [2003/09/09 16:42:33, 2] smbd/close.c:close_normal_file(229)
> >   markus closed file SftemBASIC/test/m3/M3/workbench/EMBWorkBench.exe (numopen=4)
> >  ä < ” ì D œ ô L ¤/ ÓÔ2  ÔÔ3
> >  
> >  ÔÓ
> > The last 3 lines are the Wordperfect lines. This is right, the samba logs before
> > are wrong.
>
> We've seen this on a couple of systems, SuSE and now Debian. We've
> never been able to reproduce it reliably. Our current best guess is
> it might be a glibc bug. What version of glibc do you have ?
> Can you reproduce this ? If so, can you get an strace ?
>
> Jeremy
--
Mit freundlichen Gruessen / Best regards
Markus Ungermann



RE: [Samba] Samba and CUPS Config Issue

2003-09-11 Thread Jason D. Lee
We have printing working from our Win2K clients, but the problem we have is
that, once a printer is mapped on the client, if we look at that printer in
the printers control panel, we don't see the comment or location fields as
having any data.  Since these fields are blank, our Win9x clients won't be
able to map to any printers on this box, as they apparently depend on the
comment field from the print server.  What we can't figure out is why the
comment fields are showing up blank after mapping the printer (if you browse
the printers, all the comments are there, though) and how to make them show
up.  Any ideas where we're missing something?  Thanks for your help. :)

-- 
Jason Lee - Programmer
Hobby Lobby Stores, Inc.



-Original Message-
From: John H Terpstra [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 3:13 PM
To: Jason D. Lee
Cc: '[EMAIL PROTECTED]'
Subject: RE: [Samba] Samba and CUPS Config Issue


On Wed, 10 Sep 2003, Jason D. Lee wrote:

> No takers.  Shoot.  Is this a better question for the CUPS group?  I'm more
> than happy to go elsewhere if I need to.  I don't want to be obnoxious. ;)
> Thanks!

If this is not sufficiently covered in the CUPS chapter in the
Samba-HOWTO-Collection.pdf that ships with Samba-3.0.0RC3 please let me
know. There are links to this document on the Samba web site under
documentation.

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


[Samba] security = share and smbclient

2003-09-11 Thread Jay Fenlason
Using the following config file, the command

smbclient //share/name -U user

returns an error code of instead of working

tree connect failed: SUCCESS - 0

-
# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2003/09/10 17:54:56

# Global parameters
[global]
workgroup = MYGROUP
server string = Samba Server
security = SHARE
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
client lanman auth = No
client plaintext auth = No
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = Yes
domain master = Yes
dns proxy = No
printing = cups

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0664
directory mask = 0775

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[stylus]
path = /var/spool/samba
read only = No
printable = Yes
printer name = stylus
browseable = No
oplocks = No

[deskjet-duplex]
path = /var/spool/samba
read only = No
guest ok = Yes
printable = Yes
printer name = deskjet-duplex
oplocks = No


[Samba] nmbd -n option is ignored in samba-3.0.0rc3?

2003-09-11 Thread Jay Fenlason
One of my users is reporting that his Samba configuration is behaving
differently now that I've upgraded to 3.0.0rc3.  He is using nmbd -n
to set the netbios name of the machine.  With samba-2.2.x, this worked
as he expected, and the machine name seen when browsing from Windows
clients was the name he set with -n.  With 3.0.0rc3, the machine name
reverts to the hostname of the machine.  Using "netbios name = " in
the smb.conf file works as expected with 3.0.0rc3.

-- JF


[Samba] check if drive letters are occupied by novell

2003-09-11 Thread Marcus Schopen
Hi,

I use Samba's root preexec functionality to create dynamic logon scripts:

root preexec = /usr/local/samba/install/bin/make_logon_script
'%m' '%U' '%a' '%g' '%L'

How do I check, in the logon .bat script generated by make_logon_script, 
which is executed on the Windows clients, whether a drive letter is already 
occupied by Novell? The logon.bat script should then select the next 
free drive letter for the samba share. Possible?

Thanks,
Marcus


Re: [Samba] Please release an rc4 ..

2003-09-11 Thread Jeremy Allison
On Thu, Sep 11, 2003 at 04:17:09PM +0200, david de leeuw wrote:
> To the samba team,
> 
> Our samba 3.0 rc2 ran into troubles
> (lots of panics, probably caused by trouble with the domain)
> 
> I tried the 3.0 rc3, but it crashes on all our hebrew docs with
> 
> "OOPS - tried to store stat cache entry for werid length paths " etc.
> 
> As apparently there is a patch for the German umlaut, it might solve this
> bug as well.
> The whole issue of UNICODE file and directory names should be carefully
> tested ..

It's planned. I think I've fixed all these issues in CVS btw.

Jeremy.


Re: [Samba] Re: Accessing Samba Shares with AD usernames

2003-09-11 Thread Tom Dickson
Have you looked at winbind? It allows you to not have to manually create
the Unix accounts, as it integrates with nsswitch.
-Tom

Lars Wiberg wrote:
| To follow up on this, I have been studying the documentation more
| intensively yesterday evening, and have concluded that the current release
| of Samba cannot do what I am trying to achieve.
|
| What I forgot to mention yesterday, was that there is to be no unix accounts
| on the Samba server, meaning the only user administration involved is from
| the Active Directory (AD), but after doing a more thorough studying of the
| documentation, this paragraph came up:
|
| "In the course of development of Samba-3, a number of requests were received
| to provide the ability to migrate MS Windows NT4 SAM accounts to Samba-3
| without the need to provide matching UNIX/Linux accounts. We called this the
| Non UNIX Accounts (NUA) capability. The intent was that an administrator
| could decide to use the tdbsam backend and by simply specifying passdb
| backend = tdbsam_nua this would allow Samba-3 to implement a solution that
| did not use UNIX accounts per se. Late in the development cycle, the team
| doing this work hit upon some obstacles that prevents this solution from
| being used. Given the delays with Samba-3 release a decision was made to NOT
| deliver this functionality until a better method of recognising NT Group
| SIDs from NT User SIDs could be found. This feature may thus return during
| the life cycle for the Samba-3 series."
|
| If I understand that paragraph correctly, it is currently not possible to
| authenticate users on a Samba server solely from an Active Directory. The
| only possible way is to create unix accounts on the Samba server - which
| means more user administration.
|
| Thank you all, for your input.
|
| Can anybody from the Samba team tell me how far into the horizon I have to
| look for this feature? From the documentation, it seems to me that a lot of
| work has gone into this already.
|


[Samba] samba 3.0 with ldap / sambaSID

2003-09-11 Thread Wiktor Wodecki
Hello,

I'm looking for a way to convert my company's existing samba2.2 ldap
backed service to samba 3.0. What's particularly making me curious is the
sambaSID. As I've read it is the unique identifier of a PDC in the
windows world. So, how does samba3 generate this? Is it supposed to be
changed by the admin or is it determined by samba on the first startup?
Any pointer to a doc describing this in more depth would be appreciated.

Thank You,

-- 
Regards,

Wiktor Wodecki



[Samba] Please release an rc4 ..

2003-09-11 Thread david de leeuw
To the samba team,

Our samba 3.0 rc2 ran into troubles
(lots of panics, probably caused by trouble with the domain)

I tried the 3.0 rc3, but it crashes on all our hebrew docs with

"OOPS - tried to store stat cache entry for werid length paths " etc.

As apparently there is a patch for the German umlaut, it might solve this
bug as well.
The whole issue of UNICODE file and directory names should be carefully
tested ..

Thanks


David de Leeuw


- Original Message - 
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 11, 2003 4:10 PM
Subject: [Samba] samba samba-3.0.0rc3 make install error


Hi all,

I am trying to compile samba-3.0.0rc3 on solaris9 x86
make install booms out with an error.

./configure --prefix=/data4/samba --with-profiling-data --with-quotas --with-sys-quotas --with-acl-support
make
make install



Installing bin/CP850.so as /data4/samba/lib/charset/CP850.so
Installing bin/CP437.so as /data4/samba/lib/charset/CP437.so
./install-sh -c bin/libsmbclient.so /data4/samba/lib
mksh: Fatal error: Cannot load command `./install-sh': Bad file number
Current working directory /data4/samba-3.0.0rc3/source
*** Error code 1 (ignored)
: bin/libsmbclient.a /data4/samba/lib
./install-sh -c /data4/samba-3.0.0rc3/source/include/libsmbclient.h
/data4/samba
/include
mksh: Fatal error: Cannot load command `./install-sh': Bad file number
Current working directory /data4/samba-3.0.0rc3/source
*** Error code 1 (ignored)

Any help is Appreciated
Eli


[Samba] samba samba-3.0.0rc3 make install error

2003-09-11 Thread elik
Hi all,

I am trying to compile samba-3.0.0rc3 on solaris9 x86
make install booms out with an error.

./configure --prefix=/data4/samba --with-profiling-data --with-quotas --with-sys-quotas --with-acl-support
make
make install



Installing bin/CP850.so as /data4/samba/lib/charset/CP850.so
Installing bin/CP437.so as /data4/samba/lib/charset/CP437.so
./install-sh -c bin/libsmbclient.so /data4/samba/lib
mksh: Fatal error: Cannot load command `./install-sh': Bad file number
Current working directory /data4/samba-3.0.0rc3/source
*** Error code 1 (ignored)
: bin/libsmbclient.a /data4/samba/lib
./install-sh -c /data4/samba-3.0.0rc3/source/include/libsmbclient.h /data4/samba
/include
mksh: Fatal error: Cannot load command `./install-sh': Bad file number
Current working directory /data4/samba-3.0.0rc3/source
*** Error code 1 (ignored)

Any help is Appreciated 
Eli


[Samba] Guest access

2003-09-11 Thread SerpentMage (Christian Gross)
I have been trying to get guest access to a share. 

My smb.conf is as follows...

[global]
   workgroup = DEVSPACE
   encrypt passwords = yes
[test]
   comment = my first share
   path = /home/temp
   read only = no
   guest ok = yes
   browseable = yes
   public = yes
   guest account = nobody
Then on one windows station I execute net view pluto and it works 
because the user that does the net view has been added to the smb.conf file.

Then on another windows station I execute net view pluto and I get 
System error 5 has occurred Access is denied because the user that is 
accessing the server is not known as a user on the network.  The user 
nobody has been added to the smb.conf file.  If I attempt to connect to 
the network share directly using net use x: \\pluto\test I get an error 
because it asks me for a user.

I looked at the documentation and have tweaked all the combinations of 
the setting guest ok to yes and no and to setting of public to yes and 
no.  Nothing seems to let the unknown user onto the machine.  Both 
Windows boxes are running W2K.

Thanks

Christian Gross



[Samba] samba(PDC, machine A) + LDAP (machine B)?

2003-09-11 Thread lskuo
Hello all,
  I am wondering if anyone successfully built samba PDC on
machine A and used LDAP on machine B for authentication?

  Because now before creating a samba account, one must
create a unix account, right?

  My goal is as follows:

1. Master LDAP (server A): responsible for the master copy
of the account information
2. Slave LDAP (server B): synchronizing the database with
the Master LDAP through LDAP's slurpd
3. Samba PDC server (server C): the option of the ldap
server is pointed to server B. 

Is it doable for current samba?
I am using FreeBSD 5.0

  If anyone knows how to do it, please instruct me in
details. Thank you very much.


Long-Sheng   Sep. 11, 03


[Samba] starting Cups

2003-09-11 Thread emma emma
can anyone pls tell me how to start Cups b4 starting
samba?

Thanks in anticipation.

Iyke



Re: [Samba] insufficient permissions to open spool file ........

2003-09-11 Thread iyke Adibe

Hi all,

I still have this persistent problem with my Printing.

Printer state:
Processing (accepting jobs)

and Error message from Log:
unable to connect to CUPS server localhost - Connection refused

Even though I have modified the smb.conf to include:

Interfaces = 127.0.0.1 194.180.75.90/255.255.255.0
bind interfaces only = yes
security = Share
Disable spoolss = yes

[hplaserjet8100]
Printcap name = cups
printing = Cups
use client driver = yes
Postscript = Yes

I'll appreciate any recommendations

Thanks

Iyke





[Samba] non-primary group permissions

2003-09-11 Thread Mike Dawson
Hi,

I have a problem that if I set a file or directory group owner, users 
that are members of this group can still not access it unless this is 
their primary group.

This is using samba 3.0rc3, all user and group info is coming from 
winbind and permissions work as expected when using a linux shell but 
not from a windows client.

The problem goes away if I use the 'force group' option on the share, 
but this still means that only one group can be of any use for that 
share.  Is this expected behaviour or is something going wrong?

Thanks
Mike



Re: [Samba] Simple configuration and not working.

2003-09-11 Thread Vincent . Badier

>I expect that getpwnam() failed for the user.  does
>
>getent passwd MYAD+mylogon
>
>succeed?


Sorry, I didn't answer this question:

no, this command didn't show anything to me:

#getent passwd MYAD+mylogon
#


Regards
vincent




Re: [Samba] Simple configuration and not working.

2003-09-11 Thread Vincent . Badier

>I would expect this to be 'security = ads'
>since you've specified a realm.

Yes you're right, I did it now.

>Does this apply to you?  (From WHATSNEW):
>
>Changes in Behavior
>- ---
>
>The following issues are known changes in behavior between Samba 2.2 and
>Samba 3.0 that may affect certain installations of Samba.
>
>1)  When operating as a member of a Windows domain, Samba 2.2 would
>map any users authenticated by the remote DC to the 'guest account'
>if a uid could not be obtained via the getpwnam() call.  Samba 3.0
>rejects the connection as NT_STATUS_LOGON_FAILURE.  There is no
>current work around to re-establish the 2.2 behavior.

I don't think so since I tried 2 remote connection attempts and auth seems
to succeed:

one from a remote linux client, and a log part:

# /usr/bin/smbclient //172.26.123.121/myshare -U mylogon -W MYAD
Password:
tree connect failed: NT_STATUS_ACCESS_DENIED

[2003/09/11 11:09:38, 2] auth/auth.c:check_ntlm_password(302)
 check_ntlm_password:  authentication for user [mylogon] -> [mylogon] -> ]
succeeded
[2003/09/11 11:09:38, 5] auth/auth_util.c:free_user_info(1185)
  attempting to free (and zero) a user_info structure
[2003/09/11 11:09:38, 10] auth/auth_util.c:free_user_info(1188)
  structure was created for mylogon
[2003/09/11 11:09:38, 3] smbd/password.c:register_vuid(207)
  User name:Real name:
[2003/09/11 11:09:38, 3] smbd/password.c:register_vuid(225)
  UNIX uid 0 is UNIX user, and will be vuid 100
[2003/09/11 11:09:38, 3] smbd/process.c:process_smb(890)
  Transaction 3 of length 104
[2003/09/11 11:09:38, 3] smbd/process.c:switch_message(685)
  switch message SMBtconX (pid 9247)
[2003/09/11 11:09:38, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/11 11:09:38, 2] smbd/service.c:make_connection_snum(384)
  user ' (from session setup) not permitted to access this share (myshare)
[2003/09/11 11:09:38, 3] smbd/error.c:error_packet(113)
  error packet at smbd/reply.c(274) cmd=117 (SMBtconX)
NT_STATUS_ACCESS_DENIED

Well, what I understand is that authentication succeeded, a free structure
was created, but it seems not to be populated (user name and real name
empty), so it is normal that user ' is not allowed to access the
share.
Am I wrong in my reasoning?

Another attempt, from a windows client now. Things are quite weird to me:

First, there is
Ticket name is [EMAIL PROTECTED]
and after another Ticket with the username. While I don't see any
authentication success or denial, I see that it attempts to see if the
username is in the group. Is the failure related to the bad username
entry in the struct?

[2003/09/11 11:45:40, 3] smbd/password.c:register_vuid(207)
  User name:^IReal name:
...
[2003/09/11 11:45:40, 0] lib/username.c:user_in_winbind_group_list(339)
  user_in_winbind_group_list: nametogid for group MYAD+SEC_GLOBAL_GROUP
failed.
[2003/09/11 11:45:40, 0] lib/username.c:user_in_winbind_group_list(339)
  user_in_winbind_group_list: nametogid for group
MYAD+SEC_ANOTHER_GLOBAL_GROUP failed.
[2003/09/11 11:45:40, 0] lib/username.c:user_in_winbind_group_list(339)
  user_in_winbind_group_list: nametogid for group MYAD+THIRD_GLOBAL_GROUP
failed.
[2003/09/11 11:45:40, 2] smbd/service.c:make_connection_snum(384)
  user ' (from session setup) not permitted to access this share
(secondshare)


I obviously checked that permissions are set on the filesystem as well as
the user account membership to global groups.
Doing those tests seems to tell me that auth is working, but there is still
a small thing that doesn't work in my case.
If needed, I can provide the complete log for each of these tests.


Thanks again for your help
Vincent
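
The correlation described in the message above (authentication succeeds, the session's UNIX user name is empty, the tree connect is then refused), as an added example that is not part of the original post: a parser for smbd debug-log entries run over a constructed sample modelled on the excerpts quoted in the thread. The function names and the sample log are assumptions made for this illustration.

```python
import re

# Constructed sample, modelled on the smbd excerpts quoted in the thread:
# a header line, then message lines (one is mail-wrapped without indent).
SAMPLE_LOG = """\
[2003/09/11 11:09:38, 2] auth/auth.c:check_ntlm_password(302)
  check_ntlm_password:  authentication for user [mylogon] -> [mylogon] -> []
succeeded
[2003/09/11 11:09:38, 3] smbd/password.c:register_vuid(207)
  User name:\tReal name:
[2003/09/11 11:09:38, 2] smbd/service.c:make_connection_snum(384)
  user '' (from session setup) not permitted to access this share (myshare)
[2003/09/11 11:12:05, 2] auth/auth.c:check_ntlm_password(302)
  check_ntlm_password:  authentication for user [otheruser] -> [otheruser] -> [otheruser] succeeded
[2003/09/11 11:12:05, 3] smbd/password.c:register_vuid(207)
  User name: otheruser\tReal name: Other User
[2003/09/11 11:12:05, 2] smbd/service.c:make_connection_snum(384)
  user 'otheruser' (from session setup) not permitted to access this share (myshare)
"""

HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(?P<level>\d+)\] "
    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
AUTH_OK = re.compile(r"authentication for user \[(?P<user>[^\]]*)\].*succeeded")
VUID_NAME = re.compile(r"User name:\s*(?P<unix>\S*?)\s*Real name:")
DENIED = re.compile(
    r"user '(?P<unix>[^']*)'? \(from session setup\) "
    r"not permitted to access this share \((?P<share>[^)]+)\)"
)


def parse_entries(text):
    """Split a log into entries: one header plus its joined message lines."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            # Continuation (or mail-wrapped fragment) of the previous entry.
            last = entries[-1]
            last["msg"] = (last["msg"] + " " + raw.strip()).strip()
    return entries


def find_unmapped_sessions(entries):
    """Flag share denials where the session carries an empty UNIX user name.

    Correlation is sequential, so it assumes the log holds one client's
    session at a time; an ordinary denial of a mapped user is not flagged.
    """
    findings, auth_user, unix_name = [], None, None
    for e in entries:
        if e["func"] == "check_ntlm_password":
            m = AUTH_OK.search(e["msg"])
            if m:
                auth_user, unix_name = m.group("user"), None
        elif e["func"] == "register_vuid":
            m = VUID_NAME.search(e["msg"])
            if m:
                unix_name = m.group("unix")
        elif e["func"] == "make_connection_snum":
            m = DENIED.search(e["msg"])
            if m and not m.group("unix"):
                findings.append({
                    "ts": e["ts"],
                    "auth_user": auth_user,        # None if no NTLM auth line seen
                    "unix_name": unix_name or "",  # what register_vuid reported
                    "share": m.group("share"),
                })
    return findings


if __name__ == "__main__":
    for f in find_unmapped_sessions(parse_entries(SAMPLE_LOG)):
        print(f)
```
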




[Samba] more roaming profile woes after upgrading to 2.2.8a

2003-09-11 Thread Andre de Koning
I upgraded one of my samba boxes to 2.2.8a after all kinds of problems with
roaming profiles not loading correctly.

Everybody can now log in (as long as the w2k machine has sp3 or newer) but I
still get the following error:

Cannot start microsoft outlook.

This happens on w2k prof and on my w2k terminal servers.  I could fix the
workstations by adding their user account to the local administrators group
but I cannot do this on terminal server.  Does anybody know of a solution.

What's sort of strange is that it all worked 100% before - all I changed was
the samba version from 2.2.3 then 2.2.5 and now 2.2.8a - the error sounds
w2k related but I did not change anything there.  The machine SID did change
so I had to load sp3 on the machines that did not yet have it and had to
rejoin all the machines (340 of them) on the domain.  I tried sp4 but same
problem.
André de Koning
IT Manager
Softline VIP Payroll
Tel: +27 12 420 7000
[EMAIL PROTECTED]



[Samba] Re: Accessing Samba Shares with AD usernames

2003-09-11 Thread Lars Wiberg
To follow up on this, I have been studying the documentation more
intensively yesterday evening, and have concluded that the current release
of Samba cannot do what I am trying to achieve.

What I forgot to mention yesterday, was that there is to be no unix accounts
on the Samba server, meaning the only user administration involved is from
the Active Directory (AD), but after doing a more thorough studying of the
documentation, this paragraph came up:

"In the course of development of Samba-3, a number of requests were received
to provide the ability to migrate MS Windows NT4 SAM accounts to Samba-3
without the need to provide matching UNIX/Linux accounts. We called this the
Non UNIX Accounts (NUA) capability. The intent was that an administrator
could decide to use the tdbsam backend and by simply specifying passdb
backend = tdbsam_nua this would allow Samba-3 to implement a solution that
did not use UNIX accounts per se. Late in the development cycle, the team
doing this work hit upon some obstacles that prevents this solution from
being used. Given the delays with Samba-3 release a decision was made to NOT
deliver this functionality until a better method of recognising NT Group
SIDs from NT User SIDs could be found. This feature may thus return during
the life cycle for the Samba-3 series."

If I understand that paragraph correctly, it is currently not possible to
authenticate users on a Samba server solely from an Active Directory. The
only possible way is to create unix accounts on the Samba server - which
means more user administration.

Thank you all, for your input.

Can anybody from the Samba team tell me how far into the horizon I have to
look for this feature? From the documentation, it seems to me that a lot of
work has gone into this already.

-- 
Lars Wiberg

"Lars Wiberg" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> I'm sorry if this post came through already ...
>
> Hi,
>
> I'm working on a project where the plan is to place a number of Samba
> servers on different locations as file and print servers. The samba server
> is supposed to be a part of the AD, which is easily done, but the samba
> servers are to contain a number of shares that only people with a valid
> logon on the AD will be able to access.
>
> How can this be achieved? Do I have to promote each Samba server to become a
> Domain Controller and create a trust between the DC and the Samba DC? I'm
> hoping there is a way to make Samba check the login on the DC and based on
> that give access to the share.
>
> I hope I am being clear enough.
>
> In short: An AD user wishes to access a Samba share, but needs to be
> authenticated somehow.
>
> I hope you can help me out.
>
> -- 
> Lars Wiberg
>


Re: [Samba] OT: Win2k ts - cannot start microsft outlook

2003-09-11 Thread kurt weiss


Andre de Koning wrote:

> This is off-topic so please let me know if it is inappropriate.  I thought
> i'd post here as a lot of people on the list seem to be using samba with ms
> terminal server.
> I have profile problem ito roaming profiles from my samba dc not loading
> when you log onto w2k terminal server.
> I reloaded one of the servers, installed sp4 and installed ms office 2000
> using the termsrvr.mst file.
> When a normal user now logs in it says : Cannot start microsoft outlook.
> If I add that user to the administrators group it works fine.
> It looks like it's trying to create registry entries in the global registry
> instead of that specific user's registry file that is saved in his profile.

if it's in the global section or else, - maybe...
u can modify access rights to the registry with regedt32.
give the office keys free for all users, so u'll see if it's right...

> I had this on NT4 t/s but can't remember the solution and M$ is, as usual,
> not very helpful.

maybe this will help:
http://support.microsoft.com/default.aspx?scid=kb;en-us;222303
how sensible this security system is, u can think yourself. ;-)

> Does anybody have the solution for this?
> André de Koning
> IT Manager
> Softline VIP Payroll
> Tel: +27 12 420 7000
> [EMAIL PROTECTED]



Re: [Fwd: Re: [Samba] Samba writes in wrong file]

2003-09-11 Thread Markus Ungermann
Jeremy Allison wrote:

> On Wed, Sep 10, 2003 at 06:17:43PM +0200, Markus Ungermann wrote:
>
>> Hello,
>>
>> i have this problem again.
>> I have samba logs, from log.smbd, inside my Wordperfect-Document:
>> [2003/09/09 16:42:33, 2] smbd/close.c:close_normal_file(229)
>>   markus closed file SftemBASIC/Testprogramme/2.9_Structure.b~RFf12cf7.TMP
>> (numopen=4)
>> [2003/09/09 16:42:33, 2] smbd/open.c:open_file(246)
>>   markus opened file SftemBASIC/test/m3/M3/workbench/EMBWorkBench.exe read=Yes
>> write=No (numopen=5)
>> [2003/09/09 16:42:33, 2] smbd/close.c:close_normal_file(229)
>>   markus closed file SftemBASIC/test/m3/M3/workbench/EMBWorkBench.exe (numopen=4)
>>  ä < ” ì D œ ô L ¤/ ÓÔ2  ÔÔ3
>>  
>>  ÔÓ
>> The last 3 Lines are the Wordperfect lines. This is right, the samba logs before
>> are wrong.
>
> We've seen this on a couple of systems, SuSE and now Debian. We've
> never been able to reproduce it reliably. Our current best guess is
> it might be a glibc bug. What version of glibc do you have ?

glibc 2.2.5. The Woody-Stable.
Kernel 2.4.21 self-compiled

> Can you reproduce this ?

No, sorry I can't. But I try to reproduce it on the Reserve-System.

> If so, can you get an strace ?

Sorry, if the error occurs I have no real logs. The only thing I saw is this:

[2003/09/09 16:08:02, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No 
(numopen=4)
[2003/09/09 16:08:02, 2] smbd/close.c:close_normal_file(229)
  markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=3)
[2003/09/09 16:08:02, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=Yes 
(numopen=4)
[2003/09/09 16:08:02, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No 
(numopen=5)
[2003/09/09 16:08:02, 2] smbd/close.c:close_normal_file(229)
  markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4)

Then i opened the file next day, and then it was destroyed:

[2003/09/10 13:36:57, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=Yes 
(numopen=4)
[2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229)
  markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=3)
[2003/09/10 13:36:57, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=Yes 
(numopen=4)
[2003/09/10 13:36:57, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No 
(numopen=5)
[2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229)
  markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4)
[2003/09/10 13:36:57, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No 
(numopen=5)
[2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229)
  markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4)
[2003/09/10 13:36:57, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No 
(numopen=5)
[2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229)
  markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4)
[2003/09/10 13:36:57, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No 
(numopen=5)
[2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229)
  markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4)
[2003/09/10 13:36:57, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No 
(numopen=5)
[2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229)
  markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4)
[2003/09/10 13:36:57, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No 
(numopen=5)
[2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229)
  markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4)
[2003/09/10 13:36:57, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No 
(numopen=5)
[2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229)
  markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4)
[2003/09/10 13:36:57, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No 
(numopen=5)
[2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229)
  markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4)
[2003/09/10 13:36:57, 2] smbd/open.c:open_file(246)
  markus opened file SftemBASIC/Doku/Testprotokoll_M3.wpd read=Yes write=No 
(numopen=5)
[2003/09/10 13:36:57, 2] smbd/close.c:close_normal_file(229)
  markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=4)
[2003/09/10 13:37:02, 2] smbd/close.c:close_normal_file(229)
  markus closed file SftemBASIC/Doku/Testprotokoll_M3.wpd (numopen=3)

I found