Re: [Samba] Samba PDC and Win2k Client

2004-02-14 Thread L.R.Rodriguez
John,

Both machines have the default Digital Sign and Seal registry settings. 
'Silv' was able to join, whilst 'Plaid' was not. I did try, however, 
disabling the Sign and Seal settings in the security policy and rebooted 
the machine. Whilst 'Plaid' reported successfully joining the domain, it 
continues to report the missing machine account error during login attempts.

--Louis

John H Terpstra wrote:

> Rod,
>
> It sounds to me as if the machine that can not logon has
> DigitalSign'n'Seal enabled. You must turn this off with Samba-2.x.
> - John T.
>
> On Sat, 14 Feb 2004, L.R.Rodriguez wrote:
>
> > Quick Summary:
> > I am trying to join some Win2k (Service Pack 4) machines to a NT4 style
> > domain with a Samba PDC. One machine successfully joins the Samba
> > domain. One fails.

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] samba printing - help!

2004-02-14 Thread Jordan Thompson
Hi there,

My Mandrake server has been working fine for years, and I just
recently tried adding some rpms to get my squirrel mail updated. (Of
course I just removed my unneeded sound card at the same time, and also
found my /var was filling (fixed - printing still doesn't work), so I am
not sure what (if any) broke my system.) Any how... here are the
symptoms:

(1) I can access my shared samba directories from my windowze clients.
(2) I can access (see) my shared samba printers (they appear
as "ready" in the printers folder from my windoze machines.)
(3) I can print from linux (test page as well as documents)

(4a) (And here is the problem) when I try to print from my windoze
machines, either nothing happens (no warning, error, etc), I get a "A
StartDocPrinter call was not issued", or "Windows cannot print due
to a problem with the current printer setup. Try one of the
following:..." depending on the application.

(4b) When I check the windows queue for the printer, there is nothing
there.

(4c) When I try to print a test page (printer->properties->Print Test
Page), I get: "Test page failed to print. Would you like to view the
print trouble shooter for assistance? Unable to create a print job."

I am getting the same problem from both my windoze 2000 and xp
machines on two different printers, and the error comes back
instantly (no waiting for the server to make up its mind.)

Here is an excerpt from my smb.conf (hack and slash are the two
printers - what can I say, my kids and I are fans of the television
show Reboot):

[global]
log file = /var/log/samba/log.%m
guest account = guest
load printers = yes
passwd chat debug = Yes
ldap ssl = yes
status = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
null passwords = yes
map to guest = never
domain master = no
encrypt passwords = yes
hosts allow = 192.168.1.0/255.255.255.0
dead time = 0
password level = 0
wins support = no
dns proxy = No
netbios name = DOT
server string = Dot %v
printing = cups
unix password sync = no
workgroup = REBOOT
os level = 0
debug level = 0
security = user
preferred master = no
max log size = 50
use client driver = yes



[hack]
lpq command = cups -o %p
printer = hack
printable = yes
print command = lpr-cups -P %p -o raw %s -r
public = yes
path = /var/spool/samba
lprm command = cancel %p-%j
comment = hack Lexmark e210
guest ok = yes
print ok = yes

[slash]
printer = slash
lpq command = cups -o %p
printer name = slash
create mask = 0700
hide dot files = no
share modes = No
public = yes
lprm command = cancel %p-%j
root preexec close = no
oplocks = No
printable = yes
preexec close = no
print command = lpr-cups -P %p -o raw %s -r
inherit permissions = no
writable = yes
path = /var/spool/samba
comment = slash HP Deskjet 882C
use client driver = yes
guest ok = yes
print ok = yes


I tailed the /var/log/samba/log.phong (note phong is a windoze
client) and got:
[2004/02/10 12:10:20, 0] tdb/tdbutil.c:tdb_log(531)
tdb(/var/cache/samba/printing.tdb): rec_free_read bad magic 0x0 at offset=19056
[2004/02/10 12:10:20, 0] tdb/tdbutil.c:tdb_log(531)
tdb(/var/cache/samba/printing.tdb): rec_read bad magic 0x0 at offset=17964


Any help will be most appreciated.

Jordan

-- 
Jordan R. Thompson
Mail:[EMAIL PROTECTED]
Web:www.Jordan.ThompCo.com
Tel:(321) 777-8377
Cel:(321) 501-2259
Fax:(509) 267-5577






Re: [Samba] how to mount another persons home dir when using [homes]

2004-02-14 Thread Andrew Bartlett
On Sat, 2004-02-14 at 20:35, Heupink, Mourik Jan C. wrote:
> Dear list.
> 
> Using samba 3.0.2, exporting home directories to drives using [homes].
> 
> Suppose this scenario: an employee falls ill. Someone else has to take over
> this persons work. I want to give this NEW person access to the ill person's
> home directory. Homedirectories shares are created at logon time. Meaning
> that the share for the ill person currently does NOT exist (as he or she is
> at home, being ill, and samba has been restarted) so the new person CANNOT
> open the other persons home.
> 
> Is this true..? Or am I missing something..? And what would be a
> workaround..? Tried searching archives, but could find any similar
> questions.

Firstly, Samba will always honour filesystem permissions.  This means
that you would need to change those permissions first.

After that, then you can simply access \\server\sick_puppy much as you
already access \\server\well_person.  (You should never use
\\server\homes, always the 'per user' name due to nasty client
interactions).

Naturally, if you have 'valid users = %S', then this will get in your
way.  

Or you could just create a shared folder, and have things that are not
personal/private in there.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



[Samba] Book update "Samba-3 by Example"

2004-02-14 Thread John H Terpstra
Folks,

Since appearing on the LinuxShow this past week I have had emails asking
when the above book will be available. Patience will be rewarded. The book
can be pre-ordered from Amazon.Com today and will ship late March. It will
be available at the SambaXP conference in Goettingen, Germany on April
5th. That's a promise I fully intend to keep as my tutorial will use it as
the prime reference document.

For those wanting to know more about the SambaXP conference please refer
to:
http://www.sambaxp.org

The SambaXP Conference is an event you will not want to miss.

At a later date I will provide further information. At this time, the book
is on schedule.

Cheers,
John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] Sync win2k local user list with samba user list

2004-02-14 Thread Paul Espinosa
Well, I just went and tried Andrew Bartlett's suggestion.  Works like a
champ!

Guess I'm just used to not being able to nest groups.  heh

Thanks all,

Paul Espinosa

BTW

John,

Really getting a lot out of your book "The Official Samba-3 HOWTO and
Reference Guide".  I bought it for work and am planning on buying it for my
personal bookshelf.

.[ John H Terpstra wrote ]
|
| Sun, 15 Feb 2004 02:43:17 + (GMT)
|
| On Sat, 14 Feb 2004, Paul Espinosa wrote:
| 
| >
| > .[ John H Terpstra wrote ]
| > >
| > > Sun, 15 Feb 2004 01:36:08 + (GMT)
| > >
| > > On Sat, 14 Feb 2004 [EMAIL PROTECTED] wrote:
| > >
| > > > Hi all,
| > > >
| > > > I want to be able to at logon sync the windows 2000 userlist with
| > > > the samba user list, so that each user that is added to the samba
| > > > server is automatically added to each workstation with appropriate
| > > > permissions ie admin, power users, etc. Is it possible to do this
| > > > and if so how. I am running latest samba as PDC with roaming
| > > > profiles.
| > >
| > > Why in goodness name would you want to add accounts to workstations
| > > that already exist on the server? The whole purpose of having domain
| > > accounts is so that you do not need user accounts on the individual
| > > workstations.
| > >
| > > Baffled! 
| >
| > I think what he's saying is adding a local domain user to a box in
| > order to upgrade permissions.  In other words have "Bob" have a domain
| > logon, but also be able to be a local admin for the Windows box.
| 
| Doh! John T. Read it again next time! :(
| 
| As Andrew Bartlett has said, that's easy. Simply add the "Domain Users"
| group to your local Administrators group on each workstation.
| 
| Sorry - I should not shoot from the hip so fast.
| 
| >
| > >
| > > > Any help is greatly appreciated
| > >
| > > Avoid pain! Do NOT have local workstation accounts. Instead, use
| > > domain accounts.
| > >
| > >
| > > - John T.
| >
| > I would also like to know if this is possible as there is a lot of
| > software out there that still requires elevated privs to run on Windows
| > boxen.
| >
| > Paul Espinosa
| >
| >
| 
| Cheers,
| John T.


Re: [Samba] Sync win2k local user list with samba user list

2004-02-14 Thread John H Terpstra
On Sat, 14 Feb 2004, Paul Espinosa wrote:

>
> .[ John H Terpstra wrote ]
> >
> > Sun, 15 Feb 2004 01:36:08 + (GMT)
> >
> > On Sat, 14 Feb 2004 [EMAIL PROTECTED] wrote:
> >
> > > Hi all,
> > >
> > > I want to be able to at logon sync the windows 2000 userlist with the
> > > samba user list, so that each user that is added to the samba server is
> > > automatically added to each workstation with appropriate permissions ie
> > > admin, power users, etc. Is it possible to do this and if so how.
> > > I am running latest samba as PDC with roaming profiles.
> >
> > Why in goodness name would you want to add accounts to workstations that
> > already exist on the server? The whole purpose of having domain accounts
> > is so that you do not need user accounts on the individual workstations.
> >
> > Baffled! 
>
> I think what he's saying is adding a local domain user to a box in order
> to upgrade permissions.  In other words have "Bob" have a domain logon, but
> also be able to be a local admin for the Windows box.

Doh! John T. Read it again next time! :(

As Andrew Bartlett has said, that's easy. Simply add the "Domain Users"
group to your local Administrators group on each workstation.

Sorry - I should not shoot from the hip so fast.

>
> >
> > > Any help is greatly appreciated
> >
> > Avoid pain! Do NOT have local workstation accounts. Instead, use domain
> > accounts.
> >
> >
> > - John T.
>
> I would also like to know if this is possible as there is a lot of software
> out there that still requires elevated privs to run on Windows boxen.
>
> Paul Espinosa
>
>

Cheers,
John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] Sync win2k local user list with samba user list

2004-02-14 Thread Andrew Bartlett
On Sun, 2004-02-15 at 13:04, Paul Espinosa wrote:
> .[ John H Terpstra wrote ]
> >
> > Sun, 15 Feb 2004 01:36:08 + (GMT)
> >
> > On Sat, 14 Feb 2004 [EMAIL PROTECTED] wrote:
> > 
> > > Hi all,
> > >
> > > I want to be able to at logon sync the windows 2000 userlist with the
> > > samba user list, so that each user that is added to the samba server is
> > > automatically added to each workstation with appropriate permissions ie
> > > admin, power users, etc. Is it possible to do this and if so how.
> > > I am running latest samba as PDC with roaming profiles.
> > 
> > Why in goodness name would you want to add accounts to workstations that
> > already exist on the server? The whole purpose of having domain accounts
> > is so that you do not need user accounts on the individual workstations.
> > 
> > Baffled! 
> 
> I think what he's saying is adding a local domain user to a box in order
> to upgrade permissions.  In other words have "Bob" have a domain logon, but
> also be able to be a local admin for the Windows box.

Indeed, this is quite a common setup.

> > 
> > > Any help is greatly appreciated
> > 
> > Avoid pain! Do NOT have local workstation accounts. Instead, use domain
> > accounts.
> > 
> > 
> > - John T.
> 
> I would also like to know if this is possible as there is a lot of software
> out there that still requires elevated privs to run on Windows boxen.

Put each user in a domain group, and put that group into the local
'administrators' or 'power users' alias.  So far, I've done this with
the GUI.  It should be possible to do this with remote tools like
rpcclient, or with local scripting too.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: [Samba] Problem validating with LDAP and Samba3.0.1debian

2004-02-14 Thread Andrew Bartlett
On Sun, 2004-02-15 at 13:12, Torben Thomsen wrote:
> Hi,
> 
> I'm running openldap and samba3.0.1 from my debian system, but I have 
> used many many hours trying to get samba to validate users on the 
> ldap... And is now turning to the last resort ...


> access to attribute=userPassword
>  by dn="cn=admin,dc=login" write
>  by anonymous auth
>  by self write
>  by * none
> 
> access to dn.base="" by * read
> 
> access to *
>  by dn="cn=admin,dc=login" write
>  by * read

You should also restrict access to sambaNTpassword and sambaLMpassword,
but that's a matter for after this is working.

> Feb 14 21:04:54 compaq smbd[3754]: [2004/02/14 21:04:54, 0] 
> auth/auth_sam.c:check_sam_security(221)
> 
> Feb 14 21:04:54 compaq smbd[3754]:   check_sam_security: 
> make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

This means that the local unix user (the one with exactly the same name
as the Samba user) does not exist.

> So, it seems that the samba-backend recognizes the Administrator, with 
> the correct password, but still throws a NT_STATUS_NO_SUCH_USER
> 
> I suspect it has something to do with the unix-user sync, but i have no 
> idea, at the moment how to deal with this problem!

Populate LDAP with posixAccount attributes, and configure nss_ldap to
talk to the same ldap server.  This will allow 'getent passwd' to
succeed (showing your samba users), and Samba will then work.

> In the future i would like to sync the samba-user with the unix-user, 
> but there is still a LOONG way into the XP-pile before that problem has 
> priority

This is now your priority, as it is required to make it work :-)

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
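
Andrew Bartlett's remark about sambaNTpassword and sambaLMpassword can be checked against the posted access rules. The script below is an added example, not code from the thread or from Samba or OpenLDAP: it evaluates a simplified model of slapd's first-match rule ordering (exact DN comparison only, an assumption) for a constructed entry DN, and compares the posted rules with an assumed hardened variant that lists the two hash attributes alongside userPassword.

```python
import shlex

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
SENSITIVE = ["userPassword", "sambaLMPassword", "sambaNTPassword"]

# Constructed entry DN, built from the post's "ldap user suffix" and "ldap suffix".
ENTRY = "uid=Administrator,ou=people,dc=login"
ADMIN = "cn=admin,dc=login"          # the post's rootdn / "ldap admin dn"

# The access rules as posted in slapd.conf.
POSTED_ACL = """
access to attribute=userPassword
    by dn="cn=admin,dc=login" write
    by anonymous auth
    by self write
    by * none

access to dn.base="" by * read

access to *
    by dn="cn=admin,dc=login" write
    by * read
"""

# Assumed hardened variant (not from the thread): the Samba hash attributes
# join userPassword in the first rule, so they never reach "access to *".
HARDENED_ACL = POSTED_ACL.replace(
    "attribute=userPassword",
    "attribute=userPassword,sambaLMPassword,sambaNTPassword", 1)


def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    directives = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and directives:      # indented line continues a directive
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    rules = []
    for d in directives:
        tok = shlex.split(d)                     # also strips the quotes around DNs
        if [t.lower() for t in tok[:2]] != ["access", "to"]:
            continue
        what, rest = tok[2], tok[3:]
        clauses = []
        for i in range(0, len(rest), 3):
            by, who, level = rest[i:i + 3]
            if by.lower() != "by" or level not in LEVELS:
                raise ValueError("unsupported clause in: " + d)
            clauses.append((who, level))
        rules.append((what, clauses))
    return rules


def what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    key, _, value = what.partition("=")
    if key.lower() in ("attr", "attrs", "attribute"):
        return attr.lower() in [a.strip().lower() for a in value.split(",")]
    if key.lower() in ("dn.base", "dn.exact"):
        return value.lower() == entry_dn.lower()
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, reader_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return reader_dn is None
    if reader_dn is None:
        return False
    if who == "users":
        return True
    if who == "self":
        return reader_dn.lower() == entry_dn.lower()
    key, _, value = who.partition("=")
    if key.lower() in ("dn", "dn.base", "dn.exact"):   # simplification: exact match
        return reader_dn.lower() == value.lower()
    raise ValueError("unsupported <who>: " + who)


def access_level(rules, entry_dn, attr, reader_dn):
    """First matching <what> decides; inside it, first matching <who> decides."""
    for what, clauses in rules:
        if what_matches(what, entry_dn, attr):
            for who, level in clauses:
                if who_matches(who, reader_dn, entry_dn):
                    return level
            return "none"                        # implicit "by * none"
    return "none"                                # implicit "access to * by * none"


def readable_secrets(acl_text, entry_dn, reader_dn=None):
    """Password attributes the reader (None = anonymous) can read."""
    rules = parse_acl(acl_text)
    need = LEVELS.index("read")
    return [a for a in SENSITIVE
            if LEVELS.index(access_level(rules, entry_dn, a, reader_dn)) >= need]


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("hardened", HARDENED_ACL)):
        print(name, "anonymous can read:", readable_secrets(acl, ENTRY))
        print(name, "admin can read:", readable_secrets(acl, ENTRY, ADMIN))
```

The admin DN keeps write access in both variants, which Samba needs because it binds as the "ldap admin dn" to read and update the hashes.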



Re: [Samba] Problem validating with LDAP and Samba3.0.1debian

2004-02-14 Thread Torben Thomsen
boka wrote:
> Torben Thomsen wrote:
>
> > I'm running openldap and samba3.0.1 ...
>
> forget about 3.0.1 ! better use 3.0.0 or 3.0.2a

Oooops typo ... I meant using 3.0.2debian, and my problem is still real :)

cheers

/torben


Re: [Samba] Sync win2k local user list with samba user list

2004-02-14 Thread Paul Espinosa

.[ John H Terpstra wrote ]
>
> Sun, 15 Feb 2004 01:36:08 + (GMT)
>
> On Sat, 14 Feb 2004 [EMAIL PROTECTED] wrote:
> 
> > Hi all,
> >
> > I want to be able to at logon sync the windows 2000 userlist with the
> > samba user list, so that each user that is added to the samba server is
> > automatically added to each workstation with appropriate permissions ie
> > admin, power users, etc. Is it possible to do this and if so how.
> > I am running latest samba as PDC with roaming profiles.
> 
> Why in goodness name would you want to add accounts to workstations that
> already exist on the server? The whole purpose of having domain accounts
> is so that you do not need user accounts on the individual workstations.
> 
> Baffled! 

I think what he's saying is adding a local domain user to a box in order
to upgrade permissions.  In other words have "Bob" have a domain logon, but
also be able to be a local admin for the Windows box.

> 
> > Any help is greatly appreciated
> 
> Avoid pain! Do NOT have local workstation accounts. Instead, use domain
> accounts.
> 
> 
> - John T.

I would also like to know if this is possible as there is a lot of software
out there that still requires elevated privs to run on Windows boxen.

Paul Espinosa

-- 
"They that would give up freedom to obtain a little temporary
safety deserve neither freedom nor safety"

--Benjamin Franklin


Re: [Samba] Sync win2k local user list with samba user list

2004-02-14 Thread John H Terpstra
On Sat, 14 Feb 2004 [EMAIL PROTECTED] wrote:

> Hi all,
>
> I want to be able to at logon sync the windows 2000 userlist with the samba
> user list, so that each user that is added to the samba server is automatically
> added to each workstation with appropriate permissions ie admin, power users,
> etc. Is it possible to do this and if so how.
> I am running latest samba as PDC with roaming profiles.

Why in goodness name would you want to add accounts to workstations that
already exist on the server? The whole purpose of having domain accounts
is so that you do not need user accounts on the individual workstations.

Baffled! 

> Any help is greatly appreciated

Avoid pain! Do NOT have local workstation accounts. Instead, use domain
accounts.


- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


[Samba] Problem validating with LDAP and Samba3.0.1debian

2004-02-14 Thread Torben Thomsen
Hi,

I'm running openldap and samba3.0.1 from my debian system, but I have 
used many many hours trying to get samba to validate users on the 
ldap... And is now turning to the last resort ...

This is my configuration

__
the important lines in smb.conf looks like this...
--
[global]
   workgroup = SKOLE
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap suffix = dc=login
   ldap machine suffix = ou=machines
   ldap user suffix = ou=people
   ldap group suffix = ou=groups
   ldap admin dn = "cn=admin,dc=login"
   netbios name = thePri
   load printers = no
   security = user
   encrypt passwords = true
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = yes
   os level = 40
   domain master = yes
   preferred master = yes
   domain logons = yes
   wins support = yes
   dns proxy = no
___
slapd.conf look like this:
---
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
schemacheck on
pidfile     /var/run/slapd/slapd.pid
argsfile    /var/run/slapd.args
loglevel    256
modulepath  /usr/lib/ldap
moduleload  back_ldbm
database    ldbm
suffix      "dc=login"
rootdn      "cn=admin,dc=login"
rootpw  
directory   "/var/lib/ldap"
index       objectClass,uid,uidNumber,gidNumber,memberUid eq
lastmod     on
access to attribute=userPassword
    by dn="cn=admin,dc=login" write
    by anonymous auth
    by self write
    by * none

access to dn.base="" by * read

access to *
    by dn="cn=admin,dc=login" write
    by * read
_
/etc/ldap.conf
-
HOST 127.0.0.1
BASE dc=login
_
the samba.schema is copied from the samba 3.0.1 source 
(/examples/LDAP/samba.schema) and the ldap is populated with the 
populate tool from smb-tools, and i can see the ldap tree is working 
with lam(lam.sf.net), and create new users from here... a pdbedit -L 
reveals the users as well

the populate tool creates an Administrator, and when I do "smbpasswd 
Administrator" it looks like it succeeds, the values in sambaNTPassword 
change anyway...

THE PROBLEM:
I use the two cases to show my problem, one case with correct passw, and 
one with wrong passwd.

[EMAIL PROTECTED]:~$ smbclient -L localhost -U Administrator
Password: (CORRECT PASSWORD)
session setup failed: NT_STATUS_LOGON_FAILURE

The log for the above looks like this
-
Feb 14 21:04:54 compaq slapd[3739]: conn=8 op=2 SRCH base="dc=login" 
scope=2 filter="(&(uid=Administrator)(objectClass=sambaSamAccount))"

Feb 14 21:04:54 compaq slapd[3739]: conn=8 op=2 SRCH attr=uid uidNumber 
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange 
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn 
displayName sambaHomeDrive sambaHomePath sambaLogonScript 
sambaProfilePath description sambaUserWorkstations sambaSID 
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName 
objectClass sambaAcctFlags sambaMungedDial

Feb 14 21:04:54 compaq slapd[3739]: conn=8 op=2 SEARCH RESULT tag=101 
err=0 nentries=1 text=

Feb 14 21:04:54 compaq smbd[3754]: [2004/02/14 21:04:54, 0] 
auth/auth_sam.c:check_sam_security(221)

Feb 14 21:04:54 compaq smbd[3754]:   check_sam_security: 
make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

Feb 14 21:04:54 compaq slapd[3737]: conn=8 fd=9 closed
-
[EMAIL PROTECTED]:~$ smbclient -L localhost -U Administrator
Password: (WRONG PASSWORD)
session setup failed: NT_STATUS_LOGON_FAILURE
___
The log for the above looks like this
---
Feb 14 21:20:56 compaq slapd[3739]: conn=9 op=2 SRCH base="dc=login" 
scope=2 filter="(&(uid=Administrator)(objectClass=sambaSamAccount))"

Feb 14 21:20:56 compaq slapd[3739]: conn=9 op=2 SRCH attr=uid uidNumber 
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange 
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn 
displayName sambaHomeDrive sambaHomePath sambaLogonScript 
sambaProfilePath description sambaUserWorkstations sambaSID 
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName 
objectClass sambaAcctFlags sambaMungedDial

Feb 14 21:20:56 compaq slapd[3739]: conn=9 op=2 SEARCH RESULT tag=101 
err=0 nentries=1 text=

Feb 14 21:20:56 compaq slapd[3737]: conn=9 fd=9 closed
-


So, it seems that the samba-backend recognizes 
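
The two log excerpts above differ only in the smbd line, which Andrew Bartlett's reply on this page attributes to a missing unix account. The script below is an added example, not part of the original post or of Samba: it pairs each NT_STATUS_NO_SUCH_USER line with the preceding ldapsam search and checks the name through NSS, the lookup that 'getent passwd' performs. The sample log is constructed from the post's lines, unwrapped and shortened.

```python
import pwd
import re

# Constructed sample: the post's syslog lines for the correct-password attempt
# (conn=8) and the wrong-password attempt (conn=9), unwrapped and shortened.
SAMPLE_LOG = """\
Feb 14 21:04:54 compaq slapd[3739]: conn=8 op=2 SRCH base="dc=login" scope=2 filter="(&(uid=Administrator)(objectClass=sambaSamAccount))"
Feb 14 21:04:54 compaq slapd[3739]: conn=8 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 14 21:04:54 compaq smbd[3754]:   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
Feb 14 21:04:54 compaq slapd[3737]: conn=8 fd=9 closed
Feb 14 21:20:56 compaq slapd[3739]: conn=9 op=2 SRCH base="dc=login" scope=2 filter="(&(uid=Administrator)(objectClass=sambaSamAccount))"
Feb 14 21:20:56 compaq slapd[3739]: conn=9 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 14 21:20:56 compaq slapd[3737]: conn=9 fd=9 closed
"""

SEARCH = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) SRCH .*'
                    r'filter="\(&\(uid=([^)]+)\)\(objectClass=sambaSamAccount\)\)"')
RESULT = re.compile(r'slapd\[\d+\]: conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)')
NO_USER = re.compile(r"smbd\[\d+\]: .*failed with 'NT_STATUS_NO_SUCH_USER'")


def has_unix_account(name, lookup=pwd.getpwnam):
    """True if the name resolves through NSS, as 'getent passwd NAME' would."""
    try:
        lookup(name)
        return True
    except KeyError:
        return False


def diagnose(log_text, lookup=pwd.getpwnam):
    """Pair each NT_STATUS_NO_SUCH_USER with the ldapsam search before it."""
    pending = {}      # (conn, op) -> uid the search asked for
    last = None       # most recent completed search: (uid, nentries)
    findings = []
    for line in log_text.splitlines():
        m = SEARCH.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT.search(line)
        if m:
            uid = pending.pop((m.group(1), m.group(2)), None)
            if uid is not None:
                last = (uid, int(m.group(3)))
            continue
        if NO_USER.search(line) and last is not None:
            uid, nentries = last
            in_ldap = nentries > 0
            in_nss = has_unix_account(uid, lookup)
            if in_ldap and not in_nss:
                cause = "sambaSamAccount exists but no unix account resolves via NSS"
            elif not in_ldap:
                cause = "no sambaSamAccount entry in LDAP"
            else:
                cause = "account resolves now; re-test the logon"
            findings.append({"uid": uid, "in_ldap": in_ldap,
                             "in_nss": in_nss, "cause": cause})
            last = None
    return findings


if __name__ == "__main__":
    # Uses the real NSS configuration of the host it runs on.
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```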

[Samba] Sync win2k local user list with samba user list

2004-02-14 Thread et
Hi all,

I want to be able to at logon sync the windows 2000 userlist with the samba 
user list, so that each user that is added to the samba server is automatically 
added to each workstation with appropriate permissions ie admin, power users, 
etc. Is it possible to do this and if so how.
I am running latest samba as PDC with roaming profiles.

Any help is greatly appreciated

Regards

Will




Re: [Samba] Samba PDC and Win2k Client

2004-02-14 Thread John H Terpstra
Rod,

It sounds to me as if the machine that can not logon has
DigitalSign'n'Seal enabled. You must turn this off with Samba-2.x.

- John T.


On Sat, 14 Feb 2004, L.R.Rodriguez wrote:

> Quick Summary:
> I am trying to join some Win2k (Service Pack 4) machines to a NT4 style
> domain with a Samba PDC. One machine successfully joins the Samba
> domain. One fails.
>
> Current configuration:
>   SambaPDC:
> - FreeBSD 4.9-RELEASE
> - Samba 2.2.8a (from binary package)
>   Host1 (Silv):
> - Windows 2000 SP4 (5.00.2195)
>   Host2 (Plaid):
> - Windows 2000 SP4 (5.00.2195)
>   All machines are on the same network switch.
>   There are no other machines on the switch.
>   All connections are 100/Full Duplex..
>   All machines are in the 192.168.x.y subnet
>   SambaPDC is running bind9 with a fake zone (.error) for all
> machines and forwards all other DNS queries.
>   All machines use SambaPDC for DNS resolution.
>
>   smb.conf:
> [global]
>workgroup = SAMBAPDC
>hosts allow = 192.168.
>log file = /var/log/log.%m
>log level = 2
>max log size = 5
>security = user
>encrypt passwords = yes
>smb passwd file = /usr/local/private/smbpasswd
>domain master = yes
>preferred master = yes
>domain logons = yes
>
> Each machine has a user account (silv$, plaid$) in the
> passwd/master.passwd files. Each machine has an account in the smbpasswd
> file, created with 'smbpasswd -a -m [machine name]'. When I add 'silv'
> to the domain and reboot, I can log in to the domain. When I add 'plaid'
> to the domain and reboot, I cannot log in to the domain. I get the
> following error: "The system cannot log you on to the domain because the
> system's computer account in the domain is missing or the password is
> incorrect." I should stress that at no point during the process of
> adding 'plaid' to the domain did I get an error on 'plaid'. On
> SambaPDC, in the logfile for plaid, 'log.plaid', I see these two errors:
>
>  >[2004/02/14 17:39:11, 2] rpc_parse/parse_samr.c:samr_io_userinfo_ctr(6285)
>  >  samr_io_userinfo_ctr: unknown switch level 0x1a
>  >[2004/02/14 17:39:11, 0] rpc_server/srv_samr.c:api_samr_set_userinfo(670)
>  >  api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.
>
> I am at a loss. 'Silv' and 'plaid' should not be acting differently
> here. Can anyone suggest any courses of further investigation?
>
>
>
> Thanks,
>
> L.R.Rodriguez
>
>

-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] Re: Single Sign On

2004-02-14 Thread John H Terpstra
On Sat, 14 Feb 2004, Jamrock wrote:

> "Mani, Greg SPAWAR" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> >  We have a network of PCs running XP and servers running Win 2k and
> Win 2003.  User Account management is done with Active Directory (AD).  We
> want to add some Sun Solaris computers to this network.  One of the network
> guys said that Samba could be used as a single sign on solution for a
> network of Windows and Solaris computers.  He said that Samba 3.x provided
> the capability to use Active Directory to manage/synchronize the user
> accounts.  In other words, with Samba, the accounts on the AD server could
> be used when logging onto the Solaris computers, the Xp computers, and the
> Windows servers.

Samba-3 can be a full native Active Directory member server. Through the
use of winbind (as documented in the Samba-HOWTO-Collection - also
available as "The Official Samba-3 HOWTO and Reference Guide" book - see
Amazon.Com) you can use Active Directory user accounts to log onto the
Solaris client (domain member). If you want to do this you must configure
Samba (smb.conf), PAM (/etc/pam.conf) and NSS (/etc/nsswitch.conf) for
this to work.

>
> You did not specify how you wanted to use the Solaris machines.  Do you want
> to run Solaris applications on them or do you want them to be able to access
> shares on the Windows network?

I believe this was not intimated in the original question.

>
> Samba will allow your Unix/Linux machines to access Windows shares.  This
> happens because Samba uses the same SMB/CIFS protocol that Windows uses.

Yes, only through smbclient. Please note that smbfs (smbmount, smbumount,
et al.) are not part of Samba and are not supported on Solaris.

Samba is designed primarily to support access of UNIX resources from
Windows clients as if the UNIX server is a Windows 200x server.

>
> Single Sign On  (SSO) to me is a separate issue.  SSO allows you to have one
> database of usernames and passwords.  Users can access this database and be
> authenticated no matter which operating system they are using.

Correct. That is exactly what winbind permits. The question asked
originally was quite valid and on target. Samba winbind permits use of the
Windows (NT4 style or ADS style) accounts (users and groups) for
UNIX/Linux system logins.

>
> OpenLDAP is one of the user database backends that Samba 3.x can use.
>
> If you use an OpenLDAP database of usernames and passwords, Windows clients
> and Linux/Unix clients can use it for authentication.
>
> To do this you would need to use a Linux/Unix machine running Samba and
> OpenLDAP for authentication.

These comments are not relevant to the question asked.

> The Linux/Unix client's don't need Samba.  OpenLDAP can be used to replace
> the traditional password files that Linux/Unix machines use for user
> authentication.

Winbind permits the use of Windows domain accounts as if they were in
/etc/passwd (or any other password backend).

>
> The Windows clients need Samba and OpenLDAP.

Nope. Windows clients can use Windows domain accounts. :)
PS: I know I am splitting hairs here!

>
>  A Samba member server can authenticate against Active Directory,  However,
> Samba will not allow you to use Active Directory to authenticate the Solaris
> boxes.

Wrong! Samba through winbindd (a part of Samba) permits precisely this.

>
> This is my understanding of how the process works.  Perhaps John or Jerry
> would like to comment.

So I did chime in here.

Cheers,
John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


Re: [Samba] Unable to join ADS domain

2004-02-14 Thread Andrew Bartlett
On Thu, 2004-02-12 at 07:32, Joe Howell wrote:
> No bueno.  I changed the enctypes and took the "encrypt passwords=yes" out, but 
> still no reply and no computer account.
> 
> 
> [EMAIL PROTECTED] wrote:
> 
> 
> 
> 
> [libdefaults]
> default_realm =MYDOMAIN.COM
> clockskew = 300
> default_tkt_enctypes = des-cbc-crc
> default_tgs_enctypes = des-cbc-crc
> 
> 
> Change the enctypes to: des-cbc-crc as shown above. Also, if you do a
> testparam I'll bet that the encrypt passwords = yes entry is going to give
> you grief. Besides kerberos is encrypted anyway. Another thing to consider
> is flushing the NetBIOS cache on your wins and kdc server - don't know if
> this does anything, but it makes me feel better (nbtstat -R).

I'm sorry, but almost every piece of the above advice is incorrect.

encrypt passwords = yes is required for clients to contact us, as a
kerberised server.  When we contact AD (ie, in winbind) then we use
kerberos anyway.  (And at a protocol level, this is regarded as
encrypted passwords).

The enc types (for MIT 1.3.1) should be set to include
'arcfour-hmac-md5', as this is unsalted (removes name issues) and will
always allow the administrator to login, even if they have not changed
their password since AD was turned on.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: [Samba] Unable to join ADS domain

2004-02-14 Thread Andrew Bartlett
On Thu, 2004-02-12 at 08:20, Joe Howell wrote:
> Great site with wonderful information.  Unfortunately, it still don't work.
> 
> John Simovic <[EMAIL PROTECTED]> wrote:
> have a look at www.wlug.org.nz/ActiveDirectorySamba

Actually, this is another case where some good intentions have created a
most misleading site.  (The ktpass stuff is just bogus)

The correct documentation is in the Samba HOWTO collection.

http://www.samba.org/samba/docs/man/

and the main Samba documentation page:

http://www.samba.org/samba/docs/

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: [Samba] Creating computer account

2004-02-14 Thread Andrew Bartlett
On Fri, 2004-02-13 at 16:07, Juer Lee wrote:
> - Original Message -
> From: "Juer Lee" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, February 11, 2004 10:00 AM
> Subject: [Samba] Creating computer account
> 
> 
> Hi,
> 
> Can anybody confirm that I must have a user account of the AD who has rights
> to add a machine to the domain when joining Samba as a domain member in AD
> mode?
> Say, when I run command kinit [EMAIL PROTECTED], USERNAME must be a user who
> has rights to do that.
> I got the information above from the HOWTO of Samba-3.
> 
> While I found when I join a Win2000 workstation to a AD, I only need a
> common user account even he hasn't got the rights to assign create the
> computer account in the AD ( I am sure of this, also the account is in
> Domain Users group only )
> 
> Is this the limitation of Samba3? Though I don't think this is a problem.

Try a 'net rpc join' instead, but then you lose some of the ADS magic. 
But yes, because of the operations we perform on that account it is
a limitation of Samba 3.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



[Samba] Samba PDC and Win2k Client

2004-02-14 Thread L.R.Rodriguez
Quick Summary:
I am trying to join some Win2k (Service Pack 4) machines to a NT4 style 
domain with a Samba PDC. One machine successfully joins the Samba 
domain. One fails.

Current configuration:
 SambaPDC:
   - FreeBSD 4.9-RELEASE
   - Samba 2.2.8a (from binary package)
 Host1 (Silv):
   - Windows 2000 SP4 (5.00.2195)
 Host2 (Plaid):
   - Windows 2000 SP4 (5.00.2195)
 All machines are on the same network switch.
 There are no other machines on the switch.
 All connections are 100/Full Duplex..
 All machines are in the 192.168.x.y subnet
 SambaPDC is running bind9 with a fake zone (.error) for all 
machines and forwards all other DNS queries.
 All machines use SambaPDC for DNS resolution.

 smb.conf:
   [global]
     workgroup = SAMBAPDC
     hosts allow = 192.168.
     log file = /var/log/log.%m
     log level = 2
     max log size = 5
     security = user
     encrypt passwords = yes
     smb passwd file = /usr/local/private/smbpasswd
     domain master = yes
     preferred master = yes
     domain logons = yes

Each machine has a user account (silv$, plaid$) in the 
passwd/master.passwd files. Each machine has an account in the smbpasswd 
file, created with 'smbpasswd -a -m [machine name]'. When I add 'silv' 
to the domain and reboot, I can log in to the domain. When I add 'plaid' 
to the domain and reboot, I cannot log in to the domain. I get the 
following error: "The system cannot log you on to the domain because the 
system's computer account in the domain is missing or the password is 
incorrect." I should stress that at no point during the process of 
adding 'plaid' to the domain did I get an error on 'plaid'. On 
SambaPDC, in the logfile for plaid, 'log.plaid', I see these two errors:

>[2004/02/14 17:39:11, 2] rpc_parse/parse_samr.c:samr_io_userinfo_ctr(6285)
>  samr_io_userinfo_ctr: unknown switch level 0x1a
>[2004/02/14 17:39:11, 0] rpc_server/srv_samr.c:api_samr_set_userinfo(670)
>  api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.

I am at a loss. 'Silv' and 'plaid' should not be acting differently 
here. Can anyone suggest any courses of further investigation?



Thanks,

L.R.Rodriguez



[Samba] Re: Single Sign On

2004-02-14 Thread Jamrock
"Mani, Greg SPAWAR" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> We have a network of PCs running XP and servers running Win 2k and
> Win 2003.  User Account management is done with Active Directory (AD).  We
> want to add some Sun Solaris computers to this network.  One of the network
> guys said that Samba could be used as a single sign on solution for a
> network of Windows and Solaris computers.  He said that Samba 3.x provided
> the capability to use Active Directory to manage/synchronize the user
> accounts.  In other words, with Samba, the accounts on the AD server could
> be used when logging onto the Solaris computers, the XP computers, and the
> Windows servers.

You did not specify how you wanted to use the Solaris machines.  Do you want
to run Solaris applications on them or do you want them to be able to access
shares on the Windows network?

Samba will allow your Unix/Linux machines to access Windows shares.  This
happens because Samba uses the same SMB/CIFS protocol that Windows uses.

Single Sign On  (SSO) to me is a separate issue.  SSO allows you to have one
database of usernames and passwords.  Users can access this database and be
authenticated no matter which operating system they are using.

OpenLDAP is one of the user database backends that Samba 3.x can use.

If you use an OpenLDAP database of usernames and passwords, Windows clients
and Linux/Unix clients can use it for authentication.

To do this you would need to use a Linux/Unix machine running Samba and
OpenLDAP for authentication.

The Linux/Unix clients don't need Samba.  OpenLDAP can be used to replace
the traditional password files that Linux/Unix machines use for user
authentication.

The Windows clients need Samba and OpenLDAP.

A Samba member server can authenticate against Active Directory.  However,
Samba will not allow you to use Active Directory to authenticate the Solaris
boxes.

This is my understanding of how the process works.  Perhaps John or Jerry
would like to comment.





[Samba] is this bug or what - samba 3.0.2 - workaround

2004-02-14 Thread boka
Hi !

I made a workaround for this problem. I have moved all databases from 
/var/lib/samba to the /var/lib/samba_lock folder and added:

lock directory = /var/lib/samba_lock

to smb.conf, and it is working now - I can log into the domain, I can browse 
the machine list, etc., but in the logs I have many errors like this:

lut 14 23:46:31 codo smbd[13803]: [2004/02/14 23:46:31, 0, pid=13803, 
effective(1002, 221), real(1002, 0)] 
groupdb/mapping.c:get_group_from_gid(655)
lut 14 23:46:31 codo smbd[13803]:   failed to initialize group 
mappingget_alias_user_groups: gid of user boka doesn't exist. Check your 
/etc/passwd and /etc/group files

Perms in /var/lib/samba_lock are:

[EMAIL PROTECTED] samba_lock]# ls -l
razem 248
-rwxr-xr-x    1 root     root         8192 lut 14 23:20 account_policy.tdb
-rwxr-xr-x    1 root     root          696 lut 14 23:20 brlock.tdb
-rw-r--r--    1 root     root         3490 lut 14 23:53 browse.dat
-rwxr-xr-x    1 root     root        24576 lut 14 23:38 connections.tdb
-rwxr-xr-x    1 root     root         8192 lut 14 23:20 gencache.tdb
-rwxr-xr-x    1 root     root         8192 lut 14 23:34 group_mapping.tdb
-rwxr-xr-x    1 root     root         8192 lut 14 23:21 locking.tdb
-rwxr-xr-x    1 root     root          696 lut 14 23:20 messages.tdb
-rwxr-xr-x    1 root     root        60794 lut 14 23:10 namelist.debug
-rwxr-xr-x    1 root     root         8192 lut 14 23:10 netsamlogon_cache.tdb
-rwxr-xr-x    1 root     root         8192 lut 14 23:20 ntdrivers.tdb
-rwxr-xr-x    1 root     root          696 lut 14 23:20 ntforms.tdb
-rwxr-xr-x    1 root     root         8192 lut 14 23:20 ntprinters.tdb
drwxr-xr-x    2 root     root         4096 lut 14 23:10 printing
-rwxr-xr-x    1 root     root         8192 lut 14 23:20 registry.tdb
-rwxr-xr-x    1 root     root        24576 lut 14 23:30 sessionid.tdb
-rwxr-xr-x    1 root     root         8192 lut 14 23:20 share_info.tdb
-rwxr-xr-x    1 root     root            0 lut 14 23:10 sync.4466
-rwxr-xr-x    1 root     root        16384 lut 14 23:20 unexpected.tdb
-rw-r--r--    1 root     root        26672 lut 14 23:54 wins.dat

greetz
boka


Re: [Samba] SMBMount Not Recognizing File Locks

2004-02-14 Thread Andrew Bartlett
On Fri, 2004-02-13 at 03:39, Bob McLaren wrote:
> I'm trying to set up a "dropbox" application that will monitor a
> directory for newly created files and process them.  The problem I am
> having is that my linux process is not recognizing that a file is
> still being written to by another server.

> I have reviewed the manpage for smb.conf and there are plenty of
> directives that manage file locking.  But they all seem to pertain to
> the SMBD Server, not the client.

smbfs does not support locking.  The CIFS VFS does however, and is
included in the 2.6 linux kernel, or as a patch to 2.4.

http://www.samba.org/samba/Linux_CIFS_client.html

Andrew Bartlett
 
-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



[Samba] is this bug or what - samba 3.0.2

2004-02-14 Thread boka
Hi !

I had a working conf of samba 3.0.0 with ldap backend. After upgrading to 
3.0.2 I found a problem with the /var/lib/samba folder - wins not 
working, groupmapping etc.

Permissions to this folder and files inside should be 0755, but on my 
PDC machine this folder and files have 0644 rights. When I manually 
change permissions it starts working.

Do you have any patch for this?

greetz
boka


Re: [Samba] PDC+BDC+Filereplication_How?

2004-02-14 Thread Andrew Bartlett
On Sun, 2004-02-15 at 00:29, Gémes Géza wrote:
> Hi all,
> 
> Sorry for this general question, but I'd like to hear your opinion on
> this subject, but I'd like to set up a really working backup solution
> for my PDC, currently it uses NFS, so there are lots of issues: No ACLs,
> When NFS server goes down, everything fails.
> What method would you recommend for replicating folders, keeping
> existing ACLs (ability of manipulating that ACLs from Windows is not
> important) between Samba PDC-BDCs:
> - -Rsync+FAM based scripts

For things that should be static, but replicated (such as the netlogon
share), this sounds like the right solution.

> or
> - -Distributed filesystems:
>   -Coda
>   -Intermezzo
>   etc.
> 
> Thank you for ANY answer.

You cannot safely replicate files between two CIFS servers, unless you
also manage the locks and share modes.  A BDC is not a mirror of a PDC,
for file shares, only for the logon database.  Clustered CIFS is *hard*,
see recent discussions on samba-technical.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net



Re: [Samba] Writing to a ReExported NFS Share With A MAC

2004-02-14 Thread Rocky Olsen
I'm having this same problem with almost the exact same setup: a Debian
machine mounting a NetApp fileserver and re-exporting with Samba, with Mac
users being unable to mount, the same log errors, and the same solution. Is
there a better solution though? I'm assuming everything should be okay since
NFS will handle locking - but are there any advantages/disadvantages to this
solution?



On Wed, Feb 11, 2004 at 11:06:34AM -0600, Paul Thomas wrote:
> I ran into this problem and was unable to find a solution here or in 
> google.  Thought I'd post it to the list so maybe it'll help someone out in 
> the future.
> 
> Gentoo Linux running 2.4.22 and Samba 2.2.8a.  ReExporting an NFS mounted 
> share on a NetAPP fileserver connected to eth1 via samba out eth0.  All PCs 
> are able to write fine but when writing to the share via a mac using OSX 
> the MAC errored out with permission denied and the samba logs showed the 
> following
> 
> [2004/02/09 16:48:01, 0] locking/posix.c:posix_fcntl_lock(657) 
> posix_fcntl_lock: WARNING: lock request at offset 0, length 4294967295 
> returned
> [2004/02/09 16:48:01, 0] locking/posix.c:posix_fcntl_lock(658) an No locks 
> available error. This can happen when using 64 bit lock offsets
> [2004/02/09 16:48:01, 0] locking/posix.c:posix_fcntl_lock(659)  on 32 bit 
> NFS mounted file systems.
> 
> The solution I was able to come up with was to add "posix locking = no" to 
> the share in question.  If there is a better solution that I missed please 
> let me know but otherwise this has been working without a hitch so far.
> 
> Paul


-- 
__

what's with today, today?

Rocky Olsen [EMAIL PROTECTED]


Re: [Samba] Segfaults in Debian?

2004-02-14 Thread j2
Yeap, upgrading to 3.0.2 seem to have solved the problem. Thanks.


[Samba] PDC+BDC+Filereplication_How?

2004-02-14 Thread Gémes Géza
Hi all,

Sorry for this general question, but I'd like to hear your opinion on
this subject, but I'd like to set up a really working backup solution
for my PDC, currently it uses NFS, so there are lots of issues: No ACLs,
When NFS server goes down, everything fails.
What method would you recommend for replicating folders, keeping
existing ACLs (ability of manipulating that ACLs from Windows is not
important) between Samba PDC-BDCs:
- -Rsync+FAM based scripts
or
- -Distributed filesystems:
-Coda
-Intermezzo
etc.
Thank you for ANY answer.

Geza


Re: [Samba] NT4 Migration -> Samba 3.0.2a + LDAP

2004-02-14 Thread Andrew Bartlett
On Sat, 2004-02-14 at 20:18, Pirkka Luukkonen wrote:
> Hi!
> 
> How can I maintain users old NT RIDs while migrating to Samba PDC when they
> start from 1000. The RID to UID conversion algorithm is RID = 2 * UID + 1000
> so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix.
> Maintaining the old RIDs is essential for migrating on-the-fly, because
> re-adding hundreds of computers to domain and losing local user profiles is
> not an option.

Samba will first try to match names to SIDs via getpwnam().  

If you are concerned by the algorithmic assignment of SIDs conflicting
with the NT4 sids, then you might want to use 'algorithmic rid base =
' to 'push' the algorithmic RIDs higher.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
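The RID question and the 'algorithmic rid base' suggestion above, worked through as an added example that is not part of the original thread or of Samba: it applies the formula from the question (RID = 2 * UID + base), lists which migrated NT4 RIDs would land on an existing Unix account, and picks a base that moves the algorithmic range clear of them. All account names, RIDs and uids are constructed, and keeping the base even is an assumption made here so that user RIDs keep the same parity as in the thread's formula.

```python
RID_MULTIPLIER = 2        # from the thread: RID = 2 * UID + base
DEFAULT_RID_BASE = 1000   # base used in the thread's formula

# Constructed sample data: RIDs carried over from an NT4 domain ...
NT4_RIDS = {"alice": 1000, "bob": 1001, "carol": 1002, "dave": 1004}
# ... and accounts already present on the Unix host.
UNIX_USERS = {"root": 0, "daemon": 1, "bin": 2, "alice": 500, "bob": 501}


def uid_to_rid(uid, rid_base=DEFAULT_RID_BASE):
    """Algorithmic RID for a Unix uid."""
    return RID_MULTIPLIER * uid + rid_base


def rid_to_uid(rid, rid_base=DEFAULT_RID_BASE):
    """uid the algorithmic mapping assigns to this RID, or None if no uid maps to it."""
    offset = rid - rid_base
    if offset < 0 or offset % RID_MULTIPLIER:
        return None
    return offset // RID_MULTIPLIER


def find_collisions(nt4_rids, unix_users, rid_base=DEFAULT_RID_BASE):
    """Sorted (rid, nt4_account, unix_account) triples where a migrated RID
    is also the algorithmic RID of a different, existing Unix account."""
    name_by_uid = {uid: name for name, uid in unix_users.items()}
    hits = []
    for account, rid in nt4_rids.items():
        owner = name_by_uid.get(rid_to_uid(rid, rid_base))
        if owner is not None and owner != account:
            hits.append((rid, account, owner))
    return sorted(hits)


def minimal_safe_base(nt4_rids):
    """Smallest even base above every migrated RID, so uid 0 and up map past them.
    Keeping the base even is this example's assumption."""
    base = max(nt4_rids.values()) + 1
    return base + (base % 2)


if __name__ == "__main__":
    for rid, nt4_name, unix_name in find_collisions(NT4_RIDS, UNIX_USERS):
        print(f"RID {rid}: NT4 account {nt4_name!r} collides with Unix {unix_name!r}")
    base = minimal_safe_base(NT4_RIDS)
    print(f"algorithmic rid base = {base}")
    print("collisions after change:", find_collisions(NT4_RIDS, UNIX_USERS, base))
```

With the default base, the constructed NT4 user holding RID 1000 lands on uid 0, which is the root collision the question describes.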



Re: [Samba] Uid problems with linux kernel 2.6.1

2004-02-14 Thread Ryan Nowakowski
This issue can be solved by setting "unix_extensions = No" in your samba
conf file.

- Ryan


[Samba] how to mount another persons home dir when using [homes]

2004-02-14 Thread Heupink, Mourik Jan C.
Dear list.

Using samba 3.0.2, exporting home directories to drives using [homes].

Suppose this scenario: an employee falls ill. Someone else has to take over
this persons work. I want to give this NEW person access to the ill person's
home directory. Homedirectories shares are created at logon time. Meaning
that the share for the ill person currently does NOT exist (as he or she is
at home, being ill, and samba has been restarted) so the new person CANNOT
open the other persons home.

Is this true..? Or am I missing something..? And what would be a
workaround..? Tried searching archives, but could find any similar
questions.

Kindly yours,
Mourik Jan


[Samba] NT4 Migration -> Samba 3.0.2a + LDAP

2004-02-14 Thread Pirkka Luukkonen
Hi!

How can I maintain users old NT RIDs while migrating to Samba PDC when they
start from 1000. The RID to UID conversion algorithm is RID = 2 * UID + 1000
so the user with RID of 1000 would be root (0 * 2 + 1000 = 1000) on Unix.
Maintaining the old RIDs is essential for migrating on-the-fly, because
re-adding hundreds of computers to domain and losing local user profiles is
not an option.

Any help with this is appreciated!

--
Pirkka
