Re: [Samba] user can't shut down windows clients?

2004-03-15 Thread Gémes Géza
ksc133 wrote:
| dear sir,
|
| i have created a few users of the nobody group on my samba server.
| in my samba config, i listed root account as the domain admin group.
| when i logon to samba server, my root account can shutdown my windows
| client, can disconnect to domain etc etc...
| but when i logon as a user of the nobody group. i can't shutdown the
| windows client! the shutdown function is not there anymore!
| i don't want to list my restricted users as domain admin group.
| is there any way to get around this problem?
| thank Q!
|
Supposing that your group mapping is correct, something like this:
System Operators (S-1-5-32-549) - daemon
Replicators (S-1-5-32-552) - disk
Guests (S-1-5-32-546) - nogroup
Power Users (S-1-5-32-547) - wheel
Domain Users (S-1-5-21-4109351342-2997801466-301355879-513) - users
Print Operators (S-1-5-32-550) - lp
Administrators (S-1-5-32-544) - root
Domain Admins (S-1-5-21-4109351342-2997801466-301355879-512) - adm
Domain Guests (S-1-5-21-4109351342-2997801466-301355879-514) - nogroup
Account Operators (S-1-5-32-548) - adm
Backup Operators (S-1-5-32-551) - daemon
Users (S-1-5-32-545) - users
where S-1-5-21-4109351342-2997801466-301355879 is my test domain's domain
SID.
Your problem is Windows Policy related. Depending on your Windows OS
version it could be the domain policy file in your Netlogon share for
Win 9x/ME and NT4 (you should know about this if you were setting up
your Samba server ;-) ). More probably you suffer from a Windows 2000/XP
feature, called (I think) Local Policy. Probably you should go to each
Windows box and fire up the mmc plugin for managing those policies.
Good Luck!
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


[Samba] Nondeterministic share connect failures

2004-03-15 Thread Karel Kulhavy
Hello

I have a Samba PDC in domain KEVF_D4 called OBERON and a NT4
workstation NEPTUN in workgroup (not domain, workgroup) WORKGROUP

I tried to map \\oberon\linux from OBERON using smbclient
oberon\\linux -U username and gave password and it worked.

I tried to map \\oberon\linux from NEPTUN and 

1) got error message:
\\Oberon is not accessible.
Logon failure: the user has not been granted the requested logon type at
this computer. No share was mapped. Logged out and in and tried the same again
2) \\oberon\linux has been mapped without problems. Logged out and in
and tried the same again
3) the same error message, no share was mapped. Relogged, tried again
4) without problems
5) OK
6) OK
7) OK. Tried killing all killable connections with SWAT
(why can't I kill those IPC connections with SWAT?).
8) OK. Shutdown, RESET of the PC
9) the error message occurs when merely clicking on OBERON, preventing me
   even from clicking on the linux share. relogging.
10) OK
11) OK
12) OK. Rebooting
13) OK

How can I determine what I am doing wrong? I want to make it work all
the time, not just sometimes.

What does the error message mean? Does the user mean the user I am
logged in on NEPTUN or the remote user I am putting into the form when
connecting the drive?

Does this computer mean NEPTUN or OBERON?

The network is OK, no packetloss.

Cl


Re: [Samba] Roaming profiles on a small network

2004-03-15 Thread Matthew Easton
On Sunday 14 March 2004 05:20, Matt Janes wrote:
> I'm having
> great difficulty synching the data, email, etc on my laptop and desktop,
> so I thought I might configure samba to act as a DC and use roaming
> profiles to make sure that my data is always synched.  My question is this:
> is it worth the effort?

If you are using Outlook or Outlook Express for email, roaming profiles in 
their default configuration won't help you unless you are also doing all your 
mail via imap, (or perhaps running a corporate MS Exchange server).  That's 
because there is a hidden Local Settings folder in your profile that does 
not get synched with the server--- and that's where the email data store 
lives.  So you must move your outlook.pst file into My Documents or 
somewhere that DOES sync.  This can work with Outlook, but I'm not sure 
whether you can do this sort of thing with Outlook Express. And I don't know 
if this exposes you to a greater likelihood of data corruption down the line.  
Some other mail clients (Eudora for sure) will by default store data in a 
syncable location.

Roaming profiles can be annoying when your computers are very different from 
each other -- On one or the other machine, you may have startup items that 
generate error messages, and task bar shortcuts that don't work, for example.

In my experience, roaming profile users occasionally find that they are unable  
to download or upload their profiles due to 'file in use' errors, or filename 
weirdness (usually netscape cache files, but also favorites, or email 
attachments.)  As the administrator of your LAN, you will be able to resolve 
these issues by moving or renaming the offending files so you should consider 
this a minor inconvenience rather than a deal-killer.




[Samba] Problem with NT-Groups

2004-03-15 Thread Plant Thomas
Hello, 
I have a problem that doing a 'wbinfo -g' I see only a small number of
groups (10 out of approx. 25)
in my NT Domain. I have found the following error in 'log.winbindd':

[2004/03/14 10:17:46, 1] nsswitch/winbindd_group.c:fill_grent_mem(122)
  could not lookup membership for group rid S-1-5-21-1656444545-70989180-316617838-1004 in domain MY-DOMAIN (error: NT_STATUS_NO_SUCH_GROUP)

Initially I thought it was about German 'Umlauts: öäü' in the names but the
groups 'Domänen-Benutzer/Domänen-Admins/Domänen-Gäste' show up.

Any hints what I could do?

Thanks
Thomas


Besides: [Samba] Roaming profiles on a small network

2004-03-15 Thread Dirk Brenckmann
Hi all,

I don't know if it's of interest...

when we were using home or profile shares with outlook.pst
files, we had massive trouble with either shares breaking
away or *.pst files getting corrupted.
I can't tell the difference between shares of the [home]/[profile]
sections and standard shares [...] but we fixed the problem
by setting up individual user shares (one user == one section).
Apparently we don't have the trouble now, we had before...

CU Dirk

- Original Message -
From: Matthew Easton [EMAIL PROTECTED]
Date: Monday, March 15, 2004 9:54 am
Subject: Re: [Samba] Roaming profiles on a small network

> On Sunday 14 March 2004 05:20, Matt Janes wrote:
>> I'm having great difficulty synching the data, email, etc on my laptop and
>> desktop, so I thought I might configure samba to act as a DC and use roaming
>> profiles to make sure that my data is always synched.  My question is this:
>> is it worth the effort?
>
> If you are using Outlook or Outlook Express for email, roaming profiles in
> their default configuration won't help you unless you are also doing all your
> mail via imap, (or perhaps running a corporate MS Exchange server).  That's
> because there is a hidden Local Settings folder in your profile that does
> not get synched with the server--- and that's where the email data store
> lives.  So you must move your outlook.pst file into My Documents or
> somewhere that DOES sync.  This can work with Outlook, but I'm not sure
> whether you can do this sort of thing with Outlook Express. And I don't know
> if this exposes you to a greater likelihood of data corruption down the line.
> Some other mail clients (Eudora for sure) will by default store data in a
> syncable location.
>
> Roaming profiles can be annoying when your computers are very different from
> each other -- On one or the other machine, you may have startup items that
> generate error messages, and task bar shortcuts that don't work, for example.
>
> In my experience, roaming profile users occasionally find that they are unable
> to download or upload their profiles due to 'file in use' errors, or filename
> weirdness (usually netscape cache files, but also favorites, or email
> attachments.)  As the administrator of your LAN, you will be able to resolve
> these issues by moving or renaming the offending files so you should consider
> this a minor inconvenience rather than a deal-killer.
 
 


Re: [Samba] trust secret location in WinXP

2004-03-15 Thread Csillag Tamas
On 03/15, Andrew Bartlett wrote:
> On Sat, Mar 13, 2004 at 12:17:01AM +0100, Csillag Tamas wrote:
>> [...]
>> The only question: where windows stores this information?
>> In the registry or in a file?
>> I want to backup that information at the start of the backup and write
>> back after the restore completes.
>>
>> Any help would be appreciated.
>
> If you are ghosting your machines like that, you have bigger problems.
> Like what each machine's name is, what its sid is and the like.
> However, if it is a Samba DC, you can just restore the 'old' password
> to the DC at the same time.
>
> Andrew Bartlett
aha, Interesting idea!
Thanks!
We use ldap so it can be done easily.

I think when the machine joins to the domain, the SID changes according
to the stored one.

Am I right?

-- 
cstamas


[Samba] Samba SID and new installation

2004-03-15 Thread stephane . purnelle




Hi,

I made a new installation of my server with samba 3.0.2a
But I restored my LDAP tree and the SambaDomainName in LDAP is different
than net getlocalsid.

What can I do:
- set the local sid with the old sid (from ldap) net setlocalsid ..
- Or change the SambaDomainSID on LDAP tree and all users, groups, and
computers.




---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique   Corman S.A.   Tel : 00 32 087/342467



[Samba] Virus incident

2004-03-15 Thread Panda_PerimeterScan_Qmail_Edition
Panda Antivirus has found a virus in:

File:
   Name: document_word.pif
   MIME type: application/octet-stream
   Virus found: W32/Netsky.D.worm
   Action carried out: Desinfected


Sender: [EMAIL PROTECTED]
Recipient: [EMAIL PROTECTED]
Subject: Re: Word file
Date: 04:33:19 03/15/2004

we have found a virus in the aforementioned message and have repaired or 
removed it.  This message is being sent strictly for your benefit.  If you are the 
sender, you should have your computer checked.  Thank you for choosing Alphacomm.net!

http://www.pandasoftware.com


Re: [Samba] Samba SID and new installation

2004-03-15 Thread Beast
* [EMAIL PROTECTED] wrote:

> Hi,
>
> I made a new installation of my server with samba 3.0.2a
> But I restored my LDAP tree and the SambaDomainName in LDAP is different
> than net getlocalsid.
>
> What can I do:
> - set the local sid with the old sid (from ldap) net setlocalsid ..

If you want to upgrade from previous Domain SID (assuming all user rid remain the same)

> - Or change the SambaDomainSID on LDAP tree and all users, groups, and
> computers.

If you want to create new domain SID.




--beast



[Samba] Samba with eDirectory

2004-03-15 Thread Stephane DESMET
Hello,

Can Samba join an eDirectory or a domain controlled by a NDS ?
Actually, my need is to do SSO for IE with Squid, using the NTLM
protocol. I know it uses Samba for domains controlled by an Active
Directory.
Does anybody know if it is possible with an eDirectory?

Thx for any answer or advice.

Regards,

-- 
Stephane DESMET
Responsable produits de sécurité
All Computing SAS
17, rue du Colisée - 75008 Paris
France
(+33)1 49 53 90 36
(+33)6 88 82 55 87
internet: www.allcomputing.fr


[Samba] smbpasswd trying to add instead of replace attribute

2004-03-15 Thread Beast

I have some weird error with one of my samba installations.
When modifying samba password using smbpasswd, samba seems to be trying to add the same
attribute (instead of delete and add again), pls see the MOD from log file (from
different domain) :

UNSUCCESSFUL

Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 MOD dn=uid=pwreka,ou=people,ou=purwakarta,dc=indorama,dc=com
Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaPwdMustChange sambaPwdMustChange sambaLMPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Mar 15 17:10:53 hurricane slapd[27056]: Entry (uid=pwreka,ou=people,ou=purwakarta,dc=indorama,dc=com), attribute 'sambaLMPassword' cannot have multiple values
Mar 15 17:10:53 hurricane slapd[27056]: entry failed schema check: attribute 'sambaLMPassword' cannot have multiple values
Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 RESULT tag=103 err=19 text=attribute 'sambaLMPassword' cannot have multiple values


SUCCESSFUL

Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 MOD dn=uid=jktbudhi,ou=people,ou=jakarta,dc=indorama,dc=com
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaPwdMustChange sambaPwdMustChange sambaPwdLastSet sambaPwdLastSet
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 RESULT tag=103 err=0 text=
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=2 UNBIND


any hints?


--beast
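
The two log excerpts in the post above can be compared mechanically. This is an added example, not part of the original post and not Samba or OpenLDAP code: it pairs each MOD with its RESULT by conn/op and lists the attributes that are named only once in the request. It assumes that every name on a "MOD attr=" line stands for one modification, so a delete-and-add pair shows the name twice; the function names are hypothetical.

```python
import re
from collections import Counter

# slapd log lines copied from the post above, with the archive's line wraps rejoined.
SAMPLE_LOG = """\
Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 MOD dn=uid=pwreka,ou=people,ou=purwakarta,dc=indorama,dc=com
Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaPwdMustChange sambaPwdMustChange sambaLMPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Mar 15 17:10:53 hurricane slapd[27056]: Entry (uid=pwreka,ou=people,ou=purwakarta,dc=indorama,dc=com), attribute 'sambaLMPassword' cannot have multiple values
Mar 15 17:10:53 hurricane slapd[27056]: entry failed schema check: attribute 'sambaLMPassword' cannot have multiple values
Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 RESULT tag=103 err=19 text=attribute 'sambaLMPassword' cannot have multiple values
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 MOD dn=uid=jktbudhi,ou=people,ou=jakarta,dc=indorama,dc=com
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaPwdMustChange sambaPwdMustChange sambaPwdLastSet sambaPwdLastSet
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 RESULT tag=103 err=0 text=
Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=2 UNBIND
""".splitlines()

LDAP_CONSTRAINT_VIOLATION = 19  # LDAP result code seen in the failing RESULT line

# Only MOD and RESULT lines carry what we need; other operations are skipped.
LINE_RE = re.compile(r"conn=(\d+) op=(\d+) (MOD|RESULT) (.*)$")
NAMED_ATTR_RE = re.compile(r"attribute '([^']+)'")


def correlate(lines):
    """Collect the dn, attribute names and result of each modify, keyed by (conn, op)."""
    ops = {}
    for line in lines:
        match = LINE_RE.search(line)
        if match is None:
            continue
        conn, op, kind, rest = match.groups()
        rec = ops.setdefault(
            (int(conn), int(op)),
            {"dn": None, "attrs": Counter(), "err": None, "text": ""},
        )
        if kind == "MOD" and rest.startswith("dn="):
            rec["dn"] = rest[3:].strip('"')
        elif kind == "MOD" and rest.startswith("attr="):
            # Count how often each attribute is named in this one request.
            rec["attrs"].update(rest[5:].split())
        elif kind == "RESULT":
            err = re.search(r"\berr=(\d+)", rest)
            text = re.search(r"\btext=(.*)$", rest)
            rec["err"] = int(err.group(1)) if err else None
            rec["text"] = text.group(1).strip() if text else ""
    return ops


def report(lines):
    """Return one finding per modify request, in (conn, op) order."""
    findings = []
    for (conn, op), rec in sorted(correlate(lines).items()):
        if not rec["attrs"]:
            continue
        # Assumption: a name listed once is a single operation on that attribute,
        # not the delete-then-add pair seen for the other attributes.
        lone = sorted(name for name, count in rec["attrs"].items() if count == 1)
        named = NAMED_ATTR_RE.search(rec["text"])
        findings.append({
            "conn": conn,
            "op": op,
            "dn": rec["dn"],
            "err": rec["err"],
            "constraint_violation": rec["err"] == LDAP_CONSTRAINT_VIOLATION,
            "lone_attrs": lone,
            "named_attr": named.group(1) if named else None,
        })
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```
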



Re: [Samba] Samba with eDirectory

2004-03-15 Thread Andrew Bartlett
On Mon, Mar 15, 2004 at 12:25:10PM +0100, Stephane DESMET wrote:
> Hello,
>
> Can Samba join an eDirectory or a domain controlled by a NDS ?
> Actually, my need is to do SSO for IE with Squid, using the NTLM
> protocol. I know it uses Samba for domains controlled by an Active
> Directory.
> Does anybody know if it is possible with an eDirectory?

It cannot use your e-directory password at this time.  Novell assures
me that they are working on making eDirectory compatible with Samba,
but I'll believe that when I see working code. ;-)

Otherwise, edirectory is just another LDAP server.

Andrew Bartlett


[Samba] Samba-3 can't resolve groups

2004-03-15 Thread Mailing-OIT
Hi list, 
maybe somebody had the same problem when upgrading to samba3.
We have a Debian Sarge server running Samba3 without winbind.
We used the old 2.2.x smb.conf and smbpasswd for the new installation.

Problem 1: Since the migration some users can not write to their respective
group shares (NT_STATUS_ACCESS_DENIED), when the directory is not owned by
them.
It looks like the groups are not resolved properly.

Problem 2: Since Thursday last week this effect is cumulating, it looks as if
our samba installation were slowly degrading.

Can anybody out there give some advice?

THX in Advance

Wolfgang




[Samba] logon script question

2004-03-15 Thread Lukas Meyer
Hi list

I'm wondering if and how it is possible to add printers to a
workstation with a logon script like mounting shares. I can't find
anything about this on the Internet so is this possible?

regards
lm


AW: [Samba] logon script question

2004-03-15 Thread Stumpfl Markus
yes:

@echo Installing Printers ...
rundll32 printui.dll,PrintUIEntry /dn /n \\server\printer /q
rundll32 printui.dll,PrintUIEntry /in /n \\server\printer /q /u

Markus


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> behalf of Lukas Meyer
> Sent: Monday, 15 March 2004 12:20
> To: [EMAIL PROTECTED]
> Subject: [Samba] logon script question
>
> Hi list
>
> I'm wondering if and how it is possible to add printers to a
> workstation with a logon script like mounting shares. I can't find
> anything about this on the Internet so is this possible?
>
> regards
> lm


[Samba] Problem with samba3 BDC

2004-03-15 Thread M. Vancl
Hi,

I have successfully installed and configured Samba 3.0.2 PDC  BDC / ldap
master  slave servers in local network. Then I moved BDC to another site
(with WAN connectivity). Now I discovered that workstations on this site
(with BDC) are not able to join domain. After some investigations (also
tcpdump) I found out that problem is that BDC doesn't reply to NBNS requests
for name MYDOMAIN<1b> .
But I'm not able to find my mistake. Situation is a little uncommon, because
on that lan exists a workgroup with the same name as my domain. But I had done
experiment with similar situation on my primary site with no problem.

Relevant parts from smb.conf on BDC are:

netbios name = MYBDC
workgroup = MYDOMAIN
security = user
domain logons = yes
preferred master = yes
domain master = no
local master = yes
os level = 33
encrypt passwords = yes
passdb backend = ldapsam:ldap://localhost;

Can anybody help me ?

Thanks

M. Vancl






[Samba] netbios aliases question (retry)

2004-03-15 Thread daniel . jarboe
I didn't get any responses, can anyone at least tell me if this should
or should not work?

Samba 3.0.2a, two servers, each with a netbios name that matches their
hostname.  The idea was to have two servers live all the time, with the
same printer drivers installed, and we could have the clients hitting
one or the other via a netbios alias.

I set up the netbios alias in smb.conf and dns cname, and at first
things appeared to work.  If a client installed a printer using the
netbios alias, it said Printername on Alias ... a few days later,
however, when clients install a printer from the alias it says
Printername on Real-Server-Name though they use the alias.  Nothing
changed in the configuration; I'm not sure what could cause this change
in behavior.  But now I worry that even though the clients installed the
printers from the alias, if Settings... Printers and Faxes shows the
real server name, if we change the alias and cname to point to a
different server the clients will still hit the old one.

Am I misusing netbios aliases, or should this work?  Is there something
else I am missing?

Thanks,
~ Daniel


Re: [Samba] simple migration 2.8 - 3.02; simple test cases fail

2004-03-15 Thread flinchlock
Quoting Linda W:

---snip---
> I'm running a version for Suse90 pointed to off of their support pages
> so shadow passwords are enabled by default -- so I don't think they'd
> build a suse release w/o support for shadow pw's.

I am running SuSE 9.0 Pro (2.4.21-192-default) with
samba-2.2.8a-107, and shadow passwords work just fine for me.

My Samba install was a new install, not any type of upgrade.

So, I'm GUESSING the migration process needs to be checked???

HTH

Mike


[Samba] Howto give console access to a samba user ?

2004-03-15 Thread Estevam Henrique Carvalho
Hi people,

I have a Debian (Woody) 2.4.25+Samba 3.0.2a running, I've joined an Active
Directory domain (net ads join) and I can successfully browse the AD users
and groups with wbinfo -u and wbinfo -g.

I need to give to the samba (Windows) users access to the linux
console/terminal, I've read the samba documentation about pam_winbind
(http://us1.samba.org/samba/docs/man/winbind.html), but I found some
difficulties, in my system there is no pam_stack module, where can I find it?
In spite of that I did the rest of the procedure described in the doc
above and now when the samba users logon on the system they receive an error
regarding the home directory and alerting the user that (HOME=/) will be
used instead (how can I give a home folder to windows users?), after this
message linux returns the user to the first question in the logon screen
(user name).

Reading the logon files (auth.log) I could see the pam_winbind successfully
authenticate the user, I also ran getent passwd and received a list with all
linux+windows users, I observed the windows users have as shell /bin/false,
and I think that is the root of the problem.

Any help?

Thank you,

Estevam Henrique

 

 





Re: [Samba] Problem with samba3 BDC

2004-03-15 Thread Andrew Bartlett

On Mon, Mar 15, 2004 at 12:58:12PM +0100, M. Vancl wrote:
> Hi,
>
> I have successfully installed and configured Samba 3.0.2 PDC  BDC / ldap
> master  slave servers in local network. Then I moved BDC to another site
> (with WAN connectivity). Now I discovered that workstations on this site
> (with BDC) are not able to join domain. After some investigations (also
> tcpdump) I found out that problem is that BDC doesn't reply to NBNS requests
> for name MYDOMAIN<1b> .
> But I'm not able to find my mistake. Situation is a little uncommon, because
> on that lan exists a workgroup with the same name as my domain. But I had done
> experiment with similar situation on my primary site with no problem.
>
> Relevant parts from smb.conf on BDC are:
>
> netbios name = MYBDC
> workgroup = MYDOMAIN
> security = user
> domain logons = yes
> preferred master = yes
> domain master = no

See below.  Set this to yes.

> local master = yes
> os level = 33
> encrypt passwords = yes
> passdb backend = ldapsam:ldap://localhost;
>
> Can anybody help me ?

If the remote LAN cannot 'see' (in the netbios sense) your main PDC,
make the remote 'DC' a PDC.  It will then act on the local read-only
LDAP slave, and update the LDAP master when it needs to.

Make sure your LDAP slave is set up for update referrals.

Also see the 'ldap replication sleep' parameter.

Andrew Bartlett


AW: AW: [Samba] user can't shut down windows clients?

2004-03-15 Thread Matthias Spork
Hello,

> thanks for your prompt reply.
> does it mean that i must assign all my users to the domain users group
> in the smb.conf?
> then only they can shutdown the windows client?
> this will be a headache, cos the user list is very large!
> anyway to automate this task?
> thank Q

I've seen that the Samba-Group Domain Users has the rights from local
group Users, not Master-Users (I don't know how it's named in
English Windows). Now, I map Domain Users to Master-Users on all
Windows-Clients and it works fine.

matze



[Samba] inherit permissions doesn't work in 3.0.2a-SOLVED

2004-03-15 Thread Richard Coates
the users homes share was also shared separately to automatically map the drive 
via logon drive = h:
samba was applying standard linux perms to files in homes.
my solution: change home directory in /etc/passwd to something else, and
use a logon.bat to map the drives we need.
simple really, too many late nights I suppose!


redhat9, samba 3.0.2a-1 as pdc, wins, xp-pro domain clients, smbpasswd
backend.
all files created get stock 744 perms
directories created in the samba share get 755
I can't seem to override these?
I would like 770
my share definition has..

[share]
path = /mypath
valid users = @staff
writable = yes
inherit permissions = yes




Re: [Samba] Samba 2.2.7a and SunOS 5.8

2004-03-15 Thread Diego Julian Remolina
Hi,

Samba 2.2.7 series worked fine for us in Solaris 8 and 9.  However we are
currently running 2.2.8a on our samba server (Solaris 9) and working
towards upgrading to samba 3.0.2a with ldapsam.

We used versions 2.2.7, 2.2.7a,2.2.8, 2.2.8a for production in a server
running nfs for ~200 Linux/sun clients and being the domain controller for
~20 windows machines without seeing any performance issues.  The server
is dual homed to two subnets and has gigabit uplinks.

Diego

On Sun, 14 Mar 2004, Cloutier,Joe wrote:

> I have 2 Sun servers. One is running Samba 2.0.7 and I have no problems
> with response time or performance. The other server is running Samba
> 2.2.7a and on this server there are performance issues, slowness and
> long response times with long latencies over 400 msec.
>
> Both Sun servers are running SunOS 5.8.
>
> Is Samba 2.2.7a supported on this Unix box or is it for a Linux server?
> Should I be experiencing any problems with this release?
>
> Thanks in advance for your support.
>
> Joe



[Samba] Re: Problem with samba3 BDC

2004-03-15 Thread M. Vancl

Andrew Bartlett [EMAIL PROTECTED] wrote:
...

>> preferred master = yes
>> domain master = no
>
> See below.  Set this to yes.
>
>> local master = yes
>> os level = 33
...

> If the remote LAN cannot 'see' (in the netbios sense) your main PDC,
> make the remote 'DC' a PDC.  It will then act on the local read-only
> LDAP slave, and update the LDAP master when it needs to.
>
> Make sure your LDAP slave is set up for update referrals.
>
> Also see the 'ldap replication sleep' parameter.


Thanks, now (after setting domain master = yes) it's ok.

But, tell me please, what may be wrong or missing in my setup that remote
LAN cannot 'see' (in the netbios sense) my main PDC ?
Do I need wins running ?

M. Vancl





Re: [Samba] Re: Problem with samba3 BDC

2004-03-15 Thread Andrew Bartlett
On Mon, Mar 15, 2004 at 01:46:34PM +0100, M. Vancl wrote:
>
> Andrew Bartlett [EMAIL PROTECTED] wrote:
> ...
>
>>> preferred master = yes
>>> domain master = no
>>
>> See below.  Set this to yes.
>>
>>> local master = yes
>>> os level = 33
> ...
>
>> If the remote LAN cannot 'see' (in the netbios sense) your main PDC,
>> make the remote 'DC' a PDC.  It will then act on the local read-only
>> LDAP slave, and update the LDAP master when it needs to.
>>
>> Make sure your LDAP slave is set up for update referrals.
>>
>> Also see the 'ldap replication sleep' parameter.
>
>
> Thanks, now (after setting domain master = yes) it's ok.
>
> But, tell me please, what may be wrong or missing in my setup that remote
> LAN cannot 'see' (in the netbios sense) my main PDC ?
> Do I need wins running ?

If you wish to allow that traffic, then you need WINS.  If you want
that is up to you, I have tried to make Samba cope with either
situation.

Andrew Bartlett


[Samba] Profiles and mapping share under different username

2004-03-15 Thread Karel Kulhavy
Hello

Are flawlessly working roaming profiles or whatever profiles a necessary
prerequisite for a working mechanism of mapping shares under a different
username? For example, sitting on NT4 machine IAPETUS in domain KEVF_D1,
KEVF_D1 - KEVF_D4 mutual trust, KEVF_D4 PDC is Samba 3 OBERON,
user from IAPETUS wants to map \\OBERON\linux under username from
KEVF_D4

Cl


[Samba] Roaming profiles

2004-03-15 Thread Andrew Judge
I have a question about disabling roaming profiles.  Apparently we can
do that by adding logon path = , but if we do that on a machine that has
roaming enabled, will I have to go and change that to local on all the
accounts or will it do it automatically?  Also, will that impact the
users at all?

Andy


[Samba] samba3 errors and question

2004-03-15 Thread werner maes
Hello

I find some errors in my logs and have some questions about them:

1. Why are logfiles created based on machinename and on ipaddress? Only 
based on machinename has been configured in smb.conf

These messages occur in the logfiles based on ipaddress (e.g.: log.10.10.10.1)

[2004/03/15 14:05:06, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.

2. Why do these messages occur in /var/log/messages? And there's no problem 
with our network, no dodgy switches or so.

Mar 15 13:28:34 smbd[11526]: [2004/03/15 13:28:34, 0] 
lib/util_sock.c:get_peer_addr(952)
Mar 15 13:28:34 smbd[11526]:   getpeername failed. Error was Transport 
endpoint is not connected

Somebody said that this is related to iptables running. If you stop 
iptables these messages no longer occur.

Any ideas?



AW: [Samba] Problem with NT-Groups

2004-03-15 Thread Plant Thomas
Update:
found the following after raising the log level = 3:

[2004/03/15 14:18:50, 3] lib/charcnv.c:convert_string_internal(221)
  convert_string_internal: Conversion error: Illegal multibyte sequence(ä)
[2004/03/15 14:18:50, 3] lib/charcnv.c:convert_string_internal(221)
  convert_string_internal: Conversion error: Illegal multibyte sequence(ä)
[2004/03/15 14:18:50, 3] lib/charcnv.c:convert_string_internal(221)
  convert_string_internal: Conversion error: Illegal multibyte sequence(ä)
[2004/03/15 14:18:50, 3] lib/charcnv.c:convert_string_internal(221)
  convert_string_internal: Conversion error: Illegal multibyte sequence(ä)

-Original Message-
From: Plant Thomas [mailto:[EMAIL PROTECTED]
Sent: Monday, 15 March 2004 10:07
To: '[EMAIL PROTECTED]'
Subject: [Samba] Problem with NT-Groups


Hello,
I have a problem that doing a 'wbinfo -g' I see only a small number of
groups (10 out of approx. 25)
in my NT Domain. I have found the following error in 'log.winbindd':

[2004/03/14 10:17:46, 1] nsswitch/winbindd_group.c:fill_grent_mem(122)
  could not lookup membership for group rid S-1-5-21-1656444545-70989180-316617838-1004 in domain MY-DOMAIN (error: NT_STATUS_NO_SUCH_GROUP)

Initially I thought it was about German 'Umlauts: öäü' in the names but the
groups 'Domänen-Benutzer/Domänen-Admins/Domänen-Gäste' show up.

Any hints what I could do?

Thanks
Thomas


Re: [Samba] smbpasswd trying to add instead of replace attribut

2004-03-15 Thread Beast

Never mind. It was because of an ACL restriction on LDAP.
  

* Beast [EMAIL PROTECTED] wrote:

 
 I have some weird error with one of my samba installations.
 When modifying a samba password using smbpasswd, samba seems to be trying to add the same
 attribute (instead of delete and add again), pls see the MOD from log file (from
 different domain) :
 
 UNSUCCESSFUL
 
 Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 MOD dn=uid=pwreka,ou=people,ou=purwakarta,dc=indorama,dc=com
 Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaPwdMustChange sambaPwdMustChange sambaLMPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
 Mar 15 17:10:53 hurricane slapd[27056]: Entry (uid=pwreka,ou=people,ou=purwakarta,dc=indorama,dc=com), attribute 'sambaLMPassword' cannot have multiple values
 Mar 15 17:10:53 hurricane slapd[27056]: entry failed schema check: attribute 'sambaLMPassword' cannot have multiple values
 Mar 15 17:10:53 hurricane slapd[27056]: conn=29489 op=1 RESULT tag=103 err=19 text=attribute 'sambaLMPassword' cannot have multiple values
 
 
 SUCCESSFUL
 
 Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 MOD dn=uid=jktbudhi,ou=people,ou=jakarta,dc=indorama,dc=com
 Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaPwdMustChange sambaPwdMustChange sambaPwdLastSet sambaPwdLastSet
 Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=1 RESULT tag=103 err=0 text=
 Mar 15 17:16:22 hurricane slapd[27056]: conn=29509 op=2 UNBIND
 
 
 any hints?
 
 
 --beast
 
 



--beast



[Samba] Loosing group mappings when I reboot Samba server.

2004-03-15 Thread Erik Hoitinga
Dear list,

On my samba server I made the following group mappings:

For the Domain Admins group:
net groupmap modify sid=S-1-5-21-2075143179-238294558-572307100-512 unixgroup=root

For the Domain Users group:
net groupmap modify sid=S-1-5-21-2075143179-238294558-572307100-513 unixgroup=users

For the Domain Guests group:
net groupmap modify sid=S-1-5-21-2075143179-238294558-572307100-514 unixgroup=nobody

For the Print Operators group:
net groupmap modify sid=S-1-5-32-550 unixgroup=lp

I lose these mappings when I reboot my samba (3.0.2a) server. Is this
normal behaviour?

TIA,

Erik Hoitinga
http://users.skynet.be/fanzel



[Samba] Issues while compiling samba 3.0.2a

2004-03-15 Thread Erik Hoitinga
Dear List,

First forgive me for my RTFM question yesterday about groups not appearing
in the Windows usermanager (Karel Kulhavý, thanks for your reply). I did
read the SAMBA HOWTO Collection but in a more 'vertical' way. This net
groupmap thing must have passed my attention.

I installed a prebuilt version of Samba for redhat 8.0. Redhat however does
not compile in ACL's in their kernel by default. So I had to recompile my
kernel (2.4.24) with the necessary ACL support. The packages
libacl-2.0.11-2, acl-2.0.11-2 and libacl-devel-2.0.11-2 were already
installed. Only the kernel was lacking ACL support which is working fine
right now. However when I do a smbd -b | grep -i ACL there seems to be no
ACL support in my precompiled samba. This is why I decided to recompile my
Samba source. I took the tarball from samba.org and not the source RPM from
RedHat and compiled it with make 2>&1 | tee make.out after doing the
configure below:

./configure --with-configdir=/etc/samba --with-privatedir=/etc/samba \
--with-lockdir=/var/lock/samba --with-logfilebase=/var/log/samba \
--with-piddir=/var/run/samba --with-swatdir=/usr/share/swat \
--with-ads --with-pam --with-quotas --with-sendfile-support \
--with-smbmount --with-syslog --with-utmp --with-winbind \
--with-ldapsam --with-ldap --with-acl-support --with-pam_smbpass

Now I have the following questions:

1. The compilation process went without errors. But I got a couple of
   warnings (25), most of them concerning 'passing arg 1 of [function]
   from incompatible pointer type'. Is it possible that these warnings can
   cause unexpected behaviour when running samba? And if so what can I do
   to get rid of these warnings?
2. Can I assume that my e2fsprog and coreutils packages are already patched
   for ACL's because the ACL packages/libraries mentioned earlier in this
   mail were already installed? Can this be tested with just a cp or a mv
   of a directory or file with ACL's on it?
3. When I do a ./smbd -b | grep -i ACL on my newly compiled smbd daemon I
   got HAVE_SYS_ACL_H, HAVE_POSIX_ACLS. Does this mean ACL's are compiled
   in successfully? I'm a bit in doubt because when I look at the list
   under --with Options:  Build Options: a WITH_ACL is lacking.

TIA,

Erik Hoitinga
web: http://users.skynet.be/fanzel



Re: [Samba] logon script question

2004-03-15 Thread Mailing-OIT
Hi Lukas!

On Monday, 15 March 2004 12:19, Lukas Meyer wrote:
 Hi list

 I'm wondering if it and how it is possible to add printers to a
 workstation with a logon script like mounting shares. I can't find
 anything about this on the internet so is this possible?

use the net command in the logon script like so:
net use LPTX:  \\MASCHINENAME\PRINTERSHARENAME

e.g.
net use LPT1: \\myserver\my1stprinter

will connect your my1stprinter on server myserver to your local Windows
PrinterPort 1.

HTH


 regards
 lm
Greets
Wolfgang



[Samba] Group Mapping Problems with Samba 3.0.2a OpenLDAP 2.2.6

2004-03-15 Thread Chris Slack
Hello all,

I am attempting to setup a Samba 3.0.2a based PDC using OpenLDAP 2.2.6 for
my user/group authentication backend.  So far everything seems to be working
properly, I can join the domain from a Win2k PC, login via an account
created with smbldap-useradd.pl, map my home directory, run the proper login
script, etc.  However, with all of that working I'm still having
difficulties getting group mapping to work.

I've run through the steps in the Samba HOWTO manual and tried everything
else I could find on the web but I'm stumped at this point.

When I type:

net groupmap list

I get nothing, when I type:

net groupmap add rid=512 ntgroup=Domain Admins unixgroup=Domain Admins

I get the message adding entry for group Domain Admins failed!.  I've
tried several permutations of this using different groups, I've tried adding
groups to the local /etc/group file to see if it was having an issue with
LDAP, but nothing seems to help.  I can't seem to find anyone else who has
had this problem and like I said, everything else is working fine.  Attached
to the bottom of this message is a dump from testparm with the details of my
/etc/samba/smb.conf file.

Please let me know if anyone can give me any suggestions.

Thanks,

Chris Slack
IT System Administrator
Mercy Ships
M/V Anastasis - Currently docked in Freetown, Sierra Leone, West Africa
www.mercyships.org




[EMAIL PROTECTED] /etc]# testparm
Load smb config files from /etc/samba/smb.conf
Processing section [homes]
Processing section [nobody]
Processing section [netlogon]
Processing section [Profiles]
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = CHANNEL
server string = Samba Server
null passwords = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/local/sbin/smbldap-useradd.pl -m -d /dev/null -g 553 -s /bin/false %u
add machine script = /usr/local/sbin/smbldap-useradd.pl -m -d /dev/null -g 553 -s /bin/false %u
logon script = login.js
logon path = \\%L\Profiles\%U
logon drive = X:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap port = 389
ldap suffix = ou=MSAN,dc=ana,dc=mercyships,dc=org
ldap admin dn = cn=Manager,dc=ana,dc=mercyships,dc=org
ldap ssl = no

[homes]
comment = Home Directories
read only = No
browseable = No

[nobody]
comment = to prevent from user nobody from having a home share
path = /dev/null
browseable = No

[netlogon]
comment = Network Logon Service
path = /msu/netlogon
browseable = No
share modes = No
root preexec = /usr/local/bin/mkuserconfig.pl %U
root postexec = rm /msu/netlogon/%U.conf

[Profiles]
path = /msu1/Profiles
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
browseable = No


[Samba] Cancel Print Job from Windows

2004-03-15 Thread Stringer Leon
Hi,

We use Samba and CUPS to print for Windows users. Users seem to be able
to cancel their own jobs in the queue from the Windows queue interface
(in Control Panel\Printers\Open queue, right click on job and select
Cancel) but Domain Admins cannot cancel Domain Users documents in this
way (the status bar says Access denied.).

Domain Admins have this ability with a Windows print server. Should this
be possible with a Samba server?

I've got:

[global]
printer admin = @ntadmins, administrator, @STAFFAMB+Domain Admins

And I've tried:

[printers]
create mode = 0777

Which didn't make any difference.

Should this be possible? Any clues?

TIA,

Leon...



Re: [Samba] Disabling Machine Account password change

2004-03-15 Thread Matthieu Le Corre
Look at the options :
machine password timeout
on the samba server ;)


machine password timeout = seconds 

Default: 604,800

Allowable values: number of seconds

Sets the period between (NT domain) machine password changes. Default is 1 
week, or 604,800 seconds.


maybe this helps ;)



On Friday, 12 March 2004 08:36, Florian Thiel wrote:
 Gerald (Jerry) Carter wrote:
  -BEGIN PGP SIGNED MESSAGE-
  Hash: SHA1
 
  Florian Thiel wrote:
  | The MS kb article mentions the RefusePasswordChange
  | reg value.  You could add this to the hardcoded registry
  | paths that Samba supports.
  |
  | Yes, that's the idea. The problem is that I'm not feeling able
  | to do this on my own. Is there a samba developer around?
  | I think it shouldn't be too hard if you know the structures.
  | I'm not even sure what value Windows expect in return...
 
  Try this patch (i only guarantee it to compile).
  (stripped was the mailing list ).  Should apply to
  any 3.0 version.

 Thanks. Looks like it should also apply to Samba 2.2. Do you think it
 would be working for Samba2? And most important: Can you think of a way
 to test it reliably? Setting the clients to a low change interval comes
 into mind...

 Florian

 --
 Florian Thiel - Medienzentrum Kassel
 Systembetreuung Internet- und Kommunikationstechnik
 Kasseler Schulen am Netz - http://www.medienzentrum-kassel.de

- -- 
  Matthieu Le Corre
--
CIE -- UFR sciences
Université de Nantes
 02-51-12-58-65


[Samba] stable

2004-03-15 Thread SCALA SISTEMAS, S.L.
I wanted to know if samba under FreeBSD is as stable as samba under Linux...

Thanks
scala


RE: [Samba] kerberos ticket expired

2004-03-15 Thread Adam Williams
 I have tried kinit -r 7d -l 7d admin to keep the ticket last longer, but it
 ignored my flags and use default 1 day ticket life time. 

As a point of interest - most KDCs enforce a maximum ticket life time,
and kinit can only request up to that life time; requests for a longer
life will just get 'bumped down'.  Every KDC I've met liked 24hrs as a 
ticket life (one can, of course, always renew).



[Samba] prf*.tmp in samba-profiles

2004-03-15 Thread Matthias Spork

Hello list,

sometimes, when a user logs off, not ntuser.dat but prf4EC.tmp, prf4ED,
..., gets saved.

Does anyone have this problem, too?

matze



[Samba] create_canon_ace_lists: unable to map SID

2004-03-15 Thread Daniel Chénard
I have a samba server on linux with a LDAP DC,

On a client server, I did

net join -S DOMSERV -Uadmin%PASSWORD

and that works

The server member of DOMSERV has a share XFS filesystem.

When I set the acl manually (setfacl -m g:group:rwx the_file)
it's ok, the other domain members see the ACL

But when I set the acl with a Windows workstation, that doesn't work

smbd/posix_acls.c:create_canon_ace_lists(1380)
create_canon_ace_lists: unable to map SID 

my client smb.conf 

 [global]
workgroup = TOTODOM
server string = Samba Server
security = DOMAIN
password server = domain-srv
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
dns proxy = No
ldap ssl = no
map acl inherit = Yes


my server smb.conf

[global]
unix charset = ASCII
workgroup = DOMSERV
server string = Samba Server
update encrypted = Yes
passdb backend = ldapsam:ldap://192.168.53.58, guest
passwd program = /usr/bin/smbpasswd %u
passwd chat = *new*password* %n\n  *new*password*  %n\n *changed*
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = no
encrypt passwords = Yes
passwd chat debug = Yes
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
bind interfaces only = no
interfaces = eth0 lo
pam password change = yes
add user script = /usr/bin/smbpasswd -a %u -D 256
delete user script = /usr/bin/smbpasswd -x %u -D 256
add machine script = /usr/bin/smbpasswd  -m -a %u$ -D 256
logon script = netlogon.bat
logon path = \\srv-image\profiles\%u
logon drive = X:
logon home = \\srv-image\%u
domain logons = Yes
os level = 65
preferred master = No
domain master = Yes
dns proxy = No
ldap suffix = dc=domserv,dc=com
ldap machine suffix = ou=hosts
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = cn=manager,dc=domserv,dc=com
#ldap delete dn = Yes
#ldap trust ids = Yes
ldap ssl = no
ldap passwd sync = Yes
admin users = Administrator root
hosts allow = 192.168.53.0/255.255.255.0 127.0.0.1
#ldap filter = ((uid=%u) (objectclass=sambaAccount))
ldap delete dn =yes



Can someone help me??


-- 
Daniel Chénard
 
Croesus Finansoft Inc.
2 Place Laval, Suite 510
Laval, Quebec
Canada H7N 5N6
Site Web: www.croesus.com
 
[EMAIL PROTECTED]
Tel: +1 450-662-6101, 145
Fax: +1 450-662-3629
 
Please Note: The Light at the End of The Tunnel
 will be turned off until further
 notice due to budget cutbacks.
--The Managemen



[Samba] ADS Kerberos Authentication without winbind problem

2004-03-15 Thread ww m-pubsyssamba
Hello list,

Due to problems with winbind on Solaris I cannot use winbind. Instead I need
to get Kerberos authentication from ADS working with a Samba member server
with local UNIX user accounts.
So to briefly describe my configuration, I have an account in AD and a
duplicate account locally on my Samba server which has been initialised with
smbpasswd -a user password. My Samba server has successfully joined my AD
domain and can successfully obtain Kerberos tickets.

This does work in principle but I have the following problem: in order to get
Kerberos authentication I have to use syntax like this on the Windows client

net use \\bbcwwp-sun24\share /user:bbcwwp-sun24\user

This works perfectly, but because my AD domain is called TESTLAN if you try
and access the samba share by either of the following methods:

from windows explorer directly accessing the URL \\bbcwwp-sun24\share

or from command line net use \\bbcwwp-sun24\share

They both fail, presumably because it's assuming that the user account is
TESTLAN\user which will not work (I tried this syntax manually and it didn't
work). Although they fail I have verified that the client is still obtaining
a ticket for the Samba server HOST/bbcwwp-sun24.

Given that I don't expect my users to be using net use in order to access
data on a Samba share I basically don't have a working solution at present.
Is there anything I can tweak in the Samba config to get round this? Any help
much appreciated,

thanks in advance,  Andy.


[Samba] Trouble replicating samba

2004-03-15 Thread Borja Pacheco
Dear all,

I'm experiencing a big problem with samba and an installation we have on my
enterprise's intranet. This intranet is based on a Samba server v2 which
acts as Primary Domain Controller, wins server and file server. All
these features work great nowadays.

Our issue is with a newer server with which we want to replace the
previous samba server in order to improve the performance and
reliability for our users. For this reason we have installed the samba
daemon on this machine (keeping samba version, but minor version
numbers) and we have copied everything from one server to the other, I
mean, smb.conf, lmhost, smbpasswd, etc, and we have updated the smb.conf
to change the IP address and netlogon name. Of course, we have updated
the system's groups and users, and synchronized data.

When we start up the service on the newer one (after shutting it down on
the other), we noticed that samba becomes domain master, master browser
and that we can access files through smbclient. The trouble is with the
MS Windows clients, which can't register in the domain anymore; Windows
tells us that the machine account doesn't exist or the password is wrong.
These accounts were created with smbpasswd -a -m, so they exist. So it
seems that the autonegotiated password is failing.

Does anybody know why it is failing? Is it related to the SIDs? What
are these SIDs? Could you suggest a solution?

PS. we tried to remove a Windows client from the domain, and later
register it again. And it seems to work, but we have to waste lots of
time on every client, and we have more or less 300...

Best Regards
-

Hello everyone,

I have a small big problem with a samba installation on my company's
intranet.
On it, until now, a domain controller + wins server + file server running
samba v2 has been in operation. All of it was set up in the classic way
and works correctly.

The thing is, we have now decided to add a higher-performance machine to
the network, and we have decided to migrate the service from one machine
to the other, for which we copied all the samba configuration files
(smb.conf, slmhost, mbpasswd, etc) to the new machine, carefully updating
the IP on which it is published and its name in the domain (netlogon),
since it was not kept the same on both servers. Of course, we imported
the data and the system users, and took care that everything is correct.

The service on the new machine starts up correctly, becomes domain
controller, master browser, etc, and it can be accessed with smbclient
to view/download content. The problem comes when the Windows
workstations boot: when they try to register in the domain they say that
either the machine account does not exist or the password is wrong. The
machine accounts exist (they were created at the time with
smbpasswd -a -m), but it seems that the autonegotiated password is no
longer valid.

Does anyone know what causes this? Does it have to do with the SID? What
is that seed?

Note: if we unregister the machine from the domain and register it again
the problem is solved, but doing this with 300 computers..

Regards to all,
-- 
Borja Pacheco Ortega
Acisa - Dept. I+D: Desarrollo


[Samba] cannot change file permissions

2004-03-15 Thread Matthias Eichler
Hi List,

I have some severe problem with Samba 3 with ldapsam
backend on debian stable.

The problem is that I can not change the rights
of a file or directory on the server from Windows.

I get this in smb.log:
---cut---
[2004/03/14 21:59:09, 0] smbd/posix_acls.c:create_canon_ace_lists(1380)
  create_canon_ace_lists: unable to map SID
S-1-5-21-2443489570-4015384086-1858331161-3009 to uid or gid.
---cut---

3009 is the correct rid(?) of the gid 1004.
This is also correctly mapped:
---cut---
Buchhaltung (S-1-5-21-2443489570-4015384086-1858331161-3009) -
buchhaltung
---cut---

Unfortunately this also happens with users:
---cut---
[2004/03/14 21:56:37, 0] smbd/posix_acls.c:create_canon_ace_lists(1380)
  create_canon_ace_lists: unable to map SID
S-1-5-21-2443489570-4015384086-1858331161-3016 to uid or gid.
---cut---
In this case 3016 is the right rid for the user with the uid 1008.
But this user has also the correct attributes in ldap:
---cut---
#
# filter: uid=lf
# requesting: ALL
#

# lf, RDS, KERNZEIT, COM
dn: uid=lf,ou=RDS,dc=KERNZEIT,dc=COM
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: lf
sn: lf
uidNumber: 1008
gidNumber: 100
homeDirectory: /home//lf
loginShell: /bin/bash
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaSID: S-1-5-21-2443489570-4015384086-1858331161-3016
sambaPrimaryGroupSID: S-1-5-21-2443489570-4015384086-1858331161-513
sambaHomeDrive: H:
sambaHomePath: \\LOGIN\homes
sambaProfilePath: \\LOGIN\profile\lf
sambaPwdMustChange: 1082893749
sambaLMPassword: *snip*
sambaPwdLastSet: 1079005749
sambaAcctFlags: [U]
sambaNTPassword: *snip*
userPassword:: *snip*
displayName: Lukas Frese
sambaLogonScript: login.bat
gecos: Lukas Frese
description: Lukas Frese
uid: lf
---cut---

Help is really appreciated as I have been stuck with these problems for such
a long time now without any light at the end of the tunnel!

Thanks very much,

Matthias Eichler
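
The "unable to map SID" reports in Daniel Chénard's message and in this one can be triaged offline. The following is an added example, not part of either post or of Samba: it pulls the SIDs out of smbd log text, splits off the RID, and checks them against group-map and LDIF data. It assumes the default "algorithmic rid base" of 1000; the function names, the third log entry, and the `->` form of the groupmap line are constructed for illustration.

```python
import re

RID_BASE = 1000  # assumed: smb.conf default for "algorithmic rid base"

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, integer RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def decode_rid(rid, base=RID_BASE):
    """Invert the algorithmic scheme: user RID = 2*uid + base, group RID = 2*gid + base + 1."""
    if rid < base:
        return None  # well-known RID such as 512/513/514, not derived from a Unix id
    offset = rid - base
    return ("gid" if offset % 2 else "uid", offset // 2)

def unmapped_sids(log_text):
    """SIDs named in 'unable to map SID' messages, in order, without repeats."""
    flat = re.sub(r"\s*\n\s*", " ", log_text)  # undo the line wrap before the SID
    found = []
    for sid in re.findall(r"unable to map SID (S-\d+(?:-\d+)+)", flat):
        if sid not in found:
            found.append(sid)
    return found

def parse_groupmap(text):
    """Map SID -> Unix group from 'NT group (SID) -> unixgroup' lines."""
    pattern = r"^.+? \((S-[\d-]+)\) -+>? *(\S+)$"
    return {sid: group for sid, group in re.findall(pattern, text, re.M)}

def parse_ldif(text):
    """Map sambaSID -> attribute dict (first value per attribute) for each entry."""
    accounts = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), value.lstrip(": ").strip())
        if "sambaSID" in attrs:
            accounts[attrs["sambaSID"]] = attrs
    return accounts

def diagnose(log_text, local_domain_sid, groupmap_text, ldif_text):
    """One report entry per unmapped SID, saying what mapping data exists for it."""
    groups, accounts = parse_groupmap(groupmap_text), parse_ldif(ldif_text)
    report = []
    for sid in unmapped_sids(log_text):
        domain, rid = split_sid(sid)
        decoded = decode_rid(rid)
        account = accounts.get(sid)
        entry = {"sid": sid, "rid": rid, "decoded": decoded,
                 "unix_group": groups.get(sid),
                 "account": account.get("uid") if account else None,
                 "uid_matches_rid": None}
        if account and decoded and "uidNumber" in account:
            entry["uid_matches_rid"] = decoded == ("uid", int(account["uidNumber"]))
        if domain != local_domain_sid:
            entry["verdict"] = "foreign domain SID"
        elif entry["unix_group"] or entry["account"]:
            entry["verdict"] = "mapping data present"
        else:
            entry["verdict"] = "no mapping data"
        report.append(entry)
    return report

# Sample input: the first two log entries, the groupmap line and the LDIF
# attributes are taken from the message above; the third log entry is constructed.
DOMAIN_SID = "S-1-5-21-2443489570-4015384086-1858331161"
SAMPLE_LOG = """\
[2004/03/14 21:59:09, 0] smbd/posix_acls.c:create_canon_ace_lists(1380)
  create_canon_ace_lists: unable to map SID
S-1-5-21-2443489570-4015384086-1858331161-3009 to uid or gid.
[2004/03/14 21:56:37, 0] smbd/posix_acls.c:create_canon_ace_lists(1380)
  create_canon_ace_lists: unable to map SID
S-1-5-21-2443489570-4015384086-1858331161-3016 to uid or gid.
[2004/03/15 09:00:00, 0] smbd/posix_acls.c:create_canon_ace_lists(1380)
  create_canon_ace_lists: unable to map SID S-1-5-21-1111111111-2222222222-3333333333-1201 to uid or gid.
"""
SAMPLE_GROUPMAP = "Buchhaltung (S-1-5-21-2443489570-4015384086-1858331161-3009) -> buchhaltung\n"
SAMPLE_LDIF = """\
# lf, RDS, KERNZEIT, COM
dn: uid=lf,ou=RDS,dc=KERNZEIT,dc=COM
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 1008
sambaSID: S-1-5-21-2443489570-4015384086-1858331161-3016
uid: lf
"""

if __name__ == "__main__":
    for entry in diagnose(SAMPLE_LOG, DOMAIN_SID, SAMPLE_GROUPMAP, SAMPLE_LDIF):
        print(entry["sid"], entry["decoded"], entry["verdict"])
```

On a live server, `net getlocalsid` prints the domain SID to pass as `local_domain_sid`. A "mapping data present" verdict means the passdb and group-map records agree with the logged SID, so the lookup failure has to be looked for elsewhere.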


[Samba] smbd/service.c:set_current_service(56) chdir (/var/ghost) failed

2004-03-15 Thread newsletters-droidmcse
Hey Gang,

I have a suse 8.1 server that I have compiled samba 3.0.2 from source on. 
I have it configured to authenticate against our AD.  That seems to be
working fine.

getent passwd produces the results from both passwd and AD.  getent group
gives me the groups + the AD groups.  I was able to assign the permissions
to the folder without problems.  It picked up the group from AD and
assigned it to the folder.

I changed the owner to be my AD account and it let me view the folder, but
when it's just assigned at the group level, I am unable to read/write to
the folder.  So it appears as though it's not able to do a group lookup to
grant me permissions to the folder.

Here is the folder listing and the logs.

mntdlx74:/var/ghost # ll
total 1
drwxrws---4 root US+SG-SuperAdmins   96 Mar 12 12:13 .
drwxr-xr-x   23 root root  584 Mar 12 12:13 ..
drwxrws---3 root US+SG-SuperAdmins   48 Mar 15 07:38 ghost
drwxrws---3 root US+SG-SuperAdmins   48 Mar 12 12:12 ghost1

[2004/03/15 07:51:49, 1] smbd/service.c:make_connection_snum(705)
  usmnws809146 (165.75.x.x) connect to service ghost initially as user
US+astein (uid=10469, gid=1) (pid 2859)

[2004/03/15 07:51:49, 0] smbd/service.c:set_current_service(56)
  chdir (/var/ghost) failed


Thanks!
Andy


Re: [Samba] samba 2.2.3a / openLDAP connection problem

2004-03-15 Thread Martin Wood
ok, thanks for the replies so far...I don't seem to be having much luck

the samba and ldap servers are on the same machine..

i've tried the

read -s -p "Enter LDAP Root DN Password: " LDAP_BINDPW
smbpasswd -w $LDAP_BINDPW
multiple times just to make sure i wasn't making any typos.

i've added

ALL: localhost
ALL: 127.0.0.1
ALL: breadfruit
to hosts.allow just in case.



ldapsearch -x '(cn=Manager)'

gives :

version: 2

#
# filter: (cn=Manager)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1

which seems like it's wrong to me (the 32 No such object)

the output from slapd is very verbose, are there any critical sections i
should be concerned with ? (or shall i post all the slapd output
resulting from the smbpasswd -a marvsmb command ?)

again, thanks for the help...it's good to know I'm not on my own here..

if there are any other tools / commands that i can use to help debug the
situation please let me know..

thanks,

martin

Diego Julian Remolina wrote:
If you have openldap compiled with tcp wrappers you should also have the
appropriate entries in the file:
/etc/hosts.allow
Try to run a simple ldapsearch from the samba machine just to make sure
you get some results:
ldapsearch -x '(cn=Manager)'

HTH,

Diego

On Sat, 13 Mar 2004, Markus Amersdorfer wrote:


On Fri, 12 Mar 2004 14:27:48 +
Martin Wood [EMAIL PROTECTED] wrote:

i've created a normal account for the user, but when i get to do :

# smbpasswd -D10 -a marvsmb

i get :

ldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server as
cn=manager,dc=ideaworks3d,dc=com
Bind failed: Can't contact LDAP server
ldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server as
cn=manager,dc=ideaworks3d,dc=com
Bind failed: Can't contact LDAP server
Failed to add entry for user marvsmb.
Failed to modify password entry for user marvsmb
It seems your Samba-process can not (or is not allowed to -- what does
slapd-output say?) connect to the slapd-server properly.
Did you run smbpasswd -w $LDAP_BINDPW?
Cheers,
Max
--
The first time any man's freedom is trodden on, we're all damaged.
  Cpt. Picard, The Drumhead, StarTrek TNG
http://homex.subnet.at/~max/


[Samba] Winbind

2004-03-15 Thread Terry L. Eleiott
I am running Red Hat 9.0.  I recently upgraded to Samba 3.02 from 2.8 using
a binary.  Before the upgrade, winbind was available in RH's Service
Configuration as a service to be started on startup.  After the upgrade,
winbind is no longer available in RH's Service Configuration GUI and I must
start winbind manually.  The winbind script is in /etc/rc.d/init.d/ that
RH's Service Configuration monitors for services.  Does anyone know why
winbind would not be present in RH's Service Configuration GUI?

Thanks in advance,

Terry L. Eleiott, P.E.

TKE COMPANIES



AW: [Samba] user can't shut down windows clients?

2004-03-15 Thread Matthias Spork
Hello,

 i have 1 problem with samba NT styled domain logon.
 when i logon as root into a win2k box, i can connect and disconnect to
 domain, shutdown the PC and do many other stuff. cos i list domain admin
 group  = root in my smb.conf file.

 but when i logon as other users, i can't even shutdown the win2k box!!!
 i don't want to list all my users as domain admin group.
 i try using the domain user group, but still the same problem, can't
 shutdown.
 how to over come this problem???
 i didn't use any system edit program on the win2k box to restrict any
 users, but why users become restricted??? can't even shutdown PC???

Your users must be members of the Domain Users (-513). Then they can
shut down their machines.

matze



[Samba] Help identifying errors

2004-03-15 Thread Jim C.
1. Is there a reference that will help in the identification of Samba
errors?
2. Can anyone identify these errors?
I'm @ log level = 6 and I get:

Mar 15 10:58:01 enigma smbd3[4271]: [2004/03/15 10:58:01, 0] lib/util_sock.c:get_peer_addr(952)
Mar 15 10:58:01 enigma smbd3[4271]:   getpeername failed. Error was Transport endpoint is not connected
Mar 15 10:58:01 enigma smbd3[4271]: [2004/03/15 10:58:01, 0] lib/util_sock.c:get_peer_addr(952)
Mar 15 10:58:01 enigma smbd3[4271]:   getpeername failed. Error was Transport endpoint is not connected
Mar 15 10:58:01 enigma smbd3[4271]: [2004/03/15 10:58:01, 0] lib/access.c:check_access(328)
Mar 15 10:58:01 enigma smbd3[4271]: [2004/03/15 10:58:01, 0] lib/util_sock.c:get_peer_addr(952)
Mar 15 10:58:01 enigma smbd3[4271]:   getpeername failed. Error was Transport endpoint is not connected
Mar 15 10:58:01 enigma smbd3[4271]:   Denied connection from  (0.0.0.0)
Mar 15 10:58:01 enigma smbd3[4271]: [2004/03/15 10:58:01, 0] lib/util_sock.c:get_peer_addr(952)
Mar 15 10:58:01 enigma smbd3[4271]:   getpeername failed. Error was Transport endpoint is not connected
Mar 15 10:58:01 enigma smbd3[4271]:   Connection denied from 0.0.0.0
Mar 15 10:58:01 enigma smbd3[4271]: [2004/03/15 10:58:01, 0] lib/util_sock.c:write_socket_data(388)
Mar 15 10:58:01 enigma smbd3[4271]:   write_socket_data: write failure. Error = Connection reset by peer
Mar 15 10:58:01 enigma smbd3[4271]: [2004/03/15 10:58:01, 0] lib/util_sock.c:write_socket(413)
Mar 15 10:58:01 enigma smbd3[4271]:   write_socket: Error writing 5 bytes to socket 16: ERRNO = Connection reset by peer
Mar 15 10:58:01 enigma smbd3[4271]: [2004/03/15 10:58:01, 0] lib/util_sock.c:send_smb(605)
Mar 15 10:58:01 enigma smbd3[4271]:   Error writing 5 bytes to client. -1. (Connection reset by peer)
Mar 15 11:00:00 enigma CROND[4290]: (mail) CMD (/usr/bin/python -S /usr/lib/mailman/cron/gate_news)
Mar 15 11:01:00 enigma CROND[4301]: (root) CMD (nice -n 19 run-parts /etc/cron.hourly)
--
| I can be reached on the following Instant Messenger services: |
| MSN: [EMAIL PROTECTED]  AIM: WyteLi0n  ICQ: 123291844 |
| Y!: j_c_llings   Jabber: [EMAIL PROTECTED] |


[Samba] SWAT vs. idealx

2004-03-15 Thread Paul Gienger
Has anyone else had problems with SWAT borking your smb.conf file if you 
specify your smb.conf scripts section like idealx suggests? For example:

add machine script = /usr/local/sbin/smbldap-useradd -w "%u"

When I save that from SWAT, I lose the script parameters inside quotes.  
This caused me some aggravation this morning when I thought everything 
else worked just fine but the scripts appeared to be failing.  I would 
imagine the use of quotes is so that you can do stuff like add a group 
named "Some Screwed Up Group Name" and not have UNIX bonk out on you for 
having spaces.



RE: [Samba] Limiting to Windows domain groups

2004-03-15 Thread Matt Perkins
Jason,
You can reference Windows users in smb.conf but you need to configure
Samba with Winbind. See the Samba how-to at
http://us1.samba.org/samba/docs/Samba-HOWTO-Collection.pdf. 


On Monday, March 15, 2004, Jason Lehman wrote:

I am new to samba and I wasn't sure that I understood something
correctly.  I can set the invalid users setting to limit users to a
group but can I use windows groups in this setting and if so how do I
reference them.  I see how to do linux groups and nis groups but I
didn't see for windows.  Thank you for any help.


[Samba] understanding pam_ldap vs. winbindd

2004-03-15 Thread Matthias Eichler
Dear List,

some general question concerning the general understanding
of pam_ldap and winbindd.

I understand winbindd as a daemon who maps existing
Windows User from some SAM (for example NT or samba PDC)
into the unix os level.

On the member server (fileserver with acls) we have pam_ldap
running and over this way there are all users and groups
existing on the os level which we need for samba access.

Do I understand winbindd right in that way that I do not
need winbindd at all in this setup?

If no, why do I get map errors in the log that
SIDs can't be mapped to gid or uid?
(net groupmap list just shows -1 entries,
 manual groupmaps can't be inserted = error)

If yes, what's the failure in my logic?

Thanks for all input!

Matthias

P.S.: We were breaking our heads for hours now because
of these groupmap errors.


[Samba] two samba servers on a windows nt domain

2004-03-15 Thread Thomas Browner
Has anyone had problems with two samba servers on a windows 2000 
domain? This is what I am running into: I have a samba server that has 
been a member server on the windows 2000 domain for about four months 
and have not had any problems with it. Now I want to add another samba 
member server to the domain. When I add the other samba server it seems 
that it removes the first samba server.
Has anyone run into this problem?

Thanks,
Thomas


Re: [Samba] understanding pam_ldap vs. winbindd

2004-03-15 Thread Craig White
On Mon, 2004-03-15 at 12:48, Matthias Eichler wrote:
 Dear List,
 
 some general question concerning the general understanding
 of pam_ldap and winbindd.
 
 I understand winbindd as a daemon who maps existing
 Windows User from some SAM (for example NT or samba PDC)
 into the unix os level.
 
 On the member server (fileserver with acls) we have pam_ldap
 running and over this way there are all users and groups
 existing on the os level which we need for samba access.
 
 Do I understand winbindd right in that way that I do not
 need winbindd at all in this setup?
---
I would agree with that
---
   If no, why does I get map errors in the log that
   SIDs cant be mapped to gid or uid?
   (net groupmap list just shows -1 entries,
manual groupmaps cant be inserted = error)
 
   If yes, whats the failure in my logic?
---
net groupmap list (would have been nice to see that)

net groupmap modify sid=S-1-5-AND-SO-ON ntgroup="Domain Users" unixgroup=valid_unix_group type=domain

if groupmap exists for ntgroup, you either must delete it and then add
it or modify it.

Craig



Re: AW: [Samba] user can't shut down windows clients?

2004-03-15 Thread ksc133
hi matt,

sorry to bother u again.

i followed your instructions to create a domain user group GID -513
and assign all my users to that group.
but to my dismay, i still can't work?
i add domain user group = username1, to my smb.conf but still can't work?
then i changed all my users to the wheel group = power users. but also 
cannot?

is this a problem with win2k o/s rather than samba?
thanks Q




[Samba] 3.0.2a internal error (SIGABRT)

2004-03-15 Thread Paul Eggleton
Hi there,

We just upgraded from Samba 3.0.0 to 3.0.2a last weekend. It was working
well for a short time but then I restarted smbd and winbindd, and for
some unknown reason the user/group databases became corrupt. I had to
delete the contents of /var/cache/samba to get it to work again. Anyway,
it is back up and running, but now winbindd seems to be crashing about
once a day. Attached is an excerpt from log.winbindd.

The system is running Red Hat Linux 9.0, and is connected to a Windows
2000 SP4 Active directory domain. When re-joining the domain with net
join I found that it would not join via AD (failed after a long
timeout) and instead had to use RPC. I didn't notice this with 3.0.0. 

Cheers,
Paul



-
Paul Eggleton  Ph:+64-9-4154790
Software Developer Fax:   +64-9-4154791
CJN Technologies Ltd.  DDI:   +64-9-4154795
http://www.cjntech.co.nz   Email: [EMAIL PROTECTED]
- 

Re: [Samba] two subnets, one domain, several DCs?

2004-03-15 Thread Andreas
On Sat, Mar 13, 2004 at 12:31:54PM -0600, Paul Gienger wrote:
 One thing I've noticed though, is that since I've started testing in 
 'not the master LDAP server's subnet' I have to join the domain twice.  
 Once to get the machine into LDAP, then wait a couple seconds until I 
 hear the LDAP slave crunch through the slurpd push, and then join again 

Are you joining to the BDC instead of the PDC?

 and it works fine.   Basically I'm running into a replication delay.  I 
 know there's an option to set that higher so that maybe I don't have to 
 do it twice, but I can't remember what it is... is that what the 
 password chat timeout is set for?

No, I think it's ldap replication sleep.



Re: [Samba] Disabling Machine Account password change

2004-03-15 Thread Andrew Bartlett
On Mon, Mar 15, 2004 at 04:06:11PM +0100, Matthieu Le Corre wrote:
 
 Look at the options :
 machine password timeout
 on the samba server ;)
 
 
 machine password timeout = seconds 
 
 Default: 604,800
 
 Allowable values: number of seconds
 
 Sets the period between (NT domain) machine password changes. Default is 1 
 week, or 604,800 seconds.
 
 
 maybe this helps ;)

This is not relevant for a Samba PDC; the client chooses when to change the password.

The only thing a DC can do is set a system policy.

Andrew Bartlett


[Samba] Re: tdb_fetch failed

2004-03-15 Thread Jeff Umbach
I'm seeing this as well.

Lee Thao [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 My error messages are triggered by print jobs.  The print jobs DO go through
 but I get the same errors as yours in my /var/log/messages log file.  Anybody
 have any ideas?  What are the steps to troubleshoot this?

 Lee.


 -Original Message-
 From: Guy Van den Bergh [mailto:[EMAIL PROTECTED]
 Sent: Saturday, March 13, 2004 6:10 AM
 To: Lee Thao
 Subject: Re: [Samba] tdb_fetch failed

 I got the same problem: but it has something to do with users logged on to
 a terminal server 2003

 strange errors after upgrade to 3.0.2rc1, does somebody know the cause?
 The messages are from users connected on a terminal server.

 Mar  9 19:07:05 farma1 smbd[]: [2004/03/09 19:07:05, 0] smbd/connection.c:register_message_flags(220)
 Mar  9 19:07:05 farma1 smbd[]:   register_message_flags: tdb_fetch failed
 Mar  9 19:07:05 farma1 smbd[]: [2004/03/09 19:07:05, 0] smbd/connection.c:register_message_flags(220)
 Mar  9 19:07:05 farma1 smbd[]:   register_message_flags: tdb_fetch failed
 Mar  9 19:07:05 farma1 smbd[]: [2004/03/09 19:07:05, 0] smbd/connection.c:register_message_flags(220)

 - Original Message -
 From: Lee Thao [EMAIL PROTECTED]
 Newsgroups: linux.samba
 Sent: Friday, March 12, 2004 6:10 PM
 Subject: [Samba] tdb_fetch failed


  Does this mean that one of my tdb files is corrupt?
 
  Lee
 


RE: [Samba] 3.0.2a internal error (SIGABRT)

2004-03-15 Thread Paul Eggleton
Oops, I forgot attachments were being stripped. The log file excerpt can
be found here:

http://www.cjn.co.nz/samba/log.winbindd.crash2

Cheers,
Paul


[Samba] Print Queues Dying!!

2004-03-15 Thread Jeff Umbach
It started with one networked printer but it appears to have spread to
another and now all networked printers occasionally go down.  We have
several JetDirect boxes and one NetGear PS101 printer server served by CUPS,
the Windows computers access the print queues via Samba 3.0.2 on RedHat
Enterprise Server 3.

This is a very problematic issue and it is getting worse.  We used this same
type of set up with LPD at other installations without issue.  Is this a
known issue with Samba and CUPS or just a CUPS issue?  I'm trying to get LPD
installed to see if it works better.





[Samba] Re: printers unreachable in samba 3.0.2?

2004-03-15 Thread Jeff Umbach
What was the original post?  I think I may be having a similar issue.

michel desfawes [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 hello,

 I have read your response to the printer problem in samba 3.0.2


 but, can you explain me how to install this patch under redhat 7.3


 thanks

 Michel


Re: [Samba] Trouble replicating samba

2004-03-15 Thread Gémes Géza
Borja Pacheco írta:
| Dear all,
|
| I'm experiencing a big trouble with samba and an installation we had at my
| enterprise's intranet. This intranet is based on a Samba server v2 which
| acts as Primary Domain Controller, wins server and file server. All
| these features work great nowadays.
|
| Our issue is with a newer server with which we are interested to replace the
| previous samba server in order to improve the performance and
| reliability to our users. For this reason we have installed the samba
| daemon in this machine (keeping samba version, but minor version
| numbers) and we have copied everything from one server to the other, I
| mean, smb.conf, lmhost, smbpasswd, etc, and we have updated the smb.conf
| to change the IP address and netlogon name. Of course, we have updated
| the system's groups and users, and synchronized data.
|
| When we start up the service on the newest one (after shutting down in
| the other), we noticed that samba becomes domain master, master browser
| and that we can access files through smbclient. The trouble is with the
| MS Windows clients, which can't register in the domain anymore, Windows
| tells us that the machine account doesn't exist or the password is wrong.
| These accounts were created with smbpasswd -a -m, so they exist. So it
| seems that the autonegotiated password is failing.
|
| Does anybody know why it is failing? Is it related with the SIDs? What
| are these SIDs? Could you suggest me a solution?
Depending on your Samba version:

2.2.x
You should start your old Samba installation, then on your new machine as
root you should do smbpasswd -S (Terribly sorry, I'm not 100% sure about the -S
switch, I last used 2.2.x a long time ago, about a year, so please
read its manpage first)

3.0.x
Start your old Samba installation. Run net getlocalsid. Note the string
(S-...) obtained. Shut it down. Start up the new Samba installation, and
run net setlocalsid the_previously_noted string
After doing that you will need to rejoin those machines, which were
rejoined :-( .

Setting the correct SID is vital in the Windows world, since Windows
operating systems identify all security objects: domains, users, groups,
and computers, by their SID.
| PD. we tried to remove a Windows client from the domain, and later,
| register it again. And it seems to work, but we have to waste lots of
| time on every client, and we have more or less 300...
Best Regards

Geza
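
The SID dependency described in this reply can be checked before clients are touched. The following is an added example, not part of the original post and not Samba code: it compares the domain part of each account SID in an LDIF export with the SID a server reports. The function names, the LDIF and both SIDs are constructed for illustration, and the "SID for domain ... is:" line format of net getlocalsid is assumed.

```python
import re

# Domain-relative RIDs that are the same in every NT domain.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)(?:-(\d+))?$")


def split_sid(sid):
    """Split an NT domain SID into (domain_sid, rid).

    rid is None for a bare domain SID. Anything that is not an
    S-1-5-21-... SID (for example a builtin S-1-5-32-... one) is rejected.
    """
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    parts = [int(p) for p in m.groups() if p is not None]
    if any(p > 0xFFFFFFFF for p in parts):
        raise ValueError("sub-authority exceeds 32 bits: %r" % sid)
    domain = "S-1-5-21-%d-%d-%d" % tuple(parts[:3])
    rid = parts[3] if len(parts) == 4 else None
    return domain, rid


def parse_getlocalsid(output):
    """Extract the SID from a 'SID for domain NAME is: S-1-5-21-...' line."""
    m = re.search(r"\bis:\s*(S-1-5-21(?:-\d+){3})\s*$", output.strip())
    if not m:
        raise ValueError("no domain SID found in: %r" % output)
    return m.group(1)


def accounts_from_ldif(ldif):
    """Return {name: sambaSID} for every LDIF entry that carries a sambaSID."""
    accounts = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip().lower(), value.strip())
        name = attrs.get("uid") or attrs.get("cn")
        if name and "sambasid" in attrs:
            accounts[name] = attrs["sambasid"]
    return accounts


def audit(server_sid, accounts):
    """Return sorted (name, verdict, detail) tuples; verdict is ok/foreign/invalid."""
    server_domain, _ = split_sid(server_sid)
    report = []
    for name in sorted(accounts):
        try:
            domain, rid = split_sid(accounts[name])
        except ValueError as exc:
            report.append((name, "invalid", str(exc)))
            continue
        if rid is None:
            report.append((name, "invalid", "account SID has no RID"))
        elif domain != server_domain:
            # The account was issued under another domain SID: clients that
            # joined that domain will not recognise this server.
            report.append((name, "foreign", "belongs to " + domain))
        else:
            report.append((name, "ok", WELL_KNOWN_RIDS.get(rid, "rid %d" % rid)))
    return report


# Constructed sample data: SID lines from the old and the freshly installed
# server, and accounts carried over from the old one.
OLD_SERVER = "SID for domain EXAMPLE is: S-1-5-21-1111111111-2222222222-3333333333"
NEW_SERVER = "SID for domain EXAMPLE is: S-1-5-21-4000000001-555555555-666666666"
SAMPLE_LDIF = """\
dn: cn=Domain Users,ou=groups,dc=example,dc=test
cn: Domain Users
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: uid=ws01$,ou=machines,dc=example,dc=test
uid: ws01$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3001

dn: uid=ws02$,ou=machines,dc=example,dc=test
uid: ws02$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3003

dn: uid=broken$,ou=machines,dc=example,dc=test
uid: broken$
sambaSID: S-1-5-32-544
"""

if __name__ == "__main__":
    accounts = accounts_from_ldif(SAMPLE_LDIF)
    for label, line in (("new server", NEW_SERVER), ("old server", OLD_SERVER)):
        print(label)
        for row in audit(parse_getlocalsid(line), accounts):
            print("  %-14s %-8s %s" % row)
```

Against the new server's SID every carried-over account is reported as foreign; once the old SID is restored the same accounts report ok.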


Re: [Samba] trust secret location in WinXP

2004-03-15 Thread Csillag Tamás
On 03/15, Clint Sharp wrote:
 On Mon, 15 Mar 2004, Csillag Tamás wrote:
 
[...]
 
 The machine's sid only changes if you run a program to change it, 
 otherwise it will inherit the SID of the ghosted machine.  We use NewSID 
 from Sysinternals (http://www.sysinternals.com/), but GhostWalker which 
 comes from ghost or several other packages exist to do the same thing.  
 Having multiple machines with the same SID on your domain will cause very 
 unusual problems :).
Can you give me some examples?
I am really interested.
I use ldap as a backend, here is a machine account.

I do not understand how it can work in the domain if the machine's sid
does not change accordingly (on a particular machine).

dn: uid=sucker$,ou=machines,dc=itk,dc=ppke
uid: sucker$
sambaSID: S-1-5-21-1628963623-43893491-1455040052-181004
sambaPrimaryGroupSID: S-1-5-21-1628963623-43893491-1455040052-181005
displayName: sucker
sambaPwdCanChange: 1063609369
sambaPwdMustChange: 2147483647
sambaLMPassword: 6B77AF665E0B4665A9A5F808568734A4
sambaNTPassword: 6B77AF665E0B4665A9A5F808568734A4
sambaPwdLastSet: 1063609369
sambaAcctFlags: [W  ]
objectClass: sambaSamAccount
objectClass: account
structuralObjectClass: account
entryUUID: c251de74-6c14-1027-8621-f081c87e167e
creatorsName: cn=admin,dc=itk,dc=ppke
createTimestamp: 20030826132718Z
entryCSN: 2003091507:02:27Z#0x0001#0#
modifiersName: cn=admin,dc=itk,dc=ppke
modifyTimestamp: 20030915070227Z

(This is a fake entry)

Any ideas?

-- 
cstamas


Re: [Samba] Roaming profiles

2004-03-15 Thread Clint Sharp
On Mon, 15 Mar 2004, Andrew Judge wrote:

 I have a question about disabling roaming profiles.  Apparently we can
 do that by adding logon path = , but if we do that on a machine that has
 roaming enabled, will I have to go and change that to local on all the
 accounts or will it do it automatically?  Also, will that impact the
 users at all?
 
 Andy
 

Based on what I remember of disabling profiles on the server I have that 
actually has them disabled, it will automatically set the users to local 
profiles on machines which use it as a logon server.  Windows queries for 
the roaming profile path every time LogonUser() is called from Windows, so 
it shouldn't attempt to load a roaming profile when it doesn't return a 
path to load.

Clint



[Samba] join domain without root

2004-03-15 Thread Paul Szabo
Dear Samba gurus,

I am still using Samba 2.2.8a; I have not seen an announcement that this
issue would be fixed in 3.0.2; all that follows refers to 2.2.8a.

Quoting from Samba-PDC-HOWTO.html (or Samba-HOWTO-Collection.html):

  Joining the Client to the Domain
 Windows 2000
 ... Windows prompts for an account and password that is privileged to
 join the domain. A Samba administrative account (i.e., a Samba account
 that has root privileges on the Samba server) must be entered here ...

This seems an onerous imposition, as it involves a security risk. In my
environment (Samba PDC with W2k clients) the following patch solves the
issue, allowing any account marked domain admin in smb.conf to be used.

Cheers,

Paul Szabo - [EMAIL PROTECTED]  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia


--- rpc_server/srv_samr_nt.c.oldSat Mar 15 08:34:49 2003
+++ rpc_server/srv_samr_nt.cTue Mar 16 06:14:29 2004
@@ -2369,16 +2369,67 @@
uint32 len;
pstring buf;
uint16 acct_ctrl;
+   int do_become_root;
+   BOOL ret;
  
pdb_init_sam(pwd);
  
-   if (!pdb_getsampwrid(pwd, rid)) {
+/* PSz 15 Mar 04
+ * This code is called, as the domain admin, when a machine is joining
+ * the domain, both with netdom and via sysprep/mini-setup.
+ * Do as root (bracket within become_root()/unbecome_root() if it is
+ * a domain admin, updating his own machine password. (Otherwise the
+ * pdb_ calls fail for non-root.)
+ * More precisely: bracket pdb_getsampwrid if I am a domain admin; then
+ * also bracket pdb_update_sam_account if rid is my own machine account.
+ */
+   do_become_root = 0;
+   if (geteuid()) {
+   struct passwd* pass;
+   /* Should we use current_user-uid, or current_user-conn-uid
+* and current_user-conn-user, for any of this? */
+   if ( (pass=sys_getpwuid(geteuid())) != NULL ) {
+   if ( user_in_list(pass-pw_name, lp_domain_admin_group()) ) {
+   do_become_root = 1;
+   DEBUG(1, (set_user_info_pw: EUID %d for rid=%d(=0x%x), with 
become_root\n, geteuid(), rid, rid));
+   }
+   }
+   }
+
+   if (do_become_root) become_root();
+   ret = pdb_getsampwrid(pwd, rid);
+   if (do_become_root) unbecome_root();
+   if (ret != True) {
pdb_free_sam(pwd);
return False;
}

acct_ctrl = pdb_get_acct_ctrl(pwd);
 
+   if (do_become_root) {
+   char *username, *hostname, *s;
+   username = pdb_get_username(pwd);
+   DEBUG(0, (set_user_info_pw: EUID %d for %s, with become_root\n, 
geteuid(), username));
+   if ( !(acct_ctrl  ACB_WSTRUST) ) {
+   DEBUG(0, (set_user_info_pw: Not a machine account\n));
+   pdb_free_sam(pwd);
+   return False;
+   }
+   hostname = client_name();
+   /* Not simply len = strlen(hostname): stop at first dot */
+   for (s = hostname, len = 0; *s  *s != '.'; s++, len++);
+   if (! (
+   len  0 
+   len + 1 == strlen(username) 
+   username[len] == '$' 
+   strncmp(hostname,username,len) == 0
+   ) ) {
+   DEBUG(0, (set_user_info_pw: Wrong account %s for host %s\n, 
username, hostname));
+   pdb_free_sam(pwd);
+   return False;
+   }
+   }
+
memset(buf, 0, sizeof(buf));
  
if (!decode_pw_buffer(pass, buf, 256, len, nt_hash, lm_hash)) {
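Review bot: the only thing binding the caller to the target account on the root-bracketed path is the comparison of client_name() with the account name, and it is done with a case-sensitive strncmp(hostname,username,len), so a client whose resolved name and machine account differ only in case is refused, while the check as a whole is exactly as trustworthy as the name client_name() returns for the peer. Suggest a case-insensitive comparison and a sentence in the comment block stating that the check depends on that name. In the same hunk, the local "struct passwd* pass" shadows the "pass" that is handed to decode_pw_buffer() a few lines later, so renaming it (for example to pw) would avoid confusion; "len" is reused as the hostname loop counter although it is the variable declared for the password buffer length, and a separate local would be clearer; and the DEBUG(0, ...) that fires for every accepted machine account would sit better at a higher debug level, leaving level 0 for the two rejections.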
@@ -2414,7 +2465,10 @@
DEBUG(5,(set_user_info_pw: pdb_update_sam_account()\n));
  
/* update the SAMBA password */
-   if(!pdb_update_sam_account(pwd, True)) {
+   if (do_become_root) become_root();
+   ret = pdb_update_sam_account(pwd, True);
+   if (do_become_root) unbecome_root();
+   if (ret != True) {
pdb_free_sam(pwd);
return False;
}
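Review bot: the become_root() around pdb_update_sam_account() is gated on do_become_root alone, which is set before the machine-account and hostname checks run; it is safe only because those checks return early in the previous hunk. The comment there promises root for the update only "if rid is my own machine account", so a second flag that is set after the hostname comparison succeeds, and tested here, would make that guarantee explicit and keep it intact if code is later inserted between the two places. As a style point, "if (ret != True)" compares a BOOL against one particular true value; "if (!ret)" matches the test it replaces.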


Re: [Samba] Group Mapping Problems with Samba 3.0.2a OpenLDAP 2.2.6

2004-03-15 Thread Clint Sharp
On Mon, 15 Mar 2004, Chris Slack wrote:

 Hello all,
 
 I am attempting to setup a Samba 3.0.2a based PDC using OpenLDAP 2.2.6 for
 my user/group authentication backend.  So far everything seems to be working
 properly, I can join the domain from a Win2k PC, login via an account
 created with smbldap-useradd.pl, map my home directory, run the proper login
 script, etc.  However, with all of that working I'm still having
 difficulties getting group mapping to work.
 
 I've run through the steps in the Samba HOWTO manual and tried everything
 else I could find on the web but I'm stumped at this point.
 
 When I type:
 
 net groupmap list
 
 I get nothing, when I type:
 
 net groupmap add rid=512 ntgroup=Domain Admins unixgroup=Domain
 Admins
 
 I get the message adding entry for group Domain Admins failed!.  I've
 tried several permutations of this using different groups, I've tried adding
 groups to the local /etc/group file to see if it was having an issue with
 LDAP, but nothing seems to help.  I can't seem to find anyone else who has
 had this problem and like I said, everything else is working fine.  Attached
 to the bottom of this message is a dump from testparm with the details of my
 /etc/samba/smb.conf file.
 
 Please let me know if anyone can give me any suggestions.
 
 Thanks,
 
 Chris Slack
 IT System Administrator
 Mercy Ships
 M/V Anastasis - Currently docked in Freetown, Sierra Leone, West Africa
 www.mercyships.org
 

Chris,

What do your LDAP logs show samba is sending as the queries?  In the past 
when I've had this problem it was related to my ldap suffix.  User queries 
worked, but group queries did not (I had groups in a separate ou from 
users).  However, your user and group suffixes are not set in your 
smb.conf, so it's not the exact same problem I had.  Please send me the 
output from a:

net -d3 groupmap list

Clint



Re: [Samba] prf*.tmp in samba-profiles

2004-03-15 Thread Clint Sharp
On Mon, 15 Mar 2004, Matthias Spork wrote:

 
 Hello list,
 
 sometimes, when a user logs off, not ntuser.dat, but prf4EC.tmp, prf4ED,
 ..., will save.
 
 Does anyone have this problem, too?
 
 matze
 
 

I have lots of problems with roaming profiles, and this is one of them.  
In my case it's not service affecting though.  Is this causing you some 
sort of an issue?  This generally means Windows did not finish properly 
saving the roaming profile (at least in my experience).

Clint



[Samba] Speed issue

2004-03-15 Thread Daniel Kiss
Hi all,

I am trying to migrate a NetWare file server to samba (on Red Hat 9).

My problem is that unfortunately samba is somehow painfully slow, when we run DOS 
programs from it on the client machines.

The NetWare server is an ancient machine. P1, probably.
The Samba server is P4 3G, 1G RAM, RAID mirroring, etc.

We are running an old DOS program on the client machines, and when it's running from 
the Samba server it's less than half of the speed when it runs from the old NetWare 
machine. (It's an old database handler application, generating huge network traffic.)

As far as I can tell, in every aspect the Samba machine is far better than the NetWare 
one. The only main difference between the two is that Samba (Linux) and NetWare are 
using different network protocols.

Any idea?

Thanks,
Dan




[Samba] ldap auth no longer works with upgrade from 3.0-3.0.2?

2004-03-15 Thread John H.

Ok, I had ldap with samba working perfectly a few weeks ago.  however, I had no root 
account, since i was told not to have a root account on ldap server, so someone 
recommended i do this in smb.conf...
 passdb backend = smbpasswd

adding root user to samba with smbpasswd -a 

then changing smb.conf to this

 passdb backend = ldapsam:ldap://127.0.0.1 smbpasswd

so it could use both, right?

So a while later I let fedora up2date upgrade samba 3.0.0 rpms to 3.0.2.  Everything 
seemed to work fine afterward.
I looked in smbpasswd today, and I noticed all the ldap accounts, including the 
machine accounts are in there, as well as the root account.  I thought this odd, so I 
removed smbpasswd from the aforementioned line, and oddly enough, none of the ldap 
accounts could use samba anymore, getting nt_login_failure or whatever!  

however, in a command line, i can still id username and it shows their username, 
through ldap, and i can log in to unix with them(ssh and everything), but samba no 
longer recognizes them.  can someone tell me what i did wrong, or if this is a bug or 
something?  below i paste relevant parts of smb.conf


[global]
workgroup = DOMAINNAME
netbios name = NETBIOSNAME
netbios aliases = INTRANET
logon script = logon.cmd
logon home =
#\\homeserver\%u\winprofile
logon path =
domain logons = Yes
os level = 64
preferred master = Yes
encrypt passwords = Yes
domain master = Yes
wins support = Yes
encrypt passwords = Yes
update encrypted = Yes
auth methods = sam guest
security = USER

#ldap
passdb backend = ldapsam:ldap://127.0.0.1 smbpasswd
ldap suffix = dc=INTRANET
ldap machine suffix = ou=People
ldap passwd sync = yes
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap admin dn = cn=Manager,dc=INTRANET
ldap ssl = no
idmap backend = ldapsam:ldapsam://127.0.0.1
passwd chat debug = Yes
passwd program =/usr/local/sbin/smbldap-passwd -o %u
passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/local/sbin/smbldap-useradd -w %m
add user script = /usr/local/sbin/smbldap-useradd -a -n -m %u
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd %g
delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod -G %g %u





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] samba 2.2.3a / openLDAP connection problem

2004-03-15 Thread Markus Amersdorfer
On Mon, 15 Mar 2004 16:47:14 +
Martin Wood [EMAIL PROTECTED] wrote:

Hi,

> ok, thanks for the replies so far...I don't seem to be having much luck
> the samba and ldap servers are on the same machine..
> [...]
> ldapsearch -x '(cn=Manager)'
> gives :
> [nothing-found]

Can you add entries to and search the directory without any Samba
software involved?
What does ldapsearch -x return?
Also, try some more verbose ldapsearch-commands. Debian e.g. needs
/etc/ldap/ldap.conf to hold BASE and URI information in order for
ldapsearch -x '(pattern)' to succeed (AFAICT), otherwise you have to
set these options explicitly...

Cheers,
Max

-- 
The first time any man's freedom is trodden on, we're all damaged.
   Cpt. Picard, The Drumhead, StarTrek TNG

http://homex.subnet.at/~max/


Re: [Samba] two samba servers on a windows nt domain

2004-03-15 Thread John H Terpstra
On Mon, 15 Mar 2004, Thomas Browner wrote:

> Has anyone had problems with two samba servers on a windows 2000
> domain. This is what I am running into: I have a samba server that has
> been a member server on the windows 2000 domain for about four months
> and have not had any problems with it. Now I want to add another samba
> member server to the domain. When I add the other samba server it seems
> that it removes the first samba server.
> Has anyone run into this problem?

Make sure that you do not have a name-space clash. ie: What are the
hostnames of your Samba servers?

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


RE: [Samba] ldap auth no longer works with upgrade from 3.0-3.0.2?

2004-03-15 Thread John H.

k, it seems only certain accounts do work on samba with ldap, others do not.

the first one does not, the second one does.
any ideas?
?php
# safety, People, INTRANET
dn: uid=safety,ou=People,dc=INTRANET
shadowLastChange: 12418
shadowMax: 9
shadowWarning: 7
sambaAcctFlags: [U  ]
sambaSID: S-1-5-21-4070452498-3149834983-2923667569-2000
sambaPwdCanChange: 1075750753
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1075750753
sambaNTPassword: B34EY5E59X50620EACZ9FF5B4C3C359A
gecos: Mikey
sambaLMPassword: D2B5A9E561CABAB5AAD3B435B51404EE
loginShell: /bin/bash
uid: safety
uidNumber: 500
gidNumber: 504
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: phpgwAccount
objectClass: sambaSamAccount
homeDirectory: /home/safety
cn: user pass
userPassword:: e1NNRDV2V9VqNVEwYxh2anZUcTAra2pqYWVzSjg3RWI0PQ==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1




WORKING
dn: uid=david,ou=People,dc=INTRANET
shadowLastChange: 12418
sambaSID: S-1-5-21-4070452498-3149834983-2923667569-2002
sambaPrimaryGroupSID: S-1-5-21-4070452498-3149834983-2923667569-1201
displayName: David
sambaPwdCanChange: 1075763078
sambaPwdLastSet: 1075763078
sambaAcctFlags: [U  ]
sambaPwdMustChange: 2147483647
homeDirectory: /home/david
sambaLMPassword: F3289011E7FBB7D1AAD3B435B51404EE
uidNumber: 501
loginShell: /bin/bash
cn: David
uid: david
gidNumber: 100
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: phpgwAccount
gecos: David
sambaNTPassword: 22GFDXE1C98968F33C19F452A46875A3
userPassword:: e2NxeXB0zTZScTMwbGFhdlBxZS4=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
? 





 --- On Mon 03/15, John H.  [EMAIL PROTECTED]  wrote:
From: John H. [mailto: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Mon, 15 Mar 2004 17:16:49 -0500 (EST)
Subject: [Samba] ldap auth no longer  works with upgrade from 3.0-3.0.2?

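To narrow down why one entry authenticates and the other does not, the two `ldapsearch` results can be compared attribute by attribute. The script below is an added example, not part of the original message; its function names are hypothetical, and the embedded LDIF is a constructed copy of the two entries with the password hashes left out and one value folded and one base64-encoded to exercise the parser.

```python
"""Compare LDAP account entries (LDIF) to see which attributes one lacks."""
import base64

# Constructed sample based on the two entries in the message above.
SAMPLE_LDIF = """\
# safety, People, INTRANET
dn: uid=safety,ou=People,dc=INTRANET
shadowMax: 9
shadowWarning: 7
sambaAcctFlags: [U  ]
sambaSID: S-1-5-21-4070452498-3149834983-2923667569-2000
uid: safety
uidNumber: 500
gidNumber: 504
objectClass: posixAccount
objectClass: sambaSamAccount

dn: uid=david,ou=People,dc=INTRANET
sambaSID: S-1-5-21-4070452498-3149834983-2923667569-2002
sambaPrimaryGroupSID: S-1-5-21-4070452498-3149834983-
 2923667569-1201
displayName:: RGF2aWQ=
sambaAcctFlags: [U  ]
uid: david
uidNumber: 501
gidNumber: 100
objectClass: posixAccount
objectClass: sambaSamAccount

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return {dn: {attribute_lowercased: [values]}} for each entry."""
    unfolded = []
    for raw in text.splitlines():
        # LDIF folding: a line starting with one space continues the previous line.
        if raw.startswith(" ") and unfolded and unfolded[-1]:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, record, dn = {}, {}, None
    for line in unfolded + [""]:  # the trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            # Records without a dn (the ldapsearch trailer) are dropped.
            if dn is not None:
                entries[dn] = record
            record, dn = {}, None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        else:
            record.setdefault(attr.lower(), []).append(value)
    return entries


def compare_to_reference(entries, reference_dn, object_class="sambaSamAccount"):
    """For each entry of object_class, list attributes missing from / extra to the reference."""
    reference = set(entries[reference_dn])
    report = {}
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if dn == reference_dn or object_class.lower() not in classes:
            continue
        report[dn] = {
            "missing": sorted(reference - set(attrs)),
            "extra": sorted(set(attrs) - reference),
        }
    return report


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    result = compare_to_reference(parsed, "uid=david,ou=People,dc=INTRANET")
    for dn, diff in result.items():
        print(dn)
        print("  missing:", ", ".join(diff["missing"]) or "-")
        print("  extra:  ", ", ".join(diff["extra"]) or "-")
```

Attribute names are compared in lower case because LDAP attribute names are case-insensitive.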

RE: [Samba] Speed issue

2004-03-15 Thread Edward Ashley
I have done the same thing and dramatically increased the speed of the
system. Does the system slow down only when you have more than one user
accessing the database? This is a problem I found when trying to upgrade it
to a windows 2000 server.
Anyway if you let me have a look at your smb.conf I might be able to work
out why.
Just for starters though try setting oplocks to off.
Ned

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Daniel Kiss
Sent: 15 March 2004 21:58
To: [EMAIL PROTECTED]
Subject: [Samba] Speed issue

Hi all,

I am trying to migrate a NetWare file server to samba (on Red Hat 9).

My problem is that unfortunately samba is somehow painfully slow, when we
run DOS programs from it on the client machines.

The NetWare server is an ancient machine. P1, probably.
The Samba server is P4 3G, 1G RAM, RAID mirroring, etc.

We are running an old DOS program on the client machines, and when it's
running from the Samba server it's less than half of the speed when it runs
from the old NetWare machine. (It's an old database handler application,
generating huge network traffic.)

As far as I can tell, in every aspect the Samba machine is far better than
the NetWare one. The only main difference between the two is that Samba
(Linux) and NetWare are using different network protocols.

Any idea?

Thanks,
Dan




[Samba] I get authenicated but I can't get to share

2004-03-15 Thread Lehman, Jason (Registrar's Office)
I see in the log where I get authenticated but it won't let me have
access to the share from Windows XP to linux box.  If I set up the
server without domain auth on samba and setup a matching account on the
linux box I have no problems accessing.  But we want to use domain auth.
So then if I setup domain auth I can get authenticated in fact I can
login to the linux box with my windows username and password but I can't
then reference setup shares with \\ip\share from
windows.  I have tried in valid users the values username,
domain+username, and a group that has my username.  All show up in the
log as authenticating me but all also say no access to share.  Any help
would be appreciated.  Below is my conf file

 

# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2004/03/15 18:32:47
 
# Global parameters
[global]
workgroup = DOMAIN_NAME
server string = Test Samba Server
security = DOMAIN
log level = 2
name resolve order = wins lmhosts bcast
os level = 10
preferred master = No
local master = No
domain master = No
wins server = 000.000.000.000 #are actual ip address here
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
winbind separator = +
 
[web]
path = /var/www/html
read only = No
valid users = jlehman

 

 

Jason Lehman

Webmaster, Registrar's Office

(813)974-4157 Phone

574-4157 Suncom

(813)974-5271 FAX

[EMAIL PROTECTED] Email

 



[Samba] M$ W2K Clients get requests to change samba password -- PDC is a samba 2.2.8a

2004-03-15 Thread M. D. Parker
I am seeing an intermittent problem that bugs just a few people, infrequently.
We use a Linux RH8 / Samba 2.2.8a PDC and the clients are W2K SP3 systems with
current M$ patches.

At times, users get a message that their password expires in XX days and
if they would like to change them.

The smbpasswd file for all user entries are marked with the flags 'UX' meaning
of course the password NEVER expires.

I have verified that the RH shadow passwords (should not be used) are set to never
expire.  And obey pam restrictions=no.



RE: [Samba] mapping home dir

2004-03-15 Thread Shawn Iverson

On Friday, March 12, 2004 12:38 PM IT Clown wrote:
 
> Hi
>
> I am running a RH9 box in a w2k domain. I have installed
> winbind on the RH9 box joined it to the domain
> successfully. Domain users can login with their accounts.
> The problem is when they login they get a message stating
> that their home dir doesn't exist. How can i map their
> home dir that is on a w2k member server and how can i
> create their home dir on the RH9 box when the domain users
> login? I would prefer to map their home dir from the member
> server.
 

Use pam_mkhomedir to make your local home directories (see the pam docs for
how to do this).

To mount a Windows home share on which a user has permissions, use
pam_mount.  This module will transfer the password using PAM that a user
enters during login to the appropriate mount command.

Download pam_mount from:

http://www.flyn.org/projects/pam_mount/index.html

Read the docs.  Here is my configuration:

/etc/security/pam_mount.conf:

(last line in the file)  

volume * smb WinServer  /home//WinHome uid=,gid= - -

Edit the /etc/pam.d/ files accordingly.



[Samba] ACLs, fedora core 1 and samba 3.0.2a-1

2004-03-15 Thread Flip Johnson
Hi all,

I'm having problems implementing ACLs with the above configuration.
I've rebuilt my kernel, mounted the share with the acl option and
recompiled samba with --with-acl-support. I have the nt acl support
= yes in my config and can change the ownership with a chmod to my
domain users so I know winbind is working.
If I try to apply an ACL with smbcacls I get the following error:
ERROR: Unable to open credentials file!
If I try to apply permissions from our domain controller (an NT4 box) or 
from an XP machine with an admin rights user I get Access Denied.

Any help is GREATLY appreciated.

Phil



[Samba] could not initialise lsa pipe - unable to join domain

2004-03-15 Thread Craig Silva
Have installed Redhat ES 3.1 and updated to samba-3.02-6.3E

The PDC is solaris running PC netlink.

Can join the domain if running samba 2.28.

Have tried net oldjoin as well as net join but to no avail.

Debug level 5 dump attached.


Any help appreciated.


[2004/03/16 11:56:53, 5] lib/debug.c:debug_dump_status(360)
  INFO: Current debug levels:
all: True/5
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
quota: False/0
[2004/03/16 11:56:53, 3] param/loadparm.c:lp_load(3819)
  lp_load: refreshing parameters
[2004/03/16 11:56:53, 3] param/loadparm.c:init_globals(1300)
  Initialising global parameters
[2004/03/16 11:56:53, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file
/etc/samba/smb.conf
[2004/03/16 11:56:53, 3] param/loadparm.c:do_section(3331)
  Processing section [global]
  doing parameter workgroup = MCC
  doing parameter server string = samba server
  doing parameter printcap name = /etc/printcap
  doing parameter load printers = yes
  doing parameter log file = /var/log/samba/%m.log
  doing parameter max log size = 50
  doing parameter security = DOMAIN
  doing parameter password server = 172.17.250.171 bell_nt4_ora1 pear
tomato
  doing parameter password level = 8
  doing parameter username level = 8
  doing parameter encrypt passwords = yes
  doing parameter smb passwd file = /etc/samba/smbpasswd
  doing parameter username map = /etc/samba/smbusers
  doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192
SO_SNDBUF=8192
  doing parameter local master = no
  doing parameter os level = 33
  doing parameter wins server = 172.17.250.147
  doing parameter dns proxy = no
[2004/03/16 11:56:53, 4] param/loadparm.c:lp_load(3851)
  pm_process() returned Yes
[2004/03/16 11:56:53, 5] lib/iconv.c:smb_register_charset(95)
  Attempting to register new charset UCS-2LE
[2004/03/16 11:56:53, 5] lib/iconv.c:smb_register_charset(103)
  Registered charset UCS-2LE
[2004/03/16 11:56:53, 5] lib/iconv.c:smb_register_charset(95)
  Attempting to register new charset UTF8
[2004/03/16 11:56:53, 5] lib/iconv.c:smb_register_charset(103)
  Registered charset UTF8
[2004/03/16 11:56:53, 5] lib/iconv.c:smb_register_charset(95)
  Attempting to register new charset ASCII
[2004/03/16 11:56:53, 5] lib/iconv.c:smb_register_charset(103)
  Registered charset ASCII
[2004/03/16 11:56:53, 5] lib/iconv.c:smb_register_charset(95)
  Attempting to register new charset 646
[2004/03/16 11:56:53, 5] lib/iconv.c:smb_register_charset(103)
  Registered charset 646
[2004/03/16 11:56:53, 5] lib/iconv.c:smb_register_charset(95)
  Attempting to register new charset ISO-8859-1
[2004/03/16 11:56:53, 5] lib/iconv.c:smb_register_charset(103)
  Registered charset ISO-8859-1
[2004/03/16 11:56:53, 5] lib/iconv.c:smb_register_charset(95)
  Attempting to register new charset UCS2-HEX
[2004/03/16 11:56:53, 5] lib/iconv.c:smb_register_charset(103)
  Registered charset UCS2-HEX
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE
[2004/03/16 11:56:53, 5] lib/charcnv.c:charset_name(74)
  Substituting charset 'UTF-8' for LOCALE

[Samba] matching UIDs to RIDs when converting from Windows to Samba

2004-03-15 Thread Ed Ravin
I have a bunch of Windows users using a Win2k server as a PDC.  I want
to move all the server functions to a Samba server without disturbing
the users in any way.  The client machines are all Win2k, using local
profiles.

Samba insists on algorithmically generating the RID from the UID, so the
Windows user, after migration, gets a new SID and loses contact with
their local profile.  In fact, they seem to be an entirely different
user, with a new SID and new profile directory.

I haven't had any luck yet using the profiles tool to convert
NTUSER.DAT, and I don't really want to go that route if I can help
it, since it involves converting to remote profiles which slows down
login/logout and doesn't meet my seamless migration requirements.

Is there any way to get Samba to match the Unix UIDs to Windows RIDs,
or to force the RIDs to be particular values as we can do with
net groupmap for groups?

Thanks,

-- Ed


[Samba] Yahoo! Auto Response

2004-03-15 Thread fthaoabc
For any matters to discuss, please go to the forum:
http://www.tinhocabc.com
My nick is HueNhi - Admin
Please do not send to this mailbox.
Thank you. (This message was answered automatically)




Original Message:


X-Rocket-Spam: 203.210.159.230
X-YahooFilteredBulk: 203.210.159.230
X-Rocket-Track: 1372813: 20 ; SERVER=66.218.86.215
Return-Path: [EMAIL PROTECTED]
Received: from 203.210.159.230  (EHLO yahoo.com) (203.210.159.230)
  by mta123.mail.scd.yahoo.com with SMTP; Mon, 15 Mar 2004 17:17:48 -0800
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Document
Date: Tue, 16 Mar 2004 08:17:57 +0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary==_NextPart_000_0005_216C.32B7
X-Priority: 3
X-MSMail-Priority: Normal

This is a multi-part message in MIME format.

--=_NextPart_000_0005_216C.32B7
Content-Type: text/plain;
charset=Windows-1252
Content-Transfer-Encoding: 7bit

Please have a look at the attached file.

--=_NextPart_000_0005_216C.32B7
Content-Type: application/octet-stream;
name=your_document.pif
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=your_document.pif


[Samba] (no subject)

2004-03-15 Thread mail
A message addressed to you was refused by exim
It contained an unauthorized attached file: exe,bat,zip,...
the author of this mail is: [EMAIL PROTECTED]


[Samba] configure failed, with option --with-ads (samba 3.0.2a)

2004-03-15 Thread Jeffrey Liu
I'm configuring samba v3.0.2a on Solaris 8 machine.
# ./configure   (completed, to be sure default is ok)
then rm configure.log and configure.status, start again.
# ./configure  --with-ads(failed)

checking for ldap_initialize... no
configure: WARNING: libldap is needed for LDAP support
checking for Active Directory and krb5 support... yes
configure: error: Active Directory Support requires LDAP support

but libldap is on this machine:
% uname -a
SunOS hostname 5.8 Generic_108528-17 sun4u sparc SUNW,Ultra-2
% pkginfo | grep -i ldap
system  SUNWlldap  LDAP Libraries
% ls -la /usr/lib/libldap*
lrwxrwxrwx   1 root root  14 Mar 24  2003 /usr/lib/libldap.so -> ./libldap.so.4
-rwxr-xr-x   1 root bin   225808 Jan  5  2000 /usr/lib/libldap.so.3
-rwxr-xr-x   1 root bin   225712 Aug 30  2002 /usr/lib/libldap.so.4

The reason to use --with-ads, is that I want to join Samba server to 
Active Directory domain as a member server.  (security = ADS)
 
Does samba require a different libldap than SunOS's?
 
thanks,
 
Jeffrey


Re: [Samba] matching UIDs to RIDs when converting from Windows to Samba

2004-03-15 Thread Andrew Bartlett
On Mon, Mar 15, 2004 at 08:11:42PM -0500, Ed Ravin wrote:
> I have a bunch of Windows users using a Win2k server as a PDC.  I want
> to move all the server functions to a Samba server without disturbing
> the users in any way.  The client machines are all Win2k, using local
> profiles.
>
> Samba insists on algorithmically generating the RID from the UID, so the
> Windows user, after migration, gets a new SID and loses contact with
> their local profile.  In fact, they seem to be an entirely different
> user, with a new SID and new profile directory.

If you used a 'real' passdb backend, like ldapsam and tdbsam, then
this should 'just work'.

> I haven't had any luck yet using the profiles tool to convert
> NTUSER.DAT, and I don't really want to go that route if I can help
> it, since it involves converting to remote profiles which slows down
> login/logout and doesn't meet my seamless migration requirements.
>
> Is there any way to get Samba to match the Unix UIDs to Windows RIDs,
> or to force the RIDs to be particular values as we can do with
> net groupmap for groups?

For users, this is done by matching names via getpwnam().  We are
working to make it work on a table, sort of like the way group mapping
works, in Samba HEAD.

Andrew  Bartlett


[Samba] net groupmap problems

2004-03-15 Thread Ed Ravin
On Mon, Mar 15, 2004 at 08:11:42PM -0500, Ed Ravin wrote:
> Is there any way to get Samba to match the Unix UIDs to Windows RIDs,
> or to force the RIDs to be particular values as we can do with
> net groupmap for groups?

Speaking of which, I'm having trouble with that command too (samba-3.0.2a,
running on Red Hat 6.x Linux with some new bits grafted into it).

I started by deleting group_mapping.tdb and starting the server.

  # net groupmap list | grep Users
  Power Users (S-1-5-32-547) -> -1
  Users (S-1-5-32-545) -> -1
  Domain Users (S-1-5-21-662018651-3907110178-816287836-513) -> -1

Now, I want to map Domain Users to my local users group and keep
the same RID:

  [root migration]# net groupmap add rid=513 unixgroup=users type=domain ntgroup='Domain Users'
  adding entry for group Domain Users failed!

Well, that's a helpful error message.  What's going on here?

I've noticed that I can do this without specifying the RID:

  # net groupmap add  unixgroup=users type=domain ntgroup='Domain Users'
  No rid or sid specified, choosing algorithmic mapping
  Successully added group Domain Users to the mapping db

But now, there are TWO entries in the map for Domain Users:

  # net groupmap list | grep Users
  Power Users (S-1-5-32-547) -> -1
  Domain Users (S-1-5-21-662018651-3907110178-816287836-1201) -> users
  Users (S-1-5-32-545) -> -1
  Domain Users (S-1-5-21-662018651-3907110178-816287836-513) -> -1

And running rpcclient against localhost reports that Domain Users
is RID 1201, not 513.

Other experiments show that there will always be an entry for Domain Users
with rid 513 pointing to -1, even when I explicitly try to delete it.

-- Ed


Re: [Samba] net groupmap problems

2004-03-15 Thread John H Terpstra
On Mon, 15 Mar 2004, Ed Ravin wrote:

> On Mon, Mar 15, 2004 at 08:11:42PM -0500, Ed Ravin wrote:
> > Is there any way to get Samba to match the Unix UIDs to Windows RIDs,
> > or to force the RIDs to be particular values as we can do with
> > net groupmap for groups?
>
> Speaking of which, I'm having trouble with that command too (samba-3.0.2a,
> running on Red Hat 6.x Linux with some new bits grafted into it).
>
> I started by deleting group_mapping.tdb and starting the server.
>
>   # net groupmap list | grep Users
>   Power Users (S-1-5-32-547) -> -1
>   Users (S-1-5-32-545) -> -1
>   Domain Users (S-1-5-21-662018651-3907110178-816287836-513) -> -1
>
> Now, I want to map Domain Users to my local users group and keep
> the same RID:
>
>   [root migration]# net groupmap add rid=513 unixgroup=users type=domain ntgroup='Domain Users'
>   adding entry for group Domain Users failed!

No way! Try the following:

net groupmap modify ntgroup="Domain Users" unixgroup=users


> Well, that's a helpful error message.  What's going on here?
>
> I've noticed that I can do this without specifying the RID:
>
>   # net groupmap add  unixgroup=users type=domain ntgroup='Domain Users'
>   No rid or sid specified, choosing algorithmic mapping
>   Successully added group Domain Users to the mapping db
>
> But now, there are TWO entries in the map for Domain Users:
>
>   # net groupmap list | grep Users
>   Power Users (S-1-5-32-547) -> -1
>   Domain Users (S-1-5-21-662018651-3907110178-816287836-1201) -> users
>   Users (S-1-5-32-545) -> -1
>   Domain Users (S-1-5-21-662018651-3907110178-816287836-513) -> -1
>
> And running rpcclient against localhost reports that Domain Users
> is RID 1201, not 513.

net groupmap delete ntgroup="Domain Users"

will get rid of the entry you added.


> Other experiments show that there will always be an entry for Domain Users
> with rid 513 pointing to -1, even when I explicitly try to delete it.

Maybe you could find what you are looking for in the
Samba-HOWTO-Collection.pdf. See:

http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf

- John T.
-- 
John H Terpstra
Email: [EMAIL PROTECTED]


[Samba] smbclient with lanman auth=no unable to connect

2004-03-15 Thread Dion Sasmito
Hi all,

In short, how do you force smbclient not to use Lanman passwords ?

I specify these in my smb.conf
lanman auth = no
min protocol = NT1

Trying smbclient from the same host,
[EMAIL PROTECTED] root]# smbclient //fileservertest/private -U somebody
Password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.2a]
tree connect failed: NT_STATUS_WRONG_PASSWORD

Here are the logs,
[2004/03/17 00:00:52, 3] libsmb/ntlm_check.c:ntlm_password_check(306)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user somebody
[2004/03/17 00:00:52, 3] libsmb/ntlm_check.c:ntlm_password_check(371)
  ntlm_password_check: LM password, NT MD4 password in LM field and LMv2
failed for user somebody
[2004/03/17 00:00:52, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [somebody] - [somebody]
FAILED with error NT_STATUS_WRONG_PASSWORD
[2004/03/17 00:00:52, 2] smbd/service.c:make_connection_snum(410)
  Invalid username/password for [private]
[2004/03/17 00:00:52, 3] smbd/error.c:error_packet(118)
  error packet at smbd/reply.c(286) cmd=117 (SMBtconX)
NT_STATUS_WRONG_PASSWORD

If I put lanman auth=no, it works, both from smbclient and from Win98.

Based on these, I figure if I can force smbclient not to send the password as
lanman I should be able to connect. But I'm not sure, I might have missed
something.

I've also tried with smbclient //fileservertest/private -U somebody -s
/path/to/smb.conf.
That didn't work either. 
Tried smbclient //fileservertest/private -U workstation -m NT1 also doesn't
work.

Does anyone have any suggestion or ideas ? Or direct me to the appropriate
docs or source code that I should look at ?

Dion Sasmito
Computer Engineer
Luxindo Enterprise Pty Ltd, Australia


[Samba] (3.0.2a) nsswitch/winbindd_user.c:winbindd_getpwnam(157)

2004-03-15 Thread Ken Wright
After connecting to the samba server as a domain user without password 
challenge, authenticating against a w2k DC (security = ADS), with 
winbindd running, I can navigate the shares successfully but cannot 
write to the share.

I have done net groupadd ... to map windoze-unix groups.
I am assuming from the log entries below that my access problem lies in 
the given errors. How to resolve?

Also, I have seen a variety of conflicting examples of how to properly 
define domain users and groups in smb.conf. Can someone provide the 
proper definition that has evolved for 3.0.2a?

From winbind.log:
-
nsswitch/winbindd_user.c:winbindd_getpwnam(157)
user 'SERVER$' does not exist
From the SERVER.log:

[2004/03/15 18:08:02, 1] smbd/sesssetup.c:reply_spnego_kerberos(245)
Username DOMAIN+SERVER$ is invalid on this system
Thanks,

Ken



Re: [Samba] matching UIDs to RIDs when converting from Windows to Samba

2004-03-15 Thread Ed Ravin
On Tue, Mar 16, 2004 at 01:26:11AM +, Andrew Bartlett wrote:
> On Mon, Mar 15, 2004 at 08:11:42PM -0500, Ed Ravin wrote:
> > I have a bunch of Windows users using a Win2k server as a PDC.  I want
> > to move all the server functions to a Samba server without disturbing
> > the users in any way.  The client machines are all Win2k, using local
> > profiles.
> >
> > Samba insists on algorithmically generating the RID from the UID, so the
> > Windows user, after migration, gets a new SID and loses contact with
> > their local profile.  In fact, they seem to be an entirely different
> > user, with a new SID and new profile directory.
>
> If you used a 'real' passdb backend, like ldapsam and tdbsam, then
> this should 'just work'.

Thanks, but it doesn't.  I looked up tdbedit and the HOWTO and did
the following:

   ; added this to smb.conf
   passdb backend = tdb

   # ran this:
   # pdbedit -i smbpasswd

Now, if I look at the table with pdbedit:

  # pdbedit -L -u bilbo
  bilbo:1112:Bilbo Baggins

That looks good, but when I query via rpcclient for the RID, it's still
3224, which is the value returned by the algorithmic mapping (1112 * 2 + 1000).

If I run tdbdump | grep -C2 bilbo I see this:

  {
  key = RID_0c98\00
  data = bilbo\00
  }

0xc98 is 3224.  It looks like the algorithmic mapping happened when I
ran pdbedit -i.  Even if I use pdbedit -u bilbo -U sid-string-1112,
the stored value in the TDB is still 0xc98.  Clearly, something is
enforcing the mapping on the way into or out of the TDB backend.

Are you sure this is supposed to just work?


RE: [Samba] ldap auth no longer works with upgrade from 3.0-3.0.2?

2004-03-15 Thread Craig White
No sambaPrimaryGroupSID on first one (non-working) - next issue?  You
have taken some marginal advice.

Craig

On Mon, 2004-03-15 at 15:46, John H. wrote:
 k, it seems only certain accounts do work on samba with ldap, others do not.
 
 the first one does not, the second one does.
 any ideas?
 ?php
 # safety, People, INTRANET
 dn: uid=safety,ou=People,dc=INTRANET
 shadowLastChange: 12418
 shadowMax: 9
 shadowWarning: 7
 sambaAcctFlags: [U  ]
 sambaSID: S-1-5-21-4070452498-3149834983-2923667569-2000
 sambaPwdCanChange: 1075750753
 sambaPwdMustChange: 2147483647
 sambaPwdLastSet: 1075750753
 sambaNTPassword: B34EY5E59X50620EACZ9FF5B4C3C359A
 gecos: Mikey
 sambaLMPassword: D2B5A9E561CABAB5AAD3B435B51404EE
 loginShell: /bin/bash
 uid: safety
 uidNumber: 500
 gidNumber: 504
 objectClass: account
 objectClass: posixAccount
 objectClass: top
 objectClass: shadowAccount
 objectClass: phpgwAccount
 objectClass: sambaSamAccount
 homeDirectory: /home/safety
 cn: user pass
 userPassword:: e1NNRDV2V9VqNVEwYxh2anZUcTAra2pqYWVzSjg3RWI0PQ==
 
 # search result
 search: 2
 result: 0 Success
 
 # numResponses: 2
 # numEntries: 1
 
 
 
 
 WORKING
 dn: uid=david,ou=People,dc=INTRANET
 shadowLastChange: 12418
 sambaSID: S-1-5-21-4070452498-3149834983-2923667569-2002
 sambaPrimaryGroupSID: S-1-5-21-4070452498-3149834983-2923667569-1201
 displayName: David
 sambaPwdCanChange: 1075763078
 sambaPwdLastSet: 1075763078
 sambaAcctFlags: [U  ]
 sambaPwdMustChange: 2147483647
 homeDirectory: /home/david
 sambaLMPassword: F3289011E7FBB7D1AAD3B435B51404EE
 uidNumber: 501
 loginShell: /bin/bash
 cn: David
 uid: david
 gidNumber: 100
 objectClass: account
 objectClass: posixAccount
 objectClass: top
 objectClass: shadowAccount
 objectClass: sambaSamAccount
 objectClass: phpgwAccount
 gecos: David
 sambaNTPassword: 22GFDXE1C98968F33C19F452A46875A3
 userPassword:: e2NxeXB0zTZScTMwbGFhdlBxZS4=
 
 # search result
 search: 2
 result: 0 Success
 
 # numResponses: 2
 # numEntries: 1




Re: [Samba] M$ W2K Clients get requests to change samba password -- PDC is a samba 2.2.8a

2004-03-15 Thread Craig White
On Mon, 2004-03-15 at 16:39, M. D. Parker wrote:
 I am seeing an intermittent problem that bugs just a few people,
 infrequently.
 We use a Linux RH8 / Samba 2.2.8a PDC and the clients are W2K SP3 systems
 with current M$ patches.
 
 At times, users get a message that their password expires in XX days and
 if they would like to change them.
 
 The smbpasswd file for all user entries are marked with the flags 'UX'
 meaning of course the password NEVER expires.
 
 I have verified that the RH shadow passwords (should not be used) are set to
 never expire.  And obey pam restrictions=no.

sounds to me like a local policy issue

Craig



Re: [Samba] matching UIDs to RIDs when converting from Windows to Samba

2004-03-15 Thread John H Terpstra
On Mon, 15 Mar 2004, Ed Ravin wrote:

 On Tue, Mar 16, 2004 at 01:26:11AM +, Andrew Bartlett wrote:
  On Mon, Mar 15, 2004 at 08:11:42PM -0500, Ed Ravin wrote:
   I have a bunch of Windows users using a Win2k server as a PDC.  I want
   to move all the server functions to a Samba server without disturbing
   the users in any way.  The client machines are all Win2k, using local
   profiles.
  
   Samba insists on algorithmically generating the RID from the UID, so the
   Windows user, after migration, gets a new SID and loses contact with
   their local profile.  In fact, they seem to be an entirely different
   user, with a new SID and new profile directory.
 
  If you used a 'real' passdb backend, like ldapsam and tdbsam, then
  this should 'just work'.

 Thanks, but it doesn't.  I looked up tdbedit and the HOWTO and did
 the following:

; added this to smb.conf
passdb backend = tdb

Try:
passdb backend = tdbsam


# ran this:
# pdbedit -i smbpasswd

Try:
pdbedit -i smbpasswd -e tdbsam

It helps if you tell it which backend to migrate to.


 Now, if I look at the table with pdbedit:

   # pdbedit -L -u bilbo
   bilbo:1112:Bilbo Baggins

That's likely derived from smbpasswd, not from tdbsam since you did not
specify a tdbsam. Samba has no idea what to do with:

passdb backend = tdb

I'm surprised you got no error messages in the log files. Did you check
the logs?


 That looks good, but when I query via rpcclient for the RID, it's still
 3224, which is the value returned by the algorithmic mapping (1112 * 2 + 1000).

 If I run tdbdump | grep -C2 bilbo I see this:

   {
   key = RID_0c98\00
   data = bilbo\00
   }

You have not provided enough information to comment on this. The tdbdump
command should be passed the name of a tdb file. Your example does not do
that.


 0xc98 is 3224.  It looks like the algorithmic mapping happened when I
 ran pdbedit -i.  Even if I use pdbedit -u bilbo -U sid-string-1112,
 the stored value in the TDB is still 0xc98.  Clearly, something is
 enforcing the mapping on the way into or out of the TDB backend.

I can not figure out what you are trying to do here. Have you read any of
the command man pages?


 Are you sure this is supposed to just work?


Sorry, I am not sure what you mean by that.


- John T.
-- 
John H Terpstra


Re: [Samba] matching UIDs to RIDs when converting from Windows to Samba

2004-03-15 Thread Ed Ravin
I'd like to just say in advance that I really appreciate the responses
received so far, especially the patience with what looks to you like dumb
typos on my part.

  Thanks, but it doesn't.  I looked up tdbedit and the HOWTO and did
  the following:
 
 ; added this to smb.conf
 passdb backend = tdb
 
 Try:
   passdb backend = tdbsam

Actually, I think that's what I did do, that was a cut-and-paste error
in the original email.

 # ran this:
 # pdbedit -i smbpasswd
 Try:
   pdbedit -i smbpasswd -e tdbsam
 
 It helps if you tell it which backend to migrate to.

If my first attempt didn't work, why did /etc/samba/passdb.tdb get
populated?  No matter, I tried again with the syntax as shown above,
same results.

  Now, if I look at the table with pdbedit:
 
# pdbedit -L -u bilbo
bilbo:1112:Bilbo Baggins
 
 That's likely derived from smbpasswd, not from tdbsam since you did not
 specify a tdbsam.

Nope, it's not coming from smbpasswd, I renamed it after the import.

  # strace -e open pdbedit -L -u bilbo
  ...
  open(/pkg/samba-3.0.2a/usr/lib/samba/valid.dat, O_RDONLY) = 3
  open(/pkg/samba-3.0.2a/etc/samba/passdb.tdb, O_RDONLY) = 3
  open(/pkg/samba-3.0.2a/etc/samba/secrets.tdb, O_RDWR|O_CREAT, 0600) = 4
  open(/etc/nsswitch.conf, O_RDONLY)= 3
  open(/etc/ld.so.cache, O_RDONLY)  = 3
  open(/lib/libnss_files.so.2, O_RDONLY) = 3
  open(/etc/passwd, O_RDONLY)   = 3
  bilbo:1112:Bilbo Baggins

As you can see, it's opening passdb.tdb.  I see it's also opening
/etc/passwd, which is a little suspicious.  Perhaps that's where it's
getting the 1112 value from?

  If I run tdbdump | grep -C2 bilbo I see this:
 
{
key = RID_0c98\00
data = bilbo\00
}

 You have not provided enough information to comment on this. The tdbdump
 command should be passed the name of a tdb file. Your example does not do
 that.

Typo again, that was really tdbdump /etc/samba/passdb.tdb | grep -C2 bilbo

  0xc98 is 3224.  It looks like the algorithmic mapping happened when I
  ran pdbedit -i.  Even if I use pdbedit -u bilbo -U sid-string-1112,
  the stored value in the TDB is still 0xc98.  Clearly, something is
  enforcing the mapping on the way into or out of the TDB backend.

 I can not figure out what you are trying to do here.

You must have missed the first message in this thread.  I'm trying to
force the user RIDs to particular values in the range 1000-1200 in order
to have a seamless migration from an existing Win2k server acting as PDC
for a handful of clients.  I started by naively making sure all the UIDs
on the Unix box matched the RIDs in the Windows domain, but since Samba
insists on remapping the RIDS to avoid potential collision with Windows
users, that didn't work.  Andrew Bartlett responded with:

 If you used a 'real' passdb backend, like ldapsam and tdbsam, then
 this should 'just work'.

Hence my current line of investigation.

 Have you read any of the command man pages?

Yes, lots of them.  And big chunks of the HOWTOs.  I'm also reading
the source code for pdbedit to try figure out where the transformation
is taking place.  Is it worth trying to use tdbtool to change the
values in passdb.tdb to what I want?

Thanks,

-- Ed



RE: [Samba] ldap auth no longer works with upgrade from 3.0-3.0.2?

2004-03-15 Thread John H.

but the following account has the same problem, they cannot log in either, yet look at 
their ldap entry...


dn: uid=mkt1,ou=People,dc=INTRANET
shadowLastChange: 12418
sambaSID: S-1-5-21-4070452498-3149834983-2923667569-2010
sambaPrimaryGroupSID: S-1-5-21-4070452498-3149834983-2923667569-1201
displayName: display name
sambaPwdCanChange: 1075505065
sambaPwdLastSet: 1075505065
sambaAcctFlags: [U  ]
sambaNTPassword: E886B7AADD4D342F9F2AFA2C8A06E901
gecos: Larry Fannaly
sambaLMPassword: FEDE57F19EE96EDEAAD4B435B51404EE
loginShell: /bin/bash
uid: mkt1
uidNumber: 505
gidNumber: 100
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: phpgwAccount
objectClass: sambaSamAccount
homeDirectory: /home/mkt1
cn: first last
sambaPwdMustChange: 2147483647
userPassword:: e1NNRDV9dVzSZnl4UlZrYnRSampvOEtqZ3FXeFhJOHE4PQ==
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1





[Samba] Re: M$ W2K Clients get requests to change samba password -- PDC is a samba 2.2.8a

2004-03-15 Thread JustFillBug
On 2004-03-15, M. D. Parker [EMAIL PROTECTED] wrote:

 At times, users get a message that their password expires in XX days and
 if they would like to change them.

 The smbpasswd file for all user entries are marked with the flags 'UX'
 meaning of course the password NEVER expires.

 I have verified that the RH shadow passwords (should not be used) are set to
 never expire.  And obey pam restrictions=no.


Yes, it is very hard to find out how to change expire date on the net.
Bad document or document organization on Samba.

You have to use 'pdbedit' to control that. And this should be in FAQ.
All the talk about shadow password and pam are misleading.




RE: [Samba] ldap auth no longer works with upgrade from 3.0-3.0.2?

2004-03-15 Thread John H.


Ah, the problem was the users still had the phpgw object, despite me uninstalling 
phpgw/egw.  I removed the object from the user, and it works fine.






Re: [Samba] matching UIDs to RIDs when converting from Windows to Samba

2004-03-15 Thread Andrew Bartlett
On Mon, Mar 15, 2004 at 10:27:29PM -0500, Ed Ravin wrote:
 I'd like to just say in advance that I really appreciate the responses
 received so far, especially the patience with what looks to you like dumb
 typos on my part.
 
   0xc98 is 3224.  It looks like the algorithmic mapping happened when I
   ran pdbedit -i.  Even if I use pdbedit -u bilbo -U sid-string-1112,
   the stored value in the TDB is still 0xc98.  Clearly, something is
   enforcing the mapping on the way into or out of the TDB backend.
 
  I can not figure out what you are trying to do here.
 
 You must have missed the first message in this thread.  I'm trying to
 force the user RIDs to particular values in the range 1000-1200 in order
 to have a seamless migration from an existing Win2k server acting as PDC
 for a handful of clients.  I started by naively making sure all the UIDs
 on the Unix box matched the RIDs in the Windows domain, but since Samba
 insists on remapping the RIDS to avoid potential collision with Windows
 users, that didn't work.  Andrew Bartlett responded with:
 
  If you used a 'real' passdb backend, like ldapsam and tdbsam, then
  this should 'just work'.
 
 Hence my current line of investigation.
 
  Have you read any of the command man pages?
 
 Yes, lots of them.  And big chunks of the HOWTOs.  I'm also reading
 the source code for pdbedit to try figure out where the transformation
 is taking place.  Is it worth trying to use tdbtool to change the
 values in passdb.tdb to what I want?

The problem is that you are trying to be a little too smart about it
all. If you had followed the instructions in the HOWTO, you would have
run 'net rpc vampire' into tdbsam, or ldapsam.  As soon as you touch
smbpasswd, the data is lost and the game is up.

Redo your migration into tdbsam, and things should work a lot better.

Andrew  Bartlett


Re: [Samba] matching UIDs to RIDs when converting from Windows to Samba

2004-03-15 Thread Ed Ravin
On Tue, Mar 16, 2004 at 04:23:00AM +, Andrew Bartlett wrote:
 The problem is that you are trying to be a little too smart about it
 all. If you had followed the instructions in the HOWTO, you would have
 run 'net rpc vampire' into tdbsam, or ldapsam.

I tried that originally, but using the smbpasswd backend.  And this
marvelous gem of wisdom:

 As soon as you touch
 smbpasswd, the data is lost and the game is up.

isn't in the HOWTO file yet :-).

 Redo your migration into tdbsam, and things should work a lot better.

Thanks, will give it a go!

-- Ed

-- 
eravin@|   Grief can take care of itself; but to get the full
panix.com  |   value of a joy you must have somebody to divide it with.
   |   -- Mark Twain
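
The RID arithmetic from this thread, as an added example (not code from Samba or from any poster): it parses the RID_ index records in the tdbdump layout quoted above and reports which accounts would come out of the migration with a different SID than they had in the old domain. The dump text, the UID and RID tables and the domain SID are constructed sample values, and the helper names are hypothetical.

```python
import re

RID_BASE = 1000        # base used in the thread: 1112 * 2 + 1000 = 3224
RID_MULTIPLIER = 2
RID_KEY_RE = re.compile(r"RID_([0-9a-fA-F]+)(?:\\00)?")

# Constructed sample in the tdbdump layout quoted in the thread.
SAMPLE_DUMP = r"""
{
key = USER_bilbo\00
data = \00\00\00\00
}
{
key = RID_0c98\00
data = bilbo\00
}
{
key = RID_0459\00
data = frodo\00
}
"""
# Constructed inputs: Unix UIDs, the RIDs held in the old Windows domain,
# and a placeholder domain SID.
UNIX_UIDS = {"bilbo": 1112, "frodo": 1113, "sam": 1114}
WINDOWS_RIDS = {"bilbo": 1112, "frodo": 1113, "sam": 1114}
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def algorithmic_user_rid(uid, base=RID_BASE):
    """RID produced by the algorithmic mapping described in the thread."""
    return uid * RID_MULTIPLIER + base


def uid_from_algorithmic_rid(rid, base=RID_BASE):
    """Invert the user formula; None if the RID cannot come from it."""
    offset = rid - base
    if offset < 0 or offset % RID_MULTIPLIER:
        return None
    return offset // RID_MULTIPLIER


def _strip_nul(value):
    # tdbdump prints the trailing NUL byte as the three characters \00
    return value[:-3] if value.endswith("\\00") else value


def parse_rid_index(dump_text):
    """Return {username: rid} from the RID_<hex> records of a dump."""
    rids, key = {}, None
    for raw in dump_text.splitlines():
        line = raw.strip()
        if line.startswith("key ="):
            key = line.split("=", 1)[1].strip()
        elif line.startswith("data =") and key is not None:
            match = RID_KEY_RE.fullmatch(key)
            if match:  # USER_ and other record types are skipped
                user = _strip_nul(line.split("=", 1)[1].strip())
                rids[user] = int(match.group(1), 16)
            key = None
    return rids


def audit(dump_text, unix_uids, windows_rids, domain_sid):
    """Map each user to (status, old SID, SID stored in the tdb or None)."""
    stored = parse_rid_index(dump_text)
    report = {}
    for user, wanted in sorted(windows_rids.items()):
        rid, uid = stored.get(user), unix_uids.get(user)
        if rid is None:
            status = "missing"
        elif rid == wanted:
            status = "preserved"
        elif uid is not None and rid == algorithmic_user_rid(uid):
            status = "algorithmic"   # SID changed: the local profile no longer matches
        else:
            status = "changed"
        new_sid = None if rid is None else f"{domain_sid}-{rid}"
        report[user] = (status, f"{domain_sid}-{wanted}", new_sid)
    return report


if __name__ == "__main__":
    for user, row in audit(SAMPLE_DUMP, UNIX_UIDS, WINDOWS_RIDS, DOMAIN_SID).items():
        print(user, *row)
```
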


Re: [Samba] Re: M$ W2K Clients get requests to change samba password -- PDC is a samba 2.2.8a

2004-03-15 Thread parkerm
Ahh... there is no pdbedit in Samba 2.2.8a

Mike

On 16 Mar 2004 at 3:36, JustFillBug wrote:

 On 2004-03-15, M. D. Parker [EMAIL PROTECTED] wrote:
 
  At times, users get a message that their password expires in XX days and
  if they would like to change them.
 
  The smbpasswd file for all user entries are marked with the flags 'UX'
  meaning of course the password NEVER expires.
 
  I have verified that the RH shadow passwords (should not be used) are set to
  never expire.  And obey pam restrictions=no.
 
 
 Yes, it is very hard to find out how to change expire date on the net.
 Bad document or document organization on Samba.
 
 You have to use 'pdbedit' to control that. And this should be in FAQ.
 All the talk about shadow password and pam are misleading.
 
 





Re: [Samba] M$ W2K Clients get requests to change samba password -- PDC is a samba 2.2.8a

2004-03-15 Thread parkerm
Please explain further. There are no policies implemented and we
use a samba 2.2.8a PDC.

If you are talking something on the local machine, please be 
advised that it has seemed endemic to a specific couple of users 
even after the physical machines have been swapped out.

Mike

On 15 Mar 2004 at 19:38, Craig White wrote:

 On Mon, 2004-03-15 at 16:39, M. D. Parker wrote:
  I am seeing an intermittent problem that bugs just a few people,
  infrequently.
  We use a Linux RH8 / Samba 2.2.8a PDC and the clients are W2K SP3 systems
  with current M$ patches.
  
  At times, users get a message that their password expires in XX days and
  if they would like to change them.
  
  The smbpasswd file for all user entries are marked with the flags 'UX'
  meaning of course the password NEVER expires.
  
  I have verified that the RH shadow passwords (should not be used) are set to
  never expire.  And obey pam restrictions=no.
 
 sounds to me like a local policy issue
 
 Craig
 




