date:20041117

Paul Gienger wrote:

As I'm logged onto that workstation as an Administrator (Administrator 
of that PC, not logged into a domain), I get something like that into 
the logs - when I double click on a Server icon in a Network 
Neighbourhood:

Sounds like you want to be dealing with the guest parameters. Just off 
the top of my head, you can try setting guest ok = yes, then you need a 
guest account to map the username to so that samba stays sane.  You 
could try either setting up a guest and putting that into the guest 
account = directive or using any user that has permissions on the 
share.  And of course make sure it's read only, which I believe you've 
already done.

Tada!
OK, so I added these two lines to the [global] section of smb.conf:
guest account = dupa
null passwords = yes
and matched Administrator to this user dupa in smbusers:
dupa = administrator
and it works!
Now I have to "reconfigure" it a bit, because Administrator is used for 
other purposes like joining domain here... :)

Tomek
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] winbind: authenticating UNIX user before Win Domain user

2004-11-17 Thread Greg Chavez

We have a samba 3.0.7 server on RHEL-3 (rain) joined as a domain
member (security = domain) to a win2k pdc (clouds) for the domain DOM.
 We have several unix users and two Win-only users.  The unix users
have matching AD accounts on the win2k, but the Win-only users do not
have unix accounts (and we want to keep it that way).  So, it seemed
that winbind would be the best way to bridge the gap:

1.  UNIX users could access shares on the samba server in the same way
whether logged on to windows workstation or the samba server itself
2.  Files created on the shares would be controlled via permissions
for UNIX users and groups.
3.  Win users would not need to have UNIX accounts created, but could
access the samba shares as easily as the UNIX users.
4.  Home directories and profiles will be pulled from the samba server.

It works well exept that winbind does not authenticate the UNIX users
as expected when they logon from Windows.  For example: from Windows
workstation, I log on as "gchavez".  There is a UNIX user on the samba
server "gchavez" which I expect winbind to authenticate against when I
try to access the samba shares.  This does not happen.  Instead,
winbind authenticates against the win2k server with my Win account,
DOM+gchavez, and things don't work (although it does manage to map my
home directory correctly).

Consequently, I come in with Windows group permissions (DOM+Domain
Users) and cannot access the shares protected with UNIX group
permissions.  I am trying to keep this message short, but these
command line vitals should tell the rest of the story.

shell> tesparm -sv 
[global]
workgroup = DOM
security = DOMAIN
passdb backend = tdbsam
username map = /etc/samba/smbusers
log level = 2
client use spnego = No
preferred master = No
local master = No
domain master = No
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
valid users = +users, "DOM+Domain Users"
force group = +users
read only = No
create mask = 0660
directory mask = 01770

[homes]
comment = "DOM Home Directories"
path = /usera/home/%U/winhome
create mask = 0600
directory mask = 0740
browseable = No

[docs]
comment = "Product Documentation - full access"
path = /usera/docs

[programs]
comment = "Shared Programs - full access"
path = /usera/programs

[backups]
comment = "Backups"
path = /usera/backups

[projects]
comment = "Project Files - full access"
path = /usera/projects

[proj_psc]
comment = "PSC Project - restricted"
path = /usera/projects/psc
valid users = +psc
force group = +psc


shell> getent passwd | grep gchavez
gchavez:x:503:503:Greg Chavez:/home/gchavez:/bin/bash
DOM+gchavez:x:10007:1:Greg Chavez:/home/OSDS/gchavez:/bin/false

** this happens when I try to access my homes share from windows, the 
shares are chmod'd with full permission so I can get in ***
shell> tail /var/log/samba/smb.log
[2004/11/17 15:09:12, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [gchavez] -> [gchavez]
-> [DOM+gchavez] succeeded
[2004/11/17 15:09:14, 2] smbd/uid.c:change_to_user(202)
  change_to_user: SMB user  (unix user nobody, vuid 101) not permitted
access to share IPC$.
[2004/11/17 15:09:14, 0] smbd/service.c:make_connection_snum(570)
  Can't become connected user!
[2004/11/17 15:09:14, 1] smbd/service.c:make_connection_snum(648)
  sunfish (xx.93.106.16) connect to service gchavez initially as user
DOM+gchavez (uid=10007, gid=1) (pid 3312)

# net groupmap list | grep users
Domain Users (S-1-5-21-1316288518-2476102628-626236970-513) -> users   

# grep winbind /etc/nsswitch.conf
passwd: files winbind
group:  files winbind

Thanks
--Greg Chavez
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba PDC with shares accessible for not logged users - how?


As I'm logged onto that workstation as an Administrator (Administrator 
of that PC, not logged into a domain), I get something like that into 
the logs - when I double click on a Server icon in a Network 
Neighbourhood:
Sounds like you want to be dealing with the guest parameters. Just off 
the top of my head, you can try setting guest ok = yes, then you need a 
guest account to map the username to so that samba stays sane.  You 
could try either setting up a guest and putting that into the guest 
account = directive or using any user that has permissions on the 
share.  And of course make sure it's read only, which I believe you've 
already done. 

--
--
Paul GiengerOffice: 701-281-1884
Applied Engineering Inc.
Systems Architect   Fax:701-281-1322
URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba PDC with shares accessible for not logged users - how?

Paul Gienger wrote:

this directory shouldn't be writable, so I have it now like that:
[wpkg]
  comment = Windows Packager
  path = /home/samba/wpkg
  read only = yes
  browseable = yes
  valid users = nobody, unattended, guest
  guest ok = Yes
  public = Yes
but as the server is a domain controller, it prompts for a 
username/password even if I just click on its icon (from win2k 
workstation).

Most likely it's prompting you for a user/pass because you're not coming 
in as a valid user for the server.
Indeed it's the case.
But I want every user to be able to browse this share - but this is not 
possible as it seems that to access this share I have to access server 
first (as a valid user).

As I'm logged onto that workstation as an Administrator (Administrator 
of that PC, not logged into a domain), I get something like that into 
the logs - when I double click on a Server icon in a Network Neighbourhood:

  check_ntlm_password:  Checking password for unmapped user 
[EMAIL PROTECTED] with the new password interface
[2004/11/17 21:05:57, 3] auth/auth.c:check_ntlm_password(222)
(...)
  check_ntlm_password:  Authentication for user [Administrator] -> 
[root] FAILED with error NT_STATUS_WRONG_PASSWORD

If I try to access it from Explorer like \\server\myshare - Windows 
complains that there is no such object (?), with Samba logs similar to 
above.


What do you mean by "force user"?

Force user means, in a nutshell: Make it look like I'm this guy, where 
thisguy is the user named in the force user line.  You still need to be 
a valid authenticated user before going to said share. From the man page:
So this is rather useful for me, right (as I have to still supply password).
Any more hints?
Tomek
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba PDC with shares accessible for not logged users - how?


this directory shouldn't be writable, so I have it now like that:
[wpkg]
  comment = Windows Packager
  path = /home/samba/wpkg
  read only = yes
  browseable = yes
  valid users = nobody, unattended, guest
  guest ok = Yes
  public = Yes
but as the server is a domain controller, it prompts for a 
username/password even if I just click on its icon (from win2k 
workstation).
Most likely it's prompting you for a user/pass because you're not coming 
in as a valid user for the server. 

This workstation already has a machine account.
Doesn't really matter for simple file access. Does matter for logging 
into the domain from said machine.

What do you mean by "force user"?
Force user means, in a nutshell: Make it look like I'm this guy, where 
thisguy is the user named in the force user line.  You still need to be 
a valid authenticated user before going to said share. From the man page:

This specifies a UNIX user name that will be assigned as the default 
user for all users connecting to this service. This is useful for 
sharing files. You should also use it carefully as using it incorrectly 
can cause security problems.

This user name only gets used once a connection is established. Thus 
clients still need to connect as a valid user and supply a valid 
password. Once connected, all file operations will be performed as the 
"forced user", no matter what username the client connected as. This can 
be very useful.

In Samba 2.0.5 and above this parameter also causes the primary group of 
the forced user to be used as the primary group for all file activity. 
Prior to 2.0.5 the primary group was left as the primary group of the 
connecting user (this was a bug).



Any more hints?
Tomek

--
--
Paul GiengerOffice: 701-281-1884
Applied Engineering Inc.
Systems Architect   Fax:701-281-1322
URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] More compile problems with Samba 3.0.8a...

2004-11-17 Thread Kevin Statz

Thank for your help everyone!  I did get Samba compiled and upgraded and 
running fine on my test machine.  I plan on upgrading production this 
evening (still running the sunfreeware.com package of 3.0.2a) to 3.0.8a 
tonight.  Problem is I have compile errors on one machine.  The other two 
have worked fine.  The one that is having problems is a Solaris 8 machine.

The error when compiling is:
bash-2.03# make
Using FLAGS =  -O -I./popt -Iinclude 
-I/f1/kls/samba/samba-3.0.8/source/include 
-I/f1/kls/samba/samba-3.0.8/source/ubiqx 
-I/f1/kls/samba/samba-3.0.8/source/smbwrapper  -I. -D_LARGEFILE_SOURCE 
-D_REENTRANT -D_FILE_OFFSET_BITS=64 -I/f1/kls/samba/samba-3.0.8/source
  LIBS = -lsendfile -lsec -lgen -lresolv -lsocket -lnsl -ldl
  LDSHFLAGS = -G  -lthread
  LDFLAGS = -lthread
Compiling dynconfig.c
Compiling smbd/vfs.c
Compiling passdb/pdb_interface.c
Compiling lib/iconv.c
Compiling auth/auth.c
Compiling smbd/build_options.c
Compiling smbd/server.c
Linking bin/smbd
/usr/ccs/bin/ld: illegal option -- E

Probably something simple.  I did the configure with the option of 
--with-included-popt so I would not have to set the LD_Library_Path in the 
startup script.

Please help!
Thanks in advance!
~Kevin

==
Kevin L. Statz
University of Chicago Press
Unix Systems Administration
773-702-7651
==
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba PDC with shares accessible for not logged users - how?

MaTT wrote:
Tomek, did you checked if using force user, and setting read only=no, 
and having a machine account in the samba for the machine where the 
program runs, work? just guessing!
this directory shouldn't be writable, so I have it now like that:
[wpkg]
  comment = Windows Packager
  path = /home/samba/wpkg
  read only = yes
  browseable = yes
  valid users = nobody, unattended, guest
  guest ok = Yes
  public = Yes
but as the server is a domain controller, it prompts for a 
username/password even if I just click on its icon (from win2k workstation).

This workstation already has a machine account.
What do you mean by "force user"?
Any more hints?
Tomek
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Can join domain; can't logon

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
i am having a similar problem when using samba 3.0.7 and LDAP.  i get
the same error message, but on random machines at random times.
for instance, my (other) workstation was working just fine.  i rebooted
and was unable to log back into the domain (same error you were having).
~ it was working just a few minutes earlier.  nothing had changed on the
entry in LDAP at all, but to be sure, i removed the LDAP entry, and
added it back again.  i still was unable to log in.
so, i logged in locally as myself, changed my settings from using a
domain to using a workgroup (same name).  when i was welcomed to the
workgroup, i went back in and changed it back to domain.  i used the
administrator username/password to add the machine back to the domain,
logged out and back into the domain, and it's been fine ever since.
i did have this problem spring up on two more computers today.  they
were working fine, then *poof*.  everything has been working fine for
over a month, then these things started happening.
so any help you or anyone else reading this may be able to provide would
be greatly appreciated (i know that Daniel Gapinski on this list is
having the same problem as well, but non-LDAP).
regards,
nb
Chris St. Pierre thus spake on 10/05/2004 11:24 AM:
| I had a problem similar to my current one a week or so ago, and I was
| encouraged to upgrade from Samba 2.2.9 to 3.0.7, which I did.  Now
| that I've completed that nightmare, the problem I initially set out to
| fix is still there, just different.  Namely:
|
| I am trying to set up Samba 3.0.7 on a SuSE 9.1 box as an LDAP PDC
| whose only job will be authentication.  Our LDAP server is on a
| separate box.  I can join the domain just fine, but when I try to
| login via Windows, I get the following error:
|
| "The system cannot log you on to this domain because the system's
| computer account in its primary domain is missing or the password on
| that account is incorrect."
|
| I suspected that neither of these were the case, as I created the
| account with idealx's smbldap-tools.  I verified that the account is
| there with ldapsearch.  Last time I had this problem, Samba wasn't
| even communicating with LDAP, but this time it is.  When I try to
| login, here's what the LDAP logs show:
|
| [05/Oct/2004:10:03:52 -0500] conn=53576 op=7 SRCH
| base="o=nebrwesleyan.edu,o=isp" scope=2
| filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
| uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
| sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
| displayName sambaHomeDrive sambaHomePath sambaLogonScript
| sambaProfilePath description sambaUserWorkstations sambaSID
| sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
| objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
| sambabadpasswordtime sambapasswordhistory modifyTimestamp
| sambalogonhours modifyTimestamp"
| [05/Oct/2004:10:03:52 -0500] conn=53576 op=8 SRCH
| base="o=nebrwesleyan.edu,o=isp" scope=2
| filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
| uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
| sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
| displayName sambaHomeDrive sambaHomePath sambaLogonScript
| sambaProfilePath description sambaUserWorkstations sambaSID
| sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
| objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
| sambabadpasswordtime sambapasswordhistory modifyTimestamp
| sambalogonhours modifyTimestamp"
|
| It searches twice for the machine trust account, which I've verified
| exists.  The only thing I can think of is that not all of the
| attributes it's asking for exist.  (In fact, a lot of them don't.)  As
| you can see in the attached nmbd log, though, Samba doesn't show any
| obvious errors.  I've also included my smb.conf (with some changes to
| protect my server's innocence).  Any ideas are greatly appreciated.
| Thanks.
|
| Chris St. Pierre
| Unix Systems Administrator
| Nebraska Wesleyan University
| 402.465.7549
|
|
| 
|
| [global]  
| server string = test
| workgroup = NWU_TEST
| netbios name = TESTERATOR
|
| log level = 1
| encrypt passwords = yes
| max smbd processes = 0
| socket options = TCP_NODELAY
|
| add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
|
| logon script = scripts\logon.bat  
| logon path = \\%L\profiles\%U 
|
| domain logons = yes
| local master = yes
| preferred master = yes
| wins server = 10.9.1.12
| security = user
|
| passdb backend = ldapsam:ldap://server.nebrwesleyan.edu
| ldap suffix = o=nebrwesleyan,o=edu
| ldap machine suffix = ou=Machines
| ldap user suffix = ou=People
| ldap group suffix = ou=Groups
| ldap filter = (uid=%u)
| ldap admin dn = cn=foo
| ldap ssl = no
|
| idmap uid = 1-2
| idmap gid = 1

Re: [Samba] Intermittent failed logon for one computer

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
hi Dan,
i too am having the same problems with 3.0.7.  things have been
functioning fine for over a month when my (other) workstation gave me
the same error.  my only difference is i am using LDAP to store all the
~ information.
zero changes had been made to my workstation's LDAP entry when this
happened.  i logged in as myself locally (instead of domain logon),
changed network settings from domain to workgroup (i kept the same
name).  once i was welcomed to the workgroup, i went back in and changed
it back to domain.  i then used the admin username/password to add
myself back to the domain.  i have had no problems with my workstation
since then.
i thought it might be some random occurance until two other people had
the same problem today.  so, like you i am on a quest for answers.  i
will certainly let you know if/when i figure out what is going on.
so to those reading this, any ideas/suggestions would be most welcome.
regards,
nb
P.S. - i am not running ncsd, i don't even have it installed.
Daniel Gapinski thus spake on 10/18/2004 11:32 AM:
| Hello,
|
| We have been using Samba 3.0.7 for almost a month now, and today marks
| the second time that I see a machine (one out of twelve on our network"
| that gives this error when I log in:
|
|  "The system cannot log you on to this domain because the system's
| computer account in its primary domain is missing or the password on
| that account is incorrect."
|
| Last time this happened, I thought it might be a problem with that
| computer needing to be removed and then rejoined to the domain, which
| didn't work (the user still was not able to log on), and then half an
| hour later, the user could log on again.
|
| Can anybody tell me what might be wrong - on other posts it looks like a
| problem with the guest account (nobody), but specifying the nobody
| account as guest doesn't seem to help (though I did check to make sure
| that a nobody account in fact existed).
|
| I should mention that the 2 computers that had this problem are on a
| subnet (192.168.1.0). I am sending my smb.conf as a post script. Thanks
| for your help!!!
|
| My best,
| Dan Gapinski
|
| [global]
| ;
| ;+ Server Settings  +
| ;
|  workgroup = QUASAR
|  netbios name = Jupiter
|  server string = QSI Office Server %v
|  hosts allow = 192.168.1. 192.168.0. 192.168.2. 192.168.3. 192.168.4.
| 127.0.0.1
|  log level = 2
|  log file = /var/log/samba/%m.log
|  max log size = 0
|  time server = yes
|
| ;
| ;+ Domain Settings  +
| ;
|  os level = 35
|  domain logons = yes
|
| ;
| ;+ Browse Settings  +
| ;
|  domain master = yes
|  local master = yes
|  preferred master = yes
|  remote browse sync = 192.168.1.255 192.168.2.255 192.168.3.255
| 192.168.4.255
|  remote announce = 192.168.1.255 192.168.2.255 192.168.3.255
| 192.168.4.255
|
| ;
| ;+ WINS Settings  +
| ;
|  wins support = yes
|  guest ok = yes
|  dns proxy = no
|
| ;
| ;+ User and Security Settings   +
| ;
|  logon drive = z:
|  logon home =
|  logon path =
|  encrypt passwords = yes
|  smb passwd file = /etc/samba/smbpasswd
|  username map = /etc/samba/smbusers
|  min password length = 3
|  guest account = nobody
|
| ;++
| ;+ added 10-Sep-2003 for file server support  +
| ;++
| # admin users = @public
|  nt acl support = yes
|  security mask = 0777
|  force security mode = 0
|  directory security mask = 0777
|  force directory security mode = 0
|
| ;++
| ;+ Management Scripts   +
| ;++
|  add user script = /usr/sbin/useradd -m %u
|  delete user script = /usr/sbin/userdel -r %u
|  add group script = /usr/sbin/groupadd %g
|  delete group script = /usr/sbin/groupdel %g
|  add user to group script = /usr/sbin/usermod -G %g %u
|  add machine script = /usr/sbin/useradd -d /dev/null -g machines -s
| /bin/false -M %u
|
| ;++
| ;+ Logon Scripts   +
| ;++
| # NOTE: SAMBA CAN ONLY RUN ONE SCRIPT AT A TIME!
| # run a general logon batch file for everyone
|  logon script = logon.bat
| # run a specific logon batch file per workstation (machine)
| #logon script = %m.bat
| # run a specific logon batch file per username
| #logon script = %U.bat
|
| ;++
| ;+ General Share Settings +
| ;++
|  preserve case = yes
|  short preserve case = no
|  default case = lower
|  case sensitive = no
|
| (then the share settings...)
- --
Nathan Benson
http://sourcefire.com/
1C1A F2C1 82AD F75F 9B6B  E501 0D73 DC9B E96B DD96
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBm6TEDXPcm+lr3ZYRAjaoAJ0RTBM6

Re: [Samba] authentication against win2k3 server

2004-11-17 Thread Carissa Srugis

OK, I've tried to get a kerberos ticket, without success.  I generated
the w2k3 keytab, then integrated into the freebsd machine via the
ktutil command.

I tried to use the kinit [EMAIL PROTECTED] but got this error:

secureschool# kinit [EMAIL PROTECTED]
FreeBSD Inc. (freebsd.newdomain.com)
Kerberos Initialization for "[EMAIL PROTECTED]"
Password:
kinit: Can't send request (send_to_kdc)

Here's the krb5.conf file:

[libdefaults]
default_realm = DOMAIN.LOCAL
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_keytab-name = FILE:/usr/src/crypto/heimdal/freebsd_mchine.keytab
clockskew = 300

[realms]
ANDLESS.LOCAL = {
kdc= WIN2K3.DOMAIN.LOCAL
admin_server = WIN2K3.DOMAIN.LOCAL
default_domain = DOMAIN.LOCAL
}
[domain_realm]
.DOMAIN.LOCAL = DOMAIN.LOCAL

The one thing I noticied is I do not have a krb5.conf in /etc or
anywhere else on my system.  Should thisfile be there already, or do I
have to manually create it?

Thanks for the help!
Carissa Srugis




On Tue, 16 Nov 2004 13:29:20 -0800, Tom Skeren <[EMAIL PROTECTED]> wrote:
> Carissa Srugis wrote:
>
> >I've been trying to setup Samba to authenticate users against accounts
> >existing on a Windows 2003 Server without any backwards capability.
> >Ideally, this needs to be done without any changes to the Windows 2003
> >Server.  Users will not be logging into the Samba shares at all.  This
> >is merely for authentication.
> >
> >
> OK, well, try getting a kerberos ticket first.
>
> kinit [EMAIL PROTECTED]
> If you get a valid ticket, you can just do net ads join -U
> Administrator, no need for pw.
>
> If no kerberos ticket, then you've got a krb5.conf issue.
>
> Heimdal requires these lines:
>
> default_etypes  = des-cbc-crc des-cbc-md5
>  default_etypes_des = des-cbc-crc des-cbc-md5
>
> You also might need to have the w2k3 generate a keytab for you.  If so you 
> need this line as well.
>
>  default_keytab-name = FILE:/etc/krb5.keytab
>
>
>
>
> >I'm running FreeBSD 4.10-Relase #4 with Samba 3.0.8.
> >
> >This is my smb.conf file:
> >[global]
> >  realm = WIN2K3.DOMAIN.LOCAL
> >  security = ads
> >  auth methods = winbind
> >  winbind separator = +
> >  encrypt passwords = yes
> >  workgroup = DOMAIN.LOCAL
> >  netbios name = FREEBSD_Machine
> >  winbind uid = 1-2
> >  winbind gid = 1-2
> >  winbind enum users = yes
> >  winbind enum groups = yes
> >  idmap uid = 1-2
> >  idmap gid = 1-2
> >  password server = WIN2K3.DOMAIN.LOCAL
> >
> >So once winbindd is running, I type the following and get these results:
> >
> >freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
> >administrator's password: *password*
> >[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
> >  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
> >  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
> >  ads_connect: Permission denied
> >
> >In the winbindd log I've also gotten the following error messages at
> >one point or another:
> >
> >Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
> >Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
> >get_trust_pw: could not fetch trust account password for my domain 
> >DOMAIN.LOCAL
> >
> >The odd part is when I try to use wbinfo to verify connections.  If I
> >type "wbinfo -g" it will display the correct group listing from the
> >win2k3 server.  But nothing else seems to work:
> >
> >freebsd_machine# wbinfo -t
> >checking the trust secret via RPC calls failed
> >error code was NT_STATUS_INTERNAL_ERROR (0xc0e5)
> >Could not check secret
> >
> >freebsd_machine# wbinfo -u
> >Error looking up domain users
> >
> >freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
> >Name  : WIN2K3.DOMAIN.LOCAL
> >Alt_Name  : DOMAIN.LOCAL
> >SID   : S-0-0
> >Active Directory  : No
> >Native: No
> >Primary   : Yes
> >Sequence  : -1
> >
> >I'm obviously missing something, but I am at a loss.  Any help is
> >greatly appreciated!
> >
> >Carissa Srugis
> >
> >
> >
> >
>
>

--
*
Carissa Srugis
[EMAIL PROTECTED]
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] fix for libldap configure error when using openldap on FreeBSD

2004-11-17 Thread Adam Laurie

i have seen several reports of the following problem:
  ./configure --with-ldap --with-krb5=/usr/heimdal --with-ads 
--config-cache --with-pam
  [snip]
  checking for LDAP support... yes
  checking ldap.h usability... yes
  checking ldap.h presence... yes
  checking for ldap.h... yes
  checking lber.h usability... yes
  checking lber.h presence... yes
  checking for lber.h... yes
  checking for ber_scanf in -llber... yes
  checking for ldap_init in -lldap... no
  checking for ldap_domain2hostlist... no
  checking for ldap_set_rebind_proc... no
  checking whether ldap_set_rebind_proc takes 3 arguments... 3
  checking for ldap_initialize... no
  configure: error: libldap is needed for LDAP support

despite libldap being present and correct. in my case (FreeBSD 5.2.1), 
this turned out to be a crypto library problem as well as the more 
obvious path issues, and the fix is:

  CFLAGS=-I/usr/local/include CPPFLAGS=-I/usr/local/include 
LDFLAGS="-lcrypto -L/usr/local/lib" ./configure --with-ldap 
--with-krb5=/usr/heimdal --with-ads --config-cache --with-pam

hope this is useful to someone somewhere... :)
please note that i'm not subbed to this list, so copy me in on any 
replies if you want me to see them.

cheers,
Adam
--
Adam Laurie Tel: +44 (20) 7605 7000
The Bunker Secure Hosting Ltd.  Fax: +44 (20) 7605 7099
Shepherds Building  http://www.thebunker.net
Rockley Road
London W14 0DA  mailto:[EMAIL PROTECTED]
UNITED KINGDOM  PGP key on keyservers
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba PDC with shares accessible for not logged users - how?

Tomek, did you checked if using force user, and setting read only=no, 
and having a machine account in the samba for the machine where the 
program runs, work? just guessing!

MRB
http://www.lionix.com
Linux
Tomasz Chmielewski wrote:
Hello,
Is it possible to create a share on a Samba PDC, which would be 
accessible for everybody, evyn for users who didn't join / log into the 
domain?

I have a program which starts as a service, and keeps its settings on a 
central server (for all machines); but the authors of that program 
didn't think that some servers are password-protected (or are domains)...


Tomek
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] iplanet ldap and samba

2004-11-17 Thread synrat

Is there a good how-to on getting samba to work
with Iplanet LDAP ? I already installed it and started
configuring from bits and pieces I could find with google, but
there're still many things missing. I also found a posting that said
samba schema for Iplanet5 shipped with Samba 3.0.8 isn't up to date.
What would need to be changed ?
Basically I'm looking for a complete walkthrough, modify/import schema, 
settings, users to create, etc...

also, is it at all possible to get Samba users authenticated via LDAP or 
PAM without having any lm, SSID and other attributes, basically relying 
only on successful LDAP bind or PAM success ?

thank you
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] RE: SOLVED: More Printing Fun (Point and print not working)

2004-11-17 Thread Jason Balicki

Ok, last night I was able to do some work after the
trolls, er, users went home.

1)  printer admin= is set in the [global] section.

2)  restarted samba.  Same problem.

3)  stopped samba.  got rid of all printing related tdb
files.  started samba.  made no other changes.  was able
to add drivers to the print$ share.

All this was done remotely, so I couldn't verify
that the printers were actually printing, so I
came in a little early and saw that they were.

So, I'm guessing I had another corrupt tdb file,
probably from screwing around so much trying to get
the slow-print issue fixed.  (In case anyone missed
that, my vendor issued a new driver for their printer
that sped up printing.  It's still a little slow,
but it's much, much better than it was.)

Now if I can just fix the "printer on x.x.x.x" instead
of "printer on " problem.  But that's cosmetic
and I don't care at this point.  3.0.8 will probably fix
it anyway.  :)

Thanks, everyone, for your help.

--J(K)

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Samba PDC with shares accessible for not logged users - how?

Hello,
Is it possible to create a share on a Samba PDC, which would be 
accessible for everybody, evyn for users who didn't join / log into the 
domain?

I have a program which starts as a service, and keeps its settings on a 
central server (for all machines); but the authors of that program 
didn't think that some servers are password-protected (or are domains)...


Tomek
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Re: Problem running kde

2004-11-17 Thread Jeremy Allison

On Wed, Nov 17, 2004 at 07:11:26PM +0100, Tilo Lutz wrote:
> 
> > If you're pointing it at a Samba server then get a debug level 10 log
> > with timestamps so you can tell what is going on on the wire.
> > 
> > It might be easier for test purposes to set up a loopback mount onto
> > the same machine to ensure time sync.
> 
> Thank you for aour support. It's not directly a samba problem
> but how can I debug the cifs kernel module and kde itself?
> 
> Is there any way to start an application, kde in my case, with another
> programm wich logs every filesystem access?

strace would do it. But what I'm saying is that logging cifsfs and
Samba will tell you exactly what filesystem calls are being made, and
what is being failed.

Jeremy
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Re: Problem running kde

2004-11-17 Thread Tilo Lutz

Hi

> On Wed, Nov 17, 2004 at 11:40:19AM +0100, Tilo Lutz wrote:
> > I've tried out the registry patch. I'm now able to run kde
> > applications like konqueror. But I can't start the kde display-manager
> > via startx oder kdm. Startup still hangs.

Jeremy wrote:
> If you're pointing it at a Samba server then get a debug level 10 log
> with timestamps so you can tell what is going on on the wire.
> 
> It might be easier for test purposes to set up a loopback mount onto
> the same machine to ensure time sync.

Thank you for aour support. It's not directly a samba problem
but how can I debug the cifs kernel module and kde itself?

Is there any way to start an application, kde in my case, with another
programm wich logs every filesystem access?

Cheers, Tilo
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [samba] create account that can join machines but not admin access on domain

daniel, increase the log level and check if the information provided 
give any help

MRB
http://www.lionix.com
Linux
Daniel Wilson wrote:
MaTT wrote:
Hi Daniel... this is from the Samba Docs... will help
 One of my junior staff needs the ability to add machines to the 
Domain, but I do not want to give him root access. How can we do this?
   
Users who are members of the Domain Admins group can add machines to 
the Domain. This group is mapped to the UNIX group account called root 
(or equivalent on wheel on some UNIX systems) that has a GID of 0. 
This must be the primary GID of the account of the user who is a 
member of the Windows Domain Admins account.

MRB
http://www.lionix.com
Linux
Daniel Wilson wrote:
hi list,
im using samba 3.0.8 with LDAP,
To add a machine to the domain i currently use the administrator 
account (which has uidNumber=0), which means this account has 
automatic root on all of the shares (my shares arnt using samba, im 
using NetApps Filers, which have been configured to authenticate via 
samba), when we roll this project out accross the university (approx 
50,000 users) we want the technicians in each school to be able to 
add machines to the domain but not get root/admin access to all the 
shares.

So my question is, Can you create an account that can add machines to 
the domain but doesnt get root/admin priveldges on all the 
shares/domain (as the would conflict with human rights issues etc...)

Regards
ive tried to set GID to 0 to an account, but i get unkwon username or 
password error when i try to add it, if i use administrtor adding is 
successful! 

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Re: Problem running kde

2004-11-17 Thread Jeremy Allison

On Wed, Nov 17, 2004 at 11:40:19AM +0100, Tilo Lutz wrote:
> Hi
> 
> > We use the exact same setup as you. We found NFS too insecure for our 
> > tastes aswell.
> > Here are our experiences with it:
> > http://lists.samba.org/archive/linux-cifs-client/2004-November/000477.html
> > ( http://tinyurl.com/55ofl )
> > and:
> > http://lists.samba.org/archive/linux-cifs-client/2004-November/000485.html
> > ( http://tinyurl.com/6wfc5 )
> > 
> > I haven't gotten gotten around to testing the kernel-patch yet but my 
> > buddy said kde works properly now.
> 
> I've tried out the registry patch. I'm now able to run kde
> applications like konqueror. But I can't start the kde display-manager
> via startx oder kdm. Startup still hangs.

If you're pointing it at a Samba server then get a debug level 10 log
with timestamps so you can tell what is going on on the wire.

It might be easier for test purposes to set up a loopback mount onto
the same machine to ensure time sync.

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Transfer winbind idmap to LDAP

2004-11-17 Thread Marcel de Riedmatten

Le sam 13/11/2004 à 12:36, Paul Coray a écrit :
> Marcel de Riedmatten wrote:
> > Le mer 10/11/2004 à 11:21, Paul Coray a écrit :
> > 

> > 
> > 1) get the winbind-idmap in text form with a getent passwd for example
> 
> I did that with # net idmap dump winbindd_idmap.tdb > 
> /tmp/winbindd_idmap.dump on the member server. the resulting file looks 
> like:
> 
> ...
> UID 10013 S-1-5-21-98201057-1281969052-1085559986-1608
> UID 10202 S-1-5-21-98201057-1281969052-1085559986-1436
> UID 10138 S-1-5-21-98201057-1281969052-1085559986-1011
> UID 10105 S-1-5-21-98201057-1281969052-1085559986-1418
> UID 10067 S-1-5-21-98201057-1281969052-1085559986-1137
> ...

Actualy you want this information on the following form

UIDName:x:UIDNumber:GIDNumber

This is because smbldap-useradd doesn't know about SID. The vampire use
it only for the posix part of the account. Again a getent passwd with
the unusefull line removed will do the trick.


> > 
> > 3) hack the script defined under "user add script" who will be adding
> > the users to use the information of 1). With the ldap backend this is
> > usually smbldap-useradd .
> 
> Well, I'd like to, but my knowledge of Perl is still too limited :-( So 
> if any body can help, I think I'm not the only one who would appreciate 
> highly! Another way would be to modify the IDs of each user and Group in 
> LDAP after the vampire process.

I have had an other idea. You can just populate the posix account before
running the vampire according to the data you got under 1). The vampire
check if the account exist and if it exist smbldap-useradd is not
called. You can populate with the following script:

#!/bin/bash 
  
USERADD="/usr/local/sbin/smbldap-useradd"

   
while read STRING ; do
  #echo $STRING
  UIDName=$(echo $STRING | cut -d : -f1)
  UIDNumber=$(echo $STRING | cut -d : -f3)
  GIDNumber=$(echo $STRING | cut -d : -f4)
  echo "Creating Account: $UIDName $UIDNumber $GIDNumber "
  $USERADD  -u $UIDNumber  -g $GIDNumber  $UIDName
done

call it populate.sh and do

# ./populate.sh < myaccountlistfile 

Depending of your data you might need something similar for your groups.

Cheers 

-- 
Marcel de Riedmatten






signature.asc
Description: Ceci est une partie de message	=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e=2E?=
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Problem with joining Active Server Domain

2004-11-17 Thread David Evans-Roberts

I have built samba 3.0.8 with ADS support.  From the Solaris 9 end it
appeared to join the active directory server domain OK.  However when I look
using Windows Explorer on the ADS (Windows 2003) machine it appears as Samba
3.0.8 server under WORKGROUP, and I cannot access the shares.  I am using
the MIT kerberos.  The Howto guide on page 74 is a bit ambiguous.  I read it
to say that if you are you are using Heimdel it must be a release later than
0.6.  A colleague took it to read that you must use Heimdal rather than MIT
for Windows 2003.  Is this the problem or is it something else.  Any advice
welcomed.

/usr/local/samba/bin/net ads join -U Administrator
Administrator's password: 

[2004/11/17 17:03:53, 0] libads/ldap.c:(1366)
  ads_add_machine_acct: Host account for pike already exists - modifying old
account
  Using short domain name -- ASTTEST
  Joined 'PIKE' to realm 'ASTTEST.LOCAL'

The relevant parts of the /etc/krb5.conf file are as follows:

[libdefaults]
default_realm = astest.local

[realms]
astest.local = {
kdc = eng-test.astest.local
}

[domain_realm]
.kerberos.server = astest.local



And smb.conf :

# Global parameters
[global]
workgroup = ASTTEST
realm = ASTTEST.LOCAL
security = ADS
password server = eng-test.asttest.local
username map = /etc/samba/usermap.txt
log level = 1
log file = /var/log/samba
socket options = TCP_NODELAY IPTOS_LOWDELAY
load printers = No
os level = 0
dns proxy = No
idmap uid = 15000-2
idmap gid = 15000-2
read only = No
create mask = 0775
directory mask = 0775

[mds0650]


---


David Evans-Roberts
[EMAIL PROTECTED]
Systems Administrator
HR Wallingford  

 


**
HR Wallingford uses Faxes and Emails for confidential and 
legally privileged business communications.  They do not of
themselves create legal commitments.  Disclosure to parties 
other than addressees requires our specific consent.  We are
not liable for unauthorised disclosures nor reliance upon them.  
If you have received this message in error please advise us 
immediately and destroy all copies of it.
**

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Program for encrypt passwords

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
check out the perl module Crypt::SmbHash, you can find it on CPAN.
i hope this helps.
nb
Francisco Cano Entrena thus spake on 11/10/2004 06:06 AM:
| Hello!
| At the University of Granada (Spain) we use a Samba Server for aprox. 1000
| users and runs ok.
| But (there's always a but) we need to know how encript password for the
| smbpasswd file. I know that we can use the smbpasswd program but we
need get
| the encrypted password in the stdout. Has someone a program than does
this??
|
| TIA.
|
|  _
| / __/  / _/   / _/
|/ /___ / // /___ Francisco Cano Entrena
|   /  ___// // /Serv. Informática, Univ. Granada
|  / // /_   / /_   E-mail: [EMAIL PROTECTED]
| /_//___/  /___/  Tlf: + 34 58 241010 Ext. 31081 Fax:
244221
|
- --
Nathan Benson
http://sourcefire.com/
1C1A F2C1 82AD F75F 9B6B  E501 0D73 DC9B E96B DD96
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBm4TKDXPcm+lr3ZYRAn08AKCDwouw2946jkn5BZzdrhQqS8EsCgCgpOsu
FS9oSAnaGC8cfRUEysdAzDY=
=z8xx
-END PGP SIGNATURE-
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [samba] create account that can join machines but not admin access on domain

2004-11-17 Thread Daniel Wilson

MaTT wrote:
Hi Daniel... this is from the Samba Docs... will help
One of my junior staff needs the ability to add machines to the
Domain, but I do not want to give him root access. How can we do this?

Users who are members of the Domain Admins group can add machines to
the Domain. This group is mapped to the UNIX group account called root
(or equivalent on wheel on some UNIX systems) that has a GID of 0.
This must be the primary GID of the account of the user who is a
member of the Windows Domain Admins account.

MRB
http://www.lionix.com
Linux
Daniel Wilson wrote:
hi list,
im using samba 3.0.8 with LDAP,
To add a machine to the domain i currently use the administrator
account (which has uidNumber=0), which means this account has
automatic root on all of the shares (my shares arnt using samba, im
using NetApps Filers, which have been configured to authenticate via
samba), when we roll this project out accross the university (approx
50,000 users) we want the technicians in each school to be able to
add machines to the domain but not get root/admin access to all the
shares.

So my question is, Can you create an account that can add machines to
the domain but doesnt get root/admin priveldges on all the
shares/domain (as the would conflict with human rights issues etc...)

Regards
ive tried to set GID to 0 to an account, but i get unkwon username or
password error when i try to add it, if i use administrtor adding is
successful!

Daniel Wilson
Systems Administrator
IT & Communications Service
University of Sunderland
Unit1 Technology Park
Chester Road
Sunderland
SR2 7PT
Tel: 0191 515 2695
This e-mail contains information which is confidential and may be privileged and is for the exclusive use of the recipient.
It is the responsibility of the recipient to ensure that this message and its attachments are virus free.
Any views or opinions presented are solely those of the author and do not necessarily represent those of the University, unless otherwise specifically
stated.

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Migrating NT4 Domain with Idealx tools

2004-11-17 Thread Andreas

On Wed, Nov 17, 2004 at 05:37:02PM +0100, Marcel de Riedmatten wrote:
> > nss_base_passwd ou=Users,dc=mydomain,dc=ch
> > nss_base_passwd ou=Computers,dc=mydomain,dc=ch
> > nss_base_group  ou=Groups,dc=mydomain,dc=ch
> 
> I am not sure. I just don't specify nss_base_passwd ie i just
> defined 

Yes, this is possible since nss_ldap-204:
204 Luke Howard <[EMAIL PROTECTED]>

* Linux netgroup implementation from Larry Lile
--> * Multiple service search descriptor support from
  Symas
* IPv6 patch from Thorsten Kukuk at SuSE

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] 3.0.7 problems with LDAP groups

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
I just upgraded samba to 3.0.7 from 3.0.4, and am now having trouble
with my groups.  I used to be able to log into a windows machine and
request a share that I didn't have access to, and it would then ask me
for a username/password to connect to the share (as it should).
I would then add myself (or whatever user) to the proper LDAP group
entry that was responsible for that share.  I would then try the share
again and it would either let me right in, or prompt me for the username
and password.  If I got prompted, I entered my username/password, and I
was given access to the share.
Now my problem is that since upgrading to 3.0.7, this is no longer the
case.  I have to log out and log back in for me to gain access to the
share.  So, it seems that samba is caching the groups I belong to when
I log in, and not querying the LDAP server again when I provide
credentials when prompted.
I am sure that is is probably something trivial that I am missing, but
I am indeed missing it.  I would appreciate any input on this, as it is
more than mildly annoying.
Regards,
Nathan
- --
Nathan Benson
http://sourcefire.com/
1C1A F2C1 82AD F75F 9B6B  E501 0D73 DC9B E96B DD96
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBm3+qDXPcm+lr3ZYRAtohAJ9YUu3wn0Vi8C7zN3KA+fPXn5N10QCgl77F
4TchVkpfCchSzJZKjykwzYA=
=9Cxa
-END PGP SIGNATURE-
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] AD Account locked out issue

2004-11-17 Thread sharif islam

I am having several of my AD account getting locked out while users
are trying to get to the samba share from the workstation in the AD
domain. I am trying to figure out if this is something to do with the
samba setup or problem in the AD domain. After the user unlocks their
account, they can get in.  However, there ware few instance when they
had to unlock the account multiple times or wait several minutes
before they can get in. This is something I noticed in the log after a
user tried to access a share.

[2004/11/17 10:28:40, 1] smbd/service.c:make_connection_snum(648)
  .x connect to service systemsweb initially as user
Domain\joe (uid=10093, gid=17540) (pid 31075)
[2004/11/17 10:28:40, 1] smbd/service.c:close_cnum(836)
xx.xxx. closed connection to service web

-- 
Sharif Islamhttp://www.sharifislam.com
Research Programmer 
Library Systems Office
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Migrating NT4 Domain with Idealx tools

2004-11-17 Thread Marcel de Riedmatten

Le mer 17/11/2004 à 17:09, Paul Coray a écrit :
> Marcel de Riedmatten schrieb:

> > 
> > you can have them separated. What count is that the machines account are
> > visible on domain controllers (PDC BDC) ie getent passwd must show the
> > machine (posix) account. This is nss_ldap configuration. If samba
> > doesn't see the machine (posix) account it won't work . 
> 
> So can I specify more then one nss base for passwd in libnss-ldap.conf
> 
> i.e.
> 
> nss_base_passwd   ou=Users,dc=mydomain,dc=ch
> nss_base_passwd ou=Computers,dc=mydomain,dc=ch
> nss_base_groupou=Groups,dc=mydomain,dc=ch

I am not sure. I just don't specify nss_base_passwd ie i just
defined 

base dc=mydomain,dc=ch

> > 
> >>  So I would suspect some problem in the communication with the
> >>
> >>>PDC and double check that on the samba box 
> >>>
> >>>1) you have the domain SID as local SID
> >>
> >>Do SIDS for the PDC and for the domain have to be the same?
> > 
> > 
> > yes the domain SID _is_ the (local) SID of the PDC and all domain
> > controllers must have the same SID.
> 
> Thanks Marcel, this is very valuable information to me! I think these 
> should be pointed out more clearly in the docs.
> 
> 
ok 

By the way I am preparing something for the vampire and idmap stuff. 

-- 
Marcel de Riedmatten



signature.asc
Description: Ceci est une partie de message	=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e=2E?=
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Migrating NT4 Domain with Idealx tools

2004-11-17 Thread Paul Coray

Marcel de Riedmatten schrieb:

Now I realize this works when i configure LDAP and Idealx-Tools to store 
machine accounts in the same container as useraccounts. Although this 
makes my directory look somewhat messy, I can live with it if I have to. 
Still I can't add machines doing smbldap-useradd -w, nor when I try to 
join the domain from a client.

you can have them separated. What count is that the machines account are
visible on domain controllers (PDC BDC) ie getent passwd must show the
machine (posix) account. This is nss_ldap configuration. If samba
doesn't see the machine (posix) account it won't work . 
So can I specify more then one nss base for passwd in libnss-ldap.conf?
i.e.
nss_base_passwd ou=Users,dc=mydomain,dc=ch
nss_base_passwd ou=Computers,dc=mydomain,dc=ch
nss_base_group  ou=Groups,dc=mydomain,dc=ch

 So I would suspect some problem in the communication with the
PDC and double check that on the samba box 

1) you have the domain SID as local SID
Do SIDS for the PDC and for the domain have to be the same?

yes the domain SID _is_ the (local) SID of the PDC and all domain
controllers must have the same SID.
Thanks Marcel, this is very valuable information to me! I think these 
should be pointed out more clearly in the docs.

Cheers
Paul
--
Paul Coray
Administrator Server und Netzwerk
Oeffentliche Bibliothek der Universitaet Basel
EDV-Abteilung
Schoenbeinstrasse 18-20
CH-4056 Basel
Tel: +41 61 267 05 13
Fax: +41 61 267 31 03
mailto:[EMAIL PROTECTED]
http://www.ub.unibas.ch
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Migrating NT4 Domain with Idealx tools

2004-11-17 Thread Marcel de Riedmatten

Le sam 13/11/2004 à 12:23, Paul Coray a écrit :
> Marcel de Riedmatten wrote:
> > Le mar 09/11/2004 à 17:57, Paul Coray a écrit :

>  
> > This doesn't seem normal.  The samba attribute should be added by the
> > vampire.
> 
> But I my case it doesn't... net rpc vampire says 'Couldn't create Posix 
> information for machinename$'. Well in reality, it did, but without 
> samba atrrs.
> 
> Now I realize this works when i configure LDAP and Idealx-Tools to store 
> machine accounts in the same container as useraccounts. Although this 
> makes my directory look somewhat messy, I can live with it if I have to. 
> Still I can't add machines doing smbldap-useradd -w, nor when I try to 
> join the domain from a client.

you can have them separated. What count is that the machines account are
visible on domain controllers (PDC BDC) ie getent passwd must show the
machine (posix) account. This is nss_ldap configuration. If samba
doesn't see the machine (posix) account it won't work . 


> 
>   So I would suspect some problem in the communication with the
> > PDC and double check that on the samba box 
> > 
> > 1) you have the domain SID as local SID
> 
> Do SIDS for the PDC and for the domain have to be the same?

yes the domain SID _is_ the (local) SID of the PDC and all domain
controllers must have the same SID.


signature.asc
Description: Ceci est une partie de message	=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e=2E?=
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [samba] create account that can join machines but not admin access on domain

Hi Daniel... this is from the Samba Docs... will help
 One of my junior staff needs the ability to add machines to the 
Domain, but I do not want to give him root access. How can we do this?
	

Users who are members of the Domain Admins group can add machines to the 
Domain. This group is mapped to the UNIX group account called root (or 
equivalent on wheel on some UNIX systems) that has a GID of 0. This must 
be the primary GID of the account of the user who is a member of the 
Windows Domain Admins account.

MRB
http://www.lionix.com
Linux
Daniel Wilson wrote:
hi list,
im using samba 3.0.8 with LDAP,
To add a machine to the domain i currently use the administrator account 
(which has uidNumber=0), which means this account has automatic root on 
all of the shares (my shares arnt using samba, im using NetApps Filers, 
which have been configured to authenticate via samba), when we roll this 
project out accross the university (approx 50,000 users) we want the 
technicians in each school to be able to add machines to the domain but 
not get root/admin access to all the shares.

So my question is, Can you create an account that can add machines to 
the domain but doesnt get root/admin priveldges on all the shares/domain 
(as the would conflict with human rights issues etc...)

Regards
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] User Administrator in passdb, but getpwnam() fails when trying to add XP machine to smb/ldap domain

2004-11-17 Thread Andreas

On Wed, Nov 17, 2004 at 04:35:48PM +0200, Henti Smith wrote:
> when I try to add the computer using the settings in XP, when prompted with
> username and password I use the administrator and password set preveiosly.
> 
> this results in failure and log reports: 
> 
> [2004/11/17 17:59:25, 1] auth/auth_util.c:make_server_info_sam(822)
>   User Administrator in passdb, but getpwnam() fails!

Try configuring nss_ldap.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] A device attached to the system is not functioning

Hi, doesn't seems to be a samba related problem. did you check the 
logs?? anything there?? increase log level ?? check the XP event viewer

regards
MRB
www.lionix.com
Linux
Hiu Yen Onn wrote:
hi,
i have a samba-ldap pdc. from the windows xp client. i hardly logon to 
the network.
the windows popup a box stating "A device attached to the system is not 
functioning".
.but however, i tested the account from windows 98. it worked perfectly.
can someone give me some pointers? thanks


--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Profile inaccessable


I have ONE user on ONE workstation that occasionally gets locked out 
of his workstation with the message about a corrupt/inaccessable 
profile, using a temp (sorry for not having the exact text, I've 
killed people for lesser offenses myself).  When I go in as 
administrator I see that
Amendment to this statement, I guess it's happening to another user as 
well, so it's not as isolated as I thought.  He's just not one to complain,

--
--
Paul GiengerOffice: 701-281-1884
Applied Engineering Inc.
Systems Architect   Fax:701-281-1322
URL: www.ae-solutions.com   mailto: [EMAIL PROTECTED]
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] User Administrator in passdb, but getpwnam() fails when trying to add XP machine to smb/ldap domain

2004-11-17 Thread Henti Smith

Hi all 

I've been trying to get this sorted out for a day now, 

I have done the following: 

Followed the howto at http://samba.idealx.org/smbldap-howto.en.html
Changed the reg settings in XP
added the computer to ldap
added administrator to ldap

when I try to add the computer using the settings in XP, when prompted with 
username and password I use the administrator and password set preveiosly.

this results in failure and log reports: 

[2004/11/17 17:59:25, 1] auth/auth_util.c:make_server_info_sam(822)
  User Administrator in passdb, but getpwnam() fails!
[2004/11/17 17:59:25, 0] auth/auth_sam.c:check_sam_security(306)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_NO_SUCH_USER'
[2004/11/17 17:59:25, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1982)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (No 
such object)
[2004/11/17 17:59:26, 1] auth/auth_util.c:make_server_info_sam(822)
  User Administrator in passdb, but getpwnam() fails!
[2004/11/17 17:59:26, 0] auth/auth_sam.c:check_sam_security(306)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_NO_SUCH_USER'
[2004/11/17 17:59:26, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1982)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (No 
such object)

I've searched google and the list for possible options, but I've not yet found 
one that solves this problem. 

Any suggestions ? 

Thanks 

-- 
Henti Smith
[EMAIL PROTECTED]
+27 82 958 2525
http://www.geekware.co.za

DISCLAIMER : 

Unauthorised use of characters, images, sounds, odors, severed limbs, noodles, 
wierd dreams, strange looking fruit, oxygen, and certain parts of Jupiter are 
strictly forbidden.  If I find you violating, or molesting my property in any 
way, I will employ a pair of burly convicts to find you, kidnap you, and 
perform god-awful sexual experiments on you until you lose the ability to sound 
out vowels.  I don't know why you are still reading this, but by doing so you 
have proven that you have far too much time on your hands, and you should go 
plant a tree, or read a book or something.
- http://www.ctrlaltdel-online.com/
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Limit the size of file sended to samba server

2004-11-17 Thread Nicolas Ecarnot

Hi,
I'm looking for a way to prevent users to send BIG files to a samba server.
After some research, I discovered that :
- There are option in smb.conf that deal with quota (get/set quota 
commands), but the quotas deal with the total amount of data you put in 
a partition (a file system), not the size of one file

- There is an option to limit the amount of octets sent in a samba 
session, but I doubt this has to deal with my question

- Some advice me to modify the script that launches the smb server, 
(that is launched by root) to add a 'ulimit' command before the launch.
This may work, but I don't know if this command will act on this 
script/environnement alone, or will act on everything is done by root on 
this server (that would not fit)

So, I can't believe I'm the first guy to have this problem, with users 
sending huge MPEGs in the boss's financial subdirectories :o)

How would you do that (except napalm) ?
--
Nicolas Ecarnot
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Re: Samba 3.0.4 and DOS 6.2.2 - MSDOS Copy problem

2004-11-17 Thread Craig Funk

Hi Craig,
could you (temporarely) set the samba debuglevel to 10?

Set log level to 10 and got the output below. Hopefully it is useful. 
We have about 12 machines using samba, so I tried to only send relevant 
portion of log file.

Generated by COPY DEFAULT.PLP TMP.PLP
[2004/11/17 01:04:39, 5] smbd/filename.c:unix_convert(114)
  unix_convert called on file "3277/TEST/DEFAULT.PLP"
[2004/11/17 01:04:39, 10] smbd/statcache.c:stat_cache_lookup(251)
  stat_cache_lookup: lookup failed for name [3277/TEST/DEFAULT.PLP]
[2004/11/17 01:04:39, 10] smbd/statcache.c:stat_cache_lookup(251)
  stat_cache_lookup: lookup failed for name [3277/TEST]
[2004/11/17 01:04:39, 10] smbd/statcache.c:stat_cache_lookup(251)
  stat_cache_lookup: lookup failed for name [3277]
[2004/11/17 01:04:39, 5] smbd/statcache.c:stat_cache_add(178)
  stat_cache_add: Added entry 3277/TEST/DEFAULT.PLP -> 
3277/TEST/DEFAULT.PLP
[2004/11/17 01:04:39, 5] smbd/filename.c:unix_convert(176)
  conversion finished 3277/TEST/DEFAULT.PLP -> 3277/TEST/DEFAULT.PLP
[2004/11/17 01:04:39, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(3277/TEST/DEFAULT.PLP) returning 0764
[2004/11/17 01:04:39, 5] smbd/files.c:file_new(122)
  allocated file structure 3721, fnum = 7817 (1 used)
[2004/11/17 01:04:39, 10] smbd/open.c:open_file_shared1(833)
  open_file_shared: fname = 3277/TEST/DEFAULT.PLP, dos_attrs = 6, 
share_mode = 0, ofun = 1, mode = 764, oplock request = 0
[2004/11/17 01:04:39, 8] lib/util.c:is_in_path(1508)
  is_in_path: 3277/TEST/DEFAULT.PLP
[2004/11/17 01:04:39, 8] lib/util.c:is_in_path(1512)
  is_in_path: no name list.
[2004/11/17 01:04:39, 8] smbd/dosmode.c:dos_mode(270)
  dos_mode: 3277/TEST/DEFAULT.PLP
[2004/11/17 01:04:39, 8] smbd/dosmode.c:dos_mode_from_sbuf(151)
  dos_mode_from_sbuf returning a
[2004/11/17 01:04:39, 8] lib/util.c:is_in_path(1508)
  is_in_path: 3277/TEST/DEFAULT.PLP
[2004/11/17 01:04:39, 8] lib/util.c:is_in_path(1512)
  is_in_path: no name list.
[2004/11/17 01:04:39, 8] smbd/dosmode.c:dos_mode(302)
  dos_mode returning a
[2004/11/17 01:04:39, 4] smbd/open.c:open_file_shared1(1010)
  calling open_file with flags=0x0 flags2=0x0 mode=0764
[2004/11/17 01:04:39, 10] smbd/open.c:fd_open(45)
  fd_open: name 3277/TEST/DEFAULT.PLP, flags = 00 mode = 0764, fd = 25.
[2004/11/17 01:04:39, 2] smbd/open.c:open_file(240)
  JENNY opened file 3277/TEST/DEFAULT.PLP read=Yes write=No (numopen=1)
[2004/11/17 01:04:39, 10] smbd/open.c:open_file_shared1(1122)
  open_file_shared : share_mode = 0
[2004/11/17 01:04:39, 10] locking/locking.c:set_share_mode(659)
  set_share_mode: creating entry for file 3277/TEST/DEFAULT.PLP. 
num_share_modes = 1
[2004/11/17 01:04:39, 10] locking/locking.c:print_share_mode_table(409)
  print_share_mode_table: share_mode_entry[0]: pid = 18126, share_mode 
= 0x0, desired_access = 0x1, port = 0x0, type= 0x0, file_id = 1, dev = 
0x803, inode = 295012
[2004/11/17 01:04:39, 8] smbd/dosmode.c:dos_mode(270)
  dos_mode: 3277/TEST/DEFAULT.PLP
[2004/11/17 01:04:39, 8] smbd/dosmode.c:dos_mode_from_sbuf(151)
  dos_mode_from_sbuf returning a
[2004/11/17 01:04:39, 8] lib/util.c:is_in_path(1508)
  is_in_path: 3277/TEST/DEFAULT.PLP
[2004/11/17 01:04:39, 8] lib/util.c:is_in_path(1512)
  is_in_path: no name list.
[2004/11/17 01:04:39, 8] smbd/dosmode.c:dos_mode(302)
  dos_mode returning a
[2004/11/17 01:04:39, 5] lib/util.c:show_msg(456)
[2004/11/17 01:04:39, 5] lib/util.c:show_msg(466)
  size=49
  smb_com=0x2
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=128
  smb_flg2=18433
  smb_tid=1
  smb_pid=1597
  smb_uid=100
  smb_mid=0
  smt_wct=7
  smb_vwv[ 0]= 7817 (0x1E89)
  smb_vwv[ 1]=   32 (0x20)
  smb_vwv[ 2]= 4256 (0x10A0)
  smb_vwv[ 3]=16794 (0x419A)
  smb_vwv[ 4]=  600 (0x258)
  smb_vwv[ 5]=0 (0x0)
  smb_vwv[ 6]=0 (0x0)
  smb_bcc=0
[2004/11/17 01:04:39, 6] lib/util_sock.c:write_socket(432)
  write_socket(5,53)
[2004/11/17 01:04:39, 6] lib/util_sock.c:write_socket(435)
  write_socket(5,53) wrote 53
[2004/11/17 01:04:39, 10] 
lib/util_sock.c:read_smb_length_return_keepalive(488)
  got smb length of 41
[2004/11/17 01:04:39, 6] smbd/process.c:process_smb(889)
  got message type 0x0 of len 0x29
[2004/11/17 01:04:39, 3] smbd/process.c:process_smb(890)
  Transaction 5 of length 45
[2004/11/17 01:04:39, 5] lib/util.c:show_msg(456)
[2004/11/17 01:04:39, 5] lib/util.c:show_msg(466)
  size=41
  smb_com=0x4
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=0
  smb_flg2=0
  smb_tid=1
  smb_pid=1597
  smb_uid=100
  smb_mid=0
  smt_wct=3
  smb_vwv[ 0]= 7817 (0x1E89)
  smb_vwv[ 1]= 4256 (0x10A0)
  smb_vwv[ 2]=16794 (0x419A)
  smb_bcc=0
[2004/11/17 01:04:39, 3] smbd/process.c:switch_message(685)
  switch message SMBclose (pid 18126)
[2004/11/17 01:04:39, 4] smbd/uid.c:change_to_user(186)
  change_to_user: Skipping user change - already user
[2004/11/17 01:04:39, 3] smbd/reply.c:reply_close(2693)
  close fd=25 fnum=7817 (numopen=1)
[2004/11/17 01:04:39, 10] locking/locking.c:del_share_entry(569)
  del_share_entry: num_share_modes = 1
[2004/11/17 01:04:39, 10] l

[Samba] Profile inaccessable