[Samba] Domain Unavailable, XP and Samba 3.0.8
400MHz Dell Poweredge server with Debian and Samba 3.0.8 from the .deb files at samba.org. 40 WinXP Acer workstations connected via ethernet are joined to the domain and working fine. Profiles are local.

However, new P4 Toshiba laptops (XP Service Pack 2, 256MB RAM) are unable to cache credentials. That means laptops can join the domain when connected via ethernet, and domain users are able to log in, but disconnected operation is impossible. The laptop reports "domain is unavailable" and refuses to let the user past the password prompt. Not convenient when they take the laptops home.

User's best option is to log on to the laptop with a local user account and mount shares from a script. But I would rather they join the domain. The laptop security policy is set to cache 10 credentials by default.

My aged Windows 2000 laptop can handle this situation just fine. It caches credentials and user can log on in disconnected mode, provided at least one connected domain login has occurred ever. Windows 2000 laptop can even login successfully over the wireless access point -- another thing the poor XP laptops are unable to accomplish.

I've tried everything I can think of -- is there a registry hack or configuration trick which will make WinXP honor the cached credentials? Thank you.

-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Re: SAMBA / LDAP / Domain Password change problem
First I setup DHCP on the server - we were using the Linksys router to provide DHCP.

Then did following:

    service smb stop ; service winbind stop ; rm -f /var/cache/samba/wins.dat ; service smb start ; service winbind start

Same problem.

I looked at the log file for one of the computers that won't join the domain. It says the following:

    cat /var/log/samba/log.ron_laptop
    [2004/11/30 11:25:24, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1870)
      ldapsam_add_sam_account: failed to modify/add user with uid = ron_laptop$ (dn = uid=ron_laptop$,ou=Computers,dc=twinoakschurch,dc=org)
    [2004/11/30 11:25:24, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2277)
      could not add user/computer ron_laptop$ to passdb. Check permissions?

Any ideas? To summarize, we can't change user passwords at the workstations & several PCs won't attach to the domain.

John

Danny Paul wrote:

Remove the 'pam password change' option along with the 'remote announce'. Also take out the 'password chat' option - it's not needed with ldapsam.

It sounds like maybe your clients don't realize your PDC is also a WINS server. Is that info added to DHCPd? If not, are the clients configured to use it as a WINS server manually?

Also, I still stand by the wins.dat fix. It seems like the wins file is corrupted. Try it again after everyone has left for the day.

One more thing, run your config through testparm to make sure there are no errors. Then catch the output of the testparm -s into a new smb.conf file. This way the conf file is optimised and the errors are removed. I usually make all my changes to smb.conf.master, then do testparm -s smb.conf.master > smb.conf.

Also, please do not contact me directly - only through the newsgroup posting.

John Schmerold <[EMAIL PROTECTED]> 11/30 1:26 pm >>>

Danny, Thanks but that didn't solve the problem, matter of fact things have gotten a little worse since I first wrote.

None of the XP boxes will join the TOPC domain, boxes that have already joined aren't having the problem, just new joins seem to be giving us trouble.

I'll wait until end of day when everyone is off system & try the wins.dat delete trick again, I've also added a couple lines that may make a difference with regard to the password change issue:

    pam password change = yes

& the browsing issue:

    remote announce = 192.168.70.255
    local master = Yes

Thanks again, it's really helpful having someone that knows what they are doing help out.

John

John Schmerold
Katy Computer & Wireless
20 Meramec Station Rd
Valley Park MO 63088
636-861-6900 v
775-227-6947 f

Danny Paul wrote:

While it looks wrong, it is correct. It means the subnet at that interface, so you're OK there.

What you're experiencing is bad entries in the WINS.DAT file. You should stop smbd and nmbd, delete the wins.dat file (/usr/local/samba/var/locks/wins.dat), then restart smbd and nmbd. That should fix your problem.

John Schmerold wrote:

cat /var/log/samba/nmbd.log | grep error shows:

    register_name_response: WINS server at IP 127.0.0.1 rejected our name registration of TOPC<00> IP 192.168.70.10 with error code 5.
    register_name_response: WINS server at IP 127.0.0.1 rejected our name registration of TOPC<1e> IP 192.168.70.10 with error code 5.

lists.samba.org has reported this error 6 times with no solutions listed, any idea what I'm doing wrong

tail -50 < /var/log/samba/nmbd.log shows following may be a problem, what do you think?

    Samba server FS1 is now a domain master browser for workgroup TOPC on subnet UNICAST_SUBNET
    Samba server FS1 is now a domain master browser for workgroup TOPC on subnet 192.168.70.10

Shouldn't the second line read 192.168.70.0 ?
[Samba] pam ssh authentication using winbind
Samba setup as a Member Server in native AD domain with winbind authenticating AD users for access to shares. My understanding is that with pam and winbind, domain users can log into the samba server via ssh, even if they do not have a local user account? Logs show access granted but user unknown, so I must be missing something and need some help.

/var/log/messages during an ssh login:

    Nov 30 21:44:56 myserver pam_winbind[7349]: user 'stile' granted access
    Nov 30 21:45:44 myserver sshd(pam_unix)[7349]: check pass; user unknown
    Nov 30 21:45:44 myserver pam_winbind[7349]: user 'stile' granted access

Using Red Hat EL AS 3 + samba-3.0.9-1 + krb5-lib-1.3.1

/etc/pam.d/sshd

    #%PAM-1.0
    auth       required     pam_stack.so service=system-auth
    auth       sufficient   pam_winbind.so
    auth       required     pam_nologin.so
    account    sufficient   pam_winbind.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    required     pam_limits.so
    session    optional     pam_console.so

/etc/pam.d/login

    #%PAM-1.0
    auth       required     pam_securetty.so
    auth       sufficient   pam_winbind.so
    auth       required     pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    sufficient   pam_winbind.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    optional     pam_console.so

/etc/samba/smb.conf

    [global]
    server string = Samba Server
    workgroup = MYREALM
    realm = MYREALM.MY.DOMAIN.COM
    security = ADS
    username map = /etc/samba/smbusers
    map to guest = Bad User
    password server = *
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    preferred master = no
    local master = no
    domain master = no
    os level = 33
    wins server = 128.32.68.75 128.32.67.118
    ldap ssl = no
    idmap uid = 1-2
    idmap gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    winbind separator = +
    winbind use default domain = Yes
    template primary group = "Domain Users"
    template homedir = /home/%U
    template shell = /bin/bash
    load printers = no
    log level = 1
    syslog = 0
    log file = /var/log/samba/%m.log
    max log size = 0
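The log above shows pam_winbind granting access while pam_unix reports "user unknown". The following is an added example, not part of the original post and not Samba or Linux-PAM code: a simplified model of PAM control flags applied to the posted sshd stack. The per-module outcomes and the reordered stack are assumptions made for illustration.

```python
"""Simplified model of how Linux-PAM combines module results in one stack."""

# auth and account lines as posted for /etc/pam.d/sshd (whitespace restored).
POSTED_SSHD = """\
auth       required     pam_stack.so service=system-auth
auth       sufficient   pam_winbind.so
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
"""

# Hypothetical reordering, for comparison only (not from the thread).
REORDERED_SSHD = """\
auth       required     pam_nologin.so
auth       sufficient   pam_winbind.so
auth       required     pam_stack.so service=system-auth
"""

# Assumed module outcomes for an AD-only user with no local account, matching
# the log: pam_unix (inside system-auth) fails, pam_winbind succeeds.
AD_ONLY_USER = {"pam_stack.so": False, "pam_winbind.so": True, "pam_nologin.so": True}


def parse_stack(text, group):
    """Return [(control, module)] for one management group (auth, account, ...)."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2]))
    return stack


def evaluate(stack, results):
    """Apply required/requisite/sufficient rules; return (granted, modules_run)."""
    required_failed = False
    any_success = False
    ran = []
    for control, module in stack:
        ok = results[module]
        ran.append(module)
        if not ok:
            if control == "requisite":
                return False, ran        # fail at once, skip the rest
            if control == "required":
                required_failed = True   # remembered, but the stack keeps running
            continue                     # a failed sufficient/optional is ignored
        if control == "sufficient" and not required_failed:
            return True, ran             # success short-circuits the stack
        if control != "optional":        # simplification: optional never decides
            any_success = True
    return any_success and not required_failed, ran


if __name__ == "__main__":
    cases = [
        ("posted auth", POSTED_SSHD, "auth"),
        ("posted account", POSTED_SSHD, "account"),
        ("reordered auth", REORDERED_SSHD, "auth"),
    ]
    for label, text, group in cases:
        granted, ran = evaluate(parse_stack(text, group), AD_ONLY_USER)
        print(f"{label:15} granted={granted} ran={ran}")
```

With these assumed outcomes the posted auth stack denies the login even though pam_winbind succeeds, because the earlier required failure is already recorded; the posted account stack, where pam_winbind comes first, grants.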
[Samba] Case Sensitive Problem in SMBFS mount
Hi,

I am using Redhat Linux 9.0 on one machine and Windows XP on another machine. There is a folder named "Test" on WinXP which is mounted on my linux machine using

    mount -t smbfs //servername/Test /mount-point

Everything is working fine and I am able to get into this folder. My problem is when I am trying to access Test in linux using "cd test", I am able to access it but from Linux point of view this should not be permitted, as linux is case sensitive, I should access this folder as "cd Test" and not "cd test".

Please tell me how to make this mount case sensitive.

Thanks & Regards,
Saurabh Pendharker
Re: [Samba] Samba shares issue
Hi Mark.

On Wed, 2004-12-01 at 12:05 +1100, Mark Huff wrote:
> I have a company that uses Debian and Samba. I have created three shared
> folders on the server and the users connect to them from win2K workstations
> using a common user ID login. Users can also connect via VPN via pop-top
> VPN server.
>
> The problem is that when editing a file locally then trying to save back to
> the samba share, Windows Excel (or other program) will tell the user that
> the file has been modified and do they wish to overwrite or save as a new
> copy. However, if i connect in via VPN, map to the share using the common
> user ID, I can open, change, and re-save files without getting this error.

I had a similar issue which turned out to be directory mask and create mask related. I used a common group and added members to it. The Linux permissions were 770 and the masks were default as in the Swat tool. I changed the masks to match the Linux permissions and that solved the problem.

Regards,
James Bowes,
Volar Technology Consulting.
Re: [Samba] smbd won't start - new installation
Al,

Never used swat, but on Suse, use:

    #rcnmb stop
    #rcsmb stop

to kill the processes. Then just start them manually and check the logs.

    #rcnmb start
    #rcsmb start

Suse has split the scripts that start smbd and nmbd so it is possible swat is having problems. I have samba 3.07 running fine on Suse 9.0 and Mdk 7.2.

Another possibility is that one of the processes has died and has left a lock file or PID file around that is giving you problems. After stopping the daemons, check for leftover lock or PID files and nuke them if found and try restarting. (These are just stabs from past posts I have read)

--
David C. Rankin, J.D., P.E.
Rankin * Bertin, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
(936) 715-9339 fax
www.rankin-bertin.com

- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 30, 2004 4:22 PM
Subject: [Samba] smbd won't start - new installation

Hi all,

I installed SuSe 9.1 with Samba 3.0.4-suse. I can not get the smbd to start from swat, but nmbd is running. When I start smbd and nmbd with the SWAT restart then ps -A shows that the processes are there and it seems to run, but not according to the 'status' of swat. Copying files from samba and printing with the shared printers work though. The printers show "access denied, no connection" in the W$ print status.

Is it a bug or do I miss some configuration with localhost:901 and SWAT?

--
Greetings, :-) Al Active
" Experience: the most brutal of teachers but you learn, my God, you learn " - C S Lewis -
Re: [Samba] Domain authentication failing after a period of time
Thanks for the clarification. Cheers!

Bill Knox
Lead Operating Systems Programmer/Analyst
The MITRE Corporation

On Tue, 30 Nov 2004, Jeremy Allison wrote:

> Date: Tue, 30 Nov 2004 14:23:50 -0800
> From: Jeremy Allison <[EMAIL PROTECTED]>
> To: William R. Knox <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Samba] Domain authentication failing after a period of time
>
> On Tue, Nov 30, 2004 at 04:31:44PM -0500, William R. Knox wrote:
> >
> > One final note - though I hadn't had it before, during the course of some
> > testing, I put in a second domain controller that did have the 1c entries,
> > and that didn't help the situation, i.e. only the first "wins server"
> > parameter entry seems to get queried for the DOMAIN#1C servers. I don't
> > know if this is a bug or the expected behavior, but I thought I would
> > mention it as part of the final wrap-up.
>
> Actually that wasn't what was happening in your case. The WINS
> server in question was responding to the name query - it was
> just responding "name unknown" (ie. the tombstone). If the
> server hadn't responded at all then the other WINS servers
> would have been queried. So it wasn't missing data, it was
> incorrect data that did you in :-).
>
> Cheers,
>
> Jeremy.
[Samba] Samba shares issue
I have a company that uses Debian and Samba. I have created three shared folders on the server and the users connect to them from win2K workstations using a common user ID login. Users can also connect via VPN via pop-top VPN server.

The problem is that when editing a file locally then trying to save back to the samba share, Windows Excel (or other program) will tell the user that the file has been modified and do they wish to overwrite or save as a new copy. However, if i connect in via VPN, map to the share using the common user ID, I can open, change, and re-save files without getting this error.

Has anyone come across this and if so what can i do to fix it?

Thanks in advance,
Mark
[Samba] Re: XP bug -- client spooler loop (MS KB 329234)
I think it is more of a windoze bug than a samba one. For what it's worth, I fixed it by changing my print setup on my xp clients to print via standard tcp/ip port. This immediately fixed my problem.

Cheers,
Rohan

Rohan Gilchrist
[EMAIL PROTECTED]
http://www.e-mailme.org/~rohan/
0412 648 909

On Tue, 30 Nov 2004, Gerald (Jerry) Carter wrote:

Thanks to Martin and Walter for pointing out that this is an old XP bug. Here's the link:

http://support.microsoft.com/default.aspx?scid=kb;en-us;329234

Unless someone can provide more information to show that this is not the bug you are seeing with "slow printing from xp sp2 clients", I'm marking this one off my list. Some old bugs never die I guess.

cheers, jerry
Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
[Samba] PDF Print From Windows 98
I've got a pdf script on the server that converts postscript to pdf files. The script works and prints but only when I'm using a windows 2000 and up station. Try the same user on a windows 98 machine and it doesn't work. I get a stopped with print status 249 in the cups log. Even with logging set to 2 same there isn't much more info. Anyone have this problem before. Thanks.
[Samba] smbd won't start - new installation
Hi all,

I installed SuSe 9.1 with Samba 3.0.4-suse. I can not get the smbd to start from swat, but nmbd is running. When I start smbd and nmbd with the SWAT restart then ps -A shows that the processes are there and it seems to run, but not according to the 'status' of swat. Copying files from samba and printing with the shared printers work though. The printers show "access denied, no connection" in the W$ print status.

Is it a bug or do I miss some configuration with localhost:901 and SWAT?

--
Greetings, :-) Al Active
" Experience: the most brutal of teachers but you learn, my God, you learn " - C S Lewis -
Re: [Samba] Domain authentication failing after a period of time
On Tue, Nov 30, 2004 at 04:31:44PM -0500, William R. Knox wrote:
>
> One final note - though I hadn't had it before, during the course of some
> testing, I put in a second domain controller that did have the 1c entries,
> and that didn't help the situation, i.e. only the first "wins server"
> parameter entry seems to get queried for the DOMAIN#1C servers. I don't
> know if this is a bug or the expected behavior, but I thought I would
> mention it as part of the final wrap-up.

Actually that wasn't what was happening in your case. The WINS server in question was responding to the name query - it was just responding "name unknown" (ie. the tombstone). If the server hadn't responded at all then the other WINS servers would have been queried. So it wasn't missing data, it was incorrect data that did you in :-).

Cheers,

Jeremy.
[Samba] XP Client: Domain Downgraded from Win2K+ to NT4-
Greetings!

I am currently running Win2K/AD domain with compatible mode. I managed to run the vampire procedure to migrate all credentials (SIDs and passwords) to Samba/PDC with OpenLDAP backend. The existing XP clients logon to the under the Samba/PDC domain without re-join the domain because they expect to locate the domain in Win2K/AD way. Here is the Event View message from NetLOGON:

    The domain of this computer, AB has been downgraded from Windows 2000 or newer to Windows NT4 or older. This computer cannot function properly in this case for authentication purposes. This computer needs to rejoin the domain. The following error occurred: There are currently no logon servers available to service the logon request.

Logon server is available (the same Samba/PDC) because a new XP client can join and logon to the domain with no problem.

The question is how to twist the registry parameter(s) so the existing XP clients will look for a NT4 or older style domain? According to MS Q314861, NT4 uses discovery to find its domain ...

Any information and suggestion are appreciated. Please respond to [EMAIL PROTECTED]

--
Kang Sun
[Samba] upgrade from 3.0.7-2 to 3.0.9-1 problems
good afternoon, i am running samba 3.0.7-2 on a fedora core 2 servers. has anyone had any serious problems upgrading from this version to the new version? thank you, stuart
Re: [Samba] Domain authentication failing after a period of time
I didn't see that the "1c" server wasn't being queried until after 15 minutes (thanks to Jeremy for taking hold of my hand and pointing this out - I will never, EVER get my head wrapped around Windows browsing and why that isn't queried until fifteen minutes after I join the domain). It turned out that I was able to alert my Windows admin brethren to a problem wherein one of their domain controllers had a "tombstone" for their "logon server (1c)" records, and so were not responding properly.

One final note - though I hadn't had it before, during the course of some testing, I put in a second domain controller that did have the 1c entries, and that didn't help the situation, i.e. only the first "wins server" parameter entry seems to get queried for the DOMAIN#1C servers. I don't know if this is a bug or the expected behavior, but I thought I would mention it as part of the final wrap-up.

Thanks again to Jeremy for picking up my calls for help and pointing out the flaw in my investigation.

Bill Knox
Lead Operating Systems Programmer/Analyst
The MITRE Corporation

On Tue, 30 Nov 2004, Jeremy Allison wrote:

> Date: Tue, 30 Nov 2004 10:06:41 -0800
> From: Jeremy Allison <[EMAIL PROTECTED]>
> To: William R. Knox <[EMAIL PROTECTED]>
> Cc: Jeremy Allison <[EMAIL PROTECTED]>
> Subject: Re: [Samba] Domain authentication failing after a period of time
>
> On Tue, Nov 30, 2004 at 12:47:52PM -0500, William R. Knox wrote:
> > Here is the session - I ran the following commands during the session:
> >
> > 12:11:46 net join -U username%password
> > 12:11:51 smbclient -L corpdev2 -U username (prompted for and typed in
> > password) - success
> > 12:25:54 same smbclient command as above - success
> > 12:27:01 same smbclient command as above, but this time it fails with the
> > session setup failed: NT_STATUS_NO_LOGON_SERVERS error
>
> Your problem is that the NetBIOS name MITRE<1C> (ie. the
> NetBIOS name of the primary domain controller) can't
> be found. You can see these queries in packets 1489
> onwards. The client domain join isn't broken, it's fine,
> you've got a problem with name resolution.
>
> What are you using for name resolution ? Wins ?
>
> Jeremy.
[Samba] Numerous errors trying to authenticate samba against w2k3
My goal is to authenticate a Windows 2003 Server user from a FreeBSD 4.10 box via samba. A week ago I had this working. I then needed to verify the procedure and test on a fresh install. Now it doesn't work, despite doing the same steps (I think).

I generated a Kerberos ticket on the w2k3 box and transferred it to the FreeBSD box. I used the ktutil command to incorporate the ticket into Kerberos on the FreeBSD machine.

    freebsd# ktutil add
    Principal: host/[EMAIL PROTECTED]
    Encryption type: DES-CBC-MD5
    Key version: 0x502
    Password:
    Verifying - Password:

From what I've read, I should be able to see the ticket information such as expiration dates, but I don't see this information.

    freebsd# klist
    Ticket file:/tmp/tkt0
    klist: No ticket file (tf_util)
    freebsd# ktutil list
    FILE:/etc/krb5.keytab:
    Vno Type Principal
    0 des-cbc-md5 host/[EMAIL PROTECTED]
    krb4:/etc/srvtab:
    Vno Type Principal

When I try to authenticate with the kinit command I get an error:

    freebsd# kinit [EMAIL PROTECTED]
    FreeBSD Inc. (freebsd.template.state.company.com)
    Kerberos Initialization for "[EMAIL PROTECTED]"
    Password:
    kinit: Retry count exceeded (send_to_kdc)

I seem to be having a hard time finding any helpful information about this error message, which has been frustrating.

Since I can't connect via kinit, I obviously can't connect via samba (3.0.9):

    freebsd# net ads join -U administrator%password -S 192.168.1.1 -W DOMAIN
    [2004/11/30 15:41:48, 0] libads/kerberos.c:ads_kinit_password(146)
      kerberos_kinit_password [EMAIL PROTECTED] failed: Unknown error -1765328378
    [2004/11/30 15:41:48, 0] utils/net_ads.c:ads_startup(186)
      ads_connect: Unknown error -1765328378

Here is my smb.conf file:

    [global]
    realm = DOMAIN.LOCAL
    security = ads
    password server = W2K3.DOMAIN.LOCAL
    auth methods = winbind
    winbind separator = +
    encrypt passwords = yes
    workgroup = DOMAIN
    netbios name = FREEBSD
    winbind uid = 1-2
    winbind gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    idmap uid = 1-2
    idmap gid = 1-2
    client use spnego = no

Here is my krb5.conf file:

    [libdefaults]
    default_realm = DOMAIN.LOCAL
    clockskew = 300
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = dex-cbc-crc des-cbc-md5
    default_etypes = des-cbc-crc des-cbc-md5
    default_etypes_des = des-cbc-crc des-cbc-md5
    default_keytab-name = FILE:/usr/src/crypto/heimdal/freebsd.keytab
    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    ANDLESS2.LOCAL = {
        kdc = W2K3.DOMAIN.LOCAL:88
        admin_server = W2K3.DOMAIN.LOCAL
        default_domain = DOMAIN.LOCAL
    }

    [domain_realm]
    .DOMAIN.LOCAL = DOMAIN.LOCAL
    DOMAIN.LOCAL = DOMAIN.LOCAL

Now if I issue a "net rpc join" command instead, I get completely different error messages. The W2K3 machine also adds the FreeBSD machine to its computer list in AD Users & Computers, but I still can't authenticate or use commands like wbinfo.

    freebsd# net rpc join -U freebsd%password -W DOMAIN -S 192.168.1.1
    [2004/11/30 15:54:34, 0] rpc_client/cli_netlogon.c:cli_nt_setup_creds(256)
      cli_nt_setup_creds: request challenge failed
    [2004/11/30 15:54:34, 0] libsmb/smb_signing.c:signing_good(240)
      signing_good: BAD SIG: seq 1
    [2004/11/30 15:54:34, 0] libsmb/clientgen.c:cli_receive_smb(121)
      SMB Signature verification failed on incoming packet!
    Could not connect to server 192.168.1.1
    The username or password was not correct.

The /usr/local/etc/winbindd/log/main/current file only contains this error which seems to be difficult to research online:

    ads_connect for domain ANDLESS2 failed: Unknown error -1765328254

I also noticed something odd when I did a packet capture on the W2K3 machine while the kinit authentication was tested. The FreeBSD machine was querying the DNS server (also on the W2K3 machine) for names like kerberos-iv.udp.domain.com, kerberos-iv.tcp.domain.com, kerberos-iv.http.domain.com and kerberos.domain.com. I have no idea where these requests are coming from, since the Kerberos server is specified in the krb5.conf file. Following these DNS queries, the FreeBSD box tries to connect to the following source ports: 26077, 10008, 4811, 10096, 10282, and 13372 all from destination port: kerberos-iv (750). So it appears that the FreeBSD box is trying to use Kerberos 4, even though it should be using Kerberos 5.

So something somewhere is not correct, and I really don't know where to look. Any and all help is greatly appreciated.

Carissa

Carissa Srugis
[EMAIL PROTECTED]
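A consistency check over the krb5.conf as it appears in the post above, added here as an example; it is not part of the original message and not a Samba or Heimdal tool. The three checks, the list of accepted enctype names and the function names are choices made for this example.

```python
import re

# krb5.conf as it appears in the post above (line breaks restored).
POSTED_KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.LOCAL
    clockskew = 300
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = dex-cbc-crc des-cbc-md5
    default_etypes = des-cbc-crc des-cbc-md5
    default_etypes_des = des-cbc-crc des-cbc-md5
    default_keytab-name = FILE:/usr/src/crypto/heimdal/freebsd.keytab
    dns_lookup_realm = false
    dns_lookup_kdc = false
[realms]
    ANDLESS2.LOCAL = {
        kdc = W2K3.DOMAIN.LOCAL:88
        admin_server = W2K3.DOMAIN.LOCAL
        default_domain = DOMAIN.LOCAL
    }
[domain_realm]
    .DOMAIN.LOCAL = DOMAIN.LOCAL
    DOMAIN.LOCAL = DOMAIN.LOCAL
"""

SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
# Names accepted by this example; extend for other deployments.
KNOWN_ENCTYPES = SINGLE_DES | {
    "des3-cbc-sha1", "arcfour-hmac-md5", "rc4-hmac",
    "aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96",
}


def parse_krb5_conf(text):
    """Parse into {section: {key: [values] or nested dict for '{ }' blocks}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif line.startswith("}"):
            if len(stack) > 1:
                stack.pop()
        elif "=" in line and stack:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf


def lint(conf):
    """Return [(kind, message)] for misspelt keys, bad enctypes and realm gaps."""
    findings, seen = [], set()
    lib = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    for key, values in lib.items():
        if "-" in key:  # heuristic: libdefaults option names use underscores
            findings.append(("key", f"{key}: did you mean {key.replace('-', '_')}?"))
        if key.endswith("enctypes") or key.startswith("default_etypes"):
            for name in " ".join(values).replace(",", " ").split():
                seen.add(name)
                if name not in KNOWN_ENCTYPES:
                    findings.append(("enctype", f"{key}: unknown enctype {name}"))
    known_seen = seen & KNOWN_ENCTYPES
    if known_seen and known_seen <= SINGLE_DES:
        findings.append(("weak", "only single-DES enctypes are configured "
                                 "(deprecated by RFC 6649)"))
    realm = (lib.get("default_realm") or [None])[0]
    stanza = realms.get(realm)
    if realm and not (isinstance(stanza, dict) and "kdc" in stanza):
        msg = f"default_realm {realm} has no [realms] stanza with a kdc " \
              f"(defined: {sorted(realms)})"
        if (lib.get("dns_lookup_kdc") or [""])[0].lower() in ("false", "no", "0"):
            msg += "; dns_lookup_kdc is also disabled"
        findings.append(("realm", msg))
    return findings


if __name__ == "__main__":
    for kind, message in lint(parse_krb5_conf(POSTED_KRB5_CONF)):
        print(f"[{kind}] {message}")
```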
[Samba] Re: XP bug -- client spooler loop (MS KB 329234)
Gerald (Jerry) Carter wrote:

Thanks to Martin and Walter for pointing out that this is an old XP bug. Here's the link: http://support.microsoft.com/default.aspx?scid=kb;en-us;329234

this bug is fixed in XP SP2 and not the same as in "slow printing from xp sp2 clients".

Unless someone can provide more information to show that this is not the bug you are seeing with "slow printing from xp sp2 clients", I'm marking this one off my list. Some old bugs never die I guess.

But I have some information from our users, that samba 3.0.9 fixed the slow printing from xp sp2 clients :)

--
der tom
Re: [Samba] How to access samba without login prompt. !
Kenneth Chun Wah Yeung [SMILE] wrote:

Dear Sir, Hello, My name is kenneth Yeung. I wonder to know how to configure samba or window to access samba folder without login prompt. ! I am using Wins 2K for client, and Linux server is set samba server. I can login to samba using username and password, but I want to do a windows backup schedule task without prompt. login window ! Could you tell me the method to do this task. Thank you for your help.

You could also define a share using

    guest ok = Yes
    guest only = Yes

//Carsten

--
"There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." --Jeremy S. Anderson
Re: [Samba] Useradd doesn't accept dollar sign ($) and "add machine script" doesn't work
- Original Message -
From: "Paul Gienger" <[EMAIL PROTECTED]>
To: "Jarod Legault" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, November 30, 2004 11:25 AM
Subject: Re: [Samba] Useradd doesn't accept dollar sign ($) and "add machine script" doesn't work

> >I have set up a Fedora Core 3 machine with Samba 3.0.9 to act as a PDC file and print server. Everything
> >
> >"invalid user name 'SPRUCE$'". I can add the user without the dollar sign, then go in and edit
>
> There was a thread about this started mid last week under the title
> "Fedora Core 3 and Samba". It appears to be a shift that RedHat has
> made, and is going back and changing now. Take a look at that thread
> please.
>
> Search is your friend.

Thanks for your prompt reply. Sorry, I never saw that thread in my many hours of searching (posting a question is a last resort for me). Sometimes your search terms have to be "just right" to find the answer you're looking for.

Anyway, that thread you mentioned solved my problem. I upgraded the shadow-utils package from 4.0.3-40 to 4.0.3-42. The version of useradd that comes with it allows the dollar sign in usernames.
Re: [Samba] problem with cached netbios name of wins server
it seems to go back and forth between working. how do i completely get rid of the references to 192.168.1.64 when people ping the netbios name of the server, or the domain name?

--- "John H." <[EMAIL PROTECTED]> wrote:
> fc2, samba 3.0.9
>
> The samba server is PDC.
> Temporarily, the server was dhcp, which gave it the IP
> 192.168.1.64
>
> we then set it to static 192.168.1.150, which is what
> we want.
>
> however, the different windows clients, on and off, on
> ping and such, resolve INTRANET, the netbios name of
> the pdc, to 192.168.1.64 still, despite me removing
> wins.dat.
>
> I even tried the following suggestion, to no avail
>
> "add 'name resolve order = hosts bcast' to your
> smb.conf (without the tick marks ') and add
> '192.168.1.150 Netbiosname' to your /etc/hosts
> (where netbiosname is what you have in your smb.conf
> file and again no ' marks)"
>
> where is 192.168.1.64 being stored, and how do i get
> rid of it so INTRANET Is correctly resolved, always,
> to 192.168.1.150?
>
> the router tells all the windows clients, which are
> using dhcp, to use 192.168.1.150 for wins.
[Samba] Re: Re: SAMBA / LDAP / Domain Password change problem
Remove the 'pam password change' option along with the 'remote announce'. Also take out the 'password chat' option - it's not needed with ldapsam.

It sounds like maybe your clients don't realize your PDC is also a WINS server. Is that info added to DHCPd? If not, are the clients configured to use it as a WINS server manually?

Also, I still stand by the wins.dat fix. It seems like the wins file is corrupted. Try it again after everyone has left for the day.

One more thing, run your config through testparm to make sure there are no errors. Then catch the output of the testparm -s into a new smb.conf file. This way the conf file is optimised and the errors are removed. I usually make all my changes to smb.conf.master, then do testparm -s smb.conf.master > smb.conf.

Also, please do not contact me directly - only through the newsgroup posting.

>>> John Schmerold <[EMAIL PROTECTED]> 11/30 1:26 pm >>>

Danny, Thanks but that didn't solve the problem, matter of fact things have gotten a little worse since I first wrote.

None of the XP boxes will join the TOPC domain, boxes that have already joined aren't having the problem, just new joins seem to be giving us trouble.

I'll wait until end of day when everyone is off system & try the wins.dat delete trick again, I've also added a couple lines that may make a difference with regard to the password change issue:

    pam password change = yes

& the browsing issue:

    remote announce = 192.168.70.255
    local master = Yes

Thanks again, it's really helpful having someone that knows what they are doing help out.

John

John Schmerold
Katy Computer & Wireless
20 Meramec Station Rd
Valley Park MO 63088
636-861-6900 v
775-227-6947 f

Danny Paul wrote:

>While it looks wrong, it is correct. It means the subnet at that interface,
>so you're OK there.
>
>What you're experiencing is bad entries in the WINS.DAT file. You should
>stop smbd and nmbd, delete the wins.dat file
>(/usr/local/samba/var/locks/wins.dat), then restart smbd and nmbd. That
>should fix your problem.
>
>John Schmerold wrote:
>
>>cat /var/log/samba/nmbd.log | grep error shows:
>>register_name_response: WINS server at IP 127.0.0.1 rejected our name
>>registration of TOPC<00> IP 192.168.70.10 with error code 5.
>>register_name_response: WINS server at IP 127.0.0.1 rejected our name
>>registration of TOPC<1e> IP 192.168.70.10 with error code 5.
>>lists.samba.org has reported this error 6 times with no solutions
>>listed, any idea what I'm doing wrong
>>
>>tail -50 < /var/log/samba/nmbd.log shows following may be a problem,
>>what do you think?
>>Samba server FS1 is now a domain master browser for workgroup TOPC on
>>subnet UNICAST_SUBNET
>>Samba server FS1 is now a domain master browser for workgroup TOPC on
>>subnet 192.168.70.10
>>
>>Shouldn't the second line read 192.168.70.0 ?
[Samba] problem with cached netbios name of wins server
fc2, samba 3.0.9

The samba server is PDC. Temporarily, the server was dhcp, which gave it the IP 192.168.1.64. We then set it to static 192.168.1.150, which is what we want. However, the different windows clients, on and off, on ping and such, resolve INTRANET, the netbios name of the pdc, to 192.168.1.64 still, despite me removing wins.dat.

I even tried the following suggestion, to no avail:

"add 'name resolve order = hosts bcast' to your smb.conf (without the tick marks ') and add '192.168.1.150 Netbiosname' to your /etc/hosts (where netbiosname is what you have in your smb.conf file and again no ' marks)"

Where is 192.168.1.64 being stored, and how do I get rid of it so INTRANET is correctly resolved, always, to 192.168.1.150? The router tells all the windows clients, which are using dhcp, to use 192.168.1.150 for wins.
Re: [Samba] MS User Manager Permission Denied
Jim Canfield wrote:
> Greetings everyone!
>
> So far things are very simple. Smbpasswd with matching unix accounts. I followed permissions as instructed in chapter 3 and set up groups accordingly. I downloaded SVRTOOLS.EXE from microsoft to see if I could create users from the user manager and everything seems to be there (users, groups..etc.) but I get "Access is denied" errors trying to add any information with the user manager on a Win2k machine.
>
> Any help would be greatly appreciated?

You have to logon as 'root' yes the unix root is meant here, on the windows machine to be able to use the NT Usermanager for example

Regards
Carsten

--
"There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence." --Jeremy S. Anderson
Re: [Samba] Kerberos authentication sigsegvs
* Jeremy Allison ([EMAIL PROTECTED]) wrote: > On Tue, Nov 30, 2004 at 07:04:06PM +0100, Bård Kalbakk wrote: > > Hi > > I'm having major problems setting up Samba 3.0.9 with kerberos > > authentication. I have also tried with 3.0.8(from Debian SID) with same > > result. > > smb.conf[1] has 'security = ads' , and 'use kerberos keytab = yes'. > > I have set up pam_krb5 and I get TGTs that works with my ssh > > servers. > > But, when I try to authenticate using smbclient -k -L server I > > get: > > "session setup failed: Call returned zero bytes (EOF)". > > > > Running smbd -i -d 10 ends up in this backtrace: > > > > GDB is maybee more precise? Here's a backtrace from the coredump, in > > case you need > > > > #51 0xb7ff5a16 in _dl_map_object_deps () from /lib/ld-linux.so.2 > > #52 0x081d3b3a in smb_panic (why=0x82a173d "internal error") at > > lib/util.c:1353 > > #53 0x081c12d8 in fault_report (sig=11) at lib/fault.c:41 > > #54 > > #55 0x080e3c57 in get_auth_data_from_tkt (auth_data=0xbfffea90, > > tkt=0x8387ba0) at libsmb/clikrb5.c:188 > > Indeed - this is *very* useful ! :-). > > Try this patch please. > > Jeremy. > Index: libsmb/clikrb5.c > === > --- libsmb/clikrb5.c (revision 4019) > +++ libsmb/clikrb5.c (working copy) > @@ -184,7 +184,7 @@ > void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt) > { > #if defined(HAVE_KRB5_TKT_ENC_PART2) > - if (tkt->enc_part2) > + if (tkt->enc_part2 && tkt->enc_part2->authorization_data && > tkt->enc_part2->authorization_data[0] && > tkt->enc_part2->authorization_data[0]->length) > *auth_data = > data_blob(tkt->enc_part2->authorization_data[0]->contents, > tkt->enc_part2->authorization_data[0]->length); > #else Thank you ! Nice to get a working patch so quick :) Bård -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
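Review bot: On the `+` line, the guard tests authorization_data[0]->length but never authorization_data[0]->contents, which is the pointer data_blob() is then handed, so a non-zero length paired with a NULL contents pointer would still reach the copy. Adding `&& tkt->enc_part2->authorization_data[0]->contents` to the condition closes that. The four-way condition would also read better with a local pointer for authorization_data[0], and since only element 0 is ever consulted, a one-line comment saying that further entries are deliberately ignored would help the next reader.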
Re: [Samba] Useradd doesn't accept dollar sign ($) and "add machine script" doesn't work
Hi. Try --force-badname option in useradd

Jarod Legault wrote:
> Hi,
>
> I have set up a Fedora Core 3 machine with Samba 3.0.9 to act as a PDC file and print server. Everything works fine but I am having problems adding new machine accounts. When I try to add them manually using "/usr/sbin/useradd -g machines -d /dev/null -c "Spruce" -s /bin/false SPRUCE$", I get the error message: "invalid user name 'SPRUCE$'". I can add the user without the dollar sign, then go in and edit /etc/passwd and /etc/shadow and add the dollar sign, but this process is kind of tedious.
>
> I have tried the "add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u" line in smb.conf, but that doesn't work. I get an error message when I try to join the domain (I forget what the error is, sorry). I think the problem is due to useradd not accepting dollar signs at the end of machine names.
>
> Can anybody think of a way around this? Is there a way I can use a different version of useradd that will accept dollar signs? The reason why I would like it automated is because I will be leaving the company to go back to school shortly, and I want to make adding computers and users as simple as possible.
>
> Thanks in advance.
Re: [Samba] Useradd doesn't accept dollar sign ($) and "add machine script" doesn't work
> I have set up a Fedora Core 3 machine with Samba 3.0.9 to act as a PDC file and print server. Everything
> "invalid user name 'SPRUCE$'". I can add the user without the dollar sign, then go in and edit

There was a thread about this started mid last week under the title "Fedora Core 3 and Samba". It appears to be a shift that RedHat has made, and is going back and changing now. Take a look at that thread please. Search is your friend.

--
Paul Gienger                  Office: 701-281-1884
Applied Engineering Inc.
Systems Architect             Fax: 701-281-1322
URL: www.ae-solutions.com     mailto: [EMAIL PROTECTED]
[Samba] Useradd doesn't accept dollar sign ($) and "add machine script" doesn't work
Hi,

I have set up a Fedora Core 3 machine with Samba 3.0.9 to act as a PDC file and print server. Everything works fine but I am having problems adding new machine accounts. When I try to add them manually using "/usr/sbin/useradd -g machines -d /dev/null -c "Spruce" -s /bin/false SPRUCE$", I get the error message: "invalid user name 'SPRUCE$'". I can add the user without the dollar sign, then go in and edit /etc/passwd and /etc/shadow and add the dollar sign, but this process is kind of tedious.

I have tried the "add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u" line in smb.conf, but that doesn't work. I get an error message when I try to join the domain (I forget what the error is, sorry). I think the problem is due to useradd not accepting dollar signs at the end of machine names.

Can anybody think of a way around this? Is there a way I can use a different version of useradd that will accept dollar signs? The reason why I would like it automated is because I will be leaving the company to go back to school shortly, and I want to make adding computers and users as simple as possible.

Thanks in advance.

Here's my smb.conf file:

[global]
netbios name = KAITLYN
workgroup = THERMATEK
passdb backend = tdbsam
passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd: *all*authentication*tokens*updated*successfully*
unix password sync = Yes
os level = 64
log level = 2
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
preferred master = yes
domain master = yes
local master = yes
security = user
encrypt passwords = yes
domain logons = yes
add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
# add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false %u ;this didn't work either
hosts allow = 127.0.0.1, 192.168.1.
;user profiles and home directory
logon home =
logon drive = H:
logon path =
logon script = %G.bat

[profiles]
path = /home/samba/profiles
writeable = yes
browseable = no
create mask = 0600
directory mask = 0700

[netlogon]
comment = Network Logon Service
path = /home/netlogon
read only = no
browseable = no
write list = @admin

[homes]
valid users = %S
read only = No
browseable = No

[Home]
comment = Home Directory
path = /home/%U/Home
valid users = %U
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[PROJECTS]
path = /home/shares/Projects
valid users = @employees, @management
# write list = @employees, @management
read only = No
inherit permissions = Yes
case sensitive = No
msdfs proxy = no

[THERMATEK]
path = /home/shares/Thermatek
valid users = @employees, @management
# write list = @employees, @management
read only = No
inherit permissions = Yes

[MANAGEMENT]
path = /home/shares/Management
valid users = @management
# write list = @management
read only = No
inherit permissions = Yes

[TEMP]
comment = Temp directory (Will be deleted periodically!)
path = /home/shares/Temp
valid users = @users
# write list = @employees, @management
read only = No
inherit permissions = Yes

[ml-2150-3]
comment = Samsung ML-2150 on Linux Server
path = /var/spool/samba
read only = No
guest ok = Yes
printable = Yes
printer name = ml-2150-3
use client driver = Yes

#[netlogon]
#path = /var/lib/samba/netlogon
#read only = yes
#write list = ntadmin
#[profiles]
#path = /var/lib/samba/profiles
#read only = no
#create mask = 0600 directory mask = 0700
[Samba] Re: Re: SAMBA / LDAP / Domain Password change problem
While it looks wrong, it is correct. It means the subnet at that interface, so you're OK there.

What you're experiencing is bad entries in the WINS.DAT file. You should stop smbd and nmbd, delete the wins.dat file (/usr/local/samba/var/locks/wins.dat), then restart smbd and nmbd. That should fix your problem.

John Schmerold wrote:
> cat /var/log/samba/nmbd.log | grep error shows:
> register_name_response: WINS server at IP 127.0.0.1 rejected our name
> registration of TOPC<00> IP 192.168.70.10 with error code 5.
> register_name_response: WINS server at IP 127.0.0.1 rejected our name
> registration of TOPC<1e> IP 192.168.70.10 with error code 5.
> lists.samba.org has reported this error 6 times with no solutions
> listed, any idea what I'm doing wrong
>
> tail -50 < /var/log/samba/nmbd.log shows following may be a problem,
> what do you think?
> Samba server FS1 is now a domain master browser for workgroup TOPC on
> subnet UNICAST_SUBNET
> Samba server FS1 is now a domain master browser for workgroup TOPC on
> subnet 192.168.70.10
>
> Shouldn't the second line read 192.168.70.0 ?
Re: [Samba] Kerberos authentication sigsegvs
On Tue, Nov 30, 2004 at 07:04:06PM +0100, Bård Kalbakk wrote: > Hi > I'm having major problems setting up Samba 3.0.9 with kerberos > authentication. I have also tried with 3.0.8(from Debian SID) with same > result. > smb.conf[1] has 'security = ads' , and 'use kerberos keytab = yes'. > I have set up pam_krb5 and I get TGTs that works with my ssh > servers. > But, when I try to authenticate using smbclient -k -L server I > get: > "session setup failed: Call returned zero bytes (EOF)". > > Running smbd -i -d 10 ends up in this backtrace: > > GDB is maybee more precise? Here's a backtrace from the coredump, in > case you need > > #51 0xb7ff5a16 in _dl_map_object_deps () from /lib/ld-linux.so.2 > #52 0x081d3b3a in smb_panic (why=0x82a173d "internal error") at > lib/util.c:1353 > #53 0x081c12d8 in fault_report (sig=11) at lib/fault.c:41 > #54 > #55 0x080e3c57 in get_auth_data_from_tkt (auth_data=0xbfffea90, > tkt=0x8387ba0) at libsmb/clikrb5.c:188 Indeed - this is *very* useful ! :-). Try this patch please. Jeremy. Index: libsmb/clikrb5.c === --- libsmb/clikrb5.c(revision 4019) +++ libsmb/clikrb5.c(working copy) @@ -184,7 +184,7 @@ void get_auth_data_from_tkt(DATA_BLOB *auth_data, krb5_ticket *tkt) { #if defined(HAVE_KRB5_TKT_ENC_PART2) - if (tkt->enc_part2) + if (tkt->enc_part2 && tkt->enc_part2->authorization_data && tkt->enc_part2->authorization_data[0] && tkt->enc_part2->authorization_data[0]->length) *auth_data = data_blob(tkt->enc_part2->authorization_data[0]->contents, tkt->enc_part2->authorization_data[0]->length); #else -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
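Review bot: In the changed `if` of get_auth_data_from_tkt, nothing in the visible lines assigns *auth_data when the new condition is false, so a ticket without authorization data now returns with the caller's DATA_BLOB in whatever state it was passed in. The backtrace in this thread shows the ticket reaching this function from session setup via ads_verify_ticket, so the input is client-supplied. I would set *auth_data to an empty blob (NULL data, zero length) at the top of the function or in an explicit else branch, so that no caller can go on to read or free an uninitialised blob.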
Re: [Samba] Re: SAMBA / LDAP / Domain Password change problem
cat /var/log/samba/nmbd.log | grep error shows:
register_name_response: WINS server at IP 127.0.0.1 rejected our name registration of TOPC<00> IP 192.168.70.10 with error code 5.
register_name_response: WINS server at IP 127.0.0.1 rejected our name registration of TOPC<1e> IP 192.168.70.10 with error code 5.

lists.samba.org has reported this error 6 times with no solutions listed, any idea what I'm doing wrong

tail -50 < /var/log/samba/nmbd.log shows following may be a problem, what do you think?
Samba server FS1 is now a domain master browser for workgroup TOPC on subnet UNICAST_SUBNET
Samba server FS1 is now a domain master browser for workgroup TOPC on subnet 192.168.70.10

Shouldn't the second line read 192.168.70.0 ?

John Schmerold
Katy Computer & Wireless
20 Meramec Station Rd
Valley Park MO 63088
636-861-6900 v
775-227-6947 f

Danny Paul wrote:
> Do a tail -25 . This will give you the last 25 lines of the nmbd log file. See if there are any error messages relating to name resolution problems or errors registering domain names. If you are having such errors, stop smbd & nmbd, remove wins.dat (probably /usr/local/samba/var/locks/wins.dat), then restart smbd & nmbd.
>
> Best of luck
[Samba] Kerberos authentication sigsegvs
Hi

I'm having major problems setting up Samba 3.0.9 with kerberos authentication. I have also tried with 3.0.8 (from Debian SID) with same result. smb.conf[1] has 'security = ads', and 'use kerberos keytab = yes'. I have set up pam_krb5 and I get TGTs that work with my ssh servers. But, when I try to authenticate using smbclient -k -L server I get: "session setup failed: Call returned zero bytes (EOF)".

Running smbd -i -d 10 ends up in this backtrace:

name_to_fqdn: lookup for DAISY -> daisy.
krb5_rd_req succeeded for principal [EMAIL PROTECTED]
secrets_named_mutex: released mutex for replay cache mutex
Got KRB5 session key of length 16
===
INTERNAL ERROR: Signal 11 in pid 4077 (3.0.9-Debian)
Please read the appendix Bugs of the Samba HOWTO collection
===
PANIC: internal error
BACKTRACE: 15 stack frames:
#0 ./smbd(smb_panic2+0x111) [0x81d3c51]
#1 ./smbd(smb_panic+0x1a) [0x81d3b3a]
#2 ./smbd [0x81c12d8]
#3 [0xe420]
#4 ./smbd(ads_verify_ticket+0x5e5) [0x823ca25]
#5 ./smbd [0x80abfe6]
#6 ./smbd [0x80accbf]
#7 ./smbd [0x80ad16b]
#8 ./smbd(reply_sesssetup_and_X+0xe6b) [0x80ae11b]
#9 ./smbd [0x80d0526]
#10 ./smbd [0x80d07b0]
#11 ./smbd(process_smb+0x8c) [0x80d09bc]
#12 ./smbd(smbd_process+0x168) [0x80d16f8]
#13 ./smbd(main+0x4ea) [0x8246e5a]
#14 /lib/tls/libc.so.6(__libc_start_main+0x108) [0xb7d4c7f8]

GDB is maybe more precise?
Here's a backtrace from the coredump, in case you need #51 0xb7ff5a16 in _dl_map_object_deps () from /lib/ld-linux.so.2 #52 0x081d3b3a in smb_panic (why=0x82a173d "internal error") at lib/util.c:1353 #53 0x081c12d8 in fault_report (sig=11) at lib/fault.c:41 #54 #55 0x080e3c57 in get_auth_data_from_tkt (auth_data=0xbfffea90, tkt=0x8387ba0) at libsmb/clikrb5.c:188 #56 0x0823ca25 in ads_verify_ticket (realm=0x835acc0 "LOCALDOMAIN", ticket=0xbfffeba0, principal=0xbfffdce4, auth_data=0xbfffea90, ap_rep=0xbfffea80, session_key=0xbfffea50) at libads/kerberos_verify.c:335 #57 0x080abfe6 in reply_spnego_kerberos (conn=0x0, inbuf=0xb7aa6008 "", outbuf=0xb7a85008 "", length=604, bufsize=131072, secblob=0xbfffec20) at smbd/sesssetup.c:168 #58 0x080accbf in reply_spnego_negotiate (conn=0x0, inbuf=0xb7aa6008 "", outbuf=0xb7a85008 "", length=604, bufsize=131072, blob1= {data = 0x8385d98 "`\202\002\003\006\006+\006\001\005\005\002 \202\001÷0\202\001ó \0310\027\006\t*\206H\202÷\022\001\002\002\006\n+\006\001\004\001\2027\002\002\n¢\202\001Ô\004\202\001Ð`\202\001Ì\006\t*\206H\206÷\022\001\002\002\001", length = 519, free = 0x81d13b0 }) at smbd/sesssetup.c:451 #59 0x080ad16b in reply_sesssetup_and_X_spnego (conn=0x0, inbuf=0xb7aa6008 "", outbuf=0xb7a85008 "", length=604, bufsize=131072) at smbd/sesssetup.c:580 #60 0x080ae11b in reply_sesssetup_and_X (conn=0x0, inbuf=0xb7aa6008 "", outbuf=0xb7a85008 "", length=604, bufsize=131072) at smbd/sesssetup.c:669 #61 0x080d0526 in switch_message (type=115, inbuf=0xb7aa6008 "", outbuf=0xb7a85008 "", size=604, bufsize=131072) at smbd/process.c:969 #62 0x080d07b0 in construct_reply (inbuf=0xb7aa6008 "", outbuf=0xb7a85008 "", size=604, bufsize=131072) at smbd/process.c:999 #63 0x080d09bc in process_smb (inbuf=0xb7aa6008 "", outbuf=0xb7a85008 "") at smbd/process.c:1099 #64 0x080d16f8 in smbd_process () at smbd/process.c:1561 #65 0x08246e5a in main (argc=4, argv=0xbdb4) at smbd/server.c:910 I have created an entry in /etc/krb5.keytab[2] with kadmin; 
'ktadd daisy$'. `ktlist -k -e` shows "[EMAIL PROTECTED] (ArcFour with HMAC/md5)" and some more, but if I'm right Samba/Windows use arc4:hhmac encryption?

After spending Saturday, Sunday and Monday looking around the net for an answer I turn to you guys, I feel pretty lost :)

Running samba 3.1 may give a bit more exact pinpoint. It doesn't sigsegv, but says:
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed

This is all I have, any answer would do :) Much better to know "this doesn't work", than not knowing anything at all !

Bård

[1] http://files.inett.biz/samba/smb.conf
[2] http://files.inett.biz/samba/krb5.conf
Re: [Samba] Question about samba 3.0.9
Richmond Dyes wrote:
> I have been setting up my domain server using FC2 and samba 3.0.9. First thing, for your information: In the notations in several sources, it tells you to use "logon path = \\%L\profiles\%u" this is wrong. It should be, "logon path = \\%L\profiles\%U".
>
> Now that I spent 5 million hours banging my head on a wall with that, how do I get the existing desktops on my 2000/XP machines to move to my roaming profiles. When I move a user now, it makes a new desktop. I want to use the user's local desktop, just transfer it to the server. Any ideas?

This seems like quite a common block! Here is my reply from a couple of weeks ago to a similar question:

XP and 2k will try to use a directory under "documents and settings" for users' profiles, from the domain or local or roaming. If the directory already exists, it will try username.domain and then username.domain.001 etc. If you want to keep users' settings, you will need to copy them over - I am not aware of a tool to force it to use existing settings.

To move the users over, log on as the new user, then log in as an administrator. Right click "my computer" > advanced tab > User Profiles: settings. In this window, select the old user (probably COMPUTERNAME\username) and click "copy to" > Browse to "documents and settings"/newusername.domainname > OK. Change "permitted to use" and add the user in the format DOMAIN\username (just username will not work for domain users)

Hope that helps
H
Re: [Samba] Domain authentication failing after a period of time
I have the output (collected from a snoop session on the Samba server - I have no access to run Ethereal on the Windows boxes) and will forward it to you directly (all 1504 packets). Please do let me know if you need anything else, and thanks.

Bill Knox
Lead Operating Systems Programmer/Analyst
The MITRE Corporation

On Tue, 30 Nov 2004, Jeremy Allison wrote:
> Date: Tue, 30 Nov 2004 08:55:49 -0800
> From: Jeremy Allison <[EMAIL PROTECTED]>
> To: William R. Knox <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Samba] Domain authentication failing after a period of time
>
> On Tue, Nov 30, 2004 at 09:23:23AM -0500, William R. Knox wrote:
> > OK, I've now downgraded back to an older, formerly working version of
> > Samba (3.0.2a), and the same behavior is still happening (i.e. after
> > rejoining the domain, it works for 15 minutes and then stops with a
> > NT_STATUS_NO_LOGON_SERVERS error). I tried adding the domain after
> > deleting the secrets.tdb file with Samba up and with it down, and it
> > always has the same effect. I even uninstalled samba, blew away the
> > secrets.tdb file, had the machine account removed from the domain, waited
> > overnight to confirm that the machine account would be removed across the
> > domain, reinstalled samba, rejoined the domain, and restarted samba. Same
> > dang problem.
> >
> > Is there anything else that anyone can suggest that I try?
>
> Ok, I hate to see you in such a bind. Can you set an ethereal
> trace running to monitor the DC for the 15 minutes, and see
> what, if anything is going between the Samba server and DC.
>
> I must confess I haven't been following your problem but this
> can't be impossible to solve (famous last words :-).
>
> Jeremy.
[Samba] Question about samba 3.0.9
I have been setting up my domain server using FC2 and samba 3.0.9. First thing, for your information: In the notations in several sources, it tells you to use "logon path = \\%L\profiles\%u" this is wrong. It should be, "logon path = \\%L\profiles\%U".

Now that I spent 5 million hours banging my head on a wall with that, how do I get the existing desktops on my 2000/XP machines to move to my roaming profiles. When I move a user now, it makes a new desktop. I want to use the user's local desktop, just transfer it to the server. Any ideas?
Re: [Samba] SuSE 9.2 - Browsing Windows Network
Hi, can you provide more info? logs? did u installed from source?? rpm??

check libsmbclient.so it is used by kde/others to browse the network.

Regards
MRB
LinuX is out there http://lionix.com

On Mon, 2004-11-29 at 16:13 -0600, [EMAIL PROTECTED] wrote:
> I installed SuSE 9.2 on a development workstation over the weekend. After
> the install completed, I was able to view my network, both at home and at
> work (via VPN), with no problems. I later updated my Samba installation to
> 3.0.9 and that seemed to break my ability to browse the network. I
> downgraded Samba back to the original 3.0.7 that loaded in the original
> install, but that didn't make any difference.
>
> I can mount network shares, but just can't browse them. Is there a patch
> available that would solve this problem?
>
> Thanks!
>
> David Christensen
> Brokers International, Ltd.
> 1200 E Main St
> Panora, IA 50216
> Phone: (641) 755-2775 Ext 1032
> Cell: (515) 490-3936
> Fax: (641) 755-2381
> [EMAIL PROTECTED]
[Samba] Session Control
How can I control share logins? Here's what I need to do. We share a file server with a company upstairs. I control the access by groups. RH Linux 7.3. They are logging in with the same user several times. I.e. user "Mark" is logged into the server 2 times. I need to restrict him to logging in only once.

Samba version 2.0.7

PID    Username  Machine     Time logged in
-------------------------------------------------
8703   bobb      chinaberry  Wed Nov 24 09:19:40 2004
21659  vadim     vadim       Tue Nov 30 08:07:12 2004
20949  mattm     willow      Mon Nov 29 13:00:27 2004
21642  rose      cjs7        Tue Nov 30 07:28:39 2004
20810  paul      cjs29       Mon Nov 29 07:54:18 2004
21630  johnf     beech       Tue Nov 30 07:08:35 2004
21627  timw      cjs42       Tue Nov 30 07:01:01 2004
21624  markk     cjs6        Tue Nov 30 06:59:29 2004
21639  don       cjs27       Tue Nov 30 07:18:46 2004
21623  jaime     hemlock     Tue Nov 30 06:57:14 2004
20777  terry     cjs43       Mon Nov 29 06:53:35 2004
27998  mark      cjs10       Thu Nov 18 20:55:29 2004
21404  mark      cjs55       Fri Nov 19 10:05:34 2004
21576  davidselm Tue Nov 30 05:05:42 2004
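One way to find the repeated logins this post describes: parse a session listing in the layout quoted above and flag any user connected from more than one machine. This is an added example, not part of the original post; it assumes the four-column layout shown in the post, it only reports and does not block anything, and the sample rows (including the damaged row and PID 21405) are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the column layout of the listing in the post
# (PID, username, machine, login time). The "8703bobb" row is deliberately
# damaged, with fused columns, to show how unparseable rows are handled.
SAMPLE = """\
PID     Username  Machine     Time logged in
-------------------------------------------------
8703bobb          chinaberryWed Nov 24 09:19:40 2004
21659   vadim     vadim       Tue Nov 30 08:07:12 2004
21624   markk     cjs6        Tue Nov 30 06:59:29 2004
27998   mark      cjs10       Thu Nov 18 20:55:29 2004
21404   mark      cjs55       Fri Nov 19 10:05:34 2004
21405   mark      cjs55       Fri Nov 19 10:05:40 2004
20949   mattm     willow      Mon Nov 29 13:00:27 2004
"""

ROW = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<machine>\S+)\s+"
    r"(?P<when>[A-Za-z]{3}\s+[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s*$"
)


def parse_sessions(text):
    """Return (sessions, rejected): parsed rows, and data rows that did not parse."""
    sessions, rejected = [], []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            try:
                stamp = " ".join(m["when"].split())  # collapse padding in "Nov  3"
                since = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
            except ValueError:
                rejected.append(line)
                continue
            sessions.append({
                "pid": int(m["pid"]),
                # Assumption: names are compared case-insensitively.
                "user": m["user"].lower(),
                "machine": m["machine"].lower(),
                "since": since,
            })
        elif line.lstrip()[:1].isdigit():
            # Looks like a data row (starts with a PID) but the columns are broken.
            rejected.append(line)
    return sessions, rejected


def concurrent_logins(sessions, limit=1):
    """Map user -> sessions for users seen on more than `limit` distinct machines.

    Several rows from the same machine count once, so one workstation holding
    more than one connection is not reported as a shared account.
    """
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    flagged = {}
    for user, rows in by_user.items():
        if len({r["machine"] for r in rows}) > limit:
            flagged[user] = sorted(rows, key=lambda r: r["since"])
    return flagged


def report(text, limit=1):
    """Return one line per flagged user, plus a count of rows that were skipped."""
    sessions, rejected = parse_sessions(text)
    lines = []
    for user, rows in sorted(concurrent_logins(sessions, limit).items()):
        where = ", ".join(
            f'{r["machine"]} (pid {r["pid"]}, since {r["since"]:%Y-%m-%d %H:%M})'
            for r in rows
        )
        lines.append(f"{user}: {where}")
    if rejected:
        lines.append(f"{len(rejected)} row(s) could not be parsed and were not counted")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Rows that cannot be parsed are counted rather than silently dropped, because a skipped row can hide exactly the second login being looked for.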
[Samba] getent passwd and wbinfo -u returns machine names too
Hi,

first I'd like to thank the samba team for making it possible to keep the UIDs consistent across multiple machines. I've just got a quick question about my winbind implementation.

I'm running 3.0.9 on fedora core 2, using my AD for authentication via winbind. When I run 'getent passwd' or 'wbinfo -u' I get the computer names from AD as well as the usernames. (now the usernames are lowercased, I think that was a good idea BTW) But when I run 'getent group' or 'wbinfo -g' all I get is the groups from AD (as well as locally).

Is this supposed to happen or have I set it up wrong?

thanks,
-tom
Re: [Samba] Domain authentication failing after a period of time
On Tue, Nov 30, 2004 at 09:23:23AM -0500, William R. Knox wrote:
> OK, I've now downgraded back to an older, formerly working version of
> Samba (3.0.2a), and the same behavior is still happening (i.e. after
> rejoining the domain, it works for 15 minutes and then stops with a
> NT_STATUS_NO_LOGON_SERVERS error). I tried adding the domain after
> deleting the secrets.tdb file with Samba up and with it down, and it
> always has the same effect. I even uninstalled samba, blew away the
> secrets.tdb file, had the machine account removed from the domain, waited
> overnight to confirm that the machine account would be removed across the
> domain, reinstalled samba, rejoined the domain, and restarted samba. Same
> dang problem.
>
> Is there anything else that anyone can suggest that I try?

Ok, I hate to see you in such a bind. Can you set an ethereal trace running to monitor the DC for the 15 minutes, and see what, if anything is going between the Samba server and DC.

I must confess I haven't been following your problem but this can't be impossible to solve (famous last words :-).

Jeremy.
[Samba] Problem with printer in win98
Hi list,

I have installed samba3 - Version 3.0.9 - on my FreeBSD server. I have one HP1300 LaserJet, and it works fine in my FreeBSD. When I log in on win98, I can map the printer, but when I send a test page to print, it comes out all wrong. I'm trying to print some documents from Word, but I get the same result.

In my smb.conf I have this configuration:

[Global]
load printers = yes
printcap name = /etc/printcap
printing = bsd
printer admin = root, mscandian

And, in the [Printer] section I have this:

[printers]
comment = All Printers
path = /tmp
guest ok = Yes
printable = Yes
print command = lpr -r -P %p %s
lpq command = lpq -P %p
lprm command = lprm -P %p %j
browseable = No
use client driver = Yes
available = Yes

I installed the driver for the HP1300 in my Windows, but it doesn't work, and I can't print what I send to print. Does anyone know how I can fix it?

Thanks for all.
Mario Sergio Candian
Re: [Samba] AD member ticket verify errors
On Tue, Nov 30, 2004 at 05:05:54AM -0800, John Stile wrote:
>
> Is there an rpm available for RedHat AS?
> I got it working but only after some bad practices.
> My verbose notes follow:

Well done ! Thanks for posting these to the list, I'm sure others will find them useful (and you went through a lot of pain to get them :-).

Thanks,
Jeremy.
Re: [Samba] 3.0.8/3.0.9 printing tdb entries not clearing
Martin Zielinski wrote:
|> Do you mean the Windows XP SP2 - slow printing problem?
|> If so, I've to add, that this problem also occurs, when
|> the network printer is on a Windows 2003 server. So it's
|> not related to Samba (although you might find a workaround).
|
|> The symptoms are the same as mentioned in
|> http://support.microsoft.com/default.aspx?scid=kb;en-us;329234
|> , which covers a bug that should be fixed in SP2. I believe
|> something went wrong.
|
|> It's definitely related to the existence of a local
|> devicemode and to certain drivers.

Yup. That's what I was going to look into. Thanks a bunch. You saved me a good bit of work.

cheers, jerry

Alleviating the pain of Windows(tm) --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
[Samba] XP bug -- client spooler loop (MS KB 329234)
Thanks to Martin and Walter for pointing out that this is an old XP bug. Here's the link:

http://support.microsoft.com/default.aspx?scid=kb;en-us;329234

Unless someone can provide more information to show that this is not the bug you are seeing with "slow printing from xp sp2 clients", I'm marking this one off my list.

Some old bugs never die I guess.

cheers, jerry
[Samba] SHARE PERMISSIONS
Hi Gurus,

I have two very basic questions. One is, what permissions are necessary for users to be able to copy files from a samba share? I have a share and the machine is part of my AD domain. Currently, the share is set to 755 and is owned by root. When a user goes to the share they can see the files but cannot copy files from it. So what permissions does a user need to copy, and is it common to leave shares owned by root?

My second question is: Now that my server is on my AD Domain I would like to add my AD account as an administrator for my samba shares. How do I go about doing this without adding everyone in my AD group to the machine? I would rather have samba reference a file or group file to find admins and allow those admins write to share folders.

Thanks,
R.
Re: [Samba] cannot change user password with CTRL-ALT-DEL
On Tuesday 30 November 2004 10:53, g s wrote:
> Has anyone found a resolution to this problem? I am curious if there is a
> reg hack or something to correct this behavior. Thanks for any help. Running
> Samba 2.2.8a-13mdk on mandrake 9.2 with WinXPpro clients. Samba is the PDC.

This works for me in 3.0.x. I actually didn't know until yesterday because I forgot to test it, and I had a user call me and ask "How do I change my password?" I told them, crossed my fingers, and it worked.

I did not even have to put anything special in smb.conf, just "pam passwd change = yes" and "ldap passwd sync = yes" which would be replaced by "unix password sync = yes" if you are using /etc/passwd backend.

Misty
[Samba] cannot change user password with CTRL-ALT-DEL
Has anyone found a resolution to this problem? I am curious if there is a reg hack or something to correct this behavior. Thanks for any help. Running Samba 2.2.8a-13mdk on mandrake 9.2 with WinXPpro clients. Samba is the PDC.
Re: [Samba] 3.0.8/3.0.9 printing tdb entries not clearing
On Tuesday 30 November 2004 15:03, Gerald (Jerry) Carter wrote:
> Martin Sapsed wrote:
> | Hi all,
> |
> | We have a strange issue with printing tdb entries not
> | clearing. From what I can tell, this may be an issue on
> | Solaris (5.9) but not on Linux (2.4.18) - I have 3.0.8 (and
> | since last night .9) on a linux server and a solaris one. I
> | don't see the problem on print queues hosted on the linux box.
>
> This was a bug introduced in 3.0.6 and fixed in 3.0.8 (at
> least on Intel). Yours is the second report I have on a
> big endian box so we still have a byte ordering problem here
> apparently.
>
> | Previously with 3.0.5 we did find situations where jobs
> | would be submitted and would have status "Spooling" for
> | ever and not go through - we're not seeing that on .8 or .9 -
> | just this other issue. Is this perhaps related to the
> | earlier problem?
>
> No. It's a different issue. The 'spooling job' bug was fixed
> in 3.0.7 I think. Can't remember exactly.
>
> I'll look at this today and the slow printing bug people
> have reported as well.

Hello Gerald!

Do you mean the Windows XP SP2 - slow printing problem? If so, I've to add, that this problem also occurs, when the network printer is on a Windows 2003 server. So it's not related to Samba (although you might find a workaround).

The symptoms are the same as mentioned in http://support.microsoft.com/default.aspx?scid=kb;en-us;329234 , which covers a bug that should be fixed in SP2. I believe something went wrong.

It's definitely related to the existence of a local devicemode and to certain drivers.

Bye,

Martin

> cheers, jerry

--
Martin Zielinski [EMAIL PROTECTED]
Software Development
SEH Computertechnik GmbH www.seh.de
[Samba] using Windows NT4 user manager
Hi, I would like to go on using Win NT user manager (usrmgr.exe) to edit and create users after migration to Samba 3.0.7. But I can only use this tool with a low speed connection. Is there a way to make it run properly? Thanks in advance
Re: [Samba] profiles and home directories
Greg Andrews wrote:
| So now I am in the situation of wanting to turn off
| profiles. Ha Ha I hear people say, that's simple, just set
| logon home = and logon path = and leave them blank and bingo
| no profiles. Absolutely correct. There is however one small
| problem. When I do this I also lose the users home directories.:(

You don't have to disable the 'logon home' parameter. Just the 'logon path'

cheers, jerry
Re: [Samba] DFS root - slow writes
[EMAIL PROTECTED] wrote:
| Hello,
|
| we use DFS on samba and have noticed that writes to some
| file servers listed under the DFS drive letter are very slow,
| yet writes to the same machines directly using UNC paths
| are very quick.
|
| Are all communications between the client and end server
| proxied through the DFS root server if this service is used?

No. The client talks directly to the target server.

cheers, jerry
Re: [Samba] LDAP authentication only with SAMBA
> This question has probably been asked before, but I would like to ask it
> again. I know all about LDAP authentication between samba and an LDAP
> service with the proper schema in place. You create an entry in the LDAP
> database with all the samba privileges in place. I want to just
> authenticate with an LDAP service and not use a special samba schema.

No, not possible. (Well you might be able to if you hack to disable encrypted passwords, etc... but I doubt it would work as a DC).

> We use
> LDAP to authenticate for telnet, ftp and proxy services. This LDAP service
> is used for single sign on type of authentication so that the user does not
> need to have dozens of passwords for different servers and services. I want
> to use LDAP with samba for the same reason. I will create an entry on the
> samba host in the samba smbpasswd file, but want to go against the LDAP
> server for the password. Can this be done?

This works, but must be done in collaboration with the Samba schema extensions.
Re: [Samba] Domain authentication failing after a period of time
OK, I've now downgraded back to an older, formerly working version of Samba (3.0.2a), and the same behavior is still happening (i.e. after rejoining the domain, it works for 15 minutes and then stops with a NT_STATUS_NO_LOGON_SERVERS error). I tried adding the domain after deleting the secrets.tdb file with Samba up and with it down, and it always has the same effect. I even uninstalled samba, blew away the secrets.tdb file, had the machine account removed from the domain, waited overnight to confirm that the machine account would be removed across the domain, reinstalled samba, rejoined the domain, and restarted samba. Same dang problem.

Is there anything else that anyone can suggest that I try?

Bill Knox
Lead Operating Systems Programmer/Analyst
The MITRE Corporation

On Wed, 24 Nov 2004, William R. Knox wrote:

> Date: Wed, 24 Nov 2004 15:02:04 -0500 (EST)
> From: William R. Knox <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: [Samba] Domain authentication failing after a period of time
>
> OK, I tried removing and readding the machine account from the domain, and
> still no luck - logons work for 15 minutes and then stop.
>
> Anyone else seeing anything like this? Anyone have any ideas? At this
> point, I'll try nearly anything. As I said, everything had been working
> like a charm under 3.0.2a, through a few upgrades and everything.
>
> Bill Knox
> Lead Operating Systems Programmer/Analyst
> The MITRE Corporation
>
> On Fri, 19 Nov 2004, William R. Knox wrote:
>
> > Date: Fri, 19 Nov 2004 13:02:47 -0500 (EST)
> > From: William R. Knox <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Samba] Domain authentication failing after a period of time
> >
> > Adding a little bit more detail:
> >
> > It still happens with a just upgraded 3.0.9 install
> >
> > The period of time appears to be 15 minutes (tested twice, connecting
> > every 30 seconds, 15 minutes both times) - until then, connections work
> > fine. After that, see below.
> >
> > Here is the output from a debug level 3 smbclient connection:
> >
> > $ smbclient -d 3 -L server_name -U user%pass
> > lp_load: refreshing parameters
> > Initialising global parameters
> > params.c:pm_process() - Processing configuration file
> > "/path/to/smb.conf"
> > Processing section "[global]"
> > added interface ip=XXX.XXX.XXX.XXX bcast=XXX.XXX.XXX.XXX nmask=255.255.255.0
> > Client started (version 3.0.9).
> > resolve_lmhosts: Attempting lmhosts lookup for name server_name<0x20>
> > resolve_wins: Attempting wins lookup for name server_name<0x20>
> > resolve_wins: using WINS server XXX.XXX.XXX.XXX and tag '*'
> > Got a positive name query response from XXX.XXX.XXX.XXX ( XXX.XXX.XXX.XXX )
> > Connecting to XXX.XXX.XXX.XXX at port 445
> > Doing spnego session setup (blob length=58)
> > got OID=1 3 6 1 4 1 311 2 2 10
> > got principal=NONE
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x60890215
> > NTLMSSP: Set final flags:
> > Got NTLMSSP neg_flags=0x60080215
> > NTLMSSP Sign/Seal - Initialising with flags:
> > Got NTLMSSP neg_flags=0x60080215
> > SPNEGO login failed: No logon servers
> > session setup failed: NT_STATUS_NO_LOGON_SERVERS
> >
> > Bill Knox
> > Lead Operating Systems Programmer/Analyst
> > The MITRE Corporation
> >
> > On Thu, 18 Nov 2004, William R. Knox wrote:
> >
> > > Date: Thu, 18 Nov 2004 14:36:53 -0500 (EST)
> > > From: William R. Knox <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > > Subject: [Samba] Domain authentication failing after a period of time
> > >
> > > I am having an unusual bit of behavior with a recently upgraded 3.0.8
> > > installation (from 3.0.2a). I upgraded the server and retained the
> > > secrets.tdb file. The server itself is using security = domain, and it had
> > > been joined to the domain prior to the upgrade. Now, once I started the
> > > new version, I couldn't log on, and would get the error "There are no
> > > logon servers available to service the logon request". If I "rejoin" the
> > > domain (using the net join command), I can access the shares, but only for
> > > a period of time. After a few minutes (there doesn't seem to be a specific
> > > interval), that same message is returned. Running a smbclient -L against
> > > the system yields "session setup failed: NT_STATUS_NO_LOGON_SERVERS".
> > >
> > > I haven't tried failing back to 3.0.2a yet, but I will if that will help
> > > in any diagnoses.
> > >
> > > Thanks in advance for any help anyone may be able to give.
> > >
> > > Bill Knox
> > > Lead Operating Systems Programmer/Analyst
> > > The MITRE Corporation
[Samba] Configuration with Windows clients
Hi,

I have troubles to configure a Samba Server to give access to a shared directory and subdirectories on a LINUX Server:
- Read access to everybody WITHOUT need to give a login (User/password): to all PCs on my network (workgroup)
- Write access to only some Users, or some PC (authorized by their @IP)

With this in the smb.conf file:
- With Telnet, the users "root" and "myuser" can write in /Common/Shared_Dir, but with a logical drive connected on /Common/Shared_Dir within Windows, they can't!! The error message is "Impossible to copy file : access denied"

#---
[Shared_Dir]
path = /Common/Shared_Dir
guest ok = yes
create mask = 0775
browseable = yes
write list = root, myuser

Where: root is the owner for /Common/Shared_Dir on the LINUX Server
and: "myuser" is a user in a group which has the rights 775 on /Common/Shared_Dir
#--

Thanks for help
[Samba] LDAP authentication only with SAMBA
This question has probably been asked before, but I would like to ask it again. I know all about LDAP authentication between samba and an LDAP service with the proper schema in place. You create an entry in the LDAP database with all the samba privileges in place. I want to just authenticate with an LDAP service and not use a special samba schema.

We use LDAP to authenticate for telnet, ftp and proxy services. This LDAP service is used for single sign on type of authentication so that the user does not need to have dozens of passwords for different servers and services. I want to use LDAP with samba for the same reason. I will create an entry on the samba host in the samba smbpasswd file, but want to go against the LDAP server for the password. Can this be done?

TIA.

Jim OBrien
NYSDOH
[EMAIL PROTECTED]
Re: [Samba] root ownership on some profile files cause login errors
Justin Zachor wrote:
| Here's another question related to how to use masks --
|
| In my PDC area I specify:
|
| logon path = \\netapp\profiles\%u

I recommend %U and not %u for the 'logon path' in most cases

| This puts server-based (roaming) profiles on my
| Network Appliance (which itself is an SMB/PDC client).
|
| A previous admin here left this commented section:
|
| #[profiles]
| # path = /var/lib/samba/profiles

# path = /netapp/profiles ???

| # read only = no
| # create mask = 0600
| # directory mask = 0700
|
| So, is this the syntax for masks?
| Do I add "create mask = 0744" -OR- "force create mask = 0744"?
| Where do I put it? Anywhere in smb.conf?
|
| Should the mask be 0077? (it's a mask, not chown
| notation, right??)

The 'create mask' is a bitwise logical AND with the requested permissions. The force create mode is a bitwise logical OR.

cheers, jerry
Re: [Samba] root ownership on some profile files cause login errors
Justin Zachor wrote:
| On a newly migrated profile (migrated onto Samba server, from local)
| some files/dirs get root ownership.
|
| [global]
|
| # -- BEGIN PDC --
| domain logons = yes
| logon path = \\netapp\profiles\%u
| logon drive = H:
| logon home = \\netapp\%u\.winprofile
| logon script = logon.bat
|
| add user to group script = /usr/sbin/usermod -G %g %u
| add machine script = /usr/sbin/adduser --firstuid 9001 \
| --lastuid 9500 \
| --gid 9000 --home /dev/null --shell /bin/false \
| --no-create-home \
| --disabled-password --gecos "%u Samba Machine Account" \
| --force-badname %u
| admin users = @ntadmins
  ^^
It's probably this line. See the smb.conf(5) man page for details.

cheers, jerry
Re: [Samba] 3.0.8/3.0.9 printing tdb entries not clearing
Martin Sapsed wrote:
| Hi all,
|
| We have a strange issue with printing tdb entries not
| clearing. From what I can tell, this may be an issue on
| Solaris (5.9) but not on Linux (2.4.18) - I have 3.0.8 (and
| since last night .9) on a linux server and a solaris one. I
| don't see the problem on print queues hosted on the linux box.

This was a bug introduced in 3.0.6 and fixed in 3.0.8 (at least on Intel). Yours is the second report I have on a big endian box so we still have a byte ordering problem here apparently.

| Previously with 3.0.5 we did find situations where jobs
| would be submitted and would have status "Spooling" for
| ever and not go through - we're not seeing that on .8 or .9 -
| just this other issue. Is this perhaps related to the
| earlier problem?

No. It's a different issue. The 'spooling job' bug was fixed in 3.0.7 I think. Can't remember exactly.

I'll look at this today and the slow printing bug people have reported as well.

cheers, jerry
Re: [Samba] Problem with static WINS entries
It also doesn't work. I have stopped SAMBA, edited 'wins.dat' and once SAMBA is started, in a few seconds the file 'wins.dat' is rebuilt just with the registered clients.

Hope there are other solutions...

Tomasz Chmielewski wrote:

Angel Galindo Muñoz wrote:

Hi! I need to add static entries to my Samba 3.0.9 WINS server but I can't. Let's explain:

What am I doing wrong? Is there any way to add static entries to my WINS server?

Thanks a lot in advance,

Try stopping Samba, edit your file, and then start Samba again. Tell if it worked.

Tomek

--
Angel Galindo Muñoz
University of Barcelona
[Samba] DFS root - slow writes
Hello,

we use DFS on samba and have noticed that writes to some file servers listed under the DFS drive letter are very slow, yet writes to the same machines directly using UNC paths are very quick.

Are all communications between the client and end server proxied through the DFS root server if this service is used?

thanks,
greg
Re: [Samba] Problem with static WINS entries
Angel Galindo Muñoz wrote:

Hi! I need to add static entries to my Samba 3.0.9 WINS server but I can't. Let's explain:

What am I doing wrong? Is there any way to add static entries to my WINS server?

Thanks a lot in advance,

Try stopping Samba, edit your file, and then start Samba again. Tell if it worked.

Tomek
[Samba] Problem with static WINS entries
Hi!

I need to add static entries to my Samba 3.0.9 WINS server but I can't. Let's explain:

The "Samba Collection Howto" chapter "Network Browsing", section "Static WINS Entries" tells that I can edit my "wins.dat" file (/opt/samba/var/locks/wins.dat) to set the TTL of some entries to 0. No matter if I edit the TTL of some existing entries (self-registered clients) or if I insert new lines to that file: the file "wins.dat" is regenerated after it. Maybe this regeneration is due to network browsing...

This is an example of what I added:

"ONENBTNAME#03" 0 xxx.yyy.zzz.ttt 66R

Trying, trying ... I've also tried with a "64R" flag (don't know what it is) and with the "#20" LanMan Netbios type: no way.

As I can't make that name resolution work, I have edited my Samba's "lmhosts" file (/opt/samba/lib/lmhosts). I have added some entries to that file, and they are valid when my server is trying to resolve a NETBIOS name (i.e. executing "/opt/samba/bin/smbclient -L \\NETBIOS_NAME" on the WINS server), but when my WINS clients ask my WINS server for those Netbios names, the answer is 'Unknown host".

As you will see in my `testparm`, the "name resolve order" is "host lmhost bcast":

[EMAIL PROTECTED] opt]# /opt/samba/bin/testparm
Load smb config files from /opt/samba-3.0.9/lib/smb.conf
Processing section "[usuarioprueba]"
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = UBGRUPDETREBALL
server string = Servidor WINS de proves
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
name resolve order = host lmhost bcast
load printers = No
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes

[usuarioprueba]
comment = Share per l'usuarioprueba
path = /home/usuarioprueba
valid users = usuarioprueba

What am I doing wrong? Is there any way to add static entries to my WINS server?

Thanks a lot in advance,

--
Angel Galindo Muñoz
University of Barcelona
[Samba] strange behaviour of Windows Clients regarding HTTP/PDC
Hi,

I am using samba 3.0.9 as a PDC with some W2K and XP clients. Some of the XP machines have got SP2 some weeks ago. (They are all private, so some users did it, others did not)

On my PDC there also runs an apache, now I read in my error_log:

[Mon Nov 22 14:40:54 2004] [error] [client 172.16.3.100] File does not exist: /var/www.public/tmp
[Mon Nov 22 20:03:49 2004] [error] [client 172.16.2.3] File does not exist: /var/www.public/standard
[Mon Nov 29 14:06:17 2004] [error] [client 172.16.3.100] File does not exist: /var/www.public/saal
[Wed Nov 24 13:55:08 2004] [error] [client 172.16.3.100] File does not exist: /var/www.public/home

where standard is the name of one of my printers and the others are names of shares on the pdc!

and in access_log there are things like

172.16.3.100 - - [29/Nov/2004:14:06:17 +0100] "PROPFIND /saal HTTP/1.1" 302 317 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
172.16.3.100 - - [29/Nov/2004:14:06:18 +0100] "PROPFIND /saal HTTP/1.1" 302 317 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
172.16.3.100 - - [29/Nov/2004:15:15:18 +0100] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
172.16.3.100 - - [29/Nov/2004:15:15:18 +0100] "PROPFIND /saaldirektorium HTTP/1.1" 302 317 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"

maybe somebody can explain that to me? Is there some option or trick in the netlogon-script so I can prevent that?

thanks!
Florian
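The pattern in the logs above can be checked mechanically. This added example (not part of the original post) matches access_log requests from the Microsoft-WebDAV-MiniRedir user agent against smb.conf section names; the smb.conf fragment, its paths, the function names and the last log line are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
SECTION_RE = re.compile(r'^\s*\[([^\]]+)\]\s*$')
WEBDAV_AGENT = "Microsoft-WebDAV-MiniRedir"  # user agent seen in the post's access_log

# Constructed smb.conf fragment (assumption): section names are the share and
# printer names mentioned in the post; paths and workgroup are made up.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
[home]
   path = /srv/home
[tmp]
   path = /srv/tmp
[saal]
   path = /srv/saal
[saaldirektorium]
   path = /srv/saaldirektorium
[standard]
   printable = yes
"""

# First four lines are from the post; the last one is constructed to show
# that an ordinary browser request for the same name is not counted.
SAMPLE_LOG = [
    '172.16.3.100 - - [29/Nov/2004:14:06:17 +0100] "PROPFIND /saal HTTP/1.1" 302 317 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"',
    '172.16.3.100 - - [29/Nov/2004:14:06:18 +0100] "PROPFIND /saal HTTP/1.1" 302 317 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"',
    '172.16.3.100 - - [29/Nov/2004:15:15:18 +0100] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"',
    '172.16.3.100 - - [29/Nov/2004:15:15:18 +0100] "PROPFIND /saaldirektorium HTTP/1.1" 302 317 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"',
    '172.16.2.3 - - [29/Nov/2004:15:20:00 +0100] "GET /home HTTP/1.1" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]


def share_names(smb_conf_text):
    """Return the lower-cased section names of an smb.conf, minus [global]."""
    names = set()
    for line in smb_conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1).strip().lower()
            if name != "global":
                names.add(name)
    return names


def webdav_share_probes(log_lines, shares):
    """Map client IP -> {share name: hits} for WebDAV redirector requests
    whose first URL path segment equals a Samba share or printer name."""
    hits = defaultdict(Counter)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or WEBDAV_AGENT not in m.group("agent"):
            continue
        # In \\server\share\dir the share is the first component; the
        # redirector sends it as the first segment of the HTTP path.
        first = unquote(m.group("path")).lstrip("/").split("/", 1)[0].lower()
        if first in shares:
            hits[m.group("host")][first] += 1
    return {ip: dict(counter) for ip, counter in hits.items()}


if __name__ == "__main__":
    probes = webdav_share_probes(SAMPLE_LOG, share_names(SAMPLE_SMB_CONF))
    for ip, names in sorted(probes.items()):
        for name, count in sorted(names.items()):
            print(f"{ip} requested share name '{name}' over WebDAV {count} time(s)")
```
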
Re: [Samba] AD member ticket verify errors
On Mon, 2004-11-29 at 17:36 -0800, John Stile wrote:
> On Mon, 2004-11-29 at 16:48 -0800, Jeremy Allison wrote:
> > On Mon, Nov 29, 2004 at 01:26:36PM -0800, John Stile wrote:
> > > I installed samba-3.0.9-1 on RedHat-AS3, configured it as a member
> > > server, and joined the domain. wbinfo -u and -g work. When I browse to
> > > the samba share from Windows XP client, I see the shares, and my home
> > > directory is listed, but I am prompted for a password when I try to use
> > > the share. No password works. The samba log for the client session
> > > shows: 'smbd/sesssetup.c:reply_spnego_kerberose(173) Failed to verify
> > > incoming ticket!'
> > >
> > > Is this a common problem?
> > >
> > > The system has RedHat rpm's:
> > > krb5-libs-1.2.7-28
> > > krb5-workstation-1.2.7-28
> > > krb5-devel-1.2.7-28
> >
> > You're going to need krb5 1.3 or later for the correct enctype.
>
> Is there an rpm available for RedHat AS?

I got it working but only after some bad practices. My verbose notes follow:

Downloaded source rpm for fedora:
wget http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/SRPMS/krb5-1.3.1-6.src.rpm
# NOTE: tried krb5-1.3.4-5.src.rpm but it failed.

- Rebuild Kerberos (first try):
rpmbuild --rebuild krb5-1.3.1-6.src.rpm
error: Failed build dependencies:
bison is needed by krb5-1.3.1-6
e2fsprogs-devel >= 1.33 is needed by krb5-1.3.1-6
libtermcap-devel is needed by krb5-1.3.1-6

- Install needed packages:
up2date -i bison e2fsprogs-devel libtermcap-devel
#Note: version of e2fsprogs too old. need to upgrade

- Download newer version of e2fsprogs:
wget http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/SRPMS/e2fsprogs-1.34-1.src.rpm
rpmbuild --rebuild e2fsprogs-1.34-1.src.rpm
rpm -U /usr/src/redhat/RPMS/i386/e2fsprogs-1.34-1.i386.rpm
rpm -U /usr/src/redhat/RPMS/i386/e2fsprogs-devel-1.34-1.i386.rpm

- Rebuild Kerberos (second try)
rpmbuild --rebuild krb5-1.3.1-6.src.rpm

- Install new Kerberos
rpm -U /usr/src/redhat/RPMS/i386/krb5-*
error: Failed dependencies:
libcom_err.so.3 is needed by (installed)

- Since I know we are upgrading existing requirements, I think it's ok to use --nodeps
rpm -Uhiv --nodeps /usr/src/redhat/RPMS/i386/krb5-*

- Rebuilding latest samba rpm from samba.org to ensure linking against Kerberos
rpmbuild --rebuild samba-3.0.9-1.src.rpm

- Install samba
rpm -i /usr/src/redhat/RPMS/i386/samba-3.0.9-1.i386.rpm
Installing stack version of /etc/pam.d/samba...

- Create my /etc/samba/smb.conf
[global]
server string = Samba Server
workgroup = MYREALM
realm = MYREALM.MY.DOMAIN.COM
security = ADS
map to guest = Bad User
password server = *
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = no
local master = no
domain master = no
os level = 33
wins server = 128.32.68.75 128.32.67.118
ldap ssl = no
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = Yes

- Create the /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = MYREALM.MY.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
MYREALM.MY.DOMAIN.COM = {
kdc = hcs-ad-a.myrealm.my.domain.com:88
admin_server = hcs-ad-a.myrealm.my.domain.com:749
default_domain = myrealm.my.domain.com
}

[domain_realm]
.myrealm.domain.com = MYREALM.MY.DOMAIN.COM
myrealm.domain.com = MYREALM.MY.DOMAIN.COM
.myrealm.my.domain.com = MYREALM.MY.DOMAIN.COM
myrealm.my.domain.com = MYREALM.MY.DOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

- Starting winbind fails:
/etc/init.d/winbind start
Starting Winbind services: winbindd: error while loading shared libraries: libcom_err.so.3: cannot open shared object file: No such file or directory [FAILED]

- It looks like the new version of Kerberos doesn't supply libcom_err.so.3
whereis libcom_err.so.3
libcom_err.so: /lib/libcom_err.so.2 /usr/lib/libcom_err.so
ls -alF /lib/libcom_err.so.2*
lrwxrwxrwx 1 root root 17 Nov 30 02:53 /lib/libcom_err.so.2 -> libcom_err.so.2.1*
-rwxr-xr-x 1 root root 18472 Nov 30 02:52 /lib/libcom_err.so.2.1*
ldco
Re: [Samba] file_set_dosmode / No data available with 3.0.8
Gerald (Jerry) Carter wrote:
Yes. This was fixed in 3.0.9. I always recommend searching bugzilla and reading the release notes (WHATSNEW.txt) for this kind of information.

actually i *read* the changelog, but there are quite a lot changes in there (wow!) and i could not tell from the log if exactly this issue was addressed. the thread on the list did not come to a conclusion either ("3.0.7 works..."), so i asked on the list and got a reply ;-) thanks, Christian.
--
BOFH excuse #254: Interference from lunar radiation
[Samba] Security hole (to Jeremy Allison): password chat
As you are looking for security holes: With password chat it is easy to exchange the change password program and log to users passwords. Because on AIX password chat does not work we have implemented the unix password change with system calls directly from the samba code. We have a new parameter to switch this option on. It takes effect when unix password sync is yes. In this case password chat is never reached. The code is running with Samba 2.2.2 and 2.2.8 on AIX (80 locations each with about 80 to 300 users). I am going to implement this in 3.0.8 or 9 which will be our next production release. The code also has been tested with Linux, but only with few users. I have added the code and would be glad if you think it is worth to be implemented in a next release.
regards Mathias

ADD TO include/includes.h
#include #include
__
ADD TO param/loadparm.c
BOOL bDirectPasswdSync;
Globals.bDirectPasswdSync = False;
FN_GLOBAL_BOOL(lp_direct_password_sync, &Globals.bDirectPasswdSync)
__
ADD TO smbd/chgpasswd.c
@@ -521,6 +542,43 @@ return ret; } #endif +// +/* ADDSTART security enhancement [EMAIL PROTECTED] */ +// + if (lp_direct_password_sync()) { + status = direct_password_sync(name,newpass,as_root); +if (!NT_STATUS_IS_OK(status)) { +/* we lose status here */ +/* confusing for the user - password is changed! */ +return False; +} + return True;/* forget the rest */ + } ___ ADD NEW FUNCTION #include "includes.h" NTSTATUS direct_password_sync(const char *name,const char *newpass,BOOL as_root) { charsalt[3]; #ifdef AIX #define PASSWD userpw #define GETPWNAMgetuserpw #define PW_PASSWD upw_passwd #else /* tested on Linux */ #define PASSWD passwd #define GETPWNAMgetpwnam #define PW_PASSWD pw_passwd #endif struct PASSWD *PASSWD; char*alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890./"; if (as_root) become_root(); #ifdef AIX setpwdb(S_READ | S_WRITE); /* only AIX */ #endif if (! (PASSWD = GETPWNAM(name))) { DEBUG(0, ("Password Change: user %s unknown on operating system.\n", name)); #ifdef AIX endpwdb(); /* only for AIX */ #endif if (as_root) unbecome_root(); return NT_STATUS_INTERNAL_ERROR; } salt[0] = alpha[time(NULL) % strlen(alpha)]; salt[1] = alpha[getpid() % strlen(alpha)]; salt[2] = 0; PASSWD->PW_PASSWD = crypt(newpass,salt); #ifdef AIX userpw->upw_lastupdate = time(NULL); if (putuserpw(userpw)) { DEBUG(0, ("Password Change: could not change password for user %s on operating system.\n", name)); endpwdb(); if (as_root) unbecome_root(); return NT_STATUS_INTERNAL_ERROR; } endpwdb(); #else /* not AIX tested on Linux */ /* I like AIX */ #define PASSWD_MODE 0644 { FILE* tmp_file; FILE* sav_file; pstring passwd_name = "/etc/passwd"; pstring passwd_name_tmp = "/etc/passwd.smbd.tmp"; pstring passwd_name_sav = "/etc/opasswd.smbd"; struct passwd *passwd_tmp; tmp_file = sys_fopen(passwd_name_tmp,"w"); if (tmp_file == NULL) { DEBUG(0, ("Password Change: could not open %s (user:%s)", passwd_name_tmp,name)); if (as_root) unbecome_root(); return NT_STATUS_INTERNAL_ERROR; } sav_file = 
sys_fopen(passwd_name_sav,"w"); if (tmp_file == NULL) { DEBUG(0, ("Password Change: could not open %s (user:%s)", passwd_name_sav,name)); if (as_root) unbecome_root(); return NT_STATUS_INTERNAL_ERROR; } setpwent(); while ((passwd_tmp = getpwent()) != NULL) { if (strcmp(passwd_tmp->pw_name, PASSWD->pw_name) == 0) { if (putpwent(PASSWD,tmp_file) != 0) { DEBUG(0, ("Password Change: could not putpwent %s (user:%s)", passwd_name_tmp,name)); endpwent();
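Review bot: in the smbd/chgpasswd.c hunk, the failure branch after direct_password_sync() discards the NTSTATUS and returns False without logging anything, and the hunk's own comments already note that the status is lost and that the user is told the change failed although a password was changed. Log the status with a DEBUG(0, ...) call before the return so an administrator can see why the Unix update failed, and document in the parameter description that "return True; /* forget the rest */" skips the password chat path entirely when the option is on. The `//` marker lines are also out of step with the /* */ comment style used in the rest of the hunk.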
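Review bot: in the non-AIX branch of direct_password_sync(), the NULL check that follows sav_file = sys_fopen(passwd_name_sav,"w") tests tmp_file a second time, so a failed open of /etc/opasswd.smbd is never detected; test sav_file there and close tmp_file on that error path. The salt is built from time(NULL) and getpid() taken modulo strlen(alpha), both of which are predictable, and alpha has no lower-case letters, so the salt space is smaller than crypt() allows. A two-character salt also selects the traditional DES crypt() scheme, and putpwent() then writes that hash into the /etc/passwd.smbd.tmp copy of /etc/passwd, next to a PASSWD_MODE of 0644. Take the salt from a random source, use the strongest scheme the platform's crypt() supports, and keep the hash out of a world-readable file. PASSWD is also the pointer returned by getpwnam(), which getpwent() is allowed to overwrite on some platforms, so copy the entry before starting the getpwent() loop.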
Re: [Samba] Users being deleted from Domain Users group on Samba BDC during vampire process of migration
I'm having the same problem but sadly also have no solution. Any clues I'd be grateful. Cheers, Bradley. [EMAIL PROTECTED] wrote: I think I'm having a problem during the vampire process. Would someone tell me why my domain users are being deleted from the Domain Users group after they are created? First, the accounts are being created normally... Creating account: marshah Creating account: marshab Creating account: johnp . . . Creating account: ronniem Creating account: bobbyr Creating account: robertk Creating account: g4400$ Creating account: INFI2292-80$ Creating account: PAP-E06EFL2FLCA$ Creating account: G830-78$ Creating account: COL190GPCTAB-62$ Creating account: PERIA30-63$ Creating account: ROM010IA30-71$ Creating account: DEK480IA30-73$ Group members of Domain Admins: charliebrown,faxserver,joeblow(primary),vbe(primary),snoopy(primary),epo,xerox, Group members of Domain Users: PRIMARY$(primary),CONSDEV $(primary),marshah(primary),marshab(primary),johnp(primary) . . . rajg(primary),FIEGATEWAY450-5$(primary),MAC120I2652-8 $(primary),FISGE2000D-2$(primary),DISGE2000D-1$(primary),ADA440GPCTAB-6 $(primary),CJRG450ROG-29$(primary),DAL230GPCTAB-21 $(primary),THO070GPCTAB-65$(primary),CAN300GPCTAB-5 $(primary),ADA440GPCTAB-75$(primary),THO070GPCTAB-7 $(primary),CAN300GPCTAB-4$(primary),DOU400GPCTAB-25 $(primary),CAR540GPCTAB-8$(primary),LAG310GPCTAB-5$(primary),ELL560GPCTAB-2 $(primary),LAG310GPCTAB-12$(primary),ELL560GPCTAB-18 $(primary),LAG310GPCTAB-2$(primary),ELL560GPCTAB-4$(primary),CON360GPCTAB-2 $(primary),LAG310GPTAB-15$(primary),INFGFE2000D-100 $(primary),LAG310GPCTAB-6$(primary),DAH590GPCTAB-6$(primary) . . . Then the users are being deleted . . . deleting user marshah from group Domain Users deleting user marshab from group Domain Users deleting user johnp from group Domain Users . . . 
deleting user joyceb from group Domain Users deleting user lyndae from group Domain Users deleting user janices from group Domain Users deleting user mredding from group Domain Users deleting user darylb from group Domain Users deleting user deborahm from group Domain Users deleting user tammyc from group Domain Users deleting user jeanettb from group Domain Users deleting user dessiep from group Domain Users deleting user jennifej from group Domain Users The users with "(primary)" attached to their name are being deleted. As you can see, the Domain Admins group no longer includes jonathanb, ninos or vbe. sd1:~# getent group | grep "Domain Admins" Domain Admins:x:512:charliebrown,faxserver,epo,xerox There were several hundred domain users but after the migration there are only a few. - Here is my smb.conf. [global] unix charset = LOCALE workgroup = PAP netbios name = SD1 server string = announce version = 4.0 #interfaces = lo #bind interfaces only = Yes passdb backend = ldapsam:ldap://127.0.0.1 username map = /etc/samba/smbusers log level = 2 syslog = 0 log file = /var/log/samba/log.%m max log size = 50 smb ports = 139 445 name resolve order = wins bcast hosts time server = Yes printcap name = CUPS show add printer wizard = No add machine script = /usr/local/sbin/smbldap-useradd -w "%u" add user script = /usr/local/sbin/smbldap-useradd -m "%u" delete user script = /usr/local/sbin/smbldap-userdel "%u" add machine script = /usr/local/sbin/smbldap-useradd -w "%u" add group script = /usr/local/sbin/smbldap-groupadd -p "%g" delete group script = /usr/local/sbin/smbldap-groupdel "%g" add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u" logon script = scripts\SLOGIC.bat logon path = logon drive = X: domain logons = Yes domain master = No preferred master = Yes ldap delete dn = Yes ldap suffix = 
dc=home,dc=us ldap machine suffix = ou=Computers ldap user suffix = ou=Users ldap group suffix = ou=Groups ## Example 6.5. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B ldap idmap suffix = ou=Idmap ldap admin dn = cn=admin,dc=home,dc=us idmap backend = ldap:ldap://127.0.0.1 idmap uid = 1-2 idmap gid = 1-2 map acl inherit = Yes printing = cups printer admin = Administrator, alexb [netlogon] comment = Network Logon Service path = /var/lib/samba/netlogon guest ok = Yes locking = No [homes] comment = Home Directories valid users = %U read only = No browseable = No Here is my smbldap.conf SID removed from this intentionally. # Ex: slaveLDAP=127.0.0.1 slaveLDAP="127.0.0.1" slavePort="389" # Master LDAP : needed for write operations # Ex: masterLDAP=127.0.0.1 masterLDAP="127.0.0.1" masterPort="389" # Use TLS for LDAP # If set to 1, this option will use start_tls for connection # (you should also used
[Samba] Problem with smbclient
Hi, i want to list the shares from my Windows 2000 or XP Clients. With the command
smbclient -d 3 -L // -W -U Administrator%password
I get this error
--
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface ip=192.168.1.51 bcast=192.168.1.255 nmask=255.255.255.0
Client started (version 3.0.7-5-SUSE).
Connecting to 192.168.1.202 at port 445
Doing spnego session setup (blob length=16)
server didn't supply a full spnego negprot
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

Does anybody know what the problem is?
Regards
[Samba] 3.0.8/3.0.9 printing tdb entries not clearing
Hi all,

We have a strange issue with printing tdb entries not clearing. From what I can tell, this may be an issue on Solaris (5.9) but not on Linux (2.4.18) - I have 3.0.8 (and since last night .9) on a linux server and a solaris one. I don't see the problem on print queues hosted on the linux box.

The symptom is that you can print from both XP and 98 and the print job appears on the printer but sometimes the entry for the job doesn't disappear if you look at the queue entries on the PC. We can end up after a busy day with the queue viewer on the PC showing several jobs pending but if you do lpstat -o on the server there's nothing in the queue. People use the queue viewer to see whether their job has finished in order to decide when to go to the printer to collect it. As I said, printing itself appears to work ok so the problem could be described as "cosmetic" but there's still a bug of some sort.

Previously with 3.0.5 we did find situations where jobs would be submitted and would have status "Spooling" for ever and not go through - we're not seeing that on .8 or .9 - just this other issue. Is this perhaps related to the earlier problem?

I have a zip file containing my ntprinters.tdb, ntdrivers.tdb and a tdb file from one of the printers in case it helps. According to the queue viewer on my PC there are 4 jobs outstanding but according to lpstat the queue is clear. I can't recall whether the list strips off attachments though. I can send it to someone direct if it would help.

Cheers, Martin
--
Martin Sapsed
Microcomputer Support
Information Services
University of Wales, Bangor

"I've got 8 little fingers and only 2 thumbs, won't you leave me in peace while I get the job done?" Chris Rea, "I'm working on it"
Re: [Samba] smb-scripts package
is there a good reason to use these tools instead of the idealx ones? best

Tomasz Chmielewski wrote:
[EMAIL PROTECTED] wrote:
Hi guys, I wrote some scripts to help in Samba management, giving support to Samba rpc calls. I would like that you tested and evaluated this package, sending me critical and suggestions. This package name is smb-scripts and can be found at http://sourceforge.net/projects/smb-scripts. The original documentation was written in Portuguese but is already being translated to English. Sorry my english...

might be interesting - but let us know when the English translation is done :) Tomek

--
"Matrix - more than a vision"
Michael Gasch - Central IT Department - Max Planck Institute for Evolutionary Anthropology
Deutscher Platz 6
04103 Leipzig
Germany
[Samba] Samba Authenticate against Active Directory
Hi! I'm trying to use the Samba Server Configuration tool to make Samba authenticate and authorize users against our Active Directory Server. But I'm doing something wrong since I can't get it to work. Our network has the AD at 192.168.10.10 and the domain is ALFA-MOVING. So in the Server Settings dialog I have:

Authenticate mode: ADS
Authenticate Server: 192.168.10.10
Kerberos Realm: ALFA-MOVING
Encrypt password: YES
Guest Account: No guest Account

I don't know if it is related but I also have done some settings in the Authentication Configuration where I have checked Enable WinBind support and in the Winbind Settings dialog:

Winbind Domain: ALFA-MOVING
Security model: ADS (there is a lowercase option too but it seems to be the same)
Winbind ADS realm: ALFA-MOVING
Winbind domain controller: 192.168.10.10
Template shell: /bin/sh

When trying to "join domain" it says nothing about failure or success but when looking at the AD-server the server is not in the domain.

Thank you very much in advance
Roland Carlsson