[Samba] windows env variable for USERDOMAIN is wrong
Hi all, I just setup my Samba PDC. Mostly everything works, but I am wondering why on some clients, they have the wrong USERDOMAIN environment variable. (when you run 'set' in win xp cmd) The domain name is MEIDLING, and the user and computer are joined ok. But in set, it shows USERDOMAIN as the Server name. Which is MAIN. How do I change that? Thanks in advance. -- Greg Fischer 1st Byte Solutions http://www.1stbyte.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] LDAP and CA certificates
Hi all,

When configuring Samba against an LDAP server, it is possible to configure an SSL connection by using "ldap ssl = on" in the smb.conf file.

Is there a way of telling Samba's LDAP code to ensure that the certificate presented by the LDAP server is signed by a specific CA?

Regards,
Graham
[Samba] Share Access for SAMBA 2.2.8a on HP-UX 11.11
    Security=server
    Username map=/etc/opt/samba/username.map

All NT ids are mapped to the same unix id via username.map. Some NT ids don't see all the SHARES when they access SAMBA... Not sure why this would be if all NT ids are being translated to the same unix id.
[Samba] WINS clients fail to release/refresh records with Samba WINS server after reboot
Hi all,

We are running Samba 3.0.2a and using it as a domain controller and WINS server. After rebooting the server, we are unable to reach (i.e. looking up machines by name) some of our network PCs (Windows 2000 boxes), due to failure with WINS look up. I investigated the wins.db file, and those Win boxes are not listed in there.

If I use the command "nbtstat -RR" on those PCs to refresh and renew their WINS record on the WINS server, this does NOT seem to add them back in. The only way to get them to be added again is to reboot those PCs.

What I would like to know is:

a) Is there a way to have the PCs to register themselves with the Samba WINS server automatically after the Samba WINS server has been rebooted?

b) if there is no way to do this automatically, is there a way or a command to get the PCs to register with the Samba WINS server without having to reboot them?

-f.
[Samba] User Must Change Password On Next Logon
Hello,

you can write this:

    pdbedit --pwd-must-change-time=1134732000 'username'

P.S.: 1134732000 is the time (sec) starting at 01/01/1970; in this case, the user 'username' must change his password after the 16/12/2005 12:20.

Bye
Emanuele
[Samba] Samba over PVFS: Corrupted Data
Hello,

I'm trying to export Samba shares that access a PVFS2 (http://www.pvfs.org/pvfs2)-mounted partition. PVFS2 is a parallel, distributed file system for Linux clusters. PVFS2 gets mounted like any other partition and it offers non-POSIX file semantics similar to NFS. We can use standard shell commands (mv, ls, cp, etc.) to read and write files on the PVFS2 file system without any problems. On Samba (3.0.13) we've had quite a few problems:

1. When we first made a Samba share, Windows (XP) explorer could see files, but would not let us manipulate them. For example, if we tried copying a file on the share, Windows would complain about a bad file handle. The Samba logs indicated that send_file_readX was causing a problem, so we put "use sendfile = no" in the share's configuration. We can now read from the share and save files using Notepad.

2. However, if we try copying files to the share with explorer or cmd, such as a pdf file, they get corrupted. The files are consistently corrupted in the same way. Similarly, Word refuses to write to the share.

Unfortunately, for these problems, the samba logs say nothing -- I just see that the Windows computer connected to Samba server and the logs stop there.

Has anyone had luck sharing PVFS volumes, or if not, are there any special settings I need for file systems with NFS-like semantics?

I'm using a 2.6.14 Linux kernel on Mandrake 10.2. Samba is the aforementioned version 3.0.13.

Thanks,
--Justin
[Samba] HOW TO: Migrating users' locally-stored profiles from one domain or workgroup to a new domain
Migrating Users Profiles When Changing Domain Affiliation: A Primer

I. Introduction

NOTE: This applies to Windows NT-based systems with locally-stored user profiles. Windows 9x and Me do not manage user profiles in the same way.

Quite often we find the need to change a workstation's affiliation, either from a workgroup (that is, the workstation is not in a domain environment) to a domain, from one domain to another, or perhaps we need to remove a workstation from a domain and have it rely on local user authentication. The problem is that in any of these scenarios, established users find that they have lost access to their locally stored profiles; a new profile is created for them when they log in to the new domain. They need to re-establish the icons on their desktops, they need to re-establish rights on that computer, and they need to copy their personal files (i.e., My Documents) from the old profile to the new one. This is a recipe for a headache and ill feelings toward the network administrator.

The traditional solution has been to use roaming profiles, but this is not always convenient or practical, and sometimes something breaks and that tactic doesn't work. There is another method that I've developed which seems to work pretty well. It involves messing with permissions and the registry, so caveat administrator.

II. Active Directory Migration Tool: The Microsoft Way

Microsoft provides the Active Directory Migration Tool (ADMT) for migrating user accounts, groups, and machine accounts from one domain to another as an installable tool from the Windows Server 2003 CD. You can also download it from Microsoft; go to http://download.microsoft.com/ and search for ADMT. I have used it on several occasions for migrating accounts between Windows domains (NT to 2003, 2000 to 2003, and even Samba to 2003). I do not believe it would work for migrating from a Windows domain to a Samba domain, but I've never tried it.
Perhaps some intrepid administrators would like to try it out with the early versions of Samba 4.

One of the significant advantages of using ADMT is that in addition to migrating user, group, and machine accounts, it will dispatch to each workstation during the computer migration phase an agent which translates user profiles. In my observations, ADMT performs the following tasks when migrating a machine account (assuming that user accounts have been first migrated with the "preserve SID history" option):

1. File system rights are translated. This especially applies to user profile folders.
2. File sharing rights are translated.
3. Registry hive rights are translated. This especially applies to individual NTUSER.DAT registry hives (the core of the user profile), so that the migrated user has full access to his or her original profile.
4. User rights and groups are translated. If a user was a member of the local administrators group, the user will remain so in the new domain.
5. User is mapped to profile.

For machines with numerous user profiles, or for a network with a large number of workstations, ADMT saves the administrator a lot of time, as these tasks are fully automated. Since we are using Samba, we can't use ADMT to translate user rights and migrate these items to the new domain. We must do this manually.

III. Manual Migration of Local User Profiles from Domain to Domain or from Workgroup to Domain

Before joining the workstation to the new domain, it is helpful to document the location of the profile folder of the user account we wish to migrate. This is easily done from a command shell by typing 'echo %userprofile%'. It is also helpful to note what local groups the user is a member of, such as "administrators."

Once you have joined the workstation to the new domain, log in to the new domain as the user you wish to migrate. At this time, a new profile will be created. Make a note of this profile's folder location.
The profile folder will be deleted in a later step, but by logging in this way we have created the registry entry that defines the user's profile in the new domain. Log out.

Now, log in to the workstation as a local administrator. It is helpful if the account also has domain admin privileges.

Assign rights to the user's "old domain" local profile folder: add the user's new domain account to filesystem security. Be sure to "reset permissions on child objects" so subfolders and contents will have the proper permissions. Similarly, assign rights to any shares on this workstation that have specific permissions applied.

Launch the registry editor. In Windows 2000 or NT, you must use regedt32, not regedit. In Windows XP, use regedit.

Under HKEY_USERS, load the user's "old domain profile" registry hive. This will be the NTUSER.DAT file located in the profile folder you noted at the beginning of this exercise. Assign permissions to this newly loaded hive such that the user's new domain account has full access. Be sure to apply this to all child objects. You may be presented
Re: [Samba] Using smbmount in a script - no return value
For some of us simple minded types, like me, perhaps you could have a permanent file in the share and test for it after mounting.

Create the file NonsenseShare/iamhere

    #!/bin/bash
    smbmount //NonsenseShare /bad/mnt/point
    if test -f /bad/mnt/point/iamhere ; then
        printf "The mount worked!\n"
    else
        printf "Rats, it didn't work!\n"
    fi

If you can't get a return value from one command, use another command :-)

HTH,
Michael

Mathew D. Watson told me on 12/17/2005 11:53:

I'm trying to periodically mount an XP share on my linux box, and I've noticed that smbmount doesn't return a value so I can't test for success in my shell script:

    #!/bin/bash
    smbmount //NonsenseShare /bad/mnt/point || echo "error with smbmount"

In this case smbmount silently fails. I searched the archives and found a couple of messages about smbmount daemonizing before leaving a return value.

Is there a good way to test for the success or failure of smbmount?

Mat
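An added example, not part of either post: instead of a sentinel file, the script can read the kernel's mount table, which also catches the case where something other than the SMB share ends up mounted on the directory. The function names, the sample table and the host and share names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify an SMB mount from the mount table, because a helper
# that daemonizes gives the calling script no usable exit status.

# /proc/mounts escapes space, tab, newline and backslash as \040 \011 \012
# \134. Turn each \NNN into \0NNN and let printf %b decode it.
decode_mount_path() {
    printf '%b' "$(printf '%s' "$1" | sed 's/\\\([0-7][0-7][0-7]\)/\\0\1/g')"
}

# is_mounted MOUNTPOINT [FSTYPE_REGEX] [MOUNTS_FILE]
# Succeeds only if the LAST entry for MOUNTPOINT has a matching filesystem
# type; a later mount stacked on the same directory hides the earlier one.
is_mounted() {
    want=$1
    types=${2:-'smbfs|cifs'}
    table=${3:-/proc/mounts}
    found=1
    while read -r dev dir fstype rest; do
        [ "$(decode_mount_path "$dir")" = "$want" ] || continue
        if printf '%s\n' "$fstype" | grep -Eqx "$types"; then
            found=0
        else
            found=1
        fi
    done < "$table"
    return "$found"
}

# wait_for_mount MOUNTPOINT [SECONDS] [MOUNTS_FILE]
# The mount helper has already gone to the background when it returns, so
# poll once per second until the mount shows up or the time runs out.
wait_for_mount() {
    tries=${2:-5}
    while :; do
        if is_mounted "$1" 'smbfs|cifs' "${3:-/proc/mounts}"; then
            return 0
        fi
        [ "$tries" -gt 0 ] || return 1
        tries=$((tries - 1))
        sleep 1
    done
}

# Constructed sample mount table (not captured from a real host).
write_sample_table() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext3 rw 0 0
//xpbox/share /mnt/xp smbfs rw 0 0
//xpbox/docs /mnt/My\040Docs cifs rw 0 0
//xpbox/old /mnt/stale smbfs rw 0 0
tmpfs /mnt/stale tmpfs rw 0 0
EOF
}

# Demo against the constructed table; a real script would call
#   smbmount //server/share /mnt/xp; wait_for_mount /mnt/xp 5 || exit 1
sample=$(mktemp)
write_sample_table "$sample"
is_mounted /mnt/xp 'smbfs|cifs' "$sample" && echo "/mnt/xp: SMB share mounted"
is_mounted /mnt/stale 'smbfs|cifs' "$sample" || echo "/mnt/stale: covered by a non-SMB mount"
is_mounted /bad/mnt/point 'smbfs|cifs' "$sample" || echo "/bad/mnt/point: not mounted"
rm -f "$sample"
```
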
Re: [Samba] Re: Migrating W2K Workstation to Samba Domain
I'm sorry, I can't help you with the issue of forcing Samba to use local profiles. I should be able to help you, but at the moment I'm rusty on that and I have a headache. But what I CAN help you with, once you get over the issue of roaming vs. local profiles, is how to make sure the users get their old profiles. In this example, let us consider the user account fred. The issue is that when you move the workstation to the new Samba domain, Windows will attempt to create a new profile for the user fred, because the user's SID will have changed (unless you have used 'net rpc vampire' to extract the SIDs from the AD domain). Windows doesn't know you by your name (fred), it knows you by your SID (big long ugly string of characters), just like the bank does. So fred logs in to the Samba domain, and all his settings, desktop, documents, etc. are GONE. What is the poor, embattled administrator to do? The answer lies in the registry, a few keys that associate a SID with a user profile directory. Here's how to fix it. After joining the workstation to the new domain, login as fred. A new profile folder will be created, something like \Documents and Settings\fred.newdomain (note that Fred's old profile was something like \Documents and Settings\fred). Hint: you can determine the profile folder by right-clicking the Start button and clicking Explore (not Explore All). Now log out. Log in to the workstation with an account that has local administrative rights. It helps if this account also has domain admin rights, but it absolutely must have local admin rights. Find Fred's original profile folder, and apply permissions to it such that the user fred in the new domain has full rights to it. (You should see existing permissions of OLDDOMAIN\fred has full rights. You need to add NEWDOMAIN\fred.) Make sure you apply these rights to all child objects. Do the same for any other folders on this workstation that fred might've been given specific rights to. 
(You can skip this step if the filesystem is FAT32.)

Now open the registry editor (regedt32 on Windows 2000 or earlier; regedit ONLY in XP.). Under the HKEY_USERS hive, load the hive \Documents and Settings\fred\ntuser.dat. Note that this is fred's original profile registry hive. Similarly to how you just assigned rights to the profile folder, assign the rights to fred's registry hive. AFTER ASSIGNING RIGHTS, YOU MUST UNLOAD THE HIVE OR RESTART THE WORKSTATION or else Fred won't be able to log on.

Go to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Under this key, you will see several keys named for the user SIDs for profiles on this machine. Locate the key corresponding to fred's SID in the NEW domain. Change the value for ProfileImagePath to reflect the path to fred's original profile. Close the registry editor.

Assign any other rights, such as local administrator, to fred's new domain account.

REBOOT THE WORKSTATION.

Log in as fred, to the new domain. You should get fred's original desktop and have access to his documents.

WARNING: changes made in the registry editor are immediate. There is no undo. Use caution.

~Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
(360) 270-9317 cell

Michael Urban wrote:

> My message dated: Mon, 12 Dec 2005 10:16:14 EST
>
>> I am replacing a W2K AD server with a Samba server. The server has
>> a single W2K Workstation client, in a public area and used by a dozen
>> or so different users. When I join the workstation to the Samba domain,
>> it complains that it cannot load a roaming profile (in the W2K AD domain,
>> it used local profiles), and it does not create a new local profile,
>> instead using a temporary profile.
>>
>> Obviously a permission problem somewhere. What is the exact problem,
>> and what is the solution?
>
> I am still at sea on this. To clarify things a bit more, users of
> this workstation (under the W2K server) have local profiles, not
> floating profiles.
> I would like to let them continue to have local
> profiles, even if it proves impossible to let them use their old
> ones due to permission problems. However, even removing their
> directories from "C:\Documents and Settings" does not help - Windows
> does not create a new one for them (as all the documentation I have
> read led me to believe it would).
>
> logon path=
> logon home=
>
> does not seem to affect this situation. It still seems to try
> to get a floating profile, fails, and then makes a local profile
> in TEMP.
>
> Hasn't anyone performed this sort of migration before? What
> other information can I provide (or try to glean from log files)
> to get this sorted out?
[Samba] Re: SAMBA3 + LDAP
mallapadi niranjan wrote:
> Hi all
>
> I have samba3 with LDAP, My query is
>
> 1. My clients are windows 2000 professional, and the clients are not able to
> join the domain
> but if add the computer name in /etc/passwd
> ie computername$:x:110:200::/bin/false:/dev/null
> and then do smbpasswd -a -m computername , the computer is able to join the
> domain
> but i have mentioned the add machine script in smb.conf file

It seems you missed the nss_ldap part, what is in your /etc/ldap.conf and /etc/nsswitch.conf?

> 2. After Joining the domain, i am unable to login as Administrator, but able
> to login as root
> if i give command getent passwd | grep Administrator , there is no output

again, nss_ldap setup broken.

> 3. How do i create groups , and add users to the groups, it is not taking
> system groups,
> when i do smbldap-populate, it adds people, group, Domain Admins, Domain
> Users, etc and root, but not system groups
> so how to add system groups ,

depends, if you have the "add user to group script" and friends set up in smb.conf you can use usermgr.exe. You can use any ldap-tool to do it though.

> 4. in have smbldap-tool 0.9 , in that there is no mkntpasswd , is it ok, or
> this should be there, when i downloaded from the IDEALX website, it was not
> there in the TAR.gz file.

I think it has been replaced with some perl module recently.

cheers
Paul
Re: [Samba] Stuck in read-only mode
On Sat, 2005-12-17 at 07:28 -0600, Michael Satterwhite wrote:
> I'm running Samba on Ubuntu linux. I'm trying to set it up so that my
> Windows laptop can use my home directory on the linux box. I've
> configured the home directory as follows
>
> [home]
> case sensitive = no
> msdfs proxy = no
> read only = no
> username = michael
> comment = My home directory
> path = /home/michael
>
> When I try to write to the file on my Windows box, however, it shows the
> directory to be read-only. What am I missing?

You could try Samba 3.0.21rc2, as there were changes in this area.

Is it just shown as read only, or actually read only? The issue I'm talking about can be worked around by setting 'acl check permissions = no' in Samba 3.0.20 (where we had this issue).

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
[Samba] Using smbmount in a script - no return value
I'm trying to periodically mount an XP share on my linux box, and I've noticed that smbmount doesn't return a value so I can't test for success in my shell script:

    #!/bin/bash
    smbmount //NonsenseShare /bad/mnt/point || echo "error with smbmount"

In this case smbmount silently fails. I searched the archives and found a couple of messages about smbmount daemonizing before leaving a return value.

Is there a good way to test for the success or failure of smbmount?

Mat
Re: [Samba] Samba over PVFS: Corrupted Data
On Fri, 2005-12-16 at 20:56 -0500, Justin Mazzola Paluska wrote:
> Hello,
>
> I'm trying to export Samba shares that access a PVFS2
> (http://www.pvfs.org/pvfs2)-mounted partition. PVFS2 is a parallel,
> distributed file system for Linux clusters. PVFS2 gets mounted like
> any other partition and it offers non-POSIX file semantics similar to
> NFS. We can use standard shell commands (mv, ls, cp, etc.) to read
> and write files on the PVFS2 file system without any problems. On
> Samba (3.0.13) we've had quite a few problems:

The Samba 3.0.13 would be the first thing I would fix. Samba 3.0.21 is about to be released, and with oplock rewrites and other things since 3.0.13, it should provide a better basis for distributed filesystem work.

My guess is that the lack of posix locking is causing Word to fail, as it uses a lot of locks.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Re: [Samba] "NT_STATUS_LOGON_FAILURE"
Donald Musser wrote:

Hi everyone, I'm using the online HOWTO manual in the "Quick Start" reference to try and get a basic domain controller going. So I set up smb.conf, and testparm checked out okay, I've started nmbd and smbd, but when I try to run

    [EMAIL PROTECTED] samba]#smbclient -L -U%
    session setup failed: NT_STATUS_LOGON_FAILURE <-- I get this error

I recently got this message, and the solution in my case was to run (as root):

    # smbpasswd -a

where is a valid user account on the samba server.

Mat
Re: [Samba] Winbind problem (Trusting domains)
I cannot comment on idmap_rid approach because I am currently using idmap_ldap. I have had a wonderful experience with this setup. Also on all the clients I am running nscd and I have had no troubles. If nscd ever gives you trouble all you have to do is invalidate the cache in question. Rather than shutting down nscd you can simply do nscd -i passwd to flush the users cache.

I must warn you that the idmap_ldap setup is horribly unstable on RHEL3.x and CentOS 3.x. Winbind dies periodically. However on CentOS4/RHEL4 and SLEL 9.3 it is very stable. I am also running Gentoo clients and it is very stable on that too.

By the way initially I did all my testing without nscd. I only started to use nscd when I noticed the increased load on ldap server and slow response.

On 12/16/05, Simo Sorce <[EMAIL PROTECTED]> wrote:
>
> On Fri, 2005-12-16 at 12:33 +0100, Michael Gasch wrote:
> > it has always been mentioned, that idmap_rid is the better backend in
> > large organizations
>
> Sorry ?
>
> I do not think idmap_rid is good for v. large organization.
> Probably the best bet is idmap_ldap.
>
> Nscd is ok as long as you know its downsides. For example on the PDC it
> is necessary to shut it down while adding or modifying users, and it may
> be a problem on member servers as it caches both positive _and_ negative
> lookups.
>
> Simo.
>
> --
> Simo Sorce- [EMAIL PROTECTED]
> Samba Team- http://www.samba.org
> Italian Site - http://samba.xsec.it

--
"Knowledge is the only wealth that grows as you spend it, and diminishes as you save it."
-- ancient Sanskrit saying
[Samba] Stuck in read-only mode
I'm running Samba on Ubuntu linux. I'm trying to set it up so that my Windows laptop can use my home directory on the linux box. I've configured the home directory as follows

    [home]
    case sensitive = no
    msdfs proxy = no
    read only = no
    username = michael
    comment = My home directory
    path = /home/michael

When I try to write to the file on my Windows box, however, it shows the directory to be read-only. What am I missing?