[Samba] XP to smb: won't log in as administrator

[robert_s]

We have a debian sarge box running in a small peer-to-peer network with
W2K and XP.  If I try to access a smb share from my XP box when I'm
logged in as administrator, I get prompted to log in as another user.
If I manually enter "administrator" and my password, it logs me in OK.
This is causing problems because commands like "net time" don't work
from my administrator account.

If I try to get to my smb shares from an W2K box as administrator, I
get logged in no problems.

Needless to say I have an account on my debian box called administrator
and the samba password matches my XP password.  I also have a valid user
on my debian box called administrator.

This is probably more of a Windows question, but I doubt that their
support is going to help me!


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Join AD domain using security = domain ?

[David Wilson]

Thanks Thomas.

Samba-3.0.21b. My smb.conf is off-site. I'll send it if disabling the client 
schannel still does not work.


Thanks for your help so far !


Kind regards

David Wilson
D c D a t a
CNS, CLS, Linux+
T: 0860-1-LINUX
F: 0866878971
M: 0824147413
E: [EMAIL PROTECTED]
W: http://www.dcdata.co.za

- Original Message - 
From: "Thomas Limoncelli" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, February 22, 2006 3:48 PM
Subject: Re: [Samba] Join AD domain using security = domain ?



David Wilson wrote:

Is it possible to join an AD domain using NT style authentication ?
i.e. security = domain  in smb.conf and use 'net join rpc -W [MYADDOMAIN]


Been there. Done that.


When I tried this I get the following error:
[2006/02/22 11:56:42, 0] 
rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
 cli_rpc_pipe_open_schannel: failed to get schannel session key from 
server msu

adserver for domain MYADDOMAIN.
[2006/02/22 11:56:42, 0] utils/net_rpc_join.c:net_rpc_join_ok(61)
 Error connecting to NETLOGON pipe. Error was 
NT_STATUS_NO_TRUST_SAM_ACCOUNT

Unable to join domain MYADDOMAIN.


You didn't post your Samba version and smb.conf, so we need to wild-guess. 
Try adding "client schannel = No" in [global].



-TL
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

--
This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html




--
This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Join AD domain using security = domain ?

[David Wilson]

Hi Jerry,

Thanks for your reply.

Cool. So I can just try 'client schannel = no' in the smb.conf and it should 
join ?


This is samba-3.0.21b on Solaris 9 (SunOS5.9).


Kind regards

David Wilson
D c D a t a
CNS, CLS, Linux+
T: 0860-1-LINUX
F: 0866878971
M: 0824147413
E: [EMAIL PROTECTED]
W: http://www.dcdata.co.za

- Original Message - 
From: "Gerald (Jerry) Carter" <[EMAIL PROTECTED]>

To: "David Wilson" <[EMAIL PROTECTED]>
Cc: 
Sent: Wednesday, February 22, 2006 3:58 PM
Subject: Re: [Samba] Join AD domain using security = domain ?



-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 22 Feb 2006, David Wilson wrote:


Hi guys,

Is it possible to join an AD domain using NT style authentication ?
i.e. security = domain  in smb.conf and use 'net join rpc -W [MYADDOMAIN]

When I tried this I get the following error:
[2006/02/22 11:56:42, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
 cli_rpc_pipe_open_schannel: failed to get schannel session key from 
server

msu
adserver for domain MYADDOMAIN.
[2006/02/22 11:56:42, 0] utils/net_rpc_join.c:net_rpc_join_ok(61)
 Error connecting to NETLOGON pipe. Error was 
NT_STATUS_NO_TRUST_SAM_ACCOUNT

Unable to join domain MYADDOMAIN.


Schannel is on RPC connections so you will see the same processing
regardless of how winbindd is configured.  You can set 'client schannel =
no' in smb.conf.  What version of Samba is this.?




cheers, jerry
=
I live in a Reply-to-All world.   ---
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFD/G4kIR7qMdg1EfYRApKAAKDYZ7xjn8/mY7Ume7nVnH8mtkShCgCgifz1
0rf30YyqVzKveX3UHvTdnC0=
=zQy/
-END PGP SIGNATURE-

--
This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html




--
This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba LDAP PDC BDC quit working

[mallapadi niranjan]

Hi philip

the samba pdc with openldap 2.2.13, i have lot of troubles, i have compiled
samba 3.0.21.when at the first time was released , i am not sure it's called
samba 3.0.21a or something. openldap 2.2.13 (shipped with Redhat Enterprise
linux 4) also need to be tweaked for having a good cachesize, checkpoints
etc.

so i have decided to go with samba 3.0.21b with openldap 2.3.19.
see to take backup in ldif and restore it , and check whether it works.
as i was told that openldap 2.3.19 has auto recovery in case of unclean
shutdowns.
hope this works

Regards
Niranjan




On 2/22/06, Philip Washington <[EMAIL PROTECTED]> wrote:
>
> mallapadi niranjan wrote:
>
> > Hi Philip
> >
> >
> > yes, I have the same properties, (for checking i did the rid*2+1000
> > and object class test. , but
> > once the computer are rejoined, it gets new rid, not the rid which is
> > in the LDIF.
> >
> > Regards
> > Niranjan
> >
> Okay, then this is something else I don't understand.
> If the LDAP database is getting corrupted then I can see how this
> problem could happen.  But if the PDC goes down as you describe in
> scenario-2 then it doesn't make sense that the computers should have to
> rejoin the domain, unless there is some information which is not being
> stored in the LDAP database.
>
> > On 2/21/06, *Philip Washington* <[EMAIL PROTECTED]
> > > wrote:
> >
> > mallapadi niranjan wrote:
> >
> > > Hi Craig
> > >
> > > Thanks for replying, The samba PDC gets rebooted because of Power
> > > outage, at night times.
> > > After the system gets rebooted,
> > > Scenario -01
> > > 1. Either some times the ldap gets hanged, (2.2.13) may be
> > because of
> > > inconsistency.
> > > 2. since ldap hangs, samba doesn't come up properly.
> > > 3. so i run db_recover and try to start the ldap service and
> > then samba
> > >
> > > Scenario-02
> > > if LDAP doesn't hang, and samba comes up nicely, the computer had
> to
> > > rejoin.
> > > but in my ldapdatabase, in OU=Computers, all the computer accounts
> > > exist. with
> > > rid and Object class intact.
> > > but some how i don't know why i have to rejoin,
> > >
> > Okay I just want to clarify this. After an unplanned reboot (power
> > outage) , your PDC comes back up and you find that some of the
> > computers
> > in your domain need to rejoin the domain??  Do you have recent
> > ldiff or
> > slapcats indicating that most of these computers have the same
> > properties in the LDAP database as before.
> >
> > > Scenario-03.
> > > I take the regular backup of LDAP, to LDIF file, and restore with
> > > latest LDIF file,
> > > eventhough i don't get the Computer Accounts and also i lose user
> 's
> > > passwords,
> > > After restoring from LDIF file.
> > >
> > > Scenario-04
> > > If i do safe reboot or shutdown, there 's no problem , the server
> > > works properly without any
> > > problem
> > >
> > > Regards
> > > Niranjan
> > >
> > >
> > > On 2/20/06, *Craig White* <[EMAIL PROTECTED]
> > 
> > >  > >> wrote:
> > >
> > > On Mon, 2006-02-20 at 11:55 +0530, mallapadi niranjan wrote:
> > > > Hi all
> > > >
> > > >
> > > > I too have the same problem , i am also using samba 3.0.21
> > with
> > > > openldap  version 2.2.13 on Redhat Enterprise Linux 4
> > enterprise
> > > > server.
> > > > if the samba PDC gets rebooted aburuptly,  some of my
> clients
> > > > workstations (Windows 2000 professional) have to rejoin.
> > > > i was asked to check whether RID of the computer name is
> > > correct(uid*2
> > > > + 1000) , ans whether
> > > > computer names have SambaSAMAccount object class.
> > > > eventhough my computernames' exist in the database with
> > correct
> > > object
> > > > class and rid, the clients
> > > > have to be rejoined. this happens only when samba PDC with
> > ldap
> > > gets
> > > > rebooted abruptly.
> > > > having said that, so i assume that LDAP is unable to
> maintain
> > > > consistency when it gets rebooted.
> > > >
> > > > so i had kept DB_CONFIG file in /var/lib/ldap(this is
> > where all bdb
> > > > files are there) and use db_recover
> > > > in case of any crash of ldap.
> > > >
> > > > But if we take backup in LDIF file and restore it, but
> > still my
> > > > computer accounts are not getting back, i had to rejoin.
> > > >
> > > > this is the problem that i am having, but still could not
> > find the
> > > > correct solution.
> > > 
> > > No - as you and he describe it, these are separate problems.
>

Re: [Samba] inherit groups?

[Jeremy Allison]

On Wed, Feb 22, 2006 at 04:07:01PM -0600, Marc Donnelly wrote:
> I'm wondering if there is a better way of doing this.
> 
> Right now we have a share (ShareA) with three sub directories in it 
> (Dir1, Dir2, Dir3) that have specific groups set for each directory. We 
> would like to have newly created files and/or directories inherit the 
> parent directories group.  Right now were using SETGID bit to 
> accomplish this.
> 
> Is there a better way to accomplish this via samba?  We are using 
> create mask and directory mask in smb.conf to ensure permission are 
> consistent.  However that doesn't seem to affect groups ownership.  We 
> also used "inherit permission = yes" but that also doesn't fill the 
> need.
> 
> Is there something similar to 'inherit owner" but for groups?

Not currently. I deliberately didn't add "inherit group" because
the SETGID bit in UNIX means the same thing. Anything I added
in smbd would just do the same thing, only slower :-). I could
add it if people would find it easier to set the same thing on
a per-share basis without having to mess with UNIX permissions,
although as I say it'll be slower.

I'm curious as to why this isn't working for you. Can you
give more details ?

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Questions about sub-folders, access...?

[Warren Beldad]

On 2/22/06, Alberto Moreno <[EMAIL PROTECTED]> wrote:
>
> Hi people, iam testing samba3 on freebsd 5.4, i install samba from ports
> with no problems, i have this simple smb.conf file:
>
> [global]
>workgroup = WORKGROUP
>netbios name = FREEBSD
>server string = Samba Server FreeBSD
>security = user
>encrypt passwords = yes
> [public]
>comment = %h Shared Public Directory
>path = /opt/test
>force directory mode = 0777
>force create mode = 0777
>force group = nobody
>force user = nobody
>public = yes
>writeable = yes
>read only = no
>
>   My problem right now is that i want to create one folder with the user X
> inside this share and give access to  user Y to that sub-folder, them i
> create the folder with the user X from windows 2000, smbd create the
> folder
> with this permisions:
>
> root# getfacl test
> #file:test
> #owner:65534
> #group:0
> user::rwx
> group::rwx
> other::rwx
>
> The owner is nobody like the smb.conf say, the group 0 is wheel, ok here
> everybody can access the folder, but what about if i only want to give
> access to the owner(X user) and the user Y...?
>
>   Ok, after rading some docs, i do this:
>
> Go to freebsd login with root and change the folder rights:
>
> root# chown X:Y /opt/test/NewFolder
> root# chmod 770 /opt/test/NewFolder
>
>   Now user X or Y if try to access the folder from windows 2000 smbd say
> \\Freebsd\public\test is not accessible Access is denied


yes, maybe access denied because you connect to public as user "nobody" and
then you access a subfolder in it where only user:group X:Y has the
permission.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] samba and pocket-pc

[Jeremy Allison]

On Thu, Feb 23, 2006 at 02:49:11AM +0100, Nikolaus Hammler wrote:
> hi,
> 
> A longer time ago (maybe I had still an old samba version, I can't 
> remember) I connected my Pocket PC (PPC2003) to my samba server without 
> any problems.
> 
> Now I've got a new device which features builtin WLAN and I tried to 
> connect but I get an error which makes me feel sad:
> 
> (in german)
> 
> '\\' (oder eine der zugehoerigen Komponenten) nicht gefunden. Stellen 
> Sie sicher, dass Pfad und Dateiname korrekt sind, und dass alle 
> erforderlichen Bibliotheken verfuegbar sind.
> 
> analogous,
> 
> File '\\' (or some needed components) not found. Make sure that path and 
> file name is correct and that all required libraries are available.
> 
> 
> At the moment smbd -V displays:
> Version 3.0.14a-Debian
> 
> I read a few things on that issue on the net but there are no solutions 
> and I'm confused because it WORKED already.
> 
> 
> Is there any known solution or fix on this problem?

Yes, upgrade. I did a lot of work on making PPC clients work
correctly against later Samba codebases. Try 3.0.21b, it should
work fine. I'm also looking for testers for 3.0.21c for a change
I need to make in this area...

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] samba and pocket-pc

[Nikolaus Hammler]

hi,

A longer time ago (maybe I had still an old samba version, I can't 
remember) I connected my Pocket PC (PPC2003) to my samba server without 
any problems.


Now I've got a new device which features builtin WLAN and I tried to 
connect but I get an error which makes me feel sad:


(in german)

'\\' (oder eine der zugehoerigen Komponenten) nicht gefunden. Stellen 
Sie sicher, dass Pfad und Dateiname korrekt sind, und dass alle 
erforderlichen Bibliotheken verfuegbar sind.


analogous,

File '\\' (or some needed components) not found. Make sure that path and 
file name is correct and that all required libraries are available.



At the moment smbd -V displays:
Version 3.0.14a-Debian

I read a few things on that issue on the net but there are no solutions 
and I'm confused because it WORKED already.



Is there any known solution or fix on this problem?


I could also provide you with any (debug-)information required!



Thank you very much!

niki



Attachment: dump of my smb.conf (global-section)

panic action = /usr/share/samba/panic-action %d
domain master = yes
bind interfaces only = true
interfaces = eth0
domain logons = yes
printing = cups
printcap name = cups
load printers = yes
username map = /etc/samba/users.map
preferred master = yes
logon path = \\%L\profile
server string = NOBAQ Server, PDC
workgroup = NOBAQ.NET
logon script = logon.cmd
netbios name = nobaq
dos charset = CP850
create mode = 644
logon drive = U:
log level = 3
log file = /var/log/samba/SMB.log

; PPC try...
;nt status support = no

max log size = 5
time server = yes
preserve case = yes
passwd program = /usr/bin/passwd %u
encrypt passwords = true
passdb backend = tdbsam guest
socket options = TCP_NODELAY IPTOS_THROUGHPUT SO_KEEPALIVE 
SO_SNDBUF=18384 SO_RCVBUF=16384


deadtime = 0
guest account = nobody
local master = yes
short preserve case = yes
security = user
unix charset = ISO8859-1
create mask = 600
directory mask = 700
os level = 128
wins support = yes
name resolve order = lmhosts wins host bcast


--
Nikolaus Hammler
http://www.nobaq.net

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] ? BDC & LDAP

[Chuck Kollars]

Can I set up a *second* server as a BDC yet still have all my file-share 
requests routed to the *first* server? In other words can I have *two* domain 
controllers but only *one* file share? If I can, what's the rough sketch of the 
configuration I want?

My short-term goal is to not have any Microsoft software in the back room so as 
to avoid paying the Gates tax. (My long-term goal is in a few years to not have 
any Microsoft software on the clients either for the same reason.)

(Or maybe I'm not asking the right specific question, missing the forest for 
the trees. If you'd like to back up and view the whole picture and offer some 
meta-advice, here's my situation: I'm hosting "home" directories for each of 
~800 students and teachers. [A flash/thumb drive for every user would cost a 
whole lot more than a couple servers in the back room.] I currently use domain 
login only to a] allow a startup script to map the "home" directory to a drive 
and b] validate credentials right away so it doesn't need to be done at file 
save time. Currently I do all this with only *one* Samba server acting as both 
a file share and a PDC; it works tolerably well, but seems overly risky.)
--
Chuck Kollars - principal Kollars Informatics




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] wbinfo -g/-u error

[luciano_mt]

Hi,

I have a problem with users enumeration on winbind ...
If I run wbinfo -g the system only display :

BUILTIN-System Operators
BUILTIN-Replicators
BUILTIN-Guests
BUILTIN-Power Users
BUILTIN-Print Operators
BUILTIN-Administrators
BUILTIN-Account Operators
BUILTIN-Backup Operators
BUILTIN-Users

But I am joined on Domain COSTACAVALCANTI and there are many groups...

Some queries work ...

[EMAIL PROTECTED] samba]# wbinfo -n COSTACAVALCANTI-Administrator
S-1-5-21-153786527-857004153-1838531238-500 User (1)
[EMAIL PROTECTED] samba]# wbinfo -S S-1-5-21-153786527-857004153-1838531238-500
10166

[EMAIL PROTECTED] samba]# wbinfo -t
checking the trust secret via RPC calls succeeded

When I use  ...

[EMAIL PROTECTED] samba]# wbinfo -u
Error looking up domain users

[EMAIL PROTECTED] samba]# wbinfo --sequence
SERVER03 : 1
BUILTIN : 1
COSTACAVALCANTI : DISCONNECTED

[EMAIL PROTECTED] samba]# wbinfo -m
SERVER03
BUILTIN

I tried put  a password with ...

wbinfo --set-auth-user=COSTACAVALCANTI-Administrator%password

But the problem continue

There are error messagens when I user winbindd -i -d 3

get_sam_group_entries: could not enumerate domain groups! Error: 
NT_STATUS_ACCESS_DENIED

When I try ...

[EMAIL PROTECTED] samba]# wbinfo -g
BUILTIN-System Operators
BUILTIN-Replicators
BUILTIN-Guests
BUILTIN-Power Users
BUILTIN-Print Operators
BUILTIN-Administrators
BUILTIN-Account Operators
BUILTIN-Backup Operators
BUILTIN-Users

The winbindd log display ...

[17701]: request interface version
[17701]: request location of privileged pipe
[17701]: list groups
convert_string_allocate: Conversion error: Incomplete multibyte sequence(?K)
get_sam_group_entries: could not enumerate domain groups! Error: 
NT_STATUS_ACCESS_DENIED

My system is a REHL 4 ...
[EMAIL PROTECTED] samba]# uname -a
Linux server03.costacavalcanti.local 2.6.9-22.0.2.ELsmp #1 SMP Thu Jan 5 
17:13:01 EST 2006 i686 i686 i386 GNU/Linux

and samba is ..

[EMAIL PROTECTED] samba]# rpm -qa | grep samba
samba-3.0.10-1.4E.2
samba-common-3.0.10-1.4E.2
system-config-samba-1.2.21-1
samba-client-3.0.10-1.4E.2

The smb.conf

# Global parameters
[global]
workgroup = COSTACAVALCANTI
realm = COSTACAVALCANTI.LOCAL
netbios aliases = SRV_HMCC
server string = Samba Server
security = DOMAIN
map to guest = Bad User
password server = 172.16.1.1
username map = /etc/samba/username.map
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
dns proxy = No
wins server = 172.16.1.1
idmap uid = 1-2
idmap gid = 1-2
winbind separator = -
winbind use default domain = Yes
recycle:maxsize = 10
recycle:noversions = .doc|.xls|.ppt
recycle:versions = True
recycle:keeptree = True
recycle:exclude = *.tmp *.temp *.o *.obj ~$* *.mpg *.mpeg *.mp3 *.wav 
*.wmv *.pps
guest ok = Yes
cups options = raw
veto files = lost+found
vfs objects = recycle


The AD server is Windows 2003 Server with SP1 ...

I need help ...

Thanks ...

Luciano


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] My Network Places not finding Samba server

[Eric Hines]

You might try adding it to your XP's hosts file, 
also.  This is located in the same place as your 
lmhosts file; it has slightly different 
uses.  Also, you might ensure that this other 
NetBIOS name and IP address are listed in your 
Linux box's hosts file.  A lot of things in your 
network get gutsed up when your Linux box comes 
up, and it gets its initial data from, among other places, its hosts file.


Eric Hines

At 02/21/06 22:11, Frederick C. Damen wrote:
I changed the smb.conf to have a different 
NetBios Name then the workgroup 'DAMEN'.

There does not appear to any change from the XP 'My Network Places'
Although the nmbd.log indicates that the name DAMEN<00> is not found.
[2006/02/21 21:24:14, 1] 
nmbd/nmbd_incomingrequests.c:process_node_status_request(328)
 process_node_status_request: status request 
for name DAMEN<00> from IP 192.168.0.1 on subnet UNICAST_SUBNET -

name not found.
[2006/02/21 21:24:16, 1] 
nmbd/nmbd_incomingrequests.c:process_node_status_request(328)
 process_node_status_request: status request 
for name DAMEN<00> from IP 192.168.0.1 on subnet UNICAST_SUBNET -

name not found.

Although  'nmblookup DAMEN' finds the name when 
executed on the linux box upon which smbd/nmbd is running.

querying DAMEN on 192.168.255.255
192.168.0.1 DAMEN<00>

This appear to (not)work the same with or 
without DAMEN listed in the lmhosts file.

Do I need to list the workgroup name somewhere else also?

Thanks,

Fred


Frederick C. Damen wrote:


Thanks. I removed the entry for DAMEN from lmhosts and restart smb/nmb and
no change that I can see.

Thanks,

Fred

Kristaps Rāts wrote:


Having the machine name equal to the workgroup name is a no-no, as far
as I know.

On O , 2006-02-21 at 08:15 -0600, Frederick C. Damen wrote:



I assume I am doing(or not) something extremely simple that is causing
my XP boxes to not see my linux(FC4) Samba 
server in the 'My Network Places'.


I can access the shares by 'Map Network Drive' and using the IP
address(192.168.0.1).
I have set the workgroup name 'DAMEN' in the lmhosts file.
192.168.0.1 DAMEN

I have set the workgroup in the smb.conf file.
   workgroup = damen
   netbios name = damen
I have configured the Samba server to be the Domain Master Browser
   os level = 35
  domain master = yes
   preferred master = yes
  wins support = yes
I have configured the [global] to be browseable.
   browseable = yes
   public = yes


I have set the XP box to be on a home network(not bussiness network) and
workgroup to DAMEN.

Any ideas?

Thanks,

Fred











--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


There is no nonsense so errant that it cannot be 
made the creed of the vast majority by adequate governmental action.

--Bertrand Russell

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Kerberos auth w/o a domain

[Chris Dombroski]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I would like to be able to use kerberos for samba authentication from
linux and windows, without having to create a domain/ad. From what I've
read and seen, native kerberos authentication only works for windows
clients inside a active directory context, while pam authentication only
works with unencrypted passwords which aren't supported by recent
windows versions.

Here are the software versions FWIW:
Samba: 3.0.21b
MIT-krb5: 1.4.3
Linux-PAM: 0.79
Windows XP Pro SP2

Thanks in advance for your help,

Chris Dombroski
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFD/N95nUQ+0UT6+t8RAujIAJ4060z1JjcuvstUiDiJeVsJnJUAPQCbBCGz
MfnN5+3NvEMtnZeQsWRMRwg=
=D1VV
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] inherit groups?

[Marc Donnelly]

I'm wondering if there is a better way of doing this.

Right now we have a share (ShareA) with three sub directories in it 
(Dir1, Dir2, Dir3) that have specific groups set for each directory. We 
would like to have newly created files and/or directories inherit the 
parent directories group.  Right now were using SETGID bit to 
accomplish this.


Is there a better way to accomplish this via samba?  We are using 
create mask and directory mask in smb.conf to ensure permission are 
consistent.  However that doesn't seem to affect groups ownership.  We 
also used "inherit permission = yes" but that also doesn't fill the 
need.


Is there something similar to 'inherit owner" but for groups?

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba 3.0.21b winbind crash

[Thomas Limoncelli]

Gerald (Jerry) Carter wrote:

I still have the original (problematic) tdb file around, so I could
easily verify if winbindd still crashes upon *reading* this file. Would
you be interested?


No.  That's ok.  I have a tool to corrupt tdbs for tests like this.
:-)


But then, given that tdbtool apparently has no problem dealing with this 
file, perhaps this is a more subtle issue than just tdb file curruption 
as such? Maybe winbindd chokes about a particular (valid?) entry? Still 
not interested? ;-)



-TL
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba 3.0.21b winbind crash

[Gerald (Jerry) Carter]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Thomas Limoncelli wrote:

> I agree that this'd be a useful generic change to limit the
> *consequences* of any tdb cache file corruption (which winbindd should
> still avoid to contribute to in the first place, of course).
>
> Are you saying that we'll see such a change in one of the upcoming
> releases (3.0.21c or 3.0.22)?

Maybe for 3.0.22.  I had some code that did this once before.
I think Jeremy was the original author but it got removed from
the tree a year or so ago.

> I still have the original (problematic) tdb file around, so I could
> easily verify if winbindd still crashes upon *reading* this file. Would
> you be interested?

No.  That's ok.  I have a tool to corrupt tdbs for tests like this.
:-)

> Reproducing the fact that winbindd *produced* a corrupted 
> tdb file is likely to be much harder.

True.





cheers, jerry
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD/NR/IR7qMdg1EfYRAsu5AJ9ixyZBj1DALqcl02nczMY6war83QCgt3PW
Ox/dFaid0T4naIPSnmfAFDs=
=pLpa
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba 3.0.21b winbind crash

[Thomas Limoncelli]

Gerald (Jerry) Carter wrote:

Lars Müller wrote:

On Wed, Feb 22, 2006 at 11:50:36AM +0100, Thomas Limoncelli wrote:

Shall I file a bugzilla entry and assign to the SuSE package maintainer?

Please as soon as you have the same problem again.  See the details for
bug reporting at http://en.opensuse.org/Samba in the section 'Samba
package bug reporting'.


For what it's worth, the SAMBA_3_0_RELEASE is ready for 3.0.21c
minus the release notes, the fix for BUG #3501, and a workaround
for a bug in 2k clients.  But you could test winbindd now.


I still have the original (problematic) tdb file around, so I could 
easily verify if winbindd still crashes upon *reading* this file. Would 
you be interested?


Reproducing the fact that winbindd *produced* a corrupted tdb file is 
likely to be much harder.



-TL
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba 3.0.21b winbind crash

[Thomas Limoncelli]

Gerald (Jerry) Carter wrote:

But since winbindd from 3.0.21b was the only process ever maintaining
this file, wouldn't this still make it a significant bug worth looking
into?


Yes.  But the only real solution is to have winbindd remove
the corrupted file automatically and reopen it.  It's a robustness
fix.


I agree that this'd be a useful generic change to limit the 
*consequences* of any tdb cache file corruption (which winbindd should 
still avoid to contribute to in the first place, of course).


Are you saying that we'll see such a change in one of the upcoming 
releases (3.0.21c or 3.0.22)?



-TL
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Problem authenticating another domain

[Trimble, Ronald D]

I am trying to authenticate a user in a domain (EU) other than my
default domain (NA).  I am at a loss as to what may be wrong at this
point.  When I run a wbinfo -sequence, I see the following:

 

linux:~ # wbinfo --sequence

LAC : DISCONNECTED

EU : DISCONNECTED

AP : DISCONNECTED

UIS : 19895750

TRIMBLRDLINUX : 1

BUILTIN : 1

NA : 15410431

 

If I try a kinit, here is the output:

 

linux:~ # kinit [EMAIL PROTECTED]

[EMAIL PROTECTED]'s Password:

kinit: krb5_get_init_creds: unable to reach any KDC in realm
eu.uis.unisys.com

 

When I look at the logs for this domain, I see the following.  Notice
that it is correctly identifying a domain controller in that domain, but
starts failing after that.

 

[2006/02/22 15:12:51, 10] libsmb/namequery.c:internal_resolve_name(1145)

  internal_resolve_name: returning 26 addresses: 129.221.252.21:389
129.221.133.22:389 192.39.63.13:389 129.227.66.176:389
129.227.167.210:389 192.39.98.13:389 129.227.145.14:389
129.227.59.14:389 192.39.48.14:389 192.39.178.4:389 129.227.37.30:389
129.227.207.13:389 192.39.193.60:389 192.39.7.11:389 129.221.130.16:389
192.61.146.133:389 129.227.208.15:389 192.39.239.60:389
129.227.196.10:389 192.39.187.7:389 129.227.28.11:389 192.39.248.10:389
129.227.143.60:389 129.221.130.10:389 192.39.239.30:389
192.39.186.45:389

[2006/02/22 15:12:51, 5] libads/ldap.c:ads_try_connect(123)

  ads_try_connect: trying ldap server '192.61.146.133' port 389

[2006/02/22 15:12:51, 3] libads/ldap.c:ads_connect(285)

  Connected to LDAP server 192.61.146.133

[2006/02/22 15:12:51, 3] libads/ldap.c:ads_server_info(2514)

  got ldap server name [EMAIL PROTECTED], using bind path:
dc=EU,dc=UIS,dc=UNISYS,dc=COM

[2006/02/22 15:12:51, 4] libads/ldap.c:ads_server_info(2520)

  time offset is 70 seconds

[2006/02/22 15:12:52, 4] libads/sasl.c:ads_sasl_bind(451)

  Found SASL mechanism GSS-SPNEGO

[2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(206)

  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2

[2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(206)

  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2

[2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(206)

  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3

[2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(206)

  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10

[2006/02/22 15:12:52, 3] libads/sasl.c:ads_sasl_spnego_bind(215)

  ads_sasl_spnego_bind: got server principal name
[EMAIL PROTECTED]

[2006/02/22 15:13:04, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394)

  ads_krb5_mk_req: krb5_get_credentials failed for
[EMAIL PROTECTED] (Cannot contact any KDC for requested
realm)

[2006/02/22 15:13:14, 1] libsmb/clikrb5.c:ads_krb5_mk_req(394)

  ads_krb5_mk_req: krb5_get_credentials failed for
[EMAIL PROTECTED] (Cannot contact any KDC for requested
realm)

[2006/02/22 15:13:14, 1]
nsswitch/winbindd_ads.c:ads_cached_connection(81)

  ads_connect for domain EU failed: Cannot contact any KDC for requested
realm

[2006/02/22 15:13:14, 10]
nsswitch/winbindd_cache.c:store_cache_seqnum(329)

  store_cache_seqnum: success [EU][4294967295 @ 1140639194]

[2006/02/22 15:13:14, 10]
nsswitch/winbindd_cache.c:refresh_sequence_number(387)

  refresh_sequence_number: EU seq number is now -1

 

Does anyone see what may be wrong?  This problem is driving me nuts.

 

Thanks in advance,

Ron

 

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Can't join my domain

[James Taylor]

Then that would be your problem... change your Add Machine Script...

smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false '%m'

Then try adding a new machine.

JT

-Original Message-
From: Bevan Agard [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 22, 2006 12:04 PM
To: 'James Taylor'
Subject: RE: [Samba] Can't join my domain



In the World one must be able to 
Adapt, and Evolve 
Or run the risk of becoming EXTINCT

> -Original Message-
> From: James Taylor [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 22, 2006 3:59 PM
> To: 'Bevan Agard'
> Subject: RE: [Samba] Can't join my domain
> 
> Does the LDAP Machine account include:
> objectClass: sambaSAMAccount
> sambaSID: "domain sid"-
> 
> JT
[Bevan Agard] 

Actually it does not.  strange
> 
> -Original Message-
> From: Bevan Agard [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 22, 2006 11:53 AM
> To: 'James Taylor'
> Subject: RE: [Samba] Can't join my domain
> 
> 
> 
> In the World one must be able to
> Adapt, and Evolve
> Or run the risk of becoming EXTINCT
> 
> > -Original Message-
> > From: James Taylor [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, February 22, 2006 3:04 PM
> > To: 'Bevan Agard'
> > Subject: RE: [Samba] Can't join my domain
> >
> > When you are trying to join a system to your Domain are the computer
> > accounts created in your LDAP Database as "machinename$" also with the
> > sambaSAMAccount information?
> >
> [Bevan Agard]
> Yes the machine name gets added to the LDAP Database and I get an error on
> the windows box stating
> "Cannot join Domain"
> "User name not found"
> 
> 
> 
> > What does your SAMBA "Add Machine Script" look like in your smb.conf
> file?
> >
> > JT
> [Bevan Agard]
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> 
> 
> >
> > -Original Message-
> > From: Bevan Agard [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, February 22, 2006 11:00 AM
> > To: 'James Taylor'; samba@lists.samba.org
> > Subject: RE: [Samba] Can't join my domain
> >
> >
> >
> > In the World one must be able to
> > Adapt, and Evolve
> > Or run the risk of becoming EXTINCT
> >
> > > -Original Message-
> > > From: James Taylor [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, February 22, 2006 2:39 PM
> > > To: 'Bevan Agard'; samba@lists.samba.org
> > > Subject: RE: [Samba] Can't join my domain
> > >
> > > What do your Add Machine Scripts look like in Samba?  Also, are you
> > using
> > > the smbldap-tools from idealx?
> > >
> > [Bevan Agard]
> >
> > I am using the scripts from idealx.
> >
> > I followed the HOWTO on samba.org (Happy Users Ch 5)
> >
> >
> > > JT
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On
> > Behalf
> > > Of Bevan Agard
> > > Sent: Wednesday, February 22, 2006 5:12 AM
> > > To: samba@lists.samba.org
> > > Subject: [Samba] Can't join my domain
> > >
> > > Guys and dolls,
> > > Greetings, I hope you all are in good health, great spirits and your
> > > glasses
> > > never empty.
> > >
> > > I have a samba, openldap question.
> > >
> > > I am trying to setup a FC-4 box to be a PDC for a small network of
> about
> > > 150
> > > users.  I was following the HOWTO on the SAMBA site.  Everything seems
> > to
> > > be
> > > fine however I cannot join the domain.  I get the error "User name
> could
> > > not
> > > be found." The error logs show that the login/password used to join
> the
> > > domain was accpeted and correct.  I decided to step back a bit to see
> if
> > > the
> > > PDC could join the domain but also no luck.  I got the following when
> I
> > > ran
> > > the command
> > >
> > > [EMAIL PROTECTED] ~]# net rpc join -d 3 -l -S PDC -U root
> > > [2006/02/21 10:57:03, 3] param/loadparm.c:lp_load(3916)
> > >   lp_load: refreshing parameters
> > > [2006/02/21 10:57:03, 3] param/loadparm.c:init_globals(1321)
> > >   Initialising global parameters
> > > [2006/02/21 10:57:03, 3] param/params.c:pm_process(573)
> > >   params.c:pm_process() - Processing configuration file
> > > "/etc/samba/smb.conf"
> > > [2006/02/21 10:57:03, 3] param/loadparm.c:do_section(3418)
> > >   Processing section "[global]"
> > > [2006/02/21 10:57:03, 1] param/loadparm.c:lp_do_parameter(3159)
> > >   WARNING: The "min passwd length" option is deprecated
> > > [2006/02/21 10:57:03, 2] lib/interface.c:add_interface(81)
> > >   added interface ip=10.50.0.20 bcast=10.50.255.255 nmask=255.255.0.0
> > > [2006/02/21 10:57:03, 2] lib/interface.c:add_interface(81)
> > >   added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
> > > [2006/02/21 10:57:03, 3] libsmb/namequery.c:resolve_wins(752)
> > >   resolve_wins: Attempting wins lookup for name PDC<0x20>
> > > [2006/02/21 10:57:03, 3] libsmb/namequery.c:name_resolve_bcast(694)
> > >   name_resolve_bcast: Attempting broadcast lookup for name PDC<0x20>
> > > [2006/02/21 10:57:03, 2] libsmb/namequery.c:name_query(492)
> > >   Got a positive name query respon

[Samba] Group Migration from tbd to ldap on same machine

[Hans Rasmussen]

Hi All.

I am changing my server over from tdbsam to ldapsam (same machine).  I have 
successfully migrated my users and computers using the idealx tools and 
pdbedit.  I can't seem to find a way to tranfer my custom NT groups into 
ldap.  The idealx tools created "Domain Admins", "Domain Users", etc.  I 
have created other domain groups, "Drafting", "Admin", etc and would like to 
transfer these.  Also, the local groups did not seem to be created "Power 
Users" "Users".   pdbedit -g copied my /etc/group over.  Anything that I am 
missing, or will I have to use the idealx tools to recreate my custom domain 
groups.


Thanks

Hans Rasmussen
CIS/GIS Coordinator


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Wrong user used when mounting with mount.cifs

[Corey McGuire]

This may be sorta off topic considering this is probably regarding the
linux kernel but I am hoping someone here will have the answer anyway.

I am having the strangest problem when mounting a samba share with "-t
cifs" as opposed to "-t smbfs" where, instead of mounting as the user I am
logged in as, it is mounted as if I were logged on as a completely
different user.

For example:
=

[EMAIL PROTECTED] ~ $ mount

/dev/sda2 on / type reiserfs (rw,noatime)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
udev on /dev type tmpfs (rw,nosuid)
devpts on /dev/pts type devpts (rw)
none on /dev/shm type tmpfs (rw)

[EMAIL PROTECTED] ~ $ ls -l /mnt

drwxr-xr-x   2 me   users  48 Jan 27 06:48 samba

[EMAIL PROTECTED] ~ $ mount /mnt/samba
Password:

[EMAIL PROTECTED] ~ $ ls -l /mnt

drwxr-xr-x  27 notmeusers   0 Feb 22 08:46 samba

[EMAIL PROTECTED] ~ $ su -

Password:

workstation ~ # umount /mnt/samba

workstation ~ # mount /mnt/samba
Password:

luthic ~ # ls -l /mnt

drwxr-xr-x  27 notmeusers   0 Feb 22 08:46 samba

=

my fstab reads as such

//server/share /mnt/samba cifs user,noauto,username=user 0 0

If I remove the offending user account (ie. "notme") and remount the
share, I get the UID instead of the username

example:
drwxr-xr-x  27 1002 users   0 Feb 22 08:46 samba

This is my first time using cifs, due to problems, I was going to move off
of smbfs.

Has anyone had any experiences like mine?  It doesn't seam to make any sense?

workstation 411
=
Linux version 2.6.15-gentoo-r1
mount: mount-2.12r
mount.cifs version: 1.9

server 411
=
Linux version 2.6.12-gentoo
samba-3.0.21b

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Can't join my domain

[Bevan Agard]

In the World one must be able to 
Adapt, and Evolve 
Or run the risk of becoming EXTINCT

> -Original Message-
> From: James Taylor [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 22, 2006 2:39 PM
> To: 'Bevan Agard'; samba@lists.samba.org
> Subject: RE: [Samba] Can't join my domain
> 
> What do your Add Machine Scripts look like in Samba?  Also, are you using
> the smbldap-tools from idealx?
> 
[Bevan Agard] 

I am using the scripts from idealx.

I followed the HOWTO on samba.org (Happy Users Ch 5)


> JT
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf
> Of Bevan Agard
> Sent: Wednesday, February 22, 2006 5:12 AM
> To: samba@lists.samba.org
> Subject: [Samba] Can't join my domain
> 
> Guys and dolls,
> Greetings, I hope you all are in good health, great spirits and your
> glasses
> never empty.
> 
> I have a samba, openldap question.
> 
> I am trying to setup a FC-4 box to be a PDC for a small network of about
> 150
> users.  I was following the HOWTO on the SAMBA site.  Everything seems to
> be
> fine however I cannot join the domain.  I get the error "User name could
> not
> be found." The error logs show that the login/password used to join the
> domain was accpeted and correct.  I decided to step back a bit to see if
> the
> PDC could join the domain but also no luck.  I got the following when I
> ran
> the command
> 
> [EMAIL PROTECTED] ~]# net rpc join -d 3 -l -S PDC -U root
> [2006/02/21 10:57:03, 3] param/loadparm.c:lp_load(3916)
>   lp_load: refreshing parameters
> [2006/02/21 10:57:03, 3] param/loadparm.c:init_globals(1321)
>   Initialising global parameters
> [2006/02/21 10:57:03, 3] param/params.c:pm_process(573)
>   params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2006/02/21 10:57:03, 3] param/loadparm.c:do_section(3418)
>   Processing section "[global]"
> [2006/02/21 10:57:03, 1] param/loadparm.c:lp_do_parameter(3159)
>   WARNING: The "min passwd length" option is deprecated
> [2006/02/21 10:57:03, 2] lib/interface.c:add_interface(81)
>   added interface ip=10.50.0.20 bcast=10.50.255.255 nmask=255.255.0.0
> [2006/02/21 10:57:03, 2] lib/interface.c:add_interface(81)
>   added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
> [2006/02/21 10:57:03, 3] libsmb/namequery.c:resolve_wins(752)
>   resolve_wins: Attempting wins lookup for name PDC<0x20>
> [2006/02/21 10:57:03, 3] libsmb/namequery.c:name_resolve_bcast(694)
>   name_resolve_bcast: Attempting broadcast lookup for name PDC<0x20>
> [2006/02/21 10:57:03, 2] libsmb/namequery.c:name_query(492)
>   Got a positive name query response from 10.50.0.20 ( 10.50.0.20 )
> [2006/02/21 10:57:03, 3] libsmb/cliconnect.c:cli_start_connection(1406)
>   Connecting to host=PDC
> [2006/02/21 10:57:03, 3] lib/util_sock.c:open_socket_out(752)
>   Connecting to 10.50.0.20 at port 445
> [2006/02/21 10:57:04, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(290)
>   cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
> [2006/02/21 10:57:04, 3] libsmb/trusts_util.c:just_change_the_password(43)
>   just_change_the_password: unable to setup creds
> (NT_STATUS_ACCESS_DENIED)!
> [2006/02/21 10:57:04, 1] utils/net_rpc.c:run_rpc_command(138)
>   rpc command function failed! (NT_STATUS_ACCESS_DENIED)
> Password:
> [2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_start_connection(1406)
>   Connecting to host=PDC
> [2006/02/21 10:57:10, 3] lib/util_sock.c:open_socket_out(752)
>   Connecting to 10.50.0.20 at port 445
> [2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
>   Doing spnego session setup (blob length=58)
> [2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
>   got OID=1 3 6 1 4 1 311 2 2 10
> [2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
>   got principal=NONE
> [2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(869)
>   Got challenge flags:
> [2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x60890215
> [2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(891)
>   NTLMSSP: Set final flags:
> [2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x60080215
> [2006/02/21 10:57:10, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x60080215
> [2006/02/21 10:57:10, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
>   lsa_io_sec_qos: length c does not match size 8
> Creation of workstation account failed
> Unable to join domain CDCGA.
> [2006/02/21 10:57:12, 2] utils/net.c:main(897)
>   return code = 1
> 
> I googled the the NT_STATUS_ACCESS_DENIED error and no luck as of yet.
> 
> Have any of you samba sensei seen anything like this or have an
> suggestions
> as to how to kick this trouble ticket out.
> 
> Thanks
> 
> 
> 
> I

RE: [Samba] Can't join my domain

[James Taylor]

What do your Add Machine Scripts look like in Samba?  Also, are you using
the smbldap-tools from idealx?

JT

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Bevan Agard
Sent: Wednesday, February 22, 2006 5:12 AM
To: samba@lists.samba.org
Subject: [Samba] Can't join my domain

Guys and dolls,
Greetings, I hope you all are in good health, great spirits and your glasses
never empty.

I have a samba, openldap question.

I am trying to setup a FC-4 box to be a PDC for a small network of about 150
users.  I was following the HOWTO on the SAMBA site.  Everything seems to be
fine however I cannot join the domain.  I get the error "User name could not
be found." The error logs show that the login/password used to join the
domain was accpeted and correct.  I decided to step back a bit to see if the
PDC could join the domain but also no luck.  I got the following when I ran
the command

[EMAIL PROTECTED] ~]# net rpc join -d 3 -l -S PDC -U root
[2006/02/21 10:57:03, 3] param/loadparm.c:lp_load(3916)
  lp_load: refreshing parameters
[2006/02/21 10:57:03, 3] param/loadparm.c:init_globals(1321)
  Initialising global parameters
[2006/02/21 10:57:03, 3] param/params.c:pm_process(573)
  params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2006/02/21 10:57:03, 3] param/loadparm.c:do_section(3418)
  Processing section "[global]"
[2006/02/21 10:57:03, 1] param/loadparm.c:lp_do_parameter(3159)
  WARNING: The "min passwd length" option is deprecated
[2006/02/21 10:57:03, 2] lib/interface.c:add_interface(81)
  added interface ip=10.50.0.20 bcast=10.50.255.255 nmask=255.255.0.0
[2006/02/21 10:57:03, 2] lib/interface.c:add_interface(81)
  added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
[2006/02/21 10:57:03, 3] libsmb/namequery.c:resolve_wins(752)
  resolve_wins: Attempting wins lookup for name PDC<0x20>
[2006/02/21 10:57:03, 3] libsmb/namequery.c:name_resolve_bcast(694)
  name_resolve_bcast: Attempting broadcast lookup for name PDC<0x20>
[2006/02/21 10:57:03, 2] libsmb/namequery.c:name_query(492)
  Got a positive name query response from 10.50.0.20 ( 10.50.0.20 )
[2006/02/21 10:57:03, 3] libsmb/cliconnect.c:cli_start_connection(1406)
  Connecting to host=PDC
[2006/02/21 10:57:03, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 10.50.0.20 at port 445
[2006/02/21 10:57:04, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(290)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2006/02/21 10:57:04, 3] libsmb/trusts_util.c:just_change_the_password(43)
  just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
[2006/02/21 10:57:04, 1] utils/net_rpc.c:run_rpc_command(138)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Password:
[2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_start_connection(1406)
  Connecting to host=PDC
[2006/02/21 10:57:10, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 10.50.0.20 at port 445
[2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
  Doing spnego session setup (blob length=58)
[2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
  got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
  got principal=NONE
[2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(869)
  Got challenge flags:
[2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60890215
[2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(891)
  NTLMSSP: Set final flags:
[2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
[2006/02/21 10:57:10, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
[2006/02/21 10:57:10, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
  lsa_io_sec_qos: length c does not match size 8
Creation of workstation account failed
Unable to join domain CDCGA.
[2006/02/21 10:57:12, 2] utils/net.c:main(897)
  return code = 1

I googled the the NT_STATUS_ACCESS_DENIED error and no luck as of yet.

Have any of you samba sensei seen anything like this or have an suggestions
as to how to kick this trouble ticket out.

Thanks

 

In the World one must be able to 

Adapt, and Evolve 

Or run the risk of becoming EXTINCT

 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Linux tool for create windows shortcut

[Roberto João Lopes Garcia]

Hi

I need to create a windows shortcut ( lnk file ) on a samba share from linux 
script. 

Any one know  about a linux tool that can create windows shortcut file ?

Thank you

Roberto

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] edited tdb... restart samba?

[Gerald (Jerry) Carter]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Joe wrote:

> 
> Hmmm...  which tdb is the printer object?

It's in ntprinters.tdb.  But the  key prefix is "PRINTERS/",
not "SECDESC/"






cheers, jerry
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD/KlSIR7qMdg1EfYRApfPAJ9Ve6zeuL4FuQI7JsUw6S6Hz7c9vQCfZrrG
SFrQRY7M0DUOJdw5A/21fcU=
=cLM1
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] My Network Places not finding Samba server

[Frederick C. Damen]

Thanks.  I set the WINS server to the ip of the box running smbd/nmbd.
There is no change in browsing from 'My Network Places'.
I tried 'net view \\192.168.0.1\' from the XP 'cmd' window and received 
the correct output expected.
I tried 'net view \\DAD\' and 'net view \\DAMEN\' in the XP cmd window 
and received:

System error 53 has occurred.

The network path was not found.

While setting the 'smbcontrol nmbd debug 10' the nmbd.log file logs
[2006/02/22 11:47:49, 4] nmbd/nmbd_workgroupdb.c:dump_workgroups(284)
 dump_workgroups()
  dump workgroup on subnet 192.168.0.1: netmask=255.255.0.0:
   WORKGROUP(2) current master browser = MONEY
   DAMEN(1) current master browser = DAD
   DAD 400c9a03 (Damen Samba Server)
   BABYDRAGON 40011203 (Sue's Computer)
   FREDDYDAMEN 40001003 (Freddy Damen's Computer)
and everything else does not indicate an error has occurred.

Also I tried what I think is the linux equilvant for the net view -> ' 
smbclient //DAD/'

I receive at the tty
Password:
Domain=[DAD] OS=[Unix] Server=[Samba 3.0.14a-2]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

and in the messages file
Feb 22 11:53:14 www smbd[2420]: [2006/02/22 11:53:14, 0] 
smbd/service.c:make_connection(794)

Feb 22 11:53:14 www smbd[2420]:   dad (192.168.0.1) couldn't find service

I get this response with the workgroup, lmhost name or ip address.

' smbclient -L dad -U%' gives the correct responce expected.

Thanks,

Fred

Chris Lounsbury wrote:


Do you have the wins servers IP address setup on your xp box?  I had this 
problem when I first set up our network and adding the wins server IP address 
to the xp machines tcpip settings solved it.
Chris


 


"Frederick C. Damen" <[EMAIL PROTECTED]> 2/21/2006 9:11:47 PM >>>
   

I changed the smb.conf to have a different NetBios Name then the 
workgroup 'DAMEN'.

There does not appear to any change from the XP 'My Network Places'
Although the nmbd.log indicates that the name DAMEN<00> is not found.
[2006/02/21 21:24:14, 1] 
nmbd/nmbd_incomingrequests.c:process_node_status_request(328)
 process_node_status_request: status request for name DAMEN<00> from IP 
192.168.0.1 on subnet UNICAST_SUBNET -

name not found.
[2006/02/21 21:24:16, 1] 
nmbd/nmbd_incomingrequests.c:process_node_status_request(328)
 process_node_status_request: status request for name DAMEN<00> from IP 
192.168.0.1 on subnet UNICAST_SUBNET -

name not found.

Although  'nmblookup DAMEN' finds the name when executed on the linux 
box upon which smbd/nmbd is running.

querying DAMEN on 192.168.255.255
192.168.0.1 DAMEN<00>

This appear to (not)work the same with or without DAMEN listed in the 
lmhosts file.

Do I need to list the workgroup name somewhere else also?

Thanks,

Fred


Frederick C. Damen wrote:

 

Thanks. I removed the entry for DAMEN from lmhosts and restart smb/nmb 
and

no change that I can see.

Thanks,

Fred

Kristaps R*ts wrote:

   


Having the machine name equal to the workgroup name is a no-no, as far
as I know.

On O , 2006-02-21 at 08:15 -0600, Frederick C. Damen wrote:


 


I assume I am doing(or not) something extremely simple that is causing
my XP boxes to not see my linux(FC4) Samba server in the 'My Network 
Places'.


I can access the shares by 'Map Network Drive' and using the IP
address(192.168.0.1).
I have set the workgroup name 'DAMEN' in the lmhosts file.
192.168.0.1 DAMEN

I have set the workgroup in the smb.conf file.
  workgroup = damen
  netbios name = damen
I have configured the Samba server to be the Domain Master Browser
  os level = 35
 domain master = yes
  preferred master = yes
 wins support = yes
I have configured the [global] to be browseable.
  browseable = yes
  public = yes


I have set the XP box to be on a home network(not bussiness network) 
and

workgroup to DAMEN.

Any ideas?

Thanks,

Fred




 
   




 



 



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba LDAP PDC BDC quit working

[Philip Washington]

mallapadi niranjan wrote:


Hi Philip


yes, I have the same properties, (for checking i did the rid*2+1000 
and object class test. , but
once the computer are rejoined, it gets new rid, not the rid which is 
in the LDIF.


Regards
Niranjan


You might check your MS client event logs for this error.
error 3224
Changing machine account password for account $ failed with 
the following error: 
A remote procedure call (RPC) protocol error occurred. 



On 2/21/06, *Philip Washington* <[EMAIL PROTECTED] 
> wrote:


mallapadi niranjan wrote:

> Hi Craig
>
> Thanks for replying, The samba PDC gets rebooted because of Power
> outage, at night times.
> After the system gets rebooted,
> Scenario -01
> 1. Either some times the ldap gets hanged, (2.2.13) may be
because of
> inconsistency.
> 2. since ldap hangs, samba doesn't come up properly.
> 3. so i run db_recover and try to start the ldap service and
then samba
>
> Scenario-02
> if LDAP doesn't hang, and samba comes up nicely, the computer had to
> rejoin.
> but in my ldapdatabase, in OU=Computers, all the computer accounts
> exist. with
> rid and Object class intact.
> but some how i don't know why i have to rejoin,
>
Okay I just want to clarify this. After an unplanned reboot (power
outage) , your PDC comes back up and you find that some of the
computers
in your domain need to rejoin the domain??  Do you have recent
ldiff or
slapcats indicating that most of these computers have the same
properties in the LDAP database as before.

> Scenario-03.
> I take the regular backup of LDAP, to LDIF file, and restore with
> latest LDIF file,
> eventhough i don't get the Computer Accounts and also i lose user 's
> passwords,
> After restoring from LDIF file.
>
> Scenario-04
> If i do safe reboot or shutdown, there 's no problem , the server
> works properly without any
> problem
>
> Regards
> Niranjan
>
>
> On 2/20/06, *Craig White* <[EMAIL PROTECTED]

> mailto:[EMAIL PROTECTED]>>> wrote:
>
> On Mon, 2006-02-20 at 11:55 +0530, mallapadi niranjan wrote:
> > Hi all
> >
> >
> > I too have the same problem , i am also using samba 3.0.21
with
> > openldap  version 2.2.13 on Redhat Enterprise Linux 4
enterprise
> > server.
> > if the samba PDC gets rebooted aburuptly,  some of my clients
> > workstations (Windows 2000 professional) have to rejoin.
> > i was asked to check whether RID of the computer name is
> correct(uid*2
> > + 1000) , ans whether
> > computer names have SambaSAMAccount object class.
> > eventhough my computernames' exist in the database with
correct
> object
> > class and rid, the clients
> > have to be rejoined. this happens only when samba PDC with
ldap
> gets
> > rebooted abruptly.
> > having said that, so i assume that LDAP is unable to maintain
> > consistency when it gets rebooted.
> >
> > so i had kept DB_CONFIG file in /var/lib/ldap(this is
where all bdb
> > files are there) and use db_recover
> > in case of any crash of ldap.
> >
> > But if we take backup in LDIF file and restore it, but
still my
> > computer accounts are not getting back, i had to rejoin.
> >
> > this is the problem that i am having, but still could not
find the
> > correct solution.
> 
> No - as you and he describe it, these are separate problems.
>
> Your issues is that PDC shouldn't get rebooted abruptly and
newer
> versions of openldap have a script that automatically runs
db_recover.
> This however doesn't come in the version of openldap that
ships with
> RHEL
>
> You might want to set up a cron script that performs a
slapcat on
> a more
> frequent basis so that if it is necessary to dump the entire
LDAP DSA
> and reload from an ldif, the ldif is much more current and
thus, you
> wouldn't have to rejoin many if any computers to the domain.
>
> Craig
>
>




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] How to make a symlink appear as a real file (for a Linux client)?

[Nick S. Grechukh]

В сообщении от 22 февраля 2006 18:53 Tomasz Chmielewski написал(a):
maybe you should put 
unix extensions = no
into smb.conf

-- 
With best regards, Nick S. Grechukh
System Administrator
Technopark Corp.

E-mail: [EMAIL PROTECTED]
Cell: +38 0676 13 76 07
JID: [EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] [OT] windows user migration

[Chris McKeever]

sorry for the off topic, but I am thinking some clever samba sole has
tinkered with this!!
I am trying to find a method to migrate local user profiles off one
server, onto another server.
Both are win2k machines.

Is there a way using roaming profiles to pull it off the live server,
onto the network via samba, and then pull it up to the secondary
server??

any thoughts would be appreciated!

thanks -


--
--
please respond to the list .. if you need to contact me direct
cgmckeever is the account
prupref.com is the domain

http://www.prupref.com";>Simply Chicago Real Estate
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] How to make a symlink appear as a real file (for a Linux client)?

[Tomasz Chmielewski]

I have a share with a couple of symlinked files in it.

On a Samba server, it looks like this for "addon" directory:

# ls -l
(...) acrobatreader7
(...) addon -> /home/samba/unattended-write/packages


Now, if I mount it on a Linux client using smbmount, symlinks point to 
non existing directories locally (/home/samba/unattended-write/packages 
exist only on a Samba server):


# smbmount //192.168.111.172/unattended /mnt/1
# ls -l /mnt/1
(...) acrobatreader7/
(...) addon -> /home/samba/unattended-write/packages


On a Windows client, however, I can browse the files in such directories 
just fine.


I would rather expect that to happen on a Linux client, too (i.e., Linux 
client should not see it as symlinks, but as real files/directories).


Where can I look for a solution?

I didn't find anything about it in smbmount nor in smb.conf manuals.


--
Tomasz Chmielewski
Software deployment with Samba
http://wpkg.org
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Can't join my domain

[Bevan Agard]

In the World one must be able to 
Adapt, and Evolve 
Or run the risk of becoming EXTINCT

> -Original Message-
> From: Craig White [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 22, 2006 12:06 PM
> To: Bevan Agard
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Can't join my domain
> 
> On Wed, 2006-02-22 at 11:53 -0400, Bevan Agard wrote:
> >
> > In the World one must be able to
> > Adapt, and Evolve
> > Or run the risk of becoming EXTINCT
> >
> > > 
> > > The PDC is the domain and doesn't join it.
> > >
> > > Craig
> > >
> > [Bevan Agard]
> > This may be so but I can't join any pc to the domain
> 
> Let's keep this on list as I am leaving and won't be of much help
> throughout the day.
> 
> Are you tracking the 'Samba By Example' documentation on samba.org
> website?
> 

[Bevan Agard] 
Yes I am.

> Can you add workstation account via command line?
>
[Bevan Agard] 
No I cannot
 
> Craig

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba 3.0.21b winbind crash

[Gerald (Jerry) Carter]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Lars Müller wrote:
> On Wed, Feb 22, 2006 at 11:50:36AM +0100, Thomas Limoncelli wrote:
> [snip]
>> Is there anything else I can do to help tracking this down?
> 
> Run the upcoming 3.0.21c release as soon as it is out.
> 
>> Shall I file a bugzilla entry and assign to the SuSE package maintainer?
> 
> Please as soon as you have the same problem again.  See the details for
> bug reporting at http://en.opensuse.org/Samba in the section 'Samba
> package bug reporting'.

For what it's worth, the SAMBA_3_0_RELEASE is ready for 3.0.21c
minus the release notes, the fix for BUG #3501, and a workaround
for a bug in 2k clients.  But you could test winbindd now.





cheers, jerry
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD/I0PIR7qMdg1EfYRAhIOAKDQzjvF5Lh7qHp3ZO5Kk/+OHazeeACglQ0H
bw5jZNJTSXC707Ovu3QXOgU=
=dphw
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Can't join my domain

[Craig White]

On Wed, 2006-02-22 at 11:53 -0400, Bevan Agard wrote:
> 
> In the World one must be able to 
> Adapt, and Evolve 
> Or run the risk of becoming EXTINCT
> 
> > 
> > The PDC is the domain and doesn't join it.
> > 
> > Craig
> > 
> [Bevan Agard] 
> This may be so but I can't join any pc to the domain

Let's keep this on list as I am leaving and won't be of much help
throughout the day.

Are you tracking the 'Samba By Example' documentation on samba.org
website?

Can you add workstation account via command line?

Craig

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba 3.0.21b winbind crash

[Lars Müller]

On Wed, Feb 22, 2006 at 11:50:36AM +0100, Thomas Limoncelli wrote:
[snip]
> Is there anything else I can do to help tracking this down?

Run the upcoming 3.0.21c release as soon as it is out.

> Shall I file a bugzilla entry and assign to the SuSE package maintainer?

Please as soon as you have the same problem again.  See the details for
bug reporting at http://en.opensuse.org/Samba in the section 'Samba
package bug reporting'.

Lars
-- 
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SuSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany


pgprFj82940yT.pgp
Description: PGP signature
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Permissions when writing files

[Matt Smith]

Hi, I'm having an issue where it seems that if a user opens a public
file, then resaves it it loses its permissions/rights and becomes
readonly by the owner

Any Ideas where to start looking?
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Windows UIDs

[Gerald (Jerry) Carter]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

John Halfpenny wrote:
> hi all.
> 
> how does samba create its uids and gids from the windows domain? 
> and what can i do to prevent it 'dropping' these mappings?

uids and gids are allocated by winbindd on an as needed basis
in a monotonically increasing fashion.

> i've set up windows 2003 sfu to allow samba to map to the 
> uid stored in active directory (by using sfu nis), is this
> the safest way to ensure folder permissions remain constant
> or am i being unnecessarily scared? :-)

Probably unnecessarily scared.  Just keep winbindd_idmap.tdb
backed up.  If you have a single domain with no trusts, you
might prefer to look at the rid idmap backend.






cheers, jerry
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD/IRxIR7qMdg1EfYRAvZKAJ9pEkHUbkogYltBC1pSUqed6S0O5QCg8Vgg
IXNDP4ydJ7PuMkX45QsF2AA=
=V93f
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Can't join my domain

[Craig White]

On Wed, 2006-02-22 at 09:12 -0400, Bevan Agard wrote:
> Guys and dolls,
> Greetings, I hope you all are in good health, great spirits and your glasses
> never empty.
> 
> I have a samba, openldap question.
> 
> I am trying to setup a FC-4 box to be a PDC for a small network of about 150
> users.  I was following the HOWTO on the SAMBA site.  Everything seems to be
> fine however I cannot join the domain.  I get the error "User name could not
> be found." The error logs show that the login/password used to join the
> domain was accpeted and correct.  I decided to step back a bit to see if the
> PDC could join the domain but also no luck.  I got the following when I ran
> the command
> 
> [EMAIL PROTECTED] ~]# net rpc join -d 3 -l -S PDC -U root
> [2006/02/21 10:57:03, 3] param/loadparm.c:lp_load(3916)
>   lp_load: refreshing parameters
> [2006/02/21 10:57:03, 3] param/loadparm.c:init_globals(1321)
>   Initialising global parameters
> [2006/02/21 10:57:03, 3] param/params.c:pm_process(573)
>   params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> [2006/02/21 10:57:03, 3] param/loadparm.c:do_section(3418)
>   Processing section "[global]"
> [2006/02/21 10:57:03, 1] param/loadparm.c:lp_do_parameter(3159)
>   WARNING: The "min passwd length" option is deprecated
> [2006/02/21 10:57:03, 2] lib/interface.c:add_interface(81)
>   added interface ip=10.50.0.20 bcast=10.50.255.255 nmask=255.255.0.0
> [2006/02/21 10:57:03, 2] lib/interface.c:add_interface(81)
>   added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
> [2006/02/21 10:57:03, 3] libsmb/namequery.c:resolve_wins(752)
>   resolve_wins: Attempting wins lookup for name PDC<0x20>
> [2006/02/21 10:57:03, 3] libsmb/namequery.c:name_resolve_bcast(694)
>   name_resolve_bcast: Attempting broadcast lookup for name PDC<0x20>
> [2006/02/21 10:57:03, 2] libsmb/namequery.c:name_query(492)
>   Got a positive name query response from 10.50.0.20 ( 10.50.0.20 )
> [2006/02/21 10:57:03, 3] libsmb/cliconnect.c:cli_start_connection(1406)
>   Connecting to host=PDC
> [2006/02/21 10:57:03, 3] lib/util_sock.c:open_socket_out(752)
>   Connecting to 10.50.0.20 at port 445
> [2006/02/21 10:57:04, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(290)
>   cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
> [2006/02/21 10:57:04, 3] libsmb/trusts_util.c:just_change_the_password(43)
>   just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
> [2006/02/21 10:57:04, 1] utils/net_rpc.c:run_rpc_command(138)
>   rpc command function failed! (NT_STATUS_ACCESS_DENIED)
> Password:
> [2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_start_connection(1406)
>   Connecting to host=PDC
> [2006/02/21 10:57:10, 3] lib/util_sock.c:open_socket_out(752)
>   Connecting to 10.50.0.20 at port 445
> [2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
>   Doing spnego session setup (blob length=58)
> [2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
>   got OID=1 3 6 1 4 1 311 2 2 10
> [2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
>   got principal=NONE
> [2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(869)
>   Got challenge flags:
> [2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x60890215
> [2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(891)
>   NTLMSSP: Set final flags:
> [2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x60080215
> [2006/02/21 10:57:10, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x60080215
> [2006/02/21 10:57:10, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
>   lsa_io_sec_qos: length c does not match size 8
> Creation of workstation account failed
> Unable to join domain CDCGA.
> [2006/02/21 10:57:12, 2] utils/net.c:main(897)
>   return code = 1
> 
> I googled the the NT_STATUS_ACCESS_DENIED error and no luck as of yet.
> 
> Have any of you samba sensei seen anything like this or have an suggestions
> as to how to kick this trouble ticket out.

The PDC is the domain and doesn't join it.

Craig

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Samba 3 vs. MS 2003

[Jeff Stewart]

Does anyone know of or have any good information comparing  Samba 3 and 
MS 2003.  I'm really looking for a  feature matrix for the file and 
print sharing aspects of the two.


--
Jeff Stewart

Network Specialist
Western Kentucky University

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Windows UIDs

[John Halfpenny]

hi all.

how does samba create its uids and gids from the windows domain? and what can i 
do to prevent it 'dropping' these mappings?

i've set up windows 2003 sfu to allow samba to map to the uid stored in active 
directory (by using sfu nis), is this the safest way to ensure folder 
permissions remain constant or am i being unnecessarily scared? :-)

thanks for any tips

john





___
Join Excite! - http://www.excite.com
The most personalized portal on the Web!


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba LDAP PDC BDC quit working

[Philip Washington]

mallapadi niranjan wrote:


Hi Philip


yes, I have the same properties, (for checking i did the rid*2+1000 
and object class test. , but
once the computer are rejoined, it gets new rid, not the rid which is 
in the LDIF.


Regards
Niranjan

 Okay, then this is something else I don't understand. 
If the LDAP database is getting corrupted then I can see how this 
problem could happen.  But if the PDC goes down as you describe in 
scenario-2 then it doesn't make sense that the computers should have to 
rejoin the domain, unless there is some information which is not being 
stored in the LDAP database.


On 2/21/06, *Philip Washington* <[EMAIL PROTECTED] 
> wrote:


mallapadi niranjan wrote:

> Hi Craig
>
> Thanks for replying, The samba PDC gets rebooted because of Power
> outage, at night times.
> After the system gets rebooted,
> Scenario -01
> 1. Either some times the ldap gets hanged, (2.2.13) may be
because of
> inconsistency.
> 2. since ldap hangs, samba doesn't come up properly.
> 3. so i run db_recover and try to start the ldap service and
then samba
>
> Scenario-02
> if LDAP doesn't hang, and samba comes up nicely, the computer had to
> rejoin.
> but in my ldapdatabase, in OU=Computers, all the computer accounts
> exist. with
> rid and Object class intact.
> but some how i don't know why i have to rejoin,
>
Okay I just want to clarify this. After an unplanned reboot (power
outage) , your PDC comes back up and you find that some of the
computers
in your domain need to rejoin the domain??  Do you have recent
ldiff or
slapcats indicating that most of these computers have the same
properties in the LDAP database as before.

> Scenario-03.
> I take the regular backup of LDAP, to LDIF file, and restore with
> latest LDIF file,
> eventhough i don't get the Computer Accounts and also i lose user 's
> passwords,
> After restoring from LDIF file.
>
> Scenario-04
> If i do safe reboot or shutdown, there 's no problem , the server
> works properly without any
> problem
>
> Regards
> Niranjan
>
>
> On 2/20/06, *Craig White* <[EMAIL PROTECTED]

> mailto:[EMAIL PROTECTED]>>> wrote:
>
> On Mon, 2006-02-20 at 11:55 +0530, mallapadi niranjan wrote:
> > Hi all
> >
> >
> > I too have the same problem , i am also using samba 3.0.21
with
> > openldap  version 2.2.13 on Redhat Enterprise Linux 4
enterprise
> > server.
> > if the samba PDC gets rebooted aburuptly,  some of my clients
> > workstations (Windows 2000 professional) have to rejoin.
> > i was asked to check whether RID of the computer name is
> correct(uid*2
> > + 1000) , ans whether
> > computer names have SambaSAMAccount object class.
> > eventhough my computernames' exist in the database with
correct
> object
> > class and rid, the clients
> > have to be rejoined. this happens only when samba PDC with
ldap
> gets
> > rebooted abruptly.
> > having said that, so i assume that LDAP is unable to maintain
> > consistency when it gets rebooted.
> >
> > so i had kept DB_CONFIG file in /var/lib/ldap(this is
where all bdb
> > files are there) and use db_recover
> > in case of any crash of ldap.
> >
> > But if we take backup in LDIF file and restore it, but
still my
> > computer accounts are not getting back, i had to rejoin.
> >
> > this is the problem that i am having, but still could not
find the
> > correct solution.
> 
> No - as you and he describe it, these are separate problems.
>
> Your issues is that PDC shouldn't get rebooted abruptly and
newer
> versions of openldap have a script that automatically runs
db_recover.
> This however doesn't come in the version of openldap that
ships with
> RHEL
>
> You might want to set up a cron script that performs a
slapcat on
> a more
> frequent basis so that if it is necessary to dump the entire
LDAP DSA
> and reload from an ldif, the ldif is much more current and
thus, you
> wouldn't have to rejoin many if any computers to the domain.
>
> Craig
>
>




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba 3.0.21b winbind crash

[Gerald (Jerry) Carter]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Thomas Limoncelli wrote:
> Gerald (Jerry) Carter wrote:
>>> At least, erasing winbindd_cache.tdb with tdbtool fixes the crashes
>>> for the
>>> moment.
>>
>> Sounds like and assert() firing in the caching code caused by
>> a failure to open the winbindd_cache.tdb file.  I doubt there's
>> anything else for you to do right now.
> 
> But since winbindd from 3.0.21b was the only process ever maintaining
> this file, wouldn't this still make it a significant bug worth looking
> into?

Yes.  But the only real solution is to have winbindd remove
the corrupted file automatically and reopen it.  It's a robustness
fix.




cheers, jerry
=
I live in a Reply-to-All world---
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD/HgKIR7qMdg1EfYRAvg5AJ0VuAJ8HxnNSr0vcKM8YNCrsGxWXwCfV953
UIFtGnpskhAGsirXCtzaQm4=
=9xFm
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba 3.0.21b winbind crash

[Thomas Limoncelli]

Gerald (Jerry) Carter wrote:

At least, erasing winbindd_cache.tdb with tdbtool fixes the crashes for the
moment.


Sounds like and assert() firing in the caching code caused by
a failure to open the winbindd_cache.tdb file.  I doubt there's
anything else for you to do right now.


But since winbindd from 3.0.21b was the only process ever maintaining 
this file, wouldn't this still make it a significant bug worth looking into?



-TL
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Effect of disabling LM/NTLMv1 auth on an AD?

[Gerald (Jerry) Carter]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 21 Feb 2006, Don Meyer wrote:

> I can see that modern Samba versions support NTLMv1 and NTLMv2 methods. 
> Theoretically, that should leave support for NTLMv2, and all should 
> work. Practically, however, there is the question of "what really 
> happens with Samba member servers when one disables LM/NTLMv1 on the 
> domain controllers?"  Can anyone speak to this?

We've been testing this throughout the 3.0 release series. 
However, we just got complete support in 3.0.21 (for all layers 
of authentication).  There are a few small corner cases that will
be fixed in 3.0.21c.  If you have any problems with NTLMv2 and Samba
3.0.21c (due out real soon now), we would very much like to know.




cheers, jerry
=
I live in a Reply-to-All world.   ---
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFD/G7AIR7qMdg1EfYRAiraAJ4voG/RycC2qI+SyODTistlMYEQ2ACff0iN
rW8HX7YkQDUjv7MZJ6o1oVU=
=MDAc
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Join AD domain using security = domain ?

[Gerald (Jerry) Carter]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 22 Feb 2006, David Wilson wrote:

> Hi guys,
> 
> Is it possible to join an AD domain using NT style authentication ?
> i.e. security = domain  in smb.conf and use 'net join rpc -W [MYADDOMAIN]
> 
> When I tried this I get the following error:
> [2006/02/22 11:56:42, 0]
> rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
>  cli_rpc_pipe_open_schannel: failed to get schannel session key from server
> msu
> adserver for domain MYADDOMAIN.
> [2006/02/22 11:56:42, 0] utils/net_rpc_join.c:net_rpc_join_ok(61)
>  Error connecting to NETLOGON pipe. Error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
> Unable to join domain MYADDOMAIN.

Schannel is on RPC connections so you will see the same processing 
regardless of how winbindd is configured.  You can set 'client schannel = 
no' in smb.conf.  What version of Samba is this.?




cheers, jerry
=
I live in a Reply-to-All world.   ---
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFD/G4kIR7qMdg1EfYRApKAAKDYZ7xjn8/mY7Ume7nVnH8mtkShCgCgifz1
0rf30YyqVzKveX3UHvTdnC0=
=zQy/
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Can gencache.tdb be deletely at will?

[Gerald (Jerry) Carter]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 22 Feb 2006, David Landgren wrote:

> When I look at the client smbd log file, I see that the printer server
> is trying to open a connection to the IP address that corresponds to
> the address the client had when it connects via the VPN tunnel,
> instead of the address it currently has. I've even reconnected the PC
> via the VPN, where it acquired a different VPN address, but when I
> bring the PC back inside the corporate network, the old VPN address
> continues to pop up in the client Samba log.

Try reducing the 'name cache timeout' in smb.conf.







cheers, jerry
=
I live in a Reply-to-All world.   ---
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFD/G2HIR7qMdg1EfYRArqxAJwOWWRSbHYZR9We8dnxxt3XW9IbMwCcC+tX
aWaJm8EcZUFvMPHNqXFSKvI=
=7hSi
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba 3.0.21b winbind crash

[Gerald (Jerry) Carter]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 22 Feb 2006, Thomas Limoncelli wrote:

> At least, erasing winbindd_cache.tdb with tdbtool fixes the crashes for the
> moment.

Sounds like and assert() firing in the caching code caused by
a failure to open the winbindd_cache.tdb file.  I doubt there's
anything else for you to do right now.





cheers, jerry
=
I live in a Reply-to-All world.   ---
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFD/G0SIR7qMdg1EfYRAmyOAKDFD14b27E5D/Ml7u8Nj4EG8kKqeQCfTzjy
qgtPP8SnpQ7/5SONqmTrlQk=
=Q1LK
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] [Fwd: New Unix user and group domain]

[Gerald (Jerry) Carter]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tue, 21 Feb 2006, Gerald (Jerry) Carter wrote:

> Some people might find this discussion about upcoming
> changes in 3.0.22 interesting.  It might also be helpful
> to get some feedback from the field on the ramifications
> of the changes.

The formward mail attachment was stripped.  The original mail is 
http://lists.samba.org/archive/samba-technical/2006-February/045600.html




- - forwarded message -
Volker & those interested in the user/group changes in 3.0.22:

Here's my random thoughts on the name <-> SID <-> uid/gid
mapping work you've been doing.  Please correct me if I make
any wrong assumption.  This is kind of a summary for me to
help write down the design and issues in one mail.

The crux of the changes is the new uid/gid mapping code.  The
S-1-22-1 domain will replace the rid algorithm for users and the
S-1-22-2 domain will be used for groups.

So we have local groups and domain groups.  The S-1-22-2
(well known Samba servers) and S-1-5-32 (well known among
Windows and Samba) domains are always local groups.  For a
non-DC, the S-1-5-$MACHINE is also a local domain (specific
per Samba installation).

'net groupmap' is used to set explicit mappings for the
S-1-5-$MACHINE domain (which is the same as the domain SID
on a samba DC).

'net rpc sam' will be used as a user/group management shell.
Note that I don't see how this can replace 'net groupmap'
without adding a new rpc pipe or possible the unixinfo pipe
and have commands for associating a SID with a gid.

lookup_sid() and lookup_name() have been re-written to be
a single point of name <-> SID resolution.

When adding a new user we now generate the primary group
RID from the actual Unix primary gid and fallback to 513
in case that Unix group is not resolvable or exists in the
S-1-22-2 domain (see the patch I posted earlier tonight).
I realize that this is not entirely true since we still
have an unfinished mix of RID algorithms, rid allocation,
and the new S-1-22-{1,2} domains.

The main problem that we have is that a group might have
resolved to S-1-5-$MACHINE in 3.0.21 and we now are resolving
it to S-1-22-2 in 3.0.22.  This directly affects the user's
token passed back to the client in the net_samlogon() reply
(potentially part of the other_sids field).  So therefore
a Windows File server joined to a Samba domain might have
security descriptors with the old group SIDs and now deny
access to a user that should have access.  The same situation
could occur if you upgrade the Samba DC and leave Samba
member servers running and older release.

The main problem with the rid algorithms is potential conflicts
with migrated windows domains.  There is no prevention for
assigning duplicate rids (and no easy way to tell if you are
using a previously assigned rid).

On a non-DC I think this is a non-issue.  Or at least is
ignorable.  For a new domain, we don't have any upgrade
issues with group SIDs.  So the problem we can focus on
is upgrading a Samba domain.

We have 3 possible solutions on the table to get from where we
are in 3.0.21 to where we want to be in 3.0.22.

(a) have the administrator manually create the explicit
group mapping which matches the SID assigned by 3.0.21,

(b) auto map the groups on behalf of the administrator, or

(c) Ignore the change in group SIDs entirely.

I think that (c) should be the default behavior.  For those
people not affected by the security descriptor issue (i.e.
only Samba file servers and running the 3.0.22 or higher on
all servers).

Now for those servers that will be adversely affected
we have to careful;y explain the scenarios and let the
administrator decide.

I do not believe that (b) can reliably work.  There are too
many differences between smbpasswd, tdb, and LDAP installations.
And at what point do you stop automapping groups?  This
solutions seems only slightly better than what we have now
and actually replies on more persistent storage (so more
places for things to potentially go wrong).

I know you have option (a) but I think it is the best solution
to prevent long term baggage.  I think this should be a HOWTO
and a set of tools that helps walk the admin though the upgrade
process.  We can refuse to start somehow unless we know that
things have been dealt with somehow.

Additional questions:

1.  Why did you move the Unix create user/group calls into
the passdb API?  I don't understand what you are trying
to solve there.

2.  What is the real meaning of the pdb_rid_algorithm() call?
Which algorithm do you mean?  The one used by 3.0.21 or
the new Unix S-1-22- domains?

That's enough for now I think.





cheers, jerry
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFD/GyUIR7qMdg1EfYRAil7AKC6vx6yud9n6XYX9slBWJ6ltEri9gCgkv1Z
ugeg5gYtkn8JbY3p3FXFoj0=
=MXNR
-END PGP SIGNATURE-
-- 
To unsubscribe from this list go to t

Re: [Samba] Join AD domain using security = domain ?

[Thomas Limoncelli]

David Wilson wrote:

Is it possible to join an AD domain using NT style authentication ?
i.e. security = domain  in smb.conf and use 'net join rpc -W [MYADDOMAIN]


Been there. Done that.


When I tried this I get the following error:
[2006/02/22 11:56:42, 0] 
rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
 cli_rpc_pipe_open_schannel: failed to get schannel session key from 
server msu

adserver for domain MYADDOMAIN.
[2006/02/22 11:56:42, 0] utils/net_rpc_join.c:net_rpc_join_ok(61)
 Error connecting to NETLOGON pipe. Error was 
NT_STATUS_NO_TRUST_SAM_ACCOUNT

Unable to join domain MYADDOMAIN.


You didn't post your Samba version and smb.conf, so we need to 
wild-guess. Try adding "client schannel = No" in [global].



-TL
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

AW: [Samba] Questions about sub-folders, access...?

[Torsten Geile]

Hi,


Am Wed, 22 Feb 2006 09:00:21 +0100 schrieb Alberto Moreno:

>   Hi people, iam testing samba3 on freebsd 5.4, i install samba from ports
> with no problems, i have this simple smb.conf file:
> 
> [global]
> workgroup = WORKGROUP
> netbios name = FREEBSD
> server string = Samba Server FreeBSD
> security = user
> encrypt passwords = yes
> [public]
> comment = %h Shared Public Directory
> path = /opt/test
> force directory mode = 0777
> force create mode = 0777
> force group = nobody
> force user = nobody
> public = yes
> writeable = yes
> read only = no
> 
>My problem right now is that i want to create one folder with the user
X
> inside this share and give access to  user Y to that sub-folder, them i
> create the folder with the user X from windows 2000, smbd create the
folder
> with this permisions:

what do you mean when saying "with the user x inside this share"?

> 
> root# getfacl test
> #file:test
> #owner:65534
> #group:0
> user::rwx
> group::rwx
> other::rwx
> 


>   The owner is nobody like the smb.conf say, the group 0 is wheel, ok here
> everybody can access the folder, but what about if i only want to give
> access to the owner(X user) and the user Y...?

so why creating force user 0777?

best method would be creating a group which is supposed to have access 
to that specific folder, placing all users into that group and then 
setting the rights.for example create group test, make user x and user y 
be a member of the group. then:

setfacl -R -m g:test:rwx test

and if you want this group to have access to all files and folders 
createt later on in this folder then in adition

setfacl -d -R -m g:test:rwx test
> 
>Ok, after rading some docs, i do this:
> 
> Go to freebsd login with root and change the folder rights:
> 
> root# chown X:Y /opt/test/NewFolder
> root# chmod 770 /opt/test/NewFolder

> 
>Now user X or Y if try to access the folder from windows 2000 smbd say
> "\\Freebsd\public\test is not accessible Access is denied"
> 
>I have been reading the samba 3 by examples book "10.3.3 Share Point
> Directory and File Permisions", but didnt find the answer, and the chapter
> 15 of the samba how-to but they speak about the smb.conf shares, and i
want
> to apply this to sub-folders i create inside of samba shares...?
> 
>I think this can be done inside the Unix/Linux box with the root user
but
> i still dont find the way, what i forget...?
> 
>Hope you can help me people, thanks all for your time!!!

hth

torsten

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Outlook path to pst file is lost when using roaming profiles

[Charles Marcus]

Douglas Phillipson wrote:
Is nobody else losing their Outlook profile/path to pst when using 
roaming profiles?


The simple answer is, if you change the path to the Outlook .pst file to 
reside on a network share, you WILL have problems with it. This is a 
well known issue with Outlook, and is NOT Samba related (it happens when 
using a Windows Domain controller too).


The best answer is, don't do it. I have had bad experiences - again, 
even when using a Windows Domain controller.


--

Best regards,

Charles
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Join AD domain using security = domain ?

[David Wilson]

Hi guys,

Is it possible to join an AD domain using NT style authentication ?
i.e. security = domain  in smb.conf and use 'net join rpc -W [MYADDOMAIN]

When I tried this I get the following error:
[2006/02/22 11:56:42, 0] 
rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
 cli_rpc_pipe_open_schannel: failed to get schannel session key from server 
msu

adserver for domain MYADDOMAIN.
[2006/02/22 11:56:42, 0] utils/net_rpc_join.c:net_rpc_join_ok(61)
 Error connecting to NETLOGON pipe. Error was 
NT_STATUS_NO_TRUST_SAM_ACCOUNT

Unable to join domain MYADDOMAIN.

Do you have to have 'security = ads' and use 'net join ads..', and also 
have Kerberos enabled ?



Kind regards

David Wilson
D c D a t a
CNS, CLS, Linux+
T: 0860-1-LINUX
F: 0866878971
M: 0824147413
E: [EMAIL PROTECTED]
W: http://www.dcdata.co.za 



--
This email and all contents are subject to the following disclaimer:
http://www.dcdata.co.za/emaildisclaimer.html

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] unknown interface | win 2k server

[Charles Marcus]

On 2/21/2006 Augusto Flavio ([EMAIL PROTECTED]) wrote:

The machine joins with no problems in the domain. But
the all users of the domain don`t have permission to
shutdown, restart and any other operation that a
"administrator" have.


You're thinking in Unix/Linux terms. A normal user on a windows 
workstation DOES have the ability to shutdown/restart the windows system.



Look this text that i found on samba.org(how to):

"When a Windows NT4 (or later) client joins a domain,
the domain global Domain Admins group is added to the
membership of the local Administrators group on the
client. Any user who is a member of the domain global
Domain Admins group will have administrative rights on
the Windows client." (chapter 14. What Rights and
Privileges Will Permit Windows Client Administration?)

What i need to do for the users of samba(smbpasswd)
have permission of a local administrator?


This is really a bad idea, and it may not fix your problem anyway.

It is not necessary for a user to have Local Administrative privleges to 
shutdown or restart a workstation, so your problem is elsewhere.


What I do is add each User to their workstation as a Domain User, and 
make them a member of the Power Users Group. Alternatively (less 
administration), you could add the 'Domain Users' group to the 'Power 
Users' group on each Local computer - that way each Domain User is 
automatically given Power User rights on the local computer, instead of 
normal Users rights (which is the default). The difference is, if you do 
it by Group, then any User can log in and have Power User privs at any 
workstation. Doing it on a per user basis, if any other user logs in at 
that workstation, they only have normal user privleges.


Unless, of course, you really want to lock them down, in which case 
don't do anything - the 'Domain Users' group is automatically a member 
of the local computers 'Users' group when the computer is joined to the 
domain (but you will most likely get complaints, and some software won't 
run properly without Power User privs).


--

Best regards,

Charles
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Can't join my domain

[Bevan Agard]

Guys and dolls,
Greetings, I hope you all are in good health, great spirits and your glasses
never empty.

I have a samba, openldap question.

I am trying to setup a FC-4 box to be a PDC for a small network of about 150
users.  I was following the HOWTO on the SAMBA site.  Everything seems to be
fine however I cannot join the domain.  I get the error "User name could not
be found." The error logs show that the login/password used to join the
domain was accpeted and correct.  I decided to step back a bit to see if the
PDC could join the domain but also no luck.  I got the following when I ran
the command

[EMAIL PROTECTED] ~]# net rpc join -d 3 -l -S PDC -U root
[2006/02/21 10:57:03, 3] param/loadparm.c:lp_load(3916)
  lp_load: refreshing parameters
[2006/02/21 10:57:03, 3] param/loadparm.c:init_globals(1321)
  Initialising global parameters
[2006/02/21 10:57:03, 3] param/params.c:pm_process(573)
  params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2006/02/21 10:57:03, 3] param/loadparm.c:do_section(3418)
  Processing section "[global]"
[2006/02/21 10:57:03, 1] param/loadparm.c:lp_do_parameter(3159)
  WARNING: The "min passwd length" option is deprecated
[2006/02/21 10:57:03, 2] lib/interface.c:add_interface(81)
  added interface ip=10.50.0.20 bcast=10.50.255.255 nmask=255.255.0.0
[2006/02/21 10:57:03, 2] lib/interface.c:add_interface(81)
  added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
[2006/02/21 10:57:03, 3] libsmb/namequery.c:resolve_wins(752)
  resolve_wins: Attempting wins lookup for name PDC<0x20>
[2006/02/21 10:57:03, 3] libsmb/namequery.c:name_resolve_bcast(694)
  name_resolve_bcast: Attempting broadcast lookup for name PDC<0x20>
[2006/02/21 10:57:03, 2] libsmb/namequery.c:name_query(492)
  Got a positive name query response from 10.50.0.20 ( 10.50.0.20 )
[2006/02/21 10:57:03, 3] libsmb/cliconnect.c:cli_start_connection(1406)
  Connecting to host=PDC
[2006/02/21 10:57:03, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 10.50.0.20 at port 445
[2006/02/21 10:57:04, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(290)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2006/02/21 10:57:04, 3] libsmb/trusts_util.c:just_change_the_password(43)
  just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
[2006/02/21 10:57:04, 1] utils/net_rpc.c:run_rpc_command(138)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Password:
[2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_start_connection(1406)
  Connecting to host=PDC
[2006/02/21 10:57:10, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 10.50.0.20 at port 445
[2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(708)
  Doing spnego session setup (blob length=58)
[2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(733)
  got OID=1 3 6 1 4 1 311 2 2 10
[2006/02/21 10:57:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(740)
  got principal=NONE
[2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(869)
  Got challenge flags:
[2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60890215
[2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(891)
  NTLMSSP: Set final flags:
[2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
[2006/02/21 10:57:10, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/02/21 10:57:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60080215
[2006/02/21 10:57:10, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
  lsa_io_sec_qos: length c does not match size 8
Creation of workstation account failed
Unable to join domain CDCGA.
[2006/02/21 10:57:12, 2] utils/net.c:main(897)
  return code = 1

I googled the the NT_STATUS_ACCESS_DENIED error and no luck as of yet.

Have any of you samba sensei seen anything like this or have an suggestions
as to how to kick this trouble ticket out.

Thanks

 

In the World one must be able to 

Adapt, and Evolve 

Or run the risk of becoming EXTINCT

 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

AW: [Samba] Samba with 2 subnet browsing

[Torsten Geile]

Hi,


Am Mon, 20 Feb 2006 07:20:15 +0100 schrieb wLLm:

> I have a problem browsing in my subnets let me explain me situation:
> 
> I have a m0n0wall (FreeBSD based router software) with 3 nics.
> nic1:My WAN connection
> Nic2:My LAN connection (192.168.0.0/24 m0n0 is DHCP)
> Nic3:My Wifi connenciot (192.168.1.0/24 m0n0 is DHCP)
> 
> just using ip-adresses acrossed the network is no problem.
> 
> now i want to use windows browsing works on LAN but can't see the
computers
> in WiFi
> 
> now i gave my samba server 2 nics (nic1:192.168.0.2 nic2:192.168.1.2) in
my
> wifi network i can see my LAN clients
> in my LAN network i can't see my Wifi clients and the wifi clients can't
> connect to computer seen in browsing
> 
> I've tried wins support, does not work for me
> 
> does anyone else have a solution vor this ?

For subnetbrowsing across subnets you will need a LMB and DMB for each 
subnet. In my case, a samba server serves this pupose. furthermore each 
samba server needs 2 more directives in smb.conf

remote announce = remote_ip_of_dmb/local_workgroup
remote browse sync = remote_ip_of_dmb

I have tried to use on of the samba servers as a wins server, but this 
caused trouble whith browsing, so our w2kserver is offering the wins 
service.

hth

torsten

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] samba + swat not working

[travelondude]

First of all trying to get samba-3.0.14 working on FC4 (SELINUX on). smbd and 
nmbd running, but my user can't browse from W2K. I have a working samba-2.2.7 
server on RH 8.0, users connect no problem. 
The smb.conf file seems a little different and tried to use swat to configure. 
Tried to start and the /var/log/messages show:
xinetd[1694]: bind failed (Address already in use (errno = 98)). service = swat
Issues are starting to snowball now. I am more concerned with getting samba 
working but would like to know what's wrong with swat.
I started with a minimal smb.conf file:

[global]
workgroup = work
security = USER
[share]
comment = jack's storage
path = /opt/share
valid users = jack
public = no
writable = yes
printable = no

Any suggestions?
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] NT_STATUS_BUFFER_TOO_SMALL

[Meli Marco]

Hi,

What following error is referred to, while Winbind restarting daemon?

 

Feb 22 12:15:41 srv winbindd[30216]: [2006/02/22 12:15:41, 0]
nsswitch/winbindd_dual.c:child_read_request(49)

Feb 22 12:15:41 srv winbindd[30216]:   Got invalid request length: 0

Feb 22 12:15:58 srv winbindd[23660]: [2006/02/22 12:15:58, 0]
rpc_client/cli_pipe.c:cli_rpc_pipe_open_noauth(2240)

Feb 22 12:15:58 srv winbindd[23660]:   cli_rpc_pipe_open_noauth:
rpc_pipe_bind for pipe \lsarpc failed with error NT_STATUS_BUFFER_TOO_SMALL

 

Thanks.

Marco.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba 3.0.21b winbind crash

[Thomas Limoncelli]

Thomas Limoncelli wrote:
Unfortunately the backtrace doesn't look too meaningful (like in the 
original level 10 debug) although I've installed the samba-debuginfo 
package.


myserver# gdb winbindd 24887
[...]
(gdb) bt
#0  0xe410 in ?? ()


strace reveals that winbind segfaults when reading winbindd_cache.tdb:

29712 open("/var/lib/samba/winbindd_cache.tdb", 
O_RDWR|O_CREAT|O_LARGEFILE, 0600) = 23
29712 fcntl64(23, F_SETLKW64, {type=F_WRLCK, whence=SEEK_SET, start=0, 
len=1}, 0xbfffa6b0) = 0
29712 read(23, "TDB 
file\n\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 168) = 168

29712 fstat64(23, {st_mode=S_IFREG|0600, st_size=1818624, ...}) = 0
29712 mmap2(NULL, 1818624, PROT_READ|PROT_WRITE, MAP_SHARED, 23, 0) = 
0xb7942000
29712 fcntl64(23, F_SETLKW64, {type=F_UNLCK, whence=SEEK_SET, start=0, 
len=1}, 0xbfffa6b0) = 0
29712 fcntl64(23, F_SETLKW64, {type=F_WRLCK, whence=SEEK_SET, start=168, 
len=1}, 0xbfffa6a0) = 0
29712 fcntl64(23, F_SETLKW64, {type=F_RDLCK, whence=SEEK_SET, 
start=536396, len=1}, 0xbfffa6b0) = 0

[...]
29712 fcntl64(23, F_SETLKW64, {type=F_UNLCK, whence=SEEK_SET, 
start=5136, len=1}, 0xbfffa200) = 0

29712 --- SIGSEGV (Segmentation fault) @ 0 (0) ---

myserver# tdbtool /var/lib/samba/winbindd_cache.tdb
tdb> info
4460 records totalling 453648 bytes
tdb> dump

tdb>

Is there anything particular you'd want me to check? Anyone wants a 
private copy?


At least, erasing winbindd_cache.tdb with tdbtool fixes the crashes for 
the moment.



-TL

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Can gencache.tdb be deletely at will?

[David Landgren]

List,

I have a client PC that is able to connect to my network via a VPN
tunnel. When the client PC comes back to the mother ship, it acquires
an ordinary network address via DHCP. In this situation, the PC is
currently having problems viewing Samba printers... the printer folder
takes several minutes to open all the printers, and requesting a print
from an application takes a couple of minutes before getting the
dialog box.

When I look at the client smbd log file, I see that the printer server
is trying to open a connection to the IP address that corresponds to
the address the client had when it connects via the VPN tunnel,
instead of the address it currently has. I've even reconnected the PC
via the VPN, where it acquired a different VPN address, but when I
bring the PC back inside the corporate network, the old VPN address
continues to pop up in the client Samba log.

I cannot find any reference to the VPN address in either the client
registry, or the wins.dat or browse.dat files on the server. In fact,
the only place I do find the address on the server is the gencache.tdb
database.

I have tried to find some more information about this file, with no
luck. What I would like to know is whether it is safe to stop Samba,
rename this file, and then restart Samba. I would hope that this fixes
up the problem, but I don't know how critical this file is. Given its
name, I suppose it can be blown away at will, but I'd like to be sure.
Only in the hope that this is the cause of the problem, but I am not
even sure about that.

Thanks,
David
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba 3.0.21b winbind crash

[Thomas Limoncelli]

Jeremy Allison wrote:

On Wed, Feb 22, 2006 at 01:07:32AM +0100, Thomas Limoncelli wrote:

I'm using Samba 3.0.21b on SuSE 9.3 Pro (x86) with the binary RPMs from 
samba.org/suse.com (3.0.21b-1.1.2-SUSE-SL9.3) on a Domain Member Server in ADS 
mode with winbind against W2K3 SP1 AD servers and idmap uids/gids stored in a 
central OpenLDAP directory.

Unfortunately, winbind gives me a hard time and reproducibly dies with a PANIC on a 
"wbinfo -g", although I think I've followed TOSHARG's and S3bE's advices and 
have used it successfully in similar environments (although not with 3.0.21b) in the 
past. Can anyone shed some light on this? Below please find my smb.conf and level 10 
log.winbindd (both slightly obfuscated to protect the innocent, but not mangled in any 
other way). I can provide Ethereal traces privately on request.


Can you add the following line to the [global] section of your smb.conf.

panic action = "/bin/sleep 9"

and then when winbindd crashes it will hang waiting
for the sleep to finish. You can then attach to it with
gdb and get a backtrace using the "bt" command.


Unfortunately the backtrace doesn't look too meaningful (like in the 
original level 10 debug) although I've installed the samba-debuginfo 
package.


myserver# gdb winbindd 24887
[...]
(gdb) bt
#0  0xe410 in ?? ()

Is there anything else I can do to help tracking this down?
Shall I file a bugzilla entry and assign to the SuSE package maintainer?


Best regards,
-TL
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] WINS and INet~Services name

[Leon Stringer]

On Tue, 2006-02-21 at 16:00 -0800, Jeremy Allison wrote:
> On Tue, Feb 21, 2006 at 08:56:39PM +, Leon Stringer wrote:

> > As I understand it the problem is with Samba's WINS server
> > implementation not handling the mixed case Windows uses for the
> > "Inet~Services#1c" name. (Am I correct in thinking all other NetBIOS
> > names are upper case only?).
> 
> No, that's not the issue, at least not with modern nmbd code.
> 
> You might want to try upgrading from 3.0.4, I definately fixed
> case-sensitive bugs in this code between then and now.
> 
> Jeremy.

Thanks! I'll try upgrading at the weekend... (Apologies in advance if
this fixes it!).

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Outlook path to pst file is lost when usingroaming profiles

[Louis van Belle]

I use poledit.exe and the outlook.adm templete to define the path
of my pst files. I did put them on the server in the personal folder
in a hidden non accessable path for the users (example P:\.email ) 
at first start outlook wil create in p:\.email\ the file Outlook.pst
if alread one exist it will create Outlook1.pst.

Louis

>-Oorspronkelijk bericht-
>Van: [EMAIL PROTECTED] 
>[mailto:[EMAIL PROTECTED] 
>Namens Robert Schetterer
>Verzonden: woensdag 22 februari 2006 0:37
>Aan: Douglas Phillipson
>CC: samba@lists.samba.org
>Onderwerp: Re: [Samba] Outlook path to pst file is lost when 
>usingroaming profiles
>
>Hi,
>i have all kind of versions of outlook ( 2000/xp/2003) running with 
>roaming profiles and samba pdc and i dont have any problem loosing the 
>pst path, on win 2000/xp, perhaps this was a bug from outlook 
>configured
>using with imap, check about that, note that every outlook patchlevel 
>behaves different, so check the outlook patch level too.
>I dont recommend setting regs , for the default pst i think it 
>is better
>to use a adm/ntconfig.pol
>Regards
>
>
>Douglas Phillipson schrieb:
>> Is nobody else losing their Outlook profile/path to pst when using 
>> roaming profiles?
>> 
>> Doug P
>> 
>> Douglas Phillipson wrote:
>>> We are having a problem getting the path to the Outlook PST file to 
>>> move from machine to machine using roaming profiles (Samba 
>3.0.10 on 
>>> RHEL 4).  When a user logs off on one machine and logs on 
>to another, 
>>> the outlook path to the PST file is gone.  I found this 
>message in the 
>>> archive back in 2002 but I see no resolution for it:
>>>
>>> http://lists.samba.org/archive/samba/2002-July/047507.html
>>>
>>> Here is the text from that post:
>>>
>>> Does anybody know how to manage roaming profiles with 
>outlook 2002 ? I
>>> have XP boxes with roaming profiles and all work fine. The 
>only problem
>>> is that
>>> XP doesn´t export the path where outlook stores ist .pst 
>file. This is
>>> not the problem for the .pst file where outlook stores 
>contacts and so.
>>> The path of the normal pst is on a network drive.  But I 
>have an IMAP
>>> mail account for every user and if you configure outlook for imap it
>>> creates another .pst file under the normal path ...Local
>>> Settings../outlook/
>>> I am not able to store this file under a different path 
>e.g. a network
>>> drive. I think that there are 2 ways for my problem:
>>>
>>> 1.) show outlook the path to a network drive for the imap 
>pst as I did
>>> it for the normal pst --> I don´t know how
>>>
>>> 2.) export the whole outlook path under local settings -->
>>>
>>> It works, but not for a long time:
>>>
>>> After you create an outlook account for the first time, 
>outlook adds a
>>> registry entry under
>>>
>>> HKEY_CURRENT_USER\Software\Microsoft\Windows 
>NT\CurrentVersion\Winlogon
>>> --> ExcludeProfileDirs
>>>
>>> In this entry you can add directories of the roaming profile not to
>>> export. --> because of that, the outlook pst would not 
>exported with the
>>> roaming profile. If I delete this entry on all workstations 
>under the
>>> default and the user profile of the registry it works for some time.
>>> But after some time, I don´t know why the entry is back in 
>the registry
>>> to not export the outlook folder.
>>>
>>> Does anybody have an idea ?
>>>
>>> Regards sven
>>>
>>> Has anybody else seen this problem or found a resolution?
>>>
>>> Thanks
>>>
>>> Doug P
>
>-- 
>Mit freundlichen Gruessen
>Best Regards
>Robert Schetterer
>
>robert_at_schetterer_dot_org
>Munich / Bavaria / Germany
>https://www.schetterer.org
>

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba