[Samba] passwd: Authentication token manipulation error
hi there,

I've got my RHEL4 Mail server authenticating against Active Directory using winbind. When I log in and try to reset my password using the 'passwd' command I get this error message:

passwd: Authentication token manipulation error

Is there something I'm meant to do before I can change my ADS password on a unix machine using winbind? Can I?

Here is my smb.conf file:

workgroup = myodmain
security = ads
realm = MYDOMAIN.COM
encrypt passwords = yes
username map = /etc/samba/smbusers
winbind uid = 1-2
winbind gid = 1-2
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%u
template shell = /bin/bash

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] giving user rights to files
> I have a Samba 3.0.22 server working as domain controller. When a user
> copy a file to a share, the file is owned by user root and group "no
> group" , not by the user and its group.
> All the users are in an LDAP directory, authentication works good, all
> groups are declared in LDAP too.
>
> What should I do to have the file with the right owner/group
> membership ?

Are you running winbindd? You'll need this before your non-UNIX users can own files. Once it's working, you should be able to do something like "chown DOMAIN\\user text.txt".

> For groups, I maybe have to use the group map command. But for users ?

Group mapping (in my experience) doesn't work that well with winbind - but winbind handles groups as well as users, so that shouldn't be a problem.

One thing to bear in mind is that any new files created will be owned by the user's *primary* group (which is probably 'Domain Users') but you can make new files belong to the same group as the folder by running "chmod g+s ." - then any new files created in that folder will belong to the same group as the folder itself.

Cheers,
Adam.
Re: [Samba] no route to host
Alessio Bandini wrote:

> Hello,
> First of all sorry for my English.
> I am experiencing with Samba and I have a problem. I have an old server (OLD) with Red Hat 9 and Samba 2.2.7a that is working well. Now I try to start up a new server (NEW) with Red Hat Enterprise 4 and Samba 3.0.22.
> If I try to connect from NEW to itself by using smbclient I got the shared resources list correctly.
> If I try to connect to NEW from OLD, always using smbclient, I receive the message:
>
> added interface ip=XXX.XXX.XXX.XXX bcast=XXX.XXX.X.255 nmask=255.255.255.0
> error connecting to YYY.YYY.YYY.YYY:139 (No route to host)

If you have a firewall on the new server that rejects access to port 139, one would expect this behavior. There should be a firewall setup program. Make sure to allow access to smb ports 137-138 and 445. I've not used RH Enterprise 4, but Fedora, an offshoot, the rpm is system-config-securitylevel and so is the command name to run the program.

> Error connecting to YYY.YYY.YYY.YYY (No route to host)
> Connection to YYY.YYY.YYY.YYY failed
>
> Supposing that XXX.XXX.XXX.XXX is the OLD server address and YYY.YYY.YYY.YYY is the NEW server address.
> I try to find in documentation and in other resources but I found nothing.
> Could you help me. Thank you.

Regards,
Doug
Re: [Samba] winbind crashes after clean build of 3.0.22
Paul Hoehne wrote:

> Net ads join -U% appears to work. The machine is joined to the domain. Is there any way I can verify this through secrets.tdb?

"net ads testjoin" should do the trick.

-TL
RE: [Samba] winbind crashes after clean build of 3.0.22
Net ads join -U% appears to work. The machine is joined to the domain. Is there any way I can verify this through secrets.tdb?

Paul

-----Original Message-----
From: Volker Lendecke [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 17, 2006 2:53 AM
To: Paul Hoehne
Cc: samba@lists.samba.org
Subject: Re: [Samba] winbind crashes after clean build of 3.0.22

On Tue, May 16, 2006 at 06:34:53PM -0400, Paul Hoehne wrote:
> [2006/05/16 18:22:23, 0] lib/util.c:smb_panic2(1554)
>
> PANIC: Could not fetch our SID - did we join?

It would be interesting to see the answer to the question winbind is asking you here. Did you successfully do a net join?

Volker
Re: [Samba] samba ldap domain join
Still haven't found any resolution for this problem. I tried using a "-t" parameter with smbldap-passwd, but that didn't make any difference. The debug output still shows that it simply can't find the created computer account, even though it creates it in the right ou.

I wish there was a way to not have to deal with computer accounts at all.

Here's the relevant part of debug output. Machine name is cia.

Finding user cia$
Trying _Get_Pwnam(), username as lowercase is cia$
Checking combinations of 0 uppercase letters in cia$
Get_Pwnam_internals didn't find user [cia$]!
_samr_create_user: Running the command `/usr/local/samba/sbin/smbldap-useradd -t 5 -n -d /dev/null -s /bin/false -w "cia"' gave 0
Finding user cia$
Trying _Get_Pwnam(), username as lowercase is cia$
Checking combinations of 0 uppercase letters in cia$
Get_Pwnam_internals didn't find user [cia$]!
cia (192.168.1.94) closed connection to service IPC$

Some other relevant config parts (the actual config files have correct dns).

Domain Admins (S-1-5-21-572523613-314456280-397268875-512) -> sambaadmins
Domain Users (S-1-5-21-572523613-314456280-397268875-513) -> admins
Domain Guests (S-1-5-21-572523613-314456280-397268875-514) -> users
Domain Computers (S-1-5-21-572523613-314456280-397268875-515) -> guests

init_sam_from_ldap: Entry found for user: administrator
Home server: brutus
Home server: brutus
---
Unix username:administrator
NT username: administrator
Account Flags:[U ]
User SID: S-1-5-21-572523613-314456280-397268875-500
Primary Group SID:S-1-5-21-572523613-314456280-397268875-1041
Full Name:administrator
Home Directory: \\brutus\administrator
HomeDir Drive:
Logon Script:
Profile Path: \\brutus\administrator\profile
Domain: LDAPAUTH
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: Mon, 18 Jan 2038 22:14:07 EST
Kickoff time: Mon, 18 Jan 2038 22:14:07 EST
Password last set:Mon, 15 May 2006 10:00:52 EDT
Password can change: Mon, 08 May 2006 14:39:02 EDT
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password : 0
Bad password count : 0
Logon hours : FF

--

> smb.conf
>
> add user script = /usr/local/samba/sbin/smbldap-useradd -n "%u"
> add machine script = /usr/local/samba/sbin/smbldap-useradd -n -d /dev/null -s /bin/false -w "%m"
> ldap suffix = dc=mydomain,dc=com
> ldap admin dn = "cn=Directory Manager"
> ldap group suffix = ou=groups,dc=mydomain,dc=com
> ldap idmap suffix = ou=idmap,dc=mydomain,dc=com
> ldap machine suffix =ou=computers,dc=mydomain,dc=com
> ldap ssl = no
> ldap user suffix = ou=people
> idmap backend = ldapsam:ldap://myldapserver
> idmap uid = 1-3
> idmap gid = 1-3
>
> smb-ldap.conf
>
> suffix="dc=mydomain,dc=com"
> usersdn="ou=People,${suffix}"
> computersdn="ou=computers,${suffix}"
> groupsdn="ou=Groups,${suffix}"
> idmapdn="ou=idmap,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=LDAPAUTH,${suffix}"
[Samba] giving user rights to files
Hi list,

I have a Samba 3.0.22 server working as domain controller. When a user copies a file to a share, the file is owned by user root and group "no group", not by the user and its group.
All the users are in an LDAP directory, authentication works good, all groups are declared in LDAP too.

What should I do to have the file with the right owner/group membership?

For groups, I maybe have to use the group map command. But for users?

Thanks for any answer you could give me,

Valéry Roché
[Samba] Multiple Clients, Winbind and idmap in LDAP, documentation incorrect?
Hi!

I have a setup with several Linux machines running samba-3.0.22-10.1.17 (from SuSE 10 OSS), authenticating against an AD. Since one of the machines is exporting an NFS share mounted by the rest of the machines, I need SID <-> uid/gid mapping to be shared between all Linux machines, which led me into using an OpenLDAP server as idmap backend. My smb.conf is found at the end of this mail.

I got this working, but several questions were raised during implementation:

*) The documentation, more specifically chapter 13 in the official howto, doesn't seem to cover this kind of setup. Both "IDMAP Storage in LDAP Using Winbind" and "IDMAP and NSS Using LDAP from ADS with RFC2307bis Schema Extension" talk about using nss_ldap to fetch account information. This doesn't work very well in my kind of setup, for several reasons. First, the LDAP database isn't populated with all users automatically, but only "on demand". You have to ask for a user via NSS in order to populate the idmap with that user's SID <-> uid/gid mapping. Also, since there is no posixAccount/posixGroup information added, nss_ldap won't find any users.

Either the documentation is not written for my kind of setup, or it's just plain wrong. I'm a little bit confused on what kind of setup the documentation in question is written for.

*) Even though I use ldap as idmap backend, it seems like /var/lib/samba/winbind_idmap.tdb is still used. Running 'net idmap dump /var/lib/samba/winbindd_idmap.tdb' reveals that entries that I've asked for with 'getent passwd ' or 'getent group ' are stored in the .tdb. Is this intended behaviour, and if so, why? If I for some reason decide I want to wipe out my entire idmap mapping, do I have to remove not only the data in LDAP, but also the winbindd_idmap.tdb on each server?

*) Mapping of numerical user id to username and numerical group id to groupname seems to work only for users/groups that have been asked for using the username as key in NSS on the same server. This is confusing in my setup, since one of the machines is exporting an NFS share with home directories to the other machines. For example, if a user has been logged in to machine1 but not to machine2, doing an 'ls /home' on machine2 will not list the username owning the home directory of the user, but instead the numerical id of the user.

In this case, I would expect winbind to try to search the LDAP backend for the uidNumber, find the SID added when the user logged in to machine1, and then look up the username in the AD. Perhaps there's a good reason this doesn't happen?

-- begin smb.conf --
[global]
idmap uid = 1-5
idmap gid = 1-5
template shell = /bin/bash
winbind separator = +
winbind use default domain = true
winbind enum groups = yes
winbind enum users = yes
workgroup = UTB
security = ads
realm = utb.example.com
password server = *
wins server = 192.168.5.12 192.168.5.3
# client use spnego = yes
encrypt passwords = yes
# client schannel = no
# disable netbios = yes
idmap backend = ldap:ldap://tl1.utb.example.com
ldap admin dn = cn=manager,ou=idmap
ldap suffix = ou=idmap
-- end smb.conf --

Thanks,
\EF
--
Erik Forsberg                OpenSource-based Thin Client Technology
Systems Analyst/Developer    Phone: +46-13-21 46 00
Cendio AB                    Web: http://www.cendio.com
[Samba] Domain logins: 2 small issues
Hey gang,

I've managed to get samba servers working as PDCs/BDCs with LDAP backend for replication. Working fine.

Here are my problems:

1) A new machine will not join the domain on the first attempt. Apparently samba creates the machine account but can't authenticate it. I have to attempt to join a second time for it to authenticate and succeed. This isn't that big of a deal, and if I don't figure it out, I'm not in a major bind.

2) After a machine joins a domain, EVERYTHING in msconfig is gibberish. Looking in the registry, every entry now has either a "C" or just "" for its entry. Also, the machines now pop up the system32 folder on login. This is the one I *REALLY* need help with.

My smb.conf is as follows:

--
[global]
netbios name =
workgroup =
server string =
security = user
hosts allow =
log file = /var/log/samba.%m
max log size = 50
log level = 1
passdb = ldapsam:ldap://127.0.0.1
socket options = TCP_NODELAY
interfaces =
local master = yes
os level = 64
domain master = yes
preferred master = auto
domain logins = yes

# LDAP authentication stuff:
ldap admin dn = cn=Manager,dc=,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=,dc=com
ldap user suffix = ou=Users
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 1-2
idmap gid = 1-2

logon script = logon.bat
logon path =
logon drive = H:
wins support = yes
wins proxy = no
dns proxy = no

# domain scripts
add user script = /usr/local/sbin/smbldap-useradd -a '%u'
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
delete user script = /usr/local/sbin/smbldap-userdel '%u'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'

# Share Definitions ==
[homes]
comment = Home Directories
browseable = no
writable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /usr/local/samba/lib/netlogon
guest ok = yes
writable = no
share modes = no

[shared]
comment = Shared Space
path = /usr/local/share/common
public = yes
writable = yes
printable = no
create mask = 777
-- end smb.conf

Any help/suggestions is greatly appreciated.

Thanks!
-- Rob
[Samba] no route to host
Hello,

First of all sorry for my English.

I am experiencing with Samba and I have a problem. I have an old server (OLD) with Red Hat 9 and Samba 2.2.7a that is working well. Now I try to start up a new server (NEW) with Red Hat Enterprise 4 and Samba 3.0.22.

If I try to connect from NEW to itself by using smbclient I got the shared resources list correctly.

If I try to connect to NEW from OLD, always using smbclient, I receive the message:

added interface ip=XXX.XXX.XXX.XXX bcast=XXX.XXX.X.255 nmask=255.255.255.0
error connecting to YYY.YYY.YYY.YYY:139 (No route to host)
Error connecting to YYY.YYY.YYY.YYY (No route to host)
Connection to YYY.YYY.YYY.YYY failed

Supposing that XXX.XXX.XXX.XXX is the OLD server address and YYY.YYY.YYY.YYY is the NEW server address.

I try to find in documentation and in other resources but I found nothing.

Could you help me. Thank you.
[Samba] Problem compiling NDOUtils 1.3.1
Hi all,

I'm having problems compiling NDOUtils for use with MySQL. I've googled for NDOUtils, NDOUtils and Mysql. But I'm not having any luck. I've tried specifying the --with-mysql-lib and --with-mysql-inc but with no luck.

The message I'm getting when I run configure is below:

checking for mysql_store_result in -lmysqlclient... no

*** MySQL library could not be located... **

You chose to compile NDBXT with MySQL support, but I was unable to locate the MySQL library on your system. If the library is installed, use the --with-mysql-lib argument to specify the location of the MySQL library.

NOTE: After you install the necessary libraries on your system:
1. Make sure /etc/ld.so.conf has an entry for the directory in which the MySQL libraries are installed.
2. Run 'ldconfig' to update the run-time linker options.
3. Run 'make devclean' in the NDBXT distribution to clean out any old references to your previous compile.
4. Rerun the configure script.

TIP: Try the following
./configure --with-mysql-lib=/usr/lib/mysql

checking mysql/mysql.h usability... no
checking mysql/mysql.h presence... no
checking for mysql/mysql.h... no

*** MySQL include file could not be located... **

You chose to compile NDBXT with MySQL support, but I was unable to locate on your system. If the include file is installed, use the --with-mysql-inc argument to specify the location of the MySQL include file.

Josh
[EMAIL PROTECTED]
[Samba] Mac OSX 10.4.6 and Samba going down
We have a wonderful new mac server running osx 10.4.6 but infrequently the nmbd needs to be killed and relaunched in order to get my windows shares working again. (shares are on a windows 2000 server)

Check out the last lot of logs. I have spoken to a few people in the Australian Mac community and there seems to be a common theme.

  Initiating sync with domain master browser OSXSERVER<20> at IP 10.0.0.13 for workgroup TOMKINO$
[2006/04/16 15:08:45, 2] /SourceCache/samba/samba-92.9/samba/source/nmbd/nmbd_synclists.c:sync_br$
  Initiating browse sync for TK to NTSERVER(10.0.0.2)
[2006/04/16 15:08:45, 2] /SourceCache/samba/samba-92.9/samba/source/nmbd/nmbd_synclists.c:complet$
  sync with NTSERVER(10.0.0.2) for workgroup TK completed (2 records)
[2006/04/16 15:13:56, 2] /SourceCache/samba/samba-92.9/samba/source/nmbd/nmbd_synclists.c:sync_br$
  Initiating browse sync for TK to NTSERVER(10.0.0.2)
[2006/04/16 15:13:56, 2] /SourceCache/samba/samba-92.9/samba/source/nmbd/nmbd_synclists.c:complet$
  sync with NTSERVER(10.0.0.2) for workgroup TK completed (2 records)
[2006/04/16 15:16:11, 0] /SourceCache/samba/samba-92.9/samba/source/nmbd/nmbd.c:terminate(56)
  Got SIGTERM: going down...
Re: [Samba] Write access doesn't grant delete access?!
Maybe it's related to the Samba version you're using?!?
Did you try with 3.0.14a and 3.0.2x?

greez

Adam Nielsen wrote:
>> is the file set "read-only" in windows properties view?
>
> Nope, none of the main attributes are ticked - but like I say, on the Advanced settings on the Security tab, none of the users have Delete access to the file (but some of them do have write access, which does explain how I can modify the file.)
>
> Cheers,
> Adam.

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374
Fax: 49 (0)341 - 3550 399
[Samba] access denied for License manager on Win2000
Hi,

I don't remember if it's the first time I'm accessing the license manager on a Win2000-server machine since the transfer of my NT-PDC to samba 3.0.20b, but now I can't access it. I get the message that I have to be administrator on the domain (translation from Dutch: "To open LicenseManager, you have to be manager of the domain where the licenseinformation of your network is stored. If you are servermanager, you can manage the licenses via LicenseManager of the ControlPanel").

Unfortunately I am logged in as domain-administrator. Even if I log in as user "root" of the PDC, I'm denied access. I can manage users and machines with those user-names, so I don't know what's happening.

Any suggestions where I should look to solve this? Could it be that this information was stored on the old PDC, which I removed some time ago (even information about this Win2000-server?)?

Thanks for any help you can provide.

--
Koenraad Lelong
ACE electronics
[Samba] Re: How to handle special characters in filenames
Tried it and it worked! Thanks a bunch Mike!

Cheers,
Henrik

On 16 May 2006 at 17:29, Michael B Allen wrote:

> On Tue, 16 May 2006 10:19:01 +0200
> Henrik Zagerholm <[EMAIL PROTECTED]> wrote:
>
>> Hi,
>> I'm using samba 3.0.21 on a FC 4 box. I'm connecting to Win XP pro clients.
>> Using smbclient I can get and put files which contain '%' in file names.
>> Using libsmbclient smbc_open this is not possible. I get 'No such file or directory Errno::ENOENT' error.
>> Any ideas how to solve this. I guess it has to do with escaping special characters in smb urls but I haven't found the correct way of doing this.
>
> Try standard url escapes %. For example if you have '%' in your path like "p%th" then 0x25 is the hexcode, so you need "p%25th".
>
> Mike
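The escaping described in the reply above, written out as an added example (not code from the thread or from the Samba project): each path component is percent-encoded before the smb:// URL is assembled, so a file name containing '%' reaches the server as a literal character. The function names `smb_escape_component` and `smb_build_url`, the host `winxp` and the share `docs` are assumptions made for illustration; the resulting string is what would be handed to smbc_open.

```c
#include <stdio.h>
#include <string.h>

/* RFC 3986 "unreserved" characters are the only ones copied through as-is. */
static int is_unreserved(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '.' || c == '_' || c == '~';
}

/* Percent-encode one path component (no '/' inside) into out.
 * Returns the encoded length, or -1 if out is too small. */
int smb_escape_component(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;

    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (is_unreserved(c)) {
            if (n + 1 >= outsz) return -1;
            out[n++] = (char)c;
        } else {                      /* '%' becomes "%25", ' ' becomes "%20" */
            if (n + 3 >= outsz) return -1;
            out[n++] = '%';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0F];
        }
    }
    if (n >= outsz) return -1;
    out[n] = '\0';
    return (int)n;
}

/* Build smb://server/share/<escaped path>. path uses '/' as separator;
 * server and share are assumed to be plain names and are copied unescaped.
 * Returns the URL length, or -1 on overflow (out is then unspecified). */
int smb_build_url(const char *server, const char *share, const char *path,
                  char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "smb://%s/%s", server, share);
    if (n < 0 || (size_t)n >= outsz) return -1;
    size_t used = (size_t)n;

    while (*path) {
        size_t len = strcspn(path, "/");
        if (len > 0) {
            char comp[256];
            if (len >= sizeof comp || used + 1 >= outsz) return -1;
            memcpy(comp, path, len);
            comp[len] = '\0';
            out[used++] = '/';
            int w = smb_escape_component(comp, out + used, outsz - used);
            if (w < 0) return -1;
            used += (size_t)w;
        }
        path += len;
        if (*path == '/') path++;
    }
    return (int)used;
}

int main(void)
{
    char url[512];
    /* Constructed sample: host, share and file name are made up. */
    if (smb_build_url("winxp", "docs", "reports/100% done.txt", url, sizeof url) < 0)
        return 1;
    puts(url);
    return 0;
}
```

Escaping per component keeps the '/' separators intact while characters such as '%', '#' and '?' in a file name can no longer be read as URL syntax.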
Re: [Samba] PDC with no roaming profiles ?
Roberto Salvatierra wrote:

> now... if i tweak [profiles] or [netlogon] is there a way to totally stop the roaming profiles from the server ? just have the PDC to authenticate the users, and to serve files to those users ? thank you very much.

Just set the "logon path" option in smb.conf to an empty string and also delete the profile path information that may be attached to each user account in the passdb backend you are using. (With LDAP it is the sambaProfilePath property.)

Kind regards
Wolfgang Ratzka
[Samba] PDC with no roaming profiles ?
hi !

Thanks, now I have my samba up and running fine. I have it configured as a PDC, and all the roaming profiles work, the management, etc. It's all fine.

Now, the client that I'm working for told me (after some days of making it all work) that he sees that the use of roaming profiles in his network is useless.

OK, now he says no roaming profiles!

I have searched around the network and I found that if I edit the windows policies, I can avoid the computer from trying to create roaming profiles using this:

"Start/Run/gpedit.msc
Local Computer Policy/Computer Configuration/Administrative Templates/System/User Profiles/Only Allow Local User Profiles.
Local Computer Policy/Computer Configuration/Administrative Templates/System/User Profiles
Enable both the "Prevent Roaming Profile changes from propagating to the server" setting and the "Only allow local user profiles" setting."

And that works, but I was wondering: is there a way to stop the roaming profiles from the server, instead of from each client?

I have tried some ways, and I always get the "I can't save or find the profile on the server, it will be saved next time it's available" every time I log on.

Now... if I tweak [profiles] or [netlogon] is there a way to totally stop the roaming profiles from the server? Just have the PDC to authenticate the users, and to serve files to those users?

Thank you very much.

R. Salvatierra
http://www.advicemag.com