[Samba] core dumps with 3.0.23c

2006-12-26 Thread Mark Nienberg
I have a fedora core 5 server running samba-3.0.23c-1.fc5 from fedora 
updates.  Recently I changed smb.conf to use security=domain instead of 
security=user.  The server that it authenticates against is running 
fedora core 4 with samba-3.0.14a-2.


Anyway, this setup worked just fine for a couple of weeks, but today I 
yum updated many packages including pam, glibc and kernel on the fedora 
5 server and now, anytime I access a share that includes a setting like


valid users = @someGroup
or
admin users = @someOtherGroup

I get an smbd core dump.

If I comment out the line above and restart smb, then all is well.

Any ideas much appreciated.  Thanks,
Mark

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] password strenght doubt

2006-12-26 Thread beast

Guido Lorenzutti wrote:
> Maybe I can do this with the "check password script". But I only found
> the cracklib example. Does anyone know a way of doing this? Because the
> cracklib example only checks against a dictionary.
>
> Thanks in advance.

Just make a simple script that checks that the input password is a
combination of UPPERCASE, lowercase, numb3rs and other sp3c1a!ch4r4ct3r#.


--beast
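
A script of the kind suggested above, as an added example that is not from the list posters or the Samba project: smbd passes the candidate password to the `check password script` on stdin and accepts it only on exit status 0. The install name `check-password-policy.sh`, the `MIN_LEN` value and the one-of-each-class rule are assumptions; `SAMBA_CPS_ACCOUNT_NAME` is exported only by later Samba releases, not the 3.0.x discussed in this thread, so the account-name check is skipped when it is unset.

```shell
#!/bin/sh
# Added example (not from the thread): policy checker meant to be wired in as
#   check password script = /usr/local/sbin/check-password-policy.sh
# The path and script name are hypothetical. smbd writes the candidate
# password to stdin; exit status 0 accepts it, anything else rejects it.

MIN_LEN=8   # assumed site policy, adjust as needed

# count_class SET STRING: print how many bytes of STRING fall in tr(1) SET.
count_class() {
    printf '%s' "$2" | LC_ALL=C tr -cd "$1" | wc -c | tr -d ' '
}

# check_password PASSWORD [ACCOUNT]: return 0 if PASSWORD meets the policy.
# The reason for a rejection goes to stderr so it can be logged.
check_password() {
    cp_pw=$1
    cp_account=${2:-}

    # Length is counted in bytes so the result does not depend on the locale.
    cp_total=$(printf '%s' "$cp_pw" | wc -c | tr -d ' ')
    if [ "$cp_total" -lt "$MIN_LEN" ]; then
        echo "rejected: shorter than $MIN_LEN characters" >&2
        return 1
    fi

    # Require at least one uppercase letter, lowercase letter and digit.
    for cp_set in 'A-Z' 'a-z' '0-9'; do
        if [ "$(count_class "$cp_set" "$cp_pw")" -lt 1 ]; then
            echo "rejected: no character from $cp_set" >&2
            return 1
        fi
    done

    # "Special" means anything that is not an ASCII letter or digit.
    cp_alnum=$(count_class 'A-Za-z0-9' "$cp_pw")
    if [ $((cp_total - cp_alnum)) -lt 1 ]; then
        echo "rejected: no special character" >&2
        return 1
    fi

    # Reject passwords that contain the account name (case-insensitive).
    # Very short names are ignored to avoid rejecting nearly everything.
    if [ "${#cp_account}" -ge 3 ]; then
        cp_lpw=$(printf '%s' "$cp_pw" | LC_ALL=C tr 'A-Z' 'a-z')
        cp_lacct=$(printf '%s' "$cp_account" | LC_ALL=C tr 'A-Z' 'a-z')
        case $cp_lpw in
            *"$cp_lacct"*)
                echo "rejected: contains the account name" >&2
                return 1 ;;
        esac
    fi
    return 0
}

# Act as the check password script only when run under the assumed install
# name; sourcing the file (for testing) just defines the functions.
if [ "${0##*/}" = "check-password-policy.sh" ]; then
    # Accept input with or without a trailing newline.
    IFS= read -r cp_input || [ -n "$cp_input" ] || exit 1
    check_password "$cp_input" "${SAMBA_CPS_ACCOUNT_NAME:-}"
    exit $?
fi
```

Difference-from-old-password and history checks cannot be done here because the script only sees the new password; those remain a job for the PAM modules or the domain account policy.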



Re: [Samba] password strenght doubt

2006-12-26 Thread Cleber P. de Souza

Hi Guido,

There is a set of ways to accomplish such a task.
Some I use are:
1) Set obey pam restrictions = yes in the smb.conf file.
2) Set check password script = /usr/sbin/crackcheck -d /usr/lib/cracklib_dict
This checks the user password against a dictionary. Crackcheck can be
downloaded from samba
(http://people.samba.org/bzr/mwxia/samba-soc/examples/auth/crackcheck/).
The cracklib package must be installed for the dictionary to work.
3) Use pam pam_cracklib to set your password rules for lower/upper
characters, numbers, special characters, etc:
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 lcredit=-1
Or pam_passwdqc for the same thing:
password requisite /lib/security/$ISA/pam_passwdqc.so min=disable,8,8,8,8 max=25 passphrase=0 match=6 similar=deny random=64 enforce=users retry=3
See the man pages for correct options values.
4) You can block users after X retries using pam pam_tally.so, but I
haven't tried this yet.

I think this can help you.


On 12/26/06, Guido Lorenzutti <[EMAIL PROTECTED]> wrote:

Maybe I can do this with the "check password script". But I only found
the cracklib example. Does anyone know a way of doing this? Because the
cracklib example only checks against a dictionary.

Thanks in advance.


Gary Dale wrote:
> I think you'll find at least some of these are Windows Policies and
> would not be reflected in the smb.conf file. If you check the Samba
> Howto collection and the Samba by example documents at samba.org,
> you'll find examples of how to set some of the policies.
>
> To be honest, I've never gone beyond requiring password changes,
> minimum lengths and histories.  :)
>
>
> Guido Lorenzutti wrote:
>> Hi people! I have a few problems with the password strength in Samba.
>> I have a PDC with LDAP on Debian Stable, with a few packages from
>> backports.
>> The problem is that I can't find a way to enforce strength to the
>> passwords of the users. I can't define a policy to force things like:
>> number of uppercase letters, number of downcase letters, number of
>> numbers in the password, to check the difference between the new and
>> the old, to store a list of old passwords to check... I mean, things
>> that are required to enforce some policy of security by my company.
>> Bottom line? The users can put their username for password! Not even
>> that is checked...
>>
>> Is something wrong in my setup or is it a feature request? I see min
>> password length.. but.. the rest?
>>
>>
>> This is the important part of my setup:
>>
>> [global]
>> #Network ID
>>    workgroup = JUSBAIRES
>>    netbios name = PDC
>>    netbios aliases = SERVER
>>    server string =
>>
>> #Logs
>>    debug level = 0
>>    syslog = 0
>>    log level = 0
>>    log file = /var/log/samba/%m.%U.log
>>    max log size = 1
>>    panic action = /usr/share/samba/panic-action %d
>>
>> #Network Support
>>    name resolve order = wins hosts lmhosts bcast
>>    socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE
>>    wins support = yes
>>    wins proxy = yes
>>    enhanced browsing = yes
>>    dns proxy = yes
>>    time server = yes
>>    local master = yes
>>    smb ports = 139
>>
>> #LDAP
>>    ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
>>    ldap suffix = dc=jusbaires,dc=gov,dc=ar
>>    ldap group suffix = ou=Group
>>    ldap user suffix = ou=People
>>    ldap machine suffix = ou=alem,ou=Computers
>>    ldap delete dn = no
>>    ldap passwd sync = yes
>>
>> #Printer Options
>>    printcap name = /dev/null
>>    printing = bsd
>>    load printers = no
>>
>> #Security Options
>>    admin users = administrador lgiacchetta
>>    enable privileges = yes
>>    preferred master = yes
>>    lm announce = yes
>>    domain master = yes
>>    domain logons = yes
>>    encrypt passwords = yes
>>    pam password change = yes
>>    passdb backend = ldapsam:"ldap://127.0.0.1 ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar";
>>    passwd chat debug = no
>>    check password script = /usr/local/bin/crackcheck -d /var/cache/cracklib/cracklib_dict
>>    unix charset = 850
>>    dont descend = .recycle
>>    delete veto files = yes
>>    restrict anonymous = 1
>>
>> #Profiles stuff
>>    logon script = netlogon.%U.bat
>>    logon path = \\PDC\profiles\%U
>>    logon home = \\PDC\personal
>>    logon drive = H:
>>    hide files = /Desktop.ini/desktop.ini/
>>    hide dot files = yes
>





--
***
Cleber P. de Souza


Re: [Samba] Re: PPP + ntlm_auth

2006-12-26 Thread Andrew Bartlett
On Thu, 2006-11-30 at 19:17 -0500, Sebastien wrote:
> Luis Daniel Lucio Quiroz wrote:
> > CHAP and any other variant won't work because password does not fly across
> > internet, CHAP uses a hash to crypt one way password and sends that to
> > server.
> > Because server has a hash also (no same algorithm) it fails.  If you want
> > to use chap you must use clear text passwords on server (no hashes) but
> > it's a security issue
> 
> Thanks for your response Luis!
> At least, now I'm aware that there's no solution!

(just a late correction for the archives...)

Indeed, for the original CHAP there isn't a solution, but for MSCHAP,
this is meant to work, that is the point of the plugin (the AD server
holds the magic values, the hashes, required).  What user are you
running ntlm_auth as?  Can it access the winbindd privileged pipe?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com



Re: [Samba] password strenght doubt

2006-12-26 Thread Guido Lorenzutti
Maybe I can do this with the "check password script". But I only found
the cracklib example. Does anyone know a way of doing this? Because the
cracklib example only checks against a dictionary.

Thanks in advance.


Gary Dale wrote:
I think you'll find at least some of these are Windows Policies and 
would not be reflected in the smb.conf file. If you check the Samba 
Howto collection and the Samba by example documents at samba.org, 
you'll find examples of how to set some of the policies.


To be honest, I've never gone beyond requiring password changes, 
minimum lengths and histories.  :)



Guido Lorenzutti wrote:

Hi people! I have a few problems with the password strength in Samba.
I have a PDC with LDAP on Debian Stable, with a few packages from
backports.
The problem is that I can't find a way to enforce strength to the
passwords of the users. I can't define a policy to force things like:
number of uppercase letters, number of downcase letters, number of
numbers in the password, to check the difference between the new and
the old, to store a list of old passwords to check... I mean, things
that are required to enforce some policy of security by my company.
Bottom line? The users can put their username for password! Not even
that is checked...

Is something wrong in my setup or is it a feature request? I see min
password length.. but.. the rest?



This is the important part of my setup:

[global]
#Network ID
   workgroup = JUSBAIRES
   netbios name = PDC
   netbios aliases = SERVER
   server string =

#Logs
   debug level = 0
   syslog = 0
   log level = 0
   log file = /var/log/samba/%m.%U.log
   max log size = 1
   panic action = /usr/share/samba/panic-action %d

#Network Support
   name resolve order = wins hosts lmhosts bcast
   socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE
   wins support = yes
   wins proxy = yes
   enhanced browsing = yes
   dns proxy = yes
   time server = yes
   local master = yes
   smb ports = 139

#LDAP
   ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
   ldap suffix = dc=jusbaires,dc=gov,dc=ar
   ldap group suffix = ou=Group
   ldap user suffix = ou=People
   ldap machine suffix = ou=alem,ou=Computers
   ldap delete dn = no
   ldap passwd sync = yes

#Printer Options
   printcap name = /dev/null
   printing = bsd
   load printers = no

#Security Options
   admin users = administrador lgiacchetta
   enable privileges = yes
   preferred master = yes
   lm announce = yes
   domain master = yes
   domain logons = yes
   encrypt passwords = yes
   pam password change = yes
   passdb backend = ldapsam:"ldap://127.0.0.1 ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar";
   passwd chat debug = no
   check password script = /usr/local/bin/crackcheck -d /var/cache/cracklib/cracklib_dict
   unix charset = 850
   dont descend = .recycle
   delete veto files = yes
   restrict anonymous = 1

#Profiles stuff
   logon script = netlogon.%U.bat
   logon path = \\PDC\profiles\%U
   logon home = \\PDC\personal
   logon drive = H:
   hide files = /Desktop.ini/desktop.ini/
   hide dot files = yes






RE: [Samba] Heimdal or MIT kerberos comparison

2006-12-26 Thread Andrew Bartlett
On Tue, 2006-12-26 at 16:28 -0600, James A. Dinkel wrote:
> > -Original Message-
> > From: Andrew Bartlett
> > Sent: Saturday, December 23, 2006 3:42 PM
> > 
> > The biggest thing users will notice is that the error message system
> > returns contextual errors, with the actual reason for the failure, not
> > just the translated code.  It often includes the vital clues that help
> > fix up the inevitable kerberos issues.
> > 
> > I've used Heimdal in Samba4, particularly because of the close working
> > relationship I have with its primary maintainer.
> > 
> > Andrew Bartlett
> 
> Is this "close working relationship" true of the entire Samba team (or
> at least of anyone involved in coding anything related to Kerberos)?

It's a Samba4 thing, because we bundle kerberos in the distribution. 

> Samba's "Authentication Developer"'s preference of Heimdal over MIT is
> good enough for me, but I would like to put some accurate information in
> the wiki, as it pertains to Samba users.  I went ahead and added a blurb
> to this page: http://wiki.samba.org/index.php/Samba_%26_Kerberos since
> this is the only feedback I've gotten thus far.

Almost all users will use the system kerberos libraries, whatever they
are.  They tend to be difficult to replace.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com



RE: [Samba] Re: [opensuse] Open-source leader leaving Novell for Google

2006-12-26 Thread James A. Dinkel

> -Original Message-
> From: Jeremy Allison
> Sent: Monday, December 25, 2006 12:03 AM
> 
> It's true I'm leaving Novell, but why do you think this means
> I'm not going to be on any Samba lists ? I'm joining Google on
> 2nd Jan, and believe me when I tell you they're *very* interested
> in me spending all my time on Samba :-) :-).
> 
> As Herb once said to me, "Same job, different office" :-) :-).
> 
> Jeremy.

Good luck at Google.  I hope they treat you and samba (and therefore, us
;)) good.



RE: [Samba] Heimdal or MIT kerberos comparison

2006-12-26 Thread James A. Dinkel
> -Original Message-
> From: Andrew Bartlett
> Sent: Saturday, December 23, 2006 3:42 PM
> 
> The biggest thing users will notice is that the error message system
> returns contextual errors, with the actual reason for the failure, not
> just the translated code.  It often includes the vital clues that help
> fix up the inevitable kerberos issues.
> 
> I've used Heimdal in Samba4, particularly because of the close working
> relationship I have with its primary maintainer.
> 
> Andrew Bartlett

Is this "close working relationship" true of the entire Samba team (or
at least of anyone involved in coding anything related to Kerberos)?
Samba's "Authentication Developer"'s preference of Heimdal over MIT is
good enough for me, but I would like to put some accurate information in
the wiki, as it pertains to Samba users.  I went ahead and added a blurb
to this page: http://wiki.samba.org/index.php/Samba_%26_Kerberos since
this is the only feedback I've gotten thus far.



[Samba] Samba shares on Linux machine get disconnected after ~ 1 min

2006-12-26 Thread Helge Schichlein

Hi,

I have Samba 3.0.13 running on Suse 9.2 on an i586.

I can browse and connect to the Samba shares on the Linux machine from Windows 
XP and Mac OSX.


However, about 1 min after connecting, the shares are lost and gone from the 
network environment - same for Windows XP and Mac OSX. From time to time, they 
"re-appear" only to be gone after another minute or so.


The Windows shares mounted on the Linux machine work fine.

Is this a known problem?

Regards, Helge

---

This is my smb.conf-file:


# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2005/02/19 17:41:36

# Global parameters
[global]
workgroup = kauai
server string = Samba 3.0.13 at napali.kauai.de
map to guest = Bad User
username map = /etc/samba/smbusers
printcap cache time = 750
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
printer admin = @ntadmin, root, administrator
cups options = raw
include = /etc/samba/dhcp.conf
add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = No
domain master = No
security = user

[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/

[pdf]
comment = PDF creator
path = /var/tmp
create mask = 0600
printable = Yes
print command = /usr/bin/smbprngenpdf -J '%J' -c %c -s %s -u '%u' -z %z

[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = Yes
browseable = No

[helge]
comment = Helges ~-Verzeichnis
path = /home/helge
read only = No

[archive]
comment = Archiv: Software, Musik, Bilder, Filme, etc.
path = /archive
read only = No

[backup]
comment = Backup: /home/helge, /etc, /root, /boot
path = /backup
read only = No

[hostfs]
comment = napali host-filesystem
path = /



[Samba] Samba shares lost from Windows/Mac after ~ 1 min

2006-12-26 Thread Helge Schichlein

Hi,

I have Samba 3.0.13 running on Suse 9.2 on an i586.

I can browse and connect to the Samba shares on Windows XP and Mac OSX.

However, about 1 min after connecting, the shares are lost and gone from the 
network environment - same for Windows XP and Mac OSX.


The Windows shares mounted on the Linux machine work fine.

Is this a known problem?

Regards, Helge

---

This is my smb.conf-file:


# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2005/02/19 17:41:36

# Global parameters
[global]
workgroup = kauai
server string = Samba 3.0.13 at napali.kauai.de
map to guest = Bad User
username map = /etc/samba/smbusers
printcap cache time = 750
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
printer admin = @ntadmin, root, administrator
cups options = raw
include = /etc/samba/dhcp.conf
add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = No
domain master = No
security = user

[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/

[pdf]
comment = PDF creator
path = /var/tmp
create mask = 0600
printable = Yes
print command = /usr/bin/smbprngenpdf -J '%J' -c %c -s %s -u '%u' -z %z

[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = Yes
browseable = No

[helge]
comment = Helges ~-Verzeichnis
path = /home/helge
read only = No

[archive]
comment = Archiv: Software, Musik, Bilder, Filme, etc.
path = /archive
read only = No

[backup]
comment = Backup: /home/helge, /etc, /root, /boot
path = /backup
read only = No

[hostfs]
comment = napali host-filesystem
path = /



Re: [Samba] Re: SOLVED [cups] print_job: Unsupported format "application/octet-stream"

2006-12-26 Thread Chris Smith
On Tuesday 26 December 2006 15:40, Chris Worley wrote:
> The attached message is 2001, but was the top of the list in a Google
> search for the error message.
>
> The same solution fixed a SuSE 9.3 Samba/Cups problem for a Brother
> MFC 3360C printer.

No longer necessary unless you're running old versions - man smb.conf and see 
the "cups options" parameter. In fact the man page even describes your error 
condition.

Chris


Re: [Samba] Re: [opensuse] Open-source leader leaving Novell for Google

2006-12-26 Thread Jeremy Allison
On Tue, Dec 26, 2006 at 02:45:49PM -0600, Chris Garrigues wrote:
> 
> What I really meant is "Why are they very interested in Samba?"  I'm having a 
> hard time imagining the Samba-based offering that Google might have in mind, 
> but the idea is intriguing enough that I can't stop thinking about it.

Yes I know what you meant :-). I was being deliberately obtuse :-).
Unfortunately I can't comment on that at this time, sorry.

Jeremy.


Re: [Samba] Re: [opensuse] Open-source leader leaving Novell for Google

2006-12-26 Thread Chris Garrigues
> From:  Jeremy Allison <[EMAIL PROTECTED]>
> Date:  Tue, 26 Dec 2006 12:42:03 -0800
>
> On Tue, Dec 26, 2006 at 12:54:52PM -0600, Chris Garrigues wrote:
> > 
> > I must admit to being intrigued as to why they're *very* interested in your
> > working on Samba fulltime.  Is it just to poke at the folks in Redmond or
> > is there more to it than that?
> 
> Not everything is about Microsoft :-). No, as far as I can tell
> they (and I) have no interest in poking Redmond, they're just very
> interested in Samba.

What I really meant is "Why are they very interested in Samba?"  I'm having a 
hard time imagining the Samba-based offering that Google might have in mind, 
but the idea is intriguing enough that I can't stop thinking about it.

Chris

-- 
Chris Garrigues Trinsic Solutions
President   710-B West 14th Street
Austin, TX  78701-1755

512-322-0180    http://www.trinsics.com

 Would you rather proactively pay for
uptime or reactively pay for downtime?

  Trinsic Solutions
 Your Proactive IT Management Partner




Re: [Samba] Re: [opensuse] Open-source leader leaving Novell for Google

2006-12-26 Thread Jeremy Allison
On Tue, Dec 26, 2006 at 12:54:52PM -0600, Chris Garrigues wrote:
> 
> I must admit to being intrigued as to why they're *very* interested in your 
> working on Samba fulltime.  Is it just to poke at the folks in Redmond or is 
> there more to it than that?

Not everything is about Microsoft :-). No, as far as I can tell
they (and I) have no interest in poking Redmond, they're just very
interested in Samba.

Jeremy.


[Samba] Re: SOLVED [cups] print_job: Unsupported format "application/octet-stream"

2006-12-26 Thread Chris Worley

The attached message is 2001, but was the top of the list in a Google
search for the error message.

The same solution fixed a SuSE 9.3 Samba/Cups problem for a Brother
MFC 3360C printer.

Thanks!


Original message:

 Bill Schoolcraft  bill at wiliweld.com
 Sat Dec 29 13:36:02 GMT 2001
Gustavo Courault has solved this for me with
the following advice and I have enclosed my smb.conf file in case it
may help anyone, I'm running Samba-2.2.2 and CUPS printing to an
Epson-777 inkjet via an Edimax $40 printserver attached to the back of
the printer with a static IP address assigned to the printer.

My OS is RedHat-6.2



I uncomment the line in the /etc/cups/mime.types file:

application/octet-stream

and in the /etc/cups/mime.convs file:

*/*  application/vnd.cups-raw



--
Bill Schoolcraft
PO Box 210076 -o)
San Francisco CA 94121 /\
"UNIX, A Way Of Life."_\_v
http://forwardslashunix.com


-- next part --

# You need to uncomment two lines in two files #
# /etc/cups/mime.types uncomment the line at   #
# the end of the file that says:   #
# -> application/octet-stream <--- #
# and in the file called /etc/cups/mime.convs  #
# you need to uncomment the line that says:#
# -> */*  application/vnd.cups-raw <-  #


[global]

workgroup = WORKGROUP
passwd program = /usr/bin/passwd
log level = 3
server string = Samba Server
hosts allow = 192.168.7.  127.
log file = /usr/local/samba/var/log.%m
max log size = 50
security = share
encrypt passwords = yes
socket options = TCP_NODELAY
dns proxy = no
null passwords = yes
guest ok = yes
show add printer wizard = no
##
# Global Printer Stuff Below #
##
use client driver = yes
disable spoolss = yes
load printers = yes
printcap name = cups
printing = cups


# End of Global Section#


[homes]
   browseable = yes
   writable = yes

[printers]
   printer name = epson777
   path = /tmp
   printable = yes
   browseable = yes




Re: [Samba] Re: [opensuse] Open-source leader leaving Novell for Google

2006-12-26 Thread Chris Garrigues
> From:  Jeremy Allison <[EMAIL PROTECTED]>
> Date:  Sun, 24 Dec 2006 22:02:32 -0800
>
> It's true I'm leaving Novell, but why do you think this means
> I'm not going to be on any Samba lists ? I'm joining Google on
> 2nd Jan, and believe me when I tell you they're *very* interested
> in me spending all my time on Samba :-) :-).

I must admit to being intrigued as to why they're *very* interested in your 
working on Samba fulltime.  Is it just to poke at the folks in Redmond or is 
there more to it than that?

Chris

-- 
Chris Garrigues Trinsic Solutions
President   710-B West 14th Street
Austin, TX  78701-1755

512-322-0180    http://www.trinsics.com

 Would you rather proactively pay for
uptime or reactively pay for downtime?

  Trinsic Solutions
 Your Proactive IT Management Partner




Re: [Samba] Re: [opensuse] Open-source leader leaving Novell for Google

2006-12-26 Thread david rankin

Whew.. God that's good news. Best of luck in the new office!

--
David C. Rankin, J.D., P.E.
510 Ochiltree Street
Nacogdoches, Texas 75961
(936) 715-9333
(936) 715-9339 fax
www.rankinlawfirm.com
--
- Original Message - 
From: "Jeremy Allison" <[EMAIL PROTECTED]>

To: "david rankin" <[EMAIL PROTECTED]>
Cc: "opensuse" ; "samba" 
Sent: Monday, December 25, 2006 12:02 AM
Subject: Re: [Samba] Re: [opensuse] Open-source leader leaving Novell for 
Google




On Sun, Dec 24, 2006 at 11:11:18PM -0600, david rankin wrote:

Jesus,

   I hope it isn't true. But if it is, we will miss him dearly, both here
and very much so on the Samba list. However I can understand and respect
the decision. Good luck and God speed Jeremy. Jerry, can you pick up the
slack?? An ill wind blows for us all as a result of the MS deal


It's true I'm leaving Novell, but why do you think this means
I'm not going to be on any Samba lists ? I'm joining Google on
2nd Jan, and believe me when I tell you they're *very* interested
in me spending all my time on Samba :-) :-).

As Herb once said to me, "Same job, different office" :-) :-).

Jeremy.





Re: [Samba] password strenght doubt

2006-12-26 Thread Gary Dale
I think you'll find at least some of these are Windows Policies and 
would not be reflected in the smb.conf file. If you check the Samba 
Howto collection and the Samba by example documents at samba.org, you'll 
find examples of how to set some of the policies.


To be honest, I've never gone beyond requiring password changes, minimum 
lengths and histories.  :)



Guido Lorenzutti wrote:

Hi people! I have a few problems with the password strength in Samba.
I have a PDC with LDAP on Debian Stable, with a few packages from
backports.
The problem is that I can't find a way to enforce strength to the
passwords of the users. I can't define a policy to force things like:
number of uppercase letters, number of downcase letters, number of
numbers in the password, to check the difference between the new and
the old, to store a list of old passwords to check... I mean, things
that are required to enforce some policy of security by my company.
Bottom line? The users can put their username for password! Not even
that is checked...

Is something wrong in my setup or is it a feature request? I see min
password length.. but.. the rest?



This is the important part of my setup:

[global]
#Network ID
   workgroup = JUSBAIRES
   netbios name = PDC
   netbios aliases = SERVER
   server string =

#Logs
   debug level = 0
   syslog = 0
   log level = 0
   log file = /var/log/samba/%m.%U.log
   max log size = 1
   panic action = /usr/share/samba/panic-action %d

#Network Support
   name resolve order = wins hosts lmhosts bcast
   socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE
   wins support = yes
   wins proxy = yes
   enhanced browsing = yes
   dns proxy = yes
   time server = yes
   local master = yes
   smb ports = 139

#LDAP
   ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
   ldap suffix = dc=jusbaires,dc=gov,dc=ar
   ldap group suffix = ou=Group
   ldap user suffix = ou=People
   ldap machine suffix = ou=alem,ou=Computers
   ldap delete dn = no
   ldap passwd sync = yes

#Printer Options
   printcap name = /dev/null
   printing = bsd
   load printers = no

#Security Options
   admin users = administrador lgiacchetta
   enable privileges = yes
   preferred master = yes
   lm announce = yes
   domain master = yes
   domain logons = yes
   encrypt passwords = yes
   pam password change = yes
   passdb backend = ldapsam:"ldap://127.0.0.1 ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar";
   passwd chat debug = no
   check password script = /usr/local/bin/crackcheck -d /var/cache/cracklib/cracklib_dict
   unix charset = 850
   dont descend = .recycle
   delete veto files = yes
   restrict anonymous = 1

#Profiles stuff
   logon script = netlogon.%U.bat
   logon path = \\PDC\profiles\%U
   logon home = \\PDC\personal
   logon drive = H:
   hide files = /Desktop.ini/desktop.ini/
   hide dot files = yes




[Samba] password strenght doubt

2006-12-26 Thread Guido Lorenzutti

Hi people! I have a few problems with the password strength in Samba.
I have a PDC with LDAP on Debian Stable, with a few packages from backports.
The problem is that I can't find a way to enforce strength to the
passwords of the users. I can't define a policy to force things like:
number of uppercase letters, number of downcase letters, number of
numbers in the password, to check the difference between the new and the
old, to store a list of old passwords to check... I mean, things that
are required to enforce some policy of security by my company.
Bottom line? The users can put their username for password! Not even that
is checked...

Is something wrong in my setup or is it a feature request? I see min
password length.. but.. the rest?



This is the important part of my setup:

[global]
#Network ID
   workgroup = JUSBAIRES
   netbios name = PDC
   netbios aliases = SERVER
   server string =

#Logs
   debug level = 0
   syslog = 0
   log level = 0
   log file = /var/log/samba/%m.%U.log
   max log size = 1
   panic action = /usr/share/samba/panic-action %d

#Network Support
   name resolve order = wins hosts lmhosts bcast
   socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY SO_KEEPALIVE
   wins support = yes
   wins proxy = yes
   enhanced browsing = yes
   dns proxy = yes
   time server = yes
   local master = yes
   smb ports = 139

#LDAP
   ldap admin dn = uid=alem-fs2,ou=security,dc=jusbaires,dc=gov,dc=ar
   ldap suffix = dc=jusbaires,dc=gov,dc=ar
   ldap group suffix = ou=Group
   ldap user suffix = ou=People
   ldap machine suffix = ou=alem,ou=Computers
   ldap delete dn = no
   ldap passwd sync = yes

#Printer Options
   printcap name = /dev/null
   printing = bsd
   load printers = no

#Security Options
   admin users = administrador lgiacchetta
   enable privileges = yes
   preferred master = yes
   lm announce = yes
   domain master = yes
   domain logons = yes
   encrypt passwords = yes
   pam password change = yes
   passdb backend = ldapsam:"ldap://127.0.0.1 ldap://alem-ldap.jusbaires.gov.ar ldap://alem-systemlog.jusbaires.gov.ar";
   passwd chat debug = no
   check password script = /usr/local/bin/crackcheck -d /var/cache/cracklib/cracklib_dict
   unix charset = 850
   dont descend = .recycle
   delete veto files = yes
   restrict anonymous = 1

#Profiles stuff
   logon script = netlogon.%U.bat
   logon path = \\PDC\profiles\%U
   logon home = \\PDC\personal
   logon drive = H:
   hide files = /Desktop.ini/desktop.ini/
   hide dot files = yes
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
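
A sketch of a `check password script` that covers the character-class and username-as-password rules asked about in the message above; it is an added example, not part of the original post or of Samba. The script path, the `--check` switch, the optional account-name argument, `MIN_LEN` and the three-of-four-classes rule are all assumptions.

```shell
#!/bin/sh
# Added example: password policy filter for smb.conf "check password script".
# smbd writes the candidate password to stdin; exit status 0 accepts it.
# MIN_LEN, the class rule and the account-name argument are assumptions.

MIN_LEN=8

# count_classes PASSWORD -> prints how many of the four classes
# (lower, upper, digit, other) occur in PASSWORD
count_classes() {
    n=0
    case $1 in *[[:lower:]]*) n=$((n + 1)) ;; esac
    case $1 in *[[:upper:]]*) n=$((n + 1)) ;; esac
    case $1 in *[[:digit:]]*) n=$((n + 1)) ;; esac
    case $1 in *[![:alnum:]]*) n=$((n + 1)) ;; esac
    echo "$n"
}

# check_password PASSWORD [ACCOUNT] -> returns 0 if acceptable, 1 if rejected
check_password() {
    pw=$1
    account=${2:-}
    [ "${#pw}" -ge "$MIN_LEN" ] || return 1
    [ "$(count_classes "$pw")" -ge 3 ] || return 1
    if [ -n "$account" ]; then
        # Case-insensitive: reject passwords that contain the account name
        lpw=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
        lacct=$(printf '%s' "$account" | tr '[:upper:]' '[:lower:]')
        case $lpw in *"$lacct"*) return 1 ;; esac
    fi
    return 0
}

# Entry point when run by smbd, e.g. (hypothetical path and switch):
#   check password script = /usr/local/bin/pwpolicy.sh --check
if [ "${1:-}" = "--check" ]; then
    # The password may arrive without a trailing newline, so ignore read's status
    IFS= read -r candidate || :
    check_password "$candidate" "${2:-}"
    exit $?
fi
```

The script is handed only the new password, so password history and old/new difference checks are outside what it can enforce.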


Re: [Samba] Multi office samba domains

2006-12-26 Thread Robert Schetterer
Asier Baranguán wrote:
> Hi all!
> 
> I've a computer acting as a PDC in a network with Samba+OpenLDAP working
> fairly well in a Debian Sarge for several months (Samba servers, XP
> clients). It's working so well that my company wants to deploy this
> system to all the offices (five offices physically separated).
> 
> Each office has its own peculiarities so each one has to have its own
> domain with shares and so on. But there are some users with special
> requirements:
> 
> + Normal users only access their local domain resources
> 
> + Users from marketing and sales dpt. travel across all the offices and
> it would be great to allow these users to log in at all the offices with the
> _same_ user account and access shares, printers, etc.
> 
> + Some special users must be allowed to remotely access -via
> VPN link- other office shares
> 
> + And "admin" users should be able to access all office shares
> 
> Inter-office communication will be done with some VPN so in theory I can
> have one main LDAP server with all the users, groups, computers and
> domains and replicate them.
> 
> In other words: share all the users and groups between offices but with
> several domains and access policies.
> 
> Can this be done -almost partially-? perhaps with domain trust
> relationships?
> 
> Thanks!
> 
Hi Asier,
this can be done. I did this with BDCs in the offices (LDAP slaves,
Samba) and connected them with OpenVPN.
For traveling users I used pptpd.
But you have to think about a lot of things before you start this:
what the connection quality of the lines the offices use is, how to
implement WINS browsing, and the general network architecture.
If you only want one domain, no trust is needed.
If you want to keep the offices independent, use different domains
and trust them to one another, but I would not recommend it.
You should set up internal DNS with replication, maybe DHCP with relay.
Normally the homes/profiles of the office users reside on their BDCs.
Make different policies for workstations and laptops, because of
profile caching etc.
Think about slow-traffic VPNs; sometimes it makes no sense
to push them printers etc.
The layout follows what you would do with NT Windows servers;
see the examples in the Samba books and FAQs.
It's a lot of work at the start, but then it works very nicely.
I don't know what the timelines are for Samba 4 (Active Directory emulation),
but it should be a little easier then with those setups.
Best Regards



[Samba] Multi office samba domains

2006-12-26 Thread Asier Baranguán

Hi all!

I've a computer acting as a PDC in a network with Samba+OpenLDAP working fairly well in a 
Debian Sarge for several months (Samba servers, XP clients). It's working so well that my 
company wants to deploy this system to all the offices (five offices physically separated).


Each office has its own peculiarities so each one has to have its own domain with shares 
and so on. But there are some users with special requirements:


+ Normal users only access their local domain resources

+ Users from marketing and sales dpt. travel across all the offices and it would be great 
to allow these users to log in at all the offices with the _same_ user account and access 
shares, printers, etc.


+ Some special users must be allowed to remotely access -via VPN link- 
other office shares


+ And "admin" users should be able to access all office shares

Inter-office communication will be done with some VPN so in theory I can have one main 
LDAP server with all the users, groups, computers and domains and replicate them.


In other words: share all the users and groups between offices but with several domains 
and access policies.


Can this be done -almost partially-? perhaps with domain trust relationships?

Thanks!