Re: [Samba] /etc/fstab and windows share problem

2007-03-06 Thread Chris Smith
On Tuesday 06 March 2007, Dariusz Trzaska wrote:
> The problem is with the disk label, as it contains three strings: "My",
> "Book" and "(J)".

Try replacing spaces with "\040".

Chris
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Network name no longer available error on large file write to FAT Shares

2007-03-06 Thread Rupesh Kumar

Hi ,

I am sharing my FAT shares over Samba.

When I copy small files (less than 100MB) everything is fine.

But when I copy large files (>200MB) my Windows machine is getting
busy for some time and I am getting the error "Network name no longer available",
but the file is getting copied properly.


Regards
Kumar


[Samba] Buffalo Terastation with 3.0.23d PDC and LDAP backend?

2007-03-06 Thread Eric Knudstrup
I have my system properly running as a PDC now, but I'm having trouble 
getting one of the machines here to join the domain.
This system is a Buffalo Terastation Pro.  For this system I have to 
create the machine trust account manually.  The domain access fails as 
follows:

[2007/03/06 17:51:44, 2] lib/smbldap.c:smbldap_open_connection(788)
 smbldap_open_connection: connection opened
[2007/03/06 17:51:44, 2] smbd/reply.c:reply_tcon_and_X(711)
 Serving IPC$ as a Dfs root
[2007/03/06 17:51:44, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
 init_sam_from_ldap: Entry found for user: vault1$
[2007/03/06 17:51:44, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
 init_group_from_ldap: Entry found for group: 513
[2007/03/06 17:51:44, 0] rpc_server/srv_netlog_nt.c:get_md4pw(258)
 get_md4pw: Workstation VAULT1$: account is not a trust account
[2007/03/06 17:51:44, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
 _net_auth2: failed to get machine password for account VAULT1$: 
NT_STATUS_NO_TRUST_SAM_ACCOUNT

[2007/03/06 17:51:46, 2] lib/smbldap.c:smbldap_open_connection(788)
 smbldap_open_connection: connection opened
[2007/03/06 17:51:46, 2] smbd/reply.c:reply_tcon_and_X(711)

slapcat returns this for the vault1 account:
dn: uid=vault1$,ou=Computers,dc=,dc=com
uid: vault1$
uidNumber: 1003
homeDirectory: /dev/null
description: Computer
structuralObjectClass: inetOrgPerson
entryUUID: 96c250c8-608e-102b-8430-bb92676cee49
creatorsName: cn=Manager,dc=,dc=com
createTimestamp: 20070307002900Z
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1173227352
sambaLMPassword: 5D28B17651A6D0E4FBDB26A17E21D0C1
sambaNTPassword: 728AF3A1A793361485674B7B2833CEE7
sambaSID: S-1-5-21-3868333197-704855571-3977030669-3006
gecos: Computer
cn: Computer
sn: Computer
loginShell: /bin/false
gidNumber: 513
sambaPrimaryGroupSID: S-1-5-21-2139989288-483860436-2398042574-513
sambaAcctFlags: IW
entryCSN: 20070307013727Z#00#00#00
modifiersName: cn=Manager,dc=,dc=com
modifyTimestamp: 20070307013727Z

I added this account using smbldap-useradd -w -i vault1 and had to 
change the gidNumber to 513 and also set the W sambaAcctFlags value.

Can anyone help?

Thanks,

Eric



Re: [Samba] smbldap-useradd says "Error: modifications require authentication at /usr/lib/perl5/5.8.8/smbldap_tools.pm line 1056."

2007-03-06 Thread Eric Knudstrup

Quoting Michael Heydon <[EMAIL PROTECTED]>:

> Hi Eric,
>
> This line here looks like the interesting bit to me.
>
> Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=3 RESULT tag=103
> err=8 text=modifications require authentication
>
> It looks like the useradd script is doing an anonymous bind, which is
> interesting since you mentioned that you used the populate script which
> should be using the same bind settings. have you reset any passwords?
> changed any acls? I would double check the bind DN and password in the
> smbldap-tools config.

I found that I had the smbldap_bind.conf passwords set to use hashes
instead of the plaintext password.  After I changed that I am able to
add new accounts, although hashed passwords in here would be useful :).
I also found that these scripts (even the latest 0.9.2 ones) are
incapable of using the new sambaDomain object, so I had to set it to
use the previous uidNumber object instead.

I should probably see if I can update openSuSE's wiki for 10.2...

Thanks,

Eric




Re: [Samba] smbldap-useradd says "Error: modifications require authentication at /usr/lib/perl5/5.8.8/smbldap_tools.pm line 1056."

2007-03-06 Thread Edmundo Valle Neto
More or less, it isn't trying to do it anonymously but as you said probably 
is a problem with credentials:

> Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=0 BIND
> dn="cn=Manager,dc=,dc=com" method=128

Binding as the manager but with a strange  in the DN (that is 
repeated in the searches).

> Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=0 RESULT tag=97 err=49
> text=

Then failing with an error 49, bad credentials (dn or password).

Have you configured correctly your smbldap_bind.conf or forgotten to 
configure some option related to the base dn in smbldap.conf?


Regards.

Edmundo Valle Neto


Michael Heydon wrote:

> Hi Eric,
>
> This line here looks like the interesting bit to me.
>
> Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=3 RESULT tag=103
> err=8 text=modifications require authentication
>
> It looks like the useradd script is doing an anonymous bind, which is
> interesting since you mentioned that you used the populate script
> which should be using the same bind settings. have you reset any
> passwords? changed any acls? I would double check the bind DN and
> password in the smbldap-tools config.
>
> Regards,
>
> Michael Heydon
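
The sequence read out of the log in this thread (a BIND answered with err=49, after which the client carries on and its MOD is refused with err=8) can be picked out of slapd logs mechanically. The Python below is an added example, not part of the original messages or of smbldap-tools; the sample log is constructed in the shape of the lines quoted above, with `dc=example,dc=com` and `jdoe` as placeholder values, and `analyze` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample: same shape as the slapd lines quoted in this thread,
# with placeholder DN components and user name. conn=51 is a healthy control.
SAMPLE_LOG = """\
Mar  6 13:59:38 macallan slapd[4731]: conn=50 fd=24 ACCEPT from IP=127.0.0.1:11246 (IP=0.0.0.0:389)
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=0 RESULT tag=97 err=49 text=
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=1 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=jdoe))"
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=3 MOD dn="cn=NextFreeUnixId,dc=example,dc=com"
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=3 MOD attr=uidNumber
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=3 RESULT tag=103 err=8 text=modifications require authentication
Mar  6 13:59:38 macallan slapd[4731]: conn=50 fd=24 closed (connection lost)
Mar  6 13:59:39 macallan slapd[4731]: conn=51 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Mar  6 13:59:39 macallan slapd[4731]: conn=51 op=0 RESULT tag=97 err=0 text=
Mar  6 13:59:39 macallan slapd[4731]: conn=51 op=1 MOD dn="cn=NextFreeUnixId,dc=example,dc=com"
Mar  6 13:59:39 macallan slapd[4731]: conn=51 op=1 RESULT tag=103 err=0 text=
"""

STRONGER_AUTH_REQUIRED = 8   # LDAP resultCode strongerAuthRequired
WRITE_VERBS = {"ADD", "DEL", "MOD", "MODRDN"}

LINE_RE = re.compile(r"conn=(\d+) op=(\d+) (\S+)(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')


def analyze(log_text):
    """Return connections where a bind failed and a later write was refused."""
    conns = defaultdict(lambda: {"pending": {}, "bound_as": None,
                                 "failed_binds": [], "refused": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ACCEPT/closed lines carry no op= and are not needed
        conn, op = int(m.group(1)), int(m.group(2))
        verb, rest = m.group(3), m.group(4)
        if verb == "SEARCH" and rest.lstrip().startswith("RESULT"):
            verb = "RESULT"
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        state = conns[conn]
        if verb == "BIND" or verb in WRITE_VERBS:
            if "dn" in fields:  # "MOD attr=..." continuation lines have no dn
                state["pending"][op] = (verb, fields["dn"])
        elif verb == "RESULT":
            request = state["pending"].pop(op, None)
            if request is None:
                continue  # result of a search or another untracked operation
            kind, dn = request
            err = int(fields.get("err", "0"))
            if kind == "BIND":
                if err == 0:
                    state["bound_as"] = dn
                else:
                    # A failed bind leaves the LDAP session anonymous.
                    state["bound_as"] = None
                    state["failed_binds"].append({"dn": dn, "err": err})
            elif err == STRONGER_AUTH_REQUIRED and state["bound_as"] is None:
                state["refused"].append({"op": kind, "dn": dn})
    return [
        {"conn": conn,
         "failed_bind_dn": st["failed_binds"][-1]["dn"],
         "bind_err": st["failed_binds"][-1]["err"],
         "refused_writes": st["refused"]}
        for conn, st in sorted(conns.items())
        if st["failed_binds"] and st["refused"]
    ]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A hit means the client's configured bind DN or password was rejected and it went on to write anonymously, which is the case to check the smbldap-tools bind settings for.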




Re: [Samba] smbldap-useradd says "Error: modifications require authentication at /usr/lib/perl5/5.8.8/smbldap_tools.pm line 1056."

2007-03-06 Thread Michael Heydon

Hi Eric,

This line here looks like the interesting bit to me.


Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=3 RESULT tag=103 
err=8 text=modifications require authentication
It looks like the useradd script is doing an anonymous bind, which is 
interesting since you mentioned that you used the populate script which 
should be using the same bind settings. have you reset any passwords? 
changed any acls? I would double check the bind DN and password in the 
smbldap-tools config.


Regards,

Michael Heydon


Re: [Samba] samba problems. accounts expire after a hour, but work after reset

2007-03-06 Thread Edmundo Valle Neto

Collen Blijenberg wrote:

> Thx Felipe, after a week debugging, i found the problem!!
>
> there was a mix up with SID's. i had 5 machines and username with the
> same SID including the PDC.

Would be a nice thing if you discover why that happened. Samba generates 
the RID part of the SID algorithmically (1000 + (2 x uid) for user 
accounts, and 1001 + (2 x gid) for groups), if the uid is different in 
these accounts the RID should be different too.

> but there is something funny where i need some help with,
>
> if i make a new user or machine account, samba generate the SID
> automatically.
>
> i saw, that my server doesn't look at existing SID's.

No it doesn't, that's right. It's not needed, calculating RIDs that way 
will not make clashes.

> how can i let samba make SID's after a specified number ??
> my problem at the moment is that if i make a new user, samba generate
> an existing SID, and therefore trouble arise!

Well, normally it will not make clashes, unless you already have a base 
with SIDs calculated, who knows how.
You can change the "algorithmic rid base" option that defaults to 1000 
to another value raising the values that will make RIDs. (if you have 
unmapped accounts, it will have their SIDs changed too, as the algorithm 
will be different, if I remember right in samba 3.0.23c there's some 
changes about that).

In some distributions, you can raise the uid/gids range. That way would 
make higher RIDs be generated too. :)

> example: current last SID in user database:
> S-1-5-21-1968991162-2130249723-1959552931-5462
> if i make a new user samba will use:
> S-1-5-21-1968991162-2130249723-1959552931-5410

Do you use a database server to store your samba users right? Well, I 
never used it, I don't know how exactly it stores information. As I 
don't know how do you have created your accounts or how much have you 
messed with them. Normally uids are not reused in posix accounts and 
samba user/group accounts picks up even/odd RID numbers, not making that 
probably future clash as you are seeing. :)

> so basically it's all about the last 4 digits!
> can i alter a .tdb file ??? (if so which one??)

I can't say that you can't, there's some tools that dump/change/add/etc 
contents of .tdb files, you can even dump them and grep to find where's 
the information that you are looking for, but keep in mind that probably 
you will mess up with any reference to the SID being changed (being it 
ACLs, profiles, or whatever).

The last time that I blew up my base with repeated SIDs (took me a 
while to discover why users were getting permissions that they 
shouldn't, it was the first time I used an LDAP base importing the old 
base and I changed the code that make the SIDs in the scripts that 
creates the accounts) I deleted all these accounts, raised the base RID, 
recreated them and changed permissions with shell scripts.

> all i like is samba to start making SID's after that -5462 number !!!
>
> Cheers, Collen

...

[cut]


I hope it helps.

Regards.

Edmundo Valle Neto
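
The RID formula given in the reply above (1000 + 2 x uid for users, 1001 + 2 x gid for groups, with 1000 being the default "algorithmic rid base") can be turned into an audit for the duplicate-SID situation this thread describes. This Python code is an added example, not from the original messages or from Samba; the domain SID and account list are constructed, and all function names are hypothetical.

```python
from collections import defaultdict

DEFAULT_RID_BASE = 1000  # default "algorithmic rid base", as stated in the reply


def user_rid(uid, base=DEFAULT_RID_BASE):
    """RID for a user account: base + 2 * uid (even when the base is even)."""
    return base + 2 * uid


def group_rid(gid, base=DEFAULT_RID_BASE):
    """RID for a group: base + 1 + 2 * gid (odd when the base is even)."""
    return base + 1 + 2 * gid


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, integer RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def audit_accounts(accounts, domain_sid, base=DEFAULT_RID_BASE):
    """Flag shared SIDs, SIDs from another domain, and RIDs that do not
    match the algorithmic mapping for the account's uid."""
    by_sid = defaultdict(list)
    foreign, non_algorithmic = [], []
    for acct in accounts:
        by_sid[acct["sid"]].append(acct["name"])
        domain, rid = split_sid(acct["sid"])
        expected = user_rid(acct["uid"], base)
        if domain != domain_sid:
            foreign.append(acct["name"])
        elif rid != expected:
            non_algorithmic.append((acct["name"], rid, expected))
    duplicates = {sid: names for sid, names in by_sid.items() if len(names) > 1}
    return {"duplicates": duplicates,
            "foreign_domain": foreign,
            "non_algorithmic": non_algorithmic}


def base_clearing(highest_rid, lowest_new_uid):
    """Smallest even base for which a new account with uid >= lowest_new_uid
    gets a RID above highest_rid. Keeping the base even (a choice made for
    this example) preserves the even/odd split between users and groups."""
    needed = highest_rid - 2 * lowest_new_uid + 1
    base = max(DEFAULT_RID_BASE, needed)
    return base + (base % 2)


# Constructed sample data (not taken from any real domain).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
ACCOUNTS = [
    {"name": "alice", "uid": 500, "sid": DOMAIN + "-2000"},
    {"name": "bob", "uid": 501, "sid": DOMAIN + "-2002"},
    {"name": "ws01$", "uid": 600, "sid": DOMAIN + "-2002"},   # clashes with bob
    {"name": "carol", "uid": 2205, "sid": DOMAIN + "-5410"},
    {"name": "imported", "uid": 700, "sid": "S-1-5-21-9-9-9-2400"},
]

if __name__ == "__main__":
    report = audit_accounts(ACCOUNTS, DOMAIN)
    for key, value in report.items():
        print(key, value)
    # Thread's numbers: highest existing RID 5462, new account came out as 5410.
    print("base needed:", base_clearing(5462, 2205))
```

Accounts that share a SID are the same principal to every ACL check, so any entry under `duplicates` needs fixing before permissions can be trusted; changing the base also changes the SIDs of unmapped accounts, as the reply notes.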


[Samba] Shares losing group entries

2007-03-06 Thread Mostro Mostro

Hello,

This is my first post to this list. I just spent the last day and a half
building a Samba server for our corporate network. Our Windows file
server crashed so I stepped up and decided to go with Samba 3.023d on
Suse 10.2.

Anyway, I am using Winbindd to control access.  The problem I am
currently faced with has to do with security permissions sticking to
the share. From the Windows MMC I right click the share, go to the
security tab, select advanced and try to assign the "Domain Users"
group and a few others. After clicking ok all the way through I go
back in to verify and see my groups have been replaced with SIDs.

[relevant portion of smb.conf]

[global]

  workgroup = CAPRI
  netbios name = VENENCIA
  realm = BAMBINO.COM 
  server string = File Server
  security = ADS
  encrypt passwords = yes
  log level = 5
  log file = /var/log/samba/%m
  max log size = 1000
  wins server = 10.20.1.2
  idmap uid = 2 - 3
  idmap gid = 2 - 3
  interfaces = eth0
  bind interfaces only = yes
  enable privileges = yes

[shared]
  comment = Shared (temporary storage)
  path = /community/shared
  read only = no
  store dos attributes = yes
  nt acl support = yes
  map acl inherit = yes
  inherit acls = yes
  valid users = @"CAPRI\Domain Users"

[directory for shared]

drwxrwxrwx+ 2 CAPRI\root CAPRI\domain users 4.0K 2007-03-05 20:59
shared

Thanks


[Samba] samba + kerberos

2007-03-06 Thread Chechu

hey,

I read something about samba can use kerberos password from an external
kdc using pam...
someone knows how can do it

thanks


[Samba] samba profiles and homes

2007-03-06 Thread Chechu

hi,

I like my homes and profiles don't do roaming...i mean work directly to
the server...I have a pdc in samba over ldap...and i want winxp mount
the units in net for homes and profiles and work over them instead
download at first and upload and the end of session...someone know how
can i do...

thanks


[Samba] /etc/fstab and windows share problem

2007-03-06 Thread Dariusz Trzaska

Hi,
I've got a problem with samba and /etc/fstab.
I have a second computer running Windows XP SP2 with Western Digital 
MyBook USB2 external hard disk attached. The Disk is shared over windows 
network with a label "My Book (J)".
I can manually mount this samba resource by typing "sudo mount -t smbfs 
-o fmask=777,dmask=777,guest '//win/My Book (J)' /media/MyBook", but I 
can't figure out how to mount it by using fstab...
The problem is with the disk label, as it contains three strings: "My", 
"Book" and "(J)".


I tried:
//win/My Book (J) /media/MyBook smbfs guest,dmask=777,fmask=777 0 0
and
'//win/My Book (J)' /media/MyBook smbfs guest,dmask=777,fmask=777 0 0

I also tried replacing ' with " but nothing has changed.

PS. Windows doesn't allow me to share the disk with one-word label... 
the ... (J) is always there.


Plz someone help me,
SaneOne


[Samba] smbldap-useradd says "Error: modifications require authentication at /usr/lib/perl5/5.8.8/smbldap_tools.pm line 1056."

2007-03-06 Thread Eric Knudstrup
I'm trying to get Samba 3.0.23d set up to run as a PDC on SuSE 10.2.  
I'm getting *very* close, but I have one small issue.

I can't add users.  When I run:
smbldap-useradd -a  -m

I get the following in the messages file:
Mar  6 13:59:38 macallan slapd[4731]: conn=50 fd=24 ACCEPT from IP=127.0.0.1:11246 (IP=0.0.0.0:389)
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=0 BIND dn="cn=Manager,dc=,dc=com" method=128
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=0 RESULT tag=97 err=49 text=
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=1 SRCH base="dc=<DOMAIN>,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=))"
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=2 SRCH base="cn=NextFreeUnixId,dc=,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=3 MOD dn="cn=NextFreeUnixId,dc=,dc=com"
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=3 MOD attr=uidNumber
Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=3 RESULT tag=103 err=8 text=modifications require authentication
Mar  6 13:59:38 macallan slapd[4731]: conn=50 fd=24 closed (connection lost)

Please let me know if anything else is needed.  I can get the "net 
groupmap list" that the populate script added, so I think it's almost there.


Eric


Re: [Samba] Re: Change user IDs on Samba PDC

2007-03-06 Thread Richard Wood

On 5 Mar 2007, at 10:26PM, Marco De Vitis wrote:

> On 05/03/2007 14:23, Felipe Augusto van de Wiel wrote:
>
>> That's a little bit of a "hard guess". Windows can be an
>> wild environment, and profiles can be even wilder. :-)
>
> I know, I know ;).
>
>>> PS: actually, I suppose I could simply delete both Linux and Samba users
>>> and create them again, as long as I know their passwords or inform the
>>> "human" users that they have to enter a new password... but what happens
>>> to their roaming profiles? Are they completely lost? Can't I reuse them
>>> by just changing file ownerships?
>>
>> There is a great chance that with new sid the workstation
>> will create a new profile, isn't anything in the Samba Official
>> HOWTO (Desktop Profile Management Chapter) about this?
>
> No, as far as I can tell this situation is not covered there; it
> talks about migrating profiles from a NT PDC, which is somehow
> different, and I'm missing the pieces to link it all together.
> Anyway I see mention of a "profiles" Samba tool which might be
> useful: it changes all occurrences of a SID in a NT registry file.
> But I strongly fear it could break something; it also only appears
> to support NT, which probably means you're in for a headache if you
> use it on XP profiles.
>
> Anyway, I could avoid touching the SID, if I can make the Samba
> users keep their SIDs while changing their Linux UIDs.
> This is the first piece I'm missing: what is the link between Samba
> users and Linux UIDs? What happens if I only change the UIDs? Can't
> I just change some references to them in the Samba database?
>
> PS: uhm, I now also noticed that the pdbedit command has -G and -U
> arguments which should be able to change the user/group SID for a
> user... If the only problem is the new SID, then maybe I could
> simply set it like the old one this way.
>
> Can anyone shed some light on this?


I've just found out you can create a new user on the linux PDC with  
the same name as the user on the Windows domain, copy all of that  
users profile data from "Documents and Settings" from their machine  
to the linux PDC profile/ directory (need to be logged in  
as admin to do this), do a 'chown -R ' on the newly copied  
files (in the profile directory on the linux PDC) and it all "just  
works".


The user logs in and everything they had is there and (seems) to work  
just fine.







Richard



Re: [Samba] samba+ldap: Simu.- login of 2 different users => user rejected

2007-03-06 Thread Tim Boneko
Felipe Augusto van de Wiel wrote:

>   PAM: UNKNOWN PAM ERROR is not something nice to see
> on your logs. 

That's sad but true...

>   Did you already increase the log level of Samba?

I'll check that tomorrow (hopefully).
>   Simultaneously should be interpreted "at the exactly
> same time", or should be interpreted as "a user logs in the
> morning and the same user logs in the afternoon".

They hit the return key at the same second. Found it out when i did some
performance tuning and testing (which showed that the SO_xBUF options
indeed increased it. I'm at 8 MB/sec netto data rate on a 100Mbit net.
Is that acceptable for you?)

>> obey pam restrictions = yes
>> pam password change =   yes
> 
>   You are using PAM, so you really should check
> there, it could be the problem.

OK, I'll try it tomorrow. I'm not sure why these options are set, must
have been me some months ago... darn amateurs...

Many thanks for your hints, i'll let you know the effects!

timbo


[Samba] smbclient -P

2007-03-06 Thread Harve Dearing
Good Morning,
In version 2.x we used smbclient -P in the interface files to print to
printers connected to windows machines. I see that in version 3.x that no
longer works. What is the equivalent command in 3.x?

Thanks

Harve Dearing
Technical Services
VRC Insurance Systems
Phone: 818-707-4295 ext 400
Direct:  818-827-2173



[Samba] problem with 3.0.24.

2007-03-06 Thread sharif islam

This is my setup. I am connecting to a Windows 2003 server. Everything was
working fine with my old setup : 3.0.20b.

krb5-1.6: (I also tried it with krb5-1.5);
./configure --without-tcl --enable-shared
samba-3.0.24:
./configure --with-ads --with-ldap --with-krb5=/usr/local/
smb.conf:
[global]
   netbios name=MACHINE NAME
   workgroup = MYWORKGROUP
   realm = myactivedirectoryrealm
   server string = Samba Server
   security = ADS
   password server = ad.university.edu
   log file = /var/log/samba/log.%m
   name resolve order = wins lmhosts host bcast
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   os level = 0
   preferred master = No
   local master = No
   domain master = No
   dns proxy = No
   wins server = winsa.uiuc.edu, winsb.uiuc.edu
   idmap uid = 1-60
   idmap gid = 1-60
   winbind cache time = 600
   winbind use default domain = Yes
   strict allocate = Yes
   client schannel = no
   winbind enum users = yes
   winbind enum groups = yes
   smb ports = 139

wbinfo -m, wbinfo -t and wbinfo --sequence return what they are supposed
to.

]# ./smbclient -L MACHINENAME -Uuserid [works fine]
Password:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.0.24]

   Sharename       Type      Comment
   ---------       ----      -------
   DSDWEB          Disk      Media Server web share
   IPC$            IPC       IPC Service (Samba Server)
[...]

But when I log in from the windows machine \\machinename, I get the list of
the shares. When I click on the share, I get the password prompt.
log.winbindd:
[2007/03/06 10:28:35, 0] nsswitch/winbindd_util.c:trustdom_recv(268)
 Got invalid trustdom response
[2007/03/06 10:33:13, 0] lib/util_sid.c:string_to_sid(242)
 string_to_sid: Sid S-0-0 is not in a valid format.
[2007/03/06 10:33:13, 0] nsswitch/winbindd_util.c:trustdom_recv(268)
 Got invalid trustdom response
log.smbd:
[2007/03/06 10:23:10, 0] smbd/server.c:main(881)
 standard input is not a socket, assuming -D option
[2007/03/06 10:33:07, 0] smbd/server.c:main(881)
 standard input is not a socket, assuming -D option


[Samba] net send *

2007-03-06 Thread Salatiel Filho

Is there a way to send a message to all domain , like net send * ,
using smbclient ?
Sorry if this message was already answered but google did not help me
to find it.

--
[]'s
Salatiel

"The greatest pleasure of an intelligent person is to play the idiot
  in front of an idiot who plays the intelligent one".


[Samba] Re: Change user IDs on Samba PDC

2007-03-06 Thread Marco De Vitis

On 06/03/2007 14:46, simo wrote:


> Ahh, then you should have no problems, we don't save uids/gids in
> tdbsam, just the username.


That sounds great.
So, the UIDs in pdbedit's output are not read from the Samba database, 
but taken instead at runtime from /etc/passwd?


I mean, quoting the pdbedit manpage:

   -L This option lists all the user accounts present in the users 
database. This option prints  a list of user/uid pairs separated by the 
':' character.


  Example: pdbedit -L

  sorce:500:Simo Sorce
  samba:45:Test User

   -v This  option  enables the verbose listing format. It causes 
pdbedit to list the users in the database, printing out the account 
fields in a descriptive format.


  Example: pdbedit -L -v

  ---
  username:   sorce
  user ID/Group:  500/500
  user RID/GRID:  2000/2001
  Full Name:  Simo Sorce

(Actually, with the current pdbedit I don't see any UIDs with -Lv, I 
only see SIDs; but I still see the Linux UIDs when only using the -L option)



> Unfortunately we do save the gid in the group mapping database, so you
> must be careful with mapped groups, but at most you will have to delete
> and redo the mapping.


No problem here, I have almost no group mappings at all.


> Better to do it with samba stopped imo.


Of course.

>> This would wipe out all of my doubts, but I don't expect it to be SO
>> easy... is it?
>
> Why not? :-)


Because sh*t happens ;).

--
Ciao,
  Marco.



Re: [Samba] samba problems. accounts expire after a hour, but work after reset

2007-03-06 Thread Collen Blijenberg

Thx Felipe, after a week debugging, i found the problem!!

there was a mix up with SID's. i had 5 machines and username with the
same SID including the PDC.

but there is something funny where i need some help with,

if i make a new user or machine account, samba generate the SID
automatically.

i saw, that my server doesn't look at existing SID's.

how can i let samba make SID's after a specified number ??
my problem at the moment is that if i make a new user, samba generate
an existing SID, and therefore trouble arise!

example: current last SID in user database:
S-1-5-21-1968991162-2130249723-1959552931-5462
if i make a new user samba will use:
S-1-5-21-1968991162-2130249723-1959552931-5410

so basically it's all about the last 4 digits!
can i alter a .tdb file ??? (if so which one??)

all i like is samba to start making SID's after that -5462 number !!!

Cheers, Collen


Felipe Augusto van de Wiel wrote:


> On 02/28/2007 10:11 AM, Collen Blijenberg wrote:
>
>> Hello I'm having some strange problems with samba 3.0.23d
>> (PDC) on my FC6
>
> Hi Collen!
>
>> if i start samba, everything works fine, but after an hour
>> or so (some times 2 hours if there is not much traffic)
>> machines and user accounts start expiring.
>>
>> i don't know why, but it is ?! after i do a restart, samba
>> comes up and works again.
>> i checked the mysql server (coz' i use pdb-sql as backend)
>> but the sql query's get executed and value's are returned.
>> (even if goes into bug-mode) so that part works ok!, all i
>> can think of is that tdb files get corrupted ??
>
> That's strange. Are you using Policy for your domain?
> Like the length of the password, time before user can change
> password and so on.
>
>> the funny part is that i also have a BDC running the same
>> samba version and sql version, and that one has no prob's
>> at all (only the smb.conf is differed and the netbios name)
>> but on the counter part, the bdc isn't really doing anything,
>> it's not serving shares or printers actively..
>>
>> some input would be nice, coz' i really have no idea where
>> to look... ???
>
> Can you provide logs when your server is working? That
> could help diagnose the problem.
>
> Kind regards,
>
> --
> Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
> Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
> http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)


RE: [Samba] Duplicate group mappings - which ones to delete?

2007-03-06 Thread Paul Smith
Deleted both groups by sid and everything looks to be working fine.

Thanks Gary, Jerry.
Paul

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 27, 2007 9:03 AM
To: Paul Smith; [EMAIL PROTECTED]
Subject: Re: [Samba] Duplicate group mappings - which ones to delete?


CC'ing back to list for archives.

Paul Smith wrote:

> As you can see, everything looks fine except from the two "parts" group
> mappings and the "users" mapping:
> 
> parts (S-1-5-21-3597458131-155160113-1223051555-132073) -> parts
> parts (S-1-5-21-3597458131-155160113-1223051555-132074) -> parts
> users (S-1-5-21-3597458131-155160113-1223051555-132075) -> users
> 
> From what I remember the "net groupmap cleanup" wouldn't 
> help me here as these are legitimate, but incorrect,
> mappings.  I think I'm happy to delete the "users" mapping
> but don't quite know how to proceed with the
> "parts" duplicates.

Yup.  You are correct.  'net groupmap cleanup' won't help.
but a

  $ net groupmap delete \
  sid=S-1-5-21-3597458131-155160113-1223051555-132074

Should do the trick.






cheers, jerry


Re: [Samba] "rec_read bad magic" error when printing... again

2007-03-06 Thread Volker Lendecke
On Tue, Mar 06, 2007 at 01:54:37PM +0100, Yves Glodt wrote:
> > If this really happens often to you, then you have some
> > basic problems with your setup.
> 
> The setup is a stock Ubuntu 6.06, using only ubuntu packages.
> I have 25 servers and it happens about once a week in total.
> (This might not sound like a lot, but it creates a support ticket on each 
> occurrence..)

This error should definitely not happen at all if everything
is running well. This _is_ a bug somewhere. It happens
completely randomly across all servers?

> > Either your hardware is 
> > flaky
> 
> I can not know 100% of course, but apart of the printing problem, the boxes 
> run very well.
> 
> > or your smbd processes tend to crash.
> 
> I never had an smbd crashing so far (AFAIK). Samba version is 3.0.22.

You might not have noticed it, because clients automatically
reconnect. You could have panic messages in the log files.
Did you look there?

> I read somewhere that samba V3 would be able to recreate the tdb while 
> running, but could not find a parameter for that. Is it possible at all?

Not that I'm aware of.

Volker



[Samba] libnss_winbind.so AIX 5.3

2007-03-06 Thread Markus PASCHINGER


Hello, I have been trying for a few days to generate the file libnss_winbind.so
under AIX 5.3 but I do not get it.

My configure looks like:  ./configure --prefix=/usr/local/samba
--with-ads --with-winbind  --with-ldap --with-libsmbcl  --with-pam

When I look into the source/nsswitch directory after the make, I do not
have a libnss_winbind.so.

What am I doing wrong?  Has anyone an idea how I could solve the problem?

I do not find any information on how I could generate the file in another
way.

  Regards
  Markus








Re: [Samba] samba+ldap: Simu.- login of 2 different users => user rejected

2007-03-06 Thread Felipe Augusto van de Wiel

On 03/05/2007 02:02 PM, Tim Boneko wrote:
> Has anybody had this problem before? If not, where should i 
> start digging?

By the logs you sent, definitely PAM. :-)


> I'm running Samba 3.0.24 on Debian stable with slapd-2.2.23 backend.
> smb.conf is attached below.
> When two different users log in at the same moment, the login process
> seems to freeze for a minute and the client (win2k) complains about
> missing profile or missing access to profile. A single user login works
> perfectly.
> 
> The log.smbd contains this:
> 
> krake smbd[28474]: [2007/03/05 15:06:09, 0]
> auth/pampass.c:smb_pam_account(573)
> krake smbd[28474]:   smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during
> Account Management for User: ws13
> krake smbd[28474]: [2007/03/05 15:06:09, 0]
> auth/pampass.c:smb_pam_accountcheck(781)
> krake smbd[28474]:   smb_pam_accountcheck: PAM: Account Validation
> Failed - Rejecting User ws13!

PAM: UNKNOWN PAM ERROR is not something nice to see
in your logs. By the description of the problem, I would
say that the attempt to access the profile (especially if it is
a big one) could lead to RO/RW problems, but I'm not sure,
that's just MHO.


> Nothing interesting in auth.log and the same message in 
> syslog (where slapd logs to).
> I don't know if this is a samba issue or ldap or network...

It seems something in the middle. ;)

Did you already increase the log level of Samba?


> Any suggestions are highly welcome. We've got 20+ clients and users
> typically log in simultaneously.

Should "simultaneously" be interpreted as "at exactly the
same time", or as "a user logs in in the
morning and the same user logs in in the afternoon"?



>   timbo
> 
> smb.conf:

[...]
> obey pam restrictions = yes
> pam password change =   yes

You are using PAM, so you really should check
there, it could be the problem.


> socket options =IPTOS_LOWDELAY SO_SNDBUF=32768 SO_RCVBUF=32768

Are you aware that under kernel 2.6.x you
can have a better network performance if you remove
SO_SNDBUF and SO_RCVBUF?


> [netlogon]
> path = /ghswa/home/netlogon
> write list = supervisor
> browseable = yes
> 
> [profiles]
> path = /ghswa/home/%u
> writeable = yes
> write list = %u
> browseable = no

Maybe you should try 'csc policy = disable' and maybe
'profile acls' can help you on this one.


Kind regards,

--
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)


Re: [Samba] Re: Change user IDs on Samba PDC

2007-03-06 Thread simo
On Tue, 2007-03-06 at 09:18 +0100, Marco De Vitis wrote:
> On 06/03/2007 0:35, simo wrote:
> 
> >>> HOWTO (Desktop Profile Management Chapter) about this?
> >>
> >> No, as far as I can tell this situation is not covered there; it talks 
> >> about migrating profiles from a NT PDC, which is somehow different, and 
> >> I'm missing the pieces to link it all together.
> > 
> > You are missing the fact it is the same thing :-)
> 
> Hi Simo! :)
> 
> Well... maybe it is the same thing conceptually, but surely it is not 
> from a practical point of view, e.g. "On your NT4 domain controller, 
> right-click on My Computer, then select Properties, then the tab labeled 
> User Profiles" hardly suits a Samba PDC ;).
> 
> Moreover, my main purpose is not the migration of profiles from a server 
> to a second one: I just want to "fix" UIDs on a server. I don't even 
> know if some kind of migration will be needed for this, that's why I'm 
> asking.

Ahh, then you should have no problems, we don't save uids/gids in
tdbsam, just the username.
Unfortunately we do save the gid in the group mapping database, so you
must be careful with mapped groups, but at most you will have to delete
and redo the mapping.

> > Why can't you just keep your original tdbsam/ldap database of users,
> > along with your PDC name and the secrets.tdb file ?
> 
> Can I?
> Are you saying I can change the Linux UIDs, and Samba will continue 
> working without a hitch with the same configuration and user database as 
> before?

Better to do it with samba stopped imo.

> This would wipe out all of my doubts, but I don't expect it to be SO 
> easy... is it?

Why not? :-)

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



[Samba] strange problem with share access

2007-03-06 Thread Roland_Lepper




I'm testing an NT4-style Samba PDC with a Samba member server joined to the domain and another
test machine on Windows 2000.
I've set up the PDC and the Samba member server. The member server joined the Samba PDC, and wbinfo -u
and wbinfo -g are working.

I created a share on the member server:

[test]
comment = test share
path = /export/test
valid users = testuser1
guest ok = no
writeable = yes

drwxrwxrwx  2 testuser1 root 48 Mar 6 12:56 test

I restarted samba to activate this new share.
When I log in as testuser1 on the Windows machine and want to access the test share, it gives me a
popup saying that I have to specify a login and password to log in and access the share.
This is strange because the permissions on the folder are 777 and in smb.conf I specified testuser1
to access the share.
It doesn't matter what login I try, I can't access the share.

any help is appreciated.

Thanks in advance


Best Regards,
Roland de Lepper


Re: [Samba] "rec_read bad magic" error when printing... again

2007-03-06 Thread Yves Glodt
On Tuesday 06 March 2007 11:01, Volker Lendecke wrote:
> On Tue, Mar 06, 2007 at 10:02:35AM +0100, Yves Glodt wrote:
> > some of my servers regularly come up with this error, which makes
> > printing over samba impossible:
> >
> > Mar  6 09:06:44 server smbd[4431]: [2007/03/06 09:06:44, 0]
> > tdb/tdbutil.c:tdb_log(772)
> > Mar  6 09:06:44 server smbd[4431]:
> > tdb(/var/cache/samba/printing/printer.tdb): rec_read bad magic 0xd9fee666
> > at offset=22796
>
> If this really happens often to you, then you have some
> basic problems with your setup.

The setup is a stock Ubuntu 6.06, using only ubuntu packages.
I have 25 servers and it happens about once a week in total.
(This might not sound like a lot, but it creates a support ticket on each 
occurrence..)

> Either your hardware is 
> flaky

I can not know 100% of course, but apart from the printing problem, the boxes 
run very well.

> or your smbd processes tend to crash.

I never had an smbd crashing so far (AFAIK). Samba version is 3.0.22.

> If you happen to  
> use reiserfs for /var/cache/samba you might try to change
> that fs to ext3.

All my partitions are ext3, /var being on a separate one as well.

Is it worth increasing the loglevel, or is there anything else I can 
watch for?

I read somewhere that samba V3 would be able to recreate the tdb while 
running, but could not find a parameter for that. Is it possible at all?

yves

> Volker


[Samba] SSO group / map problem

2007-03-06 Thread stef vetter

Hello list,

I'm using samba/winbind (rhel4, samba-3.0.10, w2k-dc) for single sign
on for windows users.

When logged on to the linux machine they run an application, which
checks if the user has the same group rights (the application has a local
Unix user/group "app", so the windows user should also be a member of
this group).

I've tried with group mapping (map "app" to "domain-users"), but it didn't work.
While reading the howto it looks to me as if group mapping is for
integrating unix into windows. I need it the other way. Did I get
something wrong?

thx for your help!
kind regards, stef.


[Samba] win2003 AD to samba ldap pdc migration

2007-03-06 Thread Cardon Denis

Hi all,

I just wanted to check a detail with you all: is it possible to 
convert/migrate win2003 ADS accounts (user and machine) to samba ldap PDC 
accounts?


I know the AD stuff is planned for samba4, and that the authentication 
infrastructure is quite different (SAM base vs. kerberos/ldap). However, 
since it is possible to activate NT4 compatibility in AD, I was wondering 
if there was enough information in the AD that can be transferred into 
samba3 in order to avoid recreating all the user/machine accounts?


Cheers,

Denis

--
Denis Cardon
Tranquil IT Systems
10 rue du Docteur Bouchard
49400 Saumur
http://www.tranquil-it-systems.fr




[Samba] SambaNextRid, SambaPrimaryGroupSid.

2007-03-06 Thread emmanuel musso
Hello All

With Samba 3.0.24 with ldap backend, what can I do to use the algorithm "rid =
2*uid + 1000" when samba creates the samba attributes (sambasid) of a computer
account, instead of SambaNextRid from the SambaDomainName entry?
Is samba able to create SambaPrimaryGroupSid (with rid = 515) with the other samba
attributes?
Why has the 3.0.22 -> 3.0.23 upgrade modified those two?

thanks, regards

P.S. I've already posted this on the list


-- 
Emmanuel musso
technicien informatique
I.U.T. Paul Sabatier
Dépt Génie électrique 0562258241
Service informatique 0562258025








Re: [Samba] "rec_read bad magic" error when printing... again

2007-03-06 Thread Volker Lendecke
On Tue, Mar 06, 2007 at 10:02:35AM +0100, Yves Glodt wrote:
> some of my servers regularly come up with this error, which makes printing 
> over samba impossible:
> 
> Mar  6 09:06:44 server smbd[4431]: [2007/03/06 09:06:44, 0] 
> tdb/tdbutil.c:tdb_log(772)
> Mar  6 09:06:44 server smbd[4431]:   
> tdb(/var/cache/samba/printing/printer.tdb): rec_read bad magic 0xd9fee666 at 
> offset=22796

If this really happens often to you, then you have some
basic problems with your setup. Either your hardware is
flaky or your smbd processes tend to crash. If you happen to
use reiserfs for /var/cache/samba you might try to change
that fs to ext3.

Volker



[Samba] "rec_read bad magic" error when printing... again

2007-03-06 Thread Yves Glodt
Hello,

some of my servers regularly come up with this error, which makes printing 
over samba impossible:

Mar  6 09:06:44 server smbd[4431]: [2007/03/06 09:06:44, 0] 
tdb/tdbutil.c:tdb_log(772)
Mar  6 09:06:44 server smbd[4431]:   
tdb(/var/cache/samba/printing/printer.tdb): rec_read bad magic 0xd9fee666 at 
offset=22796

Searching mailing lists, I just found the "solution" to stop samba, delete the 
tdb file, and restart it.

I am in charge of 25 servers of this kind and would be happy for a 
more "professional" solution to this... :-)

Is there any... ?

Otherwise I guess I will set up a cronjob to remove the file on a nightly 
basis... :-| Please tell me there is a better way :-)


best regards,
Yves


[Samba] Re: Samba 3.0.24 ported to OS/2 - a couple of problems

2007-03-06 Thread Paul Smedley
Hi Jeremy,

On Tue, 6 Mar 2007 00:59:33 UTC, Jeremy Allison <[EMAIL PROTECTED]> wrote:

> On Thu, Mar 01, 2007 at 03:35:57AM +, Paul Smedley wrote:
> > Hi all,
> > 
> > I've recently managed to compile Samba v3.0.24 for OS/2 and have 
> > debugged most of the issues.
> > 
> > The positive is that relatively few source changes were required to 
> > get the daemon working, however, having said that, there are two 
> > problems that I'm still having trouble with.
> 
> Can we see the patch ? It'd be interesting to see what
> you had to change.

Why certainly, http://smedley.info/samba-3.0.25pre1-os2.patch

Incidentally, I solved the problem with display of umlauts and other 
such characters by changing the default codepage from UTF-8 to SYSTEM.

-- 
Cheers,

Paul.



Re: Fwd: [Samba] Changing LDAP password from Windows XP

2007-03-06 Thread Asier Baranguán

Daniel Müller wrote:


Oops! Fat fingers come again! The ACLs were bad (exactly the 2nd and 3rd ACL).

These are the correct ACLs (I don't use the 'smbldap-tools' user):

 > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Added 'shadowLastChange' to avoid some warnings with libpam-unix2
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange
   by dn="cn=samba,ou=DSA,dc=example,dc=org" write
   by dn="cn=nssldap,ou=DSA,dc=example,dc=org" write
   by self write
   by anonymous auth
   by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
 by dn="cn=samba,ou=DSA,dc=example,dc=org" write
 by * read

# Users can change some attributes of their profile
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname,mail
   by dn="cn=samba,ou=DSA,dc=example,dc=org" write
   by self write
   by users read
   by * none

# some attributes need to be writable for samba
access to attrs=cn,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
   by dn="cn=samba,ou=DSA,dc=example,dc=org" write
   by self read
   by * none

# samba manages:
# -> Domain accounts
# -> New users
# -> New groups
# -> Machines in the domain
access to dn.base="dc=example,dc=org"
   by dn="cn=samba,ou=DSA,dc=example,dc=org" write
   by * none
access to dn="ou=Users,dc=example,dc=org"
   by dn="cn=samba,ou=DSA,dc=example,dc=org" write
   by * none
access to dn="ou=Groups,dc=example,dc=org"
   by dn="cn=samba,ou=DSA,dc=example,dc=org" write
   by * none
access to dn="ou=Computers,dc=example,dc=org"
   by dn="cn=samba,ou=DSA,dc=example,dc=org" write
   by * none

access to *
   by * read
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
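
slapd applies the first `access to` clause whose target matches and, inside it, the first matching `by` clause, so the position of the catch-all `access to * by * read` decides whether the password attributes stay protected. The following Python check is an added example, not part of the original post: the ACL text is a constructed, shortened version of the rules above, the requester DN is made up, and `dn=` targets and regex styles are not modelled.

```python
import re

# Constructed sample: first and last rules from the post, attribute lists shortened.
ACL_AS_POSTED = '''
# password material
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
   by dn="cn=samba,ou=DSA,dc=example,dc=org" write
   by self write
   by anonymous auth
   by * none
access to attrs=uid,uidNumber,gidNumber
   by * read
access to *
   by * read
'''
SECRETS = ("userPassword", "sambaNTPassword", "sambaLMPassword")
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ANON = {"dn": None}                                        # unauthenticated bind
OTHER_USER = {"dn": "uid=alice,ou=Users,dc=example,dc=org", "is_self": False}  # constructed

def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)               # drop comment lines
    rules = []
    for chunk in re.split(r"(?m)^\s*access\s+to\s+", text)[1:]:
        what = chunk.split()[0]
        rules.append((what, re.findall(r"\bby\s+(\S+)\s+(\w+)", chunk)))
    return rules

def who_matches(who, req):
    """Match one <who> field against a requester (exact DN compare is a simplification)."""
    if who == "*":
        return True
    if who == "anonymous":
        return req["dn"] is None
    if who == "users":
        return req["dn"] is not None
    if who == "self":
        return req["dn"] is not None and req.get("is_self", False)
    m = re.fullmatch(r'dn(?:\.\w+)?="?([^"]*)"?', who)
    return bool(m) and req["dn"] is not None and m.group(1).lower() == req["dn"].lower()

def effective_access(rules, attr, req):
    """First matching 'access to' wins; inside it, the first matching 'by' wins."""
    for what, by in rules:
        if what == "*":
            hit = True
        elif what.startswith(("attrs=", "attr=")):
            hit = attr.lower() in what.split("=", 1)[1].lower().split(",")
        else:
            continue                                       # dn= targets not modelled
        if hit:
            for who, level in by:
                if who_matches(who, req):
                    return level
            return "none"                                  # implicit "by * none"
    return "none"                                          # implicit "access to * by * none"

def exposed_secrets(rules, req):
    """Password attributes the requester can read (level 'read' or higher)."""
    floor = LEVELS.index("read")
    return [a for a in SECRETS if LEVELS.index(effective_access(rules, a, req)) >= floor]

if __name__ == "__main__":
    rules = parse_acl(ACL_AS_POSTED)
    misordered = rules[-1:] + rules[:-1]                   # catch-all moved to the top
    for label, r in (("as posted", rules), ("catch-all first", misordered)):
        print(label, "-> anonymous can read:", exposed_secrets(r, ANON))
```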

[Samba] Specify profile type per user

2007-03-06 Thread Matthias Kellermann

Hi all,

currently I'm working on the migration from a NT4 PDC to a Samba PDC.

Some users have roaming profiles, some have local profiles. Is there a 
way to specify the profile type per user on the Samba machine?


Thanks and best regards,
Matthias Kellermann
--

Re: Fwd: [Samba] Changing LDAP password from Windows XP

2007-03-06 Thread Asier Baranguán

Daniel Müller wrote:


Here is a copy of my smb.conf:


You can accomplish this in two ways: using a password change script ala 'smbldap-passwd' 
or using the Samba goodies. I assume you have the appropriate group mappings between your 
linux server and your windows workstations:


[EMAIL PROTECTED] ~ # net groupmap list
Domain Admins (S-1-5-21-2958930118-1012938775-211482674-512) -> Domain Admins
Domain Users (S-1-5-21-2958930118-1012938775-211482674-513) -> Domain Users
Domain Guests (S-1-5-21-2958930118-1012938775-211482674-514) -> Domain Guests
Domain Computers (S-1-5-21-2958930118-1012938775-211482674-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
[EMAIL PROTECTED] ~ #

My relevant Samba lines are these:

> - [ /etc/samba/smb.conf ] - - - - - - - - - - - - - - - - - - - - - -

[ ... ]

enable privileges = yes
obey pam restrictions = yes
pam password change = no

ldap passwd sync = yes
ldap delete dn = yes
ldap suffix = dc=example,dc=org
ldap admin dn = cn=samba,ou=DSA,dc=example,dc=org
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap

# Uncomment if you use TLS
#ldap ssl = start_tls
passdb backend = ldapsam:ldap://ldap.example.org/
idmap backend = ldap:ldap://ldap.example.org/

# Scripts
add user script = /usr/sbin/smbldap-useradd -m -a "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If you use LDAP as your backend, make sure your ACLs work well. I followed the IDEALX HOWTO 
and found that if I didn't add 'access to * by * read' as the last line of the ACLs, the LDAP 
password synchronization didn't work well.


These are my ACLs:

> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Added 'shadowLastChange' to avoid some warnings with libpam-unix2
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange
  by dn="cn=samba,ou=DSA,dc=example,dc=org" write
  by dn="cn=nssldap,ou=DSA,dc=example,dc=org" write
  by self write
  by anonymous auth
  by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,homeDirectory,uid,uidNumber,gidNumber,memberUid
by dn="cn=samba,ou=DSA,dc=example,dc=org" write
by * read

access to attrs=entry
by dn="cn=samba,ou=DSA,dc=example,dc=org" write
by users read
by * none

# Users can change some attributes of their profile
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname,mail
  by dn="cn=samba,ou=DSA,dc=example,dc=org" write
  by self write
  by users read
  by * none

# some attributes need to be writable for samba
access to attrs=cn,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
  by dn="cn=samba,ou=DSA,dc=example,dc=org" write
  by self read
  by * none

# samba manages:
# -> Domain accounts
# -> New users
# -> New groups
# -> Machines in the domain
access to dn.base="dc=example,dc=org"
  by dn="cn=samba,ou=DSA,dc=example,dc=org" write
  by * none
access to dn="ou=Users,dc=example,dc=org"
  by dn="cn=samba,ou=DSA,dc=example,dc=org" write
  by * none
access to dn="ou=Groups,dc=example,dc=org"
  by dn="cn=samba,ou=DSA,dc=example,dc=org" write
  by * none
access to dn="ou=Computers,dc=example,dc=org"
  by dn="cn=samba,ou=DSA,dc=example,dc=org" write
  by * none

access to *
  by * read
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

And don't forget to adjust your PAM settings (install libpam-ldap or similar package) to 
allow users to change their password with the passwd command:


> - [ /etc/samba/smb.conf ] 

[Samba] Re: Change user IDs on Samba PDC

2007-03-06 Thread Marco De Vitis

On 06/03/2007 0:35, simo wrote:


HOWTO (Desktop Profile Management Chapter) about this?

>>
No, as far as I can tell this situation is not covered there; it talks 
about migrating profiles from a NT PDC, which is somehow different, and 
I'm missing the pieces to link it all together.


You are missing the fact it is the same thing :-)


Hi Simo! :)

Well... maybe it is the same thing conceptually, but surely it is not 
from a practical point of view, e.g. "On your NT4 domain controller, 
right-click on My Computer, then select Properties, then the tab labeled 
User Profiles" hardly suits a Samba PDC ;).


Moreover, my main purpose is not the migration of profiles from a server 
to a second one: I just want to "fix" UIDs on a server. I don't even 
know if some kind of migration will be needed for this, that's why I'm 
asking.


strongly fear it could break something; it also only appears to support 
NT, which probably means you're in for a headache if you use it on XP 
profiles.


profiles are the same on all machines the registry format has not change
afaik.


"AFAIK" is the problem here ;).


Why can't you just keep your original tdbsam/ldap database of users,
along with your PDC name and the secrets.tdb file ?


Can I?
Are you saying I can change the Linux UIDs, and Samba will continue 
working without a hitch with the same configuration and user database as 
before?
This would wipe out all of my doubts, but I don't expect it to be SO 
easy... is it?

I'm using tdbsam BTW.

--
Ciao,
  Marco.
