Re: [Samba] pdc configuration

2007-03-24 Thread Paul Matthews
I have a how-to on my website http://www.opensourcehowto.org
for setting up samba as a primary domain controller (PDC); maybe your
answer will be there.

OpenLDAP LAM Samba as PDC
http://www.opensourcehowto.org/how-to/samba/openldap-lam-samba-as-pdc.html

and if you're feeling a little bit more adventurous later on you could try
getting into the policies with samba

Samba Primary Domain Controller with Group Policies
http://www.opensourcehowto.org/how-to/samba/samba-primary-domain-controller-with-group-policies.html

>> Of course you don't need that to join the machine into the domain (you just
>> need root and its smbpassword). But last year when I started creating a PDC
>> (samba-3.0.20b-3.3) with LDAP backend (of course it has nothing to do with
>> LDAP), I found out that I could not login into the computer (the domain).
>> But after I'd configure that Domain member matters, I could. It was even
>> stated in samba.org tutorial, if I'm not mistaken, but they prefer changing
>> the registry.
>
> If you had to change that registry setting with version 3 of Samba, then
> you had something else wrong in your setup (probably ldap related)
> causing that problem. According to Andrew Bartlett, this has never been
> required for any released version of Samba3.
>
> In fact, apparently this is a major security risk to your network to
> disable this setting:
>
> http://lists.samba.org/archive/samba/2005-November/113748.html
>
> This workaround hasn't been needed for a long time, although I don't
> recall the specific version that fixed the need for it.
>
> --
>
> Best regards,
>
> Charles
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>


-- 
OpenSourceHowTo.org
http://www.opensourcehowto.org/

Wiki.OpenSourceHowTo.org
http://wiki.opensourcehowto.org/

My ServerSetup Scripts
http://evilperson85.110mb.com

Please Support OpenSourceHowTo.org
http://www.opensourcehowto.org/how-to/welcome/support-opensourcehowto.org.html


Re: [Samba] error while migrating users to ldap with pdbedit

2007-03-24 Thread Volker Lendecke
On Sat, Mar 24, 2007 at 10:47:25PM +0100, Volker Lendecke wrote:
> > Attached find the patch I checked in as revision 21962.
> 
> This time with patch...

Sorry for the confusion. Something has eaten the patch I did
send the first time before it hit my inbox.

Volker



Re: [Samba] error while migrating users to ldap with pdbedit

2007-03-24 Thread Volker Lendecke
On Sat, Mar 24, 2007 at 10:31:16PM +0100, Volker Lendecke wrote:
> On Wed, Mar 21, 2007 at 08:08:22PM +0100, Volker Lendecke wrote:
> > Give me two or three days and I'll fix it. I'm just really
> > busy right now.
> 
> Attached find the patch I checked in as revision 21962.

This time with patch...

Volker



Re: [Samba] error while migrating users to ldap with pdbedit

2007-03-24 Thread Volker Lendecke
On Wed, Mar 21, 2007 at 08:08:22PM +0100, Volker Lendecke wrote:
> Give me two or three days and I'll fix it. I'm just really
> busy right now.

Attached find the patch I checked in as revision 21962.

Volker



Re: [Samba] winbind: BUILTIN\users group gid 1001 conflict

2007-03-24 Thread Don Piven

Sez Christoph Peus:

Hi everybody,

I've joined a fileserver running samba 3.0.24 to an AD domain using 
winbind and noticed that samba maps the "users" group SID (5-1-5-32-545) 
to gid 1001 automatically. This seems to conflict with one of ~2000
mappings I had to "inject" in winbind's winbindd_idmap.tdb by use of net
idmap dump/restore, because the fileserver had millions of files with 
certain uid/gid ownership from a local passwd/group before I did the 
"net ads join". The gid 1001 was allocated to the group "nawi" in 
/etc/group before.

I'm unsure now which problems could be caused by this regarding security.
Is it possible - and useful - to change this mapping to get a
"BUILTIN\users" group as expected?

Thanks!


Have you checked the "idmap" settings in your smb.conf?  In particular, 
"idmap uid" and "idmap gid" specify the range of uid/gid values used to 
map to SIDs.



Re: [Samba] pdc configuration

2007-03-24 Thread Charles Marcus

Of course you don't need that to join the machine into the domain (you just
need root and its smbpassword). But last year when I started creating a PDC
(samba-3.0.20b-3.3) with LDAP backend (of course it has nothing to do with
LDAP), I found out that I could not login into the computer (the domain).
But after I'd configure that Domain member matters, I could. It was even
stated in samba.org tutorial, if I'm not mistaken, but they prefer changing
the registry.


If you had to change that registry setting with version 3 of Samba, then 
you had something else wrong in your setup (probably ldap related)
causing that problem. According to Andrew Bartlett, this has never been 
required for any released version of Samba3.


In fact, apparently this is a major security risk to your network to 
disable this setting:


http://lists.samba.org/archive/samba/2005-November/113748.html

This workaround hasn't been needed for a long time, although I don't 
recall the specific version that fixed the need for it.


--

Best regards,

Charles


Re: [Samba] help with Samba & win2k3 domain

2007-03-24 Thread sato x

Hi..

I once had a similar problem to yours, but mine is nscd. To let nscd
recognise the change in my LDAP backend, I usually reload nscd each time a
change happened, or it will change automatically in a couple of minutes. But
this doesn't happen if I added new users or groups. As with winbind, I also
cannot run id user but I can use winbind with my proxy server (squid) so
users in PDC who try to connect to the web will get a login message. I just
left nsswitch.conf as it was before.

Regards,

sato

On 3/23/07, Felipe Augusto van de Wiel <[EMAIL PROTECTED]> wrote:



On 03/22/2007 01:31 PM, nix_kot wrote:
> You received my configuration files?

No, I didn't.


> If is not present, I shall include them in a body of
> the letter! What you mean under setup nss?

Configure the NSS. nsswitch.conf and related files
in order to have information from winbind in your system
(like when you use the 'id' command).


> nsswitch.conf:
>     passwd: files winbind
>     group:  files winbind

Yes, that should do the trick.

Just for the sake of it, the file is /etc/nsswitch.conf
and I use them in Debian GNU/Linux machines with LDAP as the samba
backend, so I'm not 100% sure about the required steps to have
this info available under winbind environment.

When using glibc, instead of 'files' I use 'compat', not
sure if that would have an impact on the information of your
system accounts. nscd and other services (like nis, nys) can
mess with that.

Kind regards,

- --
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)


Re: [Samba] samba errors when using windows xp home edition

2007-03-24 Thread sato x

Hi Chantal,

I don't know what is the real problem you face, but here in my office, we
don't have such problems with users using Win XP HE. All I do is join their
machine into the PDC (with smbldap-useradd -w; since I use ldap as the
backend) then add their username and smbpassword into the PDC. The username
and smbpassword should be the same as their local one. Otherwise, samba will
ask them to login every time they start to browse the samba share. Good
luck.

PS. I use samba-3.0.20b-3.3 on OpenSuSE.

Regards,

sato


On 3/20/07, Chantal Rosmuller <[EMAIL PROTECTED]> wrote:


Hi everyone,

I hope someone can help me with the following problem:

I administer 2 separate networks, each with one samba server (samba versions
are 3.0.14 and 3.0.22) and several windows xp professional clients. There
were never any problems, but recently one of the employees bought a laptop
with windows xp home that he wants to use in both networks. He does not log
on to the domain like other employees but only accesses the shares. He
complains that office hangs when he is working on an excel sheet that's on
the server. I also noticed some errors in the logs on both servers, for
example:
libsmb/cliconnect.c:cli_connect(1330) Error connecting to 192.168.2.236
(Operation already in progress) : 1 Time(s)

Or

lib/util_sock.c:write_data(557) write_data: write failure in writing to
client 192.168.2.236. Error Broken pipe : 1 Time(s)

Can this have something to do with XP home or not logging onto the domain?
I

Thanks, regards Chantal



Re: [Samba] Laptops randomly losing their domain credentials

2007-03-24 Thread sato x

Hi Chris,

Windows XP Pro has a default value of 10 logons for the number of
previous logons. You can change it in Administrative Tools > Local Security
Settings > Security Settings > Local Policies > Security Options >
Interactive logon: Number of previous logons to cache (in case domain
controller is not available). Change the value as you like. Good luck.

Regards,

sato

On 3/22/07, Gerald (Jerry) Carter <[EMAIL PROTECTED]> wrote:



Chris Jeter wrote:
> I'm having a randomly occurring problem with some of the laptops that
> we maintain. They are joined to our Samba domain (samba-3.0.14a-1).
> Every once in a while when they are disconnected from the local network
> they will drop their cached domain passwords and will not allow the
> user to log back into the computer. It will return a domain unavailable
> error until it is plugged back into the network, at which point it will
> work as intended.
> Googling around I've found mention of this problem
> but no way to resolve it. Have any of you run into this problem and
> been able to resolve it?

Look at the offline logon support in 3.0.23 and (improved
support) 3.0.25pre2.






cheers, jerry


Re: [Samba] pdc configuration

2007-03-24 Thread sato x

Hi John,

Of course you don't need that to join the machine into the domain (you just
need root and its smbpassword). But last year when I started creating a PDC
(samba-3.0.20b-3.3) with LDAP backend (of course it has nothing to do with
LDAP), I found out that I could not login into the computer (the domain).
But after I'd configure that Domain member matters, I could. It was even
stated in samba.org tutorial, if I'm not mistaken, but they prefer changing
the registry.

Another thing: sometimes you'll find yourself failing to join a machine into the
domain, even if the configuration above is right. You can do a trick to add
your PDC ip address (that also operates as a wins server) in your network
configuration in the WINS part. Thank you for your information.

Regards,

sato

On 3/24/07, Jon Wilson <[EMAIL PROTECTED]> wrote:


Hi all,

just read this thread and sparked a couple thoughts ...

Re: {Digitally encrypt..., Digitally encrypt secure, Digitally sign
... } options
I'm not starting an argument here or saying you are wrong, merely
making the observation that I've never had to do this to make any of
our 350 workstations join the domain ... well not that I can remember
anyhow.

Also:
Re: >socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

And here is my question I guess ...

I *thought* I've recently read the SO_RCVBUF=8192 SO_SNDBUF=8192
options shouldn't be used on 2.6 kernels. Have I got the wrong end of
the stick here or is this the case ?

Many thanks

/Jon


On 24/03/07, sato x <[EMAIL PROTECTED]> wrote:

> Hi...
>
> Don't forget the [netlogon] share in smb.conf. You will need that for your
> windows users to login into the domain. All login script should be placed
> there; or if you didn't want any login script, just leave it empty. BUT, you
> must have it, no matter how.
>
> Other story, for winXP Pro to login into domain, you would have to change
> something in registry or in local security settings (within Administrative
> Tools) (it has something to do with Domain member: {Digitally encrypt...,
> Digitally encrypt secure, Digitally sign ... } options. You can access it
> via  Security Settings > Local Policies > Security Options. Just set the
> values to disable). Don't forget to join the machine into the domain.
>
> WinXP Home cannot join the domain, but you can still access the share in the
> domain automatically after you login into your local domain (I mean, your
> WinXP Home local domain/workgroup). Create a local user with password as
> same as the one in the PDC. Then create a machine account for your WinXP
> Home directly in your PDC (in term of WinXP Pro, join the machine into the
> domain). As for win98/Me, no need to worry about the WinXP issue. Hope it
> can help.
>
> Regards,
>
> sato
>
> On 3/22/07, Asier Baranguán <[EMAIL PROTECTED]> wrote:
> >
> > [EMAIL PROTECTED] escribió:
> > >
> > > Hello,
> > >
> > > I am using the February 15, 2002 document by Andrew Bartlett titled
> > > Using Samba as a PDC.
> > >
> > > Having difficulty, is there a more recent document or guidelines ? I am
> > > getting access denied - shares have worked but not the PDC part.
> > >
> > > below is the smb.conf without comments:
> > >
> > > #begin smb.conf
> > >    workgroup = CENTOS
> > >    server string = Samba Server
> > >    hosts allow = 192.199.2.
> > >
> > >    printcap name = /etc/printcap
> > >    load printers = yes
> > >    cups options = raw
> > >    log file = /var/log/samba/%m.log
> > >    max log size = 50
> > >    security = user
> > >    encrypt passwords = yes
> > >    domain logons=yes
> > >    unix password sync = Yes
> > >    passwd program = /usr/bin/passwd %u
> > >    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > >    dns proxy = no
> >
> > You must add the following to become a PDC:
> >
> > ### PDC
> >  domain master = yes
> >  domain logons = yes
> >  preferred master = yes
> >  local master = yes
> >  os level = 100
> >
> > If you have Windows clients add:
> >
> >  wins support = yes
> >  name resolve order = wins hosts lmhosts bcast
> >


Re: [Samba] Windows won't recognize hostname of server

2007-03-24 Thread sato x

Hi

Was your nmb service running? Please start it and try again. To make your
windows automatically check for netbios name in wins server, please
configure your network options (in tcp/ip) to include wins server ip
address.

Regards,

sato

On 3/21/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:


> Last time you posted your smb.conf it included the line
> wins server = 
>
> So, not knowing the ip address of your WINS server I suggested you try
> nmblookup -R -U ipaddr.of.wins.server mis001
>
> I thought you'd realize for ipaddr.of.wins.server you where supposed
to
> type in the ip address of your WINS server.
>
> Today when you posted your smb.conf you've got the line
> wins server = 192.161.200.1
>
> What happens when you issue the following command?
>
> nmblookup -R -U 192.161.200.1 mis001


I'm really sorry.  That was quite a foolish mistake on my part.  Clearly
I have too much to do... so much that I'm not investing enough thought
in what I'm doing anymore.

I tried running the command from various machines but I always get the
same answer...

name_query failed to find name mis001

I also have found out there is another samba server on our network.
Running the same command with its hostname instead of mine renders the
same result.  That server is version 2.2.12 running on AIX 5.

Here is the config on that machine...

[global]
workgroup = DFJ
netbios name = DFJ250
server string = Samba srvdfj250
security = SERVER
encrypt passwords = Yes
password server = lr-dc01
username map = /usr/local/samba/lib/username.map
log file = /local/samba/var/log.%U
max log size = 50
name resolve order = wins bcast host
load printers = No
character set = ISO8859-1
wins server = 192.161.200.1
create mask = 0777
directory mask = 0777
follow symlinks = No

I have looked closely at its config file and even tried using elements
from it in my own config file, but its not helping.  If anyone has any
suggestions of what I may want to try, I'd be happy to hear them.  But
the conclusion I am reaching is that I need to install another version
of Samba and maybe this will resolve itself.

One final thing...  I was looking at my log files and I noticed that
clients on the same subnet as my server are being logged as their
hostname, while clients connecting from different subnets are logged as
their IP address.  I don't know if this because name resolution isn't
working too well, or if this is normal behavior.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] pdc configuration

2007-03-24 Thread Jon Wilson

Hi all,

just read this thread and sparked a couple thoughts ...

Re: {Digitally encrypt..., Digitally encrypt secure, Digitally sign
... } options
I'm not starting an argument here or saying you are wrong, merely
making the observation that I've never had to do this to make any of
our 350 workstations join the domain ... well not that I can remember
anyhow.

Also:
Re: >socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

And here is my question I guess ...

I *thought* I've recently read the SO_RCVBUF=8192 SO_SNDBUF=8192
options shouldn't be used on 2.6 kernels. Have I got the wrong end of
the stick here or is this the case ?

Many thanks

/Jon


On 24/03/07, sato x <[EMAIL PROTECTED]> wrote:


Hi...

Don't forget the [netlogon] share in smb.conf. You will need that for your
windows users to login into the domain. All login script should be placed
there; or if you didn't want any login script, just leave it empty. BUT, you
must have it, no matter how.

Other story, for winXP Pro to login into domain, you would have to change
something in registry or in local security settings (within Administrative
Tools) (it has something to do with Domain member: {Digitally encrypt...,
Digitally encrypt secure, Digitally sign ... } options. You can access it
via  Security Settings > Local Policies > Security Options. Just set the
values to disable). Don't forget to join the machine into the domain.

WinXP Home cannot join the domain, but you can still access the share in the
domain automatically after you login into your local domain (I mean, your
WinXP Home local domain/workgroup). Create a local user with password as
same as the one in the PDC. Then create a machine account for your WinXP
Home directly in your PDC (in term of WinXP Pro, join the machine into the
domain). As for win98/Me, no need to worry about the WinXP issue. Hope it
can help.

Regards,

sato

On 3/22/07, Asier Baranguán <[EMAIL PROTECTED]> wrote:
>
> [EMAIL PROTECTED] escribió:
> >
> > Hello,
> >
> > I am using the February 15, 2002 document by Andrew Bartlett titled
> > Using Samba as a PDC.
> >
> > Having difficulty, is there a more recent document or guidelines ? I am
> > getting access denied - shares have worked but not the PDC part.
> >
> > below is the smb.conf without comments:
> >
> > #begin smb.conf
> >    workgroup = CENTOS
> >    server string = Samba Server
> >    hosts allow = 192.199.2.
> >
> >    printcap name = /etc/printcap
> >    load printers = yes
> >    cups options = raw
> >    log file = /var/log/samba/%m.log
> >    max log size = 50
> >    security = user
> >    encrypt passwords = yes
> >    domain logons=yes
> >    unix password sync = Yes
> >    passwd program = /usr/bin/passwd %u
> >    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >    dns proxy = no
>
> You must add the following to become a PDC:
>
> ### PDC
>  domain master = yes
>  domain logons = yes
>  preferred master = yes
>  local master = yes
>  os level = 100
>
> If you have Windows clients add:
>
>  wins support = yes
>  name resolve order = wins hosts lmhosts bcast
>


Re: [Samba] Can No Longer Join to Domain

2007-03-24 Thread John Drescher

On 3/23/07, Jason Baker <[EMAIL PROTECTED]> wrote:

I have Samba 3.0.24 running on CentOS 4 as a PDC with an LDAP backend.
When I first set everything up, I could join workstations to the domain
automatically with the  Windows Network ID Wizard. Now when I try to
join a workstation I get:

Your computer could not be joined to the domain because the
following error has occurred:
The user name could not be found.

If I add the computer name to the domain manually from the command line
or with LDAP Account Manager, then go back and join it, it works. But it
sure would be nice not to have to set up each machine manually. Any
thoughts?


Nothing helpful from me as I have the same problem, but this has been
how it has always worked for me. I actually thought that was
a feature. Thanks for starting the thread.

John


Re: [Samba] Re: getent passwd / wbinfo -u timeout

2007-03-24 Thread sato x

Hi guys,

Just curious. Some questions:
1. Do you have winbind running in your smb2 server? If you don't, start
one.
2. Do you have nscd running in your smb2 server? If you do, kill it. You
can't have both nscd and winbind in the same machine.

I'm not a master in reading the log, but some people use to have problems
with the two above. Good luck.

Regards,

sato

On 3/23/07, Bert Burgemeister <[EMAIL PROTECTED]> wrote:


Bramsi,

For me, problems of this kind went away entirely after upgrading to
Samba 3.0.24 on the PDC. If you do so on Debian you'll have to copy
manually a new version of samba.schema from package samba-doc and change
an index line or two in slapd.conf as described in
http://us4.samba.org/samba/history/samba-3.0.24.html.

Bert



Re: [Samba] Can No Longer Join to Domain

2007-03-24 Thread sato x

Hi...

Sorry if I was wrong. I just want to ask, did you join the machine (via
windows machine) using root account? If it's true, then I guess you have to
have samba password for your root. If you have made it before, try to
recreate your root's samba password (with smbldap-passwd), then try to join
the machine. Let me know if it failed. :)

Regards,

sato

On 3/24/07, Jason Baker <[EMAIL PROTECTED]> wrote:


I have Samba 3.0.24 running on CentOS 4 as a PDC with an LDAP backend.
When I first set everything up, I could join workstations to the domain
automatically with the  Windows Network ID Wizard. Now when I try to
join a workstation I get:

Your computer could not be joined to the domain because the
following error has occurred:
The user name could not be found.

If I add the computer name to the domain manually from the command line
or with LDAP Account Manager, then go back and join it, it works. But it
sure would be nice not to have to set up each machine manually. Any
thoughts?

[global]
unix charset = LOCALE
workgroup = glastendernet
netbios name = aster
server string = Glastender Domain Controller running %v
interfaces = eth1, lo
bind interfaces only = yes
os level = 255
preferred master = yes
local master = yes
domain master = yes
security = user
time server = yes
username map = /etc/samba/smbusers
wins support = yes
encrypt passwords = yes
pam password change = yes
name resolve order = wins bcast hosts
winbind nested groups = no
passdb backend = ldapsam:ldap://127.0.0.1/
ldap passwd sync = Yes
ldap suffix = dc=glastender,dc=com
ldap admin dn = cn=Manager,dc=glastender,dc=com
ldap ssl = no
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=People
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://127.0.0.1/
idmap uid = 1-2
idmap gid = 1-2
map acl inherit = yes
add user script = /etc/smbldap-tools/smbldap-useradd -m "%u"
#delete user script = /etc/smbldap-tools/smbldap-userdel "%u"
add machine script = /etc/smbldap-tools/smbldap-useradd -w "%u"
add group script = /etc/smbldap-tools/smbldap-groupadd -p "%g"
#delete group script = /etc/smbldap-tools/smbldap-groupdel "%g"
add user to group script = /etc/smbldap-tools/smbldap-groupmod -m "%u" "%g"
delete user from group script = /etc/smbldap-tools/smbldap-groupmod -x "%u" "%g"
set primary group script = /etc/smbldap-tools/smbldap-usermod -g "%g" "%u"
domain logons = yes
log file = /var/log/samba/log.%m
log level = 1
syslog = 0
max log size = 50
#smb ports = 139 445
smb ports = 139
hosts allow = 127.0.0.1 172.16.0.0/255.255.0.0
# User profiles and home directories
logon drive = U:
logon path = \\%L\profiles\%U
logon script = %U.bat
large readwrite = no
read raw = no
write raw = no
printcap name = /etc/printcap
load printers = no
printing =

#=Shares===
   template shell = /bin/false
   winbind use default domain = no

[homes]
comment = Home Directories
browseable = no

--

*Jason Baker
*/IT Coordinator/


*Glastender Inc.*
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.
www.glastender.com 

-BEGIN GEEK CODE BLOCK-
Version: 3.1
GIT$ d- s: a C++$ LU+++$ P+ L++>L !E--- W+++ N o? K?
w !O M !V PS PE- Y? PGP- t 5? X+ R+ tv+ b- DI-- D++ G e+ h---
r+++ y+++
--END GEEK CODE BLOCK--



Re: [Samba] pdc configuration

2007-03-24 Thread sato x

Hi...

Don't forget the [netlogon] share in smb.conf. You will need that for your
windows users to login into the domain. All login script should be placed
there; or if you didn't want any login script, just leave it empty. BUT, you
must have it, no matter how.

Other story, for winXP Pro to login into domain, you would have to change
something in registry or in local security settings (within Administrative
Tools) (it has something to do with Domain member: {Digitally encrypt...,
Digitally encrypt secure, Digitally sign ... } options. You can access it
via  Security Settings > Local Policies > Security Options. Just set the
values to disable). Don't forget to join the machine into the domain.

WinXP Home cannot join the domain, but you can still access the share in the
domain automatically after you login into your local domain (I mean, your
WinXP Home local domain/workgroup). Create a local user with password as
same as the one in the PDC. Then create a machine account for your WinXP
Home directly in your PDC (in term of WinXP Pro, join the machine into the
domain). As for win98/Me, no need to worry about the WinXP issue. Hope it
can help.

Regards,

sato

On 3/22/07, Asier Baranguán <[EMAIL PROTECTED]> wrote:


[EMAIL PROTECTED] escribió:
>
> Hello,
>
> I am using the February 15, 2002 document by Andrew Bartlett titled
> Using Samba as a PDC.
>
> Having difficulty, is there a more recent document or guidelines ? I am
> getting access denied - shares have worked but not the PDC part.
>
> below is the smb.conf without comments:
>
> #begin smb.conf
>    workgroup = CENTOS
>    server string = Samba Server
>    hosts allow = 192.199.2.
>
>    printcap name = /etc/printcap
>    load printers = yes
>    cups options = raw
>    log file = /var/log/samba/%m.log
>    max log size = 50
>    security = user
>    encrypt passwords = yes
>    domain logons=yes
>    unix password sync = Yes
>    passwd program = /usr/bin/passwd %u
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>    dns proxy = no

You must add the following to become a PDC:

### PDC
 domain master = yes
 domain logons = yes
 preferred master = yes
 local master = yes
 os level = 100

If you have Windows clients add:

 wins support = yes
 name resolve order = wins hosts lmhosts bcast



[Samba] winbind: BUILTIN\users group gid 1001 conflict

2007-03-24 Thread Christoph Peus

Hi everybody,

I've joined a fileserver running samba 3.0.24 to an AD domain using 
winbind and noticed that samba maps the "users" group SID (5-1-5-32-545) 
to gid 1001 automatically. This seems to conflict with one of ~2000
mappings I had to "inject" in winbind's winbindd_idmap.tdb by use of net
idmap dump/restore, because the fileserver had millions of files with 
certain uid/gid ownership from a local passwd/group before I did the 
"net ads join". The gid 1001 was allocated to the group "nawi" in 
/etc/group before.

I'm unsure now which problems could be caused by this regarding security.
Is it possible - and useful - to change this mapping to get a
"BUILTIN\users" group as expected?

Thanks!

Regards
Christoph

lunkwill / # net groupmap list -v
Administrators
SID   : S-1-5-32-544
Unix gid  : 1000
Unix group: BUILTIN\administrators
Group type: Local Group
Comment   :
Users
SID   : S-1-5-32-545
Unix gid  : 1001
Unix group: nawi
Group type: Local Group
Comment   :
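
The collision reported in this thread (a SID mapped onto a gid that a local /etc/group entry already owns, so files owned by that local group are also treated as owned by the mapped SID) can be checked mechanically. The following is an added example, not code from the thread or from the Samba project: it parses `net groupmap list -v` output in the format shown above and tests it against /etc/group and the `idmap gid` range mentioned in the reply. The /etc/group contents, the range `1000-20000` and all function names are assumptions made for illustration.

```python
import re

# Field labels as they appear in the `net groupmap list -v` output in this thread.
FIELDS = {"SID", "Unix gid", "Unix group", "Group type", "Comment"}

# Output copied from the post above (raw string: it contains a backslash).
GROUPMAP_SAMPLE = r"""
Administrators
SID   : S-1-5-32-544
Unix gid  : 1000
Unix group: BUILTIN\administrators
Group type: Local Group
Comment   :
Users
SID   : S-1-5-32-545
Unix gid  : 1001
Unix group: nawi
Group type: Local Group
Comment   :
"""

# Constructed /etc/group excerpt; only the "nawi" gid comes from the thread.
ETC_GROUP_SAMPLE = """
root:x:0:
users:x:100:
nawi:x:1001:alice,bob
"""

# Constructed value for the smb.conf "idmap gid" parameter.
IDMAP_GID_SAMPLE = "1000-20000"


def parse_groupmap(text):
    """Parse `net groupmap list -v` output into a list of dicts."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            if current is not None:
                current[key.strip()] = value.strip()
        else:
            # Any other line starts a new mapping and carries its name.
            current = {"name": line}
            entries.append(current)
    return entries


def parse_etc_group(text):
    """Return {gid: group_name} from /etc/group-style text."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            groups.setdefault(int(parts[2]), parts[0])
    return groups


def parse_idmap_range(value):
    """Parse an 'idmap gid = LOW-HIGH' value into (low, high)."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError(f"bad idmap range: {value!r}")
    return int(m.group(1)), int(m.group(2))


def find_conflicts(groupmap_text, etc_group_text, idmap_gid):
    """Return findings as (kind, gid, local_group, sid) tuples."""
    low, high = parse_idmap_range(idmap_gid)
    local = parse_etc_group(etc_group_text)
    findings = []
    # 1. Local groups whose gid sits inside the range winbind allocates from.
    for gid, name in sorted(local.items()):
        if low <= gid <= high:
            findings.append(("local-gid-in-idmap-range", gid, name, None))
    # 2. Existing SID mappings that landed on a gid a local group already owns.
    for entry in parse_groupmap(groupmap_text):
        gid = entry.get("Unix gid", "")
        if gid.isdigit() and int(gid) in local:
            findings.append(("sid-shares-gid-with-local-group",
                             int(gid), local[int(gid)], entry.get("SID")))
    return findings


if __name__ == "__main__":
    for finding in find_conflicts(GROUPMAP_SAMPLE, ETC_GROUP_SAMPLE,
                                  IDMAP_GID_SAMPLE):
        print(finding)
```

Moving the `idmap gid` range clear of the local gids removes the first finding only; a mapping that was already allocated, like the one for S-1-5-32-545 here, is still reported until it is changed.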
