Re: [Samba] How to change SID in ntuser.dat?

2007-04-04 Thread Stefan Drees
Many thanks, i will try today.

Gerald (Jerry) Carter wrote:
> Stefan Drees wrote:
> > Sorry, i try to explain again.
> > I want to migrate nt4 user and groups from nt4 pdc to
> > samba3 with net rpc vampire. Normally samba generate
> > new SID´s like this: 2*UID + 1000.
>
> > Now i want to change the nt4 user SID´s to the style samba would
> > calculate them.  The reason for this, a friend told me there
> > are some access problems if i leave
> > the original NT4 SID.  I tried the /usr/bin/profiles binary, but this
> > seems only to work for NT4/W2K and not for XP.
>
> > Hope its better now :-). Sorry, for my bad english.
>
> I already answered you here:
>
> http://lists.samba.org/archive/samba/2007-April/130849.html
>
> cheers, jerry
> =
> Samba--- http://www.samba.org
> Centeris ---  http://www.centeris.com
> "What man is a man who does not make the world better?"  --Balian

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Re: Use of cache_peer login=username:password

2007-04-04 Thread [EMAIL PROTECTED]
Oops, sorry, wrong mailing list!


Ian

On Thu Apr  5  9:08 , "[EMAIL PROTECTED]"  sent:

>I'm running squid 2.6.11 on FreeBSD with a parent cache that requires
>authentication in order to access any web sites.
>It's been suggested to us by the department that runs the upstream cache that we
>can make some sites accessible without the client having to authenticate by
>getting our local squid to supply the username & password to the upstream cache
>for those sites.
>It uses the cache_peer login= syntax.
>Unfortunately, the configuration they sent me doesn't work - I get the following
>error: "FATAL: ERROR: cache_peer xxx.xxx.xxx.xxx specified twice".
>
>Here is the relevant section of squid.conf (IP address, username & password have
>been removed!)
>
>#Define acl for all source addresses
>acl rest src 0.0.0.0/0.0.0.0
>#
>#Define acl for proxy bypass addresses (squid does authentication for these)
>acl safe dstdomain "/usr/local/etc/squid/safe.conf"
>#Supply username & password for sites defined in safe.conf
>cache_peer xxx.xxx.xxx.xxx parent 8080 3130 default no-query login=username:password
>cache_peer_access xxx.xxx.xxx.xxx allow safe
>cache_peer_access xxx.xxx.xxx.xxx deny rest
>#Require authentication for all other sites
>cache_peer xxx.xxx.xxx.xxx parent 8080 3130 default no-query login=PASS
>cache_peer_access xxx.xxx.xxx.xxx deny safe
>cache_peer_access xxx.xxx.xxx.xxx allow rest
>
>Can anyone suggest a way to implement this that gets around the duplicate
>cache_peer problem?
>
>Cheers,
>Ian


Re: [Samba] How to change SID in ntuser.dat?

2007-04-04 Thread Gerald (Jerry) Carter
Stefan Drees wrote:
> Sorry, i try to explain again.
> I want to migrate nt4 user and groups from nt4 pdc to
> samba3 with net rpc vampire. Normally samba generate
> new SID´s like this: 2*UID + 1000.
> 
> Now i want to change the nt4 user SID´s to the style samba would
> calculate them.  The reason for this, a friend told me there 
> are some access problems if i leave
> the original NT4 SID.  I tried the /usr/bin/profiles binary, but this
> seems only to work for NT4/W2K and not for XP.
> 
> Hope its better now :-). Sorry, for my bad english.

I already answered you here:

http://lists.samba.org/archive/samba/2007-April/130849.html






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


[Samba] Use of cache_peer login=username:password

2007-04-04 Thread [EMAIL PROTECTED]
I'm running squid 2.6.11 on FreeBSD with a parent cache that requires
authentication in order to access any web sites.
It's been suggested to us by the department that runs the upstream cache that we
can make some sites accessible without the client having to authenticate by
getting our local squid to supply the username & password to the upstream cache
for those sites.
It uses the cache_peer login= syntax.
Unfortunately, the configuration they sent me doesn't work - I get the following
error: "FATAL: ERROR: cache_peer xxx.xxx.xxx.xxx specified twice".

Here is the relevant section of squid.conf (IP address, username & password have
been removed!)

#Define acl for all source addresses
acl rest src 0.0.0.0/0.0.0.0
#
#Define acl for proxy bypass addresses (squid does authentication for these)
acl safe dstdomain "/usr/local/etc/squid/safe.conf"
#Supply username & password for sites defined in safe.conf
cache_peer xxx.xxx.xxx.xxx parent 8080 3130 default no-query login=username:password
cache_peer_access xxx.xxx.xxx.xxx allow safe
cache_peer_access xxx.xxx.xxx.xxx deny rest
#Require authentication for all other sites
cache_peer xxx.xxx.xxx.xxx parent 8080 3130 default no-query login=PASS
cache_peer_access xxx.xxx.xxx.xxx deny safe
cache_peer_access xxx.xxx.xxx.xxx allow rest

Can anyone suggest a way to implement this that gets around the duplicate
cache_peer problem?

Cheers,
Ian





Re: [Samba] winbind occasionally failing to find domain controllers for trusted domains

2007-04-04 Thread Jason Haar
Gerald (Jerry) Carter wrote:
> Jason Haar wrote:
> > Hi there
>
> > We have a bunch of Win2K3 trusted domains that are
> > parts of other forests from our own Win2K3 forest.
> ...
> We should be talking to DNS anyways in this case.
> Can you DNS resolve the SRV records for the trusted domain?
>
Absolutely. The Samba servers just use the local Active Directory DNS
servers - and indeed they can resolve  these domains correctly (e.g the
SRV records for   "_ldap._tcp.DOMAIN")

> Do you have "host" listed in the "name resolve order" option
> in smb.conf ?
>
>

It's set to "lmhosts wins host bcast", and /etc/nsswitch.conf is set to
"hosts: files dns"

Thanks!

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



[Samba] smbd trying to use incorrect am-utils paths

2007-04-04 Thread Geoff Ransom


Hello
  I am running samba on a RHEL 3 system and am having problems with file 
systems that are automounted by am-utils.


  [EMAIL PROTECTED] www]$ /usr/sbin/smbd -V
  Version 3.0.9-1.3E.12

  [EMAIL PROTECTED] samba]# cd /fs/icdlraid
  [EMAIL PROTECTED] icdlraid]# pwd
  /a/icdl/export/raid

smb.conf has an entry for this filesystem as...

  [icdlraid2]
path = /fs/icdlraid2
public = yes
writable = yes
browsable = no

And the error that shows up in the log is...

  [2007/04/04 16:51:12, 0] smbd/service.c:set_current_service(51)
chdir (/a/icdl/export/raid2) failed
  [2007/04/04 16:51:12, 1] smbd/service.c:close_cnum(841)
catoctin (128.8.130.207) closed connection to service icdlraid2

/fs/icdlraid2 is one of the paths I want smbd to use and it does the initial 
mount correctly. After some idle time, the automounter unmounts the filesystem 
and the /a/icdl/export/raid2 path is no longer valid. smbd is trying to use 
the back end path instead of the original /fs/icdlraid2 path which would make 
the automounter remount the file system. When this happens, the user has to 
remount their smb mounts to start using it again.


Are there any options available to affect the path used in this case?

Thanks
-Geoff


Re: [Samba] How to change SID in ntuser.dat?

2007-04-04 Thread Stefan Drees
Sorry, i try to explain again.
I want to migrate nt4 user and groups from nt4 pdc to samba3 with net rpc
vampire.
Normally samba generate new SID´s like this: 2*UID + 1000.

Now i want to change the nt4 user SID´s to the style samba would
calculate them.
The reason for this, a friend told me there are some access problems if
i leave
the original NT4 SID.  I tried the /usr/bin/profiles binary, but this
seems only
to work for NT4/W2K and not for XP.

Hope its better now :-). Sorry, for my bad english.

Regards
Stefan D.

Fred Nuffer wrote:
> Even after reading this I am not entirely sure what you are asking. 
> If you want to change the owners of the existing profiles, you would
> use moveuser.exe from the server resource kits.
>
> Stefan Drees wrote:
>> No one?
>> How can i change SID in ntuser.dat?
>>
>> Stefan Drees wrote:
>>
>>> Hello,
>>> i try to migrate user/groups from NT4 PDC to Samba3 with LDAP backend.
>>> There is already an NIS-Server with Samba running, so there exists two
>>> userlists.
>>> I migrated the user/ groups from windows via net rpc vampire and
>>> added/changed
>>> the UID´s from the NIS-Server but didn´t change the SID.
>>> A teammate told me, there could be some access problems, if i don´t
>>> change the SID.
>>> So i tried to change the SID in ntuser.dat to produce a samba equal SID
>>> (RID = 2xUID +1000).
>>> /usr/bin/profiles dumps me only the reghive, but doesn´t change the SID.
>>> I´m using Samba 3.0.24.
>>>
>>> Any hints?
>>>
>>> Regards
>>> Stefan D.
>>>   
>>> 
>>
>>   
>
> -- 
> Best regards, 
>   
> L. Fred Nuffer
> Support Systems Analyst, Senior
> Parking and Transportation Services
> Office:  (520)621-5021
> Cell:  (520)307-2306
> Email:  [EMAIL PROTECTED]
>   
   


Re: [Samba] How to change SID in ntuser.dat?

2007-04-04 Thread Stefan Drees
No one?
How can i change SID in ntuser.dat?

Stefan Drees wrote:
> Hello,
> i try to migrate user/groups from NT4 PDC to Samba3 with LDAP backend.
> There is already an NIS-Server with Samba running, so there exists two
> userlists.
> I migrated the user/ groups from windows via net rpc vampire and
> added/changed
> the UID´s from the NIS-Server but didn´t change the SID.
> A teammate told me, there could be some access problems, if i don´t
> change the SID.
> So i tried to change the SID in ntuser.dat to produce a samba equal SID
> (RID = 2xUID +1000).
> /usr/bin/profiles dumps me only the reghive, but doesn´t change the SID.
> I´m using Samba 3.0.24.
>
> Any hints?
>
> Regards
> Stefan D.
>   



RE: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions

2007-04-04 Thread Miles, Noal
I haven't tested but perhaps this pam entry in system-auth will help
(insert before winbind account entry)

account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet

Noal

-Original Message-
From: Andre Fernando Goldacker [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 04, 2007 11:06 AM
To: Andre Fernando Goldacker
Cc: Miles, Noal; samba@lists.samba.org
Subject: Re: [Samba] Issue with pam_winbind for MS AD authentication and
moduleoptions


I made a mistake, group in nsswitch.conf looks like this:

group: files winbind

sorry about that!!

Andre

Andre Fernando Goldacker wrote:
> Hello!
>
> passwd, shadow and group looks as follows in nsswitch.conf:
>
> passwd:  files winbind
> shadow:  files
> group: files group
>
> What really confuses me is that when my AD server is up and running, 
> root or any local user logs in with no problem. And even when AD 
> server is down, after trying a zillion times, root and other local 
> users login, and then if I log them out and try again a few minutes 
> later it won't go again, then again after a few minutes it works again
> and it keeps going like that.
>
> My guess is that when it's not going pam_winbind and winbind are 
> trying to connect to the AD Server resulting in a huge delay in the 
> login process affecting also local users login. That's why I was 
> wondering if there is a "timeout" option or something for pam_winbind 
> to avoid that. Well, that's my guess I could be wrong and maybe the 
> problem is something else.
>
> Anyway thank's so far for your help, if you or anyone has a light...
>
> Andre
>
>
>
> Miles, Noal wrote:
>   
>> You have files before winbind in /etc/nsswitch.conf for passwd, 
>> shadow, group?
>>
>> Noal
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On 
>> Behalf Of Andre Fernando Goldacker
>> Sent: Wednesday, April 04, 2007 8:40 AM
>> To: samba@lists.samba.org
>> Subject: [Samba] Issue with pam_winbind for MS AD authentication and 
>> moduleoptions
>>
>>
>> Hello!
>>
>> I've configured samba with winbind and pam_winbind module to 
>> authenticate users that connect to my linux box against MS AD.
>>
>> Works like a charm. If a user exists both in AD and locally, login 
>> should assume local users. Again, it works pretty well (It seems at 
>> least with my current config).
>>
>> If my AD server goes down for any reason, local users should be able 
>> to login. For example, root has to login always no matter if my AD 
>> server exploded.
>>
>> That's where is the problem. When I shutdown my AD server and I try 
>> to login with a local user (root as well), my guess is that it seems 
>> that pam_winbind waits for a very very long time trying to find my AD
>> server to authenticate that even the local login times out. I don't 
>> really know if that is the reason for this behaviour, but if it is, 
>> I'm wondering if there is a hidden or maybe a new "timeout" option 
>> for pam_winbind module as I didn't found anything related in the man 
>> pages and the mailing lists archive. Or maybe if login finds the user
>> in the local database, bypass winbind authentication, don't know if 
>> that is possible.
>>
>> The reason why I came up with this idea is that when the AD server is
>> down and I try to login with root for eg. over and over many times, 
>> after a while it goes (looks like pam config order is right), but a 
>> few minutes later it won't again, which made me thought that perhaps 
>> winbind or pam_winbind are trying to establish a connection with AD 
>> and somehow because of that the whole process slows down so much that
>> even local login times out.
>>
>> Samba is configured to catch UID's, GID's from AD using SFU and ad 
>> idmap backend. Only users that are members of a specified AD group 
>> are able to login. The purpose of the machine is to be an application
>> server and share folders based on AD users and group permissions.
>>
>> My system is RHEL AS3 with update 7 and samba-3.0.24
>>
>> Below are my pam lines in the system-auth file:
>>
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth        required      /lib/security/$ISA/pam_env.so
>> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>> auth        sufficient    /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
>> auth        required      /lib/security/$ISA/pam_deny.so
>>
>> account     required      /lib/security/$ISA/pam_unix.so nullok_secure
>> account     sufficient    /lib/security/$ISA/pam_winbind.so
>>
>> password    required      /lib/security/$ISA/pam_cracklib.so retry=3
>> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>> password    required      /lib/security/$ISA/pam_deny.so
>>
>> session     required      /lib/security/$ISA/pam_limits.so
>> session     required      /lib/security/$ISA/pam_

[Samba] Samba-3.0.24 patched drive mapping prompting for username/password and fails..

2007-04-04 Thread Wayne Rasmussen
This weekend upgraded a Solaris 9 system which has been using
samba-3.0.10 for a while without any problems to version 24 with patches
applied.  

When Samba-3.0.10 is running, can browse to share as well as map it
without getting any prompts or failures.  Under 3.0.24, get prompted for
username and password and still not allowed into share. User is on
Windows XP professional and AD server is Windows 2000 Server.

[global]
   hide unreadable = Yes
   workgroup = adtestnetbios
   realm = adtest.com
   security = ADS
   encrypt passwords = yes
   log level = 4
   idmap uid = 1-35000
   idmap gid = 1-35000
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /u/%U
   template shell = /bin/csh
   winbind use default domain = yes
   winbind cache time = 600
   client schannel = no
   username map = /usr/local/samba/lib/users.map

[u]
  comment = Monarch's u directory
  path = /u
  public = no
  create mask = 0660
  read only = No
  directory mask = 0770
  browseable = Yes
  force group = group
  valid users = root,monarch,@"xyzusers"

[public]
  comment = Monarch's public directory 
  public = no
  path = /u/public
  read only = No
  create mask = 0660
  directory mask = 0770
  browseable = Yes
  force group = group
  valid users = root,monarch,@"xyzusers"

[user]
  comment = User's home directory
  path = /u/%U
  writable = yes
  public = no
  create mask = 0660
  directory mask = 0770
  browseable = Yes
  force group = group
  valid users = root,monarch,@"xyzusers"

[stock]
  comment = Monarch's stock directory
  path = /u/stock
  read only = no
  public = no
  create mask = 0660
  directory mask = 0770
  browseable = Yes
  force group = group
  valid users = root,monarch,@"xyzusers"


[Samba] Re: roaming profile not uploaded correctly when logging outfor the first time

2007-04-04 Thread Mark Nienberg

Tomasz Chmielewski wrote:
> Does it happen for you with XP or 2000?

I'm certain it happens with 2000.  I'm not sure if it happens with XP or not.
Mark



Re: [Samba] Re: winbind: BUILTIN\users group gid 1001 conflict

2007-04-04 Thread Gerald (Jerry) Carter
Christoph Peus wrote:
> Don Piven wrote:
>> Sez Christoph Peus:
>>> Hi everybody,
>>>
>>> I've joined a fileserver running samba 3.0.24 to an AD domain using
>>> winbind and noticed that samba maps the "users" group SID
>>> (5-1-5-32-545)  to gid 1001 automatically. This seems to conflict
>>> with one of ~2000 mappings I had to "inject" in winbinds
>>> winbindd_idmap.tdb by use of net idmap dump/restore, because the

I don't remember but I assume the restore sets the UID and
GID HWM values right ?

> Thanks for the hint, but both are set to 1000-6, 
> which is - as far as I know - the correct setting
> if domain users/groups SIDs shall resolve to uids/gids
> of this range.

Definitely sounds like the HWM values are wrong.  Winbindd
uses these records to determine the next available uid/gid
which can be allocated.



cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] Registry on server

2007-04-04 Thread Gerald (Jerry) Carter
[EMAIL PROTECTED] wrote:
> Hi, all,
> 
> I can connect to the 'registry' of our Samba server using regedt32; 
> I can't however change/add entries even though I start the program as 
> Domain Admin. 

You have to be a member of the BUILTIN\Administrators group
on Samba server (and be running >= Samba 3.0.20).




cheers, jerry




Re: [Samba] deny second or multiple logins

2007-04-04 Thread Marcus Sobchak <[EMAIL PROTECTED]>
Hello Helmut,

On Wednesday, 04.04.2007, at 08:55 +0200, Helmut Hullen wrote:
> Hello, Marcus,
> 
> You wrote on 04.04.07 on the subject Re: [Samba] deny second or multiple logins:
> 
> >>> test "$RESULT" -eq 1 || exit 1
> >>> ---
> 
> >> That's no good idea.
> >> Try
> >>
> >> test "$RESULT" -eq 0
> >>
> >> Then the return level is 0 (= ok) for 0 , and it's 1 (not ok) for 1
> >> or higher.
> 
> > Hmmm, if the value of RESULT is not 1 or higher,
> 
> That's the DOS way ...
> 
> > the script has to "exit 1" (not ok), which is correct, because in this
> > case the same userid tries to connect from different IPs.
> 
> Your script returns with 1 also if $RESULT is 0.
> My version returns with 0 if $RESULT is 0, otherwise with 1 (if it's the  
> last line in the script).

Okay, let's finish this 1 or 0 result question, because this is not the
main problem. The preexec parameter thing does not solve the problem of
denying multiple logins. The user is still able to login, but no shares
are mounted. And as I wrote in one of my last emails, windows reconnects its
shares every few minutes. In this case, the script doesn't know anymore
which client PC was the user's first and therefore the script is
blocking all client PCs, the first client and all following clients (of
the user). 
To avoid this one has to set lock files with username and IP. These
lock files could be removed with the postexec parameter. But what
happens if a client PC crashes and doesn't disconnect its shares? The
postexec command will not run and if the user tries to connect from a
different machine (or his machine is getting a new IP by dhcp after
restart), the existing lock file is blocking the complete user. Any
other ideas? Did nobody solve this problem?

Ciao,
Marcus
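
The lock-file approach described in the message above, with the crashed-client case handled by expiry, as an added example that is not part of the original post or of Samba: a reconnect from the same IP refreshes the lock, and a lock that has not been refreshed for LOCK_TTL seconds is treated as abandoned. The script path, LOCK_DIR, the TTL value and the smb.conf wiring shown in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): one client IP per user, enforced with
# expiring lock files. Assumed wiring in smb.conf, per share:
#   root preexec       = /usr/local/sbin/login-gate.sh connect %U %I
#   root preexec close = yes
#   root postexec      = /usr/local/sbin/login-gate.sh disconnect %U %I
# The script path, LOCK_DIR and LOCK_TTL are hypothetical values.

LOCK_DIR="${LOCK_DIR:-/var/run/samba-login-locks}"
# Seconds without a reconnect before a lock counts as stale. It must be
# longer than the interval at which the clients reconnect their shares.
LOCK_TTL="${LOCK_TTL:-900}"

# valid_token VALUE: accept only characters that cannot leave LOCK_DIR
# (user names and IP addresses arrive from the client side).
valid_token() {
    case "$1" in
        ''|.|..|*[!A-Za-z0-9._:-]*) return 1 ;;
    esac
    return 0
}

# check_login USER IP [NOW]
# Returns 0 (allow) when the user has no lock, holds the lock from this IP,
# or the existing lock is older than LOCK_TTL. Returns 1 (deny) when another
# IP holds a fresh lock. NOW (epoch seconds) is injectable for testing.
# Concurrent connects for the same user are not serialised here.
check_login() {
    user=$1
    ip=$2
    now=${3:-$(date +%s)}
    valid_token "$user" || return 1
    valid_token "$ip" || return 1
    mkdir -p -m 0700 "$LOCK_DIR" || return 1
    lock="$LOCK_DIR/$user"

    if [ -f "$lock" ]; then
        held_ip=''
        held_ts=0
        read -r held_ip held_ts < "$lock" || true
        # A damaged timestamp is treated as infinitely old.
        case "$held_ts" in
            ''|*[!0-9]*) held_ts=0 ;;
        esac
        age=$((now - held_ts))
        if [ "$held_ip" != "$ip" ] && [ "$age" -lt "$LOCK_TTL" ]; then
            return 1
        fi
    fi

    # Write to a temporary file and rename, so a reader never sees half a lock.
    tmp="$lock.$$"
    printf '%s %s\n' "$ip" "$now" > "$tmp" && mv -f "$tmp" "$lock"
}

# release_login USER IP
# Removes the lock only if this IP is the holder, so a denied second client
# disconnecting cannot free the first client's lock.
release_login() {
    valid_token "$1" || return 0
    lock="$LOCK_DIR/$1"
    [ -f "$lock" ] || return 0
    held_ip=''
    read -r held_ip rest < "$lock" || true
    if [ "$held_ip" = "$2" ]; then
        rm -f "$lock"
    fi
    return 0
}

# Entry point when called from preexec/postexec; does nothing when sourced.
case "${1:-}" in
    connect)    check_login "$2" "$3"; exit $? ;;
    disconnect) release_login "$2" "$3"; exit 0 ;;
esac
```

A user whose machine crashed or received a new DHCP address is locked out for at most LOCK_TTL seconds instead of indefinitely.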




Re: [Samba] creating NTConfig.POL

2007-04-04 Thread Mike Petersen
On Wed, 2007-04-04 at 09:58 -0500, Adam Williams wrote:
> I have an NTConfig.POL I created from poledit with the Windows 2000 
> Administrator toolkit.  It contains my WSUS configuration, and 
> NTConfig.POL is placed in my [netlogon] share and is being loaded fine 
> by the clients.  Is this still the proper way to create NTConfig.POL 
> files, or is there a newer utility I should be using?  I'm looking at 
> Vista and it uses .admx templates, which I guess aren't compatible with 
> the Windows 2000 poledit.exe I'm using.
> 

Yes, that is the proper way to configure Policies until Samba supports
GPOs.

This summer I will probably create policy templates for Vista to be used
with the Policy Editor (they will be in .adm format).  Currently I have
a few custom templates for the Policy Editor available at:

http://www.pcc-services.com/custom_poledit.html

I am in the process of updating them to include IE7 policies (among
other policies).  If you are in need of any policy that is not in these
templates, please let me know so I can add them as I update the
templates.

I have a working IE7 template at:

http://files.pcc-services.com/files/samba/

I have run into a few snags that look like they are simply bugs with IE7
and am trying to work with Microsoft to fix them (imagine that),
although I don't know if they will be fixed - I think I can create work
arounds that should be easy to implement if they aren't fixed.

Anyway, if you need any policies you can email me directly - as I want
to be finished with a new custom_policy template sometime this month.

Mike Petersen
[EMAIL PROTECTED]




[Samba] Re: home shares and thunderbird profiles

2007-04-04 Thread Mark Nienberg

Gerald (Jerry) Carter wrote:
> Jeremy Allison wrote:
>> On Mon, Apr 02, 2007 at 11:08:14AM -0700, Mark Nienberg wrote:
>>> We find it convenient to keep thunderbird email client profiles on our home
>>> shares rather than in our user profiles, as is the default.  From time to
>>> time some users experience the dreaded "delayed write failed" error for
>>> certain thunderbird files. The only solution seems to be to log off and log
>>> on again. (after clicking OK to accept the error about seven times).
>>
>> This almost always means a network problem (it's a client oplock
>> break response failure).
>
> The only time I ever see this in my environment is when
> you are re-exporting NFS home directories.  Firefox has the
> same problem.


I am seeing the Firefox problem too, but the home directories are not on NFS.  It 
happens less often for Firefox, but that is probably because there is less writing to 
be done.  (The Firefox profiles do not include the browser cache, which is local to 
each machine). I have not seen the problem on any other shares, but the home share is 
the only one with Thunderbird and Firefox profiles.  So far, I have not been able to 
identify a hardware culprit, but I am still keeping an eye out for one.


Thanks very much for the information.

Mark Nienberg



Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions

2007-04-04 Thread Andre Fernando Goldacker
I made a mistake, group in nsswitch.conf looks like this:

group: files winbind

sorry about that!!

Andre

Andre Fernando Goldacker wrote:
> Hello!
>
> passwd, shadow and group looks as follows in nsswitch.conf:
>
> passwd:  files winbind
> shadow:  files
> group: files group
>
> What really confuses me is that when my AD server is up and running,
> root or any local user logs in with no problem.
> And even when AD server is down, after trying a zillion times, root and
> other local users login, and then if I log them out and try again a few
> minutes later it won't go again, then again after a few minutes it works
> again and it keeps going like that.
>
> My guess is that when it's not going pam_winbind and winbind are trying
> to connect to the AD Server resulting in a huge delay in the login
> process affecting also local users login. That's why I was wondering if
> there is a "timeout" option or something for pam_winbind to avoid that.
> Well, that's my guess I could be wrong and maybe the problem is
> something else.
>
> Anyway thank's so far for your help, if you or anyone has a light...
>
> Andre
>
>
>
> Miles, Noal wrote:
>   
>> You have files before winbind in /etc/nsswitch.conf for passwd, shadow,
>> group?
>>
>> Noal
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On
>> Behalf Of Andre Fernando Goldacker
>> Sent: Wednesday, April 04, 2007 8:40 AM
>> To: samba@lists.samba.org
>> Subject: [Samba] Issue with pam_winbind for MS AD authentication and
>> moduleoptions
>>
>>
>> Hello!
>>
>> I've configured samba with winbind and pam_winbind module to
>> authenticate users that connect to my linux box against MS AD.
>>
>> Works like a charm. If a user exists both in AD and locally, login
>> should assume local users. Again, it works pretty well (It seems at
>> least with my current config).
>>
>> If my AD server goes down for any reason, local users should be able to
>> login. For example, root has to login always no matter if my AD server
>> exploded.
>>
>> That's where is the problem. When I shutdown my AD server and I try to
>> login with a local user (root as well), my guess is that it seems that
>> pam_winbind waits for a very very long time trying to find my AD server
>> to authenticate that even the local login times out. I don't really know
>> if that is the reason for this behaviour, but if it is, I'm wondering if
>> there is a hidden or maybe a new "timeout" option for pam_winbind module
>> as I didn't found anything related in the man pages and the mailing
>> lists archive. Or maybe if login finds the user in the local database,
>> bypass winbind authentication, don't know if that is possible.
>>
>> The reason why I came up with this idea is that when the AD server is
>> down and I try to login with root for eg. over and over many times,
>> after a while it goes (looks like pam config order is right), but a few
>> minutes later it won't again, which made me thought that perhaps winbind
>> or pam_winbind are trying to establish a connection with AD and somehow
>> because of that the whole process slows down so much that even local
>> login times out.
>>
>> Samba is configured to catch UID's, GID's from AD using SFU and ad idmap
>> backend. Only users that are members of a specified AD group are able to
>> login. The purpose of the machine is to be an application server and
>> share folders based on AD users and group permissions.
>>
>> My system is RHEL AS3 with update 7 and samba-3.0.24
>>
>> Below are my pam lines in the system-auth file:
>>
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth        required      /lib/security/$ISA/pam_env.so
>> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>> auth        sufficient    /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
>> auth        required      /lib/security/$ISA/pam_deny.so
>>
>> account     required      /lib/security/$ISA/pam_unix.so nullok_secure
>> account     sufficient    /lib/security/$ISA/pam_winbind.so
>>
>> password    required      /lib/security/$ISA/pam_cracklib.so retry=3
>> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>> password    required      /lib/security/$ISA/pam_deny.so
>>
>> session     required      /lib/security/$ISA/pam_limits.so
>> session     required      /lib/security/$ISA/pam_unix.so
>> session     required      /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel
>>
>> Considering that if a user exists both in the local user database and
>> AD, login has to assume local user (seems to be working fine), could
>> someone give me a hint if I'm in the right path, and maybe an idea why
>> or what I could do when my AD servers goes down to my local users
>> (including root) log in normally??
>>
>> Any help will be greatly appreciated,
>>
>> Andre
>>
>>   
>> 

Re: [Samba] winbind occasionally failing to find domain controllers for trusted domains

2007-04-04 Thread Gerald (Jerry) Carter
Jason Haar wrote:
> Hi there
> 
> We have a bunch of Win2K3 trusted domains that are 
> parts of other forests from our own Win2K3 forest.
...

> Have I missed something that could make these trusts 
> more reliable? We are running Samba-3.0.24 under CentOS4.4

We should be talking to DNS anyways in this case.
Can you DNS resolve the SRV records for the trusted domain?

Do you have "host" listed in the "name resolve order" option
in smb.conf ?



cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: NDN: Re: [Samba] Move local profile to domain profile.

2007-04-04 Thread Gerald (Jerry) Carter

Charles Marcus wrote:
> Post Office wrote:
>> Sorry. Your message could not be delivered to:
>>
>> Jonathan DEL CAMPO /jdc/ .Y (Mailbox or Conference is full.)
> 
> Would one of the list admins PLEASE remove this guy from the list?
> 
> I've been getting NDRs from him for as long as I can remember...

Done.



cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] smbclient and long share names

2007-04-04 Thread Gerald (Jerry) Carter

Leif Adeloew wrote:
> Hi,
> Have been trying to find info on how to tune samba/smbclient to show
> shares with long names. E.g  a share named "Production Documents" on a WIN
> 2000 server is not shown in 'browsing' list (smbclient -L boxname) whereas
> "Cetal Backup" is.

This is fixed in recent Samba versions.  Starting with 3.0.23 IIRC.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] cups and inf file with hp laserjet 4000

2007-04-04 Thread Gerald (Jerry) Carter

Miguel Angel Miranda wrote:
> Hi, im having the very same problem described in this thread (October
> 2004), 
> 
> http://lists.samba.org/archive/samba/2004-October/094840.html
> 
> the user got zero responses, does somebody have a 
> response or comment now (march 2007)?

My advice is to not use cupsmbadd.  Use a real windows client
to upload the driver.




cheers. jerry


Re: [Samba] Does samba support ipv6 ?

2007-04-04 Thread Gerald (Jerry) Carter

[EMAIL PROTECTED] wrote:
> Hi All,
>  
> Am fairly new to samba and using samba-3.0.22. Is there 
> any option for configuring samba so that it supports ipv6
> or any patch which will help us to enable ipv6 ??

None that are current.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


[Samba] creating NTConfig.POL

2007-04-04 Thread Adam Williams
I have an NTConfig.POL I created from poledit with the Windows 2000 
Administrator toolkit.  It contains my WSUS configuration, and 
NTConfig.POL is placed in my [netlogon] share and is being loaded fine 
by the clients.  Is this still the proper way to create NTConfig.POL 
files, or is there a newer utility I should be using?  I'm looking at 
Vista and it uses .admx templates, which I guess aren't compatible with 
the Windows 2000 poledit.exe I'm using.




Re: [Samba] How to change SID in ntuser.dat?

2007-04-04 Thread Gerald (Jerry) Carter

Stefan,

> Hello,
> i try to migrate user/groups from NT4 PDC to Samba3 with LDAP backend.
> There is already an NIS-Server with Samba running, so there exists two
> userlists.
> I migrated the user/ groups from windows via net rpc vampire and
> added/changed
> the UID´s from the NIS-Server but didn´t change the SID.
> A teammate told me, there could be some access problems, if i don´t
> change the SID.
> So i tried to change the SID in ntuser.dat to produce a samba equal SID
> (RID = 2xUID +1000).
> /usr/bin/profiles dumps me only the reghive, but doesn´t change the SID.
> I´m using Samba 3.0.24.

Grab the profiles tool from 3.0.25pre2.



cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] Changing winbind's user settings of an AD-User

2007-04-04 Thread Gerald (Jerry) Carter

Sebastian Knieschewski wrote:
> Hi,
> 
> I set up a Win2k3 AD and joined Samba 3.0.24 successfully.
> 
> "getent passwd" lists all Linux and AD users correctly.
> [...]
> "UIB+knieschewski:*:1:1:Sebastian
> Knieschewski:/home/UIB/knieschewski:/bin/bash"
> 
> Now I want to change the home directory of some users. Is there any way
> to do this??? I expected the home-dir entries to be stored in the AD,
> but there isn't a trace, so there must be a place to find on my linux
> machine. In other words, I'm looking for a file like /etc/passwd for
> changing settings for the AD-Users.

Set "winbind nss info = rfc2307" or sfu depending on your
domain schema.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] home shares and thunderbird profiles

2007-04-04 Thread Gerald (Jerry) Carter

Jeremy Allison wrote:
> On Mon, Apr 02, 2007 at 11:08:14AM -0700, Mark Nienberg wrote:
>> We find it convenient to keep thunderbird email client profiles on our home 
>> shares rather than in our user profiles, as is the default.  From time to 
>> time some users experience the dreaded "delayed write failed" error for 
>> certain thunderbird files. The only solution seems to be to log off and log 
>> on again. (after clicking OK to accept the error about seven times).
> 
> This almost always means a network problem (it's a client oplock
> break response failure).

The only time I ever see this in my environment is when
you are re-exporting NFS home directories.  Firefox has the
same problem.






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] unsupported nsswitch entry

2007-04-04 Thread Gerald (Jerry) Carter

Collen Blijenberg wrote:
> isn't password change done through PAM, not nsswitch 

The Solaris passwd command is a bit borken in my experience.
I recommend using kpasswd for changing AD domain user passwords.

>>> # passwd root
>>> passwd: Unsupported nsswitch entry for "passwd:". Use "-r repository ".
>>> Unexpected failure. Password file/table unchanged.
>> How do you get Solaris to recognize the winbind entry? I have
>> installed the winbind library.

IIRC, this has to be "passwd -r files root"






cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] Failed to verify incoming ticket! When clients use netbios names only!

2007-04-04 Thread Gerald (Jerry) Carter

m.bland wrote:

> thor:/var/log/samba# cat /etc/samba/smb.conf
> [global]

> workgroup = DOMAIN
> realm = DOMAIN

Are these really the same value ?

...

> thor:/var/log/samba# cat /etc/krb5.conf
> [libdefaults]
>  default_realm = DOMAIN.NAME






cheers, jerry
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
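The comparison behind the question in the reply above, written out as an added example (not code from the thread or from Samba): it reads the `realm`/`workgroup` pair from smb.conf and `default_realm` from krb5.conf and reports where they disagree. The sample files are constructed, reduced from the values quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample inputs, reduced from the two files quoted in the thread.
SMB_CONF = """\
[global]
workgroup = DOMAIN
security = ads
realm = DOMAIN
netbios name = THOR
"""

KRB5_CONF = """\
[libdefaults]
 default_realm = DOMAIN.NAME
 dns_lookup_kdc = true
[realms]
 DOMAIN.NAME = {
  kdc = server01:88
 }
"""


def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf as a dict.

    smb.conf parameter names are case-insensitive and whitespace inside
    them is irrelevant, so names are normalised ("netbios name" -> "netbiosname").
    """
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def parse_krb5(text):
    """Return ([libdefaults] settings, set of realm names declared under [realms])."""
    libdefaults, realms, section, depth = {}, set(), None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m and depth == 0:
            section = m.group(1).lower()
            continue
        if line == "}":
            depth = max(0, depth - 1)
            continue
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("{"):
            if section == "realms" and depth == 0:
                realms.add(name)
            depth += 1
        elif section == "libdefaults" and depth == 0:
            libdefaults[name] = value
    return libdefaults, realms


def check_ads_realm(smb_text, krb5_text):
    """Return a list of findings; an empty list means the realm settings agree."""
    smb = parse_smb_global(smb_text)
    libdefaults, realms = parse_krb5(krb5_text)
    if smb.get("security", "").lower() != "ads":
        return []  # the realm parameter only matters for security = ads
    findings = []
    realm = smb.get("realm", "")
    workgroup = smb.get("workgroup", "")
    default_realm = libdefaults.get("default_realm", "")
    if not realm:
        findings.append("smb.conf: security = ads but no realm is set")
    elif realm.upper() != default_realm.upper():
        findings.append(
            f"smb.conf realm '{realm}' differs from krb5.conf default_realm '{default_realm}'")
    if realm and realm.upper() == workgroup.upper():
        findings.append(
            "smb.conf realm equals workgroup; realm is normally the Kerberos "
            "realm and workgroup the short NetBIOS domain name")
    dns_kdc = libdefaults.get("dns_lookup_kdc", "").lower() in ("true", "yes")
    if default_realm and default_realm not in realms and not dns_kdc:
        findings.append(
            f"krb5.conf: no [realms] entry for '{default_realm}' and dns_lookup_kdc is off")
    return findings


if __name__ == "__main__":
    for finding in check_ads_realm(SMB_CONF, KRB5_CONF):
        print("WARNING:", finding)
```
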


[Samba] Failed to verify incoming ticket! When clients use netbios names only!

2007-04-04 Thread m.bland
Hi,
I have set up our samba box in 'ADS' mode; the problem I have is clients
connecting to the server can not do so by using its netbios name. Only when
they use the IP address of the machine are they able to be authenticated and
browse the box.
When clients connect via the netbios name this message will appear in my
samba logs with the IP of the connecting client;

"smbd/sesssetup.c:reply_spnego_kerberos(173) Failed to verify incoming
ticket!"
 
Additionally, If a client connects successfully via the IP of the samba
server, the log file is named in the clients netbios name rather than their
IP.
eg machinenetbiosname.log will contain
[2007/04/04 15:13:00, 1] smbd/service.c:make_connection_snum(642)
  netbiosnameofmachine (192.168.16.203) signed connect to service data
initially as user DOMAIN+gorby (uid=10002, gid=10004) (pid 4329)
 
Can some one tell me what's happening here? ;)
 
thor:/var/log/samba# cat /etc/samba/smb.conf
[global]
winbind use default domain = yes
winbind separator = +
client use spnego = yes
use spnego = yes
server signing = auto
client signing = auto
netbios name = THOR
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
workgroup = DOMAIN
server string = Thor
security = ads
hosts allow = 192.168.16.
load printers = no
cups options = raw
log file = /var/log/samba/%m.log
max log size = 50
password server = SERVER01
encrypt passwords = yes
realm = DOMAIN
passdb backend = tdbsam
local master = no
domain master = no
wins support = no
wins server = 192.168.16.3
dns proxy = no
hostname lookups = yes
name resolve order = lmhosts host wins dns bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 
[data]
comment = 
path = /data
Valid Users = +DOMAIN+"domain users"
writeable = yes
browseable = yes
 
[ftp]
comment = FTP area
path = /data/ftp
Valid Users = +DOMAIN+"domain users"
writeable = yes
browseable = yes
thor:/var/log/samba#
 
wbinfo -u works!
wbinfo -g works
 
passwd: files winbind
shadow: files winbind
group:  files winbind
 
#hosts: db files nisplus nis dns
hosts:  files winbind
 
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
 
bootparams: nisplus [NOTFOUND=return] files
 
ethers: files
netmasks:   files
networks:   files
protocols:  files winbind
rpc:        files
services:   files winbind
 
netgroup:   files winbind
 
publickey:  nisplus
 
automount:  files winbind
aliases:    files nisplus

cat /etc/resolv.conf

search DOMAIN.NAME
nameserver 192.168.16.3 (also the PDC)

thor:/var/log/samba# cat /etc/hosts
127.0.0.1   localhost.localdomain   localhost
192.168.16.4    thor.DOMAIN.NAME  thor
192.168.16.3    server01.DOMAIN.NAME  server01

thor:/var/log/samba# kinit administrator@DOMAIN.NAME
administrator@DOMAIN.NAME's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
 
thor:/var/log/samba# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = DOMAIN.NAME
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 krb4_get_tickets = false
[realms]
 DOMAIN.NAME = {
  kdc = server01:88
 }
 
[domain_realm]
 .server01 = DOMAIN.NAME
 server01 = DOMAIN.NAME
 
[kdc]
 profile = /var/lib/heimdal-kdc/kdc.conf
 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }



Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions

2007-04-04 Thread Andre Fernando Goldacker
Hello!

passwd, shadow and group looks as follows in nsswitch.conf:

passwd:  files winbind
shadow:  files
group: files group

What really confuses me is that when my AD server is up and running,
root or any local user logs in with no problem.
And even when AD server is down, after trying a zillion times, root and
other local users login, and then if I log them out and try again a few
minutes later it won't go again, then again after a few minutes it works
again and it keeps going like that.

My guess is that when it's not going pam_winbind and winbind are trying
to connect to the AD Server resulting in a huge delay in the login
process affecting also local users login. That's why I was wondering if
there is a "timeout" option or something for pam_winbind to avoid that.
Well, that's my guess I could be wrong and maybe the problem is
something else.

Anyway thanks so far for your help, if you or anyone has a light...

Andre



Miles, Noal wrote:
> You have files before winbind in /etc/nsswitch.conf for passwd, shadow,
> group?
>
> Noal
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Andre Fernando Goldacker
> Sent: Wednesday, April 04, 2007 8:40 AM
> To: samba@lists.samba.org
> Subject: [Samba] Issue with pam_winbind for MS AD authentication and
> moduleoptions
>
>
> Hello!
>
> I've configured samba with winbind and pam_winbind module to
> authenticate users that connect to my linux box against MS AD.
>
> Works like a charm. If a user exists both in AD and locally, login
> should assume local users. Again, it works pretty well (It seems at
> least with my current config).
>
> If my AD server goes down for any reason, local users should be able to
> login. For example, root has to login always no matter if my AD server
> exploded.
>
> That's where is the problem. When I shutdown my AD server and I try to
> login with a local user (root as well), my guess is that it seems that
> pam_winbind waits for a very very long time trying to find my AD server
> to authenticate that even the local login times out. I don't really know
> if that is the reason for this behaviour, but if it is, I'm wondering if
> there is a hidden or maybe a new "timeout" option for pam_winbind module
> as I didn't find anything related in the man pages and the mailing
> lists archive. Or maybe if login finds the user in the local database,
> bypass winbind authentication, don't know if that is possible.
>
> The reason why I came up with this idea is that when the AD server is
> down and I try to login with root for eg. over and over many times,
> after a while it goes (looks like pam config order is right), but a few
> minutes later it won't again, which made me think that perhaps winbind
> or pam_winbind are trying to establish a connection with AD and somehow
> because of that the whole process slows down so much that even local
> login times out.
>
> Samba is configured to catch UID's, GID's from AD using SFU and ad idmap
> backend. Only users that are members of a specified AD group are able to
> login. The purpose of the machine is to be an application server and
> share folders based on AD users and group permissions.
>
> My system is RHEL AS3 with update 7 and samba-3.0.24
>
> Below are my pam lines in the system-auth file:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so nullok_secure
> account     sufficient    /lib/security/$ISA/pam_winbind.so
>
> password    required      /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     required      /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel
>
> Considering that if a user exists both in the local user database and
> AD, login has to assume local user (seems to be working fine), could
> someone give me a hint if I'm in the right path, and maybe an idea why
> or what I could do when my AD servers goes down to my local users
> (including root) log in normally??
>
> Any help will be greatly appreciated,
>
> Andre
>
>   


[Samba] Solaris 10 Samba and AD using LDAP

2007-04-04 Thread Jeff Wheelock
Environment: Solaris 10, Samba 3.0.24 and LDAP client (native to Solaris 10). 

The Solaris machine/Samba is running LDAP client, pointing at a Windows 2003 R2 
LDAP server. We wish to have the Samba instance look to the Windows machine for 
user authentication, single sign-on.
Ideally, when a user is writing files on the Samba share, the file attributes 
reflect the Windows attributes and these are gathered from the Active Directory 
via LDAP.
LDAP/Kerberos functionality has been verified (klist, kinit, etc).

1. When compiling Samba we receive the following error: Configure: Warning: 
Disabling Active Directory Support (requires ldap_initialize). We are in the 
process of chasing this error down.
2. Most documentation has the Samba machine running as a BDC. We want the 
Samba/Solaris 10 machine to use LDAP for user authentication.

Will Samba use a Windows 2003 LDAP server for user authentication, providing 
single sign on?




Re: [Samba] Issue with pam_winbind for MS AD authentication and module options

2007-04-04 Thread Sebastian Knieschewski

Hi,

maybe this isn't exactly what you're looking for, but it could help you:

"pam_ccreds"

cached credentials, this should give you full access to your server even 
if the ad-server is down. I haven't used this module yet. Just found it 
today while looking for a solution concerning a similar issue.


Good luck!

Sebastian Knieschewski


[Samba] Issue with pam_winbind for MS AD authentication and module options

2007-04-04 Thread Andre Fernando Goldacker
Hello!

I've configured samba with winbind and pam_winbind module to
authenticate users that connect to my linux box against MS AD.

Works like a charm. If a user exists both in AD and locally, login
should assume local users. Again, it works pretty well (It seems at
least with my current config).

If my AD server goes down for any reason, local users should be able to
login. For example, root has to login always no matter if my AD server
exploded.

That's where is the problem. When I shutdown my AD server and I try to
login with a local user (root as well), my guess is that it seems that
pam_winbind waits for a very very long time trying to find my AD server
to authenticate that even the local login times out. I don't really know
if that is the reason for this behaviour, but if it is, I'm wondering if
there is a hidden or maybe a new "timeout" option for pam_winbind module
as I didn't find anything related in the man pages and the mailing
lists archive. Or maybe if login finds the user in the local database,
bypass winbind authentication, don't know if that is possible.

The reason why I came up with this idea is that when the AD server is
down and I try to login with root for eg. over and over many times,
after a while it goes (looks like pam config order is right), but a few
minutes later it won't again, which made me think that perhaps winbind
or pam_winbind are trying to establish a connection with AD and somehow
because of that the whole process slows down so much that even local
login times out.

Samba is configured to catch UID's, GID's from AD using SFU and ad idmap
backend. Only users that are members of a specified AD group are able to
login. The purpose of the machine is to be an application server and
share folders based on AD users and group permissions.

My system is RHEL AS3 with update 7 and samba-3.0.24

Below are my pam lines in the system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so nullok_secure
account     sufficient    /lib/security/$ISA/pam_winbind.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_mkhomedir.so umask=0022 skel=/etc/skel

Considering that if a user exists both in the local user database and
AD, login has to assume local user (seems to be working fine), could
someone give me a hint if I'm in the right path, and maybe an idea why
or what I could do when my AD servers goes down to my local users
(including root) log in normally??

Any help will be greatly appreciated,

Andre

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
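To see which modules the system-auth file in the post above consults for a purely local user, here is an added example (not from the thread or from Linux-PAM) that walks the `auth` and `account` stacks using the four classic control flags. The stack text is a constructed copy of the posted lines with column spacing restored; the module outcomes and the `pam_localuser.so` variant are assumptions for illustration and were not tested on the poster's system.

```python
import os

# Constructed sample: auth and account lines of the posted system-auth file.
SYSTEM_AUTH = """\
auth     required    /lib/security/$ISA/pam_env.so
auth     sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok
auth     sufficient  /lib/security/$ISA/pam_winbind.so try_first_pass require_membership_of=DOMAIN+group
auth     required    /lib/security/$ISA/pam_deny.so
account  required    /lib/security/$ISA/pam_unix.so nullok_secure
account  sufficient  /lib/security/$ISA/pam_winbind.so
"""

# Assumed variant (not from the thread): let local accounts leave the account
# stack before pam_winbind is reached.
ACCOUNT_VARIANT = """\
account  required    /lib/security/$ISA/pam_unix.so nullok_secure
account  sufficient  /lib/security/$ISA/pam_localuser.so
account  sufficient  /lib/security/$ISA/pam_winbind.so
"""

# Assumed outcomes for a user that exists only in the local files:
# pam_winbind does not know the user, pam_deny always fails, and every
# module not listed here is taken to succeed.
LOCAL_USER = {"pam_winbind.so": False, "pam_deny.so": False}


def parse_stack(text, facility):
    """Return [(control, module_basename), ...] for one facility, in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#") or fields[0] != facility:
            continue
        entries.append((fields[1], os.path.basename(fields[2])))
    return entries


def run_stack(entries, outcome):
    """Walk one stack and return (granted, modules_called).

    required   - failure is remembered, the walk continues
    requisite  - failure ends the walk at once
    sufficient - success ends the walk at once unless a required module
                 has already failed; failure is ignored
    optional   - result ignored here
    """
    called = []
    failed_required = False
    any_success = False
    for control, module in entries:
        called.append(module)
        ok = outcome.get(module, True)
        if control == "requisite":
            if not ok:
                return False, called
            any_success = True
        elif control == "required":
            if ok:
                any_success = True
            else:
                failed_required = True
        elif control == "sufficient":
            if ok and not failed_required:
                return True, called
    return (any_success and not failed_required), called


if __name__ == "__main__":
    for name, text, facility in (
        ("auth", SYSTEM_AUTH, "auth"),
        ("account", SYSTEM_AUTH, "account"),
        ("account (variant)", ACCOUNT_VARIANT, "account"),
    ):
        granted, called = run_stack(parse_stack(text, facility), LOCAL_USER)
        print(f"{name:18} granted={granted} called={called}")
```

With the posted file, the `auth` walk for a local user stops at pam_unix.so, but the `account` walk still calls pam_winbind.so, so a local login can reach winbind even when its password check never does.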


Re: [Samba] Samba - LDAP - Kerberos

2007-04-04 Thread Jörg Herzinger
> The other option is the smbk5pwd module for openldap, and setting 'ldap
> password sync = yes'.  I've not used it myself, but I'm told it works.

Hmm, thanks, but this module is just a dirty trick in my eyes and it works just 
for Heimdal Kerberos but I use MIT-Kerberos. I almost can't believe that samba 
supports no other way of authenticating local users than its own database.


Re: [Samba] General question about 'smbclient'

2007-04-04 Thread André Jee

Mark,

Thanks for the confirmation.

Regards,

Andre

-------- Original Message --------
Subject: Re:[Samba] General question about 'smbclient'
From: Mark Adams <[EMAIL PROTECTED]>
To: André Jee <[EMAIL PROTECTED]>
Cc: samba@lists.samba.org
Date: Wed Apr 04 2007 14:11:34 GMT+0200 (Romance Daylight Time)

> On Wed, Apr 04, 2007 at 01:04:51PM +0100, Mark Adams wrote:
> > On Tue, Apr 03, 2007 at 09:56:05AM +0200, André Jee wrote:
> > > As above,
> > >
> > > From what I understand (also obvious from the package name) is that
> > > 'smbclient' is only a client.
> > > You can browse shares or use it for troubleshooting. Does it have any
> > > affect on the actual samba server?
> >
> > You can also use it to mount shares.
>
> Sorry this was wrong - I was thinking of smbmount/smbfs
> > >
> > > I mean does this package have to be installed in order for a samba
> > > server to work properly?
> >
> > No it does not need to be installed for samba to work.
> >
> > > It seems to be that this package can be removed, I just want to make
> > > sure that it's not an important part of the samba server.
> > >
> > > Thanks
> > > --
> >
> > Cheers,
> > Mark



Re: [Samba] General question about 'smbclient'

2007-04-04 Thread Mark Adams
On Wed, Apr 04, 2007 at 01:04:51PM +0100, Mark Adams wrote:
> On Tue, Apr 03, 2007 at 09:56:05AM +0200, André Jee wrote:
> > As above,
> > 
> > From what I understand (also obvious from the package name) is that 
> > 'smbclient' is only a client.
> > You can browse shares or use it for troubleshooting. Does it have any 
> > affect on the actual samba server?
> 
> You can also use it to mount shares.

Sorry this was wrong - I was thinking of smbmount/smbfs
> > 
> > I mean does this package have to be installed in order for a samba 
> > server to work properly?
> 
> No it does not need to be installed for samba to work.
> 
> > It seems to be that this package can be removed, I just want to make 
> > sure that it's not an important part of the samba server.
> > 
> > Thanks
> > -- 
> 
> Cheers,
> Mark


Re: [Samba] General question about 'smbclient'

2007-04-04 Thread Mark Adams
On Tue, Apr 03, 2007 at 09:56:05AM +0200, André Jee wrote:
> As above,
> 
> From what I understand (also obvious from the package name) is that 
> 'smbclient' is only a client.
> You can browse shares or use it for troubleshooting. Does it have any 
> affect on the actual samba server?

You can also use it to mount shares.
> 
> I mean does this package have to be installed in order for a samba 
> server to work properly?

No it does not need to be installed for samba to work.

> It seems to be that this package can be removed, I just want to make 
> sure that it's not an important part of the samba server.
> 
> Thanks
> -- 

Cheers,
Mark


Re: [Samba] Samba - LDAP - Kerberos

2007-04-04 Thread Andrew Bartlett
On Tue, 2007-04-03 at 21:47 -0400, Sean Elble wrote:
> On 4/3/07 1:20 PM, "Jörg Herzinger" <[EMAIL PROTECTED]> wrote:
> 
> > Hello. I'm trying to implement a single-sign-on system with MIT-Kerberos and
> > OpenLDAP. These two are currently working pretty well, but now I'm trying to
> > add samba to this system. I've found a lot of tutorials about samba PDC with
> > LDAP backend, but this is of course not quite what I want. My passwords are
> > stored in the kerberos database and userdata is stored in LDAP.
> > Is there a way to authenticate samba through LDAP/Kerberos? Or is it maybe
> > possible to authenticate samba through PAM?
> > 
> 
> It's an idea a lot of people want to implement, but sadly, it is not
> possible for Samba to use a Kerberos password database, at least not while
> using encrypted passwords. The reason being is that, when Samba uses
> encrypted passwords, it has no access to the password itself, only the
> hashed representation. In addition, the encryption hash, if you will, that
> Windows uses is nothing like the encryption hash used by Kerberos. This is a
> bit of a simplification, but it is how I understand it.

This is incorrect.  Heimdal can use Samba's password database as a
backend, because the sambaNTPassword is what Microsoft made the
arcfour-hmac-md5 kerberos key out of. 

> I have achieved a sort of single-sign-on environment by using Samba's
> password script functionality to change both the Samba password (stored in a
> LDAP backend) and the Kerberos password at the same time. My particular
> setup involves Samba running on the same machine as the KDC daemon, which
> allows me to use these Samba parameters in smb.conf:
> 
> unix password sync = yes
> passwd program = /usr/kerberos/sbin/kadmin.local -q 'cpw %u'
> passwd chat = "Authenticating as principal*"\n"Enter password for
> principal *"%u"*:*" %n\n \n"Re-enter password for principal *"%u"*:*" %n\n
> \n"Password for *"%u"@* changed."\n
> 
> This probably would not be the best setup in an enterprise environment, but
> at my in-home "lab" where I play with this kind of stuff, it works just
> fine, as long as my "users" remember to change their passwords via Windows
> (i.e. Not your typical passwd/kpasswd programs). Hope that helps . . .

The other option is the smbk5pwd module for openldap, and setting 'ldap
password sync = yes'.  I've not used it myself, but I'm told it works.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.  http://redhat.com



[Samba] SID resolution to Username

2007-04-04 Thread Marc Muehlfeld
Hello,

I have two Samba 3.0.22 PDCs and each trust each other.

When I add an user of each domain to the permissions of a file on a
windows machine (W2k, WXP), it shows for them DOMAIN\USERNAME. Everything
is fine. But when i close the permission window and reopen it, then the
user out of the trusted domain is only shown as SID. The one of the own
domain is resolved fine. This happens on clients of both domains.

Any ideas?

Regards
Marc


-- 
Marc Muehlfeld
Zentrum fuer Humangenetik und Laboratoriumsmedizin Dr. Klein und Dr. Rost
Lochhamer Str. 29 - D-82152 Martinsried
Telefon: +49(0)89/895578-0 - Fax: +49(0)89/895578-78
http://www.medizinische-genetik.de





Re: [Samba] DFS not working from XP

2007-04-04 Thread mourik jan heupink


> I have sort of hit a dead end and was hoping that someone would have a
> fix?


You probably know more about this than I do, but I'm using it 
successfully here, so it does work :-)


What happens when you open \\server in an explorer window, and then view 
the properties of your dfs share?
Is there a tab called DFS, or not? I guess this would tell us if windows 
actually 'sees' it as a DFS share or not.
(I have a DFS tab there, with 'clear history', 'check status', and 'set 
active' buttons)



mj


Re: [Samba] Mac OSX Samba Q

2007-04-04 Thread Mark Adams
Hi,

As long as your Quark documents have extensions, this should not be an
issue.

If you do have issues you might want to use AFP. You could install
netatalk which is a great piece of software that allows you to set up AFP
shares on your linux box. This works fine sharing the same shares as
samba, as long as you use the "veto files = " option in smb.conf to
hide all the hidden Apple folders.

http://netatalk.sourceforge.net/

Regards,
Mark

On Tue, Apr 03, 2007 at 04:56:40PM -0300, Dawn & Marie Perry wrote:
> Are Samba & Quark compatible?
> 
> -- 
> Dawn & Marie
> [EMAIL PROTECTED]


[Samba] Samba not calling "add user script"

2007-04-04 Thread Roman Gorohov.
Hello, samba.

I'm trying to add users via "add user script", and when I do it from a
workstation it doesn't work; it seems that Samba doesn't call the script.
The "add machine script" works OK at the same time.
Also, when I check from the server with the command "net rpc user add testuser",
Samba calls the script and it works OK.
What might be wrong?


Here is my relevant config:
security = user
domain logons = Yes
os level = 32
preferred master = Yes
domain master = Yes
add user script = /usr/sbin/pw useradd -n %u -d /usr/local/samba/homes/%u -m -g ntusers -s /usr/sbin/nologin -w none
add machine script = /usr/sbin/pw useradd -n %u -d /nonexistent -g computers -s /usr/sbin/nologin -w none
winbind use default domain = Yes


samba-3.0.24
FreeBSD 6.2.


TIA, Roman.



Re: Re: [Samba] Samba - LDAP - Kerberos

2007-04-04 Thread Jörg Herzinger
I already thought that this is not possible. Is there no other way of 
authenticating samba? PAM, SASL, ANYTHING. I mean, I like samba, but in terms 
of user authentication it really isn't flexible.


[Samba] Changing winbind's user settings of an AD-User

2007-04-04 Thread Sebastian Knieschewski

Hi,

I set up a Win2k3 AD and joined Samba 3.0.24 successfully.

"getent passwd" lists all Linux and AD users correctly.
[...]
"UIB+knieschewski:*:1:1:Sebastian Knieschewski:/home/UIB/knieschewski:/bin/bash"


Now I want to change the home directory of some users. Is there any way 
to do this??? I expected the home-dir entries to be stored in the AD, 
but there isn't a trace, so there must be a place to find on my linux 
machine. In other words, I'm looking for a file like /etc/passwd for 
changing settings for the AD-Users.


Any hints? Any ideas?

Let me know if you need some more config-infos.

Thanks in advance.

Sebastian Knieschewski


[Samba] Problems setting up Samba-3 as PDC

2007-04-04 Thread Martin Mielke
Hi all,

it's been a long time since I last posted something to this list as it's
been a long time since I administered Samba, so please bear with me :-)

I need to set up a PDC on Samba 3. To achieve this I followed the steps
described on the Samba docs and on some other websites I found after
googling for a while. From the Samba side everything seems to be OK:

Apr  3 15:30:06 v601 nmbd[11664]:   Samba server V601 is now a domain
master browser for workgroup MYDOMAIN.COM on subnet 192.168.1.11


So far, so good... it was an easy task.

Now problems arise when I want the WinXP Professional clients to join
that domain (full disclosure here: I'm a Windows user by "market
contamination" so maybe I'm overlooking something obvious during the
process).

This is the error message I get when trying to join the domain:

DNS was successfully queried for the service location (SRV) resource
record used to locate a domain controller for domain mydomain.com:

The query was for the SRV record for _ldap._tcp.dc._msdcs.mydomain.com

The following domain controllers were identified by the query:

v601.mydomain.com

Common causes of this error include:

- Host (A) records that map the name of the domain controller to its IP
addresses are missing or contain incorrect addresses.

- Domain controllers registered in DNS are not connected to the network
or are not running.

For information about correcting this problem, click Help.


First off, I had to manually add that SRV record on my named.conf. I've
been told that all needed entries are created automatically on the DNS
when you are on a Windows environment...

Secondly, AFAIK the DNS has been set up correctly for both direct and
reverse queries. That's why I must raise an eyebrow when I see such an
error message popping up.

So... is there anything I have forgotten to set up things correctly??


TIA and regards,
Martin




[Samba] %LOGONSERVER% variable in netlogon/Default User folder redirection

2007-04-04 Thread Ruben Tato
Hi, 

(This is taken from here:
 http://samba.org/samba/docs/man/Samba-Guide/happy.html#redirfold )

I'm using folder redirection so I have a NTUSER.DAT file in the
"netlogon" directory on the logon server (the primary domain controller),
which I edited with regedit to set up some folders so that they point to
the logon server by using the %LOGONSERVER% variable, and it seems it
doesn't work if I change this variable for the logon server netbios
name.


The thing is that the users' data is on the Primary Domain Controller, and
when they log in via the Backup Domain Controller this variable becomes
the netbios name of the Backup Domain Controller, where the users'
profile data is not located.



Is there a way to define this field in NTUSER.DAT so it always points to
the Primary Domain Controller?

Example: 

I want  to change in NTUSER.DAT (with regedit, the User Shell Folders
key )

Desktop REG_SZ  %LOGONSERVER%\profdata\%USERNAME%\Desktop 


by: 

Desktop REG_SZ  \\PDC\profdata\%USERNAME%\Desktop 


It should work but it doesn't.

Any tips please?

Thanks a lot.



[Samba] Re: SambasSID with 1 ldap-server and 3 samba-servers

2007-04-04 Thread Bert Burgemeister

> the last part of the
> SambaSID (from unix uid) would be the same for all samba servers, but
> what about the leading part?



I guess this is why you need a PDC so I suggest what works for me:

Set up a Samba PDC, using LDAP.

Have the other servers get unix user credentials from PDC via winbind.
Now SIDs are consistent on all servers.


If you need consistent Unix uids as well use an Ldap Idmap which is 
accessed by all your servers.


Bert



[Samba] SambasSID with 1 ldap-server and 3 samba-servers

2007-04-04 Thread Markus Krause

hi list!

we are storing our user data in one central ldap database. to handle
the big amount of data (some hundred terabytes) we are using currently
3 samba servers (called cindy01, cindy02 and cindy03 , and more to
come!) which (of course?) have different SIDs. right now the
credentials are stored in identical smbpasswd files on every samba
server but we want to migrate to ldap. the problem i see is that in
ldap i can only store one SambaSID per user, so which SID should i
take? the last part of the SambaSID (from unix uid) would be the same
for all samba servers, but what about the leading part?
we do not need any domain controller functionality, our users just
mount their samba shares. is it possible to use only one SID on all
samba servers or what would be the side effects?


thanks in advance for any hints!

regards
  markus

+-+
| Markus Krause, Mogli-Soft   |
| Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, MySQL|
| by order of the |
|Computing Center of the Max-Planck-Institute of Biochemistry |
+++
| E-Mail: [EMAIL PROTECTED]  |  Tel.: 089 - 89 40 85 99   |
| [EMAIL PROTECTED]  |  Fax.: 089 - 89 40 85 98   |
|  Skype: markus.krause  | iChat: [EMAIL PROTECTED]   |
+++
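
The SID arithmetic behind this question, as an added example that is not part of the original post: the trailing RID follows from the Unix uid, while the leading part is each server's own SID, so one stored sambaSID can match only one of three differing servers. The server SIDs and LDAP entries are constructed, and the RID formula assumes Samba 3's default algorithmic mapping (uid * 2 + 1000).

```python
# Added example with constructed values; not from the thread.
ALGORITHMIC_RID_BASE = 1000  # assumption: Samba 3 default "algorithmic rid base"

# Constructed machine SIDs, in the form `net getlocalsid` prints them.
SERVER_SIDS = {
    "cindy01": "S-1-5-21-1000000001-2000000002-3000000003",
    "cindy02": "S-1-5-21-1000000011-2000000022-3000000033",
    "cindy03": "S-1-5-21-1000000111-2000000222-3000000333",
}

# Constructed LDAP entries; each user carries exactly one sambaSID value.
LDAP_USERS = [
    {"uid": "alice", "uidNumber": 1001,
     "sambaSID": "S-1-5-21-1000000001-2000000002-3000000003-3002"},
    {"uid": "carol", "uidNumber": 1003,
     "sambaSID": "S-1-5-21-1000000001-2000000002-3000000003-9999"},
]


def uid_to_rid(uid, base=ALGORITHMIC_RID_BASE):
    """Trailing part of the SID: the algorithmic RID for a Unix uid."""
    return uid * 2 + base


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (leading part, rid)."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    if any(int(p) > 0xFFFFFFFF for p in parts[3:]):
        raise ValueError(f"sub-authority exceeds 32 bits: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def audit(users, server_sids):
    """Per user: servers whose SID equals the stored leading part, plus a RID check."""
    report = {}
    for u in users:
        lead, rid = split_sid(u["sambaSID"])
        report[u["uid"]] = {
            "matching_servers": sorted(s for s, sid in server_sids.items() if sid == lead),
            "rid_is_algorithmic": rid == uid_to_rid(u["uidNumber"]),
        }
    return report


if __name__ == "__main__":
    for name, sid in sorted(SERVER_SIDS.items()):
        print(name, f"{sid}-{uid_to_rid(1001)}")  # same RID, three leading parts
    print(audit(LDAP_USERS, SERVER_SIDS))
```
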





Re: [Samba] unsupported nsswitch entry

2007-04-04 Thread Collen Blijenberg

isn't password change done through PAM, not nsswitch 

Collen.

Robert Steinmetz AIA wrote:

> After upgrading Samba on Solaris 8 I am unable to change passwords
>
> nsswitch.conf
>
> passwd: files winbind
>
> Attempting to change passwords results in;
>
> # passwd root
> passwd: Unsupported nsswitch entry for "passwd:". Use "-r repository ".
> Unexpected failure. Password file/table unchanged.
>
> How do you get Solaris to recognize the winbind entry? I have
> installed the winbind library.

