[Samba] That new user changes password at start first session
How do I, in Samba 3.0.24 with the tdbsam backend, make a new user change the password (the password has been set by the administrator) at the first session start, just as in MS Windows? Is this possible?
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba on Debian: Sarge -> Etch = broken guest shares
OK, I have now used tdbtool to remove the entries for "nobody" from passwd.tdb, and I checked for anything relating to the share or the guest user in all the other tdb files. It still doesn't work. I have just entered "security=share" for that share, and removed write access and the other security options. That makes it work, but I don't really want to leave it in that state. I'm led to believe there's something up with my valid users list or something... Could someone check the "unattended" and "wpkg" shares I have listed in my config (in the quoted messages below) and tell me if there's something completely wrong with what I have? It used to work, but I guess something's changed.

TB

Dale Schroeder wrote:
Tim,
Going from Sarge to Etch, I am assuming you went from Samba 3.0.14 to 3.0.24. Major changes occurred, starting with 3.0.23. I suspect your problem lies within these changes. If I had to guess, I would say the Samba ldap schema changes are the culprit, but since I don't use ldap, it's just a guess. See http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html for details. The user and group changes would be the other likely possibility. [BTW, [printers] has conflicting directives - "public = yes" and "guest ok = no".]
Good luck,
Dale

Tim Bates wrote:
I upgraded a server from Debian Sarge to Etch the other day. Today I discovered a fairly major issue... All the shares I had set up for guest access have stopped working. The shares are meant to be writable by me and a few others, and read only for guest, but it's flat out refusing to authenticate anyone using guest (or unknown users which should be mapping to guest). SMB.conf is below (with a pile of unrelated shares stripped out for space).
[global]
  workgroup = wwhs
  server string = WWHS Main Data Server
  dns proxy = no
  map to guest = Bad User
  guest account = nobody
  log file = /var/log/samba/log.%m
  log level = 2
  max log size = 1000
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = user
  encrypt passwords = true
  passdb backend = ldapsam:ldap://127.0.0.1/
  ldap suffix = dc=wwhs
  ldap machine suffix = ou=machines
  ldap user suffix = ou=users
  ldap group suffix = ou=groups
  ldap admin dn = "cn=admin,dc=wwhs"
  ldap delete dn = no
  obey pam restrictions = yes
  ldap password sync = yes
  pam password change = yes
  add machine script = /usr/sbin/smbldap-useradd -w "%u"
  printing = cups
  printcap name = cups
  socket options = TCP_NODELAY
  domain master = yes
  prefered master = yes
  domain logons = yes
  logon path = \\%L\Profiles\%U
  logon script = %G.bat
  # The next line includes homes based on groups. Some groups need different options.
  include = /etc/samba/homes-%G.conf

[netlogon]
  comment = Network Logon Service
  path = /samba/netlogon
  writable = yes
  share modes = no
  write list = @it-admin, root
  guest ok = no

[printers]
  comment = All Printers
  browseable = no
  path = /tmp
  printable = yes
  public = yes
  writable = no
  create mode = 0700
  guest ok = no

[print$]
  comment = Printer Drivers
  path = /samba/print$
  browseable = yes
  guest ok = no
  writable = yes
  write list = root, @it-admin

[profiles]
  comment = Account Profile Data
  path = /samba/profiles
  browsable = no
  read only = no
  guest ok = no
  create mode = 0750
  hide files = /desktop.ini/ntuser.ini/NTUSER.*/nethood/target.lnk/prf???.tmp/prf??.tmp/

[unattended]
  comment = Files for scripted Windows reinstalls
  path = /samba/unattended
  browsable = no
  writeable = yes
  write list = @it-admin
  create mode = 0664
  directory mode = 0775
  force group = it-admin
  valid users = @it-admin, guest, nobody
  guest ok = yes

[wpkg]
  comment = WPKG files
  path = /samba/wpkg
  browsable = no
  writeable = yes
  write list = @it-admin
  create mode = 0664
  directory mode = 0775
  force group = it-admin
  valid users = @it-admin, nobody
  guest ok = yes

** This message is intended for the addressee named and may contain privileged information or confidential information or both. If you are not the intended recipient please delete it and notify the sender. **
[Samba] pam_smbpass migrate & null passwords
Hi! I'm configuring Samba for Unix<->Samba account synchronization and have come across a situation which I like, but cannot explain with absolute certainty, and am therefore worried about security. I have set the following: (Debian uses a bit different structure, but I have expanded @includes in this email)

1) Samba -> Unix password sync

/etc/samba/smb.conf:
  unix password sync = yes
  pam password change = yes

/etc/pam.d/samba:
  auth requisite pam_unix.so nullok_secure
  auth optional pam_smbpass.so migrate
  account required pam_unix.so
  session required pam_unix.so
  (don't know why auth, account and session are @included in Debian by default, doesn't Samba only use pam for password updates?)
  password requisite pam_unix.so nullok obscure min=4 max=8 md5
  password required pam_smbpass.so nullok use_authtok try_first_pass

2) Unix -> Samba password sync

/etc/pam.d/common-password:
  auth requisite pam_unix.so nullok_secure
  auth optional pam_smbpass.so migrate

Now here's what concerns me. If I do "smbpasswd -an someuser" to add a user with a null password, that user will not be able to set his password using smbpasswd, if he leaves the old password field empty. Is this observation correct? Users also cannot smbpasswd -a(dd) themselves; this requires root access (direct access to smbpasswd file), right? I understand that pam_smbpass's migrate option is meant for cleartext->encrypted password transition, and that makes perfect sense, since in that case the user (-> pam) knows the old password, and can just set the password again, this time using encryption. The thing is, migrate does even more for me when I login using SSH! It creates the samba user, if it doesn't exist, and it sets the user's Samba password to his Unix password, regardless of what it is. Now, while this seems very useful to me, I am worried because I haven't seen it used like this in any of the guides on the web.
I assume what's going on is that pam_smbpass is executed by SSH before dropping privileges, and it thus enables it to directly access the smbpasswd file. Is this what's going on here? If it is, why is this a silent feature? I haven't seen it mentioned anywhere. Are there any security considerations (besides any possible vulnerabilities in pam_smbpass itself)?
Regards
-- Jaka Jančar http://jaka.kubje.org/
[Samba] can't add machine account
I am using FreeBSD 6.2 with Samba 3.0.24. Samba is set up as PDC and using the tdbsam backend. I'm having a hell of a time logging in my first machine (say Windows machine BLAH). First I created my login user on the system side (pw) and the samba side (pdbedit).

  # pw useradd username
  # pdbedit -a -u username

Then I create the machine system account:

  # pw useradd -g machines -c Machine -d /dev/null -s /bin/false -n blah$

Then on the Samba side:

  # pdbedit -a -m -u blah

These two get created (confirmed). Now when I log in my logs show:

  [2007/05/13 15:08:26, 2] smbd/sesssetup.c:setup_new_vc_session(799)
    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
  [2007/05/13 15:08:26, 2] smbd/sesssetup.c:setup_new_vc_session(799)
    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
  [2007/05/13 15:08:26, 2] smbd/reply.c:reply_tcon_and_X(711)
    Serving IPC$ as a Dfs root
  [2007/05/13 15:08:26, 2] libsmb/credentials.c:creds_server_check(218)
    creds_server_check: credentials check failed.
  [2007/05/13 15:08:26, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
    _net_auth2: creds_server_check failed. Rejecting auth request from client BLAH machine account BLAH$
  [2007/05/13 15:08:26, 2] libsmb/credentials.c:creds_server_check(218)
    creds_server_check: credentials check failed.
  [2007/05/13 15:08:26, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
    _net_auth2: creds_server_check failed. Rejecting auth request from client BLAH machine account BLAH$

What is happening?
Juan
[Samba] Samba 3 as PDC and hidden folders
I'm running Samba 3.0.10 as a PDC for Win XP Pro (SP2) workstations. User Outlook .pst files on desktop machines are (obviously) very important, and must be synced with server at logout for proper backup (which occurs on server). I've noticed that said Outlook .pst files are stored on the XP Pro desktops in a folder called: "C:\Documents and Settings\\Local Settings\Application Data\Microsoft\Outlook" However, the "Local Settings" folder and everything within it are "hidden" folders in Windows, and seem not to get synced with the server when user logs out of domain. Is there a way to make this folder sync? Any notable downsides to doing so? Better to just move the .pst file to a visible folder in the user profile? Would love to hear any best practice advice from folks who've done this.
Re: [Samba] Cannot join Win XP SP2 client to domain
Thomas,

Thomas Ußmüller wrote:
Dear all, I have created two virtual machines on my computer (With Vmware 5.5.3). One is running SuSE Linux Enterprise Server 10 with Samba 3.0.22. The other one is running a WinXP SP2 client (name: test01). I can browse the shares of the Samba Server. Furthermore I can connect to them with different user names. When trying to join the client to the domain I get an error message that the user does not exist (although connecting to the shares works with this username). Furthermore the user has the SeMachineAccountPrivilege set.

I remember getting this "user does not exist" error message and discovering that it was (like many Windows errors) a "red herring" -- did not reflect actual problem and was somewhat misleading. With XP, our underlying problem was name resolution. We had to force NetBIOS node type to "hybrid" and then things started working. See here: http://www.windowsitlibrary.com/Content/386/10/5.html To wit: "To configure a machine to use h-node-type resolution, set the following registry value to 8: HKEY_LOCAL_MACHINE\CurrentControlSet\Services\NetBT\Parameters\NodeType " I am "shooting from the hip" here and I do not have confidence that this information will fix your problem, but it is a trivial change to make and test, so I figured it might help.
Jim

What might cause this error? I have added the log.test01, log.smbd and the smb.conf file.
Hope somebody can help me
Regards
Thomas

log.test01:
---
  [2007/05/16 17:51:41, 2] lib/smbldap.c:smbldap_open_connection(724)
    smbldap_open_connection: connection opened
  [2007/05/16 17:51:41, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
    init_sam_from_ldap: Entry found for user: root
  [2007/05/16 17:51:41, 2] passdb/pdb_ldap.c:init_group_from_ldap()
    init_group_from_ldap: Entry found for group: 512
  [2007/05/16 17:51:41, 2] smbd/server.c:exit_server(614)
    Closing connections
  [2007/05/16 17:51:41, 2] auth/auth.c:check_ntlm_password(307)
    check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
  [2007/05/16 17:51:41, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2670)
    Returning domain sid for domain LTE -> S-1-5-21-4205727931-4131263253-1851132061
  [2007/05/16 17:51:42, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2415)
    _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w "test01$"' gave 9
  [2007/05/16 17:51:42, 2] smbd/server.c:exit_server(614)
    Closing connections

the error message in smbldap-useradd script only means that the account has already been created in the LDAP directory (only unix attributes are set, no win or samba specific stuff). When deleting the user from the directory the message disappears, but nothing else changes.

log.smbd:
-
  [2007/05/16 17:51:36, 0] smbd/server.c:main(805)
    smbd version 3.0.22-13.16-SUSE-SLES10 started.
    Copyright Andrew Tridgell and the Samba Team 1992-2006
  [2007/05/16 17:51:36, 2] param/loadparm.c:do_section(3721)
    Processing section "[homes]"
  [2007/05/16 17:51:36, 2] param/loadparm.c:do_section(3721)
    Processing section "[profiles]"
  [2007/05/16 17:51:36, 2] param/loadparm.c:do_section(3721)
    Processing section "[netlogon]"
  [2007/05/16 17:51:36, 2] param/loadparm.c:do_section(3721)
    Processing section "[intranet]"
  [2007/05/16 17:51:36, 2] param/loadparm.c:do_section(3721)
    Processing section "[literatur]"
  [2007/05/16 17:51:36, 2] param/loadparm.c:do_section(3721)
    Processing section "[projekte]"
  [2007/05/16 17:51:36, 2] param/loadparm.c:do_section(3721)
    Processing section "[software]"
  [2007/05/16 17:51:36, 2] param/loadparm.c:do_section(3721)
    Processing section "[transfer]"
  [2007/05/16 17:51:36, 2] param/loadparm.c:do_section(3721)
    Processing section "[sekretariat]"
  [2007/05/16 17:51:36, 0] printing/print_cups.c:cups_cache_reload(85)
    Unable to connect to CUPS server localhost - Connection refused
  [2007/05/16 17:51:36, 0] printing/print_cups.c:cups_cache_reload(85)
    Unable to connect to CUPS server localhost - Connection refused
  [2007/05/16 17:51:36, 2] lib/interface.c:add_interface(81)
    added interface ip=192.168.1.50 bcast=192.168.1.255 nmask=255.255.255.0
  [2007/05/16 17:51:36, 2] lib/smbldap_util.c:smbldap_search_domain_info(228)
    Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=LTE))]
  [2007/05/16 17:51:36, 2] lib/smbldap.c:smbldap_open_connection(724)
    smbldap_open_connection: connection opened
  [2007/05/16 17:51:36, 2] lib/tallocmsg.c:register_msg_pool_usage(61)
    Registered MSG_REQ_POOL_USAGE
  [2007/05/16 17:51:36, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
    Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
  [2007/05/16 17:51:36, 2] lib/smbldap.c:smbldap_open_connection(724)
    smbldap_open_connection: connection opened
  [2007/05/16 17:51:36, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
    init_sam_from_ldap: Entry found for user: root
  [2007/05/16 17:51:36, 2] smbd/server.c:open_sockets_smbd(336)
    waiting for a conne
Re: [Samba] Cannot connect to NT 4 BDC Server
Salut Marc-Henri! :-) Ok, the message "A peripheral connected to this system doesn't work" means that the SID of your user/group is not the same as that of the Domain Controller. Check the SID between the result of 'net groupmap list' and 'net getlocalsid'.
Robert
-- Cybionet - Solution reseautique http://www.cybionet.com
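Robert's check compares the domain part of the SIDs in 'net groupmap list' against the SID printed by 'net getlocalsid'. The following is an added example (not code from the thread or from Samba) that parses the output of those two commands, from constructed sample text in the format the tools print, and reports group mappings whose domain prefix does not match the local SID; it leaves BUILTIN mappings (S-1-5-32-...) alone, since those are never expected to carry the local domain prefix.

```python
import re

# A domain SID is S-1-5-21-<a>-<b>-<c>; user and group SIDs append one RID to it.
DOMAIN_SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}")

# Constructed sample output in the shape the two commands print.
GETLOCALSID_OUT = "SID for domain SRV1 is: S-1-5-21-111-222-333\n"
GROUPMAP_OUT = """Domain Admins (S-1-5-21-111-222-333-512) -> root
Domain Users (S-1-5-21-111-222-333-513) -> users
Domain Guests (S-1-5-21-999-888-777-514) -> nobody
Administrators (S-1-5-32-544) -> root
"""

def domain_prefix(sid):
    """Return the S-1-5-21-a-b-c part of a SID, or None for non-domain SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    return m.group(0) if m else None

def parse_getlocalsid(output):
    """Extract the local domain SID from 'net getlocalsid' output."""
    m = re.search(r"is:\s*(S-1-5-21(?:-\d+){3})", output)
    return m.group(1) if m else None

def parse_groupmap_list(output):
    """Return [(group name, SID, unix group)] from 'net groupmap list' output."""
    mappings = []
    for line in output.splitlines():
        m = re.match(r"^(.+?) \((S-1-5(?:-\d+)+)\) -> (\S+)$", line.strip())
        if m:
            mappings.append((m.group(1), m.group(2), m.group(3)))
    return mappings

def foreign_mappings(getlocalsid_out, groupmap_out):
    """Domain-group mappings whose SID does not belong to the local domain SID."""
    local = parse_getlocalsid(getlocalsid_out)
    if local is None:
        raise ValueError("could not find a domain SID in 'net getlocalsid' output")
    return [(name, sid, unix)
            for name, sid, unix in parse_groupmap_list(groupmap_out)
            if domain_prefix(sid) is not None and domain_prefix(sid) != local]

if __name__ == "__main__":
    for name, sid, unix in foreign_mappings(GETLOCALSID_OUT, GROUPMAP_OUT):
        print(f"{name} ({sid}) -> {unix}: SID is not from the local domain")
```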
Re: [Samba] A regression in 3.0.25rc3?
Jerry,
Any ideas yet? I've reverted my Server 2003 box to 32-bit for now, so it's not so pressing to use 3.0.25.
Cheers
Alex

On Thu, 2007-05-10 at 15:50 +0100, Alex Crow wrote:
> Jerry,
>
> I realised I forgot to restrict the dump to the XP client concerned. I have now replaced the file on the webserver.
>
> Cheers
>
> Alex
>
> On Thu, 2007-05-10 at 08:28 -0500, Gerald (Jerry) Carter wrote:
> > Alex Crow wrote:
> > > Jerry,
> > >
> > > I am running Gentoo kernel 2.6.20-gentoo-r7, glibc 2.5, openldap 2.3.30-r2, all clients are XP Pro SP2 (32 and a couple of 64-bit).
> > >
> > > Any more info you need just ask.
> >
> > How about your smb.conf and a network trace of the failure ? The server is on x86 hardware correct ?
> >
> > cheers, jerry
> > =
> > Samba--- http://www.samba.org
> > Centeris --- http://www.centeris.com
> > "What man is a man who does not make the world better?" --Balian
[Samba] uid mapping
Hi, it's me again ;-) I have set "idmap uid = 1-4". But my ads users have now uids starting from 5000. And the new files from these users have MYDOMAIN:MYDOMAIN as owner. I think this should be MYDOMAINUSERNAME:MYDOMAINGROUP. Any ideas? I think it's almost done...
Re: [Samba] Fwd: SAMBA on AIX --> nsswitch.conf?
On Sun, May 13, 2007 at 11:32:01AM +0200, Urs Golla wrote:
> Thanks a lot! That was the Problem
>
> hm... now all new files are owned by User:MYDOMAIN Group: MYDOMAIN
> But if i do wbinfo -i myusername, I see
>
> MYDOMAIN+MYUSERNAME:*:5006:5179 (...)
>
> why?
>
> Do You know how to change this?

No, sorry. The C-file comment is all I know about this module.
Volker
Re: [Samba] Fwd: SAMBA on AIX --> nsswitch.conf?
Hi Volker
Thanks a lot! That was the Problem
hm... now all new files are owned by User:MYDOMAIN Group: MYDOMAIN
But if i do wbinfo -i myusername, I see
MYDOMAIN+MYUSERNAME:*:5006:5179 (...)
why?
Do You know how to change this?

On 5/13/07, Volker Lendecke <[EMAIL PROTECTED]> wrote:
On Sun, May 13, 2007 at 10:34:46AM +0200, Urs Golla wrote:
> it works if i create the user xy on AIX.
> any ideas?

From nsswitch/winbindd_nss_aix.c:

  /*
    To install this module copy nsswitch/WINBIND to /usr/lib/security and add
    "WINBIND" in /usr/lib/security/methods.cfg and /etc/security/user

    Note that this module also provides authentication and password
    changing routines, so you do not need to install the winbind PAM
    module.

    see
    http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm
    for some information in the interface that this module implements

    Many thanks to Julianne Haugh for explaining some of the finer
    details of this interface.

    To debug this module use uess_test.c (which you can get from tridge)
    or set "options=debug" in /usr/lib/security/methods.cfg
  */

I don't know if this was tested recently, but it might help.
Volker
Re: [Samba] Fwd: SAMBA on AIX --> nsswitch.conf?
On Sun, May 13, 2007 at 10:34:46AM +0200, Urs Golla wrote:
> it works if i create the user xy on AIX.
> any ideas?

From nsswitch/winbindd_nss_aix.c:

  /*
    To install this module copy nsswitch/WINBIND to /usr/lib/security and add
    "WINBIND" in /usr/lib/security/methods.cfg and /etc/security/user

    Note that this module also provides authentication and password
    changing routines, so you do not need to install the winbind PAM
    module.

    see
    http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/aixprggd/kernextc/sec_load_mod.htm
    for some information in the interface that this module implements

    Many thanks to Julianne Haugh for explaining some of the finer
    details of this interface.

    To debug this module use uess_test.c (which you can get from tridge)
    or set "options=debug" in /usr/lib/security/methods.cfg
  */

I don't know if this was tested recently, but it might help.
Volker
[Samba] Fwd: SAMBA on AIX --> nsswitch.conf?
it works if i create the user xy on AIX. any ideas?

-- Forwarded message --
From: Urs Golla <[EMAIL PROTECTED]>
Date: May 13, 2007 9:26 AM
Subject: SAMBA on AIX --> nsswitch.conf?
To: samba@lists.samba.org

Hi
I am still trying to run SAMBA on AIX with "security = ads" and I have a few questions:
- on AIX there is no such file as /etc/nsswitch.conf --> Do I have to add the configuration somewhere else?
- I always get this "User xy is invalid on this system" if I try to map a share from Windows. What does this mean? Is the user invalid on the Domain? on AIX? on SAMBA? Is the User known by SAMBA but has no access rights on this share?
- Has "security = ads" on AIX ever been tested?
Any help would be appreciated!!!
cheers
[Samba] wbinfo's timeout to lookup sid
Hello list,
when using "wbinfo -S " at one point it uses three times a timeout of 5 seconds. Where is that configured, how can I increase it? Here are the details: we are using version 3.0.22 under Linux. winbind uses an ldap backend to store the idmap. There are about 2 user and group account. Sometimes the timeout of 5 seconds is too short. Running strace on this command I see at the end:

> lstat64("/var/locks/winbindd_privileged/pipe", {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
> socket(PF_FILE, SOCK_STREAM, 0) = 4
> fcntl64(4, F_GETFL) = 0x2 (flags O_RDWR)
> fcntl64(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0
> fcntl64(4, F_GETFD) = 0
> fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
> connect(4, {sa_family=AF_FILE, path="/var/locks/winbindd_privileged/pipe"}, 110) = 0
> close(3)= 0
> select(5, [4], NULL, NULL, {0, 0}) = 0 (Timeout)
> write(4, ",\7\0\0\24\0\0\0\1\6\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1836) = 1836
> select(5, [4], NULL, NULL, {5, 0}) = 1 (in [4], left {5, 0})

This function uses the timeout of 5 seconds. This time it was successful, but when it does not succeed it is tried again.

> read(4, "\24\5\0\0\2\0\0\0\241`\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1300) = 1300
> fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 5), ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e2a000
> write(1, "24737\n", 6) = 6
> munmap(0xb7e2a000, 4096)= 0
> exit_group(0) = ?

In include/local.h I see:

  /* Tuning for server auth mutex. */
  #define CLI_AUTH_TIMEOUT 5000 /* In milli-seconds. */
  #define NUM_CLI_AUTH_CONNECT_RETRIES 3
  /* Number in seconds to wait for the mutex. This must be less than 30 seconds. */
  #define SERVER_MUTEX_WAIT_TIME ( ((NUM_CLI_AUTH_CONNECT_RETRIES) * ((CLI_AUTH_TIMEOUT)/1000)) + 5)

Which looks like these are exactly the values I was looking for, but I increased those values and recompiled wbinfo, and it didn't make a difference.
Also there is an smb.conf option "ldap timeout" but setting this also does not change it. The question now is what setting is responsible for the timeout seen above? Is it a runtime option, or if not, what part of samba do I have to recompile? Or is it even a system option?
Thanks for your attention,
Peter
[Samba] SAMBA on AIX --> nsswitch.conf?
Hi
I am still trying to run SAMBA on AIX with "security = ads" and I have a few questions:
- on AIX there is no such file as /etc/nsswitch.conf --> Do I have to add the configuration somewhere else?
- I always get this "User xy is invalid on this system" if I try to map a share from Windows. What does this mean? Is the user invalid on the Domain? on AIX? on SAMBA? Is the User known by SAMBA but has no access rights on this share?
- Has "security = ads" on AIX ever been tested?
Any help would be appreciated!!!
cheers