[Samba] Authenticating to AD server fails.

2007-09-06 Thread Ray Van Dolson
I'm trying to configure a Fedora 7 machine to authenticate access to
shares via AD.  This works fine on other RHEL machines, but the same
configuration on Fedora maddeningly does not.

I've tried oodles of different configurations, and am currently using
something based on:

  http://wiki.samba.org/index.php/Samba_&_Active_Directory

Here is my krb5.conf file:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ESRI.COM
 ticket_lifetime = 24h
 forwardable = yes
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 ESRI.COM = {
  kdc = dc1.esri.com:88
  admin_server = dc1.esri.com:749
  default_domain = esri.com
  kdc = dc1.esri.com
 }

[domain_realm]
 .esri.com = ESRI.COM
 esri.com = ESRI.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

I am able to kinit just fine and to net ads join.  wbinfo -a and more
works just fine.  I can use smbclient to view shares on other members
of the domain with and without -k perfectly.  winbind appears to be
running without issue.  

# net ads testjoin
Join is OK

Now, my smb.conf:

[global]
   workgroup = AVWORLD
   realm = ESRI.COM
   preferred master = no
   server string = Linux Test Machine
   security = ADS
   encrypt passwords = yes
   log level = 3
   log file = /var/log/samba/%m
   max log size = 500
   printcap name = cups
   printing = cups
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   ;winbind separator = +
   idmap uid = 1-99
   idmap gid = 1-99
   ;template primary group = "Domain Users"
   template shell = /bin/bash

   ; Some things that may or may not be useful.
   ;passdb backend = tdbsam
   ;idmap backend = ad
   ;winbind nss info = rfc2307

[public]
   comment = gumnut public read-only share
   path = /home/public
   public = yes

However, when trying to access this machine (GUMNUT) from a Windows
client or using smbclient from the local machine, I get a failure --
smbclient says NT_STATUS_LOGON_FAILURE and the corresponding Samba
logfile says:

[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_alloc(131)
  Finding user AVWORLD\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(75)
  Trying _Get_Pwnam(), username as lowercase is avworld\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(83)
  Trying _Get_Pwnam(), username as given is AVWORLD\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(93)
  Trying _Get_Pwnam(), username as uppercase is AVWORLD\RAY5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(102)
  Checking combinations of 0 uppercase letters in avworld\ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [AVWORLD\ray5147]!
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_alloc(131)
  Finding user ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(75)
  Trying _Get_Pwnam(), username as lowercase is ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(93)
  Trying _Get_Pwnam(), username as uppercase is RAY5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(102)
  Checking combinations of 0 uppercase letters in ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [ray5147]!
[2007/09/06 23:19:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username AVWORLD\ray5147 is invalid on this system
[2007/09/06 23:19:54, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) 
NT_STATUS_LOGON_FAILURE

Given the command:

  smbclient -L GUMNUT -U ray5147 -W AVWORLD

At this point I am stumped.  I believe we are running Windows 2003 AD
servers and it's just not clear to me why the above is failing.

Where can I look to begin troubleshooting this?

Thanks!
Ray
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
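
The log excerpt in this post can be triaged mechanically. The following is an added example, not code from the poster or the Samba project: it parses Samba 3 debug-log entries and separates a session setup that was rejected at authentication from one where, as in the `reply_spnego_kerberos` line above, the account name could not be resolved to a Unix user. The function names and cause labels are assumptions of this sketch; the first sample is copied from the post and the second is constructed.

```python
import re
from dataclasses import dataclass

# Copied from the post above: the tail of the failed session setup.
LOOKUP_FAILURE_LOG = r"""
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [AVWORLD\ray5147]!
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_alloc(131)
  Finding user ray5147
[2007/09/06 23:19:54, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [ray5147]!
[2007/09/06 23:19:54, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username AVWORLD\ray5147 is invalid on this system
[2007/09/06 23:19:54, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

# Constructed for contrast: the credential check itself fails.
AUTH_FAILURE_LOG = r"""
[2007/09/06 23:25:10, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [ray5147] ->
[ray5147] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# "[date time, level] file:function(line)" opens every Samba 3 debug entry.
HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[^\s:]+):(?P<func>\w+)\((?P<line>\d+)\)"
)
NOT_FOUND = re.compile(r"Get_Pwnam_internals didn't find user \[(?P<name>[^\]]+)\]")
INVALID = re.compile(r"Username (?P<name>\S+) is invalid on this system")
AUTH_FAILED = re.compile(r"Authentication for user \[(?P<name>[^\]]+)\].*FAILED with error")
STATUS = re.compile(r"\bNT_STATUS_[A-Z_]+\b")


@dataclass
class Entry:
    timestamp: str
    level: int
    source: str
    function: str
    message: str = ""


def parse_entries(text):
    """Group header lines with their continuation lines (mail-wrapped ones too)."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), m["src"], m["func"]))
        elif entries and raw.strip():
            last = entries[-1]
            last.message = (last.message + " " + raw.strip()).strip()
    return entries


def triage(text):
    """Classify why a session setup failed, based only on what the log states."""
    finding = {"cause": "unknown", "user": None, "logged_by": None,
               "names_tried": [], "status": None}
    for entry in parse_entries(text):
        m = NOT_FOUND.search(entry.message)
        if m and m["name"] not in finding["names_tried"]:
            finding["names_tried"].append(m["name"])
        m = INVALID.search(entry.message)
        if m:
            # The name lookup failed: the user has no Unix account smbd can see.
            finding.update(cause="unix-account-lookup-failed",
                           user=m["name"], logged_by=entry.function)
        m = AUTH_FAILED.search(entry.message)
        if m and finding["cause"] == "unknown":
            finding.update(cause="authentication-rejected",
                           user=m["name"], logged_by=entry.function)
        m = STATUS.search(entry.message)
        if m:
            finding["status"] = m.group(0)
    return finding


if __name__ == "__main__":
    for label, log in (("post", LOOKUP_FAILURE_LOG), ("constructed", AUTH_FAILURE_LOG)):
        print(label, triage(log))
```

On a live system the lookup half of this can be confirmed with `getent passwd ray5147`, which goes through the same NSS path that `Get_Pwnam` relies on.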


Re: [Samba] Core Dump Issue

2007-09-06 Thread Cody Jarrett
I removed the root = administrator line in the smbusers file and it  
is working fine now, no core dump. Any thoughts of why this would  
have happened?


On Sep 6, 2007, at 1:05 PM, Cody Jarrett wrote:

I have a samba 3.023c server with winbind joined to a windows 2003  
AD domain. The issue I'm having is from the windows computers, I  
can't connect to shares on the samba server using the administrator  
account. It works just fine with normal domain users. When I try to  
connect with the admin account, the smbd process that forked to  
handle the request core dumps. The same thing happens when I try to  
use smbclient //localhost/share -U administrator. The  
administrator account is mapped to root in smbusers, I have it like  
this on multiple other servers with no issues. I'm thinking maybe  
something got cached wrong in some tdb file maybe? Anyone have any  
ideas of what might be wrong? Let me know if I need to provide any  
other logs.


  check_ntlm_password:  PAM Account for user [TESTDOMAIN+administrator] succeeded

[2007/09/06 11:59:34, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [Administrator] -> [root] -> [TESTDOMAIN+administrator] succeeded

[2007/09/06 11:59:34, 5] auth/auth_util.c:free_user_info(1866)
  attempting to free (and zero) a user_info structure
[2007/09/06 11:59:34, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 1 -> S-1-5-21-2816653866-3993825973-103212075-513

[2007/09/06 11:59:34, 0] lib/fault.c:fault_report(41)
  ===
[2007/09/06 11:59:34, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 17245 (3.0.23c-2.el5.2.0.2)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2007/09/06 11:59:34, 0] lib/fault.c:fault_report(44)

  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2007/09/06 11:59:34, 0] lib/fault.c:fault_report(45))


[Samba] Why won't %username% variable work when adding users to samba share?

2007-09-06 Thread john
Hi all,

We have a mixed network environment with Samba servers providing file
storage for Windows, Linux and Mac OS X users. Authentication is
handled by Active Directory on Win2K SP. On our campus we allow
computer lab teachers to add users via the Active Directory MMC.
However we have a couple of issues which make this far from seamless:

 After users are added to AD, the lab admin will add a home directory
path to the user's profile using the MMC. The path will be something
like \\sambaserver\students\2009\%username% (the %username%
variable expands to the username of the profile's owner).

We are presented with an error message letting us know that the user
directory couldn't be created because Domain Admins don't have
sufficient privileges to create the directory, although AD will update
the path in the user profile.

When we look at the Share in samba however we see that the directory
_was_ created, but that it is owned by root rather than the user.

We then must log on the SAMBA server and chown the directory to be
owned by the proper user and group.

I am hoping I can adjust permission in such a way that I won't have to
go back in and clean up things after a new user has been added through
AD.

Thanks for any ideas!

John

The relevant portion of smb.conf looks like this:

[ALLSTUDENTS]

 path = /home/ALLSTUDENTS
# valid users = %S
 readonly = no
 writable = yes
 printable = no
 create mode = 0700
 directory mode = 0700
 admin users = @"VANGUARD\domain admins" @"VANGUARD\mcmcomputer admins"
 vfs objects = recycle
 recycle: config-files = /etc/samba/samba-recycle.conf


The top level of the share /home/ALLSTUDENTS under linux all have 755
permissions

drwxr-xr-x 184 root root 12288 2007-09-01 18:21 2008
drwxr-xr-x 187 root root 12288 2007-09-01 18:26 2009
drwxr-xr-x 196 root root 12288 2007-09-01 19:19 2010
drwxr-xr-x 206 root root 12288 2007-09-01 17:32 2011
drwxr-xr-x 152 root root  4096 2007-09-01 18:14 2012
drwxr-xr-x 130 root root  4096 2007-09-06 07:22 2013
drwxr-xr-x 139 root root  4096 2007-09-05 19:53 2014
drwxr-xr-x 121 root root 12288 2007-09-05 19:52 2015
drwxr-xr-x   2 root root  4096 2007-09-01 15:54 2016
drwxr-xr-x   2 root root  4096 2007-08-02 13:41 2017
drwxr-xr-x   2 root root  4096 2007-08-02 13:41 2018
drwxr-xr-x   2 root root  4096 2007-08-02 13:41 2019


[Samba] DNS registration pushing up wrong IP?

2007-09-06 Thread Jason Haar
Hi there

I've just had a samba-3.0.25a server (can't see any reference to this
being fixed in b or c) become non-available to users, and after some
serious head-scratching realized there was nothing wrong with the server
- the Active Directory DNS was pointing to the wrong IP!

This CentOS4.5 box actually runs two instances of Samba (and one
winbind) in ADS mode. One associated with eth0 and the other with
eth0:2. It has been working fine for months, but somehow after a power
outage something occurred that meant the hostname associated with eth0:2
suddenly had two "A" records - the IPs from eth0 *and* eth0:2. So we had
the situation where the server was working for some users some of the
time, and others not - depending on what IP they resolved to first.

So anyway, it sounds like there is some condition under which Samba is
(re-)registering the wrong IP address during a DNS update? It doesn't
appear to happen very often: I have 28 servers world-wide with this same
"eth0, eth0:2" trick and this is the first time I've seen it.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: [Samba] Problem with Defaulting Groups and AD

2007-09-06 Thread Doug VanLeuven

Thompson, Jimi wrote:
> Jerry,
> 
> I'm really frustrated with SAMBA.  All I want to do is have my users

I'd like to point out here that you're really frustrated with the
default group assigned by Windows Active Directory.

> authenticate using the domain controller, keep them restricted to their
> own individual folder and disk quota, and have them back up their
> workstations.  
> 
> The weird group membership that SAMBA is defaulting is pretty much
> screwing the pooch for me.  Trying to override the SAMBA default group

"domain users" is not a "weird group".  It is the default group assigned
by every Windows Active Directory everywhere.

> membership to set it to what I know it needs to be in order for the Unix
> file permissions to work isn't "pointless".  It's hard to back up to a

Jerry didn't say your goal was pointless, he said your configuration
parameter as stated was pointless.

> server that doesn't think you have write permissions.  
> 
> If you can tell me what I need to do to make it work, I'd be quite
> happy.

Consult the documentation and add a mapping for "domain users" to an
actual group that would have write permission.  Try force group = 

> 
> Thanks,
>  
> Ms. Jimi Thompson, CISSP
> Manager of Web Operations
> SMU Cox School of Business

CISSP - Certified Information Systems Security Professional
I'll control myself.

Regards, Doug



Re: [Samba] samba-4.0.0alpha1 - AC authentication

2007-09-06 Thread Andrew Bartlett
On Fri, 2007-09-07 at 00:52 +0400, Angelina Paunovic wrote:
> Hi to all,
> 
> I just installed samba-4.0.0alpha1 on RedHat ES 4 in hope it will solve my
> problem to authenticate users against Active Directory 2003.

Much as I'm very glad to see folks trying out Samba4, I don't think it
will help you with that.  

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.



RE: [Samba] Problem with Defaulting Groups and AD

2007-09-06 Thread Thompson, Jimi
Jerry,

I'm really frustrated with SAMBA.  All I want to do is have my users
authenticate using the domain controller, keep them restricted to their
own individual folder and disk quota, and have them back up their
workstations.  

The weird group membership that SAMBA is defaulting is pretty much
screwing the pooch for me.  Trying to override the SAMBA default group
membership to set it to what I know it needs to be in order for the Unix
file permissions to work isn't "pointless".  It's hard to back up to a
server that doesn't think you have write permissions.  

If you can tell me what I need to do to make it work, I'd be quite
happy.

Thanks,
 
Ms. Jimi Thompson, CISSP
Manager of Web Operations
SMU Cox School of Business
 
"Contemplate the mangled bodies of your countrymen and then ask
yourself, What should be the reward of such sacrifices... If ye love
wealth better than freedom, the tranquility of servitude than the
animating contest of freedom, go from us in peace. We ask not your
counsels or arms. Crouch down and lick the hands that feed you. May
your chains sit lightly upon you, and may posterity forget that ye  were
our countrymen." - Samuel Adams  This from our founding fathers.  I
wonder what they'd think of the Patriot Act & the Emergency Powers Act.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Gerald (Jerry) Carter
Sent: Thursday, September 06, 2007 3:46 PM
To: Thompson, Jimi
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem with Defaulting Groups and AD


Jimi,

> Vital Stats - AMD 64-bit CPU, Ubuntu 7.0.4 (Feisty Fawn), 
> Samba 3.0.24,
> 
> Win2003 AD Domain
>
> I'm not sure how to make it stop doing it.  When a user 
> "logs in" they get an automatically assigned group
> of "domain users" which doesn't actually exist in
> any of the file permissions.  I've tried setting group
> = %G and force group = %G but neither one is working.  

That says "force the group membership to the user's
primary group" which is pointless.  Not sure what you
are trying to do.  If you are running winbindd (assuming
so), then just add "domain users" to the acl permissions?
Or some other domain group that you want.

> If anyone knows how to suppress this, I'd be greatly

Suppress what?

> appreciative.  As things stand, users can map the share
> but now everything is write only, despite specifically
> being stipulated at writeable.

You always get the most restrictive permission set
between smb.conf, share permissions, and file system permissions.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


[Samba] Problems with slow printing

2007-09-06 Thread Shane T. Drinkwater
Hello,
My name is Shane Drinkwater. I have had a problem since samba-3.0.25 with 
printing being very, very slow. It takes about 15-30 seconds for the print 
dialog box to appear. After selecting OK the print happens in a reasonable 
time.  File serving performance seems to be similar to previous revs of samba. 
I did read the "Problems with slow printing (and name resolving?)" thread. I do 
not have any printers that have been discontinued, plus new workstations are 
seeing the same slowness in printing. Has anyone else seen this or have a hint 
as to what is happening??
I am running on Red Hat Enterprise 5 with samba-3.0.25b/Cups 1.2.4

My smb.conf
[global]
  netbios name = medusa
  netbios aliases = insuranceSrv wellnessSrv accountingSrv backupSrv lisSrv personnelSrv hercules
  security = domain
  large readwrite = yes
  encrypt passwords = yes
  workgroup = CSQ
  server string = central file server
  printing  = cups
  printcap name = cups
  load printers = yes
  domain master = no
  local master = no
  map to guest = bad user
  name resolve order = wins bcast host
  preferred master = no
  log file = /var/log/samba/%m.log
  socket options = TCP_NODELAY SO_SNDBUF=16384 SO_RCVBUF=16384
  wins server = 172.27.1.17
#===Winbindd Stuff ==
#===Winbindd Stuff ==
password server = *
winbind uid = 1-2
winbind gid = 1-2
winbind separator = +
template shell = /bin/bash
template homedir = /home/%D/%U
winbind cache time = 60
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

[printers]
  comment = All Printers
  path = /var/spool/samba
  public = yes
  guest ok = yes
  writable = yes
  printable = yes

[print$]
  comment = Printer Driver Download Area
  path = /home/samba/printerdrivers
  guest ok = yes
  browseable = yes
  read only = yes
  write list = @CSQ+shane,@CSQ+Administrator,@CSQ+Programmers
[NT-apps]
   path = /home/samba/ntapps
   create mode = 777
   directory mode = 777
   writable = yes
   public = yes

[public]
  path = /home/samba/public
  writable = yes
  public = yes
  create mask = 0777
  directory mask = 0777

[cedi]
   path = /home/samba/cedi/cedi
   dos filetime resolution = yes
#   oplocks = false
#   level2 oplocks = false
   valid users = @CSQ+Programmers,@"CSQ+Domain Admins",@"CSQ+Domain Users"
   write list = @CSQ+Programmers,@"CSQ+Domain Admins",@"CSQ+Domain Users"
   create mode = 777
   directory mode = 777

[cediarc]
   path = /home/samba/cedi/cediarc
#   oplocks = false
#   level2 oplocks = false
   valid users = @CSQ+Programmers,@"CSQ+Domain Admins",@"CSQ+Domain Users"
   write list = @CSQ+Programmers,@"CSQ+Domain Admins",@"CSQ+Domain Users"
   create mode = 777
   directory mode = 777

Thank you for your time

Shane





Re: [Samba] can't add machine to domain after samba update

2007-09-06 Thread Gerald (Jerry) Carter

Janicko Zeppelin wrote:
> Hi all.
> 
> We have a big problem with adding a new machine to our domain.
> 2 weeks ago we upgraded our machine to Debian 4 (etch). Then we automatically
> updated our samba to version 3.0.24 (from the Debian package).
> We use an LDAP backend for samba.
> 
> When we try to add Windows XP or Windows 2000 to our domain, we get this
> error message on the client:
> Security database is corrupted.
> On the server we have these error messages in the log file log.smbd:
> 
...
>   Unable to find the member's gid!
>   check_ntlm_password:  Authentication for user [administrator] ->
> [user] FAILED with error NT_STATUS_INTERNAL_DB_CORRUPTION

Are the entries with sambaSamAccount also posixAccount objects?
or do you have the gidNumber for user attributes restricted
somehow?



cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian
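
Jerry's two questions can be checked against an LDIF export of the directory. The following is an added example, not code from the thread or from Samba: it flags `sambaSamAccount` entries that lack the `posixAccount` object class or a `gidNumber`, and, going one step beyond the reply, entries whose `gidNumber` matches no `posixGroup` in the export. The LDIF, the `dc=example,dc=org` base and all entry names are constructed; only gid 553 for "Domain Computers" comes from the original post.

```python
import base64
from collections import defaultdict

# Constructed sample export; not data from the thread.
SAMPLE_LDIF = """\
# groups
dn: cn=Domain Computers,ou=Groups,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Computers
gidNumber: 553

dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
gidNumber: 553

dn: uid=administrator,ou=Users,dc=example,dc=org
objectClass: account
objectClass: sambaSamAccount
uid: administrator

dn: uid=alice,ou=Users,
 dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
gidNumber: 513
"""


def parse_ldif(text):
    """Minimal LDIF reader: folded lines, comments, base64 ('attr:: ') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value)
    return entries


def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectclass", []))


def audit_sam_accounts(entries):
    """Return [(dn, [problem, ...])] for sambaSamAccount entries that smbd
    could not map to a Unix primary group."""
    group_gids = {gid for e in entries if has_class(e, "posixGroup")
                  for gid in e.get("gidnumber", [])}
    findings = []
    for e in entries:
        if not has_class(e, "sambaSamAccount"):
            continue
        problems = []
        if not has_class(e, "posixAccount"):
            problems.append("not a posixAccount")
        gids = e.get("gidnumber", [])
        if not gids:
            problems.append("no gidNumber")
        elif gids[0] not in group_gids:   # extra check, beyond the reply
            problems.append(f"gidNumber {gids[0]} matches no posixGroup")
        if problems:
            findings.append((e["dn"][0], problems))
    return findings


if __name__ == "__main__":
    for dn, problems in audit_sam_accounts(parse_ldif(SAMPLE_LDIF)):
        print(dn, "->", "; ".join(problems))
```

Take the export with the same bind DN that Samba uses, so that an access rule hiding `gidNumber` from that account shows up here as a missing attribute.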


[Samba] samba-4.0.0alpha1 - AC authentication

2007-09-06 Thread Angelina Paunovic
Hi to all,

I just installed samba-4.0.0alpha1 on RedHat ES 4 in hope it will solve my
problem to authenticate users against Active Directory 2003.

But the problem is smb.conf for this type of scenario. Does anyone have
an smb.conf only to authenticate users against Active Directory?

q1. Do I still need to have a Kerberos server?

q2. How to start samba as a daemon (smb -D)?

Or is there any document on how to do it?


Thank you in advance.
Angelina


Re: [Samba] Problem with Defaulting Groups and AD

2007-09-06 Thread Gerald (Jerry) Carter

Jimi,

> Vital Stats - AMD 64-bit CPU, Ubuntu 7.0.4 (Feisty Fawn), 
> Samba 3.0.24,
> 
> Win2003 AD Domain
>
> I'm not sure how to make it stop doing it.  When a user 
> "logs in" they get an automatically assigned group
> of "domain users" which doesn't actually exist in
> any of the file permissions.  I've tried setting group
> = %G and force group = %G but neither one is working.  

That says "force the group membership to the user's
primary group" which is pointless.  Not sure what you
are trying to do.  If you are running winbindd (assuming
so), then just add "domain users" to the acl permissions?
Or some other domain group that you want.

> If anyone knows how to suppress this, I'd be greatly

Suppress what?

> appreciative.  As things stand, users can map the share
> but now everything is write only, despite specifically
> being stipulated at writeable.

You always get the most restrictive permission set
between smb.conf, share permissions, and file system permissions.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian
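
Jerry's rule that the most restrictive of smb.conf, share permissions and file system permissions wins, worked through as an added example that is not from any poster or from Samba. It models the three layers for one write attempt and shows the effect of the `force group` setting suggested elsewhere in this thread; the uids, gids, modes and class names are constructed, and POSIX ACLs and `write list` are left out.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    """Unix identity smbd acts as for one connected user (constructed values)."""
    uid: int
    gid: int                               # primary group, e.g. winbind's gid for "domain users"
    groups: FrozenSet[int] = frozenset()   # supplementary groups


@dataclass(frozen=True)
class Share:
    read_only: bool                        # smb.conf "read only" (inverse of "writeable")
    acl_allows_write: bool                 # share-level permission for this user
    force_gid: Optional[int] = None        # gid that "force group" resolves to, if set


@dataclass(frozen=True)
class Inode:
    owner: int
    group: int
    mode: int                              # permission bits, e.g. 0o770


def fs_allows_write(node: Inode, sess: Session) -> bool:
    """POSIX class selection: exactly one of owner, group, other applies."""
    if sess.uid == 0:
        return True
    if sess.uid == node.owner:
        bits = node.mode >> 6
    elif node.group == sess.gid or node.group in sess.groups:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return bool(bits & 0o2)


def effective_write(share: Share, sess: Session, node: Inode) -> Tuple[bool, List[str]]:
    """Write is allowed only if every layer allows it; report the layers that block."""
    if share.force_gid is not None:
        # "force group" replaces the primary group used for access to this share.
        sess = replace(sess, gid=share.force_gid)
    layers = {
        "smb.conf": not share.read_only,
        "share permissions": share.acl_allows_write,
        "file system": fs_allows_write(node, sess),
    }
    blocked = [name for name, ok in layers.items() if not ok]
    return (not blocked), blocked


# Constructed scenario: directory root:backup (gid 1001) with mode 0770,
# user whose primary group is the mapped "domain users" gid 10513.
HOME_DIR = Inode(owner=0, group=1001, mode=0o770)
DOMAIN_USER = Session(uid=10001, gid=10513)

if __name__ == "__main__":
    cases = {
        "writeable share, no force group": Share(False, True),
        "writeable share, force group = backup": Share(False, True, force_gid=1001),
        "read only share, force group = backup": Share(True, True, force_gid=1001),
    }
    for label, share in cases.items():
        print(label, effective_write(share, DOMAIN_USER, HOME_DIR))
```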


[Samba] can't add machine to domain after samba update

2007-09-06 Thread Janicko Zeppelin
Hi all.

We have a big problem with adding a new machine to our domain.
2 weeks ago we upgraded our machine to Debian 4 (etch). Then we automatically
updated our samba to version 3.0.24 (from the Debian package).
We use an LDAP backend for samba.

When we try to add Windows XP or Windows 2000 to our domain, we get this
error message on the client:
Security database is corrupted.
On the server we have these error messages in the log file log.smbd:

[2007/09/06 22:06:46, 1]
passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2582)
  Unable to find the member's gid!
[2007/09/06 22:06:46, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/09/06 22:06:46, 0] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_INTERNAL_DB_CORRUPTION'
[2007/09/06 22:06:46, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain
[ourdomain] was for this SAM.
[2007/09/06 22:06:46, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [administrator] ->
[user] FAILED with error NT_STATUS_INTERNAL_DB_CORRUPTION
[2007/09/06 22:06:46, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX)
NT_STATUS_INTERNAL_DB_CORRUPTION

After the samba update we had some problems with groups in LDAP and we needed to
change the last 3 digits in our samba groups' SID. For ou=Computers we use
group "Domain Computers" with gid 553.

Thank you for any answer.

Regards

Janicko


[Samba] Problem with Defaulting Groups and AD

2007-09-06 Thread Thompson, Jimi
Vital Stats - AMD 64-bit CPU, Ubuntu 7.0.4 (Feisty Fawn), Samba 3.0.24,
Win2003 AD Domain

I'm not sure how to make it stop doing it.  When a user "logs in" they
get an automatically assigned group of "domain users" which doesn't
actually exist in any of the file permissions.  I've tried setting group
= %G and force group = %G but neither one is working.  If anyone knows
how to suppress this, I'd be greatly appreciative.  As things stand,
users can map the share but now everything is write only, despite
specifically being stipulated at writeable.

TIA,

Ms. Jimi Thompson, CISSP
Manager of Web Operations
SMU Cox School of Business


[Samba] Core Dump Issue

2007-09-06 Thread Cody Jarrett
I have a samba 3.023c server with winbind joined to a windows 2003 AD  
domain. The issue I'm having is from the windows computers, I can't  
connect to shares on the samba server using the administrator  
account. It works just fine with normal domain users. When I try to  
connect with the admin account, the smbd process that forked to  
handle the request core dumps. The same thing happens when I try to  
use smbclient //localhost/share -U administrator. The administrator  
account is mapped to root in smbusers, I have it like this on  
multiple other servers with no issues. I'm thinking maybe something  
got cached wrong in some tdb file maybe? Anyone have any ideas of  
what might be wrong? Let me know if I need to provide any other logs.


  check_ntlm_password:  PAM Account for user [TESTDOMAIN+administrator] succeeded

[2007/09/06 11:59:34, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [Administrator] -> [root] -> [TESTDOMAIN+administrator] succeeded

[2007/09/06 11:59:34, 5] auth/auth_util.c:free_user_info(1866)
  attempting to free (and zero) a user_info structure
[2007/09/06 11:59:34, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 1 -> S-1-5-21-2816653866-3993825973-103212075-513

[2007/09/06 11:59:34, 0] lib/fault.c:fault_report(41)
  ===
[2007/09/06 11:59:34, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 17245 (3.0.23c-2.el5.2.0.2)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2007/09/06 11:59:34, 0] lib/fault.c:fault_report(44)

  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2007/09/06 11:59:34, 0] lib/fault.c:fault_report(45))


[Samba] UPDATE - NT_STATUS_ACCESS_DENIED making remote directory

2007-09-06 Thread Thompson, Jimi
Well, I've discovered something and I'm not sure how to make it stop
doing it.  When a user "logs in" they get an automatically assigned
group of "domain users" which doesn't actually exist in any of the file
permissions.  I've tried setting group = %G and force group = %G but
neither one is working.  If anyone knows how to suppress this, I'd be
greatly appreciative.

Vital Stats - AMD 64-bit CPU, Ubuntu 7.0.4 (Feisty Fawn), Samba 3.0.24,
Win2003 AD Domain

If I've left anything out, please feel free to ask. This *was* working
yesterday until my Kerberos ticket expired.  (growl)  Anyway, now that
Kerberos appears to be working again, all of my users still only have
read access - no write access.  The "temp" test works fine.  Exactly as
expected - full access.  Nothing should have changed in the last 24
hours on the AD side so I'm not sure why all of a sudden I'm getting
read only access for my user shares.  Samba & the authentication seems
to be working.  I get sensible and complete results when I do a wbinfo
-u and -g.  When I try mapping the share and doing stuff from the actual
Ubuntu server, I see that no user is allowed write access to their own
home directory.  I was hoping that one of you folk might have some
insight.

[global]
workgroup = COX
realm = ELCSB.NET
server string = bakserve2
security = DOMAIN
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
disable spoolss = Yes
show add printer wizard = No
os level = 33
preferred master = No
local master = No
domain master = No
wins server = 129.119.81.20
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
winbind cache time = 10
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes

[homes]
comment = Home Directories
path = /home/%U
user = %U
valid users = COX\%S
read only = No
create mask = 0770
directory mask = 0770
writeable = Yes
browseable = Yes

[temp]
comment = Temp Test
path = /tmp
writeable = Yes
browseable = Yes
read only = No

Thanks,

 

Ms. Jimi Thompson, CISSP

Manager of Web Operations

SMU Cox School of Business

 

"Contemplate the mangled bodies of your countrymen and then ask
yourself, What should be the reward of such sacrifices... If ye love
wealth better than freedom, the tranquility of servitude than the
animating contest of freedom, go from us in peace. We ask not your
counsels or arms. Crouch down and lick the hands that feed you. May
your chains sit lightly upon you, and may posterity forget that ye  were
our countrymen." - Samuel Adams  This from our founding fathers.  I
wonder what they'd think of the Patriot Act & the Emergency Powers Act.

 



[Samba] Glitches adding homedir profiles to a samba share with AD MMC?

2007-09-06 Thread john
Hi all,

We have a mixed network environment with Samba servers providing file
storage for Windows, Linux and Mac OS X users. Authentication is
handled by Active Directory on Win2K SP. On our campus we allow
computer lab teachers to add users via the Active Directory MMC.
However we have a couple of issues which make this far from seamless:

After users are added to AD, the lab admin will add a home directory
path to the user's profile using the MMC. The path will be something
like \\sambaserver\students\2009\%username% (the %username%
variable expands to the username of the profile's owner).

We are presented with an error message letting us know that the user
directory couldn't be created because Domain Admins don't have
sufficient privileges to create the directory, although AD will update
the path in the user profile.

When we look at the Share in samba however we see that the directory
_was_ created, but that it is owned by root rather than the user.

We then must log on the SAMBA server and chown the directory to be
owned by the proper user and group.

I am hoping I can adjust permission in such a way that I won't have to
go back in and clean up things after a new user has been added through
AD.

Thanks for any ideas!

John

The relevant portion of smb.conf looks like this:

[ALLSTUDENTS]

 path = /home/ALLSTUDENTS
 # valid users = %S
  readonly = no
  writable = yes
  printable = no
  create mode = 0700
  directory mode = 0700
  admin users = @"VANGUARD\domain admins" @"VANGUARD\mcmcomputer admins"
  vfs objects = recycle
  recycle: config-files = /etc/samba/samba-recycle.conf


The top level of the share /home/ALLSTUDENTS under linux all have 755
permissions

drwxr-xr-x 184 root root 12288 2007-09-01 18:21 2008
drwxr-xr-x 187 root root 12288 2007-09-01 18:26 2009
drwxr-xr-x 196 root root 12288 2007-09-01 19:19 2010
drwxr-xr-x 206 root root 12288 2007-09-01 17:32 2011
drwxr-xr-x 152 root root  4096 2007-09-01 18:14 2012
drwxr-xr-x 130 root root  4096 2007-09-06 07:22 2013
drwxr-xr-x 139 root root  4096 2007-09-05 19:53 2014
drwxr-xr-x 121 root root 12288 2007-09-05 19:52 2015
drwxr-xr-x   2 root root  4096 2007-09-01 15:54 2016
drwxr-xr-x   2 root root  4096 2007-08-02 13:41 2017
drwxr-xr-x   2 root root  4096 2007-08-02 13:41 2018
drwxr-xr-x   2 root root  4096 2007-08-02 13:41 2019


Re: [Samba] problems with VFS_FAKE_PERMS

2007-09-06 Thread George Farris
On Thu, 2007-06-09 at 10:01 -0400, Ryan Novosielski wrote:
> Alexander Födisch wrote:
> > Hi,
> > 
> > I want to use the module VFS_FAKE_PERMS for roaming profiles. When I use
> > the option "writeable = yes" (see config [1]) the user profiles are
> > written back to the server (but they shouldn't, right?).
> > If I delete the writeable-option (see [2]) windows brings an error when
> > logging off:
> > 
> > "Windows cannot update your roaming profile. Possible causes of this
> > error include network problems or insufficient security rights. If this
> > problem persists, contact your network administrator." (Event ID: 1504)

Do you have POSIX ACLs set on your filesystem?  Something like:

setfacl -R -m group:"YOURDOMAIN+domain admins":rwx profiles




Re: Re-2: [Samba] limit login

2007-09-06 Thread mups . cp
I think that combining 'root preexec' with a script and 'utmp = Yes'
easily allows these checks.
The w command shows who is connected through smb. The script checks this
before allowing/denying the user.


On 9/6/07, Adam Tauno Williams <[EMAIL PROTECTED]> wrote:
> > > You are aware that once someone has logged in an
> > > administrator has to reset that account. This is *NOT*
> > > automatic if the user logs out from his first
> > > workstation. That functionality is impossible to achieve for
> > > us, Windows does not tell us when the user logs out.
> > Maybe I'm being naïve, or maybe it's just that I don't need this
> > functionality for anything, but I'd solve it by running regularly (every
> > hour, every ten minutes, whatever you determine appropriate) something
> > like this script:
> > #!/bin/bash
> > smbstatus -b | awk '{print "nobody = " $2}' > /etc/samba/smb.usermap
>
> No, this does not work.
>
> > Then set username map = /etc/samba/smb.usermap in smb.conf.  This should
> > cause any user who has a share mapped not to be able to authenticate
> > because their password is tested with the user nobody - until they are
> > logged out AND the script is run again.
> > Untested, and in need of refining, lose the top lines from smbstatus -b
> > for instance, but a start?
>
> The output of smbstatus is not terribly useful for this kind of purpose.
> You may see users listed after they have disconnected and you have to
> deal with that connections may drop and be recreated (deadtime, etc...)
> - none of which is tightly coupled with a logon/logoff event.  smbstatus
> doesn't provide sufficient information to solve the
> sign-on-to-single-workstation problem.
>


Re: [Samba] problems with VFS_FAKE_PERMS

2007-09-06 Thread Ryan Novosielski
Alexander Födisch wrote:
> Hi,
> 
> I want to use the module VFS_FAKE_PERMS for roaming profiles. When I use
> the option "writeable = yes" (see config [1]) the user profiles are
> written back to the server (but they shouldn't, right?).
> If I delete the writeable-option (see [2]) windows brings an error when
> logging off:
> 
> "Windows cannot update your roaming profile. Possible causes of this
> error include network problems or insufficient security rights. If this
> problem persists, contact your network administrator." (Event ID: 1504)
> 
> 
> [1]
> 
> [profiles]
>    path = 
>    browseable = no
>    writeable = yes
>    guest ok = yes
>    vfs objects = fake_perms
> 
> 
> [2]
> 
> [profiles]
>    path = 
>    browseable = no
>    guest ok = yes
>    vfs objects = fake_perms
> 
> 
> 
> Any ideas?

AFAICR, you can instead change something in the profiles themselves to
make them mandatory and make Windows uninterested in writing them back
to the server (something with changing the extension on NTUSER.DAT or
something). This may solve your problem, but perhaps someone who knows
better will chime in.

--
  _  _ _  _ ___  _  _  _
 |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
 |$&| |__| |  | |__/ | \| _| |[EMAIL PROTECTED] - 973/972.0922 (2-0922)
 \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630


[Samba] problems with VFS_FAKE_PERMS

2007-09-06 Thread Alexander Födisch

Hi,

I want to use the module VFS_FAKE_PERMS for roaming profiles. When I use
the option "writeable = yes" (see config [1]) the user profiles are
written back to the server (but they shouldn't, right?).

If I delete the writeable-option (see [2]) Windows brings an error when
logging off:

"Windows cannot update your roaming profile. Possible causes of this
error include network problems or insufficient security rights. If this
problem persists, contact your network administrator." (Event ID: 1504)



[1]

[profiles]
   path = 
   browseable = no
   writeable = yes
   guest ok = yes
   vfs objects = fake_perms


[2]

[profiles]
   path = 
   browseable = no
   guest ok = yes
   vfs objects = fake_perms



Any ideas?

Thanks,
Alex
--

*
Alexander Födisch
- Central IT Department-

Max Planck Institute for Evolutionary Anthropology
Deutscher Platz 6
D-04103 Leipzig

Germany

Phone:  +49 (0)341 3550-168
        +49 (0)341 3550-154
Fax:    +49 (0)341 3550-119
Email:  [EMAIL PROTECTED]



Re: [Samba] File sharing and Active Directory

2007-09-06 Thread Adam Tauno Williams
> I have a server SLES 10 with Samba 3.0.22, with authentication from a 
> Windows 2003 server via Active Directory.
> I would like to configure a share of a folder which only 
> the users of a pre-determined (security) group can access.
> But I cannot figure out how to configure Samba to do this...

The traditional way of "valid users = @{groupname}"  or just right click
on the share and set the permissions from an XP or later client.

-- 
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org



[Samba] File sharing and Active Directory

2007-09-06 Thread Luca Manganelli

Hi, my question is pretty complicated.

I have a server SLES 10 with Samba 3.0.22, with authentication from a 
Windows 2003 server via Active Directory.
I would like to configure a share of a folder which only 
the users of a pre-determined (security) group can access.

But I cannot figure out how to configure Samba to do this...


Re: Re-2: [Samba] limit login

2007-09-06 Thread Adam Tauno Williams
> > You are aware that once someone has logged in an
> > administrator has to reset that account. This is *NOT*
> > automatic if the user logs out from his first
> > workstation. That functionality is impossible to achieve for
> > us, Windows does not tell us when the user logs out.
> Maybe I'm being naïve, or maybe it's just that I don't need this 
> functionality for anything, but I'd solve it by running regularly (every 
> hour, every ten minutes, whatever you determine appropriate) something 
> like this script:
> #!/bin/bash
> smbstatus -b | awk '{print "nobody = " $2}' > /etc/samba/smb.usermap

No, this does not work.

> Then set username map = /etc/samba/smb.usermap in smb.conf.  This should 
> cause any user who has a share mapped not to be able to authenticate 
> because their password is tested with the user nobody - until they are 
> logged out AND the script is run again.
> Untested, and in need of refining, lose the top lines from smbstatus -b 
> for instance, but a start?

The output of smbstatus is not terribly useful for this kind of purpose.
You may see users listed after they have disconnected and you have to
deal with that connections may drop and be recreated (deadtime, etc...)
- none of which is tightly coupled with a logon/logoff event.  smbstatus
doesn't provide sufficient information to solve the
sign-on-to-single-workstation problem.



Re: [Samba] Winbind and LDAP

2007-09-06 Thread Gerald (Jerry) Carter
Daniel L. Miller wrote:
> I've been having a miserable time trying to get Winbind working.  All of
> the literature I've found seems to indicate it "just works" - which I'd
> love - but it hasn't gone that way for me.  Because I'm already using
> LDAP, it seemed to make sense to use the LDAP support for Winbind.  But
> Winbind continues to give errors and generally be unhappy.
> 
> Besides using the current schema, and setting the idmap 
> parameters in smb.conf - is there another magic trick to
> getting it to work?

That's pretty much it.  The idmap suffix container has to
already exist and be writeable by the "ldap admin dn".

I'd suggest you get Winbind working with the tdb backend
first though to make sure you understand how things work.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: Re-2: [Samba] limit login

2007-09-06 Thread Cybionet

Greetings Pascal,

Here is some code I made yesterday. It's surely not a great piece of 
code, but it works with Windows clients.


First in the netlogon section of your smb.conf, add the line:

root preexec = /pathof the scripts/test.sh %u %m

I have not tried this script with the log level set to a value other than 
0 (log level = 0 passdb:4 auth:4 vfs:2). The result of smbstatus was 
different. Now create a script named test.sh. One error I can see is the 
out.txt if multiple users log in at the same time. Maybe change this to %u.txt.


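-BEGIN--
#! /bin/bash

# Called by "root preexec" with %u (user name) and %m (client machine name).
username=$1
machine=$2

# Does smbstatus list this user on a line that does not mention this machine?
if smbstatus -Sp | grep "${username}" | grep -v "${machine}" >/dev/null 2>&1
then
  #echo "Already connected"
  # Save the lines for this machine, take the PID from the first column
  # and kill that process.
  smbstatus -Sp | grep "${machine}" >out.txt 2>/dev/null
  PID=`gawk -F: '{ print $1 }' out.txt | cut -d " " -f1`
  kill $PID
else
  #echo "New connection"
  exit 0
fi
-END--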

Best regards,

Robert

--
Cybionet - Solution reseautique
http://www.cybionet.com
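
Added example, not part of the post above and not Samba's own code: the same "already connected elsewhere" decision made with exact field comparison, so that a user name such as bob does not match bobby, and without the shared out.txt file. The table in sample_status is a constructed sample modelled on the PID/Username/Group/Machine listing of smbstatus -p (real output can differ between Samba versions), and the function names are hypothetical.

```shell
#!/bin/bash
# Constructed sample input, labelled as such; not captured from a real server.
sample_status() {
cat <<'EOF'

Samba version 3.0.24
PID     Username      Group         Machine
-------------------------------------------------------------------
 4101   bob           domain users  lab-pc07     (192.0.2.17)
 4102   bobby         domain users  lab-pc09     (192.0.2.19)
 4150   alice         staff         lab-pc03     (192.0.2.13)
 4177   alice         staff         lab-pc11     (192.0.2.21)
EOF
}

# other_sessions USER MACHINE   (status table on stdin)
# Prints "PID MACHINE" for each session of USER that is not from MACHINE.
# Assumptions: the user name has no spaces and is field 2; the group may
# contain spaces, so the machine is read as the field just before the
# trailing "(address)" column rather than from a fixed column.
# Values are passed through the environment so awk does not expand
# backslashes in names such as DOMAIN\user.
other_sessions() {
  SMB_USER="$1" SMB_MACHINE="$2" awk '
    $1 ~ /^[0-9]+$/ && NF >= 5 && $NF ~ /^\(.*\)$/ {
      # Machine names are compared case-insensitively.
      if ($2 == ENVIRON["SMB_USER"] &&
          tolower($(NF-1)) != tolower(ENVIRON["SMB_MACHINE"]))
        print $1, $(NF-1)
    }'
}

# logon_allowed USER MACHINE   (status table on stdin)
# Exit status 0 when no other machine holds a session for USER, 1 otherwise.
logon_allowed() {
  [ -z "$(other_sessions "$1" "$2")" ]
}
```

On a live server the table would come from a pipe such as smbstatus -p | logon_allowed "$1" "$2", with the same caveat raised elsewhere in this thread that smbstatus can still list sessions after the user has disconnected.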



Re: Re-2: [Samba] limit login

2007-09-06 Thread Bjoern Tore Sund

Volker Lendecke wrote:
> On Wed, Sep 05, 2007 at 12:14:25PM +, [EMAIL PROTECTED] wrote:
> > yes please this would fix problems we have with user
> > logging on at one end of the site then at the other later.
>
> Just to make sure:
>
> You are aware that once someone has logged in an
> administrator has to reset that account. This is *NOT*
> automatic if the user logs out from his first
> workstation. That functionality is impossible to achieve for
> us, Windows does not tell us when the user logs out.


Maybe I'm being naïve, or maybe it's just that I don't need this 
functionality for anything, but I'd solve it by running regularly (every 
hour, every ten minutes, whatever you determine appropriate) something 
like this script:


#!/bin/bash
smbstatus -b | awk '{print "nobody = " $2}' > /etc/samba/smb.usermap

Then set username map = /etc/samba/smb.usermap in smb.conf.  This should 
cause any user who has a share mapped not to be able to authenticate 
because their password is tested with the user nobody - until they are 
logged out AND the script is run again.


Untested, and in need of refining, lose the top lines from smbstatus -b 
for instance, but a start?


-BT
--
Bjørn Tore Sund   Phone: 555-84894   Email:   [EMAIL PROTECTED]
IT department VIP:   81724   Support: http://bs.uib.no
Univ. of Bergen

When in fear and when in doubt, run in circles, scream and shout.