Re: [Samba] using MD5 to cipher password

2008-02-20 Thread Michael Heydon



Luigi Santangelo wrote:
Hi everybody, 
When I create a new user with smbpasswd -a, can I encrypt the password 
with MD5 protocol instead of NTLM protocol?
  

No.


  

Use unix or ldap password sync.

*Michael Heydon - IT Administrator *
[EMAIL PROTECTED] 


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Re: Subfolders and permissions

2008-02-20 Thread Jamrock
"Paul Rijke" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> Hi,
>
>
>
> I have currently a department called HRM which have their own share
> /data/hrm
>
>
>
> Within that share is a folder called recruitment.
>
>
>
> We recently hired an external recruiter to do some work for us. The folder
> is /data/hrm/recruitment
>
>
>
> How can I enforce that this person can only read and write in this
> directory? Look below, is this the way to go? How would you handle this?
>

A Samba account is linked to a Linux account.  I would set the security on
the Linux account.  I would do this using regular Linux file and directory
permissions.





[Samba] change in AD authentication behaviour since 3.0.24

2008-02-20 Thread Robert Cohen
Charles Marcus CMarcus at Media-Brokers.com wrote

>>On 2/19/2008, Robert Cohen (robert.cohen at anu.edu.au) wrote: I'm not sure
>>whether its the same problem as us.

>> BTW I should mention that we're simply not using winbind. The behaviour I'm
>> talking about is when an XP client machine attempts to connect to our server
>> to get a network share.
>> 
>> So winbind doesn't enter into the equation.
>> 
>From the 3.0.25 release notes (3rd paragraph is most relevant to you):

>"Member servers, domain accounts, and smb.conf
>=============================================

>Since Samba 3.0.8, it has been recommended that all domain accounts listed
>in smb.conf on a member server be fully qualified with the domain name.
>This is now a requirement.  All unqualified names are assumed to be local to
>the Unix host, either as part of the server's local passdb or in the local
>system list of accounts (e.g. /etc/passwd or /etc/group).
>
>The reason for this change is that smbd has transitioned from access checks
>based on string comparisons to token based authorization.  All names are
>resolved to a SID and then verified against the logged on user's NT user
>token.  Local names will resolve to a local SID, while qualified domain
>names will resolve to the appropriate domain SID.
>If the member server is not running winbindd at all, domain accounts will be
>implicitly mapped to local accounts and their tokens will be modified
>appropriately to reflect the local SID and group membership.
>


This turned out to be the problem. We hadn't been starting winbindd since I
thought it was only relevant if you were using winbind in
/etc/nsswitch.conf.
But as soon as we started winbind, along with the other config settings
mentioned earlier, everything just started working.




===
Robert Cohen 




Re: [Samba] change in AD authentication behaviour since 3.0.24

2008-02-20 Thread Neal A. Lucier

Robert Cohen wrote:

On 20/2/08 4:11 PM, "Neal A. Lucier" <[EMAIL PROTECTED]> wrote:

Robert Cohen wrote:


Ok, I thought winbind was only relevant if you were using AD as a NSS (name
service source). We have all the users in the name service from LDAP or
NIS+. We're only getting the passwords from AD.

I guess this could be an unusual combination and could be what's causing our
problems...



This is exactly what we are doing, and until 3.0.25 setting up idmap to work in 
this environment was a bit convoluted, but now it is extremely simple, mainly 
because an "nss" backend was introduced to idmap.  Generally speaking idmap is 
for authorization; however, there is some interplay with authentication.


So, to be clear, your nsswitch on the machine is only looking at LDAP or NIS+, and 
in AD you have all the same users with the same usernames?


You need IDmap to map the uid of the owner of the files (which is coming from 
LDAP/NIS+) to the SID of the user that is accessing via Samba (which is coming 
from AD).  There are many ways to do this, by putting the SID in LDAP, the uid 
in AD, using local .tdb files, or a local mapping.  The simplest (given that my 
assumptions about your environment are correct) is:


winbind use default domain = yes
idmap domains = XX
idmap config XX:backend = nss
idmap config XX:readonly = yes
idmap config XX:default = no

The only setting I'm not sure exactly what it does is the ":default = no", but 
IIRC that says if someone from another domain that is not defined by "idmap 
domains = " tries to connect then idmap should not use this backend as the 
default backend.


see: http://www.samba.org/~idra/samba3_newidmap.pdf



And allow trusted domains = no doesn't make any difference.



Sorry, I was thinking of "winbind trusted domains only" which has been obsoleted 
by the idmap_nss backend.


Neal


Re: [Samba] RE: Delegation of authentication (S4U) and SAMBA

2008-02-20 Thread Andrew Bartlett

On Wed, 2008-02-20 at 13:58 -0800, Todd Stecher wrote:
> From my readings, only the Heimdal Kerberos distribution has S4USelf
> support, at least in the Samba 4 code base.  MIT tries to stay away
> from being PAC-cognizant.

In terms of Samba4's KDC, S4USelf is something that I need to finish
understanding, particularly in terms of interoperable behaviours etc.

> It sounds like you're trying to do something slightly different - e.g.
> Constrained Delegation, where the identity lives in the PAC, and not
> in the ticket.  There are additional security considerations which
> come into play when relying simply on the PAC, since anyone can put a
> PAC into a service ticket with a custom codebase - you can easily get
> into cases of identity theft if you also don't verify the second
> (KRBTGT HMAC of the server signature) signature in the PAC.

Why do we need to check that, except if we think that unprivileged
processes on our box have access to the keytab?

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.



Re: [Samba] Need help upgrading from 3.0.4 to 3.0.28

2008-02-20 Thread Douglas VanLeuven
Joe wrote:
> I have a FreeBSD 5.2.1 machine running Samba 3.0.4.  I am going to
> upgrade Samba to 3.0.28.  The process I would follow would be...
> 
> download source
> configure
> make
> make install
> 
> My questions are...
> 
> 1. Can I "make install" with users connected to the samba
>server and using shares?

Only if you're an optimist.  It's a rare day one can migrate that many
releases without some changes in config file syntax or interpretation.

> 
> 2. Can I just restart nmbd and smbd to run the new version?
>What happens to connected users if I restart nmbd and smbd?

You could.  Your users would get (optimistically) momentarily
disconnected.  The windows offline files balloon pops up or a message
"no longer connected to ...".

> 
> 3. Will I need to change anything in smb.conf?

Probably.  I know some of the defaults have changed, but I don't have a
list handy.

> 
> 4. Will any of the samba databases (users) get destroyed/erased/
>changed?
Shouldn't, but someone else would have to say definitively.  I've
personally wiped and reinitialized most of them several times only
keeping the private tdb files secrets & passdb while regenerating the
printer tdb's and mappings.

> 
> Sorry for all the questions, I'm just nervous about creating
> a big mess during the upgrade.

If it's at all possible, your best course is to setup a test machine
(real or virtual) and test the new version in your current setup by
joining it to your domain and connecting from users.  Alternatively,
duplicate the existing OS & samba version with a different machine name
and perform the upgrade on it.  Your experience doing that is the only
real way to self answer some of your questions and make the production
upgrade as smooth as possible.

Regards, Doug


Re: [Samba] CTDB and LDAP: anyone?

2008-02-20 Thread Andrew Bartlett

On Tue, 2008-02-12 at 11:01 +, Alex Crow wrote:
> Hi there,
> 
> I am looking into using CTDB between a PDC and a BDC. I assume this is
> possible!
> 
> However I have a few questions:
> 
> 1: Do I have to use tdb2 as an Idmap backend? Can I not stay with ldap?
> (from the CTDB docs:
> 
> A clustered Samba install must set some specific configuration
> parameters 
> clustering = yes
>   idmap backend = tdb2
>   private dir = /a/directory/on/your/cluster/filesystem
> It is vital that the private directory is on shared storage.)

LDAP should be fine...

> 2. I have got the git tree as mentioned on the CTDB pages; however it
> seems like 3.2.0pre1 will also support this; which should I go with?
> 
> 3. Do I have to use IP takeover? All I am trying to do in this case is
> to consistently provide the home directories and profiles on both the
> PDC and BDC (I'm using GFS over iSCSI).
> 
> It doesn't matter if the IP address of either box vanishes - since they
> are both domain controllers the still-living box should be used anyway
> (background - I am using "passdb expand explicit = yes" and in LDAP I
> have home and profile paths specified prefixed by \\%L, so the user's
> profile and home dir are mapped to whatever the logon server is for that
> session).
> 
> I can see how for sharing domain member services around a cluster that
> IP takeover is required, but the PDC/BDC relationship means (IMHO) it's
> not required in this instance.

This looks like a perfectly good reason not to require IP takeover.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.



Re: [Samba] RE: Delegation of authentication (S4U) and SAMBA

2008-02-20 Thread Andrew Bartlett

On Tue, 2008-02-12 at 12:15 -0800, Ephi Dror wrote:
> Hello,
> 
>  
> 
> Does samba support the use of S4U?
> 
>  
> 
> What do we need to configure in SAMBA or krb5 to support getting a
> ticket obtained by S4U.  We are using 3.0.25 and krb5-1.4.1
> 
>  
> 
> We are getting the following error:
> 
>  
> 
> decode_pac_data: Name in PAC [EMAIL PROTECTED]
> does not match principal name in ticket
> 
>  
> 
> The ticket could be different than the PAC name because the ticket was
> obtained using S4U extension.

As you have found out, the code does not currently allow this.  

Now that we are using the PAC, it shouldn't be too hard for you to
change things so that instead of requiring the two strings to
match, it takes the PAC in precedence (if available).

I suggest raising this on samba-technical

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.



Re: [Samba] Subfolders and permissions

2008-02-20 Thread Scott Lovenberg

Paul Rijke wrote:

Hi,

 


I have currently a department called HRM which have their own share
/data/hrm

 


Within that share is a folder called recruitment.

 


We recently hired an external recruiter to do some work for us. The folder
is /data/hrm/recruitment

 


How can I enforce that this person can only read and write in this
directory? Look below, is this the way to go? How would you handle this?

 


My config:

#=== Global Settings ====

[global]
dns proxy = no
log file = /var/log/samba/log.%m
netbios name = srv01
load printers = yes
server string = srv01.mydomain.com

workgroup = MYDOMAIN
os level = 20
username map = /usr/local/etc/samba/smbusers

encrypt passwords = yes
hosts allow = 192.168.20. 127.
security = user
max log size = 50

#=== Share Definitions ====

# the "staff" group
[hrm]
writeable = yes
path = /data/hrm
write list = @hrm
force group = hrm
valid users = @hrm
create mode = 764
directory mode = 774

[recruitment]
comment = Recruitment Share
valid users = @recruitment
writeable = yes
path = /data/hrm/recruitment
write list = @recruitment
force group = recruitment
create mode = 764
directory mode = 774
  
Personally, I'd do this at the file system level.  Put them in a group 
such that they don't have any permissions other than traverse (751 
permissions or so) parent directories, and make them the owner of the 
recruitment directory with a 2770 permission on the directory.  If you 
need to add more recruiters, just add them to the recruitment group.



So, it'd look like this:
user: recruiter
group: recruitment

/data/hrm (perms - root.users rwxrwx--x)
/data/hrm/recruitment (perms - recruiter.recruitment rwxrwt---)

Then just give them a link to /data/hrm/recruitment on their desktop or 
something (or map a drive on logon with the logon script).  This is, of 
course, just one way to do it.

 I usually like to handle permissions at the lowest level.
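The layout Scott describes, written out as an added shell example (this is not code from the thread). The `recruiter`/`recruitment` names and the `/data/hrm` layout are the thread's; `BASE` is a parameter so the script can be run against a scratch directory, and the `chown` step only runs when an owner and group are passed, since it needs root:

```shell
#!/bin/sh
# Added example; not code from the thread.  Lays out the HRM share the way
# Scott describes: staff work in BASE/hrm, everyone else may only pass through
# it, and the recruiter owns BASE/hrm/recruitment with setgid so new files
# stay in the recruitment group.  BASE is a parameter so this runs in a
# scratch directory; /data would be the real value.
set -eu

# setup_recruitment_tree BASE [OWNER GROUP]
#   BASE/hrm              771  (rwxrwx--x): others may traverse but not list
#   BASE/hrm/recruitment  2770 (rwxrws---): owner and group only, setgid
# The chown needs root, so it only runs when OWNER and GROUP are given.
setup_recruitment_tree() {
    base=$1; owner=${2:-}; group=${3:-}
    mkdir -p "$base/hrm/recruitment"
    chmod 771  "$base/hrm"
    chmod 2770 "$base/hrm/recruitment"
    if [ -n "$owner" ] && [ -n "$group" ]; then
        chown "$owner:$group" "$base/hrm/recruitment"
    fi
}

# octal_mode PATH -> mode including the special bits, e.g. 2770 (GNU stat)
octal_mode() { stat -c %a "$1"; }

# other_bits PATH -> the "other" permission digit of PATH (0-7)
other_bits() { octal_mode "$1" | sed 's/.*\(.\)$/\1/'; }

# traverse_only_for_others PATH: succeeds when users outside the owner and
# group can enter PATH (x) but neither list nor write it.  /data/hrm needs
# exactly this so the recruiter can reach the subfolder and nothing else.
traverse_only_for_others() {
    [ "$(other_bits "$1")" = 1 ]
}

# closed_to_others PATH: succeeds when "other" has no access at all, which is
# how the recruitment directory must look to the rest of the company.
closed_to_others() {
    [ "$(other_bits "$1")" = 0 ]
}

# Stand-alone run: invoke this file with --demo to build and inspect a
# throw-away copy of the tree.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    setup_recruitment_tree "$demo"
    octal_mode "$demo/hrm"               # 771
    octal_mode "$demo/hrm/recruitment"   # 2770
    rm -rf "$demo"
fi
```

Two points worth keeping in mind when applying this to the shares in Paul's config: the recruiter must not be a member of `hrm`, otherwise `valid users = @hrm` on `[hrm]` lets them into the parent; and the `--x` bit on `/data/hrm` is what lets smbd (running as the recruiter) enter `/data/hrm/recruitment` for the `[recruitment]` share while the missing `r` bit stops a directory listing of `/data/hrm` by any other route.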


[Samba] Subfolders and permissions

2008-02-20 Thread Paul Rijke
Hi,

 

I have currently a department called HRM which have their own share
/data/hrm

 

Within that share is a folder called recruitment.

 

We recently hired an external recruiter to do some work for us. The folder
is /data/hrm/recruitment

 

How can I enforce that this person can only read and write in this
directory? Look below, is this the way to go? How would you handle this?

 

My config:

#=== Global Settings ====

[global]
dns proxy = no
log file = /var/log/samba/log.%m
netbios name = srv01
load printers = yes
server string = srv01.mydomain.com

workgroup = MYDOMAIN
os level = 20
username map = /usr/local/etc/samba/smbusers

encrypt passwords = yes
hosts allow = 192.168.20. 127.
security = user
max log size = 50

#=== Share Definitions ====

# the "staff" group
[hrm]
writeable = yes
path = /data/hrm
write list = @hrm
force group = hrm
valid users = @hrm
create mode = 764
directory mode = 774

[recruitment]
comment = Recruitment Share
valid users = @recruitment
writeable = yes
path = /data/hrm/recruitment
write list = @recruitment
force group = recruitment
create mode = 764
directory mode = 774



[Samba] samba, PAM and active directory

2008-02-20 Thread Miguel Gonzalez
Hi,

  I want users to be able to log on (SSH and console) to a
Debian box through Active Directory. I still want the root
user to be able to log on (SSH and console), so I created a
wheel group for that.

  I can log on successfully with all AD and root
users. However, I'd like to limit the AD users to the
Technology domain group.

  I've googled a lot:

  http://ubuntuforums.org/showthread.php?t=547324

  but I can't figure out how to make it work under
my Debian box.

  Here are my settings:
  
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#

account sufficient  pam_succeed_if.so debug user ingroup wheel
account sufficient  pam_succeed_if.so debug user ingroup Technology

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    sufficient  pam_unix.so debug nullok_secure try_first_pass
auth    required    pam_winbind.so debug


#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix

# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

#password   required   pam_unix.so nullok obscure min=4 max=8 md5

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
# password required   pam_cracklib.so retry=3 minlen=6 difok=3
# password required   pam_unix.so use_authtok nullok md5

auth    sufficient  pam_winbind.so
auth    required    pam_unix.so nullok obscure min=4 max=8 md5 try_first_pass


#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session required    pam_unix.so debug try_first_pass
session required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required    pam_winbind.so debug

I've created a test AD user that is not in the
Technology group. If I issue:

svn:/etc/pam.d# su - test
su: Permission denied
(Ignored)

the auth.log file gives:

Feb 20 13:45:27 svn su[6526]: pam_succeed_if: 'user' resolves to 'test'
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: requirement "user ingroup wheel" not met by user "test"
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: 'user' resolves to 'test'
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: requirement "user ingroup Technology" not met by user "test"
Feb 20 13:45:27 svn su[6526]: Successful su for test by root
Feb 20 13:45:27 svn su[6526]: + pts/0 root:test
Feb 20 13:45:27 svn su[6526]: (pam_unix) session opened for user test by (uid=0)
Feb 20 13:45:27 svn pam_winbind[6526]: pam_winbind: pam_sm_open_session handler (flags: 0x)

So it is seeing that the test user is not part of any of
the allowed groups, but still the user is being logged
on.

What am I doing wrong?

Thanks,

Miguel



  


   
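An added detection example, not code from the thread, that runs over a constructed copy of Miguel's auth.log lines plus one extra constructed su attempt (PID 6530, user alice) for contrast. It groups the lines by su PID and flags any PID that opened a session after every pam_succeed_if requirement in the account stage was reported unmet. In the posted log the first line, `su: Permission denied` followed by `(Ignored)`, is shadow's su saying that the account stage did return a denial and that, because su was invoked by root, it carried on regardless; so a session opening right after an unmet-requirement pair is exactly the pattern to alert on, and the policy itself has to be exercised from an unprivileged account to see it enforced. The script keys on PID only, so on a long log that recycles PIDs add the timestamp to the key:

```shell
#!/bin/sh
# Added example; not code from the thread.  Groups Debian-style auth.log lines
# by su PID and flags a PID that opened a session even though the account
# stage reported every pam_succeed_if requirement unmet.  The log shape is the
# one Miguel posted; the second su attempt (PID 6530, user alice) is
# constructed here for contrast.

# sample_auth_log -> a constructed copy of the thread's log, one line each
sample_auth_log() {
    cat <<'EOF'
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: 'user' resolves to 'test'
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: requirement "user ingroup wheel" not met by user "test"
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: 'user' resolves to 'test'
Feb 20 13:45:27 svn su[6526]: pam_succeed_if: requirement "user ingroup Technology" not met by user "test"
Feb 20 13:45:27 svn su[6526]: Successful su for test by root
Feb 20 13:45:27 svn su[6526]: + pts/0 root:test
Feb 20 13:45:27 svn su[6526]: (pam_unix) session opened for user test by (uid=0)
Feb 20 13:45:58 svn su[6530]: pam_succeed_if: requirement "user ingroup wheel" not met by user "alice"
Feb 20 13:45:58 svn su[6530]: pam_succeed_if: requirement "user ingroup Technology" not met by user "alice"
EOF
}

# audit_su_log FILE -> one line per su PID:
#   "<pid> <user> unmet=<count of unmet requirements> session=<yes|no>"
audit_su_log() {
    awk '
    # pull the PID out of "su[6526]:"
    function pid_of(line) {
        if (match(line, /su\[[0-9]+\]/))
            return substr(line, RSTART + 3, RLENGTH - 4)
        return ""
    }
    /pam_succeed_if: requirement .* not met by user/ {
        p = pid_of($0); seen[p] = 1; unmet[p]++
        if (match($0, /by user "[^"]*"/))
            user[p] = substr($0, RSTART + 9, RLENGTH - 10)
    }
    /session opened for user/ {
        p = pid_of($0); seen[p] = 1; opened[p] = 1
        if (!(p in user) && match($0, /for user [^ ]+/))
            user[p] = substr($0, RSTART + 9, RLENGTH - 9)
    }
    END {
        for (p in seen)
            printf "%s %s unmet=%d session=%s\n", p, user[p], unmet[p] + 0, ((p in opened) ? "yes" : "no")
    }' "$1"
}

# flagged FILE -> only the PIDs where a session opened despite unmet requirements
flagged() {
    audit_su_log "$1" | awk '/unmet=[1-9]/ && /session=yes/'
}

# Stand-alone run: invoke this file with --demo to print the flagged PID.
if [ "${1:-}" = "--demo" ]; then
    log=$(mktemp)
    sample_auth_log > "$log"
    flagged "$log"          # 6526 test unmet=2 session=yes
    rm -f "$log"
fi
```

On the sample above `flagged` reports PID 6526 (user test, both requirements unmet, session opened) and stays silent on PID 6530, where the denial stood.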


Re: [Samba] Re: cifs verses smbfs for Linux clients

2008-02-20 Thread Jeremy Allison
On Wed, Feb 20, 2008 at 11:54:14AM +0100, Volker Lendecke wrote:
> On Wed, Feb 20, 2008 at 12:56:00AM -0800, Steve Langasek wrote:
> > Is this a problem practically, or is it a matter of the Samba Team's
> > licensing policy?
> > 
> > As this is a stand-alone shell script, I wouldn't expect there to be any
> > license compatibility issues; but if it's a requirement that even shell
> > scripts be GPLv3 to ship with Samba, I'll concede "GPLv2 or greater".
> 
> Well, it's not a strict requirement. But we would like it to
> be as consistent as possible.
> 
> What do others think? Can we replace smbmount with such a
> wrapper for 3.2? Jeremy? Jerry?

I think if we're going to make such a change, 3.2 is the
time to do it :-).

Still ill, sorry for the slow response.

Jeremy


[Samba] Need help upgrading from 3.0.4 to 3.0.28

2008-02-20 Thread Joe

I have a FreeBSD 5.2.1 machine running Samba 3.0.4.  I am going to
upgrade Samba to 3.0.28.  The process I would follow would be...

download source
configure
make
make install

My questions are...

1. Can I "make install" with users connected to the samba
   server and using shares?

2. Can I just restart nmbd and smbd to run the new version?
   What happens to connected users if I restart nmbd and smbd?

3. Will I need to change anything in smb.conf?

4. Will any of the samba databases (users) get destroyed/erased/
   changed?

Sorry for all the questions, I'm just nervous about creating
a big mess during the upgrade.


[Samba] LDAP adding workstation accounts fails (but not really???)

2008-02-20 Thread Pat Riehecky
This is highly weird.  I am trying to set up LDAP as the backend for my
samba test system. All is going well, except for adding workstation
accounts to the server.

# net rpc join -S TESTING -U root%password
Creation of workstation account failed
Unable to join domain IWU.EDU.

Yet, if I search LDAP after the join attempt I find:

dn: uid=testing$,ou=Computers,dc=iwu,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
cn: testing$
uid: testing$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer


My LDAP logs show it is searching ou=People rather than ou=Computers to
see if it was added successfully.  What must I do to make it search
ou=Computers?

testparm reports the following in my smb.conf global section and reports
no errors.

[global]
workgroup = TESTING
netbios name = TESTING
server string = %h server
security = DOMAIN
passdb backend = ldapsam:ldap://localhost
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
load printers = No
add machine script = smbldap-useradd -w -s /bin/false "%u"
domain logons = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
ldap admin dn = cn=admin
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=iwu,dc=edu
ldap ssl = no
ldap user suffix = ou=People
panic action = /usr/share/samba/panic-action %d
idmap uid = 15000-25000
idmap gid = 15000-25000





Re: [Samba] Problem with samba+openldap with regard changing passwords from windows

2008-02-20 Thread Edmundo Valle Neto

(...)


Here you go...

http://pastebin.com/f61c911dd - logs

In answer to your questions...

Yeah that command works as root on the CLI
Samba version is 3.0.25b-1.el5_1.4
No I used the RPM's
OpenLDAP version...
slapd -V
@(#) $OpenLDAP: slapd 2.3.27 (Nov 10 2007 09:24:08) $
   
[EMAIL PROTECTED]:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd 



Many thanks for your help.  It is much appreciated.

Alan


...
[2008/02/20 10:06:11, 3] smbd/chgpasswd.c:chat_with_program(430)
 chat_with_program: Dochild for user alan (uid=0,gid=0) (as_root = Yes)
[2008/02/20 10:06:14, 2] smbd/chgpasswd.c:expect(285)
 expect: Success
[2008/02/20 10:06:14, 3] smbd/chgpasswd.c:talktochild(316)
 Response 1 incorrect
...

Your log is showing that something is going wrong when chatting with the 
passwd program.


1. Asking again, have you tried to use only "ldap passwd sync = yes and 
unix password sync = no"? This way the password program is not used.


2. Enable password chat debug "passwd chat debug = yes" and raise the 
log level to 100 in the related debug class, "log level = 3 smb:100". It 
will print even your passwords used in the chat.


You can raise the log level to a specific machine if you have other 
useless traffic together:

http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/bugreport.html

Either the error is there or you have a samba version with broken password 
chat processing (I don't know CentOS).



Regards.

Edmundo Valle Neto


Re: [Samba] understanding the ldap backend

2008-02-20 Thread Lionel Pinkhard
Hi,

Can someone confirm if it's necessary to have nss? I don't have nss in my 
configuration (I'm running OpenBSD, so it's a little different) and it's not 
working, I've also tried adding LDAP users to my /etc/passwd for my samba users 
as an experiment, but I couldn't get them to authenticate with LDAP through a 
shell, nor did it help Samba in any way so I removed them again. According to 
the logs, login_ldap (the bsd_auth module for ldap authentication) is 
attempting to communicate with openldap with ldapv2, which openldap doesn't 
support, so it appears this technique is impossible as far as I could figure 
out. However, it is strange that login_ldap and openldap ship together in the 
same version of the bsd packages collection, yet they communicate with 
different versions. Anyways, I need LDAP authentication for users with shell 
access, but luckily not on this server, they will only need to authenticate 
against this server, not login to the server itself via SSH or shell, only log 
in onto the shell on Linux workstations (which can 
easily be configured to authenticate with my OpenBSD openldap server using 
ldapv3). Anyways, this is a bit off-topic I think, but does this in any way 
relate to Samba? If I don't have users in my /etc/passwd file can't they log in 
to Samba?

Btw I don't think that should break my configuration, considering that I should 
still be able to log in as root since root has account in both LDAP and 
/etc/passwd, though the problem I'm experiencing with my configuration is that 
I don't even get an opportunity to log in, it just bluntly throws at me "The 
specified network name is no longer available" (in most cases, though during 
this stage I cannot see anything being logged in Samba - maybe Windows caches 
the first attempt and then doesn't give "Access is denied" until you reboot? As 
usually when I reboot I get "Access is denied" again), though the first time it 
shows "Access is denied", the same happens with NET VIEW, yet, I'm not given a 
single opportunity to log in, on joining a domain (attempting to) it throws the 
same messages at me, dcdiag.txt also isn't much help. I have also tried setting 
my Windows username and password to match a Samba username and password 
(although I don't think this should be required).

Another thing, is it possible to hide a certain folder in every user's home 
directory from them when viewing with Samba? I've got a Maildir in each user's 
home directory to keep mail, but it's owned by vmail anyway (I know I should 
probably use virtual aliases and domains for this, but this seems to fit my 
scenario better), so the user can't access it, would just like them to not see 
it, if it's in any way possible. (Though this is not serious, since currently, 
my users can't even connect!)

Regards

Lionel

- Original Message 
From: Adam Williams <[EMAIL PROTECTED]>
To: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Cc: samba@lists.samba.org
Sent: Wednesday, 20 February 2008 9:33:53
Subject: Re: [Samba] understanding the ldap backend



[EMAIL PROTECTED] wrote:
> Hello List,
>
> i am trying to understand the LDAP-backend i just set up. Maybe 
> someone can help me a little understanding the whole magic.
>
> In smb.conf i have my smbldap-tools scripts:
>  # use the smbldap-tools scripts
>  add user script = /usr/sbin//smbldap-useradd -m "%u"
>  delete user script = /usr/sbin//smbldap-userdel "%u"
>  add machine script = /usr/sbin//smbldap-useradd -w "%u"
>  add group script = /usr/sbin//smbldap-groupadd -p "%g"
>  delete group script = /usr/sbin//smbldap-groupdel "%g"
>  add user to group script = /usr/sbin//smbldap-groupmod -m "%u" "%g"
>  delete user from group script = /usr/sbin//smbldap-groupmod -x "%u" "%g"
>  set primary group script = /usr/sbin//smbldap-usermod -g "%g" "%u"
>
>
> and some ldap specific stuff:
>  passdb backend = ldapsam:ldap://127.0.0.1/
>  ldap admin dn = cn=Manager,dc=example,dc=net
>  ldap suffix = dc=example,dc=net
>  ldap group suffix = ou=Groups
>  ldap user suffix = ou=Users
>  ldap machine suffix = ou=Computers
>  ldap idmap suffix = ou=Users
>  idmap backend = ldap://127.0.0.1
>  #ldap ssl = start tls
>  ldap delete dn = Yes
>
>
>
> 1.) Now how does the authentication exactly work? Does samba talk 
> directly to the ldap database and verify user/password?
> 2.) I guess changing/deleting passwords/users is being made by the 
> smbldap-tools.
> 3.) How does samba get the user ids? By contacting the ldap database 
> directly again?
> 4.) How does samba get the user/group of files and folders? By nss?
> 5.) Has samba got anything to do with nss/libnss-ldap?
>
>
> Thanks, Mario

1) yes
2) you can use smbldap-passwd to change a user's password if you want to 
set the passwd chat, unix password sync, etc.  or you can just set ldap 
passwd sync = yes and let samba handle the password changing directly
3) yes
4) yes
5) i think so, i have nss_ldap working because my users need shell 
access for database/html work.  i

Re: [Samba] Problem connecting to Samba server

2008-02-20 Thread Lionel Pinkhard
Hi,

Well, thanks for reading, would appreciate *ANY* help! Here goes...

[2008/02/19 18:05:51, 0] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/smbd/server.c:main(944)
  smbd version 3.0.25b started.
  Copyright Andrew Tridgell and the Samba Team 1992-2007
[2008/02/19 18:05:51, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/param/loadparm.c:do_section(3780)
  Processing section "[homes]"
[2008/02/19 18:05:51, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/param/loadparm.c:do_section(3780)
  Processing section "[netlogon]"
[2008/02/19 18:05:51, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/param/loadparm.c:do_section(3780)
  Processing section "[printers]"
[2008/02/19 18:05:51, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/param/loadparm.c:do_section(3780)
  Processing section "[tmp]"
[2008/02/19 18:05:51, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/param/loadparm.c:do_section(3780)
  Processing section "[profiles]"
[2008/02/19 18:05:51, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/param/loadparm.c:do_section(3780)
  Processing section "[public]"
[2008/02/19 18:05:51, 3] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/param/loadparm.c:lp_add_ipc(2701)
  adding IPC service
[2008/02/19 18:05:51, 3] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/printing/pcap.c:pcap_cache_reload(117)
  reloading printcap cache
[2008/02/19 18:05:51, 3] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/printing/pcap.c:pcap_cache_reload(223)
  reload status: ok
[2008/02/19 18:05:51, 3] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/printing/pcap.c:pcap_cache_reload(117)
  reloading printcap cache
[2008/02/19 18:05:51, 3] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/printing/pcap.c:pcap_cache_reload(223)
  reload status: ok
[2008/02/19 18:05:56, 0] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/nmbd/nmbd.c:main(697)
  Netbios nameserver version 3.0.25b started.
  Copyright Andrew Tridgell and the Samba Team 1992-2007
[2008/02/19 18:05:56, 3] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/nmbd/nmbd.c:reload_nmbd_services(261)
  services not loaded
[2008/02/19 18:05:56, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/nmbd/nmbd.c:main(721)
  Becoming a daemon.
[2008/02/19 18:05:56, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/lib/tallocmsg.c:register_msg_pool_usage(105)
  Registered MSG_REQ_POOL_USAGE
[2008/02/19 18:05:56, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/lib/dmallocmsg.c:register_dmalloc_msgs(75)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2008/02/19 18:05:56, 3] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/nmbd/nmbd.c:main(759)
  Opening sockets 137
[2008/02/19 18:05:56, 3] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/nmbd/nmbd.c:open_sockets(615)
  open_sockets: Broadcast sockets opened.
[2008/02/19 18:05:56, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/lib/interface.c:add_interface(81)
  added interface ip=10.0.0.1 bcast=10.255.255.255 nmask=255.0.0.0
[2008/02/19 18:05:56, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/nmbd/nmbd_subnetdb.c:make_subnet(144)
  making subnet name:10.0.0.1 Broadcast address:10.255.255.255 Subnet 
mask:255.0.0.0
[2008/02/19 18:05:56, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/nmbd/nmbd_subnetdb.c:make_subnet(144)
  making subnet name:UNICAST_SUBNET Broadcast address:10.0.0.1 Subnet 
mask:10.0.0.1
[2008/02/19 18:05:56, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/nmbd/nmbd_subnetdb.c:make_subnet(144)
  making subnet name:REMOTE_BROADCAST_SUBNET Broadcast address:0.0.0.0 Subnet 
mask:0.0.0.0
[2008/02/19 18:05:56, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/nmbd/nmbd_subnetdb.c:make_subnet(144)
  making subnet name:WINS_SERVER_SUBNET Broadcast address:0.0.0.0 Subnet 
mask:0.0.0.0
[2008/02/19 18:05:56, 2] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/nmbd/nmbd_lmhosts.c:load_lmhosts_file(41)
  load_lmhosts_file: Can't open lmhosts file /etc/samba/lmhosts. Error was No 
such file or directory
[2008/02/19 18:05:56, 3] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/nmbd/nmbd.c:main(778)
  Loaded hosts file /etc/samba/lmhosts
[2008/02/19 18:05:56, 3] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/nmbd/nmbd_namelistdb.c:add_name_to_subnet(247)
  add_name_to_subnet: Added netbios name *<00> with first IP 10.0.0.1 ttl=0 
nb_flags=60 to subnet WINS_SERVER_SUBNET
[2008/02/19 18:05:56, 3] 
/usr/obj/ports/samba-3.0.25b-cups-ldap/samba-3.0.25b/source/nmbd/nmbd_namelistdb.c:add_name_to_subnet(247)
  add_name_to_subnet: Added netbios name *<20> with first IP 10.0.0.1 ttl=0 
nb_flags=60 to subnet WINS_SERVER_SUBNET
[2008/02/19 18:05:56, 3] 
/usr/obj/ports/samba-3.

Re: [Samba] Re: cifs verses smbfs for Linux clients

2008-02-20 Thread simo

On Wed, 2008-02-20 at 11:54 +0100, Volker Lendecke wrote:
> On Wed, Feb 20, 2008 at 12:56:00AM -0800, Steve Langasek wrote:
> > Is this a problem practically, or is it a matter of the Samba Team's
> > licensing policy?
> > 
> > As this is a stand-alone shell script, I wouldn't expect there to be any
> > license compatibility issues; but if it's a requirement that even shell
> > scripts be GPLv3 to ship with Samba, I'll concede "GPLv2 or greater".
> 
> Well, it's not a strict requirement. But we would like it to
> be as consistent as possible.
> 
> What do others think? Can we replace smbmount with such a
> wrapper for 3.2? Jeremy? Jerry?

Uhmm, I think wrappers like this should be distribution specific; maybe
we can put it in the examples?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <[EMAIL PROTECTED]>
Senior Software Engineer at Red Hat Inc. <[EMAIL PROTECTED]>



[Samba] using MD5 to cipher password

2008-02-20 Thread Luigi Santangelo
Hi everybody, 
When I create a new user with smbpasswd -a, can I encrypt the password 
with MD5 protocol instead of NTLM protocol?
What I would like to do is insert a new user into the smbpasswd file with
its password encrypted with MD5.
Thanks
Best regards






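The question above asks for an MD5 of the password in the smbpasswd file. The following is an added example, not Samba code, showing why the secret smbpasswd keeps is the NT hash (MD4 over the UTF-16LE password) and nothing else: the client's NTLMv2 response is keyed on that hash, so the server can only verify the response if it holds the same hash. MD4 is implemented in pure Python so the example runs where OpenSSL has MD4 disabled; the MD4 test vectors are the RFC 1320 ones, and the user name, domain, challenge and blob values in the usage part are constructed for the example. The function names (md4, nt_hash, md5_password, client_response, server_accepts) are mine.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 as in RFC 1320: three 16-step rounds over each 512-bit block."""
    def rot(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def ff(x, y, z):
        return (x & y) | (~x & z)

    def gg(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def hh(x, y, z):
        return x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                   # round 1
            a = rot((a + ff(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2: X[0,4,8,12,1,5,...]
            a = rot((a + gg(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK,
                    (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3: X[0,8,4,12,2,10,...]
            k = int(format(i, "04b")[::-1], 2)
            a = rot((a + hh(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """The NT hash smbpasswd / sambaNTPassword store: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le"))


def md5_password(password: str) -> bytes:
    """What the question asks to store instead; shown here only to see it fail."""
    return hashlib.md5(password.encode("utf-8")).digest()


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user)+domain in UTF-16LE."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_proof(nthash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: HMAC-MD5 keyed with NTOWFv2 over server challenge + client blob.
    The blob's internal timestamp/client-challenge layout is treated as opaque here."""
    return hmac.new(ntowf_v2(nthash, user, domain), server_challenge + blob, hashlib.md5).digest()


def client_response(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: the typed password is reduced to its NT hash and the proof derived from that."""
    return ntlmv2_proof(nt_hash(password), user, domain, server_challenge, blob)


def server_accepts(stored_secret: bytes, user: str, domain: str,
                   server_challenge: bytes, blob: bytes, proof: bytes) -> bool:
    """Server side: recompute the proof from the stored secret. This only matches when
    the stored secret is the NT hash; an MD5 of the password cannot be turned into it."""
    expected = ntlmv2_proof(stored_secret, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, proof)


if __name__ == "__main__":
    # Constructed values for the demonstration.
    chal, blob = bytes(range(8)), b"\x01\x01" + b"\x00" * 6 + b"\x11" * 8
    proof = client_response("password", "luigi", "EXAMPLE", chal, blob)
    print("NT hash of 'password':", nt_hash("password").hex())
    print("server holding NT hash accepts:", server_accepts(nt_hash("password"), "luigi", "EXAMPLE", chal, blob, proof))
    print("server holding MD5 accepts:   ", server_accepts(md5_password("password"), "luigi", "EXAMPLE", chal, blob, proof))
```

The same reasoning applies to the LM hash and to NTLMv1: whatever the client's response is keyed on is what the server must store, so the on-disk format is dictated by the wire protocol, not by the administrator's choice of hash.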

Re: [Samba] change in AD authentication behaviour since 3.0.24

2008-02-20 Thread Charles Marcus

On 2/19/2008, Robert Cohen ([EMAIL PROTECTED]) wrote:
> I'm not sure whether its the same problem as us.
>
> BTW I should mention that we're simply not using winbind.
> The behaviour I'm talking about is when an XP client machine attempts
> to connect to our server to get a network share.
>
> So winbind doesn't enter into the equation.


From the 3.0.25 release notes (3rd paragraph is most relevant to you):

"Member servers, domain accounts, and smb.conf
=

Since Samba 3.0.8, it has been recommended that all domain accounts
listed in smb.conf on a member server be fully qualified with the
domain name.  This is now a requirement.  All unqualified names are
assumed to be local to the Unix host, either as part of the server's
local passdb or in the local system list of accounts (e.g. /etc/passwd
or /etc/group).

The reason for this change is that smbd has transitioned from
access checks based on string comparisons to token based
authorization.  All names are resolved to a SID and then verified
against the logged on user's NT user token.  Local names will
resolve to a local SID, while qualified domain names will resolve
to the appropriate domain SID.

If the member server is not running winbindd at all, domain
accounts will be implicitly mapped to local accounts and their
tokens will be modified appropriately to reflect the local
SID and group membership.

For example, the following share will restrict access to the
domain group "Linux Admins" and the local group srvadmin.

[restricted]
path = /data
valid users = +"DOMAIN\Linux Admins" +srvadmin


--

Best regards,

Charles

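The release notes quoted above describe the move from string comparison to token-based authorization: every name in smb.conf is resolved to a SID and checked against the logged-on user's token, with unqualified names resolved on the local side and DOMAIN\name on the domain side. The following is an added Python model of that check, not Samba's code. The machine SID, domain SID, RIDs and group memberships are assumed illustrative values; every entry in the valid users string is treated as a group (the +, @ and & prefixes are all read the same way) and plain user entries are not modelled.

```python
# Assumed illustrative identifiers, not from any real domain.
LOCAL_SID = "S-1-5-21-1000000001-1000000002-1000000003"                 # machine SID
DOMAIN_SIDS = {"DOMAIN": "S-1-5-21-2000000001-2000000002-2000000003"}   # domain SID
LOCAL_GROUP_RIDS = {"srvadmin": 1001}                                    # local group -> RID
DOMAIN_GROUP_RIDS = {"DOMAIN": {"Linux Admins": 2001}}                   # domain group -> RID


def parse_valid_users(value):
    """Split a 'valid users' value into names, keeping a double-quoted
    "DOMAIN\\Linux Admins" together and stripping the +/@/& group prefix."""
    names, buf, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if buf:
                names.append(buf)
            buf = ""
        else:
            buf += ch
    if buf:
        names.append(buf)
    return [n.lstrip("+@&") for n in names]


def resolve_group(name):
    """Resolve one name to a group SID the way the release notes describe:
    DOMAIN\\group is looked up under the domain SID, an unqualified name only
    under the local machine SID. Returns None when that lookup fails."""
    if "\\" in name:
        domain, group = name.split("\\", 1)
        base = DOMAIN_SIDS.get(domain)
        rid = DOMAIN_GROUP_RIDS.get(domain, {}).get(group)
    else:
        base, rid = LOCAL_SID, LOCAL_GROUP_RIDS.get(name)
    return f"{base}-{rid}" if base and rid is not None else None


def domain_token(domain, user_rid, groups):
    """SID list of a logged-on domain user's NT token: the user SID plus the
    SIDs of the domain groups the user belongs to."""
    base = DOMAIN_SIDS[domain]
    return [f"{base}-{user_rid}"] + [f"{base}-{DOMAIN_GROUP_RIDS[domain][g]}" for g in groups]


def check_access(valid_users, token_sids):
    """Grant access if any resolvable 'valid users' entry yields a SID present in
    the token. Entries that did not resolve are reported, because an unqualified
    domain group silently becomes a lookup for a local group that does not exist."""
    unresolved, allowed = [], False
    for name in parse_valid_users(valid_users):
        sid = resolve_group(name)
        if sid is None:
            unresolved.append(name)
        elif sid in token_sids:
            allowed = True
    return {"allowed": allowed, "unresolved": unresolved}


if __name__ == "__main__":
    share = '+"DOMAIN\\Linux Admins" +srvadmin'
    token = domain_token("DOMAIN", 1105, ["Linux Admins"])
    print("qualified entry:  ", check_access(share, token))
    print("unqualified entry:", check_access('+"Linux Admins"', token))
```

When an expected group shows up in "unresolved", the name is being looked up on the wrong side (local instead of domain, or a domain name with no winbindd to resolve it); that is the symptom the release notes are warning about, and it is invisible to a string comparison.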

Re: [Samba] Samba crashing word and excell?

2008-02-20 Thread Tamas Csabina
>On Tue, Feb 05, 2008 at 05:31:42PM +, Benedict White wrote:
>> I am having some trouble with Samba. It was working fine on an old server 
>> with 3.0.21.
>> 
>> Now I have updated to 3.0.28 (via 3.0.25) and a bigger fatter faster server.
>> 
>> There are two problems. Firstly the new server seems slower than the old 
>> one, and some users 
>> are experiencing intermittent data loss via MS apps such as Word or Excell 
>> crashing.
>> 
>> The system runs on Arch Linux, with a slightly modified package to include 
>> winbind.

>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8576 
>> SO_SNDBUF=8576

On Tue, Feb 05, 2008 at 09:53PM, Jeremy Allison wrote:
> Remove the socket options line. It always amazes me that people
> think they can outguess the kernel for resource allocation.

> "socket options" hails from a time long long ago, when TCP
> was not so well tuned.

> Jeremy.


Mr. White mentioned 2 problems:

sys_acl_set_file type file failed
smb_set_file_dosmode: file_set_dosmode ... (Operation not permitted)


Is this 'socket options' line related to both problems? I'm having the
`smb_set_file_dosmode` error too.

From log.smbd:
[2008/02/19 10:33:09, 2] smbd/trans2.c:smb_set_file_dosmode(4151)
  smb_set_file_dosmode: file_set_dosmode of 
space/server/space/wcs/RCS/w_reset_date.c,v failed (Operation not permitted)
[2008/02/19 10:33:09, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/trans2.c(6048) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED

This problem occurred after updating to 3.0.26a.


Regards,
Tamas




[Samba] samba doesn't accept groups?

2008-02-20 Thread [EMAIL PROTECTED]
Hi you all!
this is my strange problem of the day!
I use Debian stable, linux 2.6.18-5-686, samba Version 3.0.24.

Here's my smb.conf

[global]
workgroup = NO1KNOWS
realm = NO1KNOWS
netbios name = PBT
server string = Rob's Samba
dns proxy = no
os level = 64
log file = /var/log/samba/log.%m
max log size = 50
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
invalid users = root
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
password server = 127.0.0.1
;   pam password change = no
socket options = TCP_NODELAY SO_SNDBUF=8192
local master = yes
domain master =yes
preferred master = yes
domain logons = yes
hosts allow = 127.0.0.1 192.168.3.2/32 192.168.3.3/32 192.168.3.4/32 192.168.3.9/32 192.168.3.22/32 192.168.3.93/32 192.168.2.93/32
logon path = \\%L\profiles\%u\%m
logon script = logon.bat
logon drive = H:
logon home = \\%L\%u\.win_profile\%m
time server = yes
logon home = \\%L\%U\.profile
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false %u
[netlogon]
comment = Network Logon Service
path = /usr/local/samba/lib/netlogon
read only = yes
write list = @admin
guest ok = no
writable = no
share modes = no
browsable = no
[homes]
comment = Home Directories
read only = no
browseable = no
writable = yes
create mask = 0600
directory mask = 0700
guest ok = no
map archive = yes

[Tutto]
path = /tutto
writable = yes
create mask = 0750
directory mask = 0750
browseable = yes
read only = no
guest ok = no

[Condivisa]
path = /condivisa
writable = yes
create mask = 0777
directory mask = 0777
browseable = yes
read only = no
guest ok = no

[EMAIL PROTECTED]:~$ smbmount  //pbt3/Condivisa /home/rob/Condivisa -o
username=rob,password=ZZ,uid=rob,gid=ufficio
[EMAIL PROTECTED]:~$

but this is what i get:

pbt:~# smbstatus 
WARNING: The "printer admin" option is deprecated

Samba version 3.0.24
PID Username  Group Machine
---
20761   rob   rob   192.168.3.93 (192.168.3.93)

Service  pid machine   Connected at
---
Tutto20761   192.168.3.93  Wed Feb 20 12:18:10 2008
Condivisa20761   192.168.3.93  Wed Feb 20 12:17:58 2008

No locked files

pbt:~#

It seems it doesn't accept GID.
any help?
Thanks in advance.



Re: [Samba] Re: cifs verses smbfs for Linux clients

2008-02-20 Thread Volker Lendecke
On Wed, Feb 20, 2008 at 12:56:00AM -0800, Steve Langasek wrote:
> Is this a problem practically, or is it a matter of the Samba Team's
> licensing policy?
> 
> As this is a stand-alone shell script, I wouldn't expect there to be any
> license compatibility issues; but if it's a requirement that even shell
> scripts be GPLv3 to ship with Samba, I'll concede "GPLv2 or greater".

Well, it's not a strict requirement. But we would like it to
be as consistent as possible.

What do others think? Can we replace smbmount with such a
wrapper for 3.2? Jeremy? Jerry?

Volker



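The thread above discusses replacing smbmount with a stand-alone shell wrapper around the cifs mount, and the "samba doesn't accept groups?" post earlier on this page shows the usual smbmount invocation with password=... on the command line, where it is visible to every user on the host via ps and lands in shell history. The following is an added example of such a wrapper, not Samba's smbmount or mount.cifs code: it takes smbmount-style arguments, moves username/password/domain into a 0600 credentials file and calls mount -t cifs with credentials=<file>. The function name smbmount_cifs and the CRED_FILE and DRY_RUN variables are mine; it assumes mount.cifs accepts a credentials file with username=, password= and domain= lines.

```shell
#!/bin/sh
# smbmount_cifs //server/share /mountpoint -o opt,opt,...
# Added example wrapper (not Samba code). A password given in -o is written to a
# 0600 credentials file instead of being passed on the mount.cifs command line.
# CRED_FILE, if set, names that file (otherwise mktemp creates one); DRY_RUN=1
# prints the mount command instead of running it and keeps the file for inspection.

smbmount_cifs() {
    service=$1
    mountpoint=$2
    shift 2
    if [ "$1" != "-o" ] || [ -z "$2" ]; then
        echo "usage: smbmount_cifs //server/share /mountpoint -o opt,opt,..." >&2
        return 2
    fi
    opts=$2

    cred=${CRED_FILE:-$(umask 077; mktemp)}
    : > "$cred"
    chmod 600 "$cred"

    # Split the comma-separated option list; secrets go to the file, the rest stays.
    keep=""
    old_ifs=$IFS
    IFS=','
    for item in $opts; do
        case $item in
            username=*)          echo "username=${item#username=}" >> "$cred" ;;
            password=*)          echo "password=${item#password=}" >> "$cred" ;;
            domain=*|workgroup=*) echo "domain=${item#*=}" >> "$cred" ;;
            "") ;;
            *)                   keep="$keep,$item" ;;
        esac
    done
    IFS=$old_ifs

    cmd="mount -t cifs $service $mountpoint -o credentials=$cred$keep"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$cmd"
        return 0
    fi
    $cmd
    status=$?
    rm -f "$cred"   # mount.cifs has read it by now; do not leave the secret on disk
    return $status
}

# Example call, using the share and user from the post above with a placeholder password:
# DRY_RUN=1 smbmount_cifs //pbt3/Condivisa /home/rob/Condivisa -o username=rob,password=ZZ,uid=rob,gid=ufficio
```

On a real system the credentials file is better kept permanently under the user's home with mode 0600 and referenced from fstab, so the password never passes through a command line at all; the wrapper only closes the gap for scripts that still call the smbmount form.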
[Samba] Groupmapping Samba<->AD

2008-02-20 Thread Bernd Bednarz
Hi everyone,

I tried to map a group from my AD to my local unixgroup.
To get groups in samba I create one groupmap like this:

$ net groupmap add ntgroup="H+BEDV" unixgroup=hbedv

Now I want to map my H+BEDV group from AD to the same unixgroup.

$ net groupmap add sid=S-1-5-21-1024011789-1237596223-2747892489-1534 unixgroup=hbedv type=domain

But it doesn't work because there is already an entry for the unixgroup.
What should I do to map my Samba H+BEDV group to my AD H+BEDV group?


The background is that we want to migrate, and we want to do it step by step.
So we have some clients in the Samba domain and some in the AD domain.
I hope you understand what I want to do.


Best regards,
Bernd Bednarz


Re: [Samba] Problem with samba+openldap with regard changing passwords from windows

2008-02-20 Thread Alan Goodman

Edmundo Valle Neto wrote:

Alan Goodman escreveu:

Edmundo Valle Neto wrote:

Alan Goodman escreveu:
I have implemented samba with LDAP backend, domain logins and 
roaming profiles and everything is great - except for one thing.


No one can change their passwords from Windows; trying to change
your password results in Windows telling you you're not allowed to do
that!


I did smbldap-show alan and among other information the line: 
sambaPwdCanChange: 0 appeared.


From my understanding, if I do smbldap-usermod -A0 -B0 alan that
line should then be changed to have a value of 1, allowing users to
change passwords from their Windows logins; however, running the
above command does not appear to be changing these values at all,
and thus I'm left with manually running smbldap-passwd user to change each
person's password (which does work).


If someone could let me know which logs you require and how to 
obtain them I would be happy to post them up here.


OS = CentOS 5.1

Alan


Post your smb.conf.

Edmundo Valle Neto

http://pastebin.com/f5fba0114

Alan


netbios name = MARANATHACENTRA

NetBIOS names can have a maximum of 12 characters; it will probably be
truncated. (But this isn't related to your problem.)


You only need password options if you want the unix passwords to stay in
sync.


Then you only need "ldap passwd sync = Yes". It's commented out; have you
already tried it? What happens?


These three options together work too.
unix password sync = Yes
passwd program = /usr/local/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"


There's a double quote at the end that isn't needed (it's not opening
or closing any string); the old smbldap-tools documentation shows it
that way (wrong). I'm not sure whether it is really a problem.


If it doesn't work, given that you said it works at the command line, include
a piece of log at level 3 from when a client tries to change its password.


Regards.

Edmundo Valle Neto

Besides that, the configuration is right.

"/usr/local/sbin/smbldap-passwd -u anyuser" works when executed from 
the command line?

What Samba version do you use? Do you compile your own packages?

Here you go...

http://pastebin.com/f61c911dd - logs

In answer to your questions...

Yeah, that command works as root on the CLI.
Samba version is 3.0.25b-1.el5_1.4
No, I used the RPMs.
OpenLDAP version...
slapd -V
@(#) $OpenLDAP: slapd 2.3.27 (Nov 10 2007 09:24:08) $
   
[EMAIL PROTECTED]:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd 



Many thanks for your help.  It is much appreciated.

Alan


[Samba] sambaPwdMustChange attribute didn't get updated (3.0.27a)

2008-02-20 Thread Markus Kahle

Hi there,

I got into some trouble after updating my Samba installation to 3.0.27a.
My installation uses Samba 3.0.27a, OpenLDAP 2.2.13 and smbldap-tools 0.9.2
as an NT4-style PDC. Originally I used the installation guide from
smbldap-tools and everything worked fine. I also limited the access to
LDAP as described in the installation guide, with no problems.
After updating to 3.0.27a I realized that when using usrmgr.exe, the
password preferences in Policies -> Accounts didn't get saved; only the
password-length option got saved.
After doing some research, I managed to solve this by adding the
following LDAP attributes to the access rules in slapd.conf:


sambaMinPwdLength
sambaPwdHistoryLength
sambaLogonToChgPwd
sambaMaxPwdAge
sambaMinPwdAge
sambaLockoutDuration
sambaLockoutObservationWindow
sambaLockoutThreshold
sambaForceLogoff
sambaRefuseMachinePwdChange

But one problem still exists:

If Windows users change their password via the normal Windows dialog,
the password gets changed in LDAP, and the sambaLastChange attribute
also gets updated, BUT the sambaPwdCanChange and sambaPwdMustChange attributes
don't update, and so all the Maximum Password Age features, including
reminding users of their password expiration and forcing users to change their
password when it expires, don't work anymore.


I can't find any other possible access-rights problems within LDAP, so why
doesn't the sambaPwdMustChange attribute update??


The problem also exists when adding a new user. After the user changes his
password at first login, the sambaPwdMustChange attribute doesn't update.



slapd.conf digest
--
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=nssldap,ou=DSA,dc=bel-gmbh,dc=lan" write
    by self write
    by anonymous auth
    by * none

access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
    by * read

access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
    by self write
    by * read

access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaMinPwdLength,sambaPwdHistoryLength,sambaLogonToChgPwd,sambaMaxPwdAge,sambaMinPwdAge,sambaLockoutDuration,sambaLockoutObservationWindow,sambaLockoutThreshold,sambaForceLogoff,sambaRefuseMachinePwdChange
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
    by self read
    by * none

access to dn.base="dc=bel-gmbh,dc=lan"
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
    by * none

access to dn="ou=Users,dc=bel-gmbh,dc=lan"
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
    by * none

access to dn="ou=Groups,dc=bel-gmbh,dc=lan"
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
    by * none

access to dn="ou=Computers,dc=bel-gmbh,dc=lan"
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
    by * none

access to *
    by self read
    by * read
--


Thanks in advance for all hints and suggestions..



Bye,

Markus Kahle


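With slapd ACLs, the first "access to" clause whose target matches the requested attribute is the only one consulted, and inside it the first matching "by" decides; nothing later is looked at for that attribute. The following is an added example, not OpenLDAP or Samba code: a simplified evaluator for the attrs= clauses of the slapd.conf digest above, so one can ask which bind DN ends up with which privilege on a given attribute. Only the four attrs= clauses are embedded (the line-wrapped attribute list of the fourth is joined onto one line) and only the who-forms dn="...", self, anonymous, users and * are handled; the dn-scoped clauses, "access to *", filters, regex styles and control flags are not modelled. The user DN used below is constructed, and the function names are mine.

```python
import re

# The attrs= clauses from the slapd.conf digest above, in their original order.
ACL_TEXT = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=nssldap,ou=DSA,dc=bel-gmbh,dc=lan" write
    by self write
    by anonymous auth
    by * none
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
    by * read
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
    by self write
    by * read
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption,sambaMinPwdLength,sambaPwdHistoryLength,sambaLogonToChgPwd,sambaMaxPwdAge,sambaMinPwdAge,sambaLockoutDuration,sambaLockoutObservationWindow,sambaLockoutThreshold,sambaForceLogoff,sambaRefuseMachinePwdChange
    by dn="cn=samba,ou=DSA,dc=bel-gmbh,dc=lan" write
    by dn="cn=smbldap-tools,ou=DSA,dc=bel-gmbh,dc=lan" write
    by self read
    by * none
"""

# slapd privilege levels, weakest first; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def parse_acl(text):
    """Parse 'access to attrs=... by <who> <level> ...' clauses, preserving order."""
    rules = []
    for chunk in re.split(r"^\s*access to\s+", text, flags=re.M)[1:]:
        tokens = chunk.split()
        if not tokens[0].startswith("attrs="):
            raise ValueError("only attrs= clauses are modelled: " + tokens[0])
        attrs = {a.lower() for a in tokens[0][len("attrs="):].split(",")}
        by = [(tokens[i + 1], tokens[i + 2]) for i, t in enumerate(tokens) if t == "by"]
        rules.append({"attrs": attrs, "by": by})
    return rules


def who_matches(who, requester_dn, target_dn):
    """Match one <who> clause against the requester's bind DN ("" = anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn.lower() == target_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return requester_dn.lower() == who[4:-1].lower()
    raise ValueError("unsupported who clause: " + who)


def evaluate(rules, requester_dn, target_dn, attr):
    """Return (clause number, who, level) from the FIRST clause naming attr.
    If no 'by' in that clause matches, slapd grants nothing: (n, "implicit", "none").
    Returns None when no attrs= clause names the attribute at all."""
    for n, rule in enumerate(rules, 1):
        if attr.lower() in rule["attrs"]:
            for who, level in rule["by"]:
                if who_matches(who, requester_dn, target_dn):
                    return n, who, level
            return n, "implicit", "none"
    return None


def can(rules, requester_dn, target_dn, attr, wanted):
    """True if the granted level implies the wanted one (write implies read, ...)."""
    hit = evaluate(rules, requester_dn, target_dn, attr)
    return hit is not None and LEVELS.index(hit[2]) >= LEVELS.index(wanted)


RULES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    samba = "cn=samba,ou=DSA,dc=bel-gmbh,dc=lan"
    user = "uid=someone,ou=Users,dc=bel-gmbh,dc=lan"   # constructed user entry
    for attr in ("sambaPwdMustChange", "sambaPwdCanChange", "sambaPwdLastSet"):
        print(attr, "samba DSA:", evaluate(RULES, samba, user, attr), "self:", evaluate(RULES, user, user, attr))
```

Run against this digest, the evaluator shows the first clause answering for sambaPwdMustChange (self gets write there) while sambaPwdCanChange is first named in the fourth clause (self gets read), and the cn=samba DSA getting write on both; the same first-match rule is why "cn" is answered by the third clause rather than the fourth. Whether that is the cause of the symptom described above depends on which DN smbd binds as for the password change, which the evaluator lets you check directly.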

Re: [Samba] Joining Domain Problem only with XP SP2

2008-02-20 Thread Robert
On Sunday 17 February 2008, Rune Tønnesen wrote:
> Robert skrev:
> > On Saturday 16 February 2008, Doug VanLeuven wrote:
> >> Robert wrote:
> >>> I've having trouble getting XP SP2's to join a domain. Whenever I try
> >>> to join, at the point I'm asked for a user name and password with
> >>> permission to join the domain, I enter root and root's password, then
> >>> get the dreaded "Unknown user or bad password" error message.
> >>>
> >>> The clients are a mixed bunch with some 98's, 1 Win2K, a few XP SP1 (I
> >>> know, I know!, but it's not a priority to management who has me
> >>> fighting other fires), and the rest being XP SP2. I *ONLY* get the
> >>> error with XP SP2. The Win2K and SP1 all join no problem, so it
> >>> shouldn't be a problem with the Samba PDC or the config file else none
> >>> should be joining. The 98's aren't a problem of course. In fact, for
> >>> reasons I can't figure out, 2 of the SP2's joined too. What is stopping
> >>> the SP2's from joining?
> >>>
> >>> I've tried creating the machine accounts by hand, but that had no
> >>> effect. I cranked up the logging and it looks to me like root
> >>> authenticates correctly, but I still get the error.
> >>>
> >>> Background: The original Samba PDC machine was getting old so
> >>> management decided to trash it. I was tasked with putting together a
> >>> replacement machine. I am using Kubuntu 7.10 (Gutsy) with Samba
> >>> 3.0.26a. I disconnected the client machines from the domain (switched
> >>> them to workgroup), then tried to reconnect with the new server online.
> >>> The old server is physically gone.
> >>>
> >>> As I stated, only the XP SP2's are not joining. I'm including my
> >>> smb.conf, but considering the XP SP1's and the one Win2K (which is
> >>> actually running as a virtual machine with XP SP2 as a host OS; this XP
> >>> SP2 won't join) all join, the config file should be correct, and I have
> >>> a root user in my smbpassword file, and I'm typing the password
> >>> correctly. Therefore it has to be something to do with the SP2's.
> >>> Possibly some registry setting??? Right now the XP SP2's are running as
> >>> workgroup computers.
> >>>
> >>> Yes, the old domain and new domain name are the same, but I've already
> >>> tried changing the new name to something different then joining but
> >>> with no luck.
> >>>
> >>> #=== Global Settings
> >>> = [global]
> >>> debug level = 2
> >>> workgroup = hap
> >>> netbios name = linuxII
> >>> hosts allow = 192.168.1. 127.
> >>> printcap name = cups
> >>> load printers = yes
> >>> printing = cups
> >>> guest account = pcguest
> >>> log file = /var/log/samba/log.%m
> >>> max log size = 50
> >>> security = user
> >>> encrypt passwords = true
> >>> passdb backend = tdbsam
> >>> unix password sync = yes
> >>> passwd program = /usr/bin/passwd %u
> >>> passwd chat = *New*UNIX*password* %n\n
> >>> *ReType*new*UNIX*password*
> >>> %n\n*passwd:*all*authentication*tokens*updated*successfully* username
> >>> map = /etc/samba/smbusers
> >>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >>> interfaces = 192.168.1.8/32 127.0.0.1/32
> >>> bind interfaces only = true
> >>> local master = yes
> >>> os level = 34
> >>> domain master = yes
> >>> preferred master = yes
> >>> domain logons = yes
> >>> logon script =  home.bat
> >>> logon path = \\%L\profiles\%U
> >>> logon home = \\%L\%U
> >>> logon drive = H:
> >>> name resolve order = wins lmhosts bcast
> >>> wins support = yes
> >>> wins proxy = yes
> >>>  hide dot files = yes
> >>>  deadtime = 15
> >>>  disable spoolss = yes
> >>>  show add printer wizard = no
> >>>  add machine script = /usr/sbin/useradd -d /dev/null -s /bin/false %u
> >>>  time server = yes
> >>> # Share Definitions =
> >>>
> >>> [homes]
> >>>comment = Home Directory
> >>>browseable = no
> >>>writable = yes
> >>>
> >>> # Un-comment the following and create the netlogon directory for Domain
> >>> Logons [netlogon]
> >>>comment = Net
> >>>
> >>>  Logon Service
> >>>path = /home/netlogon
> >>>guest ok = yes
> >>>writable = no
> >>> #...Lots more shares...
> >>> #=end config file=
> >>
> >> Since it's just XP SP2, you might want to look at the XP firewall
> >> settings that were added by default during the SP2 update.  Get there
> >> Control Panel/Windows Firewall.  In there is file and printer sharing
> >> blocking on by default for notebooks and computers directly on the
> >> internet. Maybe you already looked at this.  Nothing else stands out.
> >>
> >> Regards, Doug
> >
> > It's a good thought. I'll check it, but I don't think that's the problem.
> > As I said, the XP SP2's are functioning as workgroup computers for now,
> > so the users can access their home shares just fine. Unless I'm badly
> > mistaken, file and printer sharing blocking, if on, should block this
> > too.
>
> Hi

Re: [Samba] change in AD authentication behaviour since 3.0.24

2008-02-20 Thread John Hodrien

On Wed, 20 Feb 2008, Robert Cohen wrote:

> Ok, I thought winbind was only relevant if you were using AD as a NSS (name
> service source). We have all the users in the name service from LDAP or
> NIS+. We're only getting the passwords from AD.
>
> I guess this could be an unusual combination and could be what's causing our
> problems...


Probably unusual.  I do that too, running ldap/krb5 for NSS and samba server.
Setting ACLs from the client doesn't work unless winbind is running, as the
server needs to map SIDs to UIDs.

jh

--
"Clothes make the man.  Naked people have little or no influence on society."
 -- Mark Twain