[Samba] point and print

2008-08-11 Thread Adel ESSAFI
Dear list,
I use Samba to share my Linux files and printer, but not as a PDC. The smb.conf
is listed below.
When I log on to a Windows XP client and try to install a printer, the driver
is not uploaded to the server.
The driver folder remains empty. Could you help, please?
Regards
Adel
PS: I have followed this tutorial:
http://www.tux-planet.fr/serveur-d-impression-avec-samba-sous-fedora-core/

[global]
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *passwd:*password\supdated\ssuccessfully* .
socket options = TCP_NODELAY

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
create mask = 0700
use client driver = no
write list = adel


[ADEL]
path = /home/adel/
case sensitive = no
strict locking = no
msdfs proxy = no
guest ok = yes
read only = no


[print$]
comment = Drivers pour imprimantes
path =  /var/spool/samba/drivers
browseable = yes
guest ok = yes
read only = yes
write list = root adel


-- 
PhD candidate in Computer Science
Address
BP 108, Bureau de poste Tunis republique
1001 Tunis
Tunisia
tel: +216 97 246 706
fax: +216 71 391 166
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Parameter "idmap backend" is deprecated ???

2008-08-11 Thread Volker Lendecke
On Tue, Aug 12, 2008 at 12:23:18AM +0200, Andreas Ladanyi wrote:
> why is this parameter deprecated ?
> 
> I have to set this parameter if i want to get my user/group information 
> from Active Directory with SFU AD schemata extension.
> 
> Is there a new parameter instead of "idmap backend" ???

It will come back in 3.3 :-)

Volker



[Samba] Removing account/passwd synchronization requirement

2008-08-11 Thread Henry S
I have a basic Samba server up and running. From my XP clients I can only 
connect to the Samba share if I have identical account names / passwords on 
both the XP client and the Linux server. How can I eliminate this 
requirement so that an XP user can log into any valid account on the 
Linux server and connect to the Samba share?


Thanks
Henry


Re: [Samba] Cant Set Password on Windows Side.

2008-08-11 Thread Gary Dale

Try setting the log level to something like 10.


Jeff L wrote:

Hi Gary,

Yes to all of the above.  Yes userpasswd is what we use on all of our servers. 
This one in particular is causing trouble.

Is there a log file that gives more detail on the error? 



  

- Original Message -
From: "Gary Dale" <[EMAIL PROTECTED]>
To: 
Subject: Re: [Samba] Cant Set Password on Windows Side.

Date: Sun, 10 Aug 2008 20:41:39 -0400


There are several things that could be causing it.

1) is your passwd program really called userpasswd?
2) does the passwd chat really match what your passwd program expects?
3) have the windows machines joined the domain?
4) can the windows machines see the domain controller?



Jeff L wrote:


Hello All.

Samba ver 3.0.25b-1.1.cc

SMB.Conf

admin users = administrator
unix password sync = yes
os level = 65
domain master = yes
domain logons = yes
passwd program = /usr/sbin/userpasswd %u
passwd chat = *password:* %n\n *password:* %n\n *successfully.*
add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/fa$

security = user
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
syslog = false
netbios name = server
workgroup = WKGROUP
realm = WKGROUP.LOCAL

Is there anything in my config that will lead to this error message?

Domain users can't change their password by pressing Control-Alt-Delete. 
They get an error message stating the domain doesn't exist.





Re: [Samba] net ads join - DNS Update failed !

2008-08-11 Thread Gerald (Jerry) Carter

Andreas Ladanyi wrote:
> Hi,
> 
> it seems that all is working perfectly, but if start an "net ads join" i
> get the message "DNS Update failed !" .
> 
> What is the consequence if i dont care about this message ? Is the Samba
> Server (ADS member) only not registered  in the ADS DNS tree ?


Correct.




Re: [Samba] Samba just died? smbd/sec_ctx.c:set_sec_ctx(241)

2008-08-11 Thread Jeremy Allison
On Mon, Aug 11, 2008 at 06:07:10PM -0500, David C. Rankin wrote:
> Listmates,
> 
>   Running 3.2.1-0.1.126-1867-SUSE-SL10.3 (in standalone) I was quite 
>   surprised samba DOA. Further research show that it died shortly after 
> midnight with the last relevant log entries being:
> 
> [2008/08/10 00:24:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/08/10 00:24:15, 3] smbd/connection.c:yield_connection(69)
>   Yielding connection to
> [2008/08/10 00:24:15, 3] smbd/server.c:exit_server_common(768)
> 
>   After running samba since 2.0.7, this is the first time I have had 
>   it just die on me without me doing something to cause it to die. Any 
> thoughts on the matter? Can I provide additional information?

This doesn't look like death, but orderly termination.

Jeremy.


[Samba] Samba just died? smbd/sec_ctx.c:set_sec_ctx(241)

2008-08-11 Thread David C. Rankin

Listmates,

	Running 3.2.1-0.1.126-1867-SUSE-SL10.3 (in standalone) I was quite surprised 
samba DOA. Further research show that it died shortly after midnight with the 
last relevant log entries being:


[2008/08/10 00:24:15, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/10 00:24:15, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2008/08/10 00:24:15, 3] smbd/server.c:exit_server_common(768)

	After running samba since 2.0.7, this is the first time I have had it just die 
on me without me doing something to cause it to die. Any thoughts on the 
matter? Can I provide additional information?


--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com


RE: [Samba] Machine-level shares on Windows server

2008-08-11 Thread Jeremy Evans
Thanks, but that didn't seem to clarify anything.

I want to use the fact that I'm already part of the domain (& hence have some 
degree of authentication with the PDC) to avoid having a user-level share for a 
shared domain folder. You need to use -P or -U to get Samba to do anything. I 
have also used -k in testing, but that involved a user logon in order to get 
the Kerberos ticket or TGT

Regards,

Jeremy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 12 August 2008 09:26
To: Jeremy Evans
Subject: RE: [Samba] Machine-level shares on Windows server

http://www.linuxquestions.org/questions/linux-software-2/sambaunable-to-fetch-machine-password-315230/

http://www.mail-archive.com/samba@lists.samba.org/msg74713.html


Check out these articles. Might have something to do with using the "-P" 
parameter:

[EMAIL PROTECTED]:~# smbclient -P -L //sbs
ERROR: Unable to fetch machine password



 
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Evans
Sent: Monday, August 11, 2008 3:11 PM
To: Gerald (Jerry) Carter
Cc: samba@lists.samba.org
Subject: RE: [Samba] Machine-level shares on Windows server

That's just it - as I mentioned, I *have* joined the domain OK. At what
point am I supposed to receive a machine password?

A full transcript to illustrate the problem better:


[EMAIL PROTECTED]:~# net ads join -U administrator
administrator's password:
Using short domain name -- MYCOMPANY
Joined 'BUGZILLA' to realm 'MYCOMPANY.LOCAL'
[EMAIL PROTECTED]:~# net ads testjoin
Join is OK
[EMAIL PROTECTED]:~# smbclient -P -L //sbs
ERROR: Unable to fetch machine password


My smb.conf has the following setup:

security = ADS
realm = MYCOMPANY.LOCAL
workgroup = mycompany
password server = sbs.mycompany.local
wins support = no
wins server = sbs
invalid users = root
# Winbind settings
idmap uid = 1-2
idmap gid = 1-2
# For testing
debuglevel = 2


I'm sure there's something small & stupid I've overlooked, but what???

Jeremy

> -Original Message-
> From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 12 August 2008 03:30
> To: Jeremy Evans
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Machine-level shares on Windows server
> 
> 
> Jeremy Evans wrote:
> 
> > I realise that. I *did* give a 2nd example in my original post:
> >
> > $sudo smbclient -P -L //sbs
> > ERROR: Unable to fetch machine password
> >
> >
> > "net ads testjoin" returns an OK result at my end & the PDC shows the
> > machine as joined to the domain at the other.
> >
> > What I don't seem to be able to find out is just how the Windows PDC &
> > Samba interact to ensure that the Samba machine is a [trusted?] member
> > of the domain & therefore how to use that fact to allow machine-level
> > shares without having to perform a user-level login.
> 
> In that case, did you join the domain?  Unless, this is just a bug,
> that seems the obvious explanation.
> 
> 
> 
> 
> cheers, jerry


Re: [Samba] dos dir list issues

2008-08-11 Thread Jeremy Allison
On Mon, Aug 11, 2008 at 10:08:45PM +, srinivas aradhyula wrote:
> 
> i have a samba running on the linux file systems.
> from a windows box i mapped(z:)  to the linux file systems.
>  
> from the command prompt when cd to z: and make a dir 
>  
> the output  is not sorted by the name where as on linux it is coming fine.
>  
> dos ex:
> Z:\5_8_0_5\Base\TravelersCL>dir *.sql
>  Volume in drive Z is oracle
>  Volume Serial Number is 7B2F-0877
>  Directory of Z:\5_8_0_5\Base\TravelersCL
> 08/11/2008  05:14 PM 2,401 6000_COMPILE_STATUS.SQL
> 08/11/2008  05:14 PM   115 1000_DB_ENV.SQL
>  
>  
> from linux
> [EMAIL PROTECTED] TravelersCL]$ ls -l *.SQL
> -r-xr--r--  1 oracle oracle  115 Aug 11 17:14 1000_DB_ENV.SQL
> -r-xr--r--  1 oracle oracle 2401 Aug 11 17:14 6000_COMPILE_STATUS.SQL
> why is the sort order different for the client

There is no guaranteed sort order in directory listing
from CIFS.

Jeremy.


[Samba] net ads join - DNS Update failed !

2008-08-11 Thread Andreas Ladanyi

Hi,

it seems that all is working perfectly, but if I start a "net ads join" I 
get the message "DNS Update failed !" .


What is the consequence if I don't care about this message? Is the Samba 
Server (ADS member) only not registered in the ADS DNS tree?


Bye,

Andy



[Samba] Parameter "idmap backend" is deprecated ???

2008-08-11 Thread Andreas Ladanyi

Hi,

why is this parameter deprecated ?

I have to set this parameter if i want to get my user/group information 
from Active Directory with SFU AD schemata extension.


Is there a new parameter instead of "idmap backend" ???

Bye, Andy


[Samba] dos dir list issues

2008-08-11 Thread srinivas aradhyula

i have a samba running on the linux file systems.
from a windows box i mapped(z:)  to the linux file systems.
 
from the command prompt when cd to z: and make a dir 
 
the output  is not sorted by the name where as on linux it is coming fine.
 
dos ex:
Z:\5_8_0_5\Base\TravelersCL>dir *.sql
 Volume in drive Z is oracle
 Volume Serial Number is 7B2F-0877
 Directory of Z:\5_8_0_5\Base\TravelersCL
08/11/2008  05:14 PM 2,401 6000_COMPILE_STATUS.SQL
08/11/2008  05:14 PM   115 1000_DB_ENV.SQL
 
 
from linux
[EMAIL PROTECTED] TravelersCL]$ ls -l *.SQL
-r-xr--r--  1 oracle oracle  115 Aug 11 17:14 1000_DB_ENV.SQL
-r-xr--r--  1 oracle oracle 2401 Aug 11 17:14 6000_COMPILE_STATUS.SQL
why is the sort order different for the client
 
thanks
Srinivas
 


[Samba] Architecture on subnetted network

2008-08-11 Thread Julien Desfossez
Hello,

I have a question regarding the samba architecture in a big subnetted network.

For the example let's say I have 2 subnets dedicated for the servers
(10.1.1.0/24 and 10.1.2.0/24) and every computer in the domain are in
different subnets (10.2.x.0/24).

For load balancing reasons, I want to have a PDC and a BDC in site A
(10.1.1.1 and 10.1.1.2) and two BDCs on site B (10.1.2.1 and
10.1.2.2).
Half the computer should logon on site A and the other half on site B.

In such a network it's impossible to depend on broadcast, so I have
setup a WINS server on the PDC.

Now the problems:
- how do the BDCs in site B discover the PDC (remote announces?)?
- how will the workstations know they can log on to the BDCs if they
only know the PDC in the WINS?
- to answer the previous question, I can set up a WINS server on the
BDCs and configure the workstations with the WINS of the PDC and the
WINS of the BDC, but sometimes when I join a machine to the domain,
it tries to do it on the BDC and it fails.
- another option is to configure the WINS proxy in the BDCs, but if
the PDC fails, the entire domain will fail

I hope it's clear enough :-)

Any suggestion will be greatly appreciated !

Thanks,

Julien


[Samba] HPUX and Samba 3.023 question

2008-08-11 Thread Casey Dearcorn
I am sorry if this sounds dumb, but I am sort of a newbie with samba.

 

We have upgraded our active directory domain servers to 2008 and samba
3.07 will not bind to the directory anymore.  I have been told that I
need to upgrade past 3.022 in order to make it work?  First of all is
this true?  Second, when I went to install it and run it there is an
error that it can not find libldap-2.2.so.  I am assuming this is for
the HPUX IXOPENLDAP, but I am not sure.  In either case I can not find
this version to install.  I don't want to mess my box up, but I would
like to get my samba running correctly again.  Can anyone give me any
advice or information?

 

 

  

Casey Dearcorn
Database Manager
Northwest College
231 West 6th Street
Powell, Wy 82435

Office: 307.754.6084



[Samba] Re: AD on 2003R2 NT_STATUS_NO_SUCH_USER

2008-08-11 Thread Matt Anderson
> Which leads me to my next question -- after making the change to the primary
> group, I was able to authenticate successfully against the "testing" share as
> user TEST+test01 from my Windows XP box... however, with an examination of the
> file system, I determined that any files I created in this samba session end up
> having root permissions assigned to them (instead of test01).  For example:
> -rwxr--r--1 root staff 0 Aug 11 13:28 deleteme.txt
> -rwxr--r--1 root staff 0 Aug 11 13:28 test1234.txt
> 
> The group "staff" is correct, since that is gidNumber 1, however, the owner
> should be test01 instead of root.  What am I doing wrong?
> 

I solved the issue regarding writing as root -- I didn't realize that I had the
admin users property set on that share (or what it did exactly).  However, I'm
still curious about the LDAP attributes, so if anyone has any insight, I'd
really appreciate it.

Thanks!
-Matt
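
The cause identified in the message above, an `admin users` entry on a share (listed users perform all file operations on that share as root), can be checked for across a whole smb.conf. The following is an added example, not part of the original post; the sample configuration, share names and function names are constructed for illustration, and it assumes a value set in `[global]` acts as the default for every share.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = TEST
   security = ads

[testing]
   path = /srv/testing
   read only = no
   Admin Users = test01, @staff

[public]
   path = /srv/public
   read only = yes
"""


def _norm_param(name):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalized_param: value}}.

    Handles '#' and ';' comment lines and trailing-backslash line
    continuation. A later occurrence of a parameter overrides an
    earlier one in the same section.
    """
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            # Continuation: keep the text and join it with the next line.
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[_norm_param(key)] = value.strip()
    return sections


def shares_with_admin_users(text):
    """Return {share: [entries]} for every share where 'admin users'
    is effectively non-empty, either set on the share itself or
    inherited from [global].

    Entries are split on commas and whitespace, so quoted names that
    contain spaces are not handled by this sketch.
    """
    sections = parse_smb_conf(text)
    inherited = sections.get("global", {}).get("adminusers", "")
    findings = {}
    for name, params in sections.items():
        if name == "global":
            continue
        value = params.get("adminusers", inherited)
        users = [u for u in re.split(r"[,\s]+", value) if u]
        if users:
            findings[name] = users
    return findings


if __name__ == "__main__":
    for share, users in shares_with_admin_users(SAMPLE_SMB_CONF).items():
        print(f"[{share}] admin users = {', '.join(users)} "
              "(files created by these users will be owned by root)")
```

An empty `admin users =` line on a share overrides a `[global]` default, which is why the lookup uses the share's own value whenever the key is present.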





RE: [Samba] Machine-level shares on Windows server

2008-08-11 Thread Jeremy Evans
That's just it - as I mentioned, I *have* joined the domain OK. At what
point am I supposed to receive a machine password?

A full transcript to illustrate the problem better:


[EMAIL PROTECTED]:~# net ads join -U administrator
administrator's password:
Using short domain name -- MYCOMPANY
Joined 'BUGZILLA' to realm 'MYCOMPANY.LOCAL'
[EMAIL PROTECTED]:~# net ads testjoin
Join is OK
[EMAIL PROTECTED]:~# smbclient -P -L //sbs
ERROR: Unable to fetch machine password


My smb.conf has the following setup:

security = ADS
realm = MYCOMPANY.LOCAL
workgroup = mycompany
password server = sbs.mycompany.local
wins support = no
wins server = sbs
invalid users = root
# Winbind settings
idmap uid = 1-2
idmap gid = 1-2
# For testing
debuglevel = 2


I'm sure there's something small & stupid I've overlooked, but what???

Jeremy

> -Original Message-
> From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 12 August 2008 03:30
> To: Jeremy Evans
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Machine-level shares on Windows server
> 
> 
> Jeremy Evans wrote:
> 
> > I realise that. I *did* give a 2nd example in my original post:
> >
> > $sudo smbclient -P -L //sbs
> > ERROR: Unable to fetch machine password
> >
> >
> > "net ads testjoin" returns an OK result at my end & the PDC shows the
> > machine as joined to the domain at the other.
> >
> > What I don't seem to be able to find out is just how the Windows PDC &
> > Samba interact to ensure that the Samba machine is a [trusted?] member
> > of the domain & therefore how to use that fact to allow machine-level
> > shares without having to perform a user-level login.
> 
> In that case, did you join the domain?  Unless, this is just a bug,
> that seems the obvious explanation.
> 
> 
> 
> 
> cheers, jerry


[Samba] Re: AD on 2003R2 NT_STATUS_NO_SUCH_USER

2008-08-11 Thread Matt Anderson
Matt Anderson  hotmail.com> writes:

I think I may have solved why users were not being found.  When I tried doing
wbinfo -i test01, I got an error stating that information for user could not be
found.  After digging a little bit through the log files, I discovered that the
SID for the Windows Primary Group was being returned, instead of gidNumber for
the user's primary group.  So, I updated the Windows Primary Group in Active
Directory to match the one specified by gidNumber -- and at that point, I was
able to run wbinfo -i test01 and get the following result:
test01:*:50002:1:test01:/home/TEST/test01:/bin/false

The username, uid, and gecos are correct, however the home directory and shell
are incorrect.  If you look back at the previous post, the attributes in Active
Directory are as follows:

uid: test01
msSFU30Name: test01
msSFU30NisDomain: test
uidNumber: 50002
gidNumber: 1
unixHomeDirectory: /home/test01
loginShell: /usr/bin/ksh

So, my question is, what do I have to do to get Samba to retrieve the correct
attributes?  Or, is it even necessary? (Again, I'm using Windows Server 2003 R2)

Which leads me to my next question -- after making the change to the primary
group, I was able to authenticate successfully against the "testing" share as
user TEST+test01 from my Windows XP box... however, with an examination of the
file system, I determined that any files I created in this samba session end up
having root permissions assigned to them (instead of test01).  For example:
-rwxr--r--1 root staff 0 Aug 11 13:28 deleteme.txt
-rwxr--r--1 root staff 0 Aug 11 13:28 test1234.txt

The group "staff" is correct, since that is gidNumber 1, however, the owner
should be test01 instead of root.  What am I doing wrong?

Thanks again for your help!
-Matt




Re: [Samba] samba print server client job queues.

2008-08-11 Thread Volker Lendecke
On Mon, Aug 11, 2008 at 03:05:10PM -0500, Chris Jeter wrote:
>   I'm working on setting up a corporate print server with samba 
> 3.2.0-2.17 on a Fedora 9 install. I've been able to get the services up
> and running and added several printers via the cups interface, also
> been able to upload the windows drivers. This all works well, printing
> also works well. 
>   The problem that I am running into is that the old print jobs
> seem to be getting stored somewhere in samba and i've been unable to
> figure out how to turn this option off. I've set the 
> 
> PreserveJobHistory No
> PreserveJobFiles No

This is fixed in 3.2.1. See
https://bugzilla.samba.org/show_bug.cgi?id=5635

Volker



Re: [Samba] samba print server client job queues.

2008-08-11 Thread Gerald (Jerry) Carter

Chris Jeter wrote:
> Hello,
>   I'm working on setting up a corporate print server with samba 
> 3.2.0-2.17 on a Fedora 9 install. I've been able to get the services up
> and running and added several printers via the cups interface, also
> been able to upload the windows drivers. This all works well, printing
> also works well. 
>   The problem that I am running into is that the old print jobs
> seem to be getting stored somewhere in samba and i've been unable to
> figure out how to turn this option off. 

This bug was fixed in Samba 3.2.1.






cheers, jerry
--
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] samba print server client job queues.

2008-08-11 Thread Jeremy Allison
On Mon, Aug 11, 2008 at 03:05:10PM -0500, Chris Jeter wrote:
> Hello,
>   I'm working on setting up a corporate print server with samba 
> 3.2.0-2.17 on a Fedora 9 install. I've been able to get the services up
> and running and added several printers via the cups interface, also
> been able to upload the windows drivers. This all works well, printing
> also works well. 
>   The problem that I am running into is that the old print jobs
> seem to be getting stored somewhere in samba and i've been unable to
> figure out how to turn this option off. I've set the 

This is a known bug that was fixed for 3.2.1.

Sorry for the problem.

Jeremy.


Re: [Samba] Printer driver interface different

2008-08-11 Thread Gerald (Jerry) Carter

Matthew Forrest wrote:
> 
>> Does this driver contain a file named UNIDRV.DLL ?  It's probably a
>> difference in behavior between EMF and RAW printing.
>>
> 
> It doesn't contain UNIDRV.DLL
> It looks like it uses the generic windows PS driver PSCRIPT5.DLL with a
> bunch of extras - for the UI?
> The only difference between rpcclient -c 'enumdrivers 3' on samba vs
> win2k is that the win2k driver has a Monitorname: [RICOH Language
> Monitor2] entry.
> 
> Printer Driver Info 3:
> Version: [3]
> Driver Name: [RICOH Aficio Color5560 PS]
> Architecture: [Windows NT x86]
> Driver Path: [LOCALHOST\print$\W32X86\3\PSCRIPT5.DLL]
> Datafile: [LOCALHOST\print$\W32X86\3\RIC55603.PPD]
> Configfile: [LOCALHOST\print$\W32X86\3\PS5UI.DLL]
> Helpfile: [LOCALHOST\print$\W32X86\3\PSCRIPT.HLP]

Matthew,

Set the print processor to RAW on the Windows print server
and see if the appearance looks the same.




cheers, jerry
--
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


[Samba] samba print server client job queues.

2008-08-11 Thread Chris Jeter
Hello,
I'm working on setting up a corporate print server with samba 
3.2.0-2.17 on a Fedora 9 install. I've been able to get the services up
and running and added several printers via the cups interface, also
been able to upload the windows drivers. This all works well, printing
also works well. 
The problem that I am running into is that the old print jobs
seem to be getting stored somewhere in samba and i've been unable to
figure out how to turn this option off. I've set the 

PreserveJobHistory No
PreserveJobFiles No

options in my cupsd.conf file though this does not affect the queues
viewed by the clients, only the jobs viewable via the cups interface.
Even once the jobs have been manually deleted from the queue and no
longer show up when it is opened up, windows still shows job counts in
the printers and fax folder. 

These job counts seem to be getting stored in
the /var/lib/samba/printing*.tdb files. If i delete these the print
count goes back to 0 but will start counting back up as jobs move
through the printer.

My smb.conf is very basic 


[Global]

netbios name = twcps01
workgroup = https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Printer driver interface different

2008-08-11 Thread Matthew Forrest


On 11-Aug-08, at 10:34 AM, Gerald (Jerry) Carter wrote:



Ryan Novosielski wrote:

Had the same problem with the Aficio 350. You can just install the
driver locally and not use the Samba spool at all (direct IP printing).
That seems to be the best angle with my device. It's a shame, because it
really ought to work.


If I can't get the driver to 'look' right, the clients are still going  
thru a samba spool so I can do page accounting and restrict who prints  
color.  With the "use client driver = yes" option, I can install the  
driver locally.  The problem is I have to install the driver  
locally... I'd rather not do the walk! :)




Does this driver contain a file named UNIDRV.DLL ?  It's probably a
difference in behavior between EMF and RAW printing.



It doesn't contain UNIDRV.DLL
It looks like it uses the generic windows PS driver PSCRIPT5.DLL with  
a bunch of extras - for the UI?
The only difference between rpcclient -c 'enumdrivers 3' on samba vs  
win2k is that the win2k driver has a Monitorname: [RICOH Language  
Monitor2] entry.


Printer Driver Info 3:
Version: [3]
Driver Name: [RICOH Aficio Color5560 PS]
Architecture: [Windows NT x86]
Driver Path: [LOCALHOST\print$\W32X86\3\PSCRIPT5.DLL]
Datafile: [LOCALHOST\print$\W32X86\3\RIC55603.PPD]
Configfile: [LOCALHOST\print$\W32X86\3\PS5UI.DLL]
Helpfile: [LOCALHOST\print$\W32X86\3\PSCRIPT.HLP]

Dependentfiles: [LOCALHOST\print$\W32X86\3\JCUI.exe]
Dependentfiles: [LOCALHOST\print$\W32X86\3\RICJC32.DLL]
Dependentfiles: [LOCALHOST\print$\W32X86\3\Rc4manNT.dll]
Dependentfiles: [LOCALHOST\print$\W32X86\3\Ne60Cdat.dll]
Dependentfiles: [LOCALHOST\print$\W32X86\3\MFRICRES.dll]
Dependentfiles: [LOCALHOST\print$\W32X86\3\PS_SCHM.GDL]
Dependentfiles: [LOCALHOST\print$\W32X86\3\PSCRPTFE.NTF]
Dependentfiles: [LOCALHOST\print$\W32X86\3\PSCRIPT.NTF]
Dependentfiles: [LOCALHOST\print$\W32X86\3\E314PSHL.CHM]
Dependentfiles: [LOCALHOST\print$\W32X86\3\RI3141E3.XML]
Dependentfiles: [LOCALHOST\print$\W32X86\3\RI260CUI.DLL]
Dependentfiles: [LOCALHOST\print$\W32X86\3\RI260CRE.DLL]
Dependentfiles: [LOCALHOST\print$\W32X86\3\RIC55603.INI]

Monitorname: []
Defaultdatatype: []


Thanks,
Matt


Re: [Samba] High Cpu usage

2008-08-11 Thread Jason A. Nunnelley

Alex Montoanelli wrote:

In my /var/log/messages I see this message, but I don't know what it is, and
what I need to do.


This is not a high CPU use issue; it's a crash.

It's a segmentation fault, which means something crashed in samba.

You need to isolate the problem by tuning up your logs, isolating the 
problem, and removing it from the daemon's behavior.


Do you have a script of the install?  Or, do you have more logs?

1) How did you compile or install the program?
2) Provide your smb.conf.

Are you running Kerberos?  I don't know what cache is causing the 
problem, or why it's crashing from these logs, but I can tell you that 
you need to provide more information for the list to help you out. 
Someone may be able to explain it based on personal experience, but you 
can dig up more dirt.


--


Jason N


[Samba] High Cpu usage

2008-08-11 Thread Alex Montoanelli
Hello all.

I have a Samba 3.0.31, compiled and running on a FreeBSD 6.3-p3, and it
works fine.

But in some situations (situations not discovered yet) the use of CPU is
very high, as you can
see in the top command above.

In my /var/log/messages I see this message, but I don't know what it is, and
what I need to do.

Enabling the log file in smb.conf, I don't see anything strange, I guess...

So, anybody can help me ?

Thanks

Alex.


-/var/log/messages

34:16 propague smbd[55372]: [2008/08/11 16:34:16, 0]
lib/fault.c:fault_report(41)
Aug 11 16:34:16 propague smbd[55372]:
===
Aug 11 16:34:16 propague smbd[55372]: [2008/08/11 16:34:16, 0]
lib/fault.c:fault_report(42)
Aug 11 16:34:16 propague smbd[55372]:   INTERNAL ERROR: Signal 11 in pid
55372 (3.0.31)
Aug 11 16:34:16 propague smbd[55372]:   Please read the Trouble-Shooting
section of the Samba3-HOWTO
Aug 11 16:34:16 propague smbd[55372]: [2008/08/11 16:34:16, 0]
lib/fault.c:fault_report(44)
Aug 11 16:34:16 propague smbd[55372]:
Aug 11 16:34:16 propague smbd[55372]:   From:
http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
Aug 11 16:34:16 propague smbd[55372]: [2008/08/11 16:34:16, 0]
lib/fault.c:fault_report(45)
Aug 11 16:34:16 propague smbd[55372]:
===
Aug 11 16:34:16 propague smbd[55372]: [2008/08/11 16:34:16, 0]
lib/util.c:smb_panic(1627)
Aug 11 16:34:16 propague smbd[55372]:   smb_panic: clobber_region() last
called from [check_cache(414)]
Aug 11 16:34:16 propague smbd[55372]: [2008/08/11 16:34:16, 0]
lib/util.c:smb_panic(1633)
Aug 11 16:34:16 propague smbd[55372]:   PANIC (pid 55372): internal error

---




CPU states: 18.3% user,  0.0% nice, 81.7% system,  0.0% interrupt,  0.0% idle
Mem: 336M Active, 3109M Inact, 210M Wired, 163M Cache, 214M Buf, 16M Free
Swap: 10G Total, 8K Used, 10G Free

  PID USERNAME THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
26348 criacao    1 139    0 40248K  8088K RUN    1  22:08 21.04% smbd
51011 junior     1 139    0 40588K  8112K RUN    1   1:57 18.75% smbd
50753 andrea     1 139    0 40244K  8060K CPU1   1  20:32 16.50% smbd
52143 criacao    1 139    0 40532K  8136K RUN    1   1:40 13.53% smbd
26798 adriano    1 139    0 40200K  8020K RUN    0  28:05 11.23% smbd
51120 root       1 139    0 40404K  8004K RUN    1  10:54 11.23% smbd
50727 criacao    1 139    0 40516K  8108K RUN    0   2:00 10.50% smbd
26337 criacao    1 139    0 40116K  7976K RUN    0  32:16  9.77% smbd
27184 studio     1 139    0 40364K  8080K RUN    0  14:11  9.77% smbd
12947 root       1 139    0 47560K 15196K RUN    0  11:44  8.98% smbd
52155 bianca     1 139    0 40548K  8140K RUN    0   1:11  8.98% smbd
50893 root       1 139    0 40356K  8060K RUN    1  15:32  6.01% smbd
50939 bianca     1 139    0 41404K  9016K RUN    1   1:27  5.22% smbd
52181 root       1  76    0   184M   145M select 0   0:18  0.00% smbd
16068 root       1  76    0 57376K 17136K select 0   0:07  0.00% smbd
51139 root       1  76    0 55916K 23448K select 0   0:05  0.00% smbd
--




*Alex Montoanelli*

Administração e Gerência de Redes
Unetvale Conectividade 
+55 48 3263 8700


Re: [Samba] Mysterious new problem: nss_ldap: could not soft reconnect to LDAP server

2008-08-11 Thread Wes Modes
I didn't try that, but if it happens again I shall.  I knew the LDAP 
servers were working, but that the Samba server (via nss) wasn't talking 
to them.


What I ended up doing was turning off nss' use of TLS.  That fixed it.  
In RHEL, the command is authconfig.


Why it suddenly stopped talking to each other, I still don't know.

Obviously I need to come in during non-office hours and config and test 
and retest to get TLS working at both ends again.


Wes

John Drescher wrote:

> On Mon, Aug 11, 2008 at 2:20 PM, Wes Modes <[EMAIL PROTECTED]> wrote:
>
>> Suddenly as of this morning, none of my users can authenticate to samba
>> because nss_ldap is producing cryptic errors.  Nothing has changed on either
>> the LDAP server or the Samba server.  Looks like this in /var/log/messages:
>>
>> Aug 11 11:19:29 edgar smbd[8394]: nss_ldap: could not soft reconnect to LDAP
>> server - Server is unavailable
>
> Have you made sure your ldap servers are working?
>
> # slapcat
>
> # getent group
> # getent passwd
>
> John

--

Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208


Fwd: [Samba] Mysterious new problem: nss_ldap: could not soft reconnect to LDAP server

2008-08-11 Thread John Drescher
-- Forwarded message --
From: John Drescher <[EMAIL PROTECTED]>
Date: Mon, Aug 11, 2008 at 3:28 PM
Subject: Re: [Samba] Mysterious new problem: nss_ldap: could not soft
reconnect to LDAP server
To: Wes Modes <[EMAIL PROTECTED]>


On Mon, Aug 11, 2008 at 2:20 PM, Wes Modes <[EMAIL PROTECTED]> wrote:
> Suddenly as of this morning, none of my users can authenticate to samba
> because nss_ldap is producing cryptic errors.  Nothing has changed on either
> the LDAP server or the Samba server.  Looks like this in /var/log/messages:
>
> Aug 11 11:19:29 edgar smbd[8394]: nss_ldap: could not soft reconnect to LDAP
> server - Server is unavailable
>

Have you made sure your ldap servers are working?


# slapcat

# getent group
# getent passwd

John



-- 
John M. Drescher


[Samba] Mysterious new problem: nss_ldap: could not soft reconnect to LDAP server

2008-08-11 Thread Wes Modes
Suddenly as of this morning, none of my users can authenticate to samba 
because nss_ldap is producing cryptic errors.  Nothing has changed on 
either the LDAP server or the Samba server.  Looks like this in 
/var/log/messages:


Aug 11 11:19:29 edgar smbd[8394]: nss_ldap: could not soft reconnect to 
LDAP server - Server is unavailable


Yet, the LDAP server IS available, and happily chirping away serving as 
an LDAP server for several other services.  Only Samba seems to be 
having the trouble.


Anyone else encounter this?  I believe the library staff is headed to my 
office at just this moment with pitchforks and torches.  Please help.


Wes

--

Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208


[Samba] Uncontrolled sessions in Samba

2008-08-11 Thread Craig Andrew
We are running Samba 3.0.28a and have been running into a problem with 
sessions not closing out. A user will start using samba and be fine for 
a period of time. There is no specific time, but the sessions keep adding 
up. They look like this:


bender1886  4255  0 12:36 ?  00:00:00 /usr/local/samba/sbin/smbd -D
bender1887  4255  0 12:37 ?  00:00:00 /usr/local/samba/sbin/smbd -D
bender1891  4255  0 12:37 ?  00:00:00 /usr/local/samba/sbin/smbd -D
bender1893  4255  0 12:38 ?  00:00:00 /usr/local/samba/sbin/smbd -D
bender1906  4255  0 12:39 ?  00:00:00 /usr/local/samba/sbin/smbd -D
bender1909  4255  0 12:40 ?  00:00:00 /usr/local/samba/sbin/smbd -D
bender1943  4255  0 12:41 ?  00:00:00 /usr/local/samba/sbin/smbd -D
bender1979  4255  0 12:42 ?  00:00:00 /usr/local/samba/sbin/smbd -D
bender1984  4255  0 12:43 ?  00:00:00 /usr/local/samba/sbin/smbd -D


A new session every minute.  I have tried killing the sessions, but they 
eventually cause the user to not have access to the share they are 
trying to get to. My smb.conf looks like this:


[global]
debuglevel = 0
workgroup = CCDOM
server string = gobo.wi.mit.edu
hosts allow = x.x. 10.9. 10.5. x.x.x.
load printers = no
log file = /var/log/samba/smbd.log
log level = 1
max log size = 5

security = server

#winbind separator = +
winbind use default domain = yes
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%u
template shell = /bin/false
winbind trusted domains only = no

#idmap backend = ldap:ldap://localhost
#ldap idmap suffix = ou=Idmap
#ldap suffix = dc=samba,dc=wi,dc=mit,dc=edu
#ldap admin dn = cn=admin,dc=samba,dc=wi,dc=mit,dc=edu

nt acl support = no
use spnego = yes
password server = svr08 dc01 dc02
encrypt passwords = yes
unix password sync = no
pam password change = no
username map = /config/smbusers
obey pam restrictions = no
deadtime = 60

remote browse sync = x.x.0.0 x.x.255.255
remote announce = x.x.0.0 x.x.255.255
local master = no
os level = 33
domain master = no
preferred master = no
domain logons = no
wins support = no
wins server = x.x.x.x x.x.x.x
dns proxy = yes

nis homedir = yes
enhanced browsing = yes
kernel oplocks = yes
read raw = yes
write raw = yes
oplocks = yes
max xmit = 65535
deadtime = 15
blocking locks = no
getwd cache = yes
reset on zero vc = yes
mangled names = no

veto oplock files = /*.xls/*.doc/*.mdb/*.ppt/
veto files = /.AppleDouble/Network Trash Folder/TheVolumeSettingsFolder/
delete veto files = yes

The usual fix is a reboot, however, this is a problem in a production 
environment.


I have been getting errors in the samba log files:

[2008/08/11 08:40:35, 0] lib/util_sock.c:get_peer_addr(1232)
 getpeername failed. Error was Transport endpoint is not connected
 Denied connection from  (0.0.0.0)


The users that have had this problem are both Macintosh OS X and Windows 
XP. There is no pattern yet.


Has anyone seen this problem?

thanks,
Craig Andrew



[Samba] Re: AD on 2003R2 NT_STATUS_NO_SUCH_USER

2008-08-11 Thread Matt Anderson
Jason Gerfen  scl.utah.edu> writes:

> 
> Have you tried to look at the user account information using ldapsearch? 
> Just to ensure the POSIX account data is present in AD.
> 
> If you are attempting to authenticate as a domain user try the username 
> as DOMAIN\Username.
> 

Hi Jason,

Thanks for the quick reply.  I haven't tried using ldapsearch, but I have used
the lsldap command to list the attributes for test01 (which includes the R2
rfc2307 schema):
aixplay1-root /opt/pware/bin > lsldap -a passwd test01 
dn: CN=test01,OU=MIS,OU=Temecula-CA,OU=People,DC=test,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test01
givenName: test01
distinguishedName: CN=test01,OU=MIS,OU=Temecula-CA,OU=People,DC=test,DC=local
instanceType: 4
whenCreated: 20080807000211.0Z
whenChanged: 20080808170937.0Z
displayName: test01
uSNCreated: 20660
uSNChanged: 32974
name: test01
objectGUID:
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 128626909010102324
lastLogoff: 0
lastLogon: 128629403833937446
pwdLastSet: 128626889779722918
primaryGroupID: 513
objectSid:
accountExpires: 9223372036854775807
logonCount: 28
sAMAccountName: test01
sAMAccountType: 805306368
userPrincipalName: [EMAIL PROTECTED]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=test,DC=local
dSCorePropagationData: 20080807001936.0Z
dSCorePropagationData: 20080807001936.0Z
dSCorePropagationData: 20080807001936.0Z
dSCorePropagationData: 20080807001150.0Z
dSCorePropagationData: 16010108151056.0Z
uid: test01
msSFU30Name: test01
msSFU30NisDomain: test
uidNumber: 50002
gidNumber: 1
unixHomeDirectory: /home/test01
loginShell: /usr/bin/ksh

And then regarding using the domain in the username (such as DOMAIN\user) -- I
have tried that on the Windows side, and that's what's failing.  However, if
you're referring to the wbinfo tests, it's failing with the same
NT_STATUS_NO_SUCH_USER error:
aixplay1-root /opt/pware/bin > wbinfo -a TEST\test01%password
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user TESTtest01%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc064)
error messsage was: No such user
Could not authenticate user TESTtest01 with challenge/response

I'm not sure why it's removing the '\' in the error message between the domain
and the username, but I also tried it with two backslashes, and a forward slash,
and they all failed.

What am I missing here?

Thanks again for your help,
Matt




Re: [Samba] Machine-level shares on Windows server

2008-08-11 Thread Gerald (Jerry) Carter

Jeremy Evans wrote:

> I realise that. I *did* give a 2nd example in my original post:
> 
> $sudo smbclient -P -L //sbs
> ERROR: Unable to fetch machine password
> 
> 
> "net ads testjoin" returns an OK result at my end & the PDC shows the
> machine as joined to the domain at the other.
> 
> What I don't seem to be able to find out is just how the Windows PDC &
> Samba interact to ensure that the Samba machine is a [trusted?] member
> of the domain & therefore how to use that fact to allow machine-level
> shares without having to perform a user-level login. 

In that case, did you join the domain?  Unless, this is just a bug,
that seems the obvious explanation.




cheers, jerry


Re: [Samba] AD on 2003R2 NT_STATUS_NO_SUCH_USER

2008-08-11 Thread Jason Gerfen

Matt Anderson wrote:

> Dear Help,
>
> We are in the process of setting up a new domain using Active Directory on
> Windows Server 2003R2.  One of our goals was to use Active Directory for
> authentication on our AIX box (running version 6.1).  I was able to successfully
> set up Kerberos, and the LDAP client to connect to our AD server so that you can
> now log in to the AIX box with users found in Active Directory.  However, no
> matter what I try, I am unable to get Samba (also running on the same AIX box)
> to authenticate against the same AD server.  Oh, and I'm running Samba 3.0.28
> (from the AIX binaries available on the Samba website).
>
> When I try and connect from a test machine (running Windows XP SP2) I get the
> following in the logs (machine: Novel-Idea, username: test01, domain: TEST):
>   check_ntlm_password:  Checking password for unmapped user
> [EMAIL PROTECTED] with the new password interface
> [2008/08/08 09:55:29, 3] auth/auth.c:check_ntlm_password(224)
>   check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
> [2008/08/08 09:55:29, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2008/08/08 09:55:29, 3] smbd/uid.c:push_conn_ctx(358)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2008/08/08 09:55:29, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2008/08/08 09:55:29, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/08/08 09:55:29, 2] auth/auth.c:check_ntlm_password(319)
>   check_ntlm_password:  Authentication for user [test01] -> [test01] FAILED with
> error NT_STATUS_NO_SUCH_USER
> [2008/08/08 09:55:29, 3] smbd/error.c:error_packet_set(106)
>   error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
>
> However, I can get successful results using wbinfo:
>
> From wbinfo -u:
>
> administrator
> guest
> support_388945a0
> krbtgt
> test02
> host_aixplay1
> test01
> testcopy
>
> From wbinfo -g:
>
> BUILTIN+administrators
> BUILTIN+users
> domain computers
> domain controllers
> schema admins
> enterprise admins
> domain admins
> domain users
> domain guests
> group policy creator owners
> dnsupdateproxy
> testgrp1
> testgrp2
> testgrp3
> staff
>
> From wbinfo -a test01%password:
>
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> From wbinfo -K test01%password
>
> plaintext kerberos password authentication for [test01%password] succeeded (requ
> esting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0


Have you tried to look at the user account information using ldapsearch? 
Just to ensure the POSIX account data is present in AD.


If you are attempting to authenticate as a domain user try the username 
as DOMAIN\Username.




> So, it makes me think that I'm missing something obvious in my smb.conf, but
> after searching around, I haven't found much.
>
> Any help would be greatly appreciated.  See my configs below:
>
> SMB.CONF
> # Global parameters
> [global]
> workgroup = TEST
> realm = TEST.LOCAL
> security = ADS
> encrypt passwords = yes
> password server = IP.OF.AD.SERVER
> log level = 3
> log file = /opt/pware/samba/3.0.28/var/log.%m
> max log size = 50
> #   idmap backend = ad
> #   idmap uid = 10-4000
> #   idmap gid = 10-4000
>
> idmap domains = TEST
> idmap config TEST:backend = ad
> idmap config TEST:default = yes
> idmap config TEST:schema_mode = rfc2307
> idmap config DOMAIN:range = 10-4000
>
> #   auth methods = winbind
> #   use kerberos keytab = yes
> #   ldap ssl = no
>
> winbind separator = +
> winbind use default domain = Yes
>
> winbind nested groups = Yes
> winbind enum users = yes
> winbind enum groups = yes
> #   winbind nss info = rfc2307
>
> [anyone]
> path = /home/anyone
> guest ok = yes
> browseable = yes
>
> [testing]
> path = /home/testing
> guest ok = no
> valid users = test01
> admin users = test01
> write list = test01
>
> KRB5.CONF
> [libdefaults]
> default_realm = TEST.LOCAL
> default_keytab_name = FILE:/etc/krb5/krb5.keytab
> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>
> [realms]
> TEST.LOCAL = {
> kdc = adtest.test.local:88
> admin_server = adtest.test.local:749
> default_domain = test.local
> }
>
> [domain_realm]
> .test.local = TEST.LOCAL
> adtest.test.local = TEST.LOCAL
>
> [logging]
> kdc = FILE:/var/krb5/log/krb5kdc.log
> admin_server = FILE:/var/krb5/log/kadmin.log
> default = FILE:/var/krb5/log/krb5lib.log






--
Jason Gerfen


Re: [Samba] winbindd behaving oddly

2008-08-11 Thread Gerald (Jerry) Carter

Glenn Bailey wrote:
> Ok wow,
> 
> Looks like the likewise solution is exactly what I've been looking
> for, as I've been developing an internal solution that was basically
> a stripped down samba that wouldn't conflict with any other existing
> samba installs.

Cool.  Glad it helped.





jerry


[Samba] AD on 2003R2 NT_STATUS_NO_SUCH_USER

2008-08-11 Thread Matt Anderson
Dear Help,

We are in the process of setting up a new domain using Active Directory on
Windows Server 2003R2.  One of our goals was to use Active Directory for
authentication on our AIX box (running version 6.1).  I was able to successfully
set up Kerberos, and the LDAP client to connect to our AD server so that you can
now log in to the AIX box with users found in Active Directory.  However, no
matter what I try, I am unable to get Samba (also running on the same AIX box)
to authenticate against the same AD server.  Oh, and I'm running Samba 3.0.28
(from the AIX binaries available on the Samba website).

When I try and connect from a test machine (running Windows XP SP2) I get the
following in the logs (machine: Novel-Idea, username: test01, domain: TEST):
  check_ntlm_password:  Checking password for unmapped user
[EMAIL PROTECTED] with the new password interface
[2008/08/08 09:55:29, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2008/08/08 09:55:29, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/08/08 09:55:29, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/08/08 09:55:29, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/08/08 09:55:29, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/08 09:55:29, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [test01] -> [test01] FAILED with
error NT_STATUS_NO_SUCH_USER
[2008/08/08 09:55:29, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

However, I can get successful results using wbinfo:
From wbinfo -u:
administrator
guest
support_388945a0
krbtgt
test02
host_aixplay1
test01
testcopy

From wbinfo -g:
BUILTIN+administrators
BUILTIN+users
domain computers
domain controllers
schema admins
enterprise admins
domain admins
domain users
domain guests
group policy creator owners
dnsupdateproxy
testgrp1
testgrp2
testgrp3
staff

From wbinfo -a test01%password:
plaintext password authentication succeeded
challenge/response password authentication succeeded

From wbinfo -K test01%password
plaintext kerberos password authentication for [test01%password] succeeded (requ
esting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

So, it makes me think that I'm missing something obvious in my smb.conf, but
after searching around, I haven't found much.

Any help would be greatly appreciated.  See my configs below:

SMB.CONF
# Global parameters
[global]
workgroup = TEST
realm = TEST.LOCAL
security = ADS
encrypt passwords = yes
password server = IP.OF.AD.SERVER
log level = 3
log file = /opt/pware/samba/3.0.28/var/log.%m
max log size = 50
#   idmap backend = ad
#   idmap uid = 10-4000
#   idmap gid = 10-4000

idmap domains = TEST
idmap config TEST:backend = ad
idmap config TEST:default = yes
idmap config TEST:schema_mode = rfc2307
idmap config DOMAIN:range = 10-4000

#   auth methods = winbind
#   use kerberos keytab = yes
#   ldap ssl = no

winbind separator = + 
winbind use default domain = Yes
winbind nested groups = Yes
winbind enum users = yes
winbind enum groups = yes
#   winbind nss info = rfc2307

[anyone]
path = /home/anyone
guest ok = yes
browseable = yes

[testing]
path = /home/testing
guest ok = no
valid users = test01
admin users = test01
write list = test01

KRB5.CONF
[libdefaults]
default_realm = TEST.LOCAL
default_keytab_name = FILE:/etc/krb5/krb5.keytab
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
TEST.LOCAL = {
kdc = adtest.test.local:88
admin_server = adtest.test.local:749
default_domain = test.local
}

[domain_realm]
.test.local = TEST.LOCAL
adtest.test.local = TEST.LOCAL

[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log





RE: [Samba] winbindd behaving oddly

2008-08-11 Thread Glenn Bailey
Ok wow,

Looks like the likewise solution is exactly what I've been looking
for, as I've been developing an internal solution that was basically
a stripped down samba that wouldn't conflict with any other existing
samba installs.

FYI,

I threw my group membership settings in /etc/security/pam_winbind.conf
with the following format:

[global]
require_membership_of=GROUP1
require_membership_of=GROUP2

and this worked just fine ..

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2008 6:53 AM
To: Glenn Bailey
Cc: samba@lists.samba.org
Subject: Re: [Samba] winbindd behaving oddly


Glenn Bailey wrote:
> Hello folks,
>
> Been beating my head with winbind and pam just behaving oddly. I
> have followed various HOW-TOs, wikis, and docs, and just can't seem
> to get past a wall. Here are some of the issues:

If you just want desktop or server logins and not File/Print, you might want to 
try likewise-open (http://www.likewisesoftware.com/community/).

> - the 1st attempt at ssh'ing to a server gives me a 'Wrong Password'
> in the logs. Here's an exact snippet:
>
> Aug  6 18:45:40 mia21654bcu001 sshd[5371]: pam_winbind(sshd): request
> failed: Wrong Password, PAM error was Authentication failure (7), NT
> error was NT_STATUS_WRONG_PASSWORD
>
> I get this w/o even entering a password. If I break out and just hit
> it 2 more times it will lock the account out as expected.
>
> - require_membership_of seems to be flat out ignored.

Works for me, but I define it in /etc/security/pam_winbind.conf


> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so

I stack pam_winbind before pam_unix

> account     required      /lib/security/$ISA/pam_unix.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> account     required      /lib/security/$ISA/pam_permit.so

Don't need use_first_pass

> password    required      /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
> password    required      /lib/security/$ISA/pam_deny.so

need use_authtok and not use_first_pass here.

> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group

The require- option is enforced in auth and not session.






cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian
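The review points made in the quoted reply above (stack order in auth, use_first_pass on the account line, use_authtok on the password line, require_membership_of taking effect only in auth) can be checked mechanically. The following is an added example, not part of the original messages: a small Python linter run over the quoted stack with its column spacing restored. The function names and finding codes are this example's own.

```python
"""Lint a PAM service file against the pam_winbind review points in this thread."""
import re

TYPES = {"auth", "account", "password", "session"}

# Constructed sample: the stack quoted in the thread, column spacing restored.
SAMPLE_STACK = r"""
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
account     required      /lib/security/$ISA/pam_permit.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      /lib/security/$ISA/pam_winbind.so use_first_pass require_membership_of=some_group
"""


def parse_stack(text):
    """Return one dict per rule: type, control, module (basename) and args."""
    rules = []
    # A trailing backslash continues a rule on the next line.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # type, control (keyword or [value=action ...] block), module path, args
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m or m.group(1) not in TYPES:
            continue  # skips directives such as "@include common-auth"
        mtype, control, path, rest = m.groups()
        rules.append({"type": mtype, "control": control,
                      "module": path.rsplit("/", 1)[-1], "args": rest.split()})
    return rules


def lint(rules):
    """Return (type, finding-code) tuples for the points raised in the reply."""
    findings = []
    for rule in rules:
        if rule["module"] != "pam_winbind.so":
            continue
        opts = {arg.split("=", 1)[0] for arg in rule["args"]}
        # Reply: the option is enforced in auth and not session. Treating
        # account and password lines the same way is this example's assumption.
        if "require_membership_of" in opts and rule["type"] != "auth":
            findings.append((rule["type"], "membership-not-enforced"))
        # Reply: the account line does not need use_first_pass.
        if rule["type"] == "account" and "use_first_pass" in opts:
            findings.append(("account", "needless-use_first_pass"))
        # Reply: the password line needs use_authtok, not use_first_pass.
        if rule["type"] == "password" and "use_first_pass" in opts:
            findings.append(("password", "needs-use_authtok"))
    # Reply: pam_winbind is stacked before pam_unix in auth.
    auth = [r["module"] for r in rules if r["type"] == "auth"]
    if ("pam_unix.so" in auth and "pam_winbind.so" in auth
            and auth.index("pam_unix.so") < auth.index("pam_winbind.so")):
        findings.append(("auth", "winbind-after-unix"))
    return findings


if __name__ == "__main__":
    for mtype, code in lint(parse_stack(SAMPLE_STACK)):
        print(f"{mtype}: {code}")
```

The session finding is the one with access-control impact: a group restriction placed where it is not evaluated leaves logins unrestricted without any error.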


Re: [Samba] SMB over SSH tunnel

2008-08-11 Thread kissg
2008/8/11 Wojtek Bogusz <[EMAIL PROTECTED]>

> hi. thank you for reply.
> i enabled connection from firewall to windows server on 137/udp, 138/udp,
> 139/udp and 139/tcp.
> i tunnelled 137, 138 and 139 to windows server over SSH in putty.
> i switched off 'file and printer sharing in MS network'
> and it does not work? it behaves same way as i described it in my last
> email (i copy it below your email).
> any help please?
> regards, Wojtek


Try to enable file and printer sharing, it's needed to use Samba.


Re: [Samba] Printer driver interface different

2008-08-11 Thread Gerald (Jerry) Carter

Ryan Novosielski wrote:
> Had the same problem with the Aficio 350. You can just install the
> driver locally and not use the Samba spool at all (direct IP printing).
> That seems to be the best angle with my device. It's a shame, because it
> really ought to work.

Does this driver contain a file named UNIDRV.DLL ?  It's probably a
difference in behavior between EMF and RAW printing.





cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


Re: Fwd: [Samba] Supporting large file transfers

2008-08-11 Thread Gerald (Jerry) Carter

John Drescher wrote:
> On Wed, Aug 6, 2008 at 5:48 PM, Jeff L <[EMAIL PROTECTED]> wrote:
>> Hi John, I removed the lines and it fixed the problem.
>>
>> It's weird because in the O'Reilly Samba book they recommend using it?
>>
>> http://oreilly.com/catalog/samba/chapter/book/appb_02.html
>>
> 
> Probably because the book was written for a 2.2 or 2.4 kernel.

The above link is a reference to the 1st edition.  The third ed.
was released about a year ago.





cheers, jerry
- --
=
Samba--- http://www.samba.org
Likewise Software  -  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] Mutli-Homed Subnetting - Advice please

2008-08-11 Thread J. Pilfold-Bagwell
Hiya,

Just a few questions left;)

The setup I originally had in mind was three subnets, 172.20.0.0, 1.0
and 2.0 with the each NIC set up to serve one of the ranges. This
obviously requires routing between the subnets. Alternatively, I guess I
can bridge the NICs onto a single IP and use a central DHCP/DNS etc
server as this will handle broadcasts and other stuff transparently.

I'm sure as hell that the latter is easiest to set up but how have you
set yours up?

Cheers,

Jools 


On Mon, 2008-07-28 at 19:11 -0400, Charlie wrote:
> On Mon, Jul 28, 2008 at 1:41 PM,  <[EMAIL PROTECTED]> wrote:
> 
> > 1) I assume that as the NICs are on the same server (PDC & WINS)  the WINS
> > server part of Samba will store both NIC IPs in the wins.dat file and that
> > it'll answer WINS queries from both subnet without a problem. Dynamic data
> > will be stored on the PDC so I assume this will be easy. Am I on safe
> > ground here?
> 
> My WINS servers have 2 to 6 NICs each.  No problems there.
> 
> > 2) I plan to have a server on each subnet that will hold the static data
> > and act as BDCs relieving the load on the PDC. Effectively, the content
> > will be identical but as staff update data on one, is there a way of
> > binding the server shares together so one updates the other. I know you
> > can bind two drives on a unix box together with mount --bind. Has anyone
> > tried binding two samba shares together? Is it easier to script an rsync
> > -u .
> 
> I would make one machine a WINS, DNS, and PDC server with no shares
> other than the logon share and possibly user homes.  Then I'd set up
> two more servers that did nothing but share files, with 2 NICs in
> each.  Many of my file servers have 4 NICs in them and work fine.
> Complexity is the enemy of reliability - I would avoid synchronizing
> shares and instead architect so that a single set of shares can be
> reached by all.  NICs are cheaper than the time it takes to build
> reliable synchronized file shares.
> 
> > 3) Finally, I need to run login scripts based on group membership but with
> > static data shares mounted on a different server depending on the subnet
> > you're on. Any tips on stacking login scripts? Can samba do this.
> 
> You can dynamically generate your logon scripts.  See here:
> http://freshmeat.net/projects/exampleadvancedsambaloginscript/
> 
> > Any hints and tips appreciated. I have limited time to do this and set up
> > three web servers with limited time for testing but that's life.
> 
> I've found keeping my PDC/logon servers separate from my "heavy
> lifter" file servers saves me much pain; I can work on login and
> authentication issues separately from load and permissions problems.
> I also use DHCP to set my windows clients to "hybrid" mode.
> 
> option netbios-dd-server 192.168.0.1;
> option netbios-node-type 8;
> 
> # 1 B-node: Broadcast - no WINS
> # 2 P-node: Peer - WINS only.
> # 4 M-node: Mixed - broadcast, then WINS
> # 8 H-node: Hybrid - WINS, then broadcast
> #  It should be obvious that this is a bit-mapped value, more info in RFCs 1001 and 1002
> 
>   You can really clog up a network fast with broadcast name
> resolution, so you want to restrict that as much as possible.
> 
> --Charlie



Re: [Samba] 'getent passwd' shows duplicate user accounts

2008-08-11 Thread David Collins
Thanks for the advice, Andre.
Yes, the lines do say 'files ldap'.  I will leave it as is.


On Mon, 2008-08-11 at 08:52 +0200, André Welter wrote:

> Hi,
> 
> David Collins wrote:
> > Hello,
> >
> > I am setting up an LDAP Samba server, and have migrated all the local
> > posix account info into it as well as creating the smb account info.
> >
> > I have now set up this server to use LDAP for authentication (rather
> > than /etc/passwd, etc.) like so ...
> > sudo apt-get --yes install ldap-auth-client
> > sudo auth-client-config -a -p lac_ldap
> >
> > When testing the result with 'getent passwd', I see all the LDAP user
> > accounts, but it seems the info in /etc/passwd file is also reported.
> >
> > Is this normal?
> >   
> 
> Have a look at your /etc/nsswitch.conf. If it contains something like this:
> passwd: files ldap
> group:  files ldap
> shadow: files ldap
> 
> (while 'files' could also read 'compat') it is indeed normal and
> normally it should be left this way so you have authentication during
> system startup before ldap becomes available.
> 
> Cheers,
> 
> André
> 
> 
> 
> 
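An added example, not part of the thread: with `passwd: files ldap`, enumeration (`getent passwd`) lists every source in turn, while a lookup by name returns the first source's entry, so a duplicate whose copies disagree on UID/GID means the local entry shadows the LDAP one. The function below audits that; the sample accounts are constructed, and on a live host the input would be `getent passwd | dup_accounts`.

```shell
#!/bin/sh
# Audit merged `getent passwd` output for accounts defined in more than one
# NSS source (for example "passwd: files ldap" in /etc/nsswitch.conf).

# dup_accounts: read passwd-format lines on stdin, in enumeration order.
# Prints one line per name that occurs more than once:
#   SAME <name> <uid:gid>                 all copies agree
#   CONFLICT <name> <uid:gid> <uid:gid>   copies disagree; the first pair is
#                                         the one a lookup by name returns
dup_accounts() {
    awk -F: '
        NF >= 7 {
            id = $3 ":" $4
            if (!($1 in count)) order[++n] = $1   # remember first-seen order
            count[$1]++
            if (count[$1] == 1) {
                first[$1] = id
                ids[$1] = id
            } else {
                ids[$1] = ids[$1] " " id
                if (id != first[$1]) conflict[$1] = 1
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (count[name] < 2) continue
                if (conflict[name]) print "CONFLICT", name, ids[name]
                else print "SAME", name, first[name]
            }
        }'
}

# Constructed sample: three local entries followed by three LDAP entries,
# the order in which "files ldap" would enumerate them.
sample_getent() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
jdoe:x:1000:1000:J Doe:/home/jdoe:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
jdoe:x:1000:1000:J Doe:/home/jdoe:/bin/bash
alice:x:2001:513:Alice:/home/alice:/bin/bash
backup:x:2034:513:backup:/home/backup:/bin/bash
EOF
}

sample_getent | dup_accounts
```

A `SAME` line is the harmless case described in the reply above (an account migrated into LDAP and still present in `/etc/passwd`); a `CONFLICT` line is worth resolving, because file ownership and group membership then depend on which source answers.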


Re: [Samba] SMB over SSH tunnel

2008-08-11 Thread Wojtek Bogusz

hi. thank you for reply.
i enabled connection from firewall to windows server on 137/udp, 
138/udp, 139/udp and 139/tcp.

i tunnelled 137, 138 and 139 to windows server over SSH in putty.
i switched off 'file and printer sharing in MS network'
and it does not work? it behaves same way as i described it in my last 
email (i copy it below your email).

any help please?
regards, Wojtek

kissg wrote:
I think, you have to enable the following UDP ports on your firewall to 
use Samba:


- 137/udp
- 138/udp

Also, you have to use WINS or DNS to resolve computer names, if you need 
to. You don't have to enable any other ports to use WINS. DNS runs on 
ports 53/tcp and 53/udp. Enable these ports on your firewall, and try to 
connect to your share from the remote machine.


This worked for me through a VPN connection, I hope it will work for 
you, too.


hi, i am trying to tunnel SMB over the SSH tunnel. but it does not work 
for me :-( could you advise me please?


my setup is:
- laptop with windows xp connected somewhere to internet;
- gateway-firewall (ubuntu with shorewall) with public and local network 
address;

- windows server (with local network address);

i enabled tcp connections in shorewall (firewall) from gateway to 
windows server on port 139.
i did try to do all the steps that are described in documents like 
http://www.security-hacks.com/2007/05/18/tunneling-smb-over-ssh-secure-file-sharing


i also did other option by trying to uninstall 'file and printer sharing 
for ms networks' and i try to connect to map \\localhost\folder_name 
directly and tunnel local port 139 to the windows server port 139.


it all does not work. i get either 'no path' message or i am asked about 
the user and password while 'mapping the network drive' but whatever user 
& password i provide the user/password window comes back on and on.


what can i try to make it work? please advise...

best regards, Wojtek


Re: [Samba] unable to map windows to unix groups

2008-08-11 Thread jcdole

Thank you very much indeed.

This thread should be closed

JC DOLE

Quoting Douglas VanLeuven <[EMAIL PROTECTED]>:
>
> When you do getent group you're getting what's in the local /etc/group
> and what's defined in the ldap group membership.  See gidNumber above.
> Using /etc/nsswitch.conf to define ldap lookups extends the /etc/passwd
> and /etc/group membership so passwd and group uid/gid's can be defined
> system wide and used by any unix machine.
>
> So yes.  Users belonging to group 512 are "Domain Admins".  You need to
> add users to this group when you want them to have related security
> privileges.  You should be able to chgrp 512 filename and have it show
> as "Domain Admins" when you ls the directory.  I haven't used the
> smbldap tools package, but it looks like the most common windows groups
> have already been defined for you.  All you need to do is avoid using
> the ldap passwd & group uid/gids in the local files.  Yast tools will
> probably not allow you to generate duplicates.
>
> And yes, you only need to map groups when the unix name doesn't match
> the windows name and you don't want samba to create the account on the
> fly using whatever idmap backend you pick.  Your idmap backend should
> probably be idmap_ldap and accounts generated then become available
> system wide using the same uid/gid's and network file sharing offers the
> same membership security regardless of client machine access.
>
> This is probably in a FAQ somewhere where the answer would be more
> structured.  I use the following to resolve my issues:
> http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/
> http://us6.samba.org/samba/docs/man/Samba-Guide/
>
> Since samba is evolving almost daily, sometimes the Howto syntax has been
> modified in the current manifestation of the command.  Always refer to
> the current command documentation to resolve any discrepancies.
>
> Doug
>

> [EMAIL PROTECTED] wrote:
> > As I said, I did a fresh install of opensuse 10.3, samba, ldap.
> >
> > During the process, I filled the ldap database directly with an ldif file built
> > using smbldap tools.
> >
> > (one item in that file -->
> >
> > dn: cn=Domain Admins,ou=Groups,dc=ldap_hathor,dc=nwk
> > objectClass: top
> > objectClass: posixGroup
> > objectClass: sambaGroupMapping
> > gidNumber: 512
> > cn: Domain Admins
> > memberUid: root
> > sambaSID: S-1-5-21-3134345319-2430187646-2919245149-512
> > sambaGroupType: 2
> > displayName: Domain Admins
> > description: Netbios Domain Administrators
> > #sambaPrimaryGroupSID: SID of the user group (512 = Admins group)
> > #description: Netbios Domain Administrators
> >  )
> >
> > So you mean by doing this it is not necessary to map the native existing unix
> > group "ntadmin" (gid 71) with "Domain Admins" ?
> > (ntadmin appears in /etc/group and "Domain Admins" not)
> >
> > Reading the samba documentation was not very clear for me.
> >
> > jcdole
> >
> >
> > Quoting Douglas VanLeuven <[EMAIL PROTECTED]>:
> >> It looks like you already have an existing unix group called "Domain
> >> Admins" being pulled in from ldap.  When that is true, there is no need
> >> for groupmap and indeed it would appear it is illegal to map a windows
> >> group that matches an existing unix group to another unix group.
> >>
> >> Doug
> >>
> >>
> >> [EMAIL PROTECTED] wrote:
> >>> Hello.
> >>>
> >>> After fresh install.
> >>>
> >>> Samba and ldap seem to run normally ( I can join win2k workstation to linux
> >>> samba pdc ).
> >>>
> >>> Using yast I create a system group named domadmin
> >>>
> >>> But I am unable to map "Domain Admins" to domadmin
> >>> I am unable to map "Domain Admins" to existing ntadmin group
> >>>
> >>> I am unable to modify mapping "Domain Admins" to domadmin group
> >>>
> >>> Thank you for helping.
> >>>
> >>> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=domadmin rid=512 type=d
> >>> adding entry for group Domain Admins failed!
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512 type=d
> >>> adding entry for group Domain Admins failed!
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
> >>> Can't map to an unknown group type.
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin type=d
> >>> Could not update group database
> >>> LINUX-SRV: #
> >>>
> >>> LINUX-SRV:~ net groupmap list
> >>> request done: ld 0x55c881e0 msgid 1
> >>> request done: ld 0x55c881e0 msgid 2
> >>> Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
> >>> request done: ld 0x55c881e0 msgid 3
> >>> Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
> >>> request done: ld 0x55c881e0 msgid 4
> >>> Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain Guests
> >>> request done: ld 0x55c881e0 msgi