Re: [Samba] Question about multiple logins at the same time
If you have an LDAP and Samba domain there is a way to restrict the login to a single workstation.

---
Daniel Müller
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-bounces+mueller=tropenklinik...@lists.samba.org [mailto:samba-bounces+mueller=tropenklinik...@lists.samba.org] On Behalf Of Marcelo Opazo Vivallos
Sent: Wednesday, 1 April 2009 02:05
To: samba@lists.samba.org
Subject: [Samba] Question about multiple logins at the same time

Hi,

Do you have any guideline or variable in the Samba configuration file that determines that a user cannot log in more than once at the same time, in order to avoid the same login from different places at the same time? For now, what I plan is to use a startup script that throws me something like a flag indicating whether the user is logged in, and then kick them through some mechanism.

I accept all suggestions.

Thank you
Regards from Chile

--
Marcelo Opazo Vivallos
Computer Engineering student
Slackware Linux, user #372952.
HomePage: http://amarzeck.googlepages.com
WebLog: http://amarzeck.blogspot.com
Chile.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Proper use of tdbbackup
Quoting Fabio Muzzi (li...@kurgan.org):

> I have googled a lot, but I have found no examples of the correct use of
> the tdbbackup program.
>
> I am looking for some advice on how to use tdbbackup. I mean, I know I
> can simply run "tdbbackup *.tdb", but I was looking for in-depth
> information on when and how to use it, about best practices on using it,
> or what NOT to do.
>
> The Samba documentation says I should run it in my start/stop scripts,
> but it seems that no distribution actually does this. Why? Is there some

To be honest, Debian has a suggestion to do it. Not in start/stop scripts but more in regular maintenance tasks:

http://bugs.debian.org/473651

...which we tagged "wontfix" on the rationale that setting such backup tasks should be up to the local administrator, just like any other backup policy.

> I was thinking of running it every day as a cron job (not restarting
> Samba) and saving some backlog (some days worth of old backups). Is it
> useful? Since domain member machines change their domain password (am I
> correct?) automatically, if I restore an old backup can this lead to
> machines being unable to talk to the (samba) domain controller?

In the bug report mentioned above, it was observed that several TDB files do actually deserve to be preserved.
Noticeably, these are those we put in /var/lib/samba on Debian systems:

bubu...@mykerinos:~> ls -l /var/lib/samba/
total 228
-rw-------  1 root root         8192 mai 17  2007 account_policy.tdb
-rw-------  1 root root        86016 oct  6  2007 group_mapping.ldb
-rw-------  1 root root         8192 mai 17  2007 group_mapping.tdb.upgraded
-rw-------  1 root root         8192 mai 17  2007 ntdrivers.tdb
-rw-------  1 root root          696 mai 17  2007 ntforms.tdb
-rw-------  1 root root         8192 mai 17  2007 ntprinters.tdb
-rw-------  1 root root        16384 mai 17  2007 passdb.tdb
drwxr-xr-x  2 root root            6 avr 24  2007 perfmon
drwxr-xr-x 10 root root          106 mai  9  2008 printers
-rw-------  1 root root        65536 mar 31 19:20 registry.tdb
-rw-------  1 root root         8192 mai 17  2007 share_info.tdb
drwxrwx--T  2 root sambashare      6 nov 17  2007 usershares
-rw-r--r--  1 root root         4096 mai 31  2007 winbindd_idmap.tdb
-rw-r--r--  1 root root          247 déc  8 06:34 wins.dat

This is on my laptop system where many Samba features such as printing are not used, and which may have some cruft left by old broken packages.

(secrets.tdb lives in /etc/samba on Debian systems)
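The daily cron job Fabio describes, written out as an added example of my own (it is not from either post and not Debian's packaging): it runs tdbbackup over the persistent TDB files listed above plus /etc/samba/secrets.tdb, files the resulting .bak copies into a dated directory, prunes copies older than a configurable number of days, and stops with a non-zero exit if tdbbackup fails for any file. The TDBBACKUP and KEEP_DAYS variables and the /var/backups/samba-tdb destination are assumptions of this script, not Samba settings; the source paths are the Debian ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the list thread or Debian packaging): nightly
# tdbbackup of Samba's persistent TDB files with a rotating set of dated
# copies. tdbbackup writes FILE.tdb.bak next to FILE.tdb; we copy that
# .bak into a per-day directory so a restore can pick an older state.
# Assumed: tdbbackup in PATH (TDBBACKUP overrides it, e.g. for testing),
# Debian paths /var/lib/samba and /etc/samba/secrets.tdb.

TDBBACKUP="${TDBBACKUP:-tdbbackup}"
KEEP_DAYS="${KEEP_DAYS:-7}"

# backup_tdb_files DESTDIR FILE... : back up each FILE with tdbbackup and
# copy the resulting .bak into DESTDIR/YYYYMMDD. Prints the number of
# files backed up; returns 1 on the first failure.
backup_tdb_files() {
    dest="$1"; shift
    day=$(date +%Y%m%d)
    n=0
    mkdir -p "$dest/$day" || return 1
    for f in "$@"; do
        [ -f "$f" ] || continue          # an unmatched glob is skipped
        # tdbbackup locks the live database while it copies, which is
        # why it can run with smbd up, unlike a plain cp of the file.
        "$TDBBACKUP" "$f" || { echo "tdbbackup failed for $f" >&2; return 1; }
        [ -s "$f.bak" ] || { echo "no backup produced for $f" >&2; return 1; }
        cp "$f.bak" "$dest/$day/$(basename "$f")" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# prune_backups DESTDIR DAYS : remove dated directories older than DAYS.
prune_backups() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -mtime +"$2" -exec rm -rf {} +
}

# Cron entry point, e.g. from /etc/cron.daily:  sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    backup_tdb_files /var/backups/samba-tdb \
        /var/lib/samba/*.tdb /etc/samba/secrets.tdb >/dev/null || exit 1
    prune_backups /var/backups/samba-tdb "$KEEP_DAYS"
fi
```

Keeping several dated copies rather than a single .bak is what answers Fabio's worry about machine passwords: a restored passdb.tdb or secrets.tdb carries the trust account state of the day it was taken, so the dated directory lets you restore the newest copy that is still good instead of whichever one happened to be last.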
[Samba] try to join win2k3 r2 pdc
Hi

I am trying to join an out-of-the-box win2k3 AD domain controller (it's been forest-prepped for an r2 domain).

samba Version 3.3.2 on Freebsd 6.3-RELEASE
openldap-sasl-2.3
heimdal 0.6.3

adserver = AD DC server i installed (win2k3 box)
domain = my domain name

/etc/resolv.conf
search domain.net
nameserver adserver

contents of /usr/local/etc/smb.conf

[global]
workgroup = DOMAIN
realm = DOMAIN.NET
server string = Samba Server
security = ADS
auth methods = winbind
password server = adserver
passdb backend = ldapsam:ldap://adserver.domain.net
root directory = /raid5/samba
lanman auth = Yes
use kerberos keytab = Yes
log file = /var/log/samba/log.%m
max log size = 500
wins server = 192.168.0.1
ldap admin dn = cn=administrator,cn=Users,dc=domain,dc=net   # admin is in default container
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=Domain-Computers   # computer OU
ldap suffix = DC=DOMAIN,DC=NET
ldap ssl = no
ldap user suffix = ou=Domain-Users   # user container
idmap alloc backend = ldap
idmap uid = 500-10
idmap gid = 500-10
template shell = /bin/tcsh
winbind separator = /
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config DOLPHIN:backend = ldap
idmap config DOLPHIN:readonly = no
idmap config DOLPHIN:default = yes
idmap config DOLPHIN:ldap_base_dn = ou=idmap,dc=domain,dc=net
idmap config DOLPHIN:ldap_user_dn = cn="Domain-Users",dc=dolphin,dc=net
idmap config DOLPHIN:ldap_url = ldap://adserver.domain.net
idmap config DOLPHIN:range = 500-50
idmap alloc config:ldap_base_dn = ou=idmap,dc=domain,dc=net
idmap alloc config:ldap_user_dn = cn="Domain-Users",dc=domain,dc=net
idmap alloc config:ldap_url = ldap://adserver.domain.net
idmap alloc config:range = 500-507
valid users = "@DOMAIN\domain users", "@domain users"
admin users = DOMAIN\administrator, administrator

/etc/nsswitch.conf
group: files winbind ldap
group_compat: nis
hosts: files dns nis wins
networks: files dns
passwd: files winbind ldap
passwd_compat: nis
shells: files
shadow: files winbind

kinit works
wbinfo -t --> works
net rpc testjoin --> works
net ads testjoin --> works
net rpc join works
net ads join works
wbinfo -g --> doesn't work
wbinfo -u --> doesn't work
getent passwd --> doesn't work
getent group --> doesn't work

in the logs i find several errors (* marks start of log line)

* add_new_domain_info: failed to add domain dn= sambaDomainName=LOCALHOST,DC=DOMAIN,DC=NET with: No such attribute
* smbldap_search_domain_info: Adding domain info for LOCALHOST failed with NT_STATUS_UNSUCCESSFUL
* Connection to LDAP server failed for the 1 try
* Unable to open new log file /var/log/samba/log.192.168.0.10: No such file or directory

smbclient -L -Uadministrator%apassword works for the AD domain controller and windows xp pro clients, although NOT for windows 2003 member servers (weird part here)

also doing ldapsearch -Z > /tmp/afile I noticed that AD didn't have all the information about the freebsd host I would expect (dns name, Operating system (name, version and service pack)); with adsi edit (not the best way) I was able to set the DNS name(s)

windows clients (xp, win2k3 member, win2k3 AD DC) keep having "popups" to login but no login possible !!

Can somebody please help me with getting things working ?

Victor
[Samba] Question about multiple logins at the same time
Hi,

Do you have any guideline or variable in the Samba configuration file that determines that a user cannot log in more than once at the same time, in order to avoid the same login from different places at the same time? For now, what I plan is to use a startup script that throws me something like a flag indicating whether the user is logged in, and then kick them through some mechanism.

I accept all suggestions.

Thank you
Regards from Chile

--
Marcelo Opazo Vivallos
Computer Engineering student
Slackware Linux, user #372952.
HomePage: http://amarzeck.googlepages.com
WebLog: http://amarzeck.blogspot.com
Chile.
Re: [Samba] Samba PDC & Squid NTLM Auth - Same machine
Hello Victor,

did you try supplying the domain name along with the username? Like "DOMAIN\administrator". Or adding "winbind use default domain = yes" to your samba configuration.

Regards,
-sd

2009/3/31 Victor Medina :
> David, it did not work.
>
> Any suggestion?
>
> Victor Medina
>
> Samuel Goldwyn - "I don't think anyone should write their
> autobiography until after they're dead."
>
>
> On Wed, Apr 1, 2009 at 12:13 PM, David Wells wrote:
>> Victor Medina wrote:
>>>
>>> Hi Guys!
>>>
>>>
>>> Probably this is not the best place to ask, I'll try anyway... =)
>>>
>>> I've been trying to configure a Samba PDC and a Squid Proxy server
>>> with NTLM auth on the same machine but NTLM_AUTH keeps complaining
>>> about: NT_STATUS_INVALID_HANDLE. I have other machines running
>>> Squid and Authenticating against a Samba Server but on different
>>> machines, this is the first time I try both on the same machine.
>>>
>>> Can I use Squid+NTLM Auth and Samba configured as PDC on the same
>>> machine? Is there any winbind issue with this kind of configuration?
>>>
>>> I'm using SLES10+SP2
>>> Samba version as reported by rpm is 3.0.32-0.8
>>> Squid version as reported by rpm is 2.5.STABLE12-18.13
>>>
>>> -
>>> This is my smb.conf
>>>
>>> [global]
>>> dos charset = 850
>>> unix charset = ISO8859-1
>>> workgroup = C1.SV
>>> netbios name = PDCSRVC1SV
>>> server string =
>>> interfaces = eth0
>>> bind interfaces only = Yes
>>> map to guest = Bad Password
>>> passdb backend = ldapsam:ldap://127.0.0.1
>>> guest account = Invitado
>>> time server = Yes
>>> deadtime = 20
>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> printcap name = cups
>>> logon path =
>>> logon home =
>>> domain logons = Yes
>>> os level = 65
>>> preferred master = Yes
>>> domain master = Yes
>>> wins support = Yes
>>> ldap admin dn = cn=Administrador,o=Ferreteria EPA
>>> ldap delete dn = Yes
>>> ldap group suffix = ou=group
>>> ldap machine suffix = ou=people
>>> ldap passwd sync = Yes
>>> ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
>>> ldap user suffix = ou=people
>>> idmap domains = DEFAULT
>>> idmap alloc backend = ldap
>>> idmap alloc config:range = 1-10
>>> idmap alloc config:ldap_url = ldap://127.0.0.1
>>> idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>> idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>> idmap config DEFAULT:range = 1-10
>>> idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>>> idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>> idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>> idmap config DEFAULT:default = yes
>>> idmap config DEFAULT:readonly = no
>>> idmap config DEFAULT:backend = ldap
>>> ldapsam:editposix = yes
>>> ldapsam:trusted = yes
>>> create mask = 0640
>>> force create mode = 0640
>>> directory mask = 0750
>>> force directory mode = 0750
>>> case sensitive = No
>>> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>>>
>>> My relevant squid.conf lines...
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
>>> auth_param basic program /usr/bin/ntlm_auth
>>> --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
>>> auth_param ntlm children 100
>>> auth_param basic children 100
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>>
>>>
>>>
>>>
>>> The pdc works as expected, machine join works like a charm, users and
>>> groups management works equally right, all accounts are placed in the
>>> LDAP, getent passwd, groups and shadow show the ldap accounts
>>>
>>> I also did a few tests with wbinfo
>>>
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -u
>>> invitado
>>> usuarioprueba
>>> e01ggen
>>> e01glogis
>>> e01gcont
>>> e01jcomp1
>>> e01jcomp2
>>> e01jcomp3
>>> e01jcomp4
>>> e01jrepo
>>> e01jreclu
>>> e01rrece
>>> e01gcom
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -g
>>> BUILTIN
>>> BUILTIN
>>> domain users
>>> domain admins
>>> domain guests
>>> grupoprueba
>>> gcentralsv
>>> gcompras
>>> gcontrol
>>> ggerencia
>>> glogistica
>>> gmercadeo
>>> gpersonal
>>> gventas
>>> gjefecompras
>>> gjefecontrol
>>> gjefelogistica
>>> gjefepersonal
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --all-domains
>>> C1.SV
>>>
>>>
>>> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>>>
>>>
>>> I also noted this error:
>>>
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo
>>> --authenticate=administrator%12345678
>>> plaintext pas
RE: [Samba] Adding additional groups to a file.
You'll need to enable ACLs. I use Ubuntu but I used this guide to set up ACLs on my particular setup.

http://aisalen.wordpress.com/2007/08/10/acls-on-samba/

-----Original Message-----
From: samba-bounces+masaog=fshac@lists.samba.org [mailto:samba-bounces+masaog=fshac@lists.samba.org] On Behalf Of Wojciech Giel
Sent: Tuesday, March 31, 2009 3:24 PM
To: samba@lists.samba.org
Subject: [Samba] Adding additional groups to a file.

Hi,

I have installed and configured Samba as PDC with Heimdal kerberos and openLDAP as backend for both on debian lenny. But I'm stuck on groups. I have created a file in my home directory mapped to My Documents. I can change rwx permissions on linux and windows and it works perfectly. But this file has my default group as its group. This file should be readable by users from the accounting and managers groups too. But when I want to add an additional group in the security tab I get access denied. What should I do to be able to add additional groups?

thanx,
Wojciech

my smb.conf

workgroup = EXAMPLE
netbios name = cannibal
server string = Linux PDC/KDC (Samba %v)
realm = EXAMPLE.COM
use kerberos keytab = yes
use spnego = yes
log file = /var/log/samba/%m.log
max log size = 1000
syslog = 1
log level = 4
utmp = Yes
guest account = nobody
map to guest = Never
admin users = root addmachine vin @"Domain Admins"
enable privileges = yes
security = user
encrypt passwords = true
os level = 255
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
keepalive = 30
time server = yes
preserve case = yes
short preserve case = yes
case sensitive = no
null passwords = no
logon script = %U.bat
logon path = \\cannibal\profiles$\%U\%a
logon drive = G:
logon home = \\cannibal\%U
bind interfaces only = yes
interfaces = eth0, lo
hosts allow = 10.10.10. 127.
wins support = yes
dns proxy = yes
passdb backend = ldapsam:ldaps://cannibal.example.com/
ldap admin dn = cn=ldapmaster/ad...@example.com,ou=KerberosPrincipals,dc=example,dc=com
ldap suffix = dc=hogwarth,dc=edu
ldap group suffix = ou=groups
ldap user suffix = ou=KerberosPrincipals
ldap machine suffix = ou=computers
ldap idmap suffix = sambaDomainName=EXAMPLE
ldap ssl = On
ldap delete dn = Yes
idmap backend = ldap:ldaps://cannibal.example.com/
idmap uid = 1-25000
idmap gid = 1-25000
Pam password change = yes
ldap passwd sync = yes
unix password sync = no
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n *Retype*new*password* %n
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m -a "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
dos charset = cp852
unix charset = iso8859-2
display charset = LOCALE
restrict anonymous = 0

[homes]
comment = Home Directories
valid users = %S
browseable = no
writable = yes
admin users = %u
write list = %u
read list = %u
create mask = 0644
directory mask = 0755

[netlogon]
path = /samba/netlogon
writable = no
browseable = no
share modes = no
admin users = @"Domain Admins"

[profiles]
path = /samba/profiles
valid users = %U, "@Domain Admins"
writeable = yes
inherit permissions = yes
create mask = 0644
directory mask = 0755
[Samba] Adding additional groups to a file.
Hi,

I have installed and configured Samba as PDC with Heimdal kerberos and openLDAP as backend for both on debian lenny. But I'm stuck on groups. I have created a file in my home directory mapped to My Documents. I can change rwx permissions on linux and windows and it works perfectly. But this file has my default group as its group. This file should be readable by users from the accounting and managers groups too. But when I want to add an additional group in the security tab I get access denied. What should I do to be able to add additional groups?

thanx,
Wojciech

my smb.conf

workgroup = EXAMPLE
netbios name = cannibal
server string = Linux PDC/KDC (Samba %v)
realm = EXAMPLE.COM
use kerberos keytab = yes
use spnego = yes
log file = /var/log/samba/%m.log
max log size = 1000
syslog = 1
log level = 4
utmp = Yes
guest account = nobody
map to guest = Never
admin users = root addmachine vin @"Domain Admins"
enable privileges = yes
security = user
encrypt passwords = true
os level = 255
local master = yes
domain master = yes
preferred master = yes
domain logons = yes
keepalive = 30
time server = yes
preserve case = yes
short preserve case = yes
case sensitive = no
null passwords = no
logon script = %U.bat
logon path = \\cannibal\profiles$\%U\%a
logon drive = G:
logon home = \\cannibal\%U
bind interfaces only = yes
interfaces = eth0, lo
hosts allow = 10.10.10. 127.
wins support = yes
dns proxy = yes
passdb backend = ldapsam:ldaps://cannibal.example.com/
ldap admin dn = cn=ldapmaster/ad...@example.com,ou=KerberosPrincipals,dc=example,dc=com
ldap suffix = dc=hogwarth,dc=edu
ldap group suffix = ou=groups
ldap user suffix = ou=KerberosPrincipals
ldap machine suffix = ou=computers
ldap idmap suffix = sambaDomainName=EXAMPLE
ldap ssl = On
ldap delete dn = Yes
idmap backend = ldap:ldaps://cannibal.example.com/
idmap uid = 1-25000
idmap gid = 1-25000
Pam password change = yes
ldap passwd sync = yes
unix password sync = no
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n *Retype*new*password* %n
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m -a "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
dos charset = cp852
unix charset = iso8859-2
display charset = LOCALE
restrict anonymous = 0

[homes]
comment = Home Directories
valid users = %S
browseable = no
writable = yes
admin users = %u
write list = %u
read list = %u
create mask = 0644
directory mask = 0755

[netlogon]
path = /samba/netlogon
writable = no
browseable = no
share modes = no
admin users = @"Domain Admins"

[profiles]
path = /samba/profiles
valid users = %U, "@Domain Admins"
writeable = yes
inherit permissions = yes
create mask = 0644
directory mask = 0755
Re: [Samba] Samba Authorizations
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 31.03.2009 20:21, Tom Duerbusch wrote:
>
> linux61:/etc/samba # cat smb.conf
> # Samba config file created using SWAT
> # from 205.235.227.16 (205.235.227.16)
> # Date: 2009/03/31 12:42:57
>
> [global]
> workgroup = TESTWORKS
> netbios name = HOBBIT
> null passwords = Yes
> ldap ssl = no
>
> [cityworksro]
> comment = cityworks read only
> path = /home/documents

one way could be:

put the R/W users in one group, the R/O users in a second group.

put a line into [cityworksro]:

valid users = @, @

and use setfacl for the whole directory to assign specific rights for both groups.

Setting browseable = no should prevent every other user from seeing that share, but it could also hinder the R/W users from finding that share via search.

Cheers
Matthias

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAknSbJwACgkQf3LySRiTg2wrCACfcDaneWjzi9AMuEhXa+PVRCwi
6bAAn12TQib9SSBewjmrbGOn1fXKaH7+
=i1dY
-----END PGP SIGNATURE-----
[Samba] firewalls and winbind authentication to trusted domains
Hello,

I currently have a DOMAIN-A and a DOMAIN-B with a one-way trust so that DOMAIN-B trusts DOMAIN-A. There is also a firewall separating the two domains, and I have opened the necessary ports for authentication and replication to take place between the domain controllers. This works fine.

Now I have users on Domain A that need to log into machines on Domain B. This works fine when a user logs into a Windows machine. However, I've found that when logging into a Linux machine using winbind authentication, the machine is attempting to communicate with the domain controllers on DOMAIN-A. Authentication will not work unless I allow this traffic, but for security reasons, I'd rather not have to. It's almost as if the Windows machines are able to obtain information about DOMAIN-A from DOMAIN-B, but winbind cannot. Is there some way to enable this behavior?

I am using samba 3.2.7 on CentOS.

--
Michael Conigliaro
Computer Analyst
Fuss & O'Neill Technologies
www.fandotech.com
[Samba] Samba Authorizations
There is one little piece I'm missing.

I have a Samba directory: /home/documents

I have 10 Windows XP users that need R/W access to this directory.
I have another 10 Windows XP users that need R/O access to this directory.
No other Windows users should be able to see this directory.

The R/W users will get access by doing a Windows Search, Computers, and clicking on the directory. They may also map the directory to a drive letter, but that shouldn't be necessary.

Most R/O users will be accessing this directory via UNC (i.e. double click on a document name that is embedded in another file).

I have a test Samba server. The SMB.CONF is near the bare minimum:

linux61:/etc/samba # cat smb.conf
# Samba config file created using SWAT
# from 205.235.227.16 (205.235.227.16)
# Date: 2009/03/31 12:42:57

[global]
workgroup = TESTWORKS
netbios name = HOBBIT
null passwords = Yes
ldap ssl = no

[cityworksro]
comment = cityworks read only
path = /home/documents
linux61:/etc/samba #

I don't have an LDAP server, but that may change in late summer.

I seem to go back and forth between windows users having complete R/W access to this directory and no windows users having access to this directory. It doesn't seem to matter if I create Linux userids with Yast, or if I create Samba users via SMBPASSWD.

I've been reading "The Official Samba 3.2.x HOWTO and Reference Guide" as well as Samba-3 by Example. They either have too simple a setup or jump to a lot more complex an example.

I've been maintaining this via SWAT.

So what really needs to be done?

Thanks

Tom Duerbusch
THD Consulting
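Tom's question and Matthias's reply earlier in this digest describe the same split: one group with R/W access, one with R/O, nobody else able to see the share, enforced both in smb.conf and with setfacl on the directory. As an added example of my own (not from either post), the script below prints the [cityworksro] stanza and the setfacl commands that realise it, and checks the stanza for the two mistakes that are easiest to make by hand. The group names docs_rw and docs_ro are assumed; the share name and path are Tom's; the read list / write list lines and inherit acls are additions beyond the single valid users line Matthias mentioned.

```shell
#!/bin/sh
# Added example (not from the list thread): implements the two-group
# layout for Tom's [cityworksro] share. smb.conf restricts the share to
# the two groups and demotes the R/O group at the SMB layer; POSIX ACLs
# enforce the same split on /home/documents at the filesystem layer, so
# a user who reaches the tree another way (ssh, a second share) gets the
# same answer. Group names docs_rw / docs_ro are assumptions.

SHARE_PATH="${SHARE_PATH:-/home/documents}"
RW_GROUP="${RW_GROUP:-docs_rw}"
RO_GROUP="${RO_GROUP:-docs_ro}"

# share_stanza: print the smb.conf share section. "valid users" is the
# allow-list, "read list" forces the R/O group read-only even where mode
# bits would allow writing, and "browseable = no" hides the share from
# the browse list (Matthias's caveat: R/W users then need the UNC path).
share_stanza() {
    cat <<EOF
[cityworksro]
    comment = cityworks read only
    path = $SHARE_PATH
    valid users = @$RW_GROUP, @$RO_GROUP
    read list = @$RO_GROUP
    write list = @$RW_GROUP
    browseable = no
    inherit acls = yes
    create mask = 0660
    directory mask = 0770
EOF
}

# acl_commands: print the setfacl commands for the tree. The d: entries
# are default ACLs so files created later inherit the same split; the
# "other" entry is cleared so nobody outside the two groups can read.
acl_commands() {
    cat <<EOF
setfacl -R -m g:$RW_GROUP:rwx,g:$RO_GROUP:r-x,o::--- $SHARE_PATH
setfacl -R -m d:g:$RW_GROUP:rwx,d:g:$RO_GROUP:r-x,d:o::--- $SHARE_PATH
EOF
}

# check_stanza: every group in read list / write list must also be in
# valid users (otherwise it never connects), and no group may be in
# both lists (write list wins and the R/O intent is silently lost).
# Returns 0 when the stanza is consistent.
check_stanza() {
    stanza=$(share_stanza)
    valid=" $(printf '%s\n' "$stanza" | sed -n 's/^ *valid users = //p' | tr ',' ' ') "
    ro=$(printf '%s\n' "$stanza" | sed -n 's/^ *read list = //p' | tr ',' ' ')
    rw=$(printf '%s\n' "$stanza" | sed -n 's/^ *write list = //p' | tr ',' ' ')
    for g in $ro $rw; do
        case "$valid" in
            *" $g "*) ;;
            *) echo "$g is not in valid users" >&2; return 1 ;;
        esac
    done
    for g in $ro; do
        case " $rw " in
            *" $g "*) echo "$g is in both read list and write list" >&2; return 1 ;;
        esac
    done
    return 0
}

# --print shows what would be done; --apply runs the setfacl commands
# (needs root and a filesystem mounted with ACL support).
case "${1:-}" in
    --print) check_stanza && share_stanza && acl_commands ;;
    --apply) check_stanza && acl_commands | sh -e ;;
esac
```

Running with --print and pasting the stanza into smb.conf, then testparm, is the safe order; the ACL side needs the filesystem mounted with ACL support, which is the step the guide linked in the "Adding additional groups" thread above covers.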
[Samba] nis and samba
I use NIS for allowing access to my samba shares. Membership by users in their respective NIS groups, and then using those groups in my smb.conf file, will determine their ability to access specific shares.

When I make changes to /etc/group on the NIS master and then publish those changes to my clients, samba is never aware of those changes until I stop/start the smb and nmb services.

Is there another way of making samba aware of changes in my yp maps other than the disruptive stop/start method I use now?

Thanks in advance,
Bob Rohde
Re: [Samba] Enable samba BDC to allow writing to local LDAP
passdb backend = ldapsam:"ldap://local_ldap.yourdomain.com ldap://remote_ldap.yourdomain.com"

Leandro LATTANZIO wrote:

How to configure smb.conf of a samba BDC server so that all changes (users' password changes, joining computers) are written to the local LDAP?

I've set the remote LDAPs (BDCs) up with a multimaster configuration via syncrepl. The LDAP Multimaster feature works fine (N-way replication works perfectly).

I need this configuration to avoid errors when a user must change his/her password in a remote office (BDC) connected via WAN to the central office (PDC), and the link is down.

I use openldap 2.4.11 and samba 3.0.33 (on Redhat Enterprise Linux Server 5.2 x86_64)

Thanks in advance.

Regards.
Leandro.
Re: [Samba] A secondary domain controller for remote clients
first things first. are you running LDAP?

Germán Bobr wrote:

Hello

I have a samba PDC in an office with folder redirection. The people want to access their files remotely, so I have set up a simple hamachi VPN. The clients can connect and synchronize their files, but it's extremely slow. Is it possible to set up a second samba server in a high speed datacenter synchronized with the office one? Can anyone give me some info about how to do that?

Thank you
Re: [Samba] Samba PDC & Squid NTLM Auth - Same machine
David, it did not work.

Any suggestion?

Victor Medina

Samuel Goldwyn - "I don't think anyone should write their autobiography until after they're dead."

On Wed, Apr 1, 2009 at 12:13 PM, David Wells wrote:
> Victor Medina wrote:
>>
>> Hi Guys!
>>
>>
>> Probably this is not the best place to ask, I'll try anyway... =)
>>
>> I've been trying to configure a Samba PDC and a Squid Proxy server
>> with NTLM auth on the same machine but NTLM_AUTH keeps complaining
>> about: NT_STATUS_INVALID_HANDLE. I have other machines running
>> Squid and Authenticating against a Samba Server but on different
>> machines, this is the first time I try both on the same machine.
>>
>> Can I use Squid+NTLM Auth and Samba configured as PDC on the same
>> machine? Is there any winbind issue with this kind of configuration?
>>
>> I'm using SLES10+SP2
>> Samba version as reported by rpm is 3.0.32-0.8
>> Squid version as reported by rpm is 2.5.STABLE12-18.13
>>
>> -
>> This is my smb.conf
>>
>> [global]
>> dos charset = 850
>> unix charset = ISO8859-1
>> workgroup = C1.SV
>> netbios name = PDCSRVC1SV
>> server string =
>> interfaces = eth0
>> bind interfaces only = Yes
>> map to guest = Bad Password
>> passdb backend = ldapsam:ldap://127.0.0.1
>> guest account = Invitado
>> time server = Yes
>> deadtime = 20
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> printcap name = cups
>> logon path =
>> logon home =
>> domain logons = Yes
>> os level = 65
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>> ldap admin dn = cn=Administrador,o=Ferreteria EPA
>> ldap delete dn = Yes
>> ldap group suffix = ou=group
>> ldap machine suffix = ou=people
>> ldap passwd sync = Yes
>> ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
>> ldap user suffix = ou=people
>> idmap domains = DEFAULT
>> idmap alloc backend = ldap
>> idmap alloc config:range = 1-10
>> idmap alloc config:ldap_url = ldap://127.0.0.1
>> idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>> idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>> idmap config DEFAULT:range = 1-10
>> idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>> idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>> idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>> idmap config DEFAULT:default = yes
>> idmap config DEFAULT:readonly = no
>> idmap config DEFAULT:backend = ldap
>> ldapsam:editposix = yes
>> ldapsam:trusted = yes
>> create mask = 0640
>> force create mode = 0640
>> directory mask = 0750
>> force directory mode = 0750
>> case sensitive = No
>> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>>
>> My relevant squid.conf lines...
>>
>> auth_param ntlm program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
>> auth_param basic program /usr/bin/ntlm_auth
>> --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
>> auth_param ntlm children 100
>> auth_param basic children 100
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>>
>>
>>
>> The pdc works as expected, machine join works like a charm, users and
>> groups management works equally right, all accounts are placed in the
>> LDAP, getent passwd, groups and shadow show the ldap accounts
>>
>> I also did a few tests with wbinfo
>>
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -u
>> invitado
>> usuarioprueba
>> e01ggen
>> e01glogis
>> e01gcont
>> e01jcomp1
>> e01jcomp2
>> e01jcomp3
>> e01jcomp4
>> e01jrepo
>> e01jreclu
>> e01rrece
>> e01gcom
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -g
>> BUILTIN
>> BUILTIN
>> domain users
>> domain admins
>> domain guests
>> grupoprueba
>> gcentralsv
>> gcompras
>> gcontrol
>> ggerencia
>> glogistica
>> gmercadeo
>> gpersonal
>> gventas
>> gjefecompras
>> gjefecontrol
>> gjefelogistica
>> gjefepersonal
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --all-domains
>> C1.SV
>>
>>
>> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>>
>>
>> I also noted this error:
>>
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo
>> --authenticate=administrator%12345678
>> plaintext password authentication failed
>> error code was NT_STATUS_NO_SUCH_USER (0xc064)
>> error messsage was: No such user
>> Could not authenticate user administrator%12345678 with plaintext password
>> winbind separator was NULL!
>> challenge/response password authentication failed
>> error code was NT_STATUS_INVALID_HANDLE (0xc008)
>> error messsage was: Invalid handle
>> Could n
[Samba] Printer permissions
I have been reading through the Samba docs and have successfully set up cups for our Canon and HP printers. I have Samba sharing out all the cups printers and have also set up the print$ share and used rpcclient to add the drivers. This is working fine and the Windows clients can successfully connect and download the drivers.

However, I cannot seem to find out how to specifically set up access to each printer so that only certain users have access to print and, most specifically, set it up such that all users have the required permissions to change print settings like choosing paper type and saddle stitch.

Any pointers to this aspect would be appreciated!

Thanks,
jlc
Re: [Samba] Samba PDC & Squid NTLM Auth - Same machine
Victor Medina wrote:

> Hi Guys!
>
> Probably this is not the best place to ask, I'll try anyway... =)
>
> I've been trying to configure a Samba PDC and a Squid proxy server with NTLM auth on the same machine, but ntlm_auth keeps complaining about:
>
>     NT_STATUS_INVALID_HANDLE
>
> I have other machines running Squid and authenticating against a Samba server, but on different machines; this is the first time I try both on the same machine.
>
> Can I use Squid+NTLM auth and Samba configured as PDC on the same machine? Is there any winbind issue with this kind of configuration?
>
> I'm using SLES10+SP2.
> Samba version as reported by rpm is 3.0.32-0.8
> Squid version as reported by rpm is 2.5.STABLE12-18.13
>
> This is my smb.conf:
>
>     [global]
>         dos charset = 850
>         unix charset = ISO8859-1
>         workgroup = C1.SV
>         netbios name = PDCSRVC1SV
>         server string =
>         interfaces = eth0
>         bind interfaces only = Yes
>         map to guest = Bad Password
>         passdb backend = ldapsam:ldap://127.0.0.1
>         guest account = Invitado
>         time server = Yes
>         deadtime = 20
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         printcap name = cups
>         logon path =
>         logon home =
>         domain logons = Yes
>         os level = 65
>         preferred master = Yes
>         domain master = Yes
>         wins support = Yes
>         ldap admin dn = cn=Administrador,o=Ferreteria EPA
>         ldap delete dn = Yes
>         ldap group suffix = ou=group
>         ldap machine suffix = ou=people
>         ldap passwd sync = Yes
>         ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
>         ldap user suffix = ou=people
>         idmap domains = DEFAULT
>         idmap alloc backend = ldap
>         idmap alloc config:range = 1-10
>         idmap alloc config:ldap_url = ldap://127.0.0.1
>         idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>         idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>         idmap config DEFAULT:range = 1-10
>         idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>         idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>         idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>         idmap config DEFAULT:default = yes
>         idmap config DEFAULT:readonly = no
>         idmap config DEFAULT:backend = ldap
>         ldapsam:editposix = yes
>         ldapsam:trusted = yes
>         create mask = 0640
>         force create mode = 0640
>         directory mask = 0750
>         force directory mode = 0750
>         case sensitive = No
>         dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>
> My relevant squid.conf lines...
>
>     auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
>     auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
>     auth_param ntlm children 100
>     auth_param basic children 100
>     auth_param basic realm Squid proxy-caching web server
>     auth_param basic credentialsttl 2 hours
>
> The PDC works as expected, machine join works like a charm, users and groups management works equally right, all accounts are placed in the LDAP; getent passwd, groups and shadow show the LDAP accounts.
>
> I also did a few tests with wbinfo:
>
>     e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -u
>     invitado
>     usuarioprueba
>     e01ggen
>     e01glogis
>     e01gcont
>     e01jcomp1
>     e01jcomp2
>     e01jcomp3
>     e01jcomp4
>     e01jrepo
>     e01jreclu
>     e01rrece
>     e01gcom
>
>     e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -g
>     BUILTIN
>     BUILTIN
>     domain users
>     domain admins
>     domain guests
>     grupoprueba
>     gcentralsv
>     gcompras
>     gcontrol
>     ggerencia
>     glogistica
>     gmercadeo
>     gpersonal
>     gventas
>     gjefecompras
>     gjefecontrol
>     gjefelogistica
>     gjefepersonal
>
>     e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --all-domains
>     C1.SV
>
> I also made sure squid users can read /var/lib/samba/winbindd_privileged.
>
> I also noted this error:
>
>     e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --authenticate=administrator%12345678
>     plaintext password authentication failed
>     error code was NT_STATUS_NO_SUCH_USER (0xc064)
>     error messsage was: No such user
>     Could not authenticate user administrator%12345678 with plaintext password
>     winbind separator was NULL!
>     challenge/response password authentication failed
>     error code was NT_STATUS_INVALID_HANDLE (0xc008)
>     error messsage was: Invalid handle
>     Could not authenticate user administrator with challenge/response
>
> Does someone have any idea of what could go wrong?
>
> When I use Squid and Samba on different machines I usually join the Squid machine to the domain using a net join; is this necessary when the PDC and Squid are on the same machine?
>
> Victor Medina
>
> Samuel Goldwyn - "I don't think anyone should write their autobiography until after they're dead."

I think you should add lo to the interfaces listed in smb.conf

Best regards,
David Wells.
[Samba] Samba PDC & Squid NTLM Auth - Same machine
Hi Guys!

Probably this is not the best place to ask, I'll try anyway... =)

I've been trying to configure a Samba PDC and a Squid proxy server with NTLM auth on the same machine, but ntlm_auth keeps complaining about:

    NT_STATUS_INVALID_HANDLE

I have other machines running Squid and authenticating against a Samba server, but on different machines; this is the first time I try both on the same machine.

Can I use Squid+NTLM auth and Samba configured as PDC on the same machine? Is there any winbind issue with this kind of configuration?

I'm using SLES10+SP2.
Samba version as reported by rpm is 3.0.32-0.8
Squid version as reported by rpm is 2.5.STABLE12-18.13

This is my smb.conf:

    [global]
        dos charset = 850
        unix charset = ISO8859-1
        workgroup = C1.SV
        netbios name = PDCSRVC1SV
        server string =
        interfaces = eth0
        bind interfaces only = Yes
        map to guest = Bad Password
        passdb backend = ldapsam:ldap://127.0.0.1
        guest account = Invitado
        time server = Yes
        deadtime = 20
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = cups
        logon path =
        logon home =
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=Administrador,o=Ferreteria EPA
        ldap delete dn = Yes
        ldap group suffix = ou=group
        ldap machine suffix = ou=people
        ldap passwd sync = Yes
        ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
        ldap user suffix = ou=people
        idmap domains = DEFAULT
        idmap alloc backend = ldap
        idmap alloc config:range = 1-10
        idmap alloc config:ldap_url = ldap://127.0.0.1
        idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
        idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
        idmap config DEFAULT:range = 1-10
        idmap config DEFAULT:ldap_url = ldap://127.0.0.1
        idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
        idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
        idmap config DEFAULT:default = yes
        idmap config DEFAULT:readonly = no
        idmap config DEFAULT:backend = ldap
        ldapsam:editposix = yes
        ldapsam:trusted = yes
        create mask = 0640
        force create mode = 0640
        directory mask = 0750
        force directory mode = 0750
        case sensitive = No
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

My relevant squid.conf lines...

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
    auth_param ntlm children 100
    auth_param basic children 100
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

The PDC works as expected, machine join works like a charm, users and groups management works equally right, all accounts are placed in the LDAP; getent passwd, groups and shadow show the LDAP accounts.

I also did a few tests with wbinfo:

    e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -u
    invitado
    usuarioprueba
    e01ggen
    e01glogis
    e01gcont
    e01jcomp1
    e01jcomp2
    e01jcomp3
    e01jcomp4
    e01jrepo
    e01jreclu
    e01rrece
    e01gcom

    e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -g
    BUILTIN
    BUILTIN
    domain users
    domain admins
    domain guests
    grupoprueba
    gcentralsv
    gcompras
    gcontrol
    ggerencia
    glogistica
    gmercadeo
    gpersonal
    gventas
    gjefecompras
    gjefecontrol
    gjefelogistica
    gjefepersonal

    e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --all-domains
    C1.SV

I also made sure squid users can read /var/lib/samba/winbindd_privileged.

I also noted this error:

    e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --authenticate=administrator%12345678
    plaintext password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc064)
    error messsage was: No such user
    Could not authenticate user administrator%12345678 with plaintext password
    winbind separator was NULL!
    challenge/response password authentication failed
    error code was NT_STATUS_INVALID_HANDLE (0xc008)
    error messsage was: Invalid handle
    Could not authenticate user administrator with challenge/response

Does someone have any idea of what could go wrong?

When I use Squid and Samba on different machines I usually join the Squid machine to the domain using a net join; is this necessary when the PDC and Squid are on the same machine?

Victor Medina

Samuel Goldwyn - "I don't think anyone should write their autobiography until after they're dead."
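An added check, not from the thread, for the configuration David Wells' reply points at: "bind interfaces only = Yes" combined with an "interfaces" list that omits the loopback interface, which leaves local helpers such as ntlm_auth and winbindd unable to reach smbd over 127.0.0.1. It assumes POSIX sh plus awk; the smb.conf path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the thread): report an smb.conf whose [global]
# section sets "bind interfaces only = Yes" without a loopback entry in
# "interfaces". smbd then listens only on the named interfaces, so local
# helpers such as ntlm_auth/winbindd cannot reach it over 127.0.0.1.

# smb_param FILE NAME -> print the lower-cased value of NAME from [global]
# (whitespace and case in the key are ignored, as smbd itself does).
smb_param() {
    awk -v want="$2" '
        BEGIN { w = tolower(want); gsub(/[ \t]/, "", w) }
        /^[ \t]*[;#]/ { next }                       # comment line
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t]/, "", s)
                        insec = (s == "[global]"); next }
        insec && index($0, "=") {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == w) { print val; exit }
        }' "$1"
}

# check_loopback FILE -> 0 when local helpers can reach smbd, 1 otherwise
check_loopback() {
    case "$(smb_param "$1" "bind interfaces only")" in
        yes|true|1) ;;                 # restricted: loopback must be listed
        *) return 0 ;;                 # default: smbd binds every interface
    esac
    ifaces=$(smb_param "$1" interfaces | tr ',' ' ')
    for i in $ifaces; do
        case "$i" in
            lo|lo0|127.0.0.1|127.0.0.1/*|::1|::1/*) return 0 ;;
        esac
    done
    echo "smb.conf: 'bind interfaces only' is set but 'interfaces = $ifaces' lists no loopback interface; add lo" >&2
    return 1
}

# Usage: sh check_loopback.sh /etc/samba/smb.conf
if [ -n "${1:-}" ]; then
    check_loopback "$1"
fi
```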
[Samba] to idmap_ldap or not to idmap_ldap
Hello list,

since we're going to authenticate all users against AD and winbind, I'm asking myself if I need idmap_ldap in my setup.

We will have a DC, mainly for Citrix, in a single domain in every branch; smb.conf will be mostly the same for every server. Will idmap use the same mapping on every server? Esp.: on my main server I got uid=10001; will the user in branch a) be assigned the same uid 10001?

OR should I set up LDAP on our main server and configure it on every branch server for r/w? Should the main LDAP replicate to the branches and have a local LDAP there, too, for speed reasons or when the WAN link kicked the bucket?

Questions over questions ;)

Cheers
Matthias
[Samba] [Announce] Samba 3.2.9 Maintenance Release Available
"In summer, the song sings itself."

                                        William Carlos Williams

Release Announcements
=====================

This is a maintenance release of the Samba 3.2 series.

Major enhancements included in Samba 3.2.9 are:

  o Migrating from 3.0.x to 3.3.x can fail to update passdb.tdb correctly (bug #6195).
  o Fix guest authentication in setups with "security = share" and "guest ok = yes" when Winbind is running.
  o Fix corruptions of source path in tar mode of smbclient (bug #6161).

Changes
=======

Changes since 3.2.8
-------------------

o Michael Adam
  * Add script fill-templates.
  * Make update-pkginfo callable from any directory.

o Jeremy Allison
  * BUG 6099: Samba returns inaccurate capabilities list.
  * BUG 6133: Cannot delete non-ACL files on Solaris/ZFS/NFSv4 ACL filesystem.
  * BUG 6161: smbclient corrupts source path in tar mode.
  * BUG 6195: Migrating from 3.0.x to 3.3.x can fail to update passdb.tdb correctly.
  * BUG 6196: Unable to serve files with colons to Linux CIFS/VFS client.
  * BUG 6224: nmbd waits 5 minutes at startup before checking if it needs to run elections.
  * Correctly use chroot().
  * Parameterize in local.h the MAX_RPC_DATA_SIZE, and ensure that "offered" read from the rpc packet in spoolss is under that size.
  * Fix Coverity ID 602.
  * Backport the semantics of when to delete alternate data streams on a file truncate.
  * Allow set attributes on a stream fnum to be redirected to the base filename.
  * Fix use of streams modules with CIFSFS client.
  * Fix more POSIX path lstat calls.
  * Allow DFS client paths to work when POSIX pathnames have been selected.
  * Try and fix the build farm RAW-STREAMS errors.
  * Ensure files starting with multiple dots are hidden.

o Steven Danneman
  * Fix guest auth when Winbind is running.

o Günther Deschner
  * BUG 6102: NetQueryDisplayInformation could return wrong information.
  * BUG 6193: Avoid messing with sync_context in fetch_database_to_ldif().
  * Fix memleak in get_remote_printer_publishing_data().
  * Add pidl in order to be able to regenerate librpc functions.
  * Fix Coverity IDs 722, 762.

o Steve French
  * cifs mount fix for handling -V parameter.
  * Fix guest mounts.

o Holger Hetterich
  * Enable total anonymization in vfs_smb_traffic_analyzer.

o Björn Jacke
  * Enable IPv6 support for NetBSD and FreeBSD.
  * Prefer gssapi header files from subdirectory.
  * Fix build on old Heimdal based systems.
  * Use parentheses in if condition to make negation clear.

o Günter Kukkukk
  * Don't try and delete a default ACL from a file.

o Jeff Layton
  * Initialize rc to 0 in main.

o Volker Lendecke
  * BUG 6100: Complete fix.
  * BUG 6130: Don't crash in winbindd_rpc lookup_groupmem() on unmapped members.
  * BUG 6097: Fix smbd segfault.
  * Fix remotely adding a share via MMC.
  * Fix resume handle for _samr_EnumDomainGroups.
  * Fix Coverity IDs 742, 744, 745, 879, 880.
  * Fix a buffer handling bug when adding lots of registry keys.
  * Fix a O(n^2) algorithm in regdb_fetch_keys().
  * Fix an uninitialized variable warning.
  * Fix a valgrind error / segfault in dns_register_smbd().
  * Don't log NDR_PRINT_DEBUG at level 0, this always ends up in syslog.
  * Fix a malloc/talloc mismatch when cli_initialise() fails.
  * Fix a valgrind error.
  * Fix two memleaks in the encryption code.
  * Fix gcc 4.4 compile warning.
  * Fix a scary "fill_share_mode_lock failed" message.

o Derrell Lipman
  * BUG 6228: Fix SMBC_open_ctx failure due to path resolve failure doesn't set errno.

o Stefan Metzmacher
  * BUG 6100: Implement _netr_LogonGetCapabilities() with NT_STATUS_NOT_IMPLEMENTED.
  * Add S-1-22-X-Y sids to the local token.
  * Add idl for netr_LogonGetCapabilities().
  * Fix the build on SLES8.
  * Fix smb signing for fragmented trans/trans2/nttrans requests.

o Glenn Machin
  * Don't miss an absolute pathname as a kerberos keytab path.

o Shirish Pargaonkar
  * Clean-up entries in /etc/mtab after unmount.
  * Add fakemount (-f) and nomtab (-n) flags to mount.cifs.

o Ted Percival
  * Fix a crash during name resolution when log level >= 10 and libc segfaults if printf is passed NULL for a "%s" arg (e.g. Solaris).

o Tim Prouty
  * Fix SMB_VFS_RECVFILE/SENDFILE macros.
  * Parse_packet can return NULL which is then dereferenced in match_mailslot_name.

o Dan Sledz
  * Fix double free caused by incorrect talloc_steal usage.

o Aravind Sriniva
[Samba] Error: Rejecting auth request from client MAILBKP1 machine account MAILBKP1$
I have a Samba 3.3.2 member server, named mailbkp1, which I joined to a Samba 3.3.2 domain controller. At joining time, I got two errors on the domain controller, which I report here:

    [2009/03/31 14:08:47, 0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(546)
      _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client MAILBKP1 machine account MAILBKP1$

After joining, users can log on properly, and everything seems to work, but every time the member server gets a new connection and contacts the DC to authenticate the user, I get that error again.

I have searched through the bug tracking system, and found that older versions of Samba showed this behaviour, but I supposed that this was corrected in later versions.

I have also tried joining a 3.3.2 Samba server to an NT4 PDC, and while the Samba member server works properly, I get similar messages (the machine failed to authenticate itself) in the Event Viewer of the NT4 PDC.

Is there an open bug about this? I have found none.
[Samba] Some users / Access Denied
Hi everyone,

I'm requesting your help about an issue I've been facing for 2 weeks.

I've set up a Solaris server (Solaris 10 Update 6) with zoning. On a zone I've enabled the samba service (samba v 3.0.28).

In my smb.conf, my auth section looks like that:

    workgroup = Mydomain
    netbios name = MyComputer
    server string = MyComputer
    security = ADS
    use kerberos keytab = true
    winbind separator = -
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    # winbind cache time = 1800
    idmap uid = 10-20
    idmap gid = 10-20
    template homedir = /home/%D/%U
    template shell = /bin/bash
    client use spnego = yes
    client NTLMv2 auth = yes
    password server = MyDC, MyDC2, MyDC3
    realm = MyDomain.DOM
    passdb backend = smbpasswd
    # encrypt passwords = yes
    wins support = no
    wins server = MyDC
    wins proxy = no
    dns proxy = no
    nt acl support = no
    add user script = /usr/sbin/useradd %u
    add group script = /usr/sbin/groupadd %g
    add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
    delete user script = /usr/sbin/userdel %u
    delete user from group script = /usr/sbin/deluser %u %g
    delete group script = /usr/sbin/groupdel %g

For the shares:

    [share]
        path = /partage/%S
        writable = yes
        acl check permissions = False
        vfs objects = zfsacl
        create mask = 0700
        directory mask = 0700

In addition, I have a krb5.conf for kerberos.

Everything works fine for me and most users, but some of them can't access some shares. The strange thing is that they are in groups which normally allow them to. When I run wbinfo -r user, I see them in the right group (the one put on the share)!!!

In the log I just see an NT_ACCESS_DENIED without more explanation.

So if someone could help...

Thanks,
Benjamin
[Samba] Proper use of tdbbackup
I have googled a lot, but I have found no examples of the correct use of the tdbbackup program.

I am looking for some advice on how to use tdbbackup. I mean, I know I can simply run "tdbbackup *.tdb", but I was looking for in-depth information on when and how to use it, about best practices on using it, or what NOT to do.

The Samba documentation says I should run it in my start/stop scripts, but it seems that no distribution actually does this. Why? Is there some drawback that I don't understand?

I was thinking of running it every day as a cron job (not restarting Samba) and saving some backlog (some days' worth of old backups). Is it useful? Since domain member machines change their domain password (am I correct?) automatically, if I restore an old backup can this lead to machines being unable to talk to the (samba) domain controller?

Thanks
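As an added example, not from the thread, one shape of the daily cron job described above: a POSIX sh script that runs tdbbackup against each live TDB directory without restarting Samba, keeps a dated backlog and prunes snapshots older than a retention window. The directory paths, retention and script name are assumed placeholders; tdbbackup is expected on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a daily tdbbackup run that keeps a
# dated backlog of copies and prunes old ones. Paths and retention are
# constructed defaults; override them from the environment or cron.
# secrets.tdb holds the machine account and LDAP admin passwords, so the
# copies are created unreadable to other users (umask 077).

TDB_DIRS="${TDB_DIRS:-/var/lib/samba /var/cache/samba}"   # live *.tdb files
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/samba-tdb}"
KEEP_DAYS="${KEEP_DAYS:-7}"

# backup_tdbs SRC_DIR DEST_DIR
# tdbbackup opens each TDB through the tdb library while smbd keeps running
# and writes its copy as FILE.bak beside the live file; we move that copy
# into DEST_DIR so the live directory stays clean. Returns 1 on any failure.
backup_tdbs() {
    src=$1; dest=$2; failed=0
    umask 077
    mkdir -p "$dest" || return 1
    for f in "$src"/*.tdb; do
        [ -f "$f" ] || continue
        if tdbbackup "$f"; then
            mv "$f.bak" "$dest/$(basename "$f").bak"
        else
            echo "tdbbackup failed for $f" >&2
            failed=1
        fi
    done
    return $failed
}

# prune_backups ROOT DAYS -> delete snapshot directories older than DAYS
prune_backups() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -mtime +"$2" -exec rm -rf {} +
}

# One run = one dated snapshot directory; schedule with cron, e.g.
#   30 3 * * * root /usr/local/sbin/tdb-backup.sh run
main() {
    snap="$BACKUP_ROOT/$(date +%Y-%m-%d)"
    rc=0
    for d in $TDB_DIRS; do
        [ -d "$d" ] || continue
        backup_tdbs "$d" "$snap/$(basename "$d")" || rc=1
    done
    prune_backups "$BACKUP_ROOT" "$KEEP_DAYS"
    return $rc
}

if [ "${1:-}" = run ]; then
    main
fi
```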