Re: [Samba] how to join to AD ?

2009-11-25 Thread Kevin Keane
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of mistofeles
> Sent: Wednesday, November 25, 2009 1:52 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] how to join to AD ?
> 
> 
> 
> Jason Gerfen-2 wrote:
> >
> > ADS server type will allow domain authentication for samba directories
> > You will need Samba which provides winbindd, sasl, openldap, kerberos.
> > Samba should be configured with ads, acl, ldap, kerberos, pam, winbind
> > options if you are building from source.
> > I would configure it with the following options for optimum scalability:
> > kerberos, acl, caps, cups, ipv6, ldap, pam, python, readline, winbind,
> > ads, async, automount, doc, examples, fam, quotas, selinux, swat, syslog.
> >
> 
> - Huh. In the beginning I thought all that is needed is packed to samba
> packet, which is installed with 'apt-get install samba'. Your list contains
> an unbelievable long list of packets and options I have seen no mention
> anywhere. Now it seems that I got to rip the packet open and check it
> thoroughly ?!?

Probably not. Samba should already be compiled correctly on most distributions. 
It's actually not all that bad. The remaining packages are simply packages that 
Samba uses. I don't know about your distribution, but OpenSuSE (and most other 
distributions) will automatically pull in all the required packages as 
dependencies.

Winbindd is part of Samba itself (but often split into a separate package). 
Kerberos and sasl are required because Active Directory uses Kerberos for 
authentication. Rather than reimplement it, Samba uses the Kerberos and sasl 
libraries others already wrote. Similarly, openldap is what everybody in the 
Linux world uses to access LDAP servers - Active Directory is an LDAP server.

The remaining items Jason mentioned are configurations for recompiling Samba.

> The only thing I'm sure, I will not include, is this damned IPv6.

You might want to rethink this. Expect in about two years a cutover on the 
Internet, similar to the recent conversion of broadcast TV to HDTV. We are 
getting very close to the point where Internet providers won't give you IPv4 
addresses any more but IPv6 addresses.

Right now, IPv4 is still the better choice (because Windows XP and Samba both 
only have limited IPv6 support). Of course you can still run IPv4 on your 
private network, but at some point it will be as quaint as trying to run IPX 
today.

Windows already uses IPv6 as the primary protocol; Microsoft actually 
implements most new features as IPv6-only.

> It seems odd in my eyes, that you can set samba make the tasks we ask it
> just editing the smb.conf file, if we set 'security = user', but checking
> the passwords from an external server needs editing and installing so many
> files.
> I'm not very enthusiastic to compile anything.

In my experience (OpenSUSE) no compiling necessary, but you do have to tell 
Kerberos where to look for authentication. I also had to configure PAM, but I 
think that was for something different, not Samba.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] NAS on 2 sites connected via slow link

2009-11-25 Thread Koen Linders
I hope I'm clear about what I try to do and what I hope would happen :)
I thought the data didn't have to be transferred over the link.

Let's say
Site A: PDC 192.168.1.2/24
Site B: NAS 192.168.5.2/24

I thought I could mount the NAS on a directory defined as share on the PDC.
And when mounted that when they log on to the PDC and copy/access the data
on the share (NAS) traffic stays local because it happens all in the same
subnet? 
Accessing the data would be from Explorer in Windows XP SP3.

I'm probably wrong reading your reaction. So maybe I'm better off installing
a 2d server on site B?

> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of Kevin Keane
> Sent: Thursday, November 26, 2009 8:41
> To: samba@lists.samba.org
> Subject: Re: [Samba] NAS on 2 sites connected via slow link
> 
> Seems like a nightmare in the making... Basically, no matter what you
> do, the data has to be transferred.
> 
> How are users going to access the files on site B? If it is through a
> Web browser, then a caching proxy in Site A might be your best answer.
> 
> Your best option might be to cache the files on Site A, and use rsync
> to copy them to/from site B. If the NAS doesn't support rsync, look
> into FTP - it's probably the fastest data transfer protocol around.
> 
> Don't use NFS over slow links. It's one of the weaknesses of NFS.
> 
> > -Original Message-
> > From: samba-boun...@lists.samba.org [mailto:samba-
> > boun...@lists.samba.org] On Behalf Of Koen Linders
> > Sent: Wednesday, November 25, 2009 10:38 PM
> > To: samba@lists.samba.org
> > Subject: [Samba] NAS on 2 sites connected via slow link
> >
> > Let's say: 2 sites: 2 subnets connected via slow link (1M)
> > Site A: Samba 3 PDC
> > Site B: NAS for large videofiles
> >
> > People will work with/view the files on site B. Data will grow in time.
> > I want to mount the NAS on the PDC so I can integrate it in a share on
> > site A.
> >
> > Anyone has good/bad experience with this kind of situation? Maybe a NAS
> > system which works without a problem?
> > Anything I should check for (NFS support I guess)?
> >
> > Greeting,
> > Koen Linders
> >
> >


Re: [Samba] how to join to AD ?

2009-11-25 Thread Diego Zuccato

Jason Gerfen wrote:


auth   sufficient   pam_winbind.so

[...]

auth   sufficient   pam_krb5.so use_first_pass

[...]

account    sufficient   pam_krb5.so ignore_root
account    sufficient   pam_winbind.so
Why are you using both pam_winbind and pam_krb5 ? Shouldn't winbind 
already handle krb5 auth?


--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zucc...@unibo.it


Re: [Samba] NAS on 2 sites connected via slow link

2009-11-25 Thread Kevin Keane
Seems like a nightmare in the making... Basically, no matter what you do, the 
data has to be transferred.

How are users going to access the files on site B? If it is through a Web 
browser, then a caching proxy in Site A might be your best answer.

Your best option might be to cache the files on Site A, and use rsync to copy 
them to/from site B. If the NAS doesn't support rsync, look into FTP - it's 
probably the fastest data transfer protocol around.

Don't use NFS over slow links. It's one of the weaknesses of NFS.

> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of Koen Linders
> Sent: Wednesday, November 25, 2009 10:38 PM
> To: samba@lists.samba.org
> Subject: [Samba] NAS on 2 sites connected via slow link
> 
> Let's say: 2 sites: 2 subnets connected via slow link (1M)
> Site A: Samba 3 PDC
> Site B: NAS for large videofiles
> 
> People will work with/view the files on site B. Data will grow in time.
> I want to mount the NAS on the PDC so I can integrate it in a share on
> site A.
> 
> Anyone has good/bad experience with this kind of situation? Maybe a NAS
> system which works without a problem?
> Anything I should check for (NFS support I guess)?
> 
> Greeting,
> Koen Linders
> 
> 


Re: [Samba] Windows 7 domain issues

2009-11-25 Thread Kevin Keane
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of Alex Ferrara
> Sent: Wednesday, November 25, 2009 2:17 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] Windows 7 domain issues
> 
> The DNS update issue I have resolved by insisting that DHCPD perform
> the update, and ignore the client request. I found that Windows 7 tells
> DHCPD that it will perform the DNS update, and by default, DHCPD will
> then let it. The directive in dhcpd.conf is "deny client-updates".

Yes, I think that is what I remembered so vaguely. In the end, though, I turned 
off secure DNS updates. I can't remember exactly what the difference was, but 
there was something that the update by Windows 7 did that DHCP didn't. Might 
have been setting up the PTR records. I think it did have something to do with 
IPv6.

> As for the password related issues, I think you might be right, and the
> answer lies in the password strength required.

It is slowly coming back to me; I think it was also related to SMB block 
signing.

> I too am holding my breath for Samba4. I have been considering
> implementing either Franky, or Samba4 alpha in the role of PDC, and
> using Samba3 to do the file sharing. I'm just a little concerned that
> it might eat my cat.

LOL! I am not so much concerned about that. If I understand it correctly, the 
main reason Samba4 isn't released yet is security rather than functionality.

I am also concerned about what version of Active Directory it will end up 
having. It's been close to ten years in the making, and Active Directory is 
very much a moving target. Microsoft has moved from Windows 2000 to Windows 
2008 in the meantime. Some applications need the latest AD. For instance, will 
you be able to install Exchange 2007 on a member server, and will Samba allow 
the necessary schema updates?



[Samba] NAS on 2 sites connected via slow link

2009-11-25 Thread Koen Linders
Let's say: 2 sites: 2 subnets connected via slow link (1M)
Site A: Samba 3 PDC 
Site B: NAS for large videofiles

People will work with/view the files on site B. Data will grow in time.
I want to mount the NAS on the PDC so I can integrate it in a share on site
A.

Anyone has good/bad experience with this kind of situation? Maybe a NAS
system which works without a problem?
Anything I should check for (NFS support I guess)? 

Greeting,
Koen Linders




[Samba] domain printer issues

2009-11-25 Thread Brian May
Hello,

As of today we seem to be having printer issues. As in computers that
were working fine suddenly decided to stop working.

On one computer, no printers work at all. For some printers, if
I remove and reinstall, it complains that there are no printer drivers
on the server (incorrect). When past this stage, none of the printers
work. When I click the print test page button I get an immediate generic
"failure to print" type response.

Just in case I deleted all printers and then deleted all drivers, but it
doesn't seem to have helped.

On another computer all printers work except for one, which produces
the same generic failure message.

On another computer everything works fine. Including deleting printers,
adding printers, etc.

Any ideas?

Samba 3.4.2
Windows XP clients

Thanks

Brian May



Re: [Samba] samba 3.4.3 DC breaks Windows groups

2009-11-25 Thread Gaiseric Vandal
I think I have found the problem:

Samba 3.0.x looks for group mappings in the "ldap group suffix" param.  On
my systems this is "ldap group suffix = ou=smb_groups."   Regular unix
groups are just in ou=groups.   Initially we had used NIS (then LDAP) for
unix groups, and had used tdbsam for the samba account backend.  Group
mappings were also in tdb.  When we moved to ldap backend, group mappings
were imported into ou=smb_groups.

Samba 3.4.x reads thru the entire ldap tree.  Since I have both "cn=Domain
Administrators,ou=smb_groups" and "cn=smb_domadmins,ou=group" both with the
same gidNumber, group membership processing fails.

Therefore I think the solution will be to consolidate entries.  For example,

  - Replace "cn=smb_domadmins,ou=group" with "cn=Domain
Administrators,ou=group"
  - Copy the sambaSID from "cn=Domain Administrators,ou=smb_groups" to
"cn=Domain Administrators,ou=group"
  - Repeat for all the other mapped groups
  - Update smb.conf on the 3.0.x servers to use "ldap group suffix =
ou=group."


This is assuming of course that Solaris doesn't have problems with group
names with spaces.




-Original Message-
From: Gaiseric Vandal [mailto:gaiseric.van...@gmail.com] 
Sent: Wednesday, November 25, 2009 10:01 PM
To: samba@lists.samba.org
Subject: RE: [Samba] samba 3.4.3 DC breaks Windows groups

I have done the following 

  - Added index for sambaSID and other attributes as per the following

 http://wiki.samba.org/index.php/2.0:_Configuring_LDAP

   - replaced the samba 3.0 schema file in my LDAP Server (Sun Directory
Server) with the 3.2 version 

   -  installed samba 3.4.3 packages from sun freeware to replace those I
compiled from source.

   - Reindexed with "dsconf reindex -h ldapserver  -t sambaSID
o=mydomain.com"

Unfortunately did not resolve the group membership problem  (i.e. a user
account only appears to be in its primary group )


Querying the Samba 3.4.x BDC 

# net rpc user info Administrator -U Administrator -S BDC2
Enter Administrator's password:
Domain Users
#


Querying the Samba 3.0.x PDC

# net rpc user info Administrator -U Administrator -S PDC
Enter Administrator's password:
Domain Admins
Domain Users
# 


As far as I can tell from the comments at the top of each ldif file, the
only change was the addition of sambaTrustedDomainPassword objectClasses.




On 11/25/09 03:41, Jan Wenzel wrote:
>
> Gaiseric Vandal wrote:
>
>> I assume an index is not an actual LDAP attribute or object like
>> sambaSID but is more like a database index for optimizing searches?
>>  
> You're right :) But in some cases like substring search (samba searches
> i.e. for sambaSID=S-1-5-32-* to get the local groups) they are needed to
> get results. I don't know where to configure the indexes exactly in SDS,
> but I'm sure it is possible.
>
>
>
>> I use Sun's Directory Server (LDAP server) as the backend.  I use Apache
>> Directory Studio for managing objects and attributes within ldap.  I
>> should be able to use Sun's web-based console for creating the indexes.
>>
>> Is there something I need to specify in smb.conf to tell Samba to use
>> the index?
>>  
> Samba does not know anything about the configuration details of the LDAP
> server,
> it only talks LDAP - so it should instantly show groups when the index
> is present.
>
>
>> I also noticed that if I try to compile samba with Active Directory
>> support, configure fails with
>>
>> configure: error: Active Directory support requires ldap_initialize
>>  
> I would prefer to use the prebuilt linux packages from ftp.sernet.de (if
> you have a linux system).
>
>
>> Since sun has ldap client support included in the OS I do not have
>> openldap installed.  I don't need Active Directory but it makes me
>> suspect that there may be some other ldap compatibility issues when
>> using Sun ldap client vs Openldap client.
>>
>>
>> Thanks
>>  
> HTH
> Jan
>




Re: [Samba] samba 3.4.3 DC breaks Windows groups

2009-11-25 Thread Gaiseric Vandal
I have done the following 

  - Added index for sambaSID and other attributes as per the following

 http://wiki.samba.org/index.php/2.0:_Configuring_LDAP

   - replaced the samba 3.0 schema file in my LDAP Server (Sun Directory
Server) with the 3.2 version 

   -  installed samba 3.4.3 packages from sun freeware to replace those I
compiled from source.

   - Reindexed with "dsconf reindex -h ldapserver  -t sambaSID
o=mydomain.com"

Unfortunately did not resolve the group membership problem  (i.e. a user
account only appears to be in its primary group )


Querying the Samba 3.4.x BDC 

# net rpc user info Administrator -U Administrator -S BDC2
Enter Administrator's password:
Domain Users
#


Querying the Samba 3.0.x PDC

# net rpc user info Administrator -U Administrator -S PDC
Enter Administrator's password:
Domain Admins
Domain Users
# 


As far as I can tell from the comments at the top of each ldif file, the
only change was the addition of sambaTrustedDomainPassword objectClasses.




On 11/25/09 03:41, Jan Wenzel wrote:
>
> Gaiseric Vandal wrote:
>
>> I assume an index is not an actual LDAP attribute or object like
>> sambaSID but is more like a database index for optimizing searches?
>>  
> You're right :) But in some cases like substring search (samba searches
> i.e. for sambaSID=S-1-5-32-* to get the local groups) they are needed to
> get results. I don't know where to configure the indexes exactly in SDS,
> but I'm sure it is possible.
>
>
>
>> I use Sun's Directory Server (LDAP server) as the backend.  I use Apache
>> Directory Studio for managing objects and attributes within ldap.  I
>> should be able to use Sun's web-based console for creating the indexes.
>>
>> Is there something I need to specify in smb.conf to tell Samba to use
>> the index?
>>  
> Samba does not know anything about the configuration details of the LDAP
> server,
> it only talks LDAP - so it should instantly show groups when the index
> is present.
>
>
>> I also noticed that if I try to compile samba with Active Directory
>> support, configure fails with
>>
>> configure: error: Active Directory support requires ldap_initialize
>>  
> I would prefer to use the prebuilt linux packages from ftp.sernet.de (if
> you have a linux system).
>
>
>> Since sun has ldap client support included in the OS I do not have
>> openldap installed.  I don't need Active Directory but it makes me
>> suspect that there may be some other ldap compatibility issues when
>> using Sun ldap client vs Openldap client.
>>
>>
>> Thanks
>>  
> HTH
> Jan
>




Re: [Samba] How do I increase the 20000 millisecond timeout?

2009-11-25 Thread Jeremy Allison
On Fri, Nov 13, 2009 at 11:57:46PM -0600, Chris Baker wrote:
>  
> 
> Perhaps, this issue has already been posted here. However, I have already
> done a lot of searching on this problem.
> 
> I have Fedora Core 8 with samba-client-3.0.33-0.fc8.
> 
> As you may know, this client has a timeout of 20,000 milliseconds. I would
> like to increase this timeout as it causes numerous problems for my
> programs, mainly BackupPC.
> 
> Has anyone done this? And are there some detailed instructions on this? I
> have heard that I basically have to recompile the client.

Yes, you do currently. Sorry.

Jeremy.


Re: [Samba] Windows 7 domain issues

2009-11-25 Thread Alex Ferrara
The DNS update issue I have resolved by insisting that DHCPD perform the 
update, and ignore the client request. I found that Windows 7 tells DHCPD that 
it will perform the DNS update, and by default, DHCPD will then let it. The 
directive in dhcpd.conf is "deny client-updates".

As for the password related issues, I think you might be right, and the answer 
lies in the password strength required.

I too am holding my breath for Samba4. I have been considering implementing 
either Franky, or Samba4 alpha in the role of PDC, and using Samba3 to do the 
file sharing. I'm just a little concerned that it might eat my cat.

aF


Re: [Samba] how to join to AD ?

2009-11-25 Thread mistofeles


Jason Gerfen-2 wrote:
> 
> ADS server type will allow domain authentication for samba directories
> You will need Samba which provides winbindd, sasl, openldap, kerberos.
> Samba should be configured with ads, acl, ldap, kerberos, pam, winbind 
> options if you are building from source.
> I would configure it with the following options for optimum scalability:
> kerberos, acl, caps, cups, ipv6, ldap, pam, python, readline, winbind, 
> ads, async, automount, doc, examples, fam, quotas, selinux, swat, syslog.
> 

- Huh. In the beginning I thought all that is needed is packed to samba
packet, which is installed with 'apt-get install samba'. Your list contains
an unbelievable long list of packets and options I have seen no mention
anywhere. Now it seems that I got to rip the packet open and check it
thoroughly ?!?
The only thing I'm sure, I will not include, is this damned IPv6. 
It seems odd in my eyes, that you can set samba make the tasks we ask it
just editing the smb.conf file, if we set 'security = user', but checking
the passwords from an external server needs editing and installing so many
files.
I'm not very enthusiastic to compile anything. 


Jason Gerfen-2 wrote:
> 
> In gentoo linux the following will give you everything you need:
> USE="kerberos acl caps cups ipv6 ldap pam python readline winbind ads
> async automount doc examples fam quotas selinux swat syslog" \
> emerge mit-krb5 pam_krb5 pam_ldap openldap nss_ldap openssl cyrus-sasl ntp
> samba -va
> 
Got to go through this and check what is there already in the Ubuntu samba
deb packet :(


Jason Gerfen-2 wrote:
> 
> Here are a few file configuration examples to get you going:
> /etc/krb5.conf
> /etc/nsswitch.conf
> /etc/samba/smb.conf
> /etc/pam.d/system-auth
> ===
> #%PAM-1.0
> auth   required pam_mount.so
> . . .
> session    optional pam_krb5.so
> ===
> I hope that helps. Also if you look at the pam configuration above you 
> will see some of the best pam modules to install with Ubuntu package
> manager.
> 
Do you mean by 'module' for example pam_krb5.so ?
I thought they are built in the deb packet 

Thank you.
It will take me a day to go through all that you recommend.
-- 
View this message in context: 
http://old.nabble.com/how-to-join-to-AD---tp26513594p26520905.html
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] Serious grief with a Samba connection

2009-11-25 Thread Gaiseric Vandal

encrypted passwords should be the default-  no reason to turn that off.


On 11/25/09 16:22, Dan White wrote:

Thanks for the reply !
I can try those commands on Monday -- long Thanksgiving holiday weekend.
I do not have admin on the Sun box, but my tech lead does.

The link says to turn off password encryption.  I cannot do that.  The 
network people (government run network) will not allow that.

The samba machine is set for encrypted passwords.

On Nov 25, 2009, at 3:21 PM, Gaiseric Vandal wrote:

My guess is that they may have required NTLMv2 or something 
similar on the Win machines.  If these machines are part of an Active 
Directory domain,  it would be relatively easy for this to be done.


http://www.dennek.com/2009/03/system-error-1240-the-account-is-not-authorized-to-login-from-this-station/ 



You can use gpedit.msc on XP to check your security settings.


"smbd -v" would tell you the samba version.
"testparm -v | more "  would let you check the various settings.


Are you the sys admin for the solaris box?



On 11/25/09 14:52, Dan White wrote:

The server is on a Sun box (uname says SunOS 5.8)
I do not know what version of samba is running

For the last year and a half, I have made a daily connection from a 
Windows XP box with the following command:


net use G: \\server\volume /USER:userid password

This makes a "G" network drive that serves the purpose.

About a month ago, network folks upstream from us spewed a bunch of 
policy updates that caused serious trouble.  The worst being mine.


Now, if I try the same command on an XP box, the command executes 
successfully, the G-drive appears and then blinks to say 
"Disconnected Network Drive"


Because some of our team use them, I tried from a Windows 2000 box.  
The same command responds with :


"System Error 1240 has occurred.  The account is not authorized to 
log in from this station"


I checked the smb.conf file and found that the samba server is 
configured for encrypted passwords.  This error makes no sense.


The local network folks are convinced this is a Unix problem.

Any clues out there for this clueless one ?




Re: [Samba] Serious grief with a Samba connection

2009-11-25 Thread Dan White

Thanks for the reply !
I can try those commands on Monday -- long Thanksgiving holiday weekend.
I do not have admin on the Sun box, but my tech lead does.

The link says to turn off password encryption.  I cannot do that.   
The network people (government run network) will not allow that.

The samba machine is set for encrypted passwords.

On Nov 25, 2009, at 3:21 PM, Gaiseric Vandal wrote:

My guess is that they may have required NTLMv2 or something  
similar on the Win machines.  If these machines are part of an  
Active Directory domain,  it would be relatively easy for this to  
be done.


http://www.dennek.com/2009/03/system-error-1240-the-account-is-not-authorized-to-login-from-this-station/


You can use gpedit.msc on XP to check your security settings.


"smbd -v" would tell you the samba version.
"testparm -v | more "  would let you check the various settings.


Are you the sys admin for the solaris box?



On 11/25/09 14:52, Dan White wrote:

The server is on a Sun box (uname says SunOS 5.8)
I do not know what version of samba is running

For the last year and a half, I have made a daily connection from  
a Windows XP box with the following command:


net use G: \\server\volume /USER:userid password

This makes a "G" network drive that serves the purpose.

About a month ago, network folks upstream from us spewed a bunch  
of policy updates that caused serious trouble.  The worst being mine.


Now, if I try the same command on an XP box, the command executes  
successfully, the G-drive appears and then blinks to say  
"Disconnected Network Drive"


Because some of our team use them, I tried from a Windows 2000  
box.  The same command responds with :


"System Error 1240 has occurred.  The account is not authorized to  
log in from this station"


I checked the smb.conf file and found that the samba server is  
configured for encrypted passwords.  This error makes no sense.


The local network folks are convinced this is a Unix problem.

Any clues out there for this clueless one ?




Re: [Samba] Serious grief with a Samba connection

2009-11-25 Thread Gaiseric Vandal
My guess is that they may have required NTLMv2 or something 
similar on the Win machines.  If these machines are part of an Active 
Directory domain,  it would be relatively easy for this to be done.


http://www.dennek.com/2009/03/system-error-1240-the-account-is-not-authorized-to-login-from-this-station/

You can use gpedit.msc on XP to check your security settings.


"smbd -v" would tell you the samba version.
"testparm -v | more "  would let you check the various settings.


Are you the sys admin for the solaris box?



On 11/25/09 14:52, Dan White wrote:

The server is on a Sun box (uname says SunOS 5.8)
I do not know what version of samba is running

For the last year and a half, I have made a daily connection from a 
Windows XP box with the following command:


net use G: \\server\volume /USER:userid password

This makes a "G" network drive that serves the purpose.

About a month ago, network folks upstream from us spewed a bunch of 
policy updates that caused serious trouble.  The worst being mine.


Now, if I try the same command on an XP box, the command executes 
successfully, the G-drive appears and then blinks to say "Disconnected 
Network Drive"


Because some of our team use them, I tried from a Windows 2000 box.  
The same command responds with :


"System Error 1240 has occurred.  The account is not authorized to log 
in from this station"


I checked the smb.conf file and found that the samba server is 
configured for encrypted passwords.  This error makes no sense.


The local network folks are convinced this is a Unix problem.

Any clues out there for this clueless one ?
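
One way to carry out the `testparm -v` check suggested in this message is to pull only the authentication and signing parameters out of the dump and flag the values that conflict with a stricter Windows client policy. This is an added example, not part of the original posts: the sample output is constructed and the function names are hypothetical.

```python
"""Review auth and signing parameters in `testparm -sv` output (added example)."""

# Constructed sample in the format testparm prints (tab-indented parameters).
SAMPLE = (
    "[global]\n"
    "\tworkgroup = EXAMPLE\n"
    "\tsecurity = USER\n"
    "\tencrypt passwords = Yes\n"
    "\tlanman auth = No\n"
    "\tntlm auth = Yes\n"
    "\tclient NTLMv2 auth = No\n"
    "\tserver signing = No\n"
    "\tmax protocol = NT1\n"
    "\n"
    "[volume]\n"
    "\tpath = /export/volume\n"
)


def global_params(text):
    """Return {lower-cased parameter name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, _, value = line.partition("=")
            # smb.conf names ignore case and runs of whitespace
            params[" ".join(name.lower().split())] = value.strip()
    return params


def is_on(value):
    return value.lower() in {"yes", "true", "on", "1"}


def is_off(value):
    # "disabled" is an accepted spelling for the signing parameters
    return value.lower() in {"no", "false", "off", "0", "disabled"}


# (parameter, predicate that makes it worth reporting, why it matters)
CHECKS = [
    ("encrypt passwords", is_off,
     "server expects plaintext passwords, which Windows clients do not send by default"),
    ("server signing", is_off,
     "server does not offer SMB signing; a client whose policy requires signing cannot use it"),
    ("lanman auth", is_on,
     "LM responses are accepted"),
    ("ntlm auth", is_off,
     "NTLMv1 responses are refused; with lanman auth off only NTLMv2 logins work"),
]


def review(text):
    """Return [(parameter, value, note)] for every check that fires."""
    params = global_params(text)
    findings = []
    for name, predicate, note in CHECKS:
        value = params.get(name)
        if value is not None and predicate(value):
            findings.append((name, value, note))
    return findings


if __name__ == "__main__":
    for name, value, note in review(SAMPLE):
        print(f"{name} = {value}: {note}")
```

Feed it the saved output of `testparm -sv` from the server; parameters in share sections are ignored because these settings are global.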




Re: [Samba] Samba + LDAP error in windows xp while ACL

2009-11-25 Thread D.Rajan
r...@sangam:~# pdbedit -Lv
ldapsam_setsampwent: LDAP search failed: Size limit exceeded

r...@sangam:~# testparm -sv
 
Output
***
[Global]
dos charset = 850
unix charset = ISO8859-1
display charset = LOCALE
workgroup = RAYALA
realm = 
netbios name = SANGAM
netbios aliases = 
netbios scope = 
server string = Samba Server %v
interfaces = 
bind interfaces only = No
security = USER
auth methods = 
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes
map to guest = Bad User
null passwords = No
obey pam restrictions = No
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = ldapsam:ldap://127.0.0.1/
algorithmic rid base = 1000
root directory = 
guest account = nobody
enable privileges = Yes
pam password change = No
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing UNIX*\nNew password*" %n\n "*Retype new password*" %n\n"
passwd chat debug = No
passwd chat timeout = 2
check password script = 
username map = 
password level = 0
username level = 0
unix password sync = Yes
restrict anonymous = 0
lanman auth = No
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = No
preload modules = 
use kerberos keytab = No
log level = 0
syslog = 0
syslog only = No
log file = /var/log/samba/log.%m
max log size = 10
debug timestamp = Yes
debug prefix timestamp = No
debug hires timestamp = No
debug pid = No
debug uid = No
enable core files = Yes
smb ports = 445 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
reset on zero vc = No
acl compatibility = auto
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 16644
name resolve order = lmhosts wins host bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = Yes
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
enable asu support = No
svcctl list = 
deadtime = 10
getwd cache = Yes
keepalive = 300
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 1
open files database hash size = 10007
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
use mmap = Yes
hostname lookups = No
name cache timeout = 660
load printers = Yes
printcap cache time = 750
printcap name = cups
cups server = 
iprint server = 
disable spoolss = No
addport command = 
enumports command = 
addprinter command = 
deleteprinter command = 
show add printer wizard = Yes
os2 driver map = 
mangling method = hash2
mangle prefix = 1
max stat cache size = 1024
stat cache = Yes
machine password timeout = 604800
add user script = /usr/sbin/smbldap-useradd -m "%u"
rename user script = 
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
shutdown script = 
abort shutdown script = 
username map script = 
logon script = logon.bat
logon path = 
logon drive = 
logon home = 
domain logons = Yes
os level = 65
lm announce = Auto
lm interval = 60
preferred master = Yes
local master = Yes
domain master = Yes
browse list = Yes
enhanced browsing = Yes
dns proxy = Yes
wins proxy = No
wins server = 
wins support = Yes
wins hook = 
kernel oplocks = Yes
lock spin time = 200
oplock break wait time = 0
ldap admin dn = cn=admin,dc=camsonline,dc=com
ldap delete dn = No
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap replication sleep = 1000
ldap suffix = dc=camsonline,dc=com
ldap ssl = 
ldap timeout = 15
ldap page size = 1024
ldap user suffix = ou=Users
ldap debug level = 0
ldap debug threshold = 10
add share command = 
change share command = 
delete share command = 
eventlog list = 
config file = 
preload = 
lock directory = 
pid directory = /var/run/samba
utmp directory = 
wtmp directory = 
utmp = No
default service = 
message command = /bin/sh -c '/usr/bin/linpopup
get quota command = 
set quota command = 
remote announce = 
remote browse sync = 
socket address = 0.0.0.0
homedir map = auto.home
afs username map = 
afs token lifetime = 604800
log nt token command = 
time offset = 0
NIS homedir = No
usershare allow guests = No
usershare max shares = 100
usershare owner only = Yes
usershare path = /var/lib/samba/usershares
usershare prefix allow list = 
usershare prefix deny list = 
usershare template share = 
panic action = /usr/share/samba/panic-action %d
host msdfs = Ye

[Samba] Serious grief with a Samba connection

2009-11-25 Thread Dan White

The server is on a Sun box (uname says SunOS 5.8)
I do not know what version of samba is running

For the last year and a half, I have made a daily connection from a  
Windows XP box with the following command:


net use G: \\server\volume /USER:userid password

This makes a "G" network drive that serves the purpose.

About a month ago, network folks upstream from us spewed a bunch of  
policy updates that caused serious trouble.  The worst being mine.


Now, if I try the same command on an XP box, the command executes  
successfully, the G-drive appears and then blinks to say  
"Disconnected Network Drive"


Because some of our team use them, I tried from a Windows 2000 box.   
The same command responds with :


System Error 1240 has occurred.  The account is not authorized to log  
in from this station"


I checked the smb.conf file and found that the samba server is  
configured for encrypted passwords.  This error makes no sense.


The local network folks are convinced this is a Unix problem.

Any clues out there for this clueless one ?


Re: [Samba] samba 3.4.3 DC breaks Windows groups

2009-11-25 Thread Gaiseric Vandal
I added the index.  (The Sun DS Admin guide has pretty simple 
instructions on doing this.)


I also added some additional indexes as per the following

http://wiki.samba.org/index.php/2.0:_Configuring_LDAP

Unfortunately did not resolve the problem.


It does look like I have the 3.0 schema installed.  The samba source 
directory includes a 3.2 version.


examples/LDAP/samba-schema-netscapeds5.x.
(The Sun Directory server is derived from the Netscape DS.)


I may try updating this off-hours.

Thanks



On 11/25/09 03:41, Jan Wenzel wrote:

> Gaiseric Vandal wrote:
>
>> I assume an index is not an actual LDAP attribute or object like
>> sambaSID but is more like a database index for optimizing searches?
>
> You're right :) But in some cases like substring search (samba searches
> i.e. for sambaSID=S-1-5-32-* to get the local groups) they are needed to
> get results. I don't know where to configure the indexes exactly in SDS,
> but I'm sure it is possible.
>
>> I use Sun's Directory Server (LDAP server) as the backend.  I use Apache
>> Directory Studio for managing objects and attributes within ldap. I
>> should be able to use Sun's web-based console for creating the indexes.
>>
>> Is there something I need to specify in smb.conf to tell Samba to use
>> the index?
>
> Samba does not know anything about the configuration details of the LDAP
> server, it only talks LDAP - so it should instantly show groups when the
> index is present.
>
>> I also noticed that if I try to compile samba with Active Directory
>> support, configure fails with
>>
>> configure: error: Active Directory support requires ldap_initialize
>
> I would prefer to use the prebuilt linux packages from ftp.sernet.de (if
> you have a linux system).
>
>> Since sun has ldap client support included in the OS I do not have
>> openldap installed. I don't need Active Directory but it makes me
>> suspect that there may be some other ldap compatibility issues when
>> using Sun ldap client vs Openldap client.
>>
>> Thanks
>
> HTH
> Jan




Re: [Samba] Remove atributes from user

2009-11-25 Thread Gaiseric Vandal

Apache Directory Studio (Windows and Linux) is pretty good too.

On 11/25/09 11:27, Nick Pappin wrote:

> Check out luma it is a graphical ldap editor that allows you to only delete
> a certain attribute.
>
> --
> W. Nick Pappin
>
>
> On Wed, Nov 25, 2009 at 6:53 AM, Bruno Steven wrote:
>
>> Hello
>>
>> I need to remove the following attributes from my user bruno
>>
>> sambaHomePath: \\PDC-SRV\root
>> sambaHomeDrive: H:
>> sambaProfilePath: \\PDC-SRV\profiles\root
>>
>>
>> I didn't find any option using smbldap-usermod; does somebody have any idea?
>>
>> Thanks ..
>>
>>
>> --
>> Bruno Steven - Systems administrator.
>> LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
>> https://www.lpi.org/caf/Xamman/certification
>>
>> MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
>> https://mcp.microsoft.com/authenticate/validatemcp.aspx



Re: [Samba] Remove atributes from user

2009-11-25 Thread Nick Pappin
Check out luma it is a graphical ldap editor that allows you to only delete
a certain attribute.

--
W. Nick Pappin


On Wed, Nov 25, 2009 at 6:53 AM, Bruno Steven  wrote:

> Hello
>
> I need to remove the following attributes from my user bruno
>
> sambaHomePath: \\PDC-SRV\root
> sambaHomeDrive: H:
> sambaProfilePath: \\PDC-SRV\profiles\root
>
>
> I didn't find any option using smbldap-usermod; does somebody have any idea?
>
> Thanks ..
>
>
> --
> Bruno Steven - Systems administrator.
> LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
> https://www.lpi.org/caf/Xamman/certification
>
> MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
> https://mcp.microsoft.com/authenticate/validatemcp.aspx
>
>


Re: [Samba] reverse name resolving of winbind 3.4.x

2009-11-25 Thread Alexander Födisch

Hi,

unfortunately the whole logfile is filled with:

[2009/11/25 15:59:20,  2] winbindd/winbindd.c:878(remove_client)
  final write to client failed: Broken pipe

what is that??


our winbind-config:

idmap backend = rid:EVAN=1-5
idmap gid = 1-5
idmap uid = 1-5
winbind enum users = yes
winbind enum groups = yes
winbind trusted domains only = no
winbind use default domain = yes
allow trusted domains = no

strict locking = no
wide links = no
socket options = SO_SNDBUF=131072 SO_RCVBUF=131072 TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
use sendfile = yes
max xmit = 65535
read raw = no
write raw = no
large readwrite = yes



Best
Alex



Robert LeBlanc wrote:
> On Wed, Nov 25, 2009 at 6:15 AM, Alexander Födisch wrote:
>
>> Does nobody have the same problem? Same behaviour w/ 3.4.3
>> It also takes a "long" time resolving names:
>>
>> # date; id ; date
>> Mi Nov 25 14:08:55 CET 2009
>> uid=<...> Gruppen=<...>
>> Mi Nov 25 14:09:01 CET 2009
>>
>> Sometimes it took more than 10 seconds...
>>
>> Sometimes users get an error message "Access denied", even
>> filesystem permissions and samba settings are correct. I think samba
>> /winbind is running in a timeout while resolving names and so samba
>> cannot grant access to files / folders.
>>
>> Any ideas what we can do?
>
> Can you find any hints in the log.winbindd log or the log.wb-
> log. I had problems like that in the past, but they seem to be resolved
> in 3.4.2. You may have a different problem.
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University



[Samba] static compile of samba ?

2009-11-25 Thread Frank Bonnet

Hello

Is it possible to compile Samba with ALL libraries linked statically 
into the smbd nmbd binaries ? I tried to use the --disable-shared 
option of the configure script but it failed.



Thanks a lot



[Samba] Remove atributes from user

2009-11-25 Thread Bruno Steven
Hello

I need to remove the following attributes from my user bruno

sambaHomePath: \\PDC-SRV\root
sambaHomeDrive: H:
sambaProfilePath: \\PDC-SRV\profiles\root


I didn't find any option using smbldap-usermod; does somebody have any idea?

Thanks ..


-- 
Bruno Steven - Systems administrator.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification

MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx


Before printing this message, think about your ecologic
responsibility and environment commitment.


Re: [Samba] how to join to AD ?

2009-11-25 Thread Jason Gerfen

mistofeles wrote:
> We have a small Ubuntu 9.10 file server in a large Win 2003/2008 domain.
> There is no X nor web browser in the server.
>
> I have rights to join machines to the domain, but I'm not an Administrator.
> There are about 10 users in this server, who want to authenticate with domain
> passwords when they mount their home directories to WindowsXP workstations.
> The ssh passwords should be local and separated from domain passwords.
> The server should not try to play any master roles.
> Just deliver directories to windows.

  

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2560147

ADS server type will allow domain authentication for samba directories

> We have tried this for about a month and gone through many books, web pages
> and forums.
  

You will need Samba which provides winbindd, sasl, openldap, kerberos.

Samba should be configured with ads, acl, ldap, kerberos, pam, winbind 
options if you are building from source.


I would configure it with the following options for optimum scalability:
kerberos, acl, caps, cups, ipv6, ldap, pam, python, readline, winbind, 
ads, async, automount, doc, examples, fam, quotas, selinux, swat, syslog.


In gentoo linux the following will give you everything you need:

%> USE="kerberos acl caps cups ipv6 ldap pam python readline winbind ads async automount doc examples fam quotas selinux swat syslog" \
   emerge mit-krb5 pam_krb5 pam_ldap openldap nss_ldap openssl cyrus-sasl ntp samba -va



> After reading Samba documentation we don't even understand what programs we
> need. In some documents we are told to use PAM, LDAP, krb or winbind. In
> some documents you are advised NOT to use this if you are using that.  It is
> a total chaos.
>
> Is there any example of a working case like this ?
> Is there any script which takes care of the configuration ?
  

Here are a few file configuration examples to get you going:

/etc/krb5.conf


[libdefaults]
   default_realm = DOMAIN.COM

[realms]
   # the realm name here must match default_realm above
   DOMAIN.COM = {
   kdc = 192.168.xxx.xxx
   }

[domain_realm]
   .domain.com = DOMAIN.COM

[logging]
   default = FILE:/var/log/krb5.log

[appdefaults]
   pam = {
   ticket_lifetime = 365d
   renew_lifetime = 365d
   forwardable = true
   proxiable = false
   retain_after_close = true
   minimum_uid = 0
   }


/etc/nsswitch.conf

passwd:      compat winbind
shadow:      compat
group:       compat winbind

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files


/etc/samba/smb.conf
Change anything with DOMAIN.COM to match your own domain


[global]
   workgroup = DOMAIN
   realm = DOMAIN.COM
   server string = servername.domain.com
   netbios name = servername

   password server = *
   encrypt passwords = true
   security = ads

   lanman auth = no
   ntlm auth = no

   os level = 20

   allow trusted domains = yes
   auth methods = winbind

   interfaces = eth0, lo
   bind interfaces only = yes
   socket options = TCP_NODELAY

   # add more subnets if needed (smb.conf has no end-of-line comments)
   hosts allow = 192.168.xxx.xxx/24
   hosts deny = 0.0.0.0/0

   log level = 40
   log file = /var/log/samba/log.%m
   max log size = 50

   client signing = yes
   client schannel = no
   client use spnego = yes
   client lanman auth = no
   client NTLMv2 auth = yes
   client plaintext auth = no

   preferred master = no
   local master = no
   domain master = no
   wins proxy = no
   dns proxy = No

   obey pam restrictions = yes

   template shell = /bin/bash
   nt acl support = yes
   inherit permissions = yes
   create mask = 0022
   template homedir = /home/Authenticated Users/%U

   winbind uid = 1000-200
   winbind gid = 500-200
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   winbind use default domain = yes
   winbind offline logon = true
   winbind nss info = rfc2307

   idmap uid = 1000-200
   idmap gid = 500-200
   idmap domains = SCL
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:default = yes
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 1000 - 3

[classes]
   comment = Class software
   browsable = yes
   writeable = no
   create mask = 0022
   force create mode = 0022
   directory mask = 0022
   force directory mode = 0022
   inherit permissions = yes
   path = /path/to/share

[staff]
   comment = Staff 
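
A consistency check for the krb5.conf and smb.conf files shown above, as an added example that is not part of the original post or of Samba: it verifies that `default_realm` is defined under `[realms]`, that section names are valid, that smb.conf agrees with krb5.conf, and that legacy authentication stays off. The realm EXAMPLE.COM, the sample inputs and the function names are constructed for illustration.

```python
import re

# Section names documented for MIT Kerberos krb5.conf.
KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                 "appdefaults", "plugins", "logging"}
BOOLS = {"yes": True, "true": True, "1": True,
         "no": False, "false": False, "0": False}
# smb.conf [global] booleans mapped to the value that leaves legacy
# authentication (LM, NTLMv1, plaintext) or unsigned client traffic enabled.
WEAK_SMB = {"lanman auth": True, "ntlm auth": True,
            "client lanman auth": True, "client plaintext auth": True,
            "client ntlmv2 auth": False, "client signing": False}


def parse_sections(text, fold_keys=False):
    """Parse '[section]' / 'key = value' text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or whole-line comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if fold_keys:                    # smb.conf parameter names ignore case
                key = " ".join(key.lower().split())
            current[key] = value
    return sections


def audit(krb5_text, smb_text):
    """Return (file, setting, problem) tuples; an empty list means no findings."""
    findings = []
    krb5 = parse_sections(krb5_text)
    smb = parse_sections(smb_text, fold_keys=True).get("global", {})
    for name in sorted(set(krb5) - KRB5_SECTIONS):
        findings.append(("krb5.conf", f"[{name}]",
                         "not a krb5.conf section, its settings are never read"))
    default_realm = krb5.get("libdefaults", {}).get("default_realm", "")
    # In [realms], each realm is a key whose value opens a "{" block.
    realms = {k for k, v in krb5.get("realms", {}).items() if v.startswith("{")}
    if default_realm not in realms:
        findings.append(("krb5.conf", "default_realm",
                         f"{default_realm!r} is not defined under [realms]"))
    if smb.get("security", "").lower() != "ads":
        findings.append(("smb.conf", "security", "expected 'ads' for the ADS server type"))
    if smb.get("realm", "").upper() != default_realm.upper():
        findings.append(("smb.conf", "realm", "differs from krb5.conf default_realm"))
    for key, weak in WEAK_SMB.items():
        if key in smb and BOOLS.get(smb[key].lower()) is weak:
            findings.append(("smb.conf", key, f"'{smb[key]}' is the weak setting"))
    for key, value in smb.items():
        if re.search(r"\s#", value):         # smb.conf has no end-of-line comments
            findings.append(("smb.conf", key, "trailing '#' text is read as part of the value"))
    return findings


# Constructed sample inputs (not taken from a real system).
KRB5_BAD = """
[libdefaults]
   default_realm = EXAMPLE.COM
[realms]
   OTHER.EXAMPLE = {
   kdc = 192.0.2.10
   }
[loggin]
   default = FILE:/var/log/krb5.log
"""
SMB_BAD = """
[global]
   realm = EXAMPLE.COM
   security = USER
   ntlm auth = Yes
   client NTLMv2 auth = No
   client lanman auth = Yes
   hosts allow = 192.0.2.0/24 #add more subnets if needed
"""
KRB5_GOOD = KRB5_BAD.replace("OTHER.EXAMPLE", "EXAMPLE.COM").replace("[loggin]", "[logging]")
SMB_GOOD = """
[global]
   realm = EXAMPLE.COM
   security = ads
   lanman auth = no
   ntlm auth = no
   client signing = yes
   client NTLMv2 auth = yes
   # add more subnets if needed
   hosts allow = 192.0.2.0/24
"""

if __name__ == "__main__":
    for finding in audit(KRB5_BAD, SMB_BAD):
        print(*finding, sep=": ")
```
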

[Samba] how to join to AD ?

2009-11-25 Thread mistofeles

We have a small Ubuntu 9.10 file server in a large Win 2003/2008 domain. 
There is no X nor web browser in the server.
I have rights to join machines to the domain, but I'm not an Administrator.
There are about 10 users in this server, who want to authenticate with domain
passwords when they mount their home directories to WindowsXP workstations.
The ssh passwords should be local and separated from domain passwords.
The server should not try to play any master roles.
Just deliver directories to windows.

We have tried this for about a month and gone through many books, web pages
and forums. 
After reading Samba documentation we don't even understand what programs we
need. In some documents we are told to use PAM, LDAP, krb or winbind. In
some documents you are advised NOT to use this if you are using that.  It is
a total chaos.

Is there any example of a working case like this ?
Is there any script which takes care of the configuration ?


Re: [Samba] Moving a PDC

2009-11-25 Thread Charles Marcus
> We're running a Debian Etch Server with Samba 3.0.24 as primary domain
> controller for a XP dominated network. For various reasons, we're
> migrating our server to a new machine running on Centos 5.4 (and Samba
> 3.0.33). Additionally, I decided to get rid of our messy LDAP setup,
> as it is quite a pain to use and IMHO overkill for our small software
> shop (~15 machines / users), so I've set up the new system to work
> with tdbsam instead.

Wouldn't it be easier to simply convert your existing server from ldap
to tdbsam, then you can just set up the new server with the SAME domain
name, copy everything over to the new server, and flip a switch over the
weekend and no one would know the difference?

I wouldn't be able to tell you how to do the above, but if memory
serves, I've seen mention of it and I don't think it's difficult to do...

-- 

Best regards,

Charles


Re: [Samba] reverse name resolving of winbind 3.4.x

2009-11-25 Thread Robert LeBlanc
On Wed, Nov 25, 2009 at 6:15 AM, Alexander Födisch wrote:

> Does nobody have the same problem? Same behaviour w/ 3.4.3
> It also takes a "long" time resolving names:
>
> # date; id ; date
> Mi Nov 25 14:08:55 CET 2009
> uid=<...> Gruppen=<...>
> Mi Nov 25 14:09:01 CET 2009
>
> Sometimes it took more than 10 seconds...
>
> Sometimes users get an error message "Access denied", even filesystem
> permissions and samba settings are correct. I think samba /winbind is
> running in a timeout while resolving names and so samba cannot grant access
> to files / folders.
>
>
> Any ideas what we can do?
>

Can you find any hints in the log.winbindd log or the log.wb- log. I
had problems like that in the past, but they seem to be resolved in 3.4.2.
You may have a different problem.


Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University


Re: [Samba] reverse name resolving of winbind 3.4.x

2009-11-25 Thread Alexander Födisch

Does nobody have the same problem? Same behaviour w/ 3.4.3
It also takes a "long" time resolving names:

# date; id ; date
Mi Nov 25 14:08:55 CET 2009
uid=<...> Gruppen=<...>
Mi Nov 25 14:09:01 CET 2009

Sometimes it took more than 10 seconds...

Sometimes users get an error message "Access denied", even filesystem
permissions and samba settings are correct. I think samba /winbind is
running in a timeout while resolving names and so samba cannot grant access
to files / folders.



Any ideas what we can do?

Thanks,
Alex



Alexander Födisch wrote:

> Hi all,
>
> I did upgrade from samba 3.0.28 to 3.4.1 on a domain member server. Now
> it seems there is a problem with reverse name resolving of winbind.
>
> The tools "ls" and "getfacl" shows UIDs instead of the usernames. When I
> run id "" the username and the UID are shown correctly. After
> using "id" the name is also listed fine in the output of "ls" or
> "getfacl" for this user.
>
> The problem also exists w/ samba 3.4.2.
>
> Any ideas?
>
> Thanks,
> Alex
>
> PS:
> "id ", "getent passwd " and "wbinfo -u" are working
> fine.






Re: [Samba] Unknown panic actions

2009-11-25 Thread Michael Wood
Hi

2009/11/24 Ralph Kutschera :
> Hallo again,
>
>  Well, after installing logwatch I found the following. Maybe this can help?
>
> TIA,
>  Ralph
>
>  lib/fault.c:dump_core(168)  unable to change to
> /var/log/samba/cores/smbdrefusing to dump core : 9 Time(s)

Make sure /var/log/samba/cores/smbd exists and that smbd will be able
to write core dumps there.

Although, since you are getting the stack traces anyway, I suppose
there might not be much point to doing that.

-- 
Michael Wood 


[Samba] Need proper steps for correct use of net setlocalsid

2009-11-25 Thread David Whitney
Hi, all.

I have discovered that I botched a migration from a 2.2.8a Samba PDC to
Samba 3.3.4; in particular the domain sid was not preserved. Users of the
domain have been authenticating presumably against cached local machine
credentials, mapping them to their old domain SIDS. That's ultimately how I
discovered the domain SID had been trashed - every machine started showing
unmapped users and groups with what I finally realized were SID's prefixed
with the old domain's SID.

Fortunately, I have the old domain SID, which leads me to believe I could
use net setdomainsid to restore it. However, having botched the migration in
the first place, I'm snakebit for some information - in particular, what,
exactly, do I need to do (if anything) prior to executing setdomainsid? Do I
need to change the group SIDs manually as well? What about the SIDS of the
individual users?

Whatever the steps are, I just want to make sure I a) know them all, and b)
execute them in the proper order.

Many thanks,
David


Re: [Samba] Windows 7 domain issues

2009-11-25 Thread Kevin Keane
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of Alex Ferrara
> Sent: Tuesday, November 24, 2009 8:33 PM
> To: samba@lists.samba.org
> Subject: [Samba] Windows 7 domain issues
> 
> I am running Windows 7 Professional 64-bit with domain membership to a
> Samba domain. I have noticed some weird behaviour.

Personally, I have sworn off Samba as a PDC, and am desperately waiting for 
Samba 4 with Active Directory. The PDC architecture is by now more than 10 
years old. Trying to use Windows 7 without Active Directory (and in particular 
without Group Policies) really limits the usefulness. AD was quite useful with 
XP, and even more so with Vista. Windows 7, I find, really requires Group 
Policies. I am using Samba as a domain-member file server; it really shines in 
that role.

> 1) For some reason, dhcp3-server does not add the forward dns entry
> into bind9. This works perfectly with Windows 7 if it is not a domain
> member, or other operating systems (XP, OS/X and Linux). I know this
> isn't specifically a Samba issue, but I thought I should mention it.

Windows 7 has different network security policies depending on whether you are 
on a public, private or domain network. I believe that this is because Windows 
7 in a domain will by default insist on secure DNS updates. You can turn that 
off (with a group policy. Or probably by editing the registry directly if you 
find the right setting).

> 2) Strange entries in log files. Authentication for user [AC2161$] ->
> [AC2161$] FAILED with error NT_STATUS_PASSWORD_EXPIRED. I did run the
> Windows 7 64bit RC and after about 1 month, the trust relationship
> broke down and I would have to re-join the domain to make it work
> again. This could be related.

Windows 7 by default requires 128 bit encryption for SMB traffic; my guess is 
that that is the problem. You can turn that off.

> 3) Password issues. I use a LDAP backend, and use LAM to manage the
> directory. If I set a password in LAM, it generates the UNIX and SMB
> passwords, and then stores them in LDAP. This works perfectly for XP
> but not for Windows 7. Logons persist to use the old password, and I
> have a feeling that the password being used is a cached password.

The same as item 2.



[Samba] Fetching DOMAIN database Failed

2009-11-25 Thread Nobody ist perfect
I am trying to migrate our Windows NT 4 Domain to Samba 3.4.3 and got
the error message below when I run the command:

"net join -S myPDC -I 172.30.1.1 -U administrator%mypasswd"
worked ok

"net rpc vampire -S myPDC -U administrator%mypasswd"

Fetching DOMAIN database Failed to fetch domain database:
NT_STATUS_ACCESS_DENIED

What I want to accomplish is to remove Windows NT 4.0 server as PDC and
make Samba our Primary Domain Controller.  Looking at Chapter 9
"Migrating NT 4 Domain to Samba 3" on Samba-3 By Example book that it is
possible to merge or migrate NT domain to Samba using ldap & smbldap-tools

Can someone please point me to the right direction.
Thanks



Re: [Samba] Moving a PDC

2009-11-25 Thread Dominik Rau

Hi Gaiseric.

Thanks for your input.

Gaiseric Vandal wrote:

> RVNET\A and RVNET2\A will be completely separate users. But unless the
> SID is stored within one files itself I would think it would be just a
> matter of changing the file permissions on the profile as you described.
  


Yes, the fact that they are separate users is clear (and requires the 
usage of chown here and there on the server). However, are there any 
common situations when the SID is stored somewhere and could make 
trouble after shutting the old server down?



> The windows 2003 Res Kit tools include a "moveuser" command that may help
> with the profile. Once upon a time I converted some machines from a
> Workgroup to a Domain model.  Previously, each computer had a local account
> for the primary user (and the server had to have an account for all the
> users.)  The move user command let me reallocate an "PC1/user1" profile to
> "DOMAIN/user1."  Although they were local profiles and not roaming.
  


I had a look at the tool some days ago, but it required Win 2003 and 
didn't install on my machine.



> You would have to test this out with a test machine and account to be sure.
  


Definitely.


> The other alternative would be to configure the new machine as BDC for the
> existing domain (since you already have the LDAP infrastructure in place),
> then at some point reverse the PDC and BDC roles.   The LDAP server would
> still be on the old server.  Once you dropped the old DC you could probably
> use pdbedit -E  and pdbedit -I to dump the account data back to TDB.
  


I think I'll go with the "manual copy" but thanks for the hint.


> This may also be a time to look at moving to Samba 3.2 or 3.4  (maybe on
> Fedora) if you expect to support Win 7 machines.
  


Thanks for reminding me, the first Windows 7 systems will be in the 
network soon. I just upgraded to 3.4.3 using the sernet rpms and it 
seems to work fine.


Yours,
Dominik




-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Dominik Rau
Sent: Tuesday, November 24, 2009 5:25 PM
To: samba@lists.samba.org
Subject: [Samba] Moving a PDC

Hi list.

We're running a Debian Etch Server with Samba 3.0.24 as primary domain 
controller for a XP dominated network. For various reasons, we're 
migrating our server to a new machine running on Centos 5.4 (and Samba 
3.0.33). Additionally, I decided to get rid of our messy LDAP setup, as 
it is quite a pain to use and IMHO overkill for our small software shop 
(~15 machines / users), so I've set up the new system to work with 
tdbsam instead.


So basically, we currently got two fully working domain controllers in 
our network, one serving RVNET (old) and the other RVNET2 (new), RVNET 
with an ldap backend and users A, B, C... and the new RVNET2 with equally 
named "plain" Linux/samba users - Users A, B, C. Adding new users to the 
new domain works fine, adding new machines and storing profiles too.


Now the question is: How do I move the profiles from the old machine to 
the new one correctly? And how can I convince Windows XP to ignore the 
fact, that user RVNET\A is now user RVNET2\A. My naive approach would be...


* Make sure all users store their profiles on the server and log off.
* Copy the contents of /samba/profiles from old to new machine and 
adjust user right properly to local system users.
*  Get in front of every machine, login as local administrator, move the 
old Documents and Settings\A directory out of the way (not deleting, 
just to be sure)

* Leave the old and join the new domain, reboot.
* Logon as RVNET2\A, fetching my "old" profile from the server and go on 
doing my work as in the old domain.


The fact that I might have to reset rights on the new machine (e.g. User 
RVNET2\A might have administrator rights on  a particular machine) and 
that my users must play with their home directories is not a big issue 
in our small environment and acceptable. The big advantage in my opinion 
would be that I can move one machine/user after another and it involves 
only tools that I know.


However, I googled quite a lot the last few days and found many posts 
etc. about wrong SIDs in the registry, NTUSER.dat, getting in and out a 
domain, various Windows tools for related tasks, but either it didn't 
match my situation or the tools didn't work on my system, too expensive, 
overkill etc. ...


So, the bottom line of all this: Does my approach work? Is it ok to do 
what I just described (considering the fact that I accept to do some 
administrative work on every machine)? If not, what else to consider / 
change?


Thanks a lot for your time,
Dominik

 

  




Re: [Samba] samba-swat

2009-11-25 Thread John Doe
From: muhammad wasim 
> m facing problem installing swat on redhat enterprise 5.3 samba is
> already installed
> some body help me m new in linux

And what would be this problem...?
What about: yum install samba-swat

JD


  