Re: [Samba] Samba 3.4.2 Winbind problem IDMAP GID range full
Hmmm. Well, I don't have any of the idmap settings in smb.conf so it would be whatever is default. I am using winbind just for the name resolution functionality. But is this a misconfiguration? What other settings are critical?

-----Original Message-----
From: Ryan Suarez [mailto:ryan.sua...@sheridanc.on.ca]
Sent: Saturday, December 05, 2009 1:17 AM
To: isk...@gmail.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba 3.4.2 Winbind problem IDMAP GID range full

Greg wrote:
> I get these same sort of errors repeated in my log files. They are present
> when I start samba and everything seems to work fine. However, after some
> long period of time, I won't be able to connect to the samba shares from a
> client. If I restart samba (/etc/init.d/samba restart), these errors are
> entered again at that time but I will then be able to connect. I haven't
> been able to find many answers yet...
>

What do you have idmap gid set to in smb.conf? And have you used up this range?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] domain printer issues
On Mon, Dec 07, 2009 at 01:08:54PM -0500, Ryan Suarez wrote:
>> One explanation might be that right now much
>> paid development goes into Active Directory and clustered
>> file servers, print support is mostly a hobby thing by
>> individuals right now.
>>
>
> I took a look at using clustering samba print servers with ctdb a while
> back.
>
> Unfortunately, all the printing tdb's were not clustered. A member of
> the ctdb team said this was planned in the works but provided no
> timeline.
>
> Is this closer to being a reality?

No, but with the dbwrap abstraction it's also not too difficult. The interface to the printing tdbs is not too large. And, maybe at some not too distant point in time, Samba will do it properly and store the nt*.tdb in the registry.tdb where it belongs. Then you get the cluster-awareness for free, the registry is already there.

Volker
Re: [Samba] Joining winXP SP3 in samba 3.3.9 + openldap backend, why does't work?
On Mon, Dec 7, 2009 at 6:00 AM, Vinicius Abrahao wrote:
> Hello Dear Fellows,
>
> I'm trying to join my vbox windows xp sp3 machine, to my samba server.
> When I inform my administrator user: "root", and his password XP says:
> "Erro durante a tentativa de ingresso no domínio "CORP_TRIARIUS":
> O domínio especificado não existe ou não pôde ser contatado."
>

Sorry, I forgot to send my conf files: http://www.pastie.org/732497

I also ran another test with a Win2003 machine, and it can't join my domain either.

Thanks again for any help!

Vinicius
[Samba] pam_winbind adding "BUILTIN+users" secondary group to non-AD account?
I'm working on a PAM setup that will ignore winbind/AD completely for users listed in /etc/passwd, and do the samba thing for all other users. Mostly it seems to work, but there's one weird side-effect.

For non-AD users (only), an AD group "BUILTIN+users" is being added as a secondary group. If I kill winbind, it still gets added, although only the gid is available (no name).

I've googled around a while and get the impression that this behavior somehow supports 'winbind nested groups'.

I don't see how or why this is happening given that I am (I believe) short-circuiting the pam config so that no pam_winbind nor pam_krb5 modules get stepped through for these local users. I can't understand how pam_winbind is (apparently) managing to mess with secondary groups in this case.

My best theory at the moment, not knowing any of this very well, is that maybe pam_winbind is "cheating" on the PAM api, and somehow adding this secondary group in some init or close function (where it should not be).

Any ideas?

Mike

account   [default=2 success=ignore]  pam_localuser.so
account   sufficient  pam_unix2.so
account   requisite   pam_deny.so
account   sufficient  pam_krb5.so
account   requisite   pam_deny.so

auth      required    pam_env.so
auth      [default=2 success=ignore]  pam_localuser.so
auth      sufficient  pam_unix2.so
auth      requisite   pam_deny.so
auth      sufficient  pam_krb5.so
auth      required    pam_winbind.so use_first_pass

password  [default=2 success=ignore]  pam_localuser.so
password  sufficient  pam_unix2.so nullok
password  requisite   pam_deny.so
password  sufficient  pam_winbind.so
password  sufficient  pam_krb5.so
password  requisite   pam_deny.so

session   optional    pam_mkhomedir.so
session   required    pam_limits.so
session   [default=2 success=ignore]  pam_localuser.so
session   sufficient  pam_unix2.so
session   requisite   pam_deny.so
session   optional    pam_krb5.so
session   required    pam_winbind.so
session   optional    pam_umask.so
Re: [Samba] smbtorture config issue?
Kristy,

I put up some ideas and things to think about in-line. I hope it helps out. Does anyone in the group coding for samba4 have anything to weigh in as well, esp the smb.conf and documentation issues?

On Fri, 4 Dec 2009, Kristy Kallback-Rose wrote:

> Date: Fri, 4 Dec 2009 16:11:55 -0500
> From: Kristy Kallback-Rose
> To: samba@lists.samba.org
> Subject: [Samba] smbtorture config issue?
>
> Hello,
>
> I'm trying to run smbtorture against another system. I have installed version 4.0.0alpha9 locally. The remote system is registered with ADS as:

Any reason you are using samba4 for this testing? Documentation is pretty scarce.

> distinguishedName: CN=bl-uits-cictest,CN=Computers,DC=ads,DC=iu,DC=edu
> name: bl-uits-cictest
> dNSHostName: bl-uits-cictest.ads.iu.edu
> servicePrincipalName: HOST/bl-uits-cictest.ads.iu.edu
> servicePrincipalName: HOST/BL-UITS-CICTEST
>
> The server itself is cictest.cic.iu.edu, and I can connect to the remote server with smbclient as such:
>
> smbclient -s /usr/local/samba/etc/smb.conf -n bl-uits-cictest.ads.iu.edu -Ukallbac //cictest.cic.iu.edu/projects
> Password:
> Domain=[ADS] OS=[Unix] Server=[Samba 3.2.11-ctdb-65]
> smb: \> quit

This is using ntlmv2 if you have that directive in your smb.conf and not kerberos.

client use ntlmv2 = yes

> The problem is this:
>
> 1) smbtorture complains about the ads security setting:
>
> /usr/local/samba/bin/smbtorture --realm=ads.iu.edu -T samba3 -d 3 -W ADS --netbiosname=BL-UITS-CICTEST -U cictestuser3 //cictest.cic.iu.edu/projects RAW-QFSINFO
> lp_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
> Processing section "[global]"
> Unknown enumerated value 'ADS' for 'security'
> params.c:pm_process() - Failed. Error returned from params.c:parse().
>
> I have tried both ads and ADS, it doesn't seem to like either

I no longer see the directive "security" mentioned in samba4, but I do see statements similar to "server-role" which may cover for security.

http://wiki.samba.org/index.php/Samba4/HOWTO#Step_4:_Provision_Samba4

Not only is there no directive in the regular man pages (samba 3) for "server-role", but last I looked there was question as to whether the traditional smb.conf file would be used when samba4 would be released:

http://lists.samba.org/archive/samba-technical/2005-March/039741.html

> 2) smbtorture proceeds to complain as such:
>
> Server is not registered with our KDC: Miscellaneous failure (see text): Server (cifs/cictest.cic.iu@ads.iu.edu) unknown
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed to parse: NT_STATUS_INVALID_PARAMETER
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> Server is not registered with our KDC: Miscellaneous failure (see text): Server (cifs/cictest.cic.iu@ads.iu.edu) unknown
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed to parse: NT_STATUS_INVALID_PARAMETER
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> Password for [ADS\cictestuser3]:
>
> Fwiw, my krb5.conf has a default realm of ADS.IU.EDU as well as a realms section for ADS.IU.EDU
>
> I can provide other information if it would be helpful.

Does your server have a cifs principal (ie cifs/fqdn.domain@ads.iu.edu) for either bl-uits-cictest.ads.iu.edu or cictest.cic.iu.edu? It seems to be wanting to get the principal for "cifs/cictest.cic.iu@ads.iu.edu".

> Can anyone offer some suggestions to troubleshoot this?
>
> Many thanks,
> Kristy

---Robert Freeman-Day ---
I would really like you to be on my side, but the side you show me isn't what I had in mind. -Judybats
GPG Public Key: http:keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
[Samba] LDAP Account Manager 2.9.0.RC1 released
LDAP Account Manager (LAM) 2.9.0.RC1 - December 7th, 2009
=========================================================

LAM is a web frontend for managing accounts stored in an LDAP directory.

Announcement:
-------------

LAM now supports managing Asterisk accounts and extensions. All documentation was moved to the new LAM manual. LAM Pro supports nisObject entries and custom scripts for the self service. This release also fixes some bugs.

This is a test release. Please do not install it in your production environment. Please report any bugs until 2009-12-11.

Full changelog: http://www.ldap-account-manager.org/lamcms/changelog

Features:
---------

* management of various account types
  * Unix
  * Samba 3
  * Kolab 2
  * Asterisk
  * phpGroupWare
  * DHCP
  * SSH keys
* profiles for account creation
* account creation via file upload
* automatic creation/deletion of home directories
* setting quotas
* PDF output for all accounts
* editor for organizational units
* schema browser
* tree view
* multiple configuration files
* multi-language support: Catalan, Chinese (Traditional + Simplified), Czech, Dutch, English, French, German, Hungarian, Italian, Japanese, Polish, Portuguese, Russian and Spanish
* support for LDAP+SSL/TLS

Availability:
-------------

This software is available under the GNU General Public License V2.0. You can get the newest version at http://www.ldap-account-manager.org.

File formats: DEB, RPM, tar.gz

There is also a FreeBSD port. Debian users may use the packages in unstable.

Demo installation:
------------------

You can try our demo installation online. http://www.ldap-account-manager.org/lamcms/liveDemo

Support:
--------

If you find a bug please file a bug report. For questions or implementing new features please use the mailinglist and feature request tracker at our homepage http://www.ldap-account-manager.org.

Authors & Copyright:
--------------------

Copyright (C) 2003 - 2009:
Michael Duergner
Roland Gruber
Tilo Lutz

LAM is published under the GNU General Public License. The complete list of licenses can be found in the copyright file.
Re: [Samba] domain printer issues
Hi,

Volker Lendecke wrote:
> One explanation might be that right now much
> paid development goes into Active Directory and clustered
> file servers, print support is mostly a hobby thing by
> individuals right now.

I took a look at using clustering samba print servers with ctdb a while back.

Unfortunately, all the printing tdb's were not clustered. A member of the ctdb team said this was planned in the works but provided no timeline.

Is this closer to being a reality?
Re: [Samba] License agreement
On Mon, Dec 07, 2009 at 11:28:39AM +, Vincent Maury wrote:
> Hello,
>
>
> I plan to create a commercial software that would automate the running of a
> few IT security tools and build a nice report, in order to help security
> auditors in their work.
> I saw your smbclient tool that could be really appropriate. As this tool is
> GPL'd, I would like to make sure you agree with the usage (running and
> parsing) I plan. Of course, should you have any requirement (e.g. quoting the
> tool or adding some mention), please let me know.
>
> I'm looking forward to your answer,

The only thing you need to do is to give your customers an offer to receive the source code for the smbclient binary you are using in your product, as required in the GPLv3 licence that smbclient is released under.

You don't need to quote your use of Samba (although that is always appreciated :-).

If you have any follow up questions Simo is our license compliance expert, so I suggest you follow up with him (i...@samba.org).

Cheers,

Jeremy.
Re: [Samba] License agreement
With GPL software, you don't have to ask permission (and you can't ask permission here anyway, since most people on this list - including me - are simply users, not authorized to speak on behalf of the Samba copyright holders).

You must meet certain terms, though. Hire an intellectual-property lawyer who is familiar with the GPL to determine exactly which terms apply to your situation. There actually are many proprietary products that use Samba, so it can be done.

The general rules are: You can redistribute GPL code freely as long as you also redistribute the source code. You can make any changes you like, as long as you also redistribute the changed version under the GPL (and make the source code available).

Now if you want to use it in a proprietary product, your easiest option is to change your product's licensing, and also make it available under the GPL. Or you can keep smbclient segregated from your code. I believe usually the rule is: if you link to GPL software, you must GPL your software as well. If you merely use it as a separate utility, you can use your own license without a problem.

Of course, you are always free to contact Andrew Tridgell directly to ask if he is willing to license Samba to you under different terms (and of course you'd have to pay for that privilege). To be honest, my guess is that chances are likely very slim.

> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of Vincent Maury
> Sent: Monday, December 07, 2009 3:29 AM
> To: sa...@samba.org
> Subject: [Samba] License agreement
>
> Hello,
>
>
> I plan to create a commercial software that would automate the running
> of a few IT security tools and build a nice report, in order to help
> security auditors in their work.
> I saw your smbclient tool that could be really appropriate. As this
> tool is GPL'd, I would like to make sure you agree with the usage
> (running and parsing) I plan. Of course, should you have any
> requirement (e.g. quoting the tool or adding some mention), please let
> me know.
>
> I'm looking forward to your answer,
> Best regards,
>
> Vincent
[Samba] License agreement
Hello,

I plan to create a commercial software that would automate the running of a few IT security tools and build a nice report, in order to help security auditors in their work.

I saw your smbclient tool that could be really appropriate. As this tool is GPL'd, I would like to make sure you agree with the usage (running and parsing) I plan. Of course, should you have any requirement (e.g. quoting the tool or adding some mention), please let me know.

I'm looking forward to your answer,
Best regards,

Vincent
Re: [Samba] Samba 3.4.2 Winbind problem IDMAP GID range full
I get these same sort of errors repeated in my log files. They are present when I start samba and everything seems to work fine. However, after some long period of time, I won't be able to connect to the samba shares from a client. If I restart samba (/etc/init.d/samba restart), these errors are entered again at that time but I will then be able to connect. I haven't been able to find many answers yet...
[Samba] LDAP_NO_SUCH_OBJECT upon new user creation in s4/OpenLDAP
Hi all,

for some weeks now I am trying to set up Samba4 (alpha9) with an OpenLDAP 2.4.17 backend as an AD PDC for my XP/7 clients. It was working for some time with Samba's integrated LDAP facility, however I could not figure out how to use this database e.g. to authenticate my IMAP users against (bind-dn, port etc.).

OpenLDAP was compiled from source using --enable-modules=yes and --enable-overlays=yes. Provisioning samba using the command line

setup/provision --ldap-backend-type=openldap --slapd-path="/usr/sbin/slapd" --username=samba-admin --realm=localdomain --domain=Heimnetz --server-role='domain controller' --adminpass=somepass

ran through, although there were errors about slapd (id2entry.bdb not found, NT_STATUS_UNEXPECTED_NETWORK_ERROR, slapd unable to start).

Afterwards, slapd and samba start fine, I can join machines to the domain "Heimnetz" (DNS is also working properly), login using the "administrator" account and have a look at the AD via dsa.msc.

What is NOT working is the creation of new users. Doing that in dsa.msc fails with an error message about password policies, but this is probably not yet implemented, right? Going the howto-way, "/setup/newuser blah" prompts for a password, displays messages about skipping the loading of schema, naming context details and domain details, and then fails with the following error message:

_ldb.LdbError: (32, 'objectclass: Cannot add CN=blah,CN=Users,DC=localdomain, parent does not exist!')

Parsing the logs of slapd I see that "newuser" performs several searches in the directory that slapd all answers with err=32 (LDAP_NO_SUCH_OBJECT), although in phpLDAPadmin I can see that the requested objects exist, including CN=Users,DC=localdomain with 19 entries after a fresh provisioning.

Any help would be greatly appreciated.

Regards,
Eric
Re: [Samba] Windows 7 + Samba domain issues
Just for completeness, when I successfully join the domain I get the following in /var/log/syslog

Dec 7 19:50:33 percy slapd[2514]: conn=219 op=6 do_bind: invalid dn (NTLM)
Dec 7 19:50:33 percy slapd[2514]: conn=220 op=6 do_bind: invalid dn (NTLM)
Dec 7 19:50:34 percy dhcpd: DHCPREQUEST for 192.168.0.114 from 00:1c:c0:57:b4:9d (AC-1391) via eth0
Dec 7 19:50:34 percy dhcpd: DHCPACK on 192.168.0.114 to 00:1c:c0:57:b4:9d (AC-1391) via eth0
Dec 7 19:50:34 percy slapd[2514]: conn=218 op=27 do_search: invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)

and I get the following in the machines samba log

[2009/12/07 19:50:34, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:50:41, 0] smbd/map_username.c:140(map_username)
  can't open username map /etc/samba/smbusers. Error No such file or directory
[2009/12/07 19:50:41, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [domain]\[ac-139...@[ac-1391] with the new password interface
[2009/12/07 19:50:41, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [domain]\[ac-139...@[ac-1391]
[2009/12/07 19:50:41, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:50:41, 1] auth/auth_sam.c:178(sam_account_ok)
  sam_account_ok: Account for user 'ac-1391$' password expired!.
[2009/12/07 19:50:41, 1] auth/auth_sam.c:179(sam_account_ok)
  sam_account_ok: Password expired at 'Mon, 07 Dec 2009 19:50:34 EST' (1260175834) unix time.
[2009/12/07 19:50:41, 3] auth/auth_winbind.c:54(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [DOMAIN] was for this SAM.
[2009/12/07 19:50:41, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [AC-1391$] -> [AC-1391$] FAILED with error NT_STATUS_PASSWORD_EXPIRED

aF
[Samba] Windows 7 + Samba domain issues
Hi all,

Earlier I emailed the list on some issues I was having with Windows 7, and one of those issues was the trust relationship breaking down after one month. I think I have some more light to shed on this topic.

First, some environmental facts

I am running Ubuntu Karmic 9.10 with Samba 3.4.0-3ubuntu5.1
I have installed the latest LDAP schema into OpenLDAP 2.4.18-0ubuntu1
I have a working LDAP directory with users and machine trust accounts. This is continuing to work flawlessly with XP clients.
I have applied the two registry hacks into my Windows 7 workstations to enable legacy domains, and to turn off the dns resolution requirement.

When I join the domain, everything happens as advertised, and I do get the error message from Windows 7 about DNS that I read on wiki.samba.org can be safely ignored.

Immediately after joining the domain, and after the mandatory reboot, I can log in as advertised. However, after a period of time (not sure how long), the Windows 7 clients start using their cached credentials, and no longer communicate properly with the Samba PDC.

After a period of about 1 month, the clients no longer use their cached credentials, as they probably expire, and then I can no longer log in, with the message that "The trust relationship between this workstation and the primary domain failed."

After some digging, I noticed that the problem in the machines log file was that the machine trust account could not be found.

[2009/12/07 19:33:13, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []...@[ac-1391] with the new password interface
[2009/12/07 19:33:13, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [domain]...@[ac-1391]
[2009/12/07 19:33:13, 3] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2009/12/07 19:33:13, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:33:13, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-1391 machine account AC-1391$
[2009/12/07 19:33:13, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:33:13, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-1391 machine account AC-1391$
[2009/12/07 19:33:26, 0] lib/util_sock.c:537(read_socket_with_timeout)
[2009/12/07 19:33:26, 0] lib/util_sock.c:1468(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

The interesting line there is "Failed to find Unix account for ac-1391$". This implies that the account is missing, but when I look at the LDAP directory with my browser, it is there.

Now it gets interesting... At the time I am trying to log in, I get the following in /var/log/syslog

Dec 7 19:46:27 server slapd[2514]: conn=184 op=2 do_search: invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)

Invalid dn indeed. sambaDomainName=DOMAIN,dc=domain,dc=local exists, but sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local does not.

Does anyone know why Samba would be performing this as a lookup? I have seen other people with these symptoms, but I have not been able to find an answer.

aF
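A small triage script for the two symptoms described in the post above, as an added example that is not part of the original message or of Samba: it counts the machine-account failures per account in the Samba log and flags slapd "invalid dn" lookups in which an RDN has an empty value. The sample lines are constructed from the formats quoted in the post; ws-0002$ is a made-up account.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the log formats quoted in the post.
SAMBA_LOG = """\
[2009/12/07 19:33:13, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:33:13, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-1391 machine account AC-1391$
[2009/12/07 19:33:14, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ws-0002$
"""
SYSLOG = """\
Dec  7 19:46:27 server slapd[2514]: conn=184 op=2 do_search: invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)
Dec  7 19:46:28 server slapd[2514]: conn=185 op=6 do_bind: invalid dn (NTLM)
"""

NO_UNIX = re.compile(r"pdb_get_group_sid: Failed to find Unix account for (\S+\$)")
REJECT = re.compile(r"netlogon_creds_server_check failed\. Rejecting auth request "
                    r"from client \S+ machine account (\S+\$)")
INVALID_DN = re.compile(r"slapd\[\d+\]: conn=(\d+) op=\d+ (do_\w+): invalid dn \((.*)\)\s*$")


def machine_account_failures(log):
    """Map each machine account (lower-cased) to counts of the two failure messages."""
    result = {}
    for line in log.splitlines():
        for kind, pattern in (("no_unix_account", NO_UNIX), ("netlogon_rejected", REJECT)):
            match = pattern.search(line)
            if match:
                result.setdefault(match.group(1).lower(), Counter())[kind] += 1
    return result


def empty_rdn_lookups(syslog):
    """Return slapd 'invalid dn' entries whose DN contains an RDN with an empty value."""
    hits = []
    for line in syslog.splitlines():
        match = INVALID_DN.search(line)
        if not match:
            continue
        dn = match.group(3)
        # Naive split: good enough for these DNs, which contain no escaped commas.
        rdns = [part for part in dn.split(",") if "=" in part]
        empty = [part for part in rdns if part.split("=", 1)[1].strip() == ""]
        if empty:
            hits.append({"conn": int(match.group(1)), "op": match.group(2),
                         "dn": dn, "empty_rdn": empty})
    return hits


if __name__ == "__main__":
    for account, counts in machine_account_failures(SAMBA_LOG).items():
        print(account, dict(counts))
    for hit in empty_rdn_lookups(SYSLOG):
        print("conn", hit["conn"], hit["op"], "empty RDN in", hit["dn"])
```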
Re: [Samba] how to join to AD ?
mistofeles wrote:
> There is these lines in smb.conf and I have found no good information about them:
> idmap uid = 1-200
> idmap gid = 5000-200
> idmap config MY_DOMAIN:range = 1000 - 3

If you want to avoid troubles, keep the values coherent. In a single-domain, if you don't need a consistent mapping of the users across different clients (for example to have multiple clients access a NFS server) you can keep the range quite limited. If you need consistent mapping, you can use RID backend -- but you'll have to use a wide range to avoid collisions.

> It seems that the users get their local UID / GUID as 1 / 5000 or above as set in 'idmap uid' and 'idmap gid'.
> What is the meaning of this 'idmap config MY_DOMAIN:range' and how should I set it ?

The same as idmap uid. Or just remove that line.

> I have a right to join a PC to our domain. Before I could do that, I had to adduser myself in my server with the username I have in the domain. After that 'kinit' and 'net ads join' work.

Try using
kinit user.n...@full.uppercase.realm
After that, you'll use "net ads join -U user.name"

> BTW: is krb5 necessary for the authentication ?

pam_krb5 is not -- winbind handles it. But it needs krb5 client libs.

--
Diego Zuccato
Servizi Informatici
Dip. di Astronomia - Università di Bologna
Via Ranzani, 1 - 40126 Bologna - Italy
tel.: +39 051 20 95786
mail: diego.zucc...@unibo.it
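One way to check the coherence advised in the reply above, as an added example (not code from the thread or from Samba): it parses the [global] idmap settings, rejects malformed or inverted ranges, compares each per-domain range with "idmap uid", and, for the rid backend, checks that the range is wide enough for the highest RID. The smb.conf fragment and the highest_rid value are constructed for illustration, and base_rid is assumed to be 0.

```python
import re

# Constructed smb.conf fragment; the numbers are illustrative, not the thread's.
SAMPLE_CONF = """
[global]
    workgroup = MY_DOMAIN
    security = ads
    idmap uid = 10000-20000
    idmap gid = 10000 - 20000
    idmap config MY_DOMAIN:backend = rid
    idmap config MY_DOMAIN:range = 10000 - 13000
"""
# Same file with the per-domain range made equal to "idmap uid".
FIXED_CONF = SAMPLE_CONF.replace("10000 - 13000", "10000 - 20000")

RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")
DOMAIN_RANGE_RE = re.compile(r"^idmap config (.+):range$")


def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; normalise case and spacing.
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            params[key] = value.strip()
    return params


def parse_range(value):
    """Parse 'low-high' (spaces allowed) into a tuple, or None if malformed."""
    match = RANGE_RE.match(value)
    return (int(match.group(1)), int(match.group(2))) if match else None


def check_idmap(text, highest_rid=None):
    """Return a list of findings; an empty list means the settings are coherent."""
    params = parse_global(text)
    findings, ranges = [], {}
    for key, value in params.items():
        if key in ("idmap uid", "idmap gid") or DOMAIN_RANGE_RE.match(key):
            rng = parse_range(value)
            if rng is None or rng[0] >= rng[1]:
                findings.append(f"{key}: malformed or inverted range {value!r}")
            else:
                ranges[key] = rng
    base = ranges.get("idmap uid")
    for key, (low, high) in ranges.items():
        match = DOMAIN_RANGE_RE.match(key)
        if not match:
            continue
        domain = match.group(1)
        if base and (low, high) != base:
            findings.append(f"{key}: {low}-{high} differs from idmap uid {base[0]}-{base[1]}")
        backend = params.get(f"idmap config {domain}:backend", "").lower()
        # idmap_rid computes ID = RID - base_rid + low; base_rid is assumed 0 here.
        if backend == "rid" and highest_rid is not None and low + highest_rid > high:
            findings.append(f"{key}: RID {highest_rid} maps to {low + highest_rid}, "
                            f"above the range end {high}")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_CONF, highest_rid=5000):
        print("WARN", finding)
    print("fixed config findings:", check_idmap(FIXED_CONF, highest_rid=5000))
```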
[Samba] Joining winXP SP3 in samba 3.3.9 + openldap backend, why does't work?
Hello Dear Fellows,

I'm trying to join my vbox windows xp sp3 machine, to my samba server. When I inform my administrator user: "root", and his password XP says:

"Erro durante a tentativa de ingresso no domínio "CORP_TRIARIUS":
O domínio especificado não existe ou não pôde ser contatado."

Which in English means something like:

"An error occurs when try to join to CORP_TRIARIUS domain:
The domain specified does not exist or can't be contacted."

But (...):

1) From "thome" (my samba server): config file is fine:

# testparm /usr/local/etc/smb.conf
Load smb config files from /usr/local/etc/smb.conf
Processing section "[homes]"
Processing section "[profiles]"
Processing section "[netlogon]"
Processing section "[disco]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

2) From "thome" (my samba server): error when trying to join without specifying a server:

# net rpc testjoin
Unable to find a suitable server for domain CORP_TRIARIUS
Join to domain 'CORP_TRIARIUS' is not valid: NT_STATUS_UNSUCCESSFUL

3) From "thome" (my samba server): testjoin ok when server is specified:

# net -S thome rpc testjoin
Join to 'CORP_TRIARIUS' is OK
# net -S 192.168.1.1 rpc testjoin
Join to 'CORP_TRIARIUS' is OK

4) From "vinnix" (another freebsd host): smbd service seems ok:

# smbclient -L thome -N
Server's Role (logon server) NOT ADVISED with domain-level security
Anonymous login successful
Domain=[CORP_TRIARIUS] OS=[Unix] Server=[Samba 3.3.9]

        Sharename       Type      Comment
        ---------       ----      -------
        disco           Disk      Diretorio publico
        IPC$            IPC       IPC Service (FreeBSD PDC)
Anonymous login successful
Domain=[CORP_TRIARIUS] OS=[Unix] Server=[Samba 3.3.9]

        Server               Comment
        ---------            -------
        THOME                FreeBSD PDC

        Workgroup            Master
        ---------            -------
        CORP_TRIARIUS        THOME

5) From "vinnix": I can mount a volume as CORP_TRIARIUS\root:

# /usr/sbin/mount_smbfs -I thome //r...@thome/root ./teste
Password:
# df
Filesystem         1K-blocks    Used   Avail Capacity  Mounted on
(...)
//r...@thome/ROOT    1012974  437266  575708    43%    /mnt/teste

6) I dug up some logs from when I was trying to join from vbox (named "triarius-wp1"), but I really don't understand them very well. E.g. I don't recognize this "MAILSLOT". I really don't know.

[2009/12/07 04:58:40, 5] libsmb/nmblib.c:read_packet(802)
  Received a packet of len 245 from (192.168.1.56) port 138
[2009/12/07 04:58:40, 9] nmbd/nmbd_namelistdb.c:find_name_on_subnet(126)
  find_name_on_subnet: on subnet 192.168.1.1 - found name CORP_TRIARIUS<1c> source=2
[2009/12/07 04:58:40, 4] nmbd/nmbd_packets.c:process_dgram(1281)
  process_dgram: datagram from TRIARIUS-WP1<00> to CORP_TRIARIUS<1c> IP 192.168.1.56 for \MAILSLOT\NET\NETLOGON of type 18 len=71
[2009/12/07 04:58:40, 4] nmbd/nmbd_processlogon.c:process_logon_packet(116)
  process_logon_packet: Logon from 192.168.1.56: code = 0x12
[2009/12/07 04:58:40, 5] nmbd/nmbd_processlogon.c:process_logon_packet(354)
  process_logon_packet: Logon from 192.168.1.56: code = 0x12
[2009/12/07 04:58:40, 5] nmbd/nmbd_processlogon.c:process_logon_packet(354)
  process_logon_packet: LOGON_SAM_LOGON_REQUEST sidsize 0, len = 71
[2009/12/07 04:58:40, 5] nmbd/nmbd_processlogon.c:process_logon_packet(361)
  process_logon_packet: len = 71 PTR_DIFF(q, buf) = 63
[2009/12/07 04:58:40, 3] nmbd/nmbd_processlogon.c:process_logon_packet(386)
  process_logon_packet: LOGON_SAM_LOGON_REQUEST sidsize 0 ntv 11
[2009/12/07 04:58:40, 5] nmbd/nmbd_processlogon.c:process_logon_packet(395)
  process_logon_packet: LOGON_SAM_LOGON_REQUEST user
[2009/12/07 04:58:40, 5] nmbd/nmbd_processlogon.c:process_logon_packet(402)
  process_logon_packet: LOGON_SAM_LOGON_REQUEST request from TRIARIUS-WP1(192.168.1.56) for , returning logon svr \\THOME domain CORP_TRIARIUS code 13 token=
[2009/12/07 04:58:40, 4] lib/util.c:dump_data(2233)
  [000] 15 00 5C 00 5C 00 54 00 48 00 4F 00 4D 00 45 00 ..\.\.T. H.O.M.E.
  [010] 00 00 00 00 43 00 4F 00 52 00 50 00 5F 00 54 00 C.O. R.P._.T.
  [020] 52 00 49 00 41 00 52 00 49 00 55 00 53 00 00 00 R.I.A.R. I.U.S...
  [030] 01 00 00 00 FF FF FF FF
[2009/12/07 04:58:40, 3] nmbd/nmbd_processlogon.c:process_logon_packet(667)
  process_logon_packet: processing delayed initial logon reply for client TRIARIUS-WP1(192.168.1.56)
[2009/12/07 04:58:40, 4] nmbd/nmbd_packets.c:send_mailslot(1962)
  send_mailslot: Sending to mailslot \MAILSLOT\NET\GETDC782 from THOME<00> IP 192.168.1.1 to TRIARIUS-WP1<00> IP 192.168.1.56
[2009/12/07 04:58:40, 4] nmbd/nmbd_packets.c:debug_browse_data(95)
  debug_browse_data():
  0 char ..\.\.T.H.O.M.E. hex 15 00 5c 00 5c 00 54 00 48 00 4f 00 4d 00 45 00
  10 char C.O.R.P._.T. hex 00 00 00 00 43 00 4f 00 52 00 50 00 5f 00 54 00
  20 char R.I.A.R.I.U.S... hex 52 00 49 00 41 00 52 00 49 00 55 00 53 00 00 00
  30 char hex 01