Re: [Samba] Absolute path of file transferred using samba

2009-12-21 Thread HariK

Hi,
Will the VFS audit feature work in samba running in a uclinux embedded
system?


John M. Drescher wrote:
> 
> On Tue, Dec 22, 2009 at 1:55 AM, HariK  wrote:
>>
>> Hi Jeremy,
>>
>> I have used samba as a blackbox and not adept with its internals. My
>> requirement is as follows:
>> I started smbd session in linux and in windows, gave the ip address of
>> the
>> linux pc. When I transfer a file to the linux pc, I want the smbd
>> application to print the absolute path of the file's destination. For
>> example, assume the linux pc ip is 10.142.14.100 and samba path is /tmp.
>> Suppose I transfer a file temp.txt to a folder /tmp/dir1, then smbd must
>> print the path "/tmp/dir1/temp.txt".
>>
>> For this to happen, what are the code changes to be done in smbd module?
>>
> 
> smbd print where?
> 
> Sounds like you want to use the audit module
> 
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html
> 
> John
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 

-- 
View this message in context: 
http://old.nabble.com/Absolute-path-of-file-transferred-using-samba-tp26883560p26884923.html
Sent from the Samba - General mailing list archive at Nabble.com.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Absolute path of file transferred using samba

2009-12-21 Thread John Drescher
On Tue, Dec 22, 2009 at 1:55 AM, HariK  wrote:
>
> Hi Jeremy,
>
> I have used samba as a blackbox and not adept with its internals. My
> requirement is as follows:
> I started smbd session in linux and in windows, gave the ip address of the
> linux pc. When I transfer a file to the linux pc, I want the smbd
> application to print the absolute path of the file's destination. For
> example, assume the linux pc ip is 10.142.14.100 and samba path is /tmp.
> Suppose I transfer a file temp.txt to a folder /tmp/dir1, then smbd must
> print the path "/tmp/dir1/temp.txt".
>
> For this to happen, what are the code changes to be done in smbd module?
>

smbd print where?

Sounds like you want to use the audit module

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html

John


Re: [Samba] Absolute path of file transferred using samba

2009-12-21 Thread HariK

Hi Jeremy,

I have used samba as a black box and am not adept with its internals. My
requirement is as follows:
I started smbd session in linux and in windows, gave the ip address of the
linux pc. When I transfer a file to the linux pc, I want the smbd
application to print the absolute path of the file's destination. For
example, assume the linux pc ip is 10.142.14.100 and samba path is /tmp.
Suppose I transfer a file temp.txt to a folder /tmp/dir1, then smbd must
print the path "/tmp/dir1/temp.txt".

For this to happen, what are the code changes to be done in smbd module?

Please clarify.


Jeremy Allison wrote:
> 
> On Mon, Dec 21, 2009 at 09:14:40PM -0800, HariK wrote:
>> 
>> Hi,
>> 
>> When I transfer a file from Windows to my unix machine using Samba, is it
>> possible in Samba to get the absolute path of the destination directory
>> in
>> the unix machine to which the file is being copied to?
> 
> No. Well  if you did a shareinfo RPC request on \\SRVSVC, asking for
> info level 2 on the sharename then you'd get the absolute path in Windows
> path format. But you'd have to have rights to do so.
> 
> Jeremy.
> 
> 

-- 
View this message in context: 
http://old.nabble.com/Absolute-path-of-file-transferred-using-samba-tp26883560p26884618.html
Sent from the Samba - General mailing list archive at Nabble.com.



[Samba] long file name not supported

2009-12-21 Thread vishesh kumar
Dear all
I have samba 3.0.28 on RHEL 5.2. For the last 2 days I have been facing a
strange issue: one of my samba shares, on a specific XP client, asks for a
short filename when I try to paste a file with a long filename. Earlier the
same setup never asked for any change in filename, and even currently other
XP clients don't ask for a short filename. It would be a great help to me if
someone could guide me in the right direction.

Thanks


-- 
http://linuxinterviews.blogspot.com


Re: [Samba] Absolute path of file transferred using samba

2009-12-21 Thread Jeremy Allison
On Mon, Dec 21, 2009 at 09:14:40PM -0800, HariK wrote:
> 
> Hi,
> 
> When I transfer a file from Windows to my unix machine using Samba, is it
> possible in Samba to get the absolute path of the destination directory in
> the unix machine to which the file is being copied to?

No. Well  if you did a shareinfo RPC request on \\SRVSVC, asking for
info level 2 on the sharename then you'd get the absolute path in Windows
path format. But you'd have to have rights to do so.

Jeremy.


[Samba] Absolute path of file transferred using samba

2009-12-21 Thread HariK

Hi,

When I transfer a file from Windows to my unix machine using Samba, is it
possible in Samba to get the absolute path of the destination directory in
the unix machine to which the file is being copied to?

Please clarify.
-- 
View this message in context: 
http://old.nabble.com/Absolute-path-of-file-transferred-using-samba-tp26883560p26883560.html
Sent from the Samba - General mailing list archive at Nabble.com.



[Samba] config backend = registry; printers not shown

2009-12-21 Thread Zoolook
Hello,

I couldn't find an answer to this small question in google/man/faq:
why do I lose my printer if I use the registry backend?


config backend = file (full config file below):

...
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
guest ok = yes
...

$ smbclient -kL //venkman
...
EPSON_Stylus_CX5900 Printer   EPSON Stylus CX5900
...


config backend = files, delete everything except [printers] and
include "include = registry":

...
[global]
include = registry

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
guest ok = yes
...

$ smbclient -kL //venkman
...
EPSON_Stylus_CX5900 Printer   EPSON Stylus CX5900
...


**BUT** if I change to config backend = registry, I no longer see my printer

...
[global]
   config backend = registry
...

$ smbclient  -kL //venkman
Domain=[BENSA] OS=[Unix] Server=[Samba 3.4.0]

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (venkman server (Samba, Ubuntu))
zoolook         Disk      Home Directory
print$          Disk      Printer Drivers
Domain=[BENSA] OS=[Unix] Server=[Samba 3.4.0]

Server               Comment
---------            -------
VENKMAN              venkman server (Samba, Ubuntu)

Workgroup            Master
---------            -------
BENSA                VENKMAN


Why? (and no, disabling kerberos makes no difference...)

samba is 2:3.4.0-3ubuntu5.3, ubuntu karmic.

Here's my net conf list

$ sudo net conf list
[global]
workgroup = BENSA
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://localhost
dedicated keytab file = /etc/samba/smb.keytab
kerberos method = dedicated keytab
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
announce version = 5.9
time server = Yes
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd '%g'
delete group script = /usr/sbin/smbldap-userdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -t 0 -w '%u'
domain logons = Yes
os level = 255
preferred master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=bensa,dc=ar
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=machines
ldap passwd sync = yes
ldap suffix = dc=bensa,dc=ar
ldap ssl = no
ldap user suffix = ou=users
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
realm = BENSA.AR

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No
guest ok = yes

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

[homes]
comment = Home Directory
browseable = No


Re: [Samba] Looking for Windows port

2009-12-21 Thread Kevin Keane
There isn't a Windows "port" but a Samba-clone. It was made by a company called 
Microsoft. You should check them out someday, some of their software actually 
doesn't suck.

Seriously, a Windows port of Samba wouldn't make much sense since the whole 
point of Samba is to do what Windows already does natively. It also likely 
wouldn't be possible to run Samba because Windows listens on the same ports 
that Samba would be using.

Also, if licensing was your reason for wanting Samba: Samba wouldn't allow you 
to sidestep any of the Windows license limitations in the first place. The 
license limitations apply regardless of which software you use to share files.

> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of P Tend
> Sent: Monday, December 21, 2009 12:18 PM
> To: samba@lists.samba.org
> Subject: [Samba] Looking for Windows port
> 
> Samba has been around for several years and seems mature but I cannot
> find a
> Windows port anywhere?
> I want to write code once and run same on Linux and Windows but this
> gap
> prevents me.
> 
> Has anybody tried?
> 
> Thanks for your consideration.


Re: [Samba] Looking for Windows port

2009-12-21 Thread John Drescher
> Samba has been around for several years

We have had it in our production servers for around 10 years. Meaning
that the conversion from a windows NT / active directory domain to a
samba one happened for us in 2000. It works great, much easier to
manage than windows servers and no need to make design decisions (and
limitations) based on how much the license will cost.

> and seems mature but I cannot find a
> Windows port anywhere?
> I want to write code once and run same on Linux and Windows but this gap
> prevents me.

So you want to make an application that somehow modifies the SMB/CIFS protocol?

>
> Has anybody tried?
>

I do not think this would be an easy task. First off you have to
disable the windows SMB and all of its services. This is in
addition to Server and Workstation. I would doubt that many windows
users would want / allow this.

John


[Samba] Looking for Windows port

2009-12-21 Thread P Tend
Samba has been around for several years and seems mature but I cannot find a
Windows port anywhere?
I want to write code once and run same on Linux and Windows but this gap
prevents me.

Has anybody tried?

Thanks for your consideration.


Re: [Samba] samba password complexity help?

2009-12-21 Thread Morgan Toal

Fixed.

Thank you John for your comment, which made me realize that crackcheck 
was something I needed to compile myself. I had thought this was perhaps 
a version difference between older and newer versions of cracklib. In my 
case I was using prebuilt RPM's. Please see my notes below for my steps 
to resolution (cc: to samba list for posterity).


Also, thank you Jack for your suggestion. I was able to get passwd sync 
to work, but since the users never log into the samba box directly I 
wanted to keep this entirely "within samba" so to speak and not deal 
with setting up the pam restrictions on unix accounts.


thanks again...

mtoal

On 12/21/2009 9:17 AM, j...@hytronix.com wrote:


I'll repost this, as I'm kind of needing to get some resolution on this
issue. If anyone has some documentation they could point me to I'd
appreciate it, or perhaps a sample check password script suitable for
Fedora 11.


Look in your samba source, under examples->auth->crackcheck, if you built
from source - since you have the cracklib stuff already you have all you
need.

If you are using prebuilt RPMs, it's in one of them, but I don't recall
which.

-John


# create-cracklib-dict /usr/share/dict/words
we need to be sure we have created our password dictionary
it is created for us in /usr/share/cracklib/pw_dict.pwd
this is referred to in smb.conf when we set up password checking

I received a suggestion that crackcheck was to be compiled from samba 
source, exists in examples/auth/crackcheck


# yum install samba-doc
didn't have crackcheck in it.
look for the main samba source rpm.

# rpm -ivh samba-3.4.2-0.42.fc11.src.rpm
i got it from rpmseek.com
/examples/auth/crackcheck.c is present in this directory:
/root/rpmbuild/SOURCES/samba-3.4.2/examples/auth/crackcheck
Now, what do I need to compile it?
we at least need to install gcc, maybe cracklib-dev

# yum install gcc
make didn't work yet, probably need cracklib-devel

# yum install cracklib-devel
make worked
crackcheck executable resides in:
/root/rpmbuild/SOURCES/samba-3.4.2/examples/auth/crackcheck

copy this to somewhere more sensible:
cp crackcheck /usr/local/sbin

# /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
erjioerjfiorfjeirfjoeri
(returns nothing implying the password was acceptable)

# /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict
crappy
ERR - it is based on a dictionary word
(returns an error indicating password is not acceptable)

# vi /etc/samba/smb.conf
check password script = /usr/local/sbin/crackcheck -d /usr/share/cracklib/pw_dict


# service smb reload

try it now from a windows client that is on that domain.

things to check if all passwords are rejected even good ones...
...is pw_dict an empty or very small file? remake it.
...is crackcheck executable where you think it is?
...is the path to crackcheck executable valid? (I had a typo)
...is the path to the pw_dict valid?

--
Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
319-759-8882
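
An alternative to compiling crackcheck, as an added example that is not part of the original post or of the Samba source: a wrapper that converts the line-oriented output of cracklib-check (quoted in the original question as `bfg9000: OK`) into the exit status that `check password script` expects, with the password arriving on standard input. The install path, the `--samba` argument and the `CRACKLIB_CHECK` override are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: adapter that lets cracklib-check serve as Samba's
# "check password script". Samba writes the candidate password to the
# script's standard input and accepts the change only on exit status 0.
#
# Hypothetical smb.conf line (path and --samba flag are assumptions):
#   check password script = /usr/local/sbin/cracklib-samba-check --samba

# Assumption: CRACKLIB_CHECK is an override invented for this example;
# the default is the binary location mentioned in the thread.
CRACKLIB_CHECK=${CRACKLIB_CHECK:-/usr/sbin/cracklib-check}

# cracklib_verdict CANDIDATE
# Prints cracklib's verdict ("OK" or the rejection reason).
# cracklib-check reads one candidate per line and answers
# "<candidate>: <verdict>", so the verdict is what remains after removing
# the exact "<candidate>: " prefix. Stripping the known prefix (instead of
# splitting on the first ": ") keeps passwords that contain ": " intact.
cracklib_verdict() {
    candidate=$1
    # printf is a shell builtin, so the password never appears in argv.
    reply=$(printf '%s\n' "$candidate" | "$CRACKLIB_CHECK" 2>/dev/null) || reply=
    case $reply in
        "$candidate: "*)
            reason=${reply#"$candidate: "}
            printf '%s\n' "$reason"
            ;;
        *)
            # Missing binary, wrong path or unexpected output: fail closed.
            printf '%s\n' "checker unavailable"
            ;;
    esac
}

# check_password
# Reads one password from stdin; returns 0 if acceptable, 1 otherwise.
check_password() {
    secret=
    # The input may arrive without a trailing newline; read then returns
    # non-zero but still fills the variable, so ignore its status.
    IFS= read -r secret || :
    if [ -z "$secret" ]; then
        echo "ERR - empty password" >&2
        return 1
    fi
    verdict=$(cracklib_verdict "$secret")
    if [ "$verdict" = "OK" ]; then
        return 0
    fi
    echo "ERR - $verdict" >&2
    return 1
}

# Run as a checker only when asked to, so the functions above can also be
# sourced and exercised by hand.
if [ "${1:-}" = "--samba" ]; then
    check_password
    exit $?
fi
```

Because an unreachable checker is treated as a rejection, a wrong path shows up as "all passwords are rejected", which matches the checklist above.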


Re: [Samba] Fw: W2KSP4 Problem

2009-12-21 Thread Zoolook
2009/12/21 Diego Vera :
> [global]
>        workgroup = DCHOMO
>        netbios name = DCHOMO

Change your workgroup name or your netbios name. Both can't be the same.


Re: [Samba] Issue Joining Win7 to Samba Domain ( tried wiki instructions)

2009-12-21 Thread David Southwell
> Linda Walsh wrote:
> >Moray Henderson wrote:
> >> Something to do with the name of the machine?
> >
> >---
> > SMB server name is 'ishtar', Domain 'Bliss' (Ha!, wishful
> 
> thinking...
> 
> >it's a goal!)), and Win7 client is 'athenae'. All are in DNS domain
> >'sc.tlinx.org'
> >(an internal domain name).  Theoretically straightforward.
> 
> 
> 
> >---my smb.conf is below:
> >
> >[global]
> > acl group control = yes
> > add user script = /usr/sbin/useradd -m %u
> > add group script = /usr/sbin/groupadd %g
> > add machine script = /usr/sbin/useradd -g machines -c Machine -d
> >/dev/null -s /bin/false %u
> > #aio read size = 65536
> > #aio write size = 65536
> > bind interfaces only = Yes
> > block size = 4096
> > browseable = Yes
> > create mask = 3755
> > delete user script = /usr/sbin/userdel %u
> > delete group script = /usr/sbin/groupdel %g
> > display charset = UTF8
> > dns proxy = yes
> > domain logons = Yes
> > domain master = Yes
> > ea support = yes
> > enable asu support = yes
> > guest account = guest
> > guest ok = Yes
> > #include= /etc/samba/dhcp.conf
> > interfaces = 127.0.0.1/32 192.168.3.0/24
> > log file = /var/log/samba/log.%m
> > log level = 2
> > logon home = \\%D\%U
> > logon path = \\%D\%U
> > # unused; relative to netlogon(w9x) logon script =
> 
> scripts\%U.bat
> 
> > map acl inherit = yes
> > max log size = 4096
> >#max xmit = 66576
> >#min receivefile size = 65536
> > name resolve order = wins lmhosts host
> > netbios aliases = web-proxy clock socks-proxy Bliss
> > #netbios name = Bliss
> > os level = 65
> > passdb backend = tdbsam:/etc/samba/.internals/passwd.tdb
> > passwd program = /usr/bin/passwd '%u'
> > printing = bsd
> > read only = No
> > recycle: keeptree = true
> > set primary group script = /usr/sbin/usermod -g '%g' '%u'
> > server signing = auto
> > server string = Ishtar
> > security = user
> > show add printer wizard = no
> > smb ports = 139
> > time server = Yes
> > unix password sync = yes
> > use sendfile = true
> > recycle: keeptree=true
> > username map = /etc/samba/smbusers
> > wins support = Yes
> > workgroup = Bliss
> 
> The server string is Ishtar, but that is not the server name; you need
> to set "netbios name" for that.  Your domain is Bliss, but you also have
> a netbios alias for Bliss; could that be confusing something?  My setup
> has "server signing = No", and I don't know the recycle option.
> 
> Do you see anything useful in /var/log/samba/log.smbd or log.athenae if
> you bump up the debug level?  Could something have changed on your
> server between the successful join a few weeks ago and the attempt to
> rejoin after reinstalling?  Do you have other Win7 clients that do work?
> Could there be another server on your network intercepting domain
> requests?  From Linux,
> 
> nmblookup "BLISS#1C"
> 
> should list the IP address of the Domain Controllers of Bliss.
> 
> You said you had used Wireshark; have you also tried tcpdump at the
> server end?  Win XP had a command line utility called nbtstat; does Win7
> still have it?  If so, try something like
> 
> nbtstat -a Ishtar
> nbtstat -c
> 
> and see if it gives you what you expect.  Ishtar should have something
> like this:
> 
>NetBIOS Remote Machine Name Table
> 
>Name   Type Status
> -
> ISHTAR <00>  UNIQUE  Registered
> ISHTAR <03>  UNIQUE  Registered
> ISHTAR <20>  UNIQUE  Registered
> ..__MSBROWSE__.<01>  GROUP   Registered
> BLISS  <1D>  UNIQUE  Registered
> BLISS  <1B>  UNIQUE  Registered
> BLISS  <1C>  GROUP   Registered
> BLISS  <1E>  GROUP   Registered
> BLISS  <00>  GROUP   Registered
> 
> (See http://www.windowsnetworking.com/nt/atips/atips316.shtml for an
> explanation of the service codes.)
> 
> 
> Moray.
> "To err is human.  To purr, feline"
> 
Just want to ask the obvious question, as I did not see it mentioned: what
version of Windows 7 is the client machine?

David


[Samba] Fw: W2KSP4 Problem

2009-12-21 Thread Diego Vera
I was having a problem with my Samba PDC with LDAP backend.
Some of my workstations (W2kSP4) couldn't log into the domain. I removed
the machines from the domain, changed the name, created a new
machine-account, but I still can't add the machine to the domain.

smbclient -L localhost
Enter root's password:
Anonymous login successful
Domain=[DCHOMO] OS=[Unix] Server=[Samba 3.2.11-0.28]
S.O.=Red Hat Enterprise Linux Server (2.6.18-164.6.1.el5)
 
Sharename       Type      Comment
---------       ----      -------
netlogon        Disk      Network Logon Service
public          Disk      Public Stuff
IPC$            IPC       IPC Service (Samba Server Domain Homo)
Anonymous login successful
Domain=[DCHOMO] OS=[Unix] Server=[Samba 3.2.11-0.28]

Server               Comment
---------            -------
DCHOMO               Samba Server Domain Homo

Workgroup            Master
---------            -------
DCHOMO               DCHOMO
 
 
api_rpcTNP: rpc command: SAMR_CONNECT4
[2009/12/18 17:27:53,  3] lib/util_seaccess.c:se_access_check(249)
[2009/12/18 17:27:53,  3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-2188918441-1838679514-704389668-512
  se_access_check: also S-1-22-2-11752
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-22-1-11752
[2009/12/18 17:27:53,  3] rpc_server/srv_pipe_hnd.c:free_pipe_context(519)
  free_pipe_context: destroying talloc pool of size 984
[2009/12/18 17:27:53,  3] smbd/process.c:process_smb(1550)
  Transaction 20 of length 140 (0 toread)
[2009/12/18 17:27:53,  3] smbd/process.c:switch_message(1361)
  switch message SMBtrans (pid 28881) conn 0x9698f70
[2009/12/18 17:27:53,  3] smbd/ipc.c:handle_trans(436)
  trans <\PIPE\> data=52 params=0 setup=2
[2009/12/18 17:27:53,  3] smbd/ipc.c:named_pipe(387)
  named pipe command on <> name
[2009/12/18 17:27:53,  3] smbd/ipc.c:api_fd_reply(345)
  Got API command 0x26 on pipe "samr" (pnum 751a)
[2009/12/18 17:27:53,  3] rpc_server/srv_pipe_hnd.c:free_pipe_context(519)
  free_pipe_context: destroying talloc pool of size 0
[2009/12/18 17:27:53,  3] rpc_server/srv_pipe.c:api_rpcTNP(2308)
  api_rpcTNP: rpc command: SAMR_ENUMDOMAINS
[2009/12/18 17:27:53,  2] 
rpc_server/srv_samr_nt.c:access_check_samr_function(246)
  _samr_EnumDomains: ACCESS DENIED (granted: 0x0002;  required: 0x0010)
[2009/12/18 17:27:53,  3] rpc_server/srv_pipe_hnd.c:free_pipe_context(519)
  free_pipe_context: destroying talloc pool of size 0
[2009/12/18 17:27:53,  3] smbd/process.c:process_smb(1550)
  Transaction 21 of length 140 (0 toread)
[2009/12/18 17:27:53,  3] smbd/process.c:switch_message(1361)
  switch message SMBtrans (pid 28881) conn 0x9698f70
[2009/12/18 17:27:53,  3] smbd/ipc.c:handle_trans(436)
  trans <\PIPE\> data=52 params=0 setup=2
[2009/12/18 17:27:53,  3] smbd/ipc.c:named_pipe(387)
  named pipe command on <> name
[2009/12/18 17:27:53,  3] smbd/ipc.c:api_fd_reply(345)
  Got API command 0x26 on pipe "samr" (pnum 751a)
[2009/12/18 17:27:53,  3] rpc_server/srv_pipe_hnd.c:free_pipe_context(519)
  free_pipe_context: destroying talloc pool of size 0
[2009/12/18 17:27:53,  3] rpc_server/srv_pipe.c:api_rpcTNP(2308)
  api_rpcTNP: rpc command: SAMR_ENUMDOMAINS
[2009/12/18 17:27:53,  2] 
rpc_server/srv_samr_nt.c:access_check_samr_function(246)
  _samr_EnumDomains: ACCESS DENIED (granted: 0x0002;  required: 0x0010)
[2009/12/18 17:27:53,  3] rpc_server/srv_pipe_hnd.c:free_pipe_context(519)
  free_pipe_context: destroying talloc pool of size 0
[2009/12/18 17:27:53,  3] smbd/process.c:process_smb(1550)
  Transaction 22 of length 132 (0 toread)
[2009/12/18 17:27:53,  3] smbd/process.c:switch_message(1361)
  switch message SMBtrans (pid 28881) conn 0x9698f70
[2009/12/18 17:27:53,  3] smbd/ipc.c:handle_trans(436)
 
[2009/12/18 17:27:54,  3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: sam authentication for user [u40003] succeeded
[2009/12/18 17:27:54,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 
[2009/12/18 17:27:54,  3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(337)
  NTLMSSP Sign/Seal - Initialising with flags:
[2009/12/18 17:27:54,  3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xe2088215
[2009/12/18 17:27:54,  3] smbd/password.c:register_existing_vuid(320)
  register_existing_vuid: User name: u40003 Real name: PEREZ, JUAN JAVIER
[2009/12/18 17:27:54,  3] smbd/password.c:register_existing_vuid(332)
  register_existing_vuid: UNIX uid 11752 is UNIX user u40003, and will be vuid 
100
[2009/12/18 17:27:54,  3] smbd/password.c:register_existing_vuid(353)
  Adding homes service for user 'u40003' using home directory: '/home/u40003'
[2009/12/18 17:27:54,  3] smbd/process.c:process_smb(1550)
  Transaction 3 of length 90 (0 toread)
[2009/12/18 17:27:54,  3] smbd/process.c:switch_mess

Re: [Samba] Issue Joining Win7 to Samba Domain (tried wiki instructions)

2009-12-21 Thread Moray Henderson
Linda Walsh wrote:
>Moray Henderson wrote:
>>
>> Something to do with the name of the machine?
>---
>   SMB server name is 'ishtar', Domain 'Bliss' (Ha!, wishful
thinking...
>it's a goal!)), and Win7 client is 'athenae'. All are in DNS domain
>'sc.tlinx.org'
>(an internal domain name).  Theoretically straightforward.

>---my smb.conf is below:
>
>[global]
>   acl group control = yes
>   add user script = /usr/sbin/useradd -m %u
>   add group script = /usr/sbin/groupadd %g
>   add machine script = /usr/sbin/useradd -g machines -c Machine -d
>/dev/null -s /bin/false %u
>   #aio read size = 65536
>   #aio write size = 65536
>   bind interfaces only = Yes
>   block size = 4096
>   browseable = Yes
>   create mask = 3755
>   delete user script = /usr/sbin/userdel %u
>   delete group script = /usr/sbin/groupdel %g
>   display charset = UTF8
>   dns proxy = yes
>   domain logons = Yes
>   domain master = Yes
>   ea support = yes
>   enable asu support = yes
>   guest account = guest
>   guest ok = Yes
>   #include= /etc/samba/dhcp.conf
>   interfaces = 127.0.0.1/32 192.168.3.0/24
>   log file = /var/log/samba/log.%m
>   log level = 2
>   logon home = \\%D\%U
>   logon path = \\%D\%U
>   # unused; relative to netlogon(w9x) logon script =
scripts\%U.bat
>   map acl inherit = yes
>   max log size = 4096
>#  max xmit = 66576
>#  min receivefile size = 65536
>   name resolve order = wins lmhosts host
>   netbios aliases = web-proxy clock socks-proxy Bliss
>   #netbios name = Bliss
>   os level = 65
>   passdb backend = tdbsam:/etc/samba/.internals/passwd.tdb
>   passwd program = /usr/bin/passwd '%u'
>   printing = bsd
>   read only = No
>   recycle: keeptree = true
>   set primary group script = /usr/sbin/usermod -g '%g' '%u'
>   server signing = auto
>   server string = Ishtar
>   security = user
>   show add printer wizard = no
>   smb ports = 139
>   time server = Yes
>   unix password sync = yes
>   use sendfile = true
>   recycle: keeptree=true
>   username map = /etc/samba/smbusers
>   wins support = Yes
>   workgroup = Bliss

The server string is Ishtar, but that is not the server name; you need
to set "netbios name" for that.  Your domain is Bliss, but you also have
a netbios alias for Bliss; could that be confusing something?  My setup
has "server signing = No", and I don't know the recycle option.

Do you see anything useful in /var/log/samba/log.smbd or log.athenae if
you bump up the debug level?  Could something have changed on your
server between the successful join a few weeks ago and the attempt to
rejoin after reinstalling?  Do you have other Win7 clients that do work?
Could there be another server on your network intercepting domain
requests?  From Linux, 

nmblookup "BLISS#1C"

should list the IP address of the Domain Controllers of Bliss.

You said you had used Wireshark; have you also tried tcpdump at the
server end?  Win XP had a command line utility called nbtstat; does Win7
still have it?  If so, try something like 

nbtstat -a Ishtar
nbtstat -c

and see if it gives you what you expect.  Ishtar should have something
like this:

   NetBIOS Remote Machine Name Table

Name               Type         Status
---------------------------------------------
ISHTAR <00>  UNIQUE  Registered
ISHTAR <03>  UNIQUE  Registered
ISHTAR <20>  UNIQUE  Registered
..__MSBROWSE__.<01>  GROUP   Registered
BLISS  <1D>  UNIQUE  Registered
BLISS  <1B>  UNIQUE  Registered
BLISS  <1C>  GROUP   Registered
BLISS  <1E>  GROUP   Registered
BLISS  <00>  GROUP   Registered

(See http://www.windowsnetworking.com/nt/atips/atips316.shtml for an
explanation of the service codes.)


Moray.
"To err is human.  To purr, feline"






Re: [Samba] samba password complexity help?

2009-12-21 Thread Jack Downes
If you've got password synchronization working, you should be able to
depend on system complexity tests.  I think in RH, those settings are in
/etc/pam.d/system-auth  or /etc/pam.d/common-password.  I can't recall
for sure.  But try taking a look at that route. Might work, who knows...

Morgan Toal wrote:
> Hi there,
>
> I'll repost this, as I'm kind of needing to get some resolution on
> this issue. If anyone has some documentation they could point me to
> I'd appreciate it, or perhaps a sample check password script suitable
> for Fedora 11.
>
> Thanks!!!
>
> mtoal
>
> -------- Original Message --------
> Subject: [Samba] samba password complexity help?
> Date: Thu, 17 Dec 2009 14:38:34 -0600
> From: Morgan Toal 
> To: samba@lists.samba.org
>
> Hi there,
>
> Here are the facts:
> - I have samba 3.4.2-0.42.fc11 running on a Fedora 11 system.
> - Samba is acting as a domain controller, no Windows server involved.
> - I am using tdbsam.
> - I need to enforce certain password requirements.
>
> The password requirements are:
> - min 8 characters
> - expiration 90 days
> - last 10 passwords may not be reused
> - not a dictionary word
>
> Per the Samba 3.2 FAQ, the first three requirements are easily
> accomplished via pdbedit:
> # pdbedit -P "min password length" -C 8
> # pdbedit -P "password history" -C 10
> # pdbedit -P "maximum password age" -C 90
>
> These items appear to work with no difficulty. However this does not
> address the dictionary/complexity requirement.
>
> I have seen the following suggestion elsewhere on the samba list:
>
> check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict
>
> I am not able to use this suggestion directly. No file "crackcheck" is
> present on my system. There is a /usr/sbin/cracklib-check but it seems
> to work on a file or stream, like grep or something, as opposed to
> returning a value as a function. And it does not seem to accept a "-d"
> switch. There seems to be no man page for cracklib-check. I have a
> dictionary in /usr/share/cracklib
>
> Here is what cracklib-check does...
>
> # cracklib-check
> test
> test: it is too short
> booger
> booger: it is based on a dictionary word
> bfg9000
> bfg9000: OK
> ^C
> # cracklib-check booger   <-- attempting to check password "booger"
> ^C<-- sits there for input, ctrl-c to get out
>
> It does not seem to be a program that "returns" something, so I don't
> think it can return an error code to Samba if I use a crappy password.
> But I try this anyway, but it does not seem to accomplish anything. I
> see nothing in /var/log/messages or in /var/log/samba/log.smbd
>
> check password script = /usr/sbin/cracklib-check /usr/share/cracklib/pw_dict
>
> Well, it doesn't seem to work when I change my password from a windows
> client. Does anyone have any suggestions? Thanks.
>
> So what it boils down to is:
>
> 0) what am I missing here?
>
> 1) where can I get an example crackcheck script file?
>
> 2) I have seen other suggestions to use pam. This might supersede some
> of the tdbsam policy requirements. Is this a better method?
>
>
>



Re: [Samba] Samba + LDAP: Changing user's group

2009-12-21 Thread davefu

Bump


Wes Deviers wrote:
> 
> I'm having this same problem, but it's new.  Using 3.4.2 Debian packages, 
> recently upgraded.  I never had any type of LDAP group caching problem
> until 
> the last 2 weeks.  I added a user to an LDAP group as normal because they 
> needed access to a new share.  Cleared the nscd caches as normal.  The
> service 
> definition uses
> 
> force group = +groupName
> valid users = @admins, @groupName
> write list = @admins, @groupName
> 
> All of the people previously in @groupName retain access to the share. 
> The 
> person I just added cannot access it.  getent, groups, etc all return the 
> correct group membership.  If I add the account explicitly to valid users
> & 
> write list, it works as soon as I do an smbd reload.  
> 
> Did some behavior change or have we stumbled on a new bug?
> 
> Wes
> 
> 
> 
> On Monday 30 November 2009 07:29:33 am davefu wrote:
>> 
>> Hi, thanks for answering.
>> 
>> I have only 1 Samba server. When I mentioned changes on groups, I meant
>> on
>> LDAP server. LDAP is used on both system and samba environments. When
>> changing groups on users, those changes are instant on the system
>> environment, but not on Samba.
>> 
>> - I create a new "Folder A", with full permissions for "Group A"
>> - "User B" (belonging to group B), logs via SSH to the server, and can't
>> access the "Folder A".
>> - "User B" logs via Samba using his Windows desktop machine, and can't
>> access the "Folder A" (previously configured inside a Samba Resource).
>> - Now I add "User B" to "Group A" via LDAP. He belongs now to "Group A"
>> and
>> "Group B".
>> - Getent group | grep "User B" shows correctly both groups on the user.
>> - "User B" correctly access "Folder A", write files, etc via console,
>> ssh,
>> or any kind of regular system authentication (since system is using pam
>> libraries, configured to use LDAP as backend).
>> - "User B" still can't access "Folder A" in any way. Samba has cached
>> "User
>> B" credentials, and haven't checked LDAP again for a while. The only
>> option
>> is to restart Samba, or wait randomly until Samba refreshes / syncs LDAP
>> info about that user again.
>> 
>> Hope this little story explains my problem better.
>> Sorry for my english.
>> 
>> Thanks!
>> 
>> 


Re: [Samba] samba password complexity help?

2009-12-21 Thread Morgan Toal

Hi there,

I'll repost this, as I'm kind of needing to get some resolution on this 
issue. If anyone has some documentation they could point me to I'd 
appreciate it, or perhaps a sample check password script suitable for 
Fedora 11.


Thanks!!!

mtoal

-------- Original Message --------
Subject: [Samba] samba password complexity help?
Date: Thu, 17 Dec 2009 14:38:34 -0600
From: Morgan Toal 
To: samba@lists.samba.org

Hi there,

Here are the facts:
- I have samba 3.4.2-0.42.fc11 running on a Fedora 11 system.
- Samba is acting as a domain controller, no Windows server involved.
- I am using tdbsam.
- I need to enforce certain password requirements.

The password requirements are:
- min 8 characters
- expiration 90 days
- last 10 passwords may not be reused
- not a dictionary word

Per the Samba 3.2 FAQ, the first three requirements are easily
accomplished via pdbedit:
# pdbedit -P "min password length" -C 8
# pdbedit -P "password history" -C 10
# pdbedit -P "maximum password age" -C 90

These items appear to work with no difficulty. However this does not
address the dictionary/complexity requirement.

I have seen the following suggestion elsewhere on the samba list:

check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict

I am not able to use this suggestion directly. No file "crackcheck" is
present on my system. There is a /usr/sbin/cracklib-check but it seems
to work on a file or stream, like grep or something, as opposed to
returning a value as a function. And it does not seem to accept a "-d"
switch. There seems to be no man page for cracklib-check. I have a
dictionary in /usr/share/cracklib

Here is what cracklib-check does...

# cracklib-check
test
test: it is too short
booger
booger: it is based on a dictionary word
bfg9000
bfg9000: OK
^C
# cracklib-check booger   <-- attempting to check password "booger"
^C<-- sits there for input, ctrl-c to get out

It does not seem to be a program that "returns" something, so I don't
think it can return an error code to Samba if I use a crappy password.
But I try this anyway, but it does not seem to accomplish anything. I
see nothing in /var/log/messages or in /var/log/samba/log.smbd

check password script = /usr/sbin/cracklib-check /usr/share/cracklib/pw_dict

Well, it doesn't seem to work when I change my password from a windows
client. Does anyone have any suggestions? Thanks.

So what it boils down to is:

0) what am I missing here?

1) where can I get an example crackcheck script file?

2) I have seen other suggestions to use pam. This might supersede some
of the tdbsam policy requirements. Is this a better method?



--
Morgan Toal, CFCE, RHCE, CEH
Network Manager
City of Burlington, Iowa
319-759-8882
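
An added example (not from the original post or the Samba project): per the smb.conf documentation, "check password script" receives the candidate password on standard input and accepts it only when the program exits 0, while cracklib-check, as the transcript above shows, prints a verdict line. The wrapper below turns that verdict into an exit status; the install path /usr/local/sbin/samba-pwcheck and the CHECKER variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumed install path (hypothetical): /usr/local/sbin/samba-pwcheck, set as
#   check password script = /usr/local/sbin/samba-pwcheck
# smbd writes the candidate password to this script's stdin and accepts the
# password only if the script exits 0.

# Checker binary; the default is the path reported in the post above.
CHECKER="${CHECKER:-/usr/sbin/cracklib-check}"

# check_password: read one password from stdin and return 0 only when the
# checker's verdict for it is exactly "OK".
check_password() {
    pw=
    IFS= read -r pw || :          # tolerate a missing trailing newline
    [ -n "$pw" ] || return 2      # empty input is rejected

    # cracklib-check prints "<password>: <verdict>" per input line (see the
    # transcript above). Its exit status is not relied on; the verdict text
    # is parsed instead. printf is a builtin in bash and dash, so the
    # password is not placed on a command line.
    verdict=$(printf '%s\n' "$pw" | "$CHECKER" 2>/dev/null)

    case "$verdict" in
        "$pw: OK") return 0 ;;
        "$pw: "*)  reason=${verdict#"$pw: "} ;;
        *)         reason="no usable verdict from $CHECKER" ;;
    esac

    # Fail closed: a missing checker or unexpected output is a rejection.
    # Only the reason is written out, never the password.
    echo "password rejected: $reason" >&2
    return 1
}

# Act as the check script only when invoked under the assumed name.
case "${0##*/}" in
    samba-pwcheck) check_password; exit $? ;;
esac
```

Because the wrapper rejects on any output it does not recognise, a missing or renamed cracklib-check blocks password changes rather than silently disabling the dictionary check.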


Re: [Samba] Issue Joining Win7 to Samba Domain (tried wiki instructions)

2009-12-21 Thread Linda Walsh

Moray Henderson wrote:

> Something to do with the name of the machine?

---
SMB server name is 'ishtar', Domain 'Bliss' (Ha!, wishful thinking...
it's a goal!)), and Win7 client is 'athenae'. All are in DNS domain
'sc.tlinx.org'
(an internal domain name).  Theoretically straightforward.

> You said you had to reinstall this machine - if Samba thinks it already is a
> member of the domain, and Windows is trying to rejoin, that could confuse it.
> Are there any characters besides alphanumeric in the name?

	Well, I 'sorta' unjoined from the domain before I reinstalled, but I don't know if it 'took'.  It didn't pause a bit like it was talking to the PDC, and the reason I unjoined is I got a 'failure of trust relationship with PDC'.  So I wanted to try unjoining and rejoining to see if that would fix it.  I unjoined, and never was able to rejoin before the machine got rebuilt.  I unjoined on another machine and had problems joining for a bit due to some network testing I was doing -- but after I restored the config, the XP machine was able to rejoin the network.  The win7 machine is still out in the cold, so to speak.

	I even tried joining using the "net dom join" syntax (using -S /-U for the machine and user on the win7 machine that had perms to join) -- the PDC did talk to the machine, as if I specified a non-existent or bad password for the user on the client machine, I got not authorized or user not found message, but when I had a correct user/pw for the client machine, I got same message on the SMB PDC 'The Name cannot be found'.  It sounds like it can't find the PDC Domain name Domain...what else is the name?  It knows the client machine name.  The client machine name was still in /etc/passwd (I just tried it with the userid deleted -- same same).


One odd thing, but it should make no difference, is the win7 client is 
the only all-uppercase machine in the 'net sam list workstations' .. all the 
rest are all lower case with a '$' after them.  The Win7's name is all 
uppercase w/$.  I tried
unjoining, as well, from the PDC, and got message that the unjoin couldn't be 
done because the join had failed.

---my smb.conf is below:

[global]
acl group control = yes
add user script = /usr/sbin/useradd -m %u
add group script = /usr/sbin/groupadd %g
add machine script = /usr/sbin/useradd -g machines -c Machine -d /dev/null -s /bin/false %u
#aio read size = 65536
#aio write size = 65536
bind interfaces only = Yes
block size = 4096
browseable = Yes
create mask = 3755
delete user script = /usr/sbin/userdel %u
delete group script = /usr/sbin/groupdel %g 
display charset = UTF8
dns proxy = yes
domain logons = Yes
domain master = Yes
ea support = yes
enable asu support = yes
guest account = guest
guest ok = Yes
#include= /etc/samba/dhcp.conf
interfaces = 127.0.0.1/32 192.168.3.0/24
log file = /var/log/samba/log.%m
log level = 2
logon home = \\%D\%U
logon path = \\%D\%U
# unused; relative to netlogon(w9x) logon script = scripts\%U.bat
map acl inherit = yes
max log size = 4096
#   max xmit = 66576
#   min receivefile size = 65536
name resolve order = wins lmhosts host
netbios aliases = web-proxy clock socks-proxy Bliss
#netbios name = Bliss
os level = 65
passdb backend = tdbsam:/etc/samba/.internals/passwd.tdb
passwd program = /usr/bin/passwd '%u'
printing = bsd
read only = No
recycle: keeptree = true
set primary group script = /usr/sbin/usermod -g '%g' '%u'
server signing = auto
server string = Ishtar
security = user
show add printer wizard = no
smb ports = 139
time server = Yes
unix password sync = yes
use sendfile = true
recycle: keeptree=true
username map = /etc/samba/smbusers
wins support = Yes
workgroup = Bliss


[public]
comment =  public include files
path = /home/public
read only = Yes
browseable = Yes
guest ok = yes

[profiles]
comment = Network Profiles Service
path = /home/profiles
read only = No
browseable = Yes
	profile acls = Yes 
	vfs objects = recycle

recycle: keeptree=true

[homes]
browseable=no
comment = Home Dir (Generic Homes, u=%u, U=%U, s=%S, d=%D, w=%w)
path = /home/%U
valid users = %S, %D%w%S
read only = No
create mask = 0750
vfs objects = recycle readahead
	recycle: keeptree=true 



[home]
comment = /home (allhomes)
path = /home
valid users = @trusted_local_net_users
read only = No
browseable = yes
vfs objects = recycle
	recycle: keeptree=true 


[root$]
comme

Re: [Samba] new user can't log

2009-12-21 Thread David Whitney
Check the default group (and any others, for that matter) associated with
the users that cannot logon. If Samba sees a group with a SID not from its
own domain, it will detect a clash and fail the logon.

Mind you, this is an issue in your database that is causing new users in
*your* domain to be associated with group SIDS likely from the "legacy"
domain from which your database originated. You must purge from your
database all references to SIDS from that old domain, or variations of this
issue may recur.

Best of luck in solving the issue.

Warm regards,
David

On Dec 21, 2009 5:39 AM, "Leonardo Carneiro" 
wrote:

Hi guys.

I'm still stuck with that user that can't logon. This is what i got with
some commands:

  fileserver:~# net groupmap list
  Domain Admins (S-1-5-21-874179082-3571801642-3889913597-512) ->
  Domain Admins
  Domain Users (S-1-5-21-874179082-3571801642-3889913597-513) ->
  Domain Users
  Domain Guests (S-1-5-21-874179082-3571801642-3889913597-514) ->
  Domain Guests
  Domain Computers (S-1-5-21-874179082-3571801642-3889913597-515) ->
  Domain Computers
  Administrators (S-1-5-32-544) -> Administrators
  Account Operators (S-1-5-32-548) -> Account Operators
  Print Operators (S-1-5-32-550) -> Print Operators
  Backup Operators (S-1-5-32-551) -> Backup Operators
  Replicators (S-1-5-32-552) -> Replicators
  admfin (S-1-5-21-874179082-3571801642-3889913597-3001) -> admfin
  industrial (S-1-5-21-874179082-3571801642-3889913597-3003) -> industrial
  qualidade (S-1-5-21-874179082-3571801642-3889913597-3019) -> qualidade
  todos (S-1-5-21-874179082-3571801642-3889913597-3023) -> todos
  infra (S-1-5-21-874179082-3571801642-3889913597-47827) -> infra
  diretoria (S-1-5-21-874179082-3571801642-3889913597-17759) -> diretoria
  comercial (S-1-5-21-874179082-3571801642-3889913597-90607) -> comercial
  instalacao (S-1-5-21-874179082-3571801642-3889913597-111769) ->
  instalacao
  atendimento (S-1-5-21-874179082-3571801642-3889913597-68367) ->
  atendimento
  veltrac (S-1-5-21-874179082-3571801642-3889913597-3031) -> software
  hardware (S-1-5-21-874179082-3571801642-3889913597-3021) -> hardware
  mapas (S-1-5-21-874179082-3571801642-3889913597-120591) -> mapas
  importacao (S-1-5-21-874179082-3571801642-3889913597-130555) ->
  importacao
  fileserver:~# net getlocalsid
  SID for domain DOMINIO is: S-1-5-21-874179082-3571801642-3889913597
  fileserver:~# net getdomainsid
  SID for local machine DOMINIO is:
  S-1-5-21-874179082-3571801642-3889913597
  SID for domain DOMINIO is: S-1-5-21-874179082-3571801642-3889913597

Apparently, the domain sid matches with most part of the groups sid. can you
guys see something wrong here?

*Leonardo de Souza Carneiro* *Veltrac - Tecnologia em Logística.*
lscarne...@veltrac.com.br
> The database from ldap was a copy from another domain, that existed in
> another network. i've do...


Re: [Samba] new user can't log

2009-12-21 Thread Leonardo Carneiro

Hi Zoolook and others.

Indeed, the smbldap.conf had the wrong SID. I've changed it, but I do
not have a terminal server to test remotely. Once I get in there I'll
test, but I'm pretty confident that this was the problem. Thanks a lot!


*Leonardo de Souza Carneiro*
*Veltrac - Tecnologia em Logística.*
lscarne...@veltrac.com.br 
http://www.veltrac.com.br 
/Fone Com.: (43)2105-5601/
/Av. Higienópolis 1601 Ed. Eurocenter Sl. 803/
/Londrina- PR/
/Cep: 86015-010/



Zoolook wrote:
> 2009/12/21 Leonardo Carneiro :
>> It's strange. I've found that this problem isn't with this particular user,
>> but with every new user that i create. How can i make the smbldap-useradd to
>> create the users with the right sid?
>
> Check your smbldap config. I'm sure the SID there doesn't match.
> Either remove it or change it to the right value.




Re: [Samba] new user can't log

2009-12-21 Thread Zoolook
2009/12/21 Leonardo Carneiro :
> It's strange. I've found that this problem isn't with this particular user,
> but with every new user that i create. How can i make the smbldap-useradd to
> create the users with the right sid?

Check your smbldap config. I'm sure the SID there doesn't match.
Either remove it or change it to the right value.


Re: [Samba] new user can't log

2009-12-21 Thread Leonardo Carneiro
It's strange. I've found that this problem isn't with this particular 
user, but with every new user that i create. How can i make the 
smbldap-useradd to create the users with the right sid?


*Leonardo de Souza Carneiro*
*Veltrac - Tecnologia em Logística.*
lscarne...@veltrac.com.br 
http://www.veltrac.com.br 
/Fone Com.: (43)2105-5601/
/Av. Higienópolis 1601 Ed. Eurocenter Sl. 803/
/Londrina- PR/
/Cep: 86015-010/



Zoolook wrote:
> 2009/12/21 Leonardo Carneiro :
>> Hi guys.
>>
>> I'm still stuck with that user that can't logon. This is what i got with
>> some commands:
>
> was that the user with SID   S-1-5-21-4161212321-1980848047-2820993626-3468 ?
>
> his SID doesn't match your domain.




Re: [Samba] new user can't log

2009-12-21 Thread Zoolook
2009/12/21 Leonardo Carneiro :
> Hi guys.
>
> I'm still stuck with that user that can't logon. This is what i got with
> some commands:

was that the user with SID   S-1-5-21-4161212321-1980848047-2820993626-3468 ?

his SID doesn't match your domain.
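
The comparison made in this thread (an account or group SID is the domain SID followed by a RID, so it should begin with the value that net getlocalsid reports), as an added example that is not from the original posts. The function names and the "newuser" line are constructed for illustration; the SID values are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the original thread.

# foreign_sids DOMAIN_SID
# Reads text on stdin (for instance saved "net groupmap list" output together
# with the SIDs of user accounts) and prints each distinct SID that is not
# the domain SID, not domain SID + RID, and not a BUILTIN alias (S-1-5-32-*).
foreign_sids() {
    dom=$1
    grep -oE 'S-1-[0-9]+(-[0-9]+)+' | sort -u | while IFS= read -r sid; do
        case "$sid" in
            "$dom" | "$dom"-*) ;;     # belongs to this domain
            S-1-5-32-*) ;;            # BUILTIN groups such as Administrators
            *) printf '%s\n' "$sid" ;;
        esac
    done
}

# sids_consistent DOMAIN_SID: exit 0 when stdin contains no foreign SID.
sids_consistent() {
    [ -z "$(foreign_sids "$1")" ]
}

# Constructed sample: three group mappings in the format shown in the thread
# and one hypothetical account line carrying the user SID quoted above.
sample_listing() {
    cat <<'EOF'
Domain Admins (S-1-5-21-874179082-3571801642-3889913597-512) -> Domain Admins
Administrators (S-1-5-32-544) -> Administrators
infra (S-1-5-21-874179082-3571801642-3889913597-47827) -> infra
newuser S-1-5-21-4161212321-1980848047-2820993626-3468
EOF
}

# "--demo" runs the check over the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample_listing | foreign_sids S-1-5-21-874179082-3571801642-3889913597
fi
```

Running the same function over an export of the account database after a migration shows every entry that still carries the old domain's prefix.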


Re: [Samba] new user can't log

2009-12-21 Thread Leonardo Carneiro

Hi guys.

I'm still stuck with that user that can't logon. This is what i got with 
some commands:


   fileserver:~# net groupmap list
   Domain Admins (S-1-5-21-874179082-3571801642-3889913597-512) ->
   Domain Admins
   Domain Users (S-1-5-21-874179082-3571801642-3889913597-513) ->
   Domain Users
   Domain Guests (S-1-5-21-874179082-3571801642-3889913597-514) ->
   Domain Guests
   Domain Computers (S-1-5-21-874179082-3571801642-3889913597-515) ->
   Domain Computers
   Administrators (S-1-5-32-544) -> Administrators
   Account Operators (S-1-5-32-548) -> Account Operators
   Print Operators (S-1-5-32-550) -> Print Operators
   Backup Operators (S-1-5-32-551) -> Backup Operators
   Replicators (S-1-5-32-552) -> Replicators
   admfin (S-1-5-21-874179082-3571801642-3889913597-3001) -> admfin
   industrial (S-1-5-21-874179082-3571801642-3889913597-3003) -> industrial
   qualidade (S-1-5-21-874179082-3571801642-3889913597-3019) -> qualidade
   todos (S-1-5-21-874179082-3571801642-3889913597-3023) -> todos
   infra (S-1-5-21-874179082-3571801642-3889913597-47827) -> infra
   diretoria (S-1-5-21-874179082-3571801642-3889913597-17759) -> diretoria
   comercial (S-1-5-21-874179082-3571801642-3889913597-90607) -> comercial
   instalacao (S-1-5-21-874179082-3571801642-3889913597-111769) ->
   instalacao
   atendimento (S-1-5-21-874179082-3571801642-3889913597-68367) ->
   atendimento
   veltrac (S-1-5-21-874179082-3571801642-3889913597-3031) -> software
   hardware (S-1-5-21-874179082-3571801642-3889913597-3021) -> hardware
   mapas (S-1-5-21-874179082-3571801642-3889913597-120591) -> mapas
   importacao (S-1-5-21-874179082-3571801642-3889913597-130555) ->
   importacao
   fileserver:~# net getlocalsid
   SID for domain DOMINIO is: S-1-5-21-874179082-3571801642-3889913597
   fileserver:~# net getdomainsid
   SID for local machine DOMINIO is:
   S-1-5-21-874179082-3571801642-3889913597
   SID for domain DOMINIO is: S-1-5-21-874179082-3571801642-3889913597

Apparently, the domain sid matches with most part of the groups sid. can 
you guys see something wrong here?


*Leonardo de Souza Carneiro*
*Veltrac - Tecnologia em Logística.*
lscarne...@veltrac.com.br 
http://www.veltrac.com.br 
/Fone Com.: (43)2105-5601/
/Av. Higienópolis 1601 Ed. Eurocenter Sl. 803/
/Londrina- PR/
/Cep: 86015-010/



Leonardo Carneiro wrote:
> The database from ldap was a copy from another domain, that existed in
> another network. i've done a slapcat in the old domain and did a
> slapadd in this new one (both domain have the same name). But this
> happened about 2 years ago. After a samba and ldap upgrade via
> apt-get, the duplicated domains message start to pop (about 3 months
> ago). Just now i've solved, but now, this =S.
>
> I'll try some of the stuff you guys suggested me.
>
> tks and sorry for my poor english.
>
> *Leonardo de Souza Carneiro*
> *Veltrac - Tecnologia em Logística.*
> lscarne...@veltrac.com.br
> http://www.veltrac.com.br
> /Fone Com.: (43)2105-5601/
> /Av. Higienópolis 1601 Ed. Eurocenter Sl. 803/
> /Londrina- PR/
> /Cep: 86015-010/
>
> David Whitney wrote:
>> Unless I've blown my memory on Windows internals, each user's SID is
>> comprised of the domain's SID, then a "self-referential" RID portion. That
>> means a user from the domain DOMINIOS should NOT have what amounts to a
>> "prefix" that looks as though it came from a different domain. But unless
>> I'm mistaken, your logs are telling you exactly that - the domain portion of
>> the group and user SID's indicate different domains, and that indicates a
>> problem.
>>
>> One theory is that perhaps your domain was created, groups and users were
>> created, but then for some reason your domain SID changed, and perhaps that
>> led to your described duplicate domain entry (?) problem.
>>
>> Anyway, I'd take a look at the SIDS of other users and groups and see if
>> this problem exists for other users or groups on your domain.
>>
>> -David



[Samba] Issue logging in to Samba Domain (was: Issue Joining Win7 to Samba Domain (tried wiki instructions))

2009-12-21 Thread Moray Henderson
Maciej Czub wrote:
>I have similar problem. I can join to domain but can't log in to user
>account.

Different problem - the others were having trouble joining the domain; you have 
joined but can't log in.

>Samba 3.4.3
>Windows 7 Professional x64
>
>From WinXP workstation everything works great.
>
>> Last time I saw something like this, it was because the client (Win XP)
>> did not have a WINS server set, and couldn’t find the domain.  Can you
>> ping the server from the problem client - by IP address and by name?  Is
>> its firewall blocking any SMB ports?
>
>ping [serwerip] - works OK.
>ping [serverhostname] - works OK.
>
>"ipconfig /all" on workstation displays [domainname] on DNS suffix search
>list.
>I've modified local DNS server configuration (new zone, new A record) to
>handle "[serverhostname].[domainname]" requests.
>
>ping [serverhostname].[domainname] - works OK.
>
>Still - I can't log in to user account.

Have you set:
HKLM\System\CCS\Services\LanmanWorkstation\Parameters
   DWORD  DomainCompatibilityMode = 1
   DWORD  DNSNameResolutionRequired = 0
HKLM\System\CCS\Services\Netlogon\Parameters
   DWORD  RequireSignOrSeal = 1
   DWORD  RequireStrongKey = 1

Do you see anything useful in either Windows' Event Viewer or Samba's 
/var/log/log.smbd?


Moray.
"To err is human.  To purr, feline"





Re: [Samba] Issue Joining Win7 to Samba Domain (tried wiki instructions)

2009-12-21 Thread Moray Henderson
Linda Walsh wrote:
>Moray Henderson wrote:
>> Last time I saw something like this, it was because the client (Win XP)
>> did not have a WINS server set, and couldn’t find the domain.  Can you
>> ping the server from the problem client - by IP address and by name?  Is
>> its firewall blocking any SMB ports?
>---
>
>   FWIW, I checked my Win7 client.  It still has its win server set to
>the Samba PDC.  The PDC has 'smb ports = 139' set to attempt to use the %m
>macro in the config file.  The win7 client currently has firewall set to
>disabled, as it's located on a isolated subnet.

Something to do with the name of the machine?  You said you had to reinstall 
this machine - if Samba thinks it already is a member of the domain, and 
Windows is trying to rejoin, that could confuse it.  Are there any characters 
besides alphanumeric in the name?


Moray.
"To err is human.  To purr, feline"



