Re: [Samba] Listing Domain Local Groups from a Samba Member (NT4 PDC)

2010-07-05 Thread Mark Sheard
Hi Gary,


Sorry for the late response; I was just looking through my spam folder and my
eye caught this one, phew... I have since tweaked my Yahoo mail settings 
and all Samba content is going to a specified Samba folder...


Anyhow, back to your question:

I installed Ubuntu 10.04 and, if I remember, I did the 
"apt-get install samba", which brought this version down...

r...@wfmmon-gbl:~# smbd -version
r...@wfmmon-gbl:~# smbd
r...@wfmmon-gbl:~# smbd --version
Version 3.0.28a
r...@wfmmon-gbl:~#

Mmm, I did change my "/etc/apt/sources.list" to a local server here in Hungary, 
because of my impatience... But I have set it back to default and am currently 
waiting for "apt-get update" to finish..

Seems we might be onto something here. :o)

I will let you know, and thanks for your response!

Regards

M.

--- On Thu, 1/7/10, Guy Rouillier wrote:

> From: Guy Rouillier 
> Subject: Re: [Samba] Listing Domain Local Groups from a Samba Member (NT4 PDC)
> To: samba@lists.samba.org
> Date: Thursday, 1 July, 2010, 0:11
> On 6/30/2010 2:30 AM, Mark Sheard
> wrote:
> > I have Ubuntu version 10.04
> > Samba ver  "3.0.28a-1ubuntu4.12"
> 
> I just did a fresh install of 10.04 x86 32-bit, and smbd
> reports version 3.4.7.  How did you end up with
> 3.0.28?  Try "smbd -version" and see what that
> reports.
> 
> -- Guy Rouillier
> -- To unsubscribe from this list go to the following URL
> and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 


  
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] pam_smbpass.so passdb.tdb support

2010-07-05 Thread John H Terpstra
On 07/05/2010 11:33 PM, kandukuru_sur...@emc.com wrote:
> Dear John T and samba list,
> 
>  Can you please help me to understand following things. I have browsed
> the net , points are not clear to me. 
> 
> 1) What exactly doesn't work with the existing smbpasswd based
> mechanism?
> --
> from
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#i
> d2593073 This form of password backend does not store any of the MS
> Windows NT/200x SAM (Security Account Manager) information required to
> provide the extended controls that are needed for more comprehensive
> interoperation with MS Windows NT4/200x servers.

Here is a comparison of what is stored in smbpasswd v's tdbsam/ldapsam:

Description             smbpasswd   tdbsam/ldapsam
-----------             ---------   --------------
unix username           yes         yes
Unix UID                yes         no
LanManPassword (*)      can         can
NTPassword              yes         yes
NT username             no          yes
Account Flags           yes         yes
User SID                no          yes
Primary Group SID       no          yes
Full Name               no          yes
Home Directory          no          yes
Homedir Drive           no          yes
Logon script            no          yes
Profile Path            no          yes
Domain                  no          yes
Account Description     no          yes
Workstations            no          yes
Munged dial string      no          yes
Logon time              no          yes
Logoff time             no          yes
Password last set       yes (**)    yes
Password can change     no          yes
Password must change    no          yes
Last bad password       no          yes
Bad password count      no          yes
Logon hours             no          yes

Note (*): LanManPassword is obsoleted, is needed only for Windows 9X
clients.

Note (**): The password last set info is represented as LCT time in
smbpasswd.

The information that can not be stored in smbpasswd can be generated
on-the-fly from smb.conf default settings, but it is not possible to
store these on a per-user basis.

> 
> what exactly is the above point? is it the  only  one limitation?. is
> there any other limitations?.please let me know if any other.

Please refer to Microsoft Windows NT4 knowledge-base resource to learn
more of why the tdbsam and ldapsam parameters are important.

> 2) Can we easily convert an existing smbpasswd file to the new format
> and allow system authentication to work uninterrupted?

The smbpasswd file can be migrated to the tdbsam/ldapsam formats by
executing:

pdbedit -i smbpasswd -e tdbsam
or
pdbedit -i smbpasswd -e ldapsam

The reverse is also possible.

- John T.

> Thanks
> Suresh
> 
> -Original Message-
> From: Kandukuru, Suresh 
> Sent: Saturday, July 03, 2010 9:02 PM
> To: 'j...@samba.org'
> Subject: RE: [Samba] pam_smbpass.so passdb.tdb support
> 
> Thanks John, Created bug at
> https://bugzilla.samba.org/show_bug.cgi?id=7546.
> 
> Thanks again.
> Suresh
> 
> -Original Message-
> From: John H Terpstra [mailto:j...@samba.org] 
> Sent: Saturday, July 03, 2010 7:56 PM
> To: Kandukuru, Suresh
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] pam_smbpass.so passdb.tdb support
> 
> On 07/03/2010 08:50 AM, kandukuru_sur...@emc.com wrote:
>> Dear JHT,
>>   Thanks for the quick reply.in
>> http://www.samba.org/samba/history/samba-3.4.0.html .
>> Samba team is recommending to use tdbsam.
> 
> Not just recommending - it is the default now.  The smbpasswd file can
> not contain the information needed to fully support current MS Windows
> clients.  The result is the smbpasswd format storage of MS Windows
> networking credentials has been obsoleted.
> 
>> just wanted to know one thing,
>> from samba 3.4 default backend  has been changed to tdbsam , why for one
>> of the module "pam_smbpass" in samba code is still looking for passwords
>> in smbpasswd?.is there any patch for that?. 
> 
> The pam_smbpasswd module has not been updated because no one has
> contributed the necessary patches.  The tdbsam backend has been
> available since September 2003, so my take on this is that VERY few
> people use pam_smbpasswd.  If more were using it, someone might by now
> have done something about the lack of support for tdbsam (and ldapsam
> for that matter) in the pam_smbpasswd module.
> 
>> will this be removed in higher versions of samba than > 3.4?
> 
> Probably. Why don't you file a bug report on https://bugzilla.samba.org
> ? - that is the only way you might get action on this.
> 
>> I find several people asking the question on net.did not find any
>> answer.anticipating your reply.
> 
> Sorry to disappoint you.
> 
> cheers,
> John T.
> 
>> Configuration changes
>> =
>>
>> !!! ATTENTION !!!
>> The default passdb bac

Re: [Samba] pam_smbpass.so passdb.tdb support

2010-07-05 Thread Kandukuru_Suresh
Dear John T and samba list,

 Can you please help me to understand following things. I have browsed
the net , points are not clear to me. 

1) What exactly doesn't work with the existing smbpasswd based
mechanism?
--
from
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#i
d2593073 This form of password backend does not store any of the MS
Windows NT/200x SAM (Security Account Manager) information required to
provide the extended controls that are needed for more comprehensive
interoperation with MS Windows NT4/200x servers.

what exactly is the above point? is it the  only  one limitation?. is
there any other limitations?.please let me know if any other.

2) Can we easily convert an existing smbpasswd file to the new format
and allow system authentication to work uninterrupted?

Thanks
Suresh

-Original Message-
From: Kandukuru, Suresh 
Sent: Saturday, July 03, 2010 9:02 PM
To: 'j...@samba.org'
Subject: RE: [Samba] pam_smbpass.so passdb.tdb support

Thanks John, Created bug at
https://bugzilla.samba.org/show_bug.cgi?id=7546.

Thanks again.
Suresh

-Original Message-
From: John H Terpstra [mailto:j...@samba.org] 
Sent: Saturday, July 03, 2010 7:56 PM
To: Kandukuru, Suresh
Cc: samba@lists.samba.org
Subject: Re: [Samba] pam_smbpass.so passdb.tdb support

On 07/03/2010 08:50 AM, kandukuru_sur...@emc.com wrote:
> Dear JHT,
>   Thanks for the quick reply.in
> http://www.samba.org/samba/history/samba-3.4.0.html .
> Samba team is recommending to use tdbsam.

Not just recommending - it is the default now.  The smbpasswd file can
not contain the information needed to fully support current MS Windows
clients.  The result is the smbpasswd format storage of MS Windows
networking credentials has been obsoleted.

> just wanted to know one thing,
> from samba 3.4 default backend  has been changed to tdbsam , why for one
> of the module "pam_smbpass" in samba code is still looking for passwords
> in smbpasswd?.is there any patch for that?. 

The pam_smbpasswd module has not been updated because no one has
contributed the necessary patches.  The tdbsam backend has been
available since September 2003, so my take on this is that VERY few
people use pam_smbpasswd.  If more were using it, someone might by now
have done something about the lack of support for tdbsam (and ldapsam
for that matter) in the pam_smbpasswd module.

> will this be removed in higher versions of samba than > 3.4?

Probably. Why don't you file a bug report on https://bugzilla.samba.org
? - that is the only way you might get action on this.

> I find several people asking the question on net.did not find any
> answer.anticipating your reply.

Sorry to disappoint you.

cheers,
John T.

> Configuration changes
> =
> 
> !!! ATTENTION !!!
> The default passdb backend has been changed to 'tdbsam'! That breaks existing
> setups using the 'smbpasswd' backend without explicit declaration! Please use
> 'passdb backend = smbpasswd' if you would like to stick to the 'smbpasswd'
> backend or convert your smbpasswd entries using e.g. 'pdbedit -i smbpasswd -e
> tdbsam'.
> 
> The 'tdbsam' backend is much more flexible concerning per user settings
> like 'profile path' or 'home directory' and there are some commands which do not
> work with the 'smbpasswd' backend at all.
> -
> 
> Thanks
> Suresh
> 
> 
> 
> -Original Message-
> From: samba-boun...@lists.samba.org
> [mailto:samba-boun...@lists.samba.org] On Behalf Of John H Terpstra
> Sent: Saturday, July 03, 2010 6:31 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] pam_smbpass.so passdb.tdb support
> 
> On 07/03/2010 05:29 AM, kandukuru_sur...@emc.com wrote:
>> Hi,
>>
>>   Recently I have installed samba 3.4.8 on  my device. Since  then ftp
>> (vsftp,proftpd)   which is taking users from samba database with
>> pam_smbpass.so is not working. After enabling  detailed log I have
>> noticed it is looking for the passwords in  smbpasswd
>> (/etc/samba/private) which is of zero size . I think all users passwd
>> are located in passwd.tdb.I could fix this by giving "passdb
>> backend=smbpasswd" .
>>
>> somewhere I read smbpasswd is obsolete , and recommended to use tdbsam
>> ..
>>
>> and /etc/pam.d/ftp file is 
>> -
>> r...@storage:/# cat /etc/pam.d/ftp
>> auth       required /lib/security/pam_smbpass.so
>> account    required /lib/security/pam_nologin.so
>> account    required /lib/security/pam_smbpass.so
>> password   required /lib/security/pam_smbpass.so
>> session    required /lib/security/pam_unix.so
>>
>> ---
>>
>> How can I tell pam_smbpass module to use passdb.tdb (tdbsam) .?. Please
>> tell me I have been trying for last 2 days. Did  not find anything.
> 
> You can not do that without changing the pam_smbpasswd code. This module
> specifically operates against the smbpasswd file.
> 
> -John T.



[Samba] Samba4 + OpenLDAP + Dovecot

2010-07-05 Thread Markus Bajones

Hello Samba list.

I have a question for which I am unable to find the answer on the world wide 
web.

My current setup I wish to upgrade is as follows:

OpenLDAP with user account information (names, passwords, etc.) against 
which Linux and Windows clients authenticate.
Cyrus with its own user account information (emails, aliases, passwords, 
etc.).


I want to accomplish a setup which gives me the possibility to store all 
user data in one backend and let all clients authenticate against it.
So my question now is: is it possible to set up a Samba4 domain 
controller with an OpenLDAP backend and extend the user data so that I can 
use Kerberos authentication for my Windows and Linux (Ubuntu and Debian) 
clients and let Dovecot get its authentication information from the same 
LDAP directory?
Also I would like to know if I have to store the user password in more 
than one LDAP field (one for Kerberos and one for Dovecot). If so, how 
can I keep these two passwords in sync?


I am grateful for any hint.

Thanks in advance.
Markus


Re: [Samba] Synchronisation using LDAP

2010-07-05 Thread Ryan Bair
Unfortunately I'm not seeing a similar extension point on s4. I
wouldn't imagine adding one would be too terrible though.

On Mon, Jul 5, 2010 at 3:58 PM, Jorijn Schrijvershof  wrote:
> Hi,
>
> On Jul 5, 2010, at 21:52 :42, Michael Wood wrote:
>
>> No, I don't think so.  From Jorijn's e-mail I thought Google's LDAP
>> server stored in these formats.  Perhaps I misunderstood.
>>
>> I think it depends on which direction the sync is supposed to happen.
>> From google to Samba or the other way or both ways.
>
>
> It is supposed to be sync'ed from samba to google. Google accepts passwords 
> stored in sha1, md5 or plaintext. So I need a way to make samba additionally 
> store these passwords in a separate LDAP attribute. I know there is a DLL for 
> windows so theoretically it would be possible.
>
> --
> Jorijn Schrijvershof
>


Re: [Samba] Transferring PDC responsibility without LDAP

2010-07-05 Thread Michael Deutschmann
On Sat, 19 Jun 2010, I wrote:
> Can anyone answer my original question, which is whether my original
> strategy (use "net rpc getsid" without LDAP, but stop old PDC forever
> before starting the new one) is sound?

After no one answered, last week I decided to just try it and see.

Except for the fact I needed to add a "-S" option to the getsid command
to make it work, it seems to be holding up fine.

 Michael Deutschmann 



Re: [Samba] sambaLogonScript [another] problem

2010-07-05 Thread Miguel Medalha


> But it happens that when I create a new user, the sambaLogonScript 
> entry in the LDAP database is set to %G.bat, exactly the entry I MUST 
> NOT have to load the script. Since I'm expanding my network and tons 
> of new users are coming, I'm trying to keep things very organized. Will I 
> need to change this entry for every new user, or is there a smarter way 
> to do this?




I don't quite understand your problem here. From one of your previous 
posts, I understand that you are using smbldap-tools.
So, upon creating a new user, why don't you add the parameter -E "" to 
smbldap-useradd? See "man smbldap-useradd" for all parameters.


Either way, there are good web front ends to LDAP available, such as:

LAM - LDAP Account Manager
http://www.ldap-account-manager.org/

phpLDAPadmin
http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page

And two programs:

LDAP Admin (a Windows program)
http://ldapadmin.sourceforge.net/index.html

Apache Directory Studio (very complete, runs on several platforms)
http://directory.apache.org/studio/

All of them are worth a try. I use all of them, for different purposes 
and on different occasions.





Re: [Samba] Synchronisation using LDAP

2010-07-05 Thread Jorijn Schrijvershof
Hi,

On Jul 5, 2010, at 21:52 :42, Michael Wood wrote:

> No, I don't think so.  From Jorijn's e-mail I thought Google's LDAP
> server stored in these formats.  Perhaps I misunderstood.
> 
> I think it depends on which direction the sync is supposed to happen.
> From google to Samba or the other way or both ways.


It is supposed to be sync'ed from samba to google. Google accepts passwords 
stored in sha1, md5 or plaintext. So I need a way to make samba additionally 
store these passwords in a separate LDAP attribute. I know there is a DLL for 
windows so theoretically it would be possible.

--
Jorijn Schrijvershof


Re: [Samba] Synchronisation using LDAP

2010-07-05 Thread Michael Wood
On 5 July 2010 18:16, Ryan Bair  wrote:
> It looks like the new sync module also supports SHA1 and MD5 hashed passwords.
>
> "To synchronize passwords from LDAP, you will need an LDAP attribute that 
> stores
> passwords in plain text, MD5 or SHA1 format. "
>
> Not sure if Samba4 stores in these formats or not though...

No, I don't think so.  From Jorijn's e-mail I thought Google's LDAP
server stored in these formats.  Perhaps I misunderstood.

I think it depends on which direction the sync is supposed to happen.
From google to Samba or the other way or both ways.

-- 
Michael Wood 


[Samba] Client Windows accessing Samba Share (krb5/ad2008/winbind)

2010-07-05 Thread Thiago Ferreira
I have a Samba server, it's joined to AD2008, and the commands below
succeed when I test:

# net ads testjoin
Join is OK
# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo -u
# wbinfo -g
# net ads user
# net ads group
# net ads user info administrator
# wbinfo -u
# wbinfo -g

However, I need to open its share on the Windows client (WinXP), but it
doesn't work; it keeps asking for login/password.

Follows the logs:
==> log.___10.215.0.232 <==
[2010/07/05 15:21:55,  3] smbd/oplock.c:init_oplocks(875)
  init_oplocks: initializing messages.
[2010/07/05 15:21:55,  3] smbd/oplock_linux.c:linux_init_kernel_oplocks(241)
  Linux kernel oplocks enabled
[2010/07/05 15:21:55,  3] smbd/process.c:process_smb(1570)
  Transaction 0 of length 137 (0 toread)
[2010/07/05 15:21:55,  3] smbd/process.c:switch_message(1374)
  switch message SMBnegprot (pid 6326) conn 0x0
[2010/07/05 15:21:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LANMAN1.0]
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [Windows for Workgroups 3.1a]
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LM1.2X002]
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LANMAN2.1]
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [NT LM 0.12]
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_nt1(392)
  using SPNEGO
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(673)
  Selected protocol NT LM 0.12
[2010/07/05 15:21:55,  3] smbd/process.c:process_smb(1570)
  Transaction 1 of length 240 (0 toread)
[2010/07/05 15:21:55,  3] smbd/process.c:switch_message(1374)
  switch message SMBsesssetupX (pid 6326) conn 0x0
[2010/07/05 15:21:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/05 15:21:55,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=12 flg2=0xc807
[2010/07/05 15:21:55,  2] smbd/sesssetup.c:setup_new_vc_session(1363)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2010/07/05 15:21:55,  3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2010/07/05 15:21:55,  3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002
5.1] PrimaryDomain=[]
[2010/07/05 15:21:55,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 40
[2010/07/05 15:21:55,  3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xa2088207
[2010/07/05 15:21:55,  3] smbd/process.c:process_smb(1570)
  Transaction 2 of length 358 (0 toread)
[2010/07/05 15:21:55,  3] smbd/process.c:switch_message(1374)
  switch message SMBsesssetupX (pid 6326) conn 0x0
[2010/07/05 15:21:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/05 15:21:55,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=12 flg2=0xc807
[2010/07/05 15:21:55,  2] smbd/sesssetup.c:setup_new_vc_session(1363)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2010/07/05 15:21:55,  3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2010/07/05 15:21:55,  3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002
5.1] PrimaryDomain=[]
[2010/07/05 15:21:55,  3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[thiago.ferreira] domain=[GRANSAPORE] workstation=[TI-09] len1=24
len2=24

==> log.ti-09 <==
[2010/07/05 15:21:55,  3] auth/auth.c:check_ntlm_password(220)
  check_ntlm_password:  Checking password for unmapped user
[gransapore]\[thiago.ferrei...@[ti-09] with the new password interface
[2010/07/05 15:21:55,  3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password:  mapped user is:
[gransapore]\[thiago.ferrei...@[ti-09]
[2010/07/05 15:21:55,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/05 15:21:55,  3] smbd/uid.c:push_conn_ctx(357)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/05 15:21:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/05 15:21:55,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/05 15:21:55,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [thiago.ferreira] ->
[thiago.ferreira] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/07/05 15:21:55,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2010/07/05 15:21:55,  3] smbd/process.c:smbd_process(2068)
  receive_messa

Re: [Samba] Default Hidden Disk Shares

2010-07-05 Thread Gary Dale

On 05/07/10 05:00 AM, Atkinson, Robert wrote:

> Before I reply, please take my response in the light it's meant, which is
> curious interest and intrigue. I'm not and don't want to drag this out into a
> full blown dissemination of Windows security.
>
> The 'admins' directive in the CONF file holds a list of Admin users, and
> gives elevated privileges to those accounts. I'm at a loss to see how this
> differs from also giving root visibility to the same users.
>
> I see this one of two ways. Either there isn't enough faith in the SAMBA code
> to feel that it's a robust secure system (I personally think it is), or
> there's a paranoia amongst the community. Given the way Windows is constantly
> hacked, this second observation may well be indirectly true.
>
> My background is over 20 years administrating an OpenVMS system (THE most
> secure O/S available). The reason I say this is because a single cluster
> could (and does) have hundreds of visible volumes, that change frequently. To
> continually reconfigure the CONF file although not impossible, would be
> somewhat arduous.
>
> As has already been stated, Samba doesn't allow for the automatic 'hidden'
> presentation of these volumes. The product I was using (Pathworks) which
> emulates a Windows NT member server did, and despite some of the posts, it is
> a nice feature to have.
>
> I'm happy to leave it there and work with what's available, or hear people's
> opinions on the above.
>
> Thanks, Robert
> (A Grateful OpenSource Developer and User)

   
You have to remember that Windows was never intended to be an 
enterprise-level OS. It's been evolving but still has a lot of hard to 
remove vestiges of its desktop past. Some of them are hard to remove 
and often date back to a time when MS-DOS ran on 64k machines.


The notion of automatically sharing files may have made some sense way 
back when it was hard enough to get a PC network to even operate, but it 
is a security hole that shouldn't exist. The problem, like many Windows 
problems, is when a bug is old enough it becomes a feature.


No one should need access to the entire file system as a share. In all 
my years looking after Windows servers, I certainly never did. Nor did I 
ever hear anyone have a good reason for doing so. I'm not saying that 
they don't exist, but if you really need to share a file system, Samba 
doesn't stop you from doing it.



[Samba] sambaLogonScript [another] problem

2010-07-05 Thread Leonardo Carneiro - Veltrac
Hi there, I'm having another problem with the Samba logon scripts. Like 
I said in the previous thread, in my smb.conf it is defined that users use 
group-defined logon scripts:


logon script = %G.bat

In the previous thread we also reached the conclusion that when the 
desired logon script of the users matches the logon script defined in 
the smb.conf, I can't have it defined in the LDAP database, otherwise 
the script would not load.


But it happens that when I create a new user, the sambaLogonScript entry 
in the LDAP database is set to %G.bat, exactly the entry I MUST NOT have 
to load the script. Since I'm expanding my network and tons of new users 
are coming, I'm trying to keep things very organized. Will I need to change 
this entry for every new user, or is there a smarter way to do this?


I'm using Samba 3.4.7.

Thanks in advance and sorry for my poor English.
--
Leonardo Carneiro


Re: [Samba] samba Digest, Vol 91, Issue 5

2010-07-05 Thread John . Brookes

Dddd 0d



Re: [Samba] Default Hidden Disk Shares

2010-07-05 Thread Robert LeBlanc
The Windows client will hide any share that ends with a '$' whether or not
it is an administrator share; it doesn't know or care. In this case there
is no difference between hidden and normal because to Windows they are both
hidden. Give it a try sometime.

If you hit the server with a Mac client, it shows all the shares (at least
it used to, I haven't tried in a long time), even the c$, d$, etc. I think
the Linux SMB clients also do the same. So to rely on 'server' to 'hide'
these shares, is a very false sense of security. It's the actual client that
does the hiding from normal users.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University


On Mon, Jul 5, 2010 at 2:43 AM, Atkinson, Robert wrote:

>  Robert, the discussion was around the hidden ‘$’ shares, not normal ones.
>
>
>
> Rob.
>
>
>
> *From:* Robert LeBlanc [mailto:rob...@leblancnet.us]
> *Sent:* 02 July 2010 19:15
> *To:* Atkinson, Robert
> *Cc:* Jeremy Allison; samba@lists.samba.org
>
> *Subject:* Re: [Samba] Default Hidden Disk Shares
>
>
>
> On Fri, Jul 2, 2010 at 2:05 AM, Atkinson, Robert 
> wrote:
>
> Interesting to see you say it's dangerous. The way the Windows version
> works
> is that you have to be part of the Administrator group to be able to see
> them, which I would have thought secure enough?
>
>
>
> This is not true, the share is advertised to anyone who asks. The Windows
> client only hides shares that end with a '$'. By default Windows gives
> access only to administrators (by default), but they are by no means hidden.
>
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
>
>
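
An added example, not from the thread and not Samba code, that turns the point above into a configuration check: it reads an smb.conf and lists shares that are merely hidden (a trailing '$' or `browseable = no`) while nothing restricts who may connect. The sample configuration is constructed, and treating `valid users` / `hosts allow` as the access restriction to look for is an assumption of this sketch.

```python
import re

# Constructed smb.conf for illustration; share names and paths are made up.
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   security = user

[data$]
   path = /srv/data
   read only = no

[archive]
   path = /srv/archive
   browseable = no
   guest ok = yes

[admin$]
   path = /srv/admin
   browseable = no
   valid users = @admins

[public]
   path = /srv/public
"""

SPECIAL_SECTIONS = {"global", "homes", "printers"}
TRUE_VALUES = {"yes", "true", "on", "1"}
# Parameter synonyms folded onto one canonical key.
SYNONYMS = {"browsable": "browseable", "public": "guestok",
            "allowhosts": "hostsallow"}
# Parameters that limit who can connect (assumption of this sketch).
ACCESS_PARAMS = ("validusers", "hostsallow")


def _key(name):
    # Samba ignores case and whitespace inside parameter names.
    key = re.sub(r"\s+", "", name).lower()
    return SYNONYMS.get(key, key)


def parse_smb_conf(text):
    """Return {section name: {canonical parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[_key(name)] = value.strip()
    return sections


def _is_true(params, name, default):
    if name in params:
        return params[name].lower() in TRUE_VALUES
    return default


def audit_hidden_shares(sections):
    """List (share, reason) for shares protected only by being hidden."""
    # Share-level parameters set in [global] act as defaults for every share.
    defaults = next((p for n, p in sections.items() if n.lower() == "global"), {})
    findings = []
    for name, params in sections.items():
        if name.lower() in SPECIAL_SECTIONS:
            continue
        effective = {**defaults, **params}
        hidden = name.endswith("$") or not _is_true(effective, "browseable", True)
        if not hidden:
            continue
        if _is_true(effective, "guestok", False):
            findings.append((name, "hidden, but guest access is allowed"))
        elif not any(effective.get(p) for p in ACCESS_PARAMS):
            findings.append((name, "hidden only: no valid users / hosts allow"))
    return findings


if __name__ == "__main__":
    for share, reason in audit_hidden_shares(parse_smb_conf(SAMPLE_CONF)):
        print(f"{share}: {reason}")
```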


[Samba] samba group members

2010-07-05 Thread Leonardo Carneiro - Veltrac

Hi everyone,

When I add someone to a group using

   smbldap-usermod -G +(groupname) (username)

it does not add the user to the group in the LDAP backend:

   smbldap-groupshow (groupname) | grep memberUid

The new member is not there! I have to manually add the user to 
the groups again. Is this the expected behavior or am I missing something?

--
Leonardo Carneiro


Re: [Samba] Synchronisation using LDAP

2010-07-05 Thread Ryan Bair
It looks like the new sync module also supports SHA1 and MD5 hashed passwords.

"To synchronize passwords from LDAP, you will need an LDAP attribute that stores
passwords in plain text, MD5 or SHA1 format. "

Not sure if Samba4 stores in these formats or not though...

On Mon, Jul 5, 2010 at 3:28 AM, Jorijn Schrijvershof  wrote:
> Hi,
>
> On Mon, Jul 5, 2010 at 9:03 AM, Michael Wood  wrote:
>
>> Hi
>>
>> Sorry, I accidentally did not send my initial reply to the list.
>>
>> I am not sure this will be possible unless you use plain text
>> passwords because I believe Windows uses its own hashing algorithms.
>> I don't know anything about Google's LDAP server/schema, but if you
>> authenticate as an admin user I think you should be able to access the
>> passwords.  You might need to fiddle with the access control settings
>> if you have access to that.
>>
>> --
>> Michael Wood 
>>
>
> Thanks for your reply, I don't mind using plain text passwords, I tend to
> protect the database carefully and synchronisation is a must, since we're
> deploying google apps to all our users. When logging in with the built in
> administrator the passwords attributes seems empty (userPassword,
> unicodePwd, etc.). Any ideas?
>
> --
> Jorijn Schrijvershof


[Samba] Possible to use idmap hash with nss info adex (and have them cooperate not just coexist)

2010-07-05 Thread Trever L. Adams
 I am wanting the auto uid/gid mapping of idmap hash, but the rest of 
the functionality of idmap/nss info adex. I do not know if this is 
possible. Below are my questions.


A few questions about idmap and nss info. I like the idea of idmap_hash. 
I want to use it. However, I would like to use nss info adex. Can these 
two be used together? Or do they conflict somehow? Also, if I have six 
domains (DOM1-DOM7 for simplicity), and they all trust each other. Given 
the definition for the local domain (all 7 on their machines) as:


idmap backend = hash
idmap uid = 1000-40
idmap gid = 1000-40

winbind nss info = adex
winbind normalize names = yes


Would I then do:

idmap config DOM# : backend = ad
idmap config DOM# : range = 1000-40

Or:

idmap config DOM# : backend = hash
idmap config DOM# : range = 1000-40

If the answer is that I must create an idmap_adex_hash, is anyone else 
interested in such a hybrid?


Thank you,
Trever Adams


[Samba] Errors while provisioning Samba4

2010-07-05 Thread Alex
Hi.

I tried to install latest version of Samba4 and failed on provisioning with
the following messages:

 

Adding DomainDN: DC=vegagroup,DC=vega,DC=fcyb,DC=mirea,DC=ru
pdc_fsmo_init: no domain object present: (skip loading of domain details)
Adding configuration container
naming_fsmo_init: no partitions dn present: (skip loading of naming contexts details)
Setting up sam.ldb schema
Reopening sam.ldb with new schema
naming_fsmo_init: no partitions dn present: (skip loading of naming contexts details)
naming_fsmo_init: no partitions dn present: (skip loading of naming contexts details)
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up sam.ldb users and groups
Traceback (most recent call last):
  File "./setup/provision", line 258, in 
    useeadb=eadb, next_rid=opts.next_rid)
  File "bin/python/samba/provision.py", line 1457, in provision
    am_rodc=am_rodc, next_rid=next_rid)
  File "bin/python/samba/provision.py", line 1150, in setup_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass),
  File "bin/python/samba/provision.py", line 344, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "bin/python/samba/__init__.py", line 217, in add_ldif
    self.add(msg,controls)
_ldb.LdbError: (1, 'Operations error (1)')

 

I have no clue how to solve this whatsoever. 

Help me out, please.



Re: [Samba] sambaLogonScript problem [SOLVED]

2010-07-05 Thread Miguel Medalha


> Miguel's tip worked for me. In my smb.conf it's specified that users
> should run "%G.bat", so i removed this attribute ( "smbldap-usermod -E
> "" user" ) and WORKED. This is something that is documented somewhere
> and i missed?


I suspected that this would be the problem because I had already banged 
my head against it when I installed my first Samba PDC a couple of years 
ago :-)


If I remember well, what gave me some hint to the solution was the 
following entry on "The Official Samba 3.5.x HOWTO and Reference Guide":

Current PDF version, paragraph 11.4.4.8: LDAP Special Attributes for 
sambaSamAccounts


«
• sambaHomePath
• sambaLogonScript
• sambaProfilePath
• sambaHomeDrive

These attributes are only stored with the sambaSamAccount entry if the 
values are non-default values.

»

Or online here: 
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2593073


Hence, I removed the entry from the LDAP database and it "magically" 
started working.


It seems to me that it was on version 3.1x at the time and also on 
version 3.2x.
I cannot confirm it with any other version because I never had a 
specific use for that attribute and therefore I never tried it.


I am glad that you solved the problem.
Regards



Re: [Samba] sambaLogonScript problem [SOLVED]

2010-07-05 Thread Leonardo Carneiro - Veltrac


On 07/05/2010 08:21 AM, Leonardo Carneiro - Veltrac wrote:
> On 07/03/2010 12:38 PM, Steve Thompson wrote:
>> On Sat, 3 Jul 2010, Miguel Medalha wrote:
>>> One thing I once noticed was that the Samba account attribute
>>> "sambaLogonScript" must ONLY be set for a user if it DIFFERS from
>>> what is specified in "smb.conf". Otherwise, the script wouldn't run.
>>> I found this with the Samba 3.1x family, I don't know if that still
>>> applies.
>>
>> I am using both Samba 3.0.33 and 3.5.1, and this does not apply to me
>> for both versions. Every user has sambaLogonScript set to the same
>> value as that which appears in smb.conf, and it does get run (using
>> ldapsam).
>>
>> Steve
>
> Hi Steve and Miguel,
>
> This is something that i haven't tried yet, and definitely worth a
> shot. I'll try and comment the results here.

Hello everyone,

Miguel's tip worked for me. In my smb.conf it's specified that users should 
run "%G.bat", so i removed this attribute ( "smbldap-usermod -E "" user" 
) and WORKED. This is something that is documented somewhere and i missed?

It's interesting that this works for me in the 3.4.7 version and does 
not work for Steve in 3.0.33 and 3.5.1 versions.

Anyway, tks to everyone who helped me to solve this riddle, especially to 
Miguel Medalha who gave me the killing tip.




Re: [Samba] sambaLogonScript problem

2010-07-05 Thread Sebastian Abate
On Mon, Jul 5, 2010 at 8:46 AM, Leonardo Carneiro - Veltrac
 wrote:
> On 07/05/2010 08:28 AM, Miguel Medalha wrote:
>>
>> Did you verify that end lines of the scripts are in DOS format (CR+LF)?
>>
>> You can use unix2dos to convert them from Unix format (LF) to DOS format
>> (CR+LF).
>>
>> %G.bat is working correctly for me. Samba PDC over CentOS 5.5 with LDAP
>> back end.
>>
>> Pardon me for being so obvious, but of course your scripts have the exact
>> same name as the groups, don't they?
>>
>> Regards
>> Miguel
>
> Hi Miguel, i doubt that this could be the problem, since when i specify the
> name of the script, it runs OK. And yes, the names of the scripts are ok.
> Tks again.
Check what is the primary group of the users (%G maps to the primary
group only, not any group that the users belong to). Also check which
variable you need to use, %g is the primary group of the Unix user,
and %G is the primary group of the Samba user (they can be different)

-- 
Sebastián Abate
15-3589-7730
sebastianab...@gmail.com


Re: [Samba] sambaLogonScript problem

2010-07-05 Thread Leonardo Carneiro - Veltrac

On 07/05/2010 08:28 AM, Miguel Medalha wrote:
> Did you verify that end lines of the scripts are in DOS format (CR+LF)?
>
> You can use unix2dos to convert them from Unix format (LF) to DOS
> format (CR+LF).
>
> %G.bat is working correctly for me. Samba PDC over CentOS 5.5 with
> LDAP back end.
>
> Pardon me for being so obvious, but of course your scripts have the
> exact same name as the groups, don't they?
>
> Regards
> Miguel

Hi Miguel, i doubt that this could be the problem, since when i specify 
the name of the script, it runs OK. And yes, the names of the scripts 
are ok. Tks again.



Re: [Samba] sambaLogonScript problem

2010-07-05 Thread Leonardo Carneiro - Veltrac

On 07/03/2010 12:38 PM, Steve Thompson wrote:
> On Sat, 3 Jul 2010, Miguel Medalha wrote:
>> One thing I once noticed was that the Samba account attribute
>> "sambaLogonScript" must ONLY be set for a user if it DIFFERS from
>> what is specified in "smb.conf". Otherwise, the script wouldn't run.
>> I found this with the Samba 3.1x family, I don't know if that still
>> applies.
>
> I am using both Samba 3.0.33 and 3.5.1, and this does not apply to me
> for both versions. Every user has sambaLogonScript set to the same
> value as that which appears in smb.conf, and it does get run (using
> ldapsam).
>
> Steve

Hi Steve and Miguel,

This is something that i haven't tried yet, and definitely worth a 
shot. I'll try and comment the results here.



Re: [Samba] sambaLogonScript problem

2010-07-05 Thread Leonardo Carneiro - Veltrac

On 07/03/2010 12:22 PM, Chris Smith wrote:
> On Sat, Jul 3, 2010 at 10:10 AM, Leonardo Carneiro - Veltrac wrote:
>> I'm having trouble in deploying by group sambaLogonScript.
>>
>> My scripts consist only in mapping network folders.
>>
>> I'm using Samba 3.4.7. Is there a way to debug this? The logs do not show
>> anything about the logon scripts.
>>
>> All my users are set with "%G.bat" in the ldap backend, but the vast
>> majority of the users are not running the scripts, or running partially.
>
> First debugging step, if you haven't done this already, would be to
> verify a specifically named logon script, that is one that doesn't use
> a variable, such as "testlogon.cmd" runs properly.
>
> Chris

Hi Chris, tks for your answer.

I've already done that, and it works. In fact, that's the way it used to 
work, but i want to keep the things a little more organized, so i'm 
trying to setup by groups.



[Samba] Preserve create/modify dates and attributes in samba

2010-07-05 Thread Derek Lewis
I have configured Samba 3.4.7 with extended attributes enabled to preserve
file create/modify dates.

I went ahead and tried to map a network drive, and successfully copied a
file over to samba, though the create date is set to the modified date on
the copy.

For my /etc/fstab, I have set the following options set for a ext4
filesystem: auto,relatime,errors=remount-ro,user_xattr

Do I have to change the default kernel configuration for Ubuntu 10.04 or
apply a patch to the filesystem to get extended attributes to work?  Do I
have to upgrade to Samba 3.5?

Derek



[Samba] Migrate windows 200 AD to Samba / LDAP

2010-07-05 Thread Arnaud BLONDEL - Alter Way Solutions

hi,

I want to migrate from Active Directory (Windows 2000 server) to Samba / 
LDAP (Ubuntu 10.4 LTS)


I followed these steps :

- Install Ubuntu 10.4 as BDC of the domain
- set SSID in Samba
- use net vampire process to extract information of AD
- Stop Windows 2000 server
- Restart Samba as PDC of the domain.

Now, Windows clients were unable to connect to my domain.
Have I to pass client in WORKGROUP and add to my domain ?

I would like it to be transparent for computers, is it possible or I 
have to configure all computers again ?


Any idea ?


Re: [Samba] Default Hidden Disk Shares

2010-07-05 Thread Atkinson, Robert
Before I reply, please take my response in the light it's meant, which is
curious interest and intrigue. I'm not and don't want to drag this out into a
full blown dissemination of Windows security.


The 'admins' directive in the CONF file holds a list of Admin users, and
gives elevated privileges to those accounts. I'm at a loss to see how this
differs from also giving root visibility to the same users.

I see this one of two ways. Either there isn't enough faith in the SAMBA code
to feel that it's a robust secure system (I personally think it is), or
there's a paranoia amongst the community. Given the way Windows is constantly
hacked, this second observation may well be indirectly true.

My background is over 20 years administrating an OpenVMS system (THE most
secure O/S available). The reason I say this is because a single cluster
could (and does) have hundreds of visible volumes, that change frequently. To
continually reconfigure the CONF file although not impossible, would be
somewhat arduous.

As has already been stated, Samba doesn't allow for the automatic 'hidden'
presentation of these volumes. The product I was using (Pathworks) which
emulates a Windows NT member server did, and despite some of the posts, it is
a nice feature to have.

I'm happy to leave it there and work with what's available, or hear people's
opinions on the above.

Thanks, Robert
(A Grateful OpenSource Developer and User)



-----Original Message-----
From: Jeremy Allison [mailto:j...@samba.org] 
Sent: 02 July 2010 17:34
To: Atkinson, Robert
Cc: Jeremy Allison; samba@lists.samba.org
Subject: Re: [Samba] Default Hidden Disk Shares

On Fri, Jul 02, 2010 at 09:05:52AM +0100, Atkinson, Robert wrote:
> Interesting to see you say it's dangerous. The way the Windows version works
> is that you have to be part of the Administrator group to be able to see
> them, which I would have thought secure enough?

Sure, we could make it a root-only export. The problem is,
if we have a security issue (and these have been known to
happen from time to time), you've exported your entire
filesystem out *without a way to turn it off*. That's
the problem with doing it by default.

> Who would I contact to request this as a feature enhancement?

Just add the relevant share to your smb.conf files.

Jeremy.

***
Any opinions expressed in email are those of the individual and not necessarily 
those of the company. This email and any files transmitted with it are 
confidential and solely for the use of the intended recipient or entity to whom 
they are addressed. It may contain material protected by attorney-client 
privilege. If you are not the intended recipient, or a person responsible for 
delivering to the intended recipient, be advised that you have received this 
email in error and that any use is strictly prohibited.

Random House Group + 44 (0) 20 7840 8400
http://www.randomhouse.co.uk
http://www.booksattransworld.co.uk 
http://www.kidsatrandomhouse.co.uk
Generic email address - enquir...@randomhouse.co.uk

Name & Registered Office:
THE RANDOM HOUSE GROUP LIMITED
20 VAUXHALL BRIDGE ROAD
LONDON
SW1V 2SA
Random House Group Ltd is registered in the United Kingdom with company No. 
00954009, VAT number 102838980
***



Re: [Samba] Default Hidden Disk Shares

2010-07-05 Thread Atkinson, Robert
Robert, the discussion was around the hidden '$' shares, not normal ones.

Rob.

From: Robert LeBlanc [mailto:rob...@leblancnet.us] 
Sent: 02 July 2010 19:15
To: Atkinson, Robert
Cc: Jeremy Allison; samba@lists.samba.org
Subject: Re: [Samba] Default Hidden Disk Shares

On Fri, Jul 2, 2010 at 2:05 AM, Atkinson, Robert wrote:

> Interesting to see you say it's dangerous. The way the Windows version works
> is that you have to be part of the Administrator group to be able to see
> them, which I would have thought secure enough?

This is not true, the share is advertised to anyone who asks. The Windows
client only hides shares that end with a '$'. By default Windows gives access
only to administrators (by default), but they are by no means hidden.


Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
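
The point made in this thread is that a trailing '$' only keeps a share out of the client's browse list, so access control has to come from the share definition itself. The following is an added example, not code from the thread or from the Samba project: a Python audit of smb.conf text that flags '$' shares with no "valid users" list or with guest access. The share names, paths and the @admins group in the sample are constructed.

```python
import configparser

# Constructed sample configuration (share names, paths and group are made up).
SAMPLE_SMB_CONF = """\
[global]
workgroup = EXAMPLE
security = user

[vol1$]
comment = restricted by an explicit access list
path = /srv/vol1
valid users = @admins
browseable = no

[vol2$]
comment = relies on the trailing dollar sign alone
path = /srv/vol2
read only = no

[scratch$]
path = /srv/scratch
Guest OK = yes
"""

# Sections that are not ordinary file shares.
SPECIAL_SECTIONS = {"global", "homes", "printers"}


def _normalize(name):
    # smb.conf parameter names ignore case and whitespace.
    return "".join(name.split()).lower()


def _is_true(value):
    return value.strip().lower() in {"yes", "true", "on", "1"}


def audit_dollar_shares(conf_text):
    """Return {share: [problems]} for '$' shares that depend on being hidden."""
    parser = configparser.ConfigParser(
        interpolation=None,            # '%' is used by smb.conf macros such as %U
        strict=False,                  # tolerate repeated sections and options
        delimiters=("=",),
        comment_prefixes=("#", ";"),
    )
    parser.optionxform = _normalize
    parser.read_string(conf_text)

    # Share-level parameters set in [global] act as defaults for every share.
    defaults = next(
        (parser[s] for s in parser.sections() if s.lower() == "global"), {}
    )

    findings = {}
    for section in parser.sections():
        if section.lower() in SPECIAL_SECTIONS or not section.endswith("$"):
            continue
        share = parser[section]

        def lookup(key):
            return share.get(key) or defaults.get(key) or ""

        problems = []
        if not lookup("validusers").strip():
            problems.append("no 'valid users' list: any authenticated user may connect")
        # 'public' is a synonym for 'guest ok'.
        if _is_true(lookup("guestok") or lookup("public") or "no"):
            problems.append("guest ok set: no password required to connect")
        if problems:
            findings[section] = problems
    return findings


if __name__ == "__main__":
    for share, problems in audit_dollar_shares(SAMPLE_SMB_CONF).items():
        for problem in problems:
            print(f"[{share}] {problem}")
```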


[Samba] SMB Trans2 Response and STATUS_OBJECT_NAME_NOT_FOUND

2010-07-05 Thread masetto
Good Morning,

let me explain the problem:

i need to establish a connection with a Windows host (Windows 7) via
smbclient (from ubuntu linux), to run a script which needs to get some file
information (e.g. size, version, etc.). Connection and authentication work
perfectly. From linux, i can execute the following command:

smb: \> allinfo test.txt
altname: test.txt
create_time:Thu 01 Jul 2010 11:06:30 AM CEST CEST
access_time:Thu 01 Jul 2010 11:06:30 AM CEST CEST
write_time: Thu 01 Jul 2010 11:06:30 AM CEST CEST
change_time:Thu 01 Jul 2010 12:12:07 PM CEST CEST
stream: [::$DATA], 0 bytes

response from Windows: 20 bytes (data_len within cli_qpathinfo_alt_name())

But, when i try to do the same thing on another file (let's say
Windows\twain.dll or any other exe or dll) i got:

smb: \Windows\> allinfo twain.dll
ERRSRV - ERRerror (Non-specific error code.) getting alt name for
\Windows\twain.dll

response from Windows: 0 bytes (?)

Wireshark says:
SMB - Trans2 Request, QUERY_PATH_INFO, Query File Alt Name Info,
Path:\Windows\twain.dll
SMB - Trans2 Response, QUERY_PATH_INFO, Error: STATUS_OBJECT_NAME_NOT_FOUND
(0xc034)

However, for the same file, the GET command works without any problem. It
looks like i've an issue on Windows :/


[Samba] windows 7 samba domain

2010-07-05 Thread Ufficiotecnico Acknow Srl

Hi,
I successfully joined five windows 7 clients to a samba (version 
3-3.2.15-40) domain with passdb backend = tdbsam. The client works 
correctly (user domain, network share, printers etc). After 2 weeks the 
client does not access the domain, with this error: the trust 
relationship between this workstation and the primary domain failed. To 
resolve it I remove the client from the domain and join again; the problem 
reappears after a few days.
I read in a forum that it could be a cache password problem related to 
nscd; now I have disabled the nscd service and enabled winbind.
I have also modified add machine script with /usr/sbin/useradd -g 
machines -c"client pc" -s /bin/false -M %u && nscd -i passwd && sleep 2s



*My smb.conf* with samba samba3-3.2.15-40.suse101
workgroup = DOMAIN
netbios name = MASTERGS
obey pam restrictions = No
logon script = scripts\%U.bat
logon path = \\MASTERGS\profiles\%U
logon home = \\MASTERGS\%U
logon drive = Z:
domain logons = Yes
domain master = Yes
guest account = nobody
time server = Yes
preferred master = yes
wins support = yes
os level = 44
passdb backend = tdbsam
security = user
smb ports = 139 445
server string = %h server (Samba, Suse)
username map = /etc/samba/smbusers
name resolve order = wins bcast bind hosts
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
veto oplock files = /*.pdf/*.PST/*.odb/*.ott/*.ods/*.odt/*.sxw/*.doc/
veto files = /*.mp3/ /*.wav/ /*.mpeg/ /*.avi/ /*.nbu /*.tmp /*.TMP
host msdfs = No
show add printer wizard = yes
# Useradd scripts ###
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -g machines -c"client pc" -s /bin/false -M %u && nscd -i passwd && sleep 2s


idmap uid = 15000-2
idmap gid = 15000-2

passwd program = /usr/bin/passwd %u
passwd chat = *Inserisci\snuova\sUNIX\spassword:* %n\n *Conferma\snuova\sUNIX\spassword:* %n\n .

passwd chat debug = yes
unix password sync = no
# set the loglevel
log level = 1
log file = /var/log/samba/%m.log
###
[homes]
comment = Directory Privata
path = /home/samba/private/%S
valid users = %S
read only = No
browseable = No
[netlogon]
comment = NLService
path = /home/samba/netlogon
guest ok = Yes
browseable = No

[profiles]
comment = Roaming Profiles
path = /home/samba/profiles
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
force user = %U
valid users = %U "Domain Admins"
read only = No
profile acls = Yes
hide files = /DESKTOP.INI/desktop.ini/Desktop.ini


*/etc/nsswitch.conf*
passwd: compat
group:  compat

hosts:  files dns
networks:   files dns

services:   files
protocols:  files
rpc:files
ethers: files
netmasks:   files
netgroup:   files nis
publickey:  files

bootparams: files
automount:  files nis
aliases:files


*Windows 7 reg modification*
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:
"DomainCompatibilityMode"=dword:0001


*Error in client.log *
rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting 
auth request from clientPCCLIENT machine account PCCLIENT$


Thanks



Re: [Samba] pam_smbpass.so passdb.tdb support

2010-07-05 Thread Ryan Novosielski

On 07/03/2010 10:25 AM, John H Terpstra wrote:
> On 07/03/2010 08:50 AM, kandukuru_sur...@emc.com wrote:
>> Dear JHT,
>>   Thanks for the quick reply.in
>> http://www.samba.org/samba/history/samba-3.4.0.html .
>> Samba team is recommending to use tdbsam.
> 
> Not just recommending - it is the default now.  The smbpasswd file can
> not contain the information needed to fully support current MS Windows
> clients.  The result is the smbpasswd format storage of MS Windows
> networking credentials has been obsoleted.
> 
>> just wanted to know one thing,
>> from samba 3.4 default backend  has been changed to tdbsam , why for one
>> of the module "pam_smbpass" in samba code is still looking for passwords
>> in smbpasswd?.is there any patch for that?. 
> 
> The pam_smbpasswd module has not been updated because no one has
> contributed the necessary patches.  The tdbsam backend has been
> available since September 2003, so my take on this is that VERY few
> people use pam_smbpasswd.  If more were using it, someone might by now
> have done something about the lack of support for tdbsam (and ldapsam
> for that matter) in the pam_smbpasswd module.

I was using it, and was somewhat disappointed to lose it when I had to
switch to tdbsam, but by that time it had become much less important to
share Windows and UNIX credentials on the same system.

- -- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark

Re: [Samba] Synchronisation using LDAP

2010-07-05 Thread Jorijn Schrijvershof
Hi,

On Mon, Jul 5, 2010 at 9:03 AM, Michael Wood  wrote:

> Hi
>
> Sorry, I accidentally did not send my initial reply to the list.
>
> I am not sure this will be possible unless you use plain text
> passwords because I believe Windows uses its own hashing algorithms.
> I don't know anything about Google's LDAP server/schema, but if you
> authenticate as an admin user I think you should be able to access the
> passwords.  You might need to fiddle with the access control settings
> if you have access to that.
>
> --
> Michael Wood 
>

Thanks for your reply, I don't mind using plain text passwords, I tend to
protect the database carefully and synchronisation is a must, since we're
deploying google apps to all our users. When logging in with the built in
administrator the password attributes seem empty (userPassword,
unicodePwd, etc.). Any ideas?

-- 
Jorijn Schrijvershof


Re: [Samba] Synchronisation using LDAP

2010-07-05 Thread Michael Wood
Hi

Sorry, I accidentally did not send my initial reply to the list.

On 5 July 2010 08:26, Jorijn Schrijvershof  wrote:
> On Fri, Jul 2, 2010 at 3:53 PM, Michael Wood  wrote:
>>
>> For a start just try:
>> $ ldapsearch -x -h localhost
>>
>> That should print out a whole bunch of stuff.
>>
>> You can also restrict your search to a certain part of the tree like this:
>>
>> $ ldapsearch -x -h localhost -b CN=Users,DC=samba,DC=example,DC=com
>>
>> (assuming your realm is samba.example.com.)
>>
>> And if you just want their Windows login name, try:
>>
>> $ ldapsearch -x -h localhost -b CN=Users,DC=samba,DC=example,DC=com
>> sAMAccountName
>>
>> If you want to try authenticating to the LDAP server, try:
>>
>> ldapsearch -x -h localhost -b CN=Users,DC=samba,DC=example,DC=com -D
>> CN=Administrator,CN=Users,DC=samba,DC=example,DC=com -W sAMAccountName
>>
>> or like this:
>>
>> $ sudo apt-get install libsasl2-modules-gssapi-heimdal
>> (or libsasl2-modules-gssapi-mit)
>> $ kinit Administrator
>> $ ldapsearch -Y gssapi -h localhost -b
>> CN=Users,DC=samba,DC=example,DC=com sAMAccountName
>>
>> I hope that helps.
>
> Thank you all, this helped a lot. I am able to connect and browse the
> internal ldap server now. Now for the passwords;
> Google supports sha1, md5 and plaintext passwords during synchronisation,
> where are these located, and if not supported, how to make them supported?
> Thanks a lot :-)

I am not sure this will be possible unless you use plain text
passwords because I believe Windows uses its own hashing algorithms.
I don't know anything about Google's LDAP server/schema, but if you
authenticate as an admin user I think you should be able to access the
passwords.  You might need to fiddle with the access control settings
if you have access to that.

-- 
Michael Wood 