Re: [Samba] winbind and group permissions

2011-01-03 Thread Bob Miller
Gaiseric,
thank you sooo much for the reply
I will make comments inline:

On Mon, 2011-01-03 at 20:06 -0500, Gaiseric Vandal wrote:
> Winbind is used for allowing unix things like file system access, getent
> passwd and getent group to handle windows users (windows users and groups
> get unix uid's and gid's allocated.)

To say this another way; getent maps users/groups and their respective
uids/gids/sids, winbind is what determines if those uids/gids have
permission to do what is being requested?

> I don't use winbind to login to a
> unix system as a windows user but I do use it to allow the unix file system
> on a samba server to handle file perms for windows users.  Winbind would
> have nothing to do with subnet issues.

So wbinfo commands are not affected by working across a vpn...

> WINS (Windows Internet Naming Service, or something like that) is really
> useful for having a windows client (e.g. an  XP machine) find a Windows
> server (a Samba server or a real Windows server)-   this is really useful
> when subnet issues are involved, and actually a WINS server should be a
> standard item even on a local network.

Understood and agreed, I always enable wins server even on the simplest
samba installs.

> Depending on your VPN, your
> "remote" client may have a virtual NIC on the "office" LAN.   

The VPN is an openswan site-to-site tunnel.  I have just spent the last
hour or two checking, double-checking, re-double-checking,
triple-checking, and re-triple-checking that everything is in order.
All traffic from several different protocols are travelling in both
directions without restriction.  I never say never with networks and
computers, but I am quite certain this is not the problem.

> The big problem I found with Samba member servers and winbind was that the
> "Windows" user on a member server might have a unix uid or gid that is not
> consistent with the PDC or other member servers.   But this doesn't seem to
> be your problem. 

As I understand it, having a map be consistent across multiple samba
servers is required in the case of BDCs and PDCs, where a BDC may be
required to authorize a user on behalf of the PDC.  In that case, the
BDC must have the same info as the PDC else a user may end up with
different access to different files depending on which member server it
connects to.  I also understand it to be that using ldap will nicely
work around this problem.  
In my case, there is only one PDC, and my member server is purely a
client that is not going to share anything, so as I understand it, that
is not a concern here.

> 
> Can you post your smb.conf section for the idmap settings?  

Very gladly, and anything else you think might be useful to look at:

This is from the PDC (debian - samba=3.5.6):
;winbind
idmap backend = tdb
idmap uid = 15000-2
idmap gid = 15000-2
;winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
template homedir =
template shell = /bin/false

This is from the DMC (ubuntu - samba=3.4.7):

;Workstation Settings
idmap backend = tdb
idmap uid = 15000-2
idmap gid = 15000-2
wins server = 192.168.150.10
;winbind use default domain = yes
winbind enum groups = yes
winbind enum users = yes
password server = 192.168.150.10
template shell = /bin/bash 
template homedir = /home/%D/%U 

Some notes: I did have it set up more like your file at first, using
idmap config instead of idmap alloc.  Two days ago I read every line of
the man page, and set it up without the idmap config, and instead used
the plain idmap parameters.  It seemed to me that this was a better
implementation of the 'Keep It Simple' principle.
I read a post that suggested that if the uid and gid idmap were not "all
encompassing" enough that groups and users would not get displayed.  I
have increased the range and moved the winbind_cache.tdb and
idmap_cache.tdb to create new ones, but no joy. 
I have commented the default domain directive so as to tell whether
wbinfo -u is returning a local user or a domain user.  
As far as I know all other winbind settings are default values.
I can make the rest of the file available and other stuff as well.

> The syntax for
> samba 3.0.x, 3.2.x, 3.3.x, and 3.4.x varies.   The docs on samba.org may not
> be current so you should check man pages for idmap_tdb etc.   Some versions
> may let you spec "idmap uid =- " and "idmap gid =-" 
> 
> 
> I have the following entry (samba 3.4.x with LDAP backend)-  
> 
> idmap alloc backend = ldap
> idmap alloc config:ldap_url = ldap://ldapserver1.mydomain.com
> idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
> idmap alloc config:ldap_user_dn = cn=xx
> idmap alloc config:range = 5 - 7
> 
> 
> 
> I have some issues with getting new id's allocated, but if you have users
> working but not groups , at least winbind allocation is generally working. 

I spent a considerable amount of time investigating the possibi

[Samba] %N 3.0.28 on centos/rhel 4.7 (wanting to split up the profile shares to multiple servers)

2011-01-03 Thread Jason Pyeron
I am having a hard time finding documentation on the %N construct.

I have /etc/auto.master loading /etc/auto.smb and in /etc/auto.smb it reads
username-fstype-smb,username=accountant ://otherhost/username

In the log file I get:

'/home/username' does not exist or ... Error was No such file or directory


I am trying to move certain users' profiles to another server for load
distribution. Am I going about this wrong or where do I get more information
on making %N work for me.

-Jason

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] authentication using both ADS and smbpasswd

2011-01-03 Thread Smith, Cathy
Hi

My Samba configuration uses ADS for user authentication.  I have a request to 
grant users access who are not members of ADS.  Is it possible to set up both 
smbpasswd and ADS authentication?  I've looked through the archives without any 
success.  If Samba 3.0 doesn't support this, can someone tell me how they have 
resolved this situation?

Thank you for your help.


Regards,


Cathy
---
Cathy L. Smith
IT Engineer
Pacific Northwest National Laboratory

Phone:  509.375.2687
Fax:    509.375.2330
Email: cathy.sm...@pnl.gov





Re: [Samba] winbind and group permissions

2011-01-03 Thread Gaiseric Vandal
Winbind is used for allowing unix things like file system access, getent
passwd and getent group to handle windows users (windows users and groups
get unix uid's and gid's allocated.)  I don't use winbind to login to a
unix system as a windows user but I do use it to allow the unix file system
on a samba server to handle file perms for windows users.  Winbind would
have nothing to do with subnet issues.


WINS (Windows Internet Naming Service, or something like that) is really
useful for having a windows client (e.g. an  XP machine) find a Windows
server (a Samba server or a real Windows server)-   this is really useful
when subnet issues are involved, and actually a WINS server should be a
standard item even on a local network.  Depending on your VPN, your
"remote" client may have a virtual NIC on the "office" LAN.   

The big problem I found with Samba member servers and winbind was that the
"Windows" user on a member server might have a unix uid or gid that is not
consistent with the PDC or other member servers.   But this doesn't seem to
be your problem. 

Can you post your smb.conf section for the idmap settings?  The syntax for
samba 3.0.x, 3.2.x, 3.3.x, and 3.4.x varies.   The docs on samba.org may not
be current so you should check man pages for idmap_tdb etc.   Some versions
may let you spec "idmap uid =- " and "idmap gid =-" 


I have the following entry (samba 3.4.x with LDAP backend)-  

idmap alloc backend = ldap
idmap alloc config:ldap_url = ldap://ldapserver1.mydomain.com
idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
idmap alloc config:ldap_user_dn = cn=xx
idmap alloc config:range = 5 - 7



I have some issues with getting new id's allocated, but if you have users
working but not groups , at least winbind allocation is generally working.  




-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Bob Miller
Sent: Monday, January 03, 2011 5:13 PM
To: samba@lists.samba.org
Subject: [Samba] winbind and group permissions

Hello,

I have spent the last week and a bit searching google and reading
documentation trying to get this figured.  At this point, I have read
the same things so many times, I am not even sure I would notice the
answer any more; time to ask for some help.  
Having gone through what seems like hundreds of posts, I have begun to
see where the problem gets lost in the information provided when posts
are really large.  To this end, I will try to keep this as short as
possible by not posting all my configs and logs (though I can certainly
make all of that available).  It takes considerable time to go through
everything and I don't expect anyone to do that, so I am not looking for
someone to review every config file and log entry, but I am hoping
someone can say what they have done to troubleshoot similar
situations.  

The situation:
I have a network of ~50 XP machines all authenticating to a Samba PDC.
This has been working without flaw for the last two years.  There are
three shares; a public one that all users have access to, individual
shares for each user that can only be accessed by the user, and a
departmental share that contains folders that are governed by group
ownerships.  The PDC runs debian, and has samba 3.5.6 installed, and the
XP workstations all seem to be working as expected.  I am not using
ldap.

The goal:
More computers are required, so we have been going through the retired
computers and pulling out a number of them that are suitable for running
ubuntu.  We need these ubuntu machines to authenticate against the PDC,
and the shares should be mounted automatically on login.

The added challenge:
Since the office where the LAN exists is closed over the holiday break
and there are no existing ubuntu workstations on that LAN, I am forced
to get the test ubuntu workstation to work over a vpn.  This is soon a
requirement anyway, but for the time being, I cannot remove the vpn from
the mix.  I do have ssh access to the Samba PDC, and can vnc to windows
workstations inside the network.  Given that the vast majority of
everything seems to be working, I am doubtful the vpn is the problem,
however it must be mentioned in the name of giving a complete picture...

The path I have followed:
Documentation has me understanding that in order to authenticate across
different subnets or as a DMS or DMC, winbind is the answer.  I have
configured winbind as per the online Samba 3 documentation.  There are
also a prolific number of tutorials on the web that I have consulted,
though most of them seem to be geared towards having an MS ADS instead
of a Samba PDC.  
On the PDC, I have modified the nsswitch.conf file to have passwd and
group use compat winbind (tried file winbind too, same effect).  I have
also configured in there the hosts entry to use wins.  
On the ubuntu workstation, I have done the same with the nsswitch.conf
file, and I have modified the pam.d/comm

[Samba] winbind and group permissions

2011-01-03 Thread Bob Miller
Hello,

I have spent the last week and a bit searching google and reading
documentation trying to get this figured.  At this point, I have read
the same things so many times, I am not even sure I would notice the
answer any more; time to ask for some help.  
Having gone through what seems like hundreds of posts, I have begun to
see where the problem gets lost in the information provided when posts
are really large.  To this end, I will try to keep this as short as
possible by not posting all my configs and logs (though I can certainly
make all of that available).  It takes considerable time to go through
everything and I don't expect anyone to do that, so I am not looking for
someone to review every config file and log entry, but I am hoping
someone can say what they have done to troubleshoot similar
situations.  

The situation:
I have a network of ~50 XP machines all authenticating to a Samba PDC.
This has been working without flaw for the last two years.  There are
three shares; a public one that all users have access to, individual
shares for each user that can only be accessed by the user, and a
departmental share that contains folders that are governed by group
ownerships.  The PDC runs debian, and has samba 3.5.6 installed, and the
XP workstations all seem to be working as expected.  I am not using
ldap.

The goal:
More computers are required, so we have been going through the retired
computers and pulling out a number of them that are suitable for running
ubuntu.  We need these ubuntu machines to authenticate against the PDC,
and the shares should be mounted automatically on login.

The added challenge:
Since the office where the LAN exists is closed over the holiday break
and there are no existing ubuntu workstations on that LAN, I am forced
to get the test ubuntu workstation to work over a vpn.  This is soon a
requirement anyway, but for the time being, I cannot remove the vpn from
the mix.  I do have ssh access to the Samba PDC, and can vnc to windows
workstations inside the network.  Given that the vast majority of
everything seems to be working, I am doubtful the vpn is the problem,
however it must be mentioned in the name of giving a complete picture...

The path I have followed:
Documentation has me understanding that in order to authenticate across
different subnets or as a DMS or DMC, winbind is the answer.  I have
configured winbind as per the online Samba 3 documentation.  There are
also a prolific number of tutorials on the web that I have consulted,
though most of them seem to be geared towards having an MS ADS instead
of a Samba PDC.  
On the PDC, I have modified the nsswitch.conf file to have passwd and
group use compat winbind (tried file winbind too, same effect).  I have
also configured in there the hosts entry to use wins.  
On the ubuntu workstation, I have done the same with the nsswitch.conf
file, and I have modified the pam.d/common-auth and pam.d/common-account
files to use winbind.  I have installed pam_mount for the auto-mounting
part and modified the pam.d files accordingly.

What works and what doesn't:
On the ubuntu workstation, I can log into gdm using my domain
credentials.  pam_mount successfully mounts the shares as expected.
However, when I try to access the folders in the departmental share that
are governed by group permissions, I am denied access.  At this point, I
do not log out of gdm on the workstation reliably either, but that is
not the problem I am working on at the moment.
On the workstation and PDC, it seems I can successfully use all wbinfo
commands except -g (ie, wbinfo -t, -a, -G, -Y, -S, -s, -n, etc all work
as expected).

my troubleshooting so far:
On the ubuntu workstation, I can issue wbinfo -u and I get expected
results like DOM\user.name, and I get as many as I expect to get.
However, wbinfo -g returns nothing, no error and no groups.  getent
passwd returns contents of the local password folder and the list of DOM
\user.names as expected.  getent group returns only the contents
of /etc/group.
When I su to my domain user, it tells me it cannot get the names of my
groups, yet I can use wbinfo to retrieve this information:

r...@test1:~# su - DOM\\bob.miller
reenter password for pam_mount:
groups: cannot find name for group ID 15004
groups: cannot find name for group ID 15005
groups: cannot find name for group ID 15006
dom\bob.mil...@test1:~$ i=$(wbinfo -G 15004); wbinfo -s $i
DOM\accpac 4
dom\bob.mil...@test1:~$ i=$(wbinfo -G 15005); wbinfo -s $i
DOM\public 4
dom\bob.mil...@test1:~$ i=$(wbinfo -G 15006); wbinfo -s $i
DOM\it 4

Permissions on the workstation are like so:

dom\bob.mil...@test1:~/Departments$ ls -al
d---rws--- 14 DOM\bob.miller DOM\none0 2010-12-29 13:22 Finance
d---rws---  9 DOM\bob.miller DOM\none0 2010-12-14 15:24 IT

and permissions on the server are like so:

d---rws--- 14 root accpac 4096 2010-12-29 13:22 Finance
d---rws---  9 root it 4096 2010-12-14 15:24 IT

On the PDC, wbinfo -u returns only the conte
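
The symptom in the message above (wbinfo can translate gid 15004 to a name, but `groups` and `getent group` cannot) can be narrowed down by checking the NSS configuration, the idmap gid range and per-gid name resolution together. This is an added example, not part of the original post; the sample nsswitch.conf and smb.conf text, the 15000-20000 range and the stub resolver are constructed for illustration.

```python
import grp
import os
import pwd
import re


def nss_sources(nsswitch_text, database):
    """Return the lookup sources listed for one nsswitch.conf database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if name.strip() == database:
            # Drop action items such as [NOTFOUND=return] before splitting.
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []


def idmap_range(smb_conf_text, key):
    """Parse 'idmap uid = LOW-HIGH' or 'idmap gid = LOW-HIGH'.

    Returns (low, high), or None when the setting is absent, commented
    out, not of the form LOW-HIGH, or has LOW greater than HIGH.
    """
    for line in smb_conf_text.splitlines():
        line = line.strip()
        if line.startswith((";", "#")) or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if " ".join(name.split()).lower() == key:
            m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
            if not m:
                return None
            low, high = int(m.group(1)), int(m.group(2))
            return (low, high) if low <= high else None
    return None


def user_gids(user):
    """Group ids the running system assigns to a user (live NSS lookup)."""
    return os.getgrouplist(user, pwd.getpwnam(user).pw_gid)


def diagnose(nsswitch_text, smb_conf_text, gids, resolve=None):
    """Return a list of findings explaining unnamed group ids."""
    if resolve is None:
        resolve = lambda gid: grp.getgrgid(gid).gr_name  # real NSS lookup
    findings = []
    if "winbind" not in nss_sources(nsswitch_text, "group"):
        findings.append("nsswitch.conf: group database has no winbind source")
    gid_range = idmap_range(smb_conf_text, "idmap gid")
    if gid_range is None:
        findings.append("smb.conf: idmap gid range missing or malformed")
    for gid in gids:
        try:
            resolve(gid)
        except KeyError:  # the case that makes `groups` print "cannot find name"
            inside = gid_range is not None and gid_range[0] <= gid <= gid_range[1]
            where = "inside" if inside else "outside"
            findings.append(f"gid {gid}: no name via NSS ({where} idmap gid range)")
    return findings


# Constructed sample inputs (not taken from the poster's machines).
NSSWITCH_SAMPLE = """\
passwd: compat winbind
group:  compat winbind
hosts:  files wins dns
"""
SMB_CONF_SAMPLE = """\
idmap backend = tdb
idmap uid = 15000-20000
idmap gid = 15000-20000
;winbind use default domain = yes
"""


def stub_resolve(gid):
    """Constructed resolver: local gid 100 resolves, mapped gids do not."""
    if gid == 100:
        return "users"
    raise KeyError(gid)


if __name__ == "__main__":
    for finding in diagnose(NSSWITCH_SAMPLE, SMB_CONF_SAMPLE,
                            [100, 15004, 15005, 15006], stub_resolve):
        print(finding)
```

On a real workstation, pass the contents of /etc/nsswitch.conf and smb.conf, `user_gids("DOM\\user.name")` as the gid list, and omit `resolve` so that the live NSS lookup is used.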

Re: [Samba] Remote connection to Samba service doesn't work

2011-01-03 Thread tms3

> No, it's not.
> And as I've said I'm already using Samba shares from a two different
> servers on my Windows 7. I've already tried to change Windows settings
> via local policies and registry. No effect. Windows says it can't find
> the specified network name, smbclient on cygwin can't even open a
> connection. Just like there's a magical firewall blocking just the
> samba. There is no single log with my ip in it.
> Is there any simple way to test the connection itself? By telnet or
> sending just one packet, perhaps?
> You can try the host yourself, it's "revik.one.pl", ip 88.198.15.203.

OK
prism# nbtscan -v 88.198.15.203
Doing NBT name scan for addresses from 88.198.15.203

NetBIOS Name Table for Host 88.198.15.203:

Incomplete packet, 227 bytes long.
Name             Service          Type

REVIK            <00>             UNIQUE
REVIK            <03>             UNIQUE
REVIK            <20>             UNIQUE
__MSBROWSE__     <01>             GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>             GROUP
WORKGROUP        <00>             GROUP

Adapter address: 00-00-00-00-00-00

I would probably lock that down if I were you.

> Samba is currently up and running. Even a successful connection try
> would tell something.
>
> On Mon, Jan 3, 2011 at 10:01 AM, Daniel Müller wrote:
>>
>> Windows XP should work on the fly! Isn't it???
>> For Windows 7 you got to hack the registry. All entries HKLM.
>> You find the entries: google Windows 7 samba
>>
>> On Fri, 31 Dec 2010 14:03:05 +0100, Mateusz Szymaniec wrote:
>>> Hi.
>>> I've got a nasty problem with Samba. Basically, I can't connect to my
>>> Samba service from a home laptop (running Windows 7). I guess that on
>>> this side everything is fine, I'm using my corporate Samba shares via
>>> VPN, I've been using Samba on my previous server and it was running
>>> OK. I've asked my buddy living nearby to connect and it didn't work
>>> for him, as well as for 15 other people across living my country. The
>>> weirdest thing is, that there are actually people that are able to
>>> connect. They were using both Windows XP and 7 and I can't really tell
>>> why. I see their connections in logs, but I can't really tell a
>>> difference between my and theirs setup.
>>> I've tried to use default Debian Etch 2.x Samba, 3.x backports
>>> version, compiled 3.x from sources, even reinstalled operating system
>>> on the server. I've used default config, copied one from my previous
>>> server, wrote it from stretch server times. Every single time it was
>>> possible to connect locally (smbclient -L localhost). On the client
>>> side, I've tried using default Windows 7 (and XP) smb/cifs
>>> implementation and cygwin's smbclient.
>>> My server ISP tells that they don't block anything and it's the first
>>> time someone has reported problem like this. My iptables are clean at
>>> the moment.
>>> Currently I'm using v. 3.2.5 with default config with one share and
>>> added user by smbpasswd.
>>>
>>> revik:~# smbclient localhost\\test
>>> Enter root's password:
>>> Domain=[REVIK] OS=[Unix] Server=[Samba 3.2.5]
>>> smb: \> ls
>>>  .                                   D        0  Fri Dec 31 13:57:25 2010
>>>  ..                                  D        0  Fri Dec 31 13:57:16 2010
>>>  testfile                                     0  Fri Dec 31 13:57:25 2010
>>>
>>>                35201 blocks of size 8388608. 33290 blocks available
>>> I don't really can think of any single idea how to make it work or
>>> where the problem actually lies.
>>> I'd appreciate any help, thanks.



Re: [Samba] Remote connection to Samba service doesn't work

2011-01-03 Thread Daniel Müller
You try to connect via internet??

and your local net? Can you work with your shares??
Is in your "hosts allow=" the subnet of your vpn??
I am doing remote domain login with openvpn without any errors.
Your host can be pinged
ping 88.198.15.203
Ping wird ausgeführt für 88.198.15.203 mit 32 Bytes Daten:
Antwort von 88.198.15.203: Bytes=32 Zeit=17ms TTL=55

No telnet:
telnet 88.198.15.203
Verbindungsaufbau zu 88.198.15.203...Es konnte keine Verbindung mit dem Host
hergestellt werden, auf Port 23: Verbinden fehlgeschlagen
Putty,ssh:
OK. You can login from remote to your Host!

I think with (ex mine) the hosts allow = 127.0.0.1 192.168.129.0/24
192.168.133.0/24 192.168.134.0/24 192.168.132.0/24 192.168.135.0/24
10.0.11.0/24
where 10.0.11.0/24 is my vpn range
Fix the host allow to your vpn range.
Good Luck
Daniel

On Mon, 3 Jan 2011 10:51:58 +0100, Mateusz Szymaniec 
wrote:
> No, it's not.
> And as I've said I'm already using Samba shares from a two different
> servers on my Windows 7. I've already tried to change Windows settings
> via local policies and registry. No effect. Windows says it can't find
> the specified network name, smbclient on cygwin can't even open a
> connection. Just like there's a magical firewall blocking just the
> samba. There is no single log with my ip in it.
> Is there any simple way to test the connection itself? By telnet or
> sending just one packet, perhaps?
> You can try the host yourself, it's "revik.one.pl", ip 88.198.15.203.
> Samba is currently up and running. Even a successful connection try
> would tell something.
> 
> On Mon, Jan 3, 2011 at 10:01 AM, Daniel Müller 
> wrote:
>>
>> Windows XP should work on the fly! Isn't it???
>> For Windows 7 you got to hack the registry. All entries HKLM.
>> You find the entries: google Windows 7 samba
>>
>>
>>
>>
>> On Fri, 31 Dec 2010 14:03:05 +0100, Mateusz Szymaniec
>> 
>> wrote:
>>> Hi.
>>> I've got a nasty problem with Samba. Basically, I can't connect to my
>>> Samba service from a home laptop (running Windows 7). I guess that on
>>> this side everything is fine, I'm using my corporate Samba shares via
>>> VPN, I've been using Samba on my previous server and it was running
>>> OK. I've asked my buddy living nearby to connect and it didn't work
>>> for him, as well as for 15 other people across living my country. The
>>> weirdest thing is, that there are actually people that are able to
>>> connect. They were using both Windows XP and 7 and I can't really tell
>>> why. I see their connections in logs, but I can't really tell a
>>> difference between my and theirs setup.
>>> I've tried to use default Debian Etch 2.x Samba, 3.x backports
>>> version, compiled 3.x from sources, even reinstalled operating system
>>> on the server. I've used default config, copied one from my previous
>>> server, wrote it from stretch server times. Every single time it was
>>> possible to connect locally (smbclient -L localhost). On the client
>>> side, I've tried using default Windows 7 (and XP) smb/cifs
>>> implementation and cygwin's smbclient.
>>> My server ISP tells that they don't block anything and it's the first
>>> time someone has reported problem like this. My iptables are clean at
>>> the moment.
>>> Currently I'm using v. 3.2.5 with default config with one share and
>>> added user by smbpasswd.
>>>
>>> revik:~# smbclient localhost\\test
>>> Enter root's password:
>>> Domain=[REVIK] OS=[Unix] Server=[Samba 3.2.5]
>>> smb: \> ls
>>>  .                                   D        0  Fri Dec 31 13:57:25 2010
>>>  ..                                  D        0  Fri Dec 31 13:57:16 2010
>>>  testfile                                     0  Fri Dec 31 13:57:25 2010
>>>
>>>                35201 blocks of size 8388608. 33290 blocks available
>>> I don't really can think of any single idea how to make it work or
>>> where the problem actually lies.
>>> I'd appreciate any help, thanks.
>>
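
For the question quoted in this thread ("Is there any simple way to test the connection itself?"), one option is to probe the TCP ports an SMB server listens on (139 and 445) and separate "refused" from "no answer at all". This is an added example, not code from any poster in the thread; the function names and result labels are assumptions, and it is meant to be run against your own server.

```python
import socket

# TCP ports an SMB server such as smbd normally listens on.
SMB_PORTS = {139: "NetBIOS session service", 445: "SMB directly over TCP"}

# What each overall result suggests looking at next.
ADVICE = {
    "tcp-ok": "TCP reaches the server; look at Samba's own access settings "
              "(for example hosts allow), authentication or name resolution.",
    "no-listener": "The host answers but rejects the connection; check that "
                   "smbd is running and bound to this interface, and look "
                   "for a rejecting firewall rule.",
    "dropped": "No reply at all; something between client and server drops "
               "these ports, which also fits a server log that never shows "
               "the client address.",
    "mixed": "Results differ per port; compare them one by one.",
}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as open, refused, filtered or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"         # TCP handshake completed
    except ConnectionRefusedError:
        return "refused"          # reset received: no listener, or a reject rule
    except socket.timeout:
        return "filtered"         # silence until the timeout expired
    except OSError:
        return "unreachable"      # no route, name lookup failure, and so on


def interpret(results):
    """Reduce per-port states to one of the keys of ADVICE."""
    states = set(results.values())
    if "open" in states:
        return "tcp-ok"
    if states == {"refused"}:
        return "no-listener"
    if states == {"filtered"}:
        return "dropped"
    return "mixed"


def check_smb(host, ports=SMB_PORTS, timeout=3.0):
    """Probe every port and return (per-port states, overall verdict)."""
    results = {port: probe(host, port, timeout) for port in ports}
    return results, interpret(results)


if __name__ == "__main__":
    import sys
    # Defaults to the local machine; pass your own server as the argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    states, verdict = check_smb(target)
    for port, state in states.items():
        print(f"{target}:{port} ({SMB_PORTS[port]}): {state}")
    print(ADVICE[verdict])
```

Running it from both a client that can connect and one that cannot shows whether the difference is already visible at the TCP level.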

Re: [Samba] error adding a user

2011-01-03 Thread Marco Ciampa
On Mon, Jan 03, 2011 at 09:54:39AM +0100, Daniel Müller wrote:
> First of all which kind of Windows are you using. Usermgr with XP is ok
> with Windows Vista/7 no chance.

ok I'm using XP...

> To use usrmgr under xp and 2000 you must fit your ldap.conf and your
> smb.conf and use smbldap-tools or similar:
> in your smb.conf there should be something like:
> add user script = /usr/local/sbin/smbldap-useradd  -A 1 -B 1 -m -k /dummy
> "%u"

if I use:

 add user script = smbldap-useradd -a -m "%u"

it gives me the error reported above. If I use:

 add user script = smbldap-useradd -m "%u"

it works. It seems that Samba creates the samba specific objects to the
ldap server directly. If I am not wrong, the option -a to smbldap-useradd
should be used only if the script is called from outside samba (as in a
user populating script, for example...)

Am I right or am I wrong? I understand that these basic concepts are
important. I can't go forward without first clarifying this ... :-(

> 
> to fit the right params for your linux OS you have to try.
> 
> 
> or ldap.conf, ex :
> base dc=your,dc=domain
> nss_base_passwd ou=Users,dc=your,dc=domain?sub
> nss_base_passwd ou=Computers,dc=your,dc=domain?sub
> nss_base_shadow ou=Users,dc=your,dc=domain?sub
> nss_base_group ou=Groups,dc=your,dc=domain?one
> 
> In your slapd.conf , ex:
> access to attrs=sambaLMPassword
> by self write
> by anonymous auth
> by dn="cn=admin,dc=your,dc=domain" write
> by * none
> 
> access to attrs=sambaNTPassword
> by self write
> by anonymous auth
> by dn="cn=admin,dc=your,dc=domain" write
> by * none
> 
> access to attrs=sambaPwdLastSet,sambaPwdMustChange
> by self write
> by anonymous auth
> by dn="cn=admin,dc=your,dc=domain" write
> by * none
> 

My slapd.conf is this, for what I understand, it could be right...

access to attrs=userPassword,sambaNTPassword,sambaLMPassword
by dn="cn=admin,dc=lsgalilei,dc=org" write
by anonymous auth
by self write
by * none

Ok

Next problem:

User deleting through usermanager is not able to delete the home directory.

Maybe it is this fault:

 ldap delete dn = yes

If Samba deletes the ldap object the smbldap-userdel script has no chance to 
delete an already deleted user...

setting 

 ldap delete dn = no

seems to cure. Again: am I right or am I totally wrong?

Next problem:

I can't browse the groups during user creation step in the usermanager
or, after creating the user, browse its groups...

It seems (looking into samba logs) that it insists to search a group
"Users" instead of "Domain Users"... mmm where could it be wrong?
Ldap or Samba ... tomorrow I will investigate more deeply...

Thank you _very much_ for your help and support.

Very often it happens to me that just the action of trying to expose a
problem to someone else helps me a lot in clarifying it for myself...

-- 


Marco Ciampa

++
| Linux User  #78271 |
| FSFE fellow   #364 |
++


Re: [Samba] Need Help Getting Windows XP To Use Samba Properly[Closed]

2011-01-03 Thread Hodges, Robert CTR USAF AFMC 520 SMXS/MXDEC
Nope - didn't fix it.  Same error.

But an excellent suggestion though, thanks.

Bob



-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Hodges,Robert CTR USAF AFMC 520 SMXS/MXDEC
Sent: Monday, January 03, 2011 8:39 AM
To: Chris Smith
Cc: samba@lists.samba.org
Subject: Re: [Samba] Need Help Getting Windows XP To Use Samba Properly[Closed]

Could be.  I'm trying it now just out of curiosity.  Who knows, maybe we'll get 
lucky and this will be a fix.

:-)


-Original Message-
From: Chris Smith [mailto:smb...@chrissmith.org] 
Sent: Monday, January 03, 2011 8:25 AM
To: Hodges, Robert CTR USAF AFMC 520 SMXS/MXDEC
Cc: samba@lists.samba.org
Subject: Re: [Samba] Need Help Getting Windows XP To Use Samba Properly [Closed]

On Mon, Jan 3, 2011 at 10:17 AM, Hodges, Robert CTR USAF AFMC 520
SMXS/MXDEC  wrote:
> A key item I have to keep remembering is that all of this works great in 
> Windows 2000.  It's only XP that's having the problem.

Don't know if I would put so much weight on that - a difference, yes,
but not a key item. XP may just be more finicky when it comes to
things like proper naming conventions.
I haven't run a Samba-2.x installation in years but I have at one time
or another had Samba working successfully with everything from the
workgroup add-on for MS-DOS to Windows 7.

Chris

Re: [Samba] Need Help Getting Windows XP To Use Samba Properly [Closed]

2011-01-03 Thread Hodges, Robert CTR USAF AFMC 520 SMXS/MXDEC
Could be.  I'm trying it now just out of curiosity.  Who knows, maybe we'll get 
lucky and this will be a fix.

:-)


-Original Message-
From: Chris Smith [mailto:smb...@chrissmith.org] 
Sent: Monday, January 03, 2011 8:25 AM
To: Hodges, Robert CTR USAF AFMC 520 SMXS/MXDEC
Cc: samba@lists.samba.org
Subject: Re: [Samba] Need Help Getting Windows XP To Use Samba Properly [Closed]

On Mon, Jan 3, 2011 at 10:17 AM, Hodges, Robert CTR USAF AFMC 520
SMXS/MXDEC  wrote:
> A key item I have to keep remembering is that all of this works great in 
> Windows 2000.  It's only XP that's having the problem.

Don't know if I would put so much weight on that - a difference, yes,
but not a key item. XP may just be more finicky when it comes to
things like proper naming conventions.
I haven't run a Samba-2.x installation in years but I have at one time
or another had Samba working successfully with everything from the
workgroup add-on for MS-DOS to Windows 7.

Chris

Re: [Samba] Need Help Getting Windows XP To Use Samba Properly [Closed]

2011-01-03 Thread Chris Smith
On Mon, Jan 3, 2011 at 10:17 AM, Hodges, Robert CTR USAF AFMC 520
SMXS/MXDEC  wrote:
> A key item I have to keep remembering is that all of this works great in 
> Windows 2000.  It's only XP that's having the problem.

Don't know if I would put so much weight on that - a difference, yes,
but not a key item. XP may just be more finicky when it comes to
things like proper naming conventions.
I haven't run a Samba-2.x installation in years but I have at one time
or another had Samba working successfully with everything from the
workgroup add-on for MS-DOS to Windows 7.

Chris

Re: [Samba] Pdbedit problem

2011-01-03 Thread Chris Smith
On Fri, Dec 31, 2010 at 10:38 AM, Michel, Loubert
 wrote:
> I am not using ldap however. Is that the reason why it is not working.

Are you using:
passdb backend = tdbsam
?

With:
passdb backend = smbpasswd
you will find some limitations.

Chris


Re: [Samba] Need Help Getting Windows XP To Use Samba Properly [Closed]

2011-01-03 Thread Hodges, Robert CTR USAF AFMC 520 SMXS/MXDEC
No, I didn't.  Nor can I because of the impact it would have on a number of 
different issues that are unchangeable/written in stone.

A key item I have to keep remembering is that all of this works great in 
Windows 2000.  It's only XP that's having the problem.

Bob

 

-Original Message-
From: Chris Smith [mailto:smb...@chrissmith.org] 
Sent: Monday, January 03, 2011 8:13 AM
To: Hodges, Robert CTR USAF AFMC 520 SMXS/MXDEC
Cc: Jeremy Allison; samba@lists.samba.org
Subject: Re: [Samba] Need Help Getting Windows XP To Use Samba Properly [Closed]

On Mon, Jan 3, 2011 at 8:36 AM, Hodges, Robert CTR USAF AFMC 520
SMXS/MXDEC  wrote:
> Workgroup only, no domain
> Solaris with Samba loaded, a few shares, enabled as WINS server,
> configured as Master Browser

Did you ever correct the underscore in the hostname issue and then test?

Chris


Re: [Samba] Need Help Getting Windows XP To Use Samba Properly [Closed]

2011-01-03 Thread Chris Smith
On Mon, Jan 3, 2011 at 8:36 AM, Hodges, Robert CTR USAF AFMC 520
SMXS/MXDEC  wrote:
> Workgroup only, no domain
> Solaris with Samba loaded, a few shares, enabled as WINS server,
> configured as Master Browser

Did you ever correct the underscore in the hostname issue and then test?

Chris


Re: [Samba] A device attached to the system is not functioning -When adding a computer to the domain

2011-01-03 Thread Chris Beach
Thank you, I'll give it a read and do some more research on it.. To be
honest my predecessor set up Samba before I got here (6-7 years ago), so
that's what I was left with (BLAH.COM), and not knowing any better, have
used it ever since.

Just FYI, my Domain name (workgroup in smb.conf) is BLAH.COM ... the netbios
name of the actual samba server is HAPPINESS

On Mon, Jan 3, 2011 at 9:32 AM,  wrote:

>
>
>
> On Monday 03/01/2011 at 4:58 am, Chris Beach wrote:
>
> I wanted to send this out a 2nd (and last) time.. I got suggestions not to
> use BLAH.COM and to use BLAH instead for my domain name, however I don't
> think that's causing my problem as it's been this way for 6 years?
>
> Then  you have done no research regarding NetBIOS names.
>
> NetBIOS
> Restrictions
> Characters
> Unicode characters, numbers, white space, symbols: ! @ # $ % ^ & ' ) ( . -
> _ { } ~
>
> See chart top of page:
>
> http://technet.microsoft.com/en-us/library/cc959336.aspx
>
> Machine trusts MUST be able to resolve NetBIOS names.  The preferred method
> is via WINS.  Misconfigured NetBIOS names will make this, shall we say,
> difficult.
>
> Any way I
> still can't add machines to my domain and am fairly panicked (this is
> production, 140~ users).
>
> Any other suggestions?
>
> Thank you.
>
> On Thu, Dec 30, 2010 at 1:35 PM, Chris Beach  wrote:
>
> Hi all,
>
> I just setup a Samba 3.3.14, with an ldap back-end.
>
> I migrated the ldap back end and samba shares from my old samba server.
> I've found when adding a machine (WinXP) to the domain, I get the following
> error on XP:
>
> The following error occurred attempting to join the domain "Blah.com":
> A device attached to the system is not functioning.
>
> in my /var/log/messages I have:
>
> Dec 30 09:40:24 hap smbd[29379]: [2010/12/30 09:40:24, 0]
> passdb/pdb_get_set.c:pdb_get_group_sid(210)
> Dec 30 09:40:24 hap smbd[29379]: pdb_get_group_sid: Failed to find Unix
> account for OAKRND02$
>
> repeated about 6 times.
>
> My smb.conf looks like this for the scripts to run:
>
> * add machine script = /usr/sbin/smbldap-useradd -w "%u"
> add user script = /usr/sbin/smbldap-useradd -m -a "%u"
> delete user script = /usr/sbin/smbldap-userdel -r "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>
> ldap passwd sync = yes
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new
> password*" %n\n"*
>
> When I do an LDAP search, I see there is an entry in LDAP for it the
> machine, so some of the add machine script must have worked:
>
> ldapsearch -b "dc=mydomain,dc=com" -x "(uid=oakrnd01$)"
>
> # OAKRND01$, Computers, mydomain, com
> dn: uid=OAKRND01$,ou=Computers,dc=pintys,dc=com
> uid: OAKRND01$
> sambaSID: S-1-5-21-3318375643-2463009161-75282-41448
> sambaPrimaryGroupSID: S-1-5-21-3318375643-2463009161-75282-515
> sambaAcctFlags: [W ]
> objectClass: sambaSamAccount
> objectClass: account
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> sambaPwdCanChange: 1291378566
> sambaPwdMustChange: 1299154566
> sambaNTPassword: EED67D5B90ED8B5C2C168FB90DC4D313
> sambaPwdLastSet: 1291378566
>
> Also, I get results in pdbedit:
>
> [r...@happiness ~]# pdbedit -v oakrnd01$
> Unix username: OAKRND01$
> NT username: OAKRND01$
> Account Flags: [W ]
> User SID: S-1-5-21-3318375643-2463009161-75282-41448
> *pdb_get_group_sid: Failed to find Unix account for OAKRND01$*
> *Primary Group SID: (NULL SID)*
> Full Name:
> Home Directory:
> HomeDir Drive:
> Logon Script: logon.exe
> Profile Path:
> Domain: MYDOMAIN.COM
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: never
> Kickoff time: never
> Password last set: Fri, 03 Dec 2010 06:16:06 CST
> Password can change: Fri, 03 Dec 2010 06:16:06 CST
> Password must change: Thu, 03 Mar 2011 06:16:06 CST
> Last bad password : 0
> Bad password count : 0
> Logon hours : FF
>
> Also:
>
> /usr/sbin/smbldap-useradd -w OAKRND02
> failed to add entry: Unexpected EOF at /usr/sbin//smbldap_tools.pm line
> 616.
>
> And then my slapd dies out (crashes)... this same behaviour happens when
> trying to use USRMGR.exe to add a new user (but doing it manually via
> smbldap DOES work for adding a new user).
>
> What's most annoying is I tested joining a Windows 7 machine to the domain
> before I went live with this server, and it was successful, so I've no clue
> why this isn't working now
>
> Any help I can get is REALLY APPRECIATED, right now I've got a PC I can't
> get on the domain, so a user who can't work.
>
>
>
>
> --
> Chris Beach
> IT Analyst
>

Re: [Samba] A device attached to the system is not functioning -When adding a computer to the domain

2011-01-03 Thread tms3





On Monday 03/01/2011 at 4:58 am, Chris Beach  wrote:
I wanted to send this out a 2nd (and last) time.. I got suggestions not to
use BLAH.COM and to use BLAH instead for my domain name, however I don't
think that's causing my problem as it's been this way for 6 years?

Then you have done no research regarding NetBIOS names.

NetBIOS
Restrictions
Characters
Unicode characters, numbers, white space, symbols: ! @ # $ % ^ & ' ) ( . - _ { } ~


See chart top of page:

http://technet.microsoft.com/en-us/library/cc959336.aspx

Machine trusts MUST be able to resolve NetBIOS names.  The preferred 
method is via WINS.  Misconfigured NetBIOS names will make this, shall 
we say, difficult.


Any way I
still can't add machines to my domain and am fairly panicked (this is
production, 140~ users).

Any other suggestions?

Thank you.



Re: [Samba] Need Help Getting Windows XP To Use Samba Properly [Closed]

2011-01-03 Thread Hodges, Robert CTR USAF AFMC 520 SMXS/MXDEC
You bet.

http://search.yahoo.com/search;_ylt=AsEw2kKriectewf3wTL9r42bvZx4?p=Windows+XP+%2B+Samba+%2B+%22The+specified+network+name+is+no+longer+available%22&toggle=1&cop=mss&ei=UTF-8&fr=yfp-t-312

Bob



-Original Message-
From: Ryan Novosielski [mailto:novos...@umdnj.edu] 
Sent: Monday, January 03, 2011 7:28 AM
To: Hodges, Robert CTR USAF AFMC 520 SMXS/MXDEC; Jeremy Allison
Cc: samba@lists.samba.org
Subject: Re: [Samba] Need Help Getting Windows XP To Use Samba Properly [Closed]

Might you be able to provide a couple of links to other places you've seen this 
on the internet (or sample search terms)? Perhaps one has some of the 
information that could be used to look into the problem further, or something 
that could be used to triangulate the problem. Would be neat to get it nailed 
down one way or another.


-- Sent from my Palm Pre



On Jan 3, 2011 8:36, Hodges, Robert CTR USAF AFMC 520 SMXS/MXDEC 
 wrote: 

Jeremy, All, 

I truly appreciate your willingness to help me work on this further. 
Unfortunately, we have simply run out of time. 

To make matters worse, I cannot provide traces, logs, etc because this 
is a classified government system that cannot be exposed in any way, 
which means rather difficult and sometimes problematic troubleshooting 
limitations that may keep this problem from being solved. However, this 
error is found all over the internet and rarely do you ever see a fix 
for it. When I have seen one, it's not a fix that works for me. 

To make matters worse, Microsoft stamped a "Microsoft has confirmed this 
to be a problem with the products specified" on WinXP and Samba. 
Microsoft has no fix, they have tried many times before, and as it now 
stands, appears to be disinterested in providing a hot fix due to the 
remaining shelf life of XP. Any support you get from Microsoft on this 
particular issue is what they call a "best effort", and do not guarantee 
a fix like they do with their own products. 

For anyone that wants to play around with this, here's the config: 

All static IPs 
Workgroup only, no domain 
Solaris with Samba loaded, a few shares, enabled as WINS server, 
configured as Master Browser 
No DNS server 
XP has WINS setting pointing at Samba box, hosts file used instead of 
DNS, lmhosts file NOT in use because of WINS on Samba, XP's Computer 
Browser service disabled to force XP to see Samba box as master browser 
(otherwise will elect itself as master browser and totally ignore Samba) 

Behavior: 
WinXP can map to any resource on Samba with zero problems - it is not a 
permissions issue. Attempting to browse to a Samba resource, however, 
produces "The specified network name is no longer available" in XP. If 
Computer Browser service enabled on XP, XP may or may not be able to 
browse to Samba box (this is entirely unstable, because within 15 
minutes, if XP has elected itself as master browser, XP will eventually 
time out and lose the server list, and "Specified network no longer 
available" error returns). 
Never, is WinXP able to retrieve the browse list from Samba. Microsoft 
claims that this is because the network configuration is too simplified 
and because real WINS and DNS servers are not in use. All we're trying 
to do is get one stinkin' XP workstation to talk to one stinkin' Samba 
box in a simple workgroup. That's it. So far, it's got everyone that 
looks at this problem absolutely baffled as to how this could not work. 

Those who have looked at it and given up: 

Microsoft 
US Air Force 
US Marine Corps 
Various private military contractors 
Samba email list group (best support so far, but still no dice) 

Again, thanks to all who have tried figuring this out. I know I haven't 
given you much to work with, so don't feel bad. It's just that I have 
simply run out of time to get this resolved. 

Bob 



-Original Message- 
From: Jeremy Allison [mailto:j...@samba.org] 
Sent: Thursday, December 30, 2010 3:04 PM 
To: Hodges, Robert CTR USAF AFMC 520 SMXS/MXDEC 
Cc: samba 
Subject: Re: [Samba] Need Help Getting Windows XP To Use Samba Properly 
[Closed] 

On Thu, Dec 30, 2010 at 12:29:53PM -0700, Hodges, Robert CTR USAF AFMC 
520 SMXS/MXDEC wrote: 
> Well, here's what's happening. 
> 
> Microsoft Tech Support confirms that this is a problem with Windows XP.
> There is no fix, and I don't expect one coming considering XP's end of
> life in 2012. All Microsoft has are workarounds.

Don't throw in the towel just yet. I've never seen a WindowsXP 
box that won't work with Samba, we just need more info. 

> Microsoft's recommendations are to add more servers to the mix (DNS, 
> WINS, etc) and if that doesn't work, then one of their several 
> "workarounds" is to dump the use of Samba altogether. None of the 
> proposed workarounds work for us, we're locked into a specific 
> configuration. 
> 
> So both Microsoft and my shop are throwing in the towel on this one and
> we're resorting to simply mapping to all

Re: [Samba] Need Help Getting Windows XP To Use Samba Properly [Closed]

2011-01-03 Thread Ryan Novosielski
Might you be able to provide a couple of links to other places you've seen this 
on the internet (or sample search terms)? Perhaps one has some of the 
information that could be used to look into the problem further, or something 
that could be used to triangulate the problem. Would be neat to get it nailed 
down one way or another.

-- Sent from my Palm Pre

Re: [Samba] A device attached to the system is not functioning - When adding a computer to the domain

2011-01-03 Thread Chris Beach
Turns out it is only the one machine having this problem, I've just tried
joining a Windows 7 and Windows XP client to the domain and it's worked
without problems, so whatever is causing this error is local to one machine
(thank god).

Thanks to those who replied!

On Mon, Jan 3, 2011 at 8:13 AM, Volker Lendecke
wrote:

> On Mon, Jan 03, 2011 at 07:57:35AM -0500, Chris Beach wrote:
> > I wanted to send this out a 2nd (and last) time.. I got suggestions not to
> > use BLAH.COM and to use BLAH instead for my domain name, however I don't
> > think that's causing my problem as it's been this way for 6 years? Any way I
> > still can't add machines to my domain and am fairly panicked (this is
> > production, 140~ users).
> >
> > Any other suggestions?
>
> If you're 100% sure that you don't have nscd running, this
> might be a case sensitivity bug. I think we fixed that some
> time ago. We used to not try the case-insensitive search in
> all cases. Please try 3.5.6.
>
> With best regards,
>
> Volker Lendecke
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-37-0, fax: +49-551-37-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
>



-- 
Chris Beach
IT Analyst


Re: [Samba] Need Help Getting Windows XP To Use Samba Properly [Closed]

2011-01-03 Thread Hodges, Robert CTR USAF AFMC 520 SMXS/MXDEC
Jeremy, All,

I truly appreciate your willingness to help me work on this further.
Unfortunately, we have simply run out of time.

To make matters worse, I cannot provide traces, logs, etc because this
is a classified government system that cannot be exposed in any way,
which means rather difficult and sometimes problematic troubleshooting
limitations that may keep this problem from being solved.  However, this
error is found all over the internet and rarely do you ever see a fix
for it.  When I have seen one, it's not a fix that works for me.

To make matters worse, Microsoft stamped a "Microsoft has confirmed this
to be a problem with the products specified" on WinXP and Samba.
Microsoft has no fix, they have tried many times before, and as it now
stands, appears to be disinterested in providing a hot fix due to the
remaining shelf life of XP.  Any support you get from Microsoft on this
particular issue is what they call a "best effort", and do not guarantee
a fix like they do with their own products.

For anyone that wants to play around with this, here's the config:

All static IPs
Workgroup only, no domain
Solaris with Samba loaded, a few shares, enabled as WINS server,
configured as Master Browser
No DNS server
XP has WINS setting pointing at Samba box, hosts file used instead of
DNS, lmhosts file NOT in use because of WINS on Samba, XP's Computer
Browser service disabled to force XP to see Samba box as master browser
(otherwise will elect itself as master browser and totally ignore Samba)

Behavior:
WinXP can map to any resource on Samba with zero problems - it is not a
permissions issue.  Attempting to browse to a Samba resource, however,
produces "The specified network name is no longer available" in XP.  If
Computer Browser service enabled on XP, XP may or may not be able to
browse to Samba box (this is entirely unstable, because within 15
minutes, if XP has elected itself as master browser, XP will eventually
time out and lose the server list, and "Specified network no longer
available" error returns).
Never, is WinXP able to retrieve the browse list from Samba.  Microsoft
claims that this is because the network configuration is too simplified
and because real WINS and DNS servers are not in use.  All we're trying
to do is get one stinkin' XP workstation to talk to one stinkin' Samba
box in a simple workgroup.  That's it.  So far, it's got everyone that
looks at this problem absolutely baffled as to how this could not work.

Those who have looked at it and given up:

Microsoft
US Air Force
US Marine Corps
Various private military contractors
Samba email list group (best support so far, but still no dice)

Again, thanks to all who have tried figuring this out.  I know I haven't
given you much to work with, so don't feel bad.  It's just that I have
simply run out of time to get this resolved.

Bob



 -Original Message-
From: Jeremy Allison [mailto:j...@samba.org] 
Sent: Thursday, December 30, 2010 3:04 PM
To: Hodges, Robert CTR USAF AFMC 520 SMXS/MXDEC
Cc: samba
Subject: Re: [Samba] Need Help Getting Windows XP To Use Samba Properly
[Closed]

On Thu, Dec 30, 2010 at 12:29:53PM -0700, Hodges, Robert CTR USAF AFMC
520 SMXS/MXDEC wrote:
> Well, here's what's happening.
> 
> Microsoft Tech Support confirms that this is a problem with Windows XP.
> There is no fix, and I don't expect one coming considering XP's end of
> life in 2012.  All Microsoft has are workarounds.

Don't throw in the towel just yet. I've never seen a WindowsXP
box that won't work with Samba, we just need more info.

> Microsoft's recommendations are to add more servers to the mix (DNS,
> WINS, etc) and if that doesn't work, then one of their several
> "workarounds" is to dump the use of Samba altogether.  None of the
> proposed workarounds work for us, we're locked into a specific
> configuration.
> 
> So both Microsoft and my shop are throwing in the towel on this one and
> we're resorting to simply mapping to all the shares instead of having
> users browse to them.  Sounds simple, but this represents a huge config
> and documentation change on many levels for us, a lot bigger than anyone
> could know.  A very frustrating and expensive workaround if you knew the
> scope.

Don't do this yet. I haven't seen any debug logs from
you, or a network trace. Changing your config without
proper investigation is completely premature IMHO.

> This decision to pull the plug was made after I came across an online
> forum where someone had this very same issue, worked with Microsoft Tech
> Support for 7 months(!), and it never got resolved.

We have been networking Windows XP boxes to Samba
for longer than anyone still working in Microsoft
Tech support, trust me on that :-). So I'd still
like to fix this properly.

> So, it sucks to be me.  

Please get the network trace and debug level 10 log
of the Windows XP box trying to connect to Samba, this
should give us the information we need to fix it.

Jeremy.

Re: [Samba] A device attached to the system is not functioning - When adding a computer to the domain

2011-01-03 Thread Volker Lendecke
On Mon, Jan 03, 2011 at 07:57:35AM -0500, Chris Beach wrote:
> I wanted to send this out a 2nd (and last) time.. I got suggestions not to
> use BLAH.COM and to use BLAH instead for my domain name, however I don't
> think that's causing my problem as it's been this way for 6 years? Any way I
> still can't add machines to my domain and am fairly panicked (this is
> production, 140~ users).
> 
> Any other suggestions?

If you're 100% sure that you don't have nscd running, this
might be a case sensitivity bug. I think we fixed that some
time ago. We used to not try the case-insensitive search in
all cases. Please try 3.5.6.

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen


Re: [Samba] A device attached to the system is not functioning - When adding a computer to the domain

2011-01-03 Thread Chris Beach
I wanted to send this out a 2nd (and last) time.. I got suggestions not to
use BLAH.COM and to use BLAH instead for my domain name, however I don't
think that's causing my problem as it's been this way for 6 years? Any way I
still can't add machines to my domain and am fairly panicked (this is
production, 140~ users).

Any other suggestions?

Thank you.

On Thu, Dec 30, 2010 at 1:35 PM, Chris Beach  wrote:

> Hi all,
>
> I just setup a Samba 3.3.14, with an ldap back-end.
>
> I migrated the ldap back end and samba shares from my old samba server.
> I've found when adding a machine (WinXP) to the domain, I get the following
> error on XP:
>
> The following error occurred attempting to join the domain "Blah.com":
> A device attached to the system is not functioning.
>
> in my /var/log/messages I have:
>
> Dec 30 09:40:24 hap smbd[29379]: [2010/12/30 09:40:24, 0]
> passdb/pdb_get_set.c:pdb_get_group_sid(210)
> Dec 30 09:40:24 hap smbd[29379]: pdb_get_group_sid: Failed to find Unix
> account for OAKRND02$
>
> repeated about 6 times.
>
> My smb.conf looks like this for the scripts to run:
>
> * add machine script = /usr/sbin/smbldap-useradd -w "%u"
> add user script = /usr/sbin/smbldap-useradd -m -a "%u"
> delete user script = /usr/sbin/smbldap-userdel -r "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>
> ldap passwd sync = yes
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new
> password*" %n\n"*
>
> When I do an LDAP search, I see there is an entry in LDAP for it the
> machine, so some of the add machine script must have worked:
>
> ldapsearch -b "dc=mydomain,dc=com" -x "(uid=oakrnd01$)"
>
> # OAKRND01$, Computers, mydomain, com
> dn: uid=OAKRND01$,ou=Computers,dc=pintys,dc=com
> uid: OAKRND01$
> sambaSID: S-1-5-21-3318375643-2463009161-75282-41448
> sambaPrimaryGroupSID: S-1-5-21-3318375643-2463009161-75282-515
> sambaAcctFlags: [W ]
> objectClass: sambaSamAccount
> objectClass: account
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> sambaPwdCanChange: 1291378566
> sambaPwdMustChange: 1299154566
> sambaNTPassword: EED67D5B90ED8B5C2C168FB90DC4D313
> sambaPwdLastSet: 1291378566
>
> Also, I get results in pdbedit:
>
> [r...@happiness ~]# pdbedit -v oakrnd01$
> Unix username:OAKRND01$
> NT username:  OAKRND01$
> Account Flags:[W  ]
> User SID: S-1-5-21-3318375643-2463009161-75282-41448
> *pdb_get_group_sid: Failed to find Unix account for OAKRND01$*
> *Primary Group SID:(NULL SID)*
> Full Name:
> Home Directory:
> HomeDir Drive:
> Logon Script: logon.exe
> Profile Path:
> Domain:   MYDOMAIN.COM
> Account desc:
> Workstations:
> Munged dial:
> Logon time:   0
> Logoff time:  never
> Kickoff time: never
> Password last set:Fri, 03 Dec 2010 06:16:06 CST
> Password can change:  Fri, 03 Dec 2010 06:16:06 CST
> Password must change: Thu, 03 Mar 2011 06:16:06 CST
> Last bad password   : 0
> Bad password count  : 0
> Logon hours : FF
>
> Also:
>
> /usr/sbin/smbldap-useradd -w OAKRND02
> failed to add entry: Unexpected EOF at /usr/sbin//smbldap_tools.pm line
> 616.
>
> And then my slapd dies out (crashes)... this same behaviour happens when
> trying to use USRMGR.exe to add a new user (but doing it manually via
> smbldap DOES work for adding a new user).
>
> What's most annoying is I tested joining a Windows 7 machine to the domain
> before I went live with this server, and it was successful, so I've no clue
> why this isn't working now
>
> Any help I can get is REALLY APPRECIATED, right now I've got a PC I can't
> get on the domain, so a user who can't work.
>
>


-- 
Chris Beach
IT Analyst


Re: [Samba] Samba OpenLDAP TLS

2011-01-03 Thread Willy Offermans
Dear Michael and Samba friends,

On Fri, Dec 31, 2010 at 11:50:49PM +0200, Michael Wood wrote:
> Hi
> 
> On 30 December 2010 14:35, Willy Offermans  wrote:
> > Dear Samba friends,
> >
> > I have setup a samba server 3.5 on FreeBSD 8.1-RELEASE-p2 with
> > openldap-sasl-server-2.4. I have specified ``TLSVerifyClient demand'' in
> > slapd.conf and want to enforce the clients to connect and show a
> > valid certificate to the ldap server. As far as I have understood, Samba
> > will act as a client as well and in order to access the ldap server it will
> > need a client certificate as well. I do know how to generate a client
> > certificate, but I do not know where to tell samba to use this
> > client certificate. Is this supported by Samba or do I need to lower the
> > constraints regarding the TLSVerifyClient? Maybe to ``TLSVerifyClient try''?
> 
> Just a guess, but have you tried the TLS_CERT and TLS_KEY options from
> the LDAP client config?  They're listed in ldap.conf(5) as "user-only
> options", so should be specified in $HOME/.ldaprc or ldaprc in the
> current directory.  Not sure where $HOME or the current directory are
> for Samba, though, but perhaps that will point you in the right
> direction.
> 
> Hope that helps.
> 
> -- 

Thanks for your answer!

I guess $HOME is the home directory of root in this case, but I'm not sure
yet. I have created the following file:

/root/ldaprc

with the following content:


#
# User specific LDAP settings
#

# Override global directive (if set)
TLS_REQCERT demand

# client authentication
TLS_CERT /root/certs/root.pem
TLS_KEY /root/certs/keys/root.key


It helped me to work with ldapadd -ZZ ... commands from the command prompt.

I hope that samba works in a similar way, meaning that it will make use of
/root/ldaprc to show its client certificate. I have not yet tested samba,
because I'm still setting up this server and I was distracted by the
installation of other programs.

If somebody has already experienced that /root/ldaprc will not work for samba,
then please give me a hint on how to set this up correctly.


-- 
Met vriendelijke groeten,
With kind regards,
Mit freundlichen Gruessen,

Willy

*
W.K. Offermans
Home:   +31 45 544 49 44
Mobile: +31 681 15 87 68
e-mail: wi...@offermans.rompen.nl

   Powered by 

(__)
 \\\'',)
   \/  \ ^
   .\._/_)

   www.FreeBSD.org
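
A pre-flight check for the per-user ldaprc shown in the message above, as an added example that is not part of the original post: it parses the file and reports a TLS_REQCERT setting weaker than demand, TLS_CERT or TLS_KEY files that are unset or missing, and a private key that group or other can access. The names parse_ldaprc and audit_ldaprc and the choice of checks are assumptions for illustration; only the directive names come from the message and ldap.conf(5).

```python
import os
import stat

STRICT_REQCERT = {"demand", "hard"}   # ldap.conf(5): both require a valid server cert

def parse_ldaprc(text):
    """Return {DIRECTIVE: value} from ldaprc text; keywords are case-insensitive."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts

def audit_ldaprc(path):
    """Return a list of findings for the ldaprc at `path` (empty list = clean)."""
    with open(path, encoding="utf-8") as fh:
        opts = parse_ldaprc(fh.read())
    findings = []
    reqcert = opts.get("TLS_REQCERT", "demand").lower()   # demand is the default
    if reqcert not in STRICT_REQCERT:
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not enforced")
    for key in ("TLS_CERT", "TLS_KEY"):
        target = opts.get(key)
        if target is None:
            findings.append(f"{key} not set: client certificate auth cannot work")
        elif not os.path.isfile(target):
            findings.append(f"{key} {target}: file not found")
        elif key == "TLS_KEY":
            mode = stat.S_IMODE(os.stat(target).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"TLS_KEY {target}: mode {mode:o} exposes the key")
    return findings

if __name__ == "__main__":
    import sys
    # Default path is the one used in the message; pass another path as argv[1].
    for finding in audit_ldaprc(sys.argv[1] if len(sys.argv) > 1 else "/root/ldaprc"):
        print(finding)
```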


Re: [Samba] Remote connection to Samba service doesn't work

2011-01-03 Thread Daniel Müller

Windows XP should work on the fly! Isn't it???
For Windows 7 you got to hack the registry. All entries HKLM.
You find the entries: google Windows 7 samba




On Fri, 31 Dec 2010 14:03:05 +0100, Mateusz Szymaniec wrote:
> Hi.
> I've got a nasty problem with Samba. Basically, I can't connect to my
> Samba service from a home laptop (running Windows 7). I guess that on
> this side everything is fine, I'm using my corporate Samba shares via
> VPN, I've been using Samba on my previous server and it was running
> OK. I've asked my buddy living nearby to connect and it didn't work
> for him, as well as for 15 other people living across my country. The
> weirdest thing is, that there are actually people that are able to
> connect. They were using both Windows XP and 7 and I can't really tell
> why. I see their connections in logs, but I can't really tell a
> difference between my setup and theirs.
> I've tried to use default Debian Etch 2.x Samba, 3.x backports
> version, compiled 3.x from sources, even reinstalled operating system
> on the server. I've used default config, copied one from my previous
> server, wrote it from scratch several times. Every single time it was
> possible to connect locally (smbclient -L localhost). On the client
> side, I've tried using default Windows 7 (and XP) smb/cifs
> implementation and cygwin's smbclient.
> My server ISP tells that they don't block anything and it's the first
> time someone has reported problem like this. My iptables are clean at
> the moment.
> Currently I'm using v. 3.2.5 with default config with one share and
> added user by smbpasswd.
> 
> revik:~# smbclient localhost\\test
> Enter root's password:
> Domain=[REVIK] OS=[Unix] Server=[Samba 3.2.5]
> smb: \> ls
>  .                                   D        0  Fri Dec 31 13:57:25 2010
>  ..                                  D        0  Fri Dec 31 13:57:16 2010
>  testfile                                     0  Fri Dec 31 13:57:25 2010
> 
>                35201 blocks of size 8388608. 33290 blocks available
> I can't really think of any single idea how to make it work or
> where the problem actually lies.
> I'd appreciate any help, thanks.

Re: [Samba] error adding a user

2011-01-03 Thread Daniel Müller
First of all, which kind of Windows are you using? Usermgr with XP is ok,
with Windows Vista/7 no chance.
To use usrmgr under xp and 2000 you must fit your ldap.conf and your
smb.conf and use smbldap-tools or similar:
in your smb.conf there should be something like:
add user script = /usr/local/sbin/smbldap-useradd  -A 1 -B 1 -m -k /dummy "%u"

to fit the right params for your linux OS you have to try.


or ldap.conf, ex :
base dc=your,dc=domain
nss_base_passwd ou=Users,dc=your,dc=domain?sub
nss_base_passwd ou=Computers,dc=your,dc=domain?sub
nss_base_shadow ou=Users,dc=your,dc=domain?sub
nss_base_group ou=Groups,dc=your,dc=domain?one

In your slapd.conf , ex:
access to attrs=sambaLMPassword
    by self write
    by anonymous auth
    by dn="cn=admin,dc=your,dc=domain" write
    by * none

access to attrs=sambaNTPassword
    by self write
    by anonymous auth
    by dn="cn=admin,dc=your,dc=domain" write
    by * none

access to attrs=sambaPwdLastSet,sambaPwdMustChange
    by self write
    by anonymous auth
    by dn="cn=admin,dc=your,dc=domain" write
    by * none

On Sun, 2 Jan 2011 22:44:20 +0100, Marco Ciampa  wrote:
> On Fri, Dec 31, 2010 at 04:34:05AM +0100, Marco Ciampa wrote:
>> Sorry for (I'm sure) my stupid question (and my bad english)...
>> 
>> If this is not the right place to post this kind of question forgive me
>> and please point me to the right mailinglist.
>> 
>> I've a Samba 3 that works with an openldap server as a sole domain
>> controller.
>> 
>> I used to use the Microsoft usermanager.
>> After a general migration/upgrade I am not able to create new users
>> anymore.
>> I can do it with the smbldap-tools, manually only from the root user but
>> if I do it through the usermanager it gives me an error.
>> A net user add command done with the same administrator user gives me this
>> error:
>> 
>> Failed to add user 'pippo' with: WERR_GENERAL_FAILURE.
>> 
>> from the logs:
>> 
>> [2010/12/31 04:30:44,  0] passdb/pdb_ldap.c:2197(ldapsam_add_sam_account)
>>   ldapsam_add_sam_account: User 'pippo' already in the base, with samba
>>   attributes
>> 
>> Any hint?
> 
> Need some other info?
> 
> I've seen in the Internet many times asked this question so it seems a
> recurring problem but with generic answers (check all your conf
> data/permission/so on...) or no answer at all...
> 
> Maybe it is a generic-catch-all error message a la Windows so it could
> be fired by a hundred reasons or what?
> 
> Sorry I am not a Samba nor LDAP expert... you see...
> 
> -- 
> 
> 
> Marco Ciampa
> 
> ++
> | Linux User  #78271 |
> | FSFE fellow   #364 |
> ++


[Samba] samba 3.5.6 and AIO on Linux

2011-01-03 Thread Ofer H
Hi list,

I have been trying to enable AIO on ARMv5 Samba built with kernel headers
2.6.31.8, the configure indicated that AIO is supported via kernel headers
and all went smooth (regarding the build process).

Once I added the smb.conf 'aio write size=1' and tried to perform a file
copy to the Samba share I noticed that 32K of the file (of the 1GB file)
have been copied to the share but the file copy stalled and did not finish.
I had to restart Samba to see that share since it was stuck, I have
experienced the same phenomenon with XPsp2 and W7 clients.

I also noticed that the Samba daemon was forked as root (not as nobody
as it usually does) and stayed blocked on some FUTEX taken.

Can anyone confirm that AIO actually works on Linux? I have seen xBSD
related mail claiming that it does work and brings nice performance
improvement.

-Frank