Re: [Samba] Managing win7 machines..
On 21/01/2011 2:41 AM, Collen Blijenberg wrote:

I'm curious how others manage their Windows 7 machines on a samba 3.x.x domain, especially the part of policies and scripts.
I got the win7 running in the samba domain, but I'm stuck in the policies part, and I don't want to use nitrobit for this.
How do other users do this?!

thx,
Collen

I played around with using WPKG to add policy stuff to the client registries. We were already using it to install software, so it was easy enough to fiddle with for me. It's probably not the tidiest option, but it works.

TB

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Account lockouts
Hi,

I have a Windows 2003 AD domain and samba / winbind unix boxes authenticating with the domain. I changed the account policy on my AD domain to include a 5 attempt invalid attempt lockout. After implementing this change 4 users are having their accounts locking out every hour or so. I checked if any of these users had running processes on the unix box and they did at the time when the change was implemented. I have since killed their orphan processes. However, I still keep getting the following errors on my security log (and the accounts keep locking out):

[snip]
Pre-authentication failed:
  User Name: user1
  User ID:DOMAIN\user1
  Service Name: krbtgt/DOMAIN.COM
  Pre-Authentication Type:0x0
  Failure Code: 0x12
  Client Address: 192.168.246.134
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
[/snip]

In the Directory Service logs I see the following entry:

[snip]
Active Directory could not update the following object with changes received from the domain controller at the following network address because Active Directory was busy processing information.
  Object: CN=User 1,OU=Testing Services Team,OU=TESTER V,DC=domain,DC=com
  Network address: e5523049-53f1-4274-858b-c68971599acf._msdcs.domain.com
This operation will be tried again later.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
[/snip]

The samba daemon runs at 192.168.246.134 with a kerberos setup. Any help would be most appreciated.

Thanks and regards,
--
Rajat Swarup
www.rajatswarup.com
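Added example, not part of the original post: a parser for the "Pre-authentication failed" event text quoted above that groups failures by account and client address and separates wrong-password failures (0x18) from requests that arrive after the account is already revoked or locked (0x12, the code in the post). The sample events are constructed in the format of the quoted event; the code names are the Kerberos error names from RFC 4120.

```python
import re
from collections import Counter, defaultdict

# Kerberos error codes (RFC 4120) that matter when chasing a lockout source.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # no such account
    0x12: "KDC_ERR_CLIENT_REVOKED",       # account disabled, expired or already locked out
    0x17: "KDC_ERR_KEY_EXPIRED",          # password expired
    0x18: "KDC_ERR_PREAUTH_FAILED",       # wrong password presented
    0x25: "KRB_AP_ERR_SKEW",              # client clock too far from the KDC
}

# Labels as they appear in the quoted event; \s* copes with "Failure Code: 0x12"
# as well as "Pre-Authentication Type:0x0" (no space after the colon).
FIELD_RE = re.compile(r"(User Name|Failure Code|Client Address):\s*(\S+)")

# Constructed sample events (not taken from a real log).
SAMPLE_LOG = r"""
Pre-authentication failed: User Name: user1 User ID:DOMAIN\user1 Service Name: krbtgt/DOMAIN.COM Pre-Authentication Type:0x2 Failure Code: 0x18 Client Address: 192.168.246.134
Pre-authentication failed: User Name: user1 User ID:DOMAIN\user1 Service Name: krbtgt/DOMAIN.COM Pre-Authentication Type:0x2 Failure Code: 0x18 Client Address: 192.168.246.134
Pre-authentication failed: User Name: user1 User ID:DOMAIN\user1 Service Name: krbtgt/DOMAIN.COM Pre-Authentication Type:0x0 Failure Code: 0x12 Client Address: 192.168.246.134
Pre-authentication failed: User Name: user2 User ID:DOMAIN\user2 Service Name: krbtgt/DOMAIN.COM Pre-Authentication Type:0x0 Failure Code: 0x12 Client Address: 192.168.246.134
Pre-authentication failed: User Name: user3 User ID:DOMAIN\user3 Service Name: krbtgt/DOMAIN.COM Pre-Authentication Type:0x2 Failure Code: 0x18 Client Address: 192.168.246.20
Pre-authentication failed: User Name: user3 User ID:DOMAIN\user3 Service Name: krbtgt/DOMAIN.COM Pre-Authentication Type:0x2 Failure Code: 0x18 Client Address: 192.168.246.134
"""


def parse_events(text):
    """Turn the event text into a list of dicts, skipping incomplete records."""
    events = []
    for chunk in text.split("Pre-authentication failed:")[1:]:
        fields = dict(FIELD_RE.findall(chunk))
        if "User Name" not in fields or "Failure Code" not in fields:
            continue
        code = int(fields["Failure Code"], 16)
        events.append({
            "user": fields["User Name"].lower(),
            "client": fields.get("Client Address", "unknown"),
            "code": code,
            "reason": KRB_ERRORS.get(code, "UNKNOWN_0x%02X" % code),
        })
    return events


def summarize(events):
    """Failures per (user, client, reason), most frequent first."""
    counts = Counter((e["user"], e["client"], e["reason"]) for e in events)
    return counts.most_common()


def password_failure_sources(events):
    """Per user, the clients that presented a wrong password (0x18).
    These are the hosts to check for stale cached or scripted credentials."""
    sources = defaultdict(set)
    for e in events:
        if e["code"] == 0x18:
            sources[e["user"]].add(e["client"])
    return {user: sorted(clients) for user, clients in sources.items()}


def revoked_only_users(events):
    """Users seen only with 0x12: the failures that tripped the lock
    are outside this excerpt, so an earlier time window is needed."""
    codes = defaultdict(set)
    for e in events:
        codes[e["user"]].add(e["code"])
    return sorted(u for u, c in codes.items() if c == {0x12})


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_LOG)
    for key, count in summarize(parsed):
        print(count, *key)
    print("wrong-password sources:", password_failure_sources(parsed))
    print("only seen as revoked:", revoked_only_users(parsed))
```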
Re: [Samba] Problems with a trust relation between samba and samba different subnet
--- Original message ---
Subject: Re: [Samba] Problems with a trust relation between samba and samba different subnet
From: Alberto Moreno
To:
Date: Friday, 21/01/2011 3:32 PM

On Fri, Jan 21, 2011 at 3:20 PM, wrote:

Two domains.
Well this is a test systems.
But my current production system are separate by a P2P link. What u recommend?

Location A --> PDC Wins Server
+LDAP server
Location B --> BDC
+LDAP server
smb.conf to point to local ldap servers.
?

Them, u say 1 wins to rule them all I have to work with this.

Thanks!!!

--
LIving the dream...

U suggest to build a PDC+Ldap and the other end BDC+Ldap and setup the replica of ldap right?

Yes. Multimaster-syn-repl is my choice.

The only issue is that, we already have 2 domains, I need to delete one and just work with one, but what about the SID of the clients that will lose their PDC, this will be an issue, because I will have to add them to the domain again right?

Yes. That's a bit messy. If you have a large number of users, that might be a serious problem.

I'm correct? This thread is giving me a lot of tips to try :-), thanks guys!!!

--
LIving the dream...
Re: [Samba] Problems with a trust relation between samba and samba different subnet
On Fri, Jan 21, 2011 at 3:20 PM, wrote:
> Two domains.
>
> Well this is a test systems.
>
> But my current production system are separate by a P2P link. What u recommend?
>
> Location A --> PDC Wins Server
> +LDAP server
> Location B --> BDC
> +LDAP server
> smb.conf to point to local ldap servers.
> ?
>
> Them, u say 1 wins to rule them all I have to work with this.
>
> Thanks!!!
>
> --
> LIving the dream...

U suggest to build a PDC+Ldap and the other end BDC+Ldap and setup the replica of ldap right?

The only issue is that, we already have 2 domains, I need to delete one and just work with one, but what about the SID of the clients that will lose their PDC, this will be an issue, because I will have to add them to the domain again right?

I'm correct? This thread is giving me a lot of tips to try :-), thanks guys!!!

--
LIving the dream...
Re: [Samba] Problems with a trust relation between samba and samba different subnet
> MUST use the same WINS server for trusts to work.

Do you mean you must actually use a WINS service, or just a working DNS service?

It's been a couple of years now, but while I was taking classes on SBS Server at the local Microsoft offices, their instructors were telling the class to remove WINS, and only use their dns service.

WINS was Microsoft's very early attempt at creating a dns service back when it shipped NT 3.5. It has issues. It offers nothing over a modern dns service. And you don't have to use Microsoft's dns service - it can be any dns service you want on your lan.

I've set up Windows Servers for several types of businesses and clinics over the years, and none of them have missed WINS.
Re: [Samba] Problems with a trust relation between samba and samba different subnet
Two domains.
Well this is a test systems.
But my current production system are separate by a P2P link. What u recommend?

Location A --> PDC Wins Server
+LDAP server
Location B --> BDC
+LDAP server
smb.conf to point to local ldap servers.
?

Them, u say 1 wins to rule them all I have to work with this.

Thanks!!!

--
LIving the dream...
Re: [Samba] SMB2 Negotiate Request
On Fri, Jan 21, 2011 at 02:51:42PM -0800, Mike Smith wrote:
> Entered on Bugzilla, #7931.

Thanks. I'll take care of it for 3.6.0 final.

Jeremy.
Re: [Samba] SMB2 Negotiate Request
Entered on Bugzilla, #7931.

On 11-01-20 11:24 AM, Jeremy Allison wrote:

On Wed, Jan 19, 2011 at 05:51:45PM -0800, Mike Smith wrote:

Thanks for the reply. I have set "max protocol = smb2" and I can use the SMB2 protocol fine. I'll try and explain my issue better:

When I say "negotiate request" I am talking about the packets that are sent between the client and server. The SMB2 protocol is driven by requests from the client and responses from the server. The very first packet that is sent from client to server contains a header and a message (SMB2_NEGOTIATE) that tells the server what dialects of the protocol the client understands.

When I send this packet the samba server does not respond to it, and I time out. Windows 7 responds to this packet as expected. If I use a SMB packet (instead of SMB2) and use that to negotiate a SMB2 connection, it will work, but what I want to know is if there is a reason it's not responding to the SMB2 packet as it (apparently) should.

Can you test this against v3-6-test please ? If it still fails report as a bug in bugzilla and I'll get it fixed asap. SMB2 isn't really supported in 3.5.x, 3.6.0 will be the first production release with complete SMB2 support.

Thanks,
Jeremy.
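The two negotiation paths described in this message, as an added example (not code from Samba or from the poster): it builds a constructed SMB1 multi-protocol negotiate and a direct SMB2 NEGOTIATE request, then classifies each from its raw bytes, as a capture filter or a server test harness would. Header layouts follow MS-SMB and MS-SMB2; the dialect lists, flag values and client GUID are sample values.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB2_DIALECTS = {0x0202: "SMB 2.002", 0x0210: "SMB 2.1"}


def frame(msg):
    """Direct-TCP transport header: a zero byte plus a 24-bit big-endian length."""
    return struct.pack(">I", len(msg)) + msg  # sample messages are far below 2**24


def build_smb1_negotiate(dialects):
    """SMB1 NEGOTIATE (command 0x72) carrying dialect strings."""
    # 32-byte header: magic, command, status, flags, flags2, PIDHigh,
    # 8-byte security features, reserved, TID, PIDLow, UID, MID.
    header = struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, 0x72, 0, 0x18, 0xC801,
                         0, b"\0" * 8, 0, 0xFFFF, 0, 0, 0)
    data = b"".join(b"\x02" + d.encode("ascii") + b"\0" for d in dialects)
    # WordCount = 0, then ByteCount and the dialect strings.
    return frame(header + struct.pack("<BH", 0, len(data)) + data)


def build_smb2_negotiate(dialects):
    """Direct SMB2 NEGOTIATE (command 0) carrying 16-bit dialect codes."""
    # 64-byte header: magic, StructureSize, CreditCharge, Status, Command,
    # Credits, Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, Signature.
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, 0, 1, 0, 0,
                         0, 0, 0, 0, b"\0" * 16)
    # 36-byte fixed part: StructureSize, DialectCount, SecurityMode, Reserved,
    # Capabilities, ClientGuid (sample), ClientStartTime.
    body = struct.pack("<HHHHI16sQ", 36, len(dialects), 1, 0, 0, bytes(range(16)), 0)
    body += b"".join(struct.pack("<H", d) for d in dialects)
    return frame(header + body)


def classify_negotiate(payload):
    """Return (kind, dialects) for the first client packet of an SMB session."""
    if len(payload) < 8 or payload[0] != 0:
        return ("not-smb", [])
    length = int.from_bytes(payload[1:4], "big")
    msg = payload[4:4 + length]
    if len(msg) < length:
        return ("truncated", [])
    if msg[:4] == SMB1_MAGIC:
        if len(msg) < 35 or msg[4] != 0x72:
            return ("smb1-other", [])
        byte_count = struct.unpack_from("<H", msg, 33)[0]
        raw = msg[35:35 + byte_count]
        names = [p[1:].decode("ascii", "replace")
                 for p in raw.split(b"\0") if p[:1] == b"\x02"]
        # An SMB1 negotiate that lists "SMB 2.xxx" strings asks the server to
        # answer in SMB2: the path the poster reports as working.
        multi = any(n.startswith("SMB 2.") for n in names)
        return ("smb1-multiprotocol" if multi else "smb1-only", names)
    if msg[:4] == SMB2_MAGIC:
        if len(msg) < 100:
            return ("truncated", [])
        if struct.unpack_from("<H", msg, 12)[0] != 0:
            return ("smb2-other", [])
        count = struct.unpack_from("<H", msg, 66)[0]
        if len(msg) < 100 + 2 * count:
            return ("truncated", [])
        codes = struct.unpack_from("<%dH" % count, msg, 100)
        # The path the poster reports as unanswered by the server under test.
        return ("smb2-direct", [SMB2_DIALECTS.get(c, "0x%04X" % c) for c in codes])
    return ("not-smb", [])


if __name__ == "__main__":
    print(classify_negotiate(build_smb1_negotiate(["NT LM 0.12", "SMB 2.002"])))
    print(classify_negotiate(build_smb2_negotiate([0x0202, 0x0210])))
```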
Re: [Samba] Problems with a trust relation between samba and samba different subnet
On Fri, Jan 21, 2011 at 10:46 AM, wrote:
> My friends I want to make two domains running samba+ldap to share
> resources, I want to create a trust relation in two directions. Both
> domains have wins enable but are on different subnet.
>
> MUST use the same WINS server for trusts to work. Why have two domains?
>
> Domain Name: DOM1 Netbios Name = DOM1PDC 192.168.50.0/24
> Domain Name: DOM2 Netbios Name = DOM2PDC 192.168.40.0/24
>
> Both networks are separate, each one with his own switch, a FW is what
> help me they can communicate.
>
> OS: Centos 5.5
> Samba 3.3.x.
>
> First, I follow the instructions from the bible of samba and say that
> I need to create the Interdomain account on each network:
>
> smbldap-useradd -a -i DOMAIN-NAME
>
> Done.
>
> smbldap-usershow I have the I flag on each account.
>
> I have enable the ports in my fw to communicate both domains, done.
>
> Now when I run the command:
>
> net rpc trustdom establish DOM1 on PDC DOM2 I got the error
>
> net rpc trustdom establish DOM1 running on PDC DOM2
>
> [2011/01/21 07:17:16, 0] libsmb/namequery.c:internal_resolve_name(1609)
>   resolve_name: unknown name switch type lmhost
> [2011/01/21 07:17:16, 0] utils/net_rpc.c:rpc_trustdom_establish(5565)
>   Couldn't find domain controller for domain DOM1
>
> Some search pages point me that in this case I need to setup the file
> lmhosts to make this happen because no service is helping my PDC to
> reach the other end, I read the MS KB where it say how to setup a
> LMHOSTS and have this
> on my PDC DOM2:
>
> 127.0.0.1 localhost
> 192.168.50.3 "DOM1 \0x1b" #PRE
> 192.168.50.3 DOM1PDC #PRE #DOM:DOM1
>
> on DOM1 I have
>
> 192.168.40.3 "DOM2 \0x1b" #PRE
> 192.168.40.3 DOM2PDC #PRE #DOM:DOM2
>
> In samba smb.conf I have:
>
> hosts allow = 192.168.40. 192.168.50. 127.
> name resolve order = wins hosts bcast lmhost
>
> nsswitch have the line:
>
> hosts: files wins dns
>
> I try again and in DOM1 PDC:
>
> net rpc trustdom establish DOM2
>
> [2011/01/21 07:22:13, 0] libsmb/namequery.c:internal_resolve_name(1609)
>   resolve_name: unknown name switch type lmhost
> [2011/01/21 07:22:13, 0] utils/net_rpc.c:rpc_trustdom_establish(5565)
>   Couldn't find domain controller for domain DOM2
>
> There is something I forget to setup or what I'm doing wrong, hope
> some could give some tips and point my errors, I will appreciated,
> thanks!!!
>
> --
> LIving the dream...

Two domains.
Well this is a test systems.
But my current production system are separate by a P2P link. What u recommend?

Location A --> PDC Wins Server
Location B --> BDC
?

Them, u say 1 wins to rule them all I have to work with this.

Thanks!!!

--
LIving the dream...
Re: [Samba] Permission to access shared folders on XP client
2011/1/21 Alex Crow
> In that case why not use the Domain users/groups to assign the permissions
> to said shares? They should still be available on the XP machines.

That is the question. I add some users to the domain admins, and that users can't access to any xp shared folder. Why can happen that?

thanks and regards.
Re: [Samba] Possible bug in nss_winbind with ad backend and rfc2307
More info on this topic:

Without giving my AD domain's Domain Users group an Unix gid, getent passwd enumerates no AD users. With the Domain Users group having a gid in the range of the idmap config range, I do get my users enumerated with a getent passwd.

In winbindd.log, for each cached user with rfc2307 information, it logs for nss_get_info_cached:

result: homedir = '/home/user' shell = '/bin/bash' gecos = '(null)' (because I'm not using gecos attrib) gid = '6'

but the getent passwd result is

user:*:10043:12011:User Name:/home/user:/bin/bash

where 12011 is the gid I gave to "Domain Users." rfc2307 should have returned gid 6 as per the nss_get_info_cached result.

If I do:

getent passwd user

the result is:

user:*:10043:6:User Name:/home/user:/bin/bash

as it should be. gid 6 is a local group, not an AD-defined group, so as not to depend on AD for filesystem group ownership/permissions.

If getent passwd doesn't enumerate the user data with the user having the proper default group, they will not inherit the proper permissions.

> -Original Message-
> From: Jim Stalewski
> Sent: Thursday, January 20, 2011 7:26 PM
> To: samba@lists.samba.org
> Subject: [Samba] Possible bug in nss_winbind with ad backend
> and rfc2307
>
> I ran some tests to see why getent passwd was not enumerating
> my domain users and discovered this:
>
> If I getent passwd it returns the user information
> including the primary group defined in the Unix attributes.
> If I add a Unix GID in the idmap config range to the domain's
> Domain Users group and getent passwd, it returns all of my
> domain users with all of the Unix attributes as defined in AD
> for them, BUT it replaces the primary group GID with the GID
> I defined for the Domain Users group.
>
> Apparently, some genius decided that the best way to look up
> users in AD is by membership in "Domain Users" rather than
> iterating through the directory looking for users that have
> rfc2307 attributes defined, totally ignoring the rfc2307
> group attribute on the user objects.
>
> The suspected bug is that it is not using the rfc2307 primary
> GID attribute, but rather is defaulting the "Domain Users"
> group as the primary group for all users regardless of the
> rfc2307 attributes.
>
> Is there a way to force Winbind not to use the Domain Users
> group as the primary group for the winbindd_getpwent process,
> so it returns the
> rfc2307 group attribute as it used to / should? Or do I have
> to redo all of my group file ownership/permissions on all of
> my servers to match "Domain Users" for some ungodly reason?
>
> Currently running Samba 3.4.3 on SLES 11.1, and
> authenticating against Windows 2003R2 AD, but I suspect this
> same bug/feature was introduced with the idmap changes in
> 3.30 and above so should apply to all versions above 3.30. I
> don't know if the same logic is being used in v4 winbind
> idmap process...
Re: [Samba] idmap troubles with any version 3.30 or later
Michael,

Thanks for the response.

As to the other symlinks question referenced in this, please disregard. I believe I have a handle on what is causing my troubles, and have posted my theory in another thread. I believe it has something to do with libnss_winbind.so.2 (or a component thereof) looking by default for a group called "Domain Users" with an Unix GID, and only iterating members of said group, instead of simply looking for users with RFC2307 attributes populated as it used to do pre 3.30.

If that's the case, it would have been nice to have something in a wiki or help or man page explaining that specific aspect of the change to idmap functionality, at the very least.

There's still a flaw with that process regardless, which I will follow in the other thread.

Thanks again,

Jim.

-Original Message-
From: Michael Adam [mailto:ob...@samba.org]
Sent: Friday, January 21, 2011 5:53 AM
To: Jim Stalewski
Cc: samba@lists.samba.org
Subject: Re: [Samba] idmap troubles with any version 3.30 or later

Hi Jim,

Jim Stalewski wrote:
> Hello list.
>
> The issue I have is that with the changes made to the idmap
> functionality of winbind, as regards the enumeration of rfc2307 users
> and groups using getent passwd and getent group, only those AD users
> that are not in the domains included in the "idmap config (domain)"
> statements (the ones in trusted domains that get their ID mappings
> auto-assigned by the TDB backend with id's in the idmap uid / gid
> ranges) get enumerated. The ones that have the RFC2307 attributes
> defined within the idmap group (domain) range statements will return
> their uid/gid/homedir/shell info only if you specify "getent passwd
> (username)" but they do not enumerate with a "getent passwd." Same
> with getent group (groupname) vs getent group.

If this is a case, then it is a bug and needs fixing. There have been bugs with enumeration in the past and I need to go recheck bugzilla. Maybe such bug reappeared or there is a fix that is not yet in the versions you tested. Otherwise, we need to file a new bug.

Could you be more precise and send your smb.conf file and indicate for which of the idmap configs listed, users are not enumerated?

> I have had to create the symlinks in /usr/lib and /usr/lib64 for the
> /lib/nss_winbind.so.2, /lib/nss_wins.so.2, /lib64/nss_winbind.so.2 and
> /lib64/nss_wins.so.2 libs manually because the installer did not
> create them for me, and until I did so, getent passwd and getent group
> only displayed the local /etc/passwd and /etc/group entries.

Hm, so you compiled and installed samba manually? This can also be considered a bug. Usually, on linux, this is taken care of by the distribution packagers in the RPMs /.debs and whatnot. This may be the reason why this did not pop up prominently yet.

Could provide more info about your system? OS, version, architecture, build system, ...

> Question - are there any other symlinks that should be created for any
> other aspect of the nss idmap functionality that may not have been
> created by the install process, that would be breaking the user /
> group enumeration functionality of nss_winbind.so, and if so, what
> libs need to be symlinked to which folders using what names?

This question is too general instead. Usually each component providing nss backends should take care of installing the correct libs/symlinks in its installer itself. If you are manually installing samba, then you might have to There should Could you paste your /etc/nsswitch.conf ?

Best regards, Michael

> I have tried version 3.3x, 3.4.3 and 3.5.4 all with the same lack of
> results from getent passwd and getent group but it functioned properly
> under 3.2.7, so it can't be
>
> Thanks in advance,
>
> Jim.
>
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender and delete it. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company.
> No employee or agent is authorized to conclude any binding agreement on behalf of Visa Lighting with another party by email without express written confirmation by an authorized representative of the Company.
> Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
[Samba] ANNOUNCE: cifs-utils release 4.8.1 available for download
It turns out that the 4.8 release had some mis-generated autoconf files. In particular, the aclocal files for libcap-ng were not properly included. This would lead to mount.cifs not being built with support for dropping capabilities via libcap-ng.

This minor release fixes that and only that. People who install mount.cifs as a setuid root program should consider upgrading (unless they did an autoreconf or similar at build time).

webpage: http://linux-cifs.samba.org/cifs-utils/
tarball: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git: git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed changelog:

commit eb0f1cad7ed85e9d98fef4f8dfbecdac67477e76
Author: Jeff Layton
Date: Wed Jan 19 21:04:14 2011 -0500

    autoconf: bump release to 4.8.1

    The 4.8 release had mis-generated autoconf files (they didn't include
    the libcap-ng autoconf goop). 4.8.1 will have that fixed.

    Signed-off-by: Jeff Layton

--
Jeff Layton
Re: [Samba] Problems with a trust relation between samba and samba different subnet
My friends I want to make two domains running samba+ldap to share resources, I want to create a trust relation in two directions. Both domains have wins enable but are on different subnet.

MUST use the same WINS server for trusts to work. Why have two domains?

Domain Name: DOM1 Netbios Name = DOM1PDC 192.168.50.0/24
Domain Name: DOM2 Netbios Name = DOM2PDC 192.168.40.0/24

Both networks are separate, each one with his own switch, a FW is what help me they can communicate.

OS: Centos 5.5
Samba 3.3.x.

First, I follow the instructions from the bible of samba and say that I need to create the Interdomain account on each network:

smbldap-useradd -a -i DOMAIN-NAME

Done.

smbldap-usershow I have the I flag on each account.

I have enable the ports in my fw to communicate both domains, done.

Now when I run the command:

net rpc trustdom establish DOM1 on PDC DOM2 I got the error

net rpc trustdom establish DOM1 running on PDC DOM2

[2011/01/21 07:17:16, 0] libsmb/namequery.c:internal_resolve_name(1609)
  resolve_name: unknown name switch type lmhost
[2011/01/21 07:17:16, 0] utils/net_rpc.c:rpc_trustdom_establish(5565)
  Couldn't find domain controller for domain DOM1

Some search pages point me that in this case I need to setup the file lmhosts to make this happen because no service is helping my PDC to reach the other end, I read the MS KB where it say how to setup a LMHOSTS and have this on my PDC DOM2:

127.0.0.1 localhost
192.168.50.3 "DOM1 \0x1b" #PRE
192.168.50.3 DOM1PDC #PRE #DOM:DOM1

on DOM1 I have

192.168.40.3 "DOM2 \0x1b" #PRE
192.168.40.3 DOM2PDC #PRE #DOM:DOM2

In samba smb.conf I have:

hosts allow = 192.168.40. 192.168.50. 127.
name resolve order = wins hosts bcast lmhost

nsswitch have the line:

hosts: files wins dns

I try again and in DOM1 PDC:

net rpc trustdom establish DOM2

[2011/01/21 07:22:13, 0] libsmb/namequery.c:internal_resolve_name(1609)
  resolve_name: unknown name switch type lmhost
[2011/01/21 07:22:13, 0] utils/net_rpc.c:rpc_trustdom_establish(5565)
  Couldn't find domain controller for domain DOM2

There is something I forget to setup or what I'm doing wrong, hope some could give some tips and point my errors, I will appreciated, thanks!!!

--
LIving the dream...
Re: [Samba] Problems with a trust relation between samba and samba different subnet
I have successfully created trust relationships with Samba 3.3.8 on CentOS 5.5.

My /etc/samba/lmhosts file on both PDCs looks similar to the following:

127.0.0.1 localhost
10.208.7.198 server1.domain.br#20
10.208.7.198 server1#20
10.208.7.198 df-cgu#1b
10.208.7.198 df-cgu#1c
10.208.38.2 server2.domain.br#20
10.208.38.2 server2#20
10.208.38.2 ac-cgu#1b
10.208.38.2 ac-cgu#1c

where server1 is the PDC for domain df-cgu and server2 is the PDC for domain AC-CGU

Hope this helps.

On 01/21/2011 01:25 PM, Alberto Moreno wrote:

Hi, well once u try lot and no good result is time to ask.

My friends I want to make two domains running samba+ldap to share resources, I want to create a trust relation in two directions. Both domains have wins enable but are on different subnet.

Domain Name: DOM1 Netbios Name = DOM1PDC 192.168.50.0/24
Domain Name: DOM2 Netbios Name = DOM2PDC 192.168.40.0/24

Both networks are separate, each one with his own switch, a FW is what help me they can communicate.

OS: Centos 5.5
Samba 3.3.x.

First, I follow the instructions from the bible of samba and say that I need to create the Interdomain account on each network:

smbldap-useradd -a -i DOMAIN-NAME

Done.

smbldap-usershow I have the I flag on each account.

I have enable the ports in my fw to communicate both domains, done.

Now when I run the command:

net rpc trustdom establish DOM1 on PDC DOM2 I got the error

net rpc trustdom establish DOM1 running on PDC DOM2

[2011/01/21 07:17:16, 0] libsmb/namequery.c:internal_resolve_name(1609)
  resolve_name: unknown name switch type lmhost
[2011/01/21 07:17:16, 0] utils/net_rpc.c:rpc_trustdom_establish(5565)
  Couldn't find domain controller for domain DOM1

Some search pages point me that in this case I need to setup the file lmhosts to make this happen because no service is helping my PDC to reach the other end, I read the MS KB where it say how to setup a LMHOSTS and have this on my PDC DOM2:

127.0.0.1 localhost
192.168.50.3 "DOM1 \0x1b" #PRE
192.168.50.3 DOM1PDC #PRE #DOM:DOM1

on DOM1 I have

192.168.40.3 "DOM2 \0x1b" #PRE
192.168.40.3 DOM2PDC #PRE #DOM:DOM2

In samba smb.conf I have:

hosts allow = 192.168.40. 192.168.50. 127.
name resolve order = wins hosts bcast lmhost

nsswitch have the line:

hosts: files wins dns

I try again and in DOM1 PDC:

net rpc trustdom establish DOM2

[2011/01/21 07:22:13, 0] libsmb/namequery.c:internal_resolve_name(1609)
  resolve_name: unknown name switch type lmhost
[2011/01/21 07:22:13, 0] utils/net_rpc.c:rpc_trustdom_establish(5565)
  Couldn't find domain controller for domain DOM2

There is something I forget to setup or what I'm doing wrong, hope some could give some tips and point my errors, I will appreciated, thanks!!!
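Added example, not part of either post and not Samba's own code: a pre-flight check for the two files discussed in this thread. It compares the `name resolve order` tokens against the values documented in smb.conf(5) (lmhosts, host, wins, bcast), which catches the `lmhost` token named in the log, and it separates lmhosts lines in the `NAME#XX` form used by the working file above from lines that need a manual look. Assumptions: `hosts` is treated as accepted because the log on this page rejects only `lmhost`; the "rewritten" lmhosts is a constructed sample that reuses the poster's addresses.

```python
import difflib
import ipaddress
import re

# Values documented for "name resolve order" in smb.conf(5).
DOCUMENTED = ["lmhosts", "host", "wins", "bcast"]
# Assumption: "hosts" is accepted too, since the log on this page rejects only "lmhost".
TOLERATED = ["hosts"]

# Entry form used by the working file in the reply: IP, then NAME or NAME#XX (hex type).
ENTRY_RE = re.compile(r'^(\S+)\s+([^\s"#]+)(?:#([0-9A-Fa-f]{2}))?\s*$')

# The smb.conf fragment and lmhosts file as posted on the DOM2 PDC.
POSTED_SMB_CONF = """[global]
    hosts allow = 192.168.40. 192.168.50. 127.
    name resolve order = wins hosts bcast lmhost
"""
POSTED_LMHOSTS = r'''127.0.0.1 localhost
192.168.50.3 "DOM1 \0x1b" #PRE
192.168.50.3 DOM1PDC #PRE #DOM:DOM1
'''
# Constructed sample: the same hosts written in the NAME#XX form of the reply.
REWRITTEN_LMHOSTS = """127.0.0.1 localhost
192.168.50.3 DOM1PDC#20
192.168.50.3 DOM1#1b
192.168.50.3 DOM1#1c
"""


def check_name_resolve_order(smb_conf_text):
    """Return [(bad_token, suggestion_or_None)] for 'name resolve order' lines."""
    problems = []
    for line in smb_conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", ";")) or "=" not in stripped:
            continue
        key, value = stripped.split("=", 1)
        if " ".join(key.lower().split()) != "name resolve order":
            continue
        for token in value.replace(",", " ").split():
            if token.lower() in DOCUMENTED + TOLERATED:
                continue
            close = difflib.get_close_matches(token.lower(), DOCUMENTED, n=1)
            problems.append((token, close[0] if close else None))
    return problems


def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def check_lmhosts(text):
    """Return (entries, review): (ip, name, type) tuples and (lineno, line) leftovers."""
    entries, review = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = ENTRY_RE.match(stripped)
        if match is None or not is_ipv4(match.group(1)):
            # Quoted names, "\0x1b" escapes, #PRE and #DOM: markers end up here.
            review.append((lineno, stripped))
            continue
        name_type = match.group(3).lower() if match.group(3) else None
        entries.append((match.group(1), match.group(2), name_type))
    return entries, review


def domain_record_types(entries, domain):
    """NetBIOS types present for a domain name; the working file has 1b and 1c."""
    return sorted({t for _, name, t in entries if t and name.lower() == domain.lower()})


if __name__ == "__main__":
    print(check_name_resolve_order(POSTED_SMB_CONF))
    for label, text in (("posted", POSTED_LMHOSTS), ("rewritten", REWRITTEN_LMHOSTS)):
        parsed, leftover = check_lmhosts(text)
        print(label, domain_record_types(parsed, "DOM1"), leftover)
```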
[Samba] Problems with a trust relation between samba and samba different subnet
Hi, well once u try lot and no good result is time to ask.

My friends I want to make two domains running samba+ldap to share resources, I want to create a trust relation in two directions. Both domains have wins enable but are on different subnet.

Domain Name: DOM1 Netbios Name = DOM1PDC 192.168.50.0/24
Domain Name: DOM2 Netbios Name = DOM2PDC 192.168.40.0/24

Both networks are separate, each one with his own switch, a FW is what help me they can communicate.

OS: Centos 5.5
Samba 3.3.x.

First, I follow the instructions from the bible of samba and say that I need to create the Interdomain account on each network:

smbldap-useradd -a -i DOMAIN-NAME

Done.

smbldap-usershow I have the I flag on each account.

I have enable the ports in my fw to communicate both domains, done.

Now when I run the command:

net rpc trustdom establish DOM1 on PDC DOM2 I got the error

net rpc trustdom establish DOM1 running on PDC DOM2

[2011/01/21 07:17:16, 0] libsmb/namequery.c:internal_resolve_name(1609)
  resolve_name: unknown name switch type lmhost
[2011/01/21 07:17:16, 0] utils/net_rpc.c:rpc_trustdom_establish(5565)
  Couldn't find domain controller for domain DOM1

Some search pages point me that in this case I need to setup the file lmhosts to make this happen because no service is helping my PDC to reach the other end, I read the MS KB where it say how to setup a LMHOSTS and have this on my PDC DOM2:

127.0.0.1 localhost
192.168.50.3 "DOM1 \0x1b" #PRE
192.168.50.3 DOM1PDC #PRE #DOM:DOM1

on DOM1 I have

192.168.40.3 "DOM2 \0x1b" #PRE
192.168.40.3 DOM2PDC #PRE #DOM:DOM2

In samba smb.conf I have:

hosts allow = 192.168.40. 192.168.50. 127.
name resolve order = wins hosts bcast lmhost

nsswitch have the line:

hosts: files wins dns

I try again and in DOM1 PDC:

net rpc trustdom establish DOM2

[2011/01/21 07:22:13, 0] libsmb/namequery.c:internal_resolve_name(1609)
  resolve_name: unknown name switch type lmhost
[2011/01/21 07:22:13, 0] utils/net_rpc.c:rpc_trustdom_establish(5565)
  Couldn't find domain controller for domain DOM2

There is something I forget to setup or what I'm doing wrong, hope some could give some tips and point my errors, I will appreciated, thanks!!!

--
LIving the dream...
Re: [Samba] fetch passwords from AD and group membership from /etc/group
Hi,

> >> While you need not run winbindd if you want to use Active Directory
> >> for authentication, if you need to run, idmap_nss map help you?
> >
> > i want to use winbind to be able to log in just by providing the
> > accountname, not domainname\accountname.
>
> "winbind use default domain = yes" is what you want ?

logging in with only username not domainname\username already works fine. The missing part is that users cannot delete files in shares which are created by other users from the same unix group although the group has write permissions. This starts working as soon as i switch winbind off, but then the domainname needs to be given during login, therefore i need change winbinds behavior.

what i do not understand is that the logs show "connected to service xy ... as user abc (uid=n gid=m)" but the user still has problems deleting files although its gid seems right according to the logfile.

Any more hints?

Marius
Re: [Samba] fetch passwords from AD and group membership from /etc/group
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 20/01/2011, at 19:29, marius klausen wrote: > Hi List, > > I want to use Active Directory for my samba users passwords and /etc/group > for storing group membership. > > /etc/nsswitch.conf looks like: > > group: file > > Problem: the tests i ran show that the samba server does not know about group > membership (deleting file from other user belonging to the same group > fails). The same test works as expectet when winbindd is switched off. What > do i have to do to fix this while having winbindd running? > It wont know anything about your groups at all with NSSwitch like this. You need to make it group: files winbind OR configure NSS_LDAP and make it group: files ldap Samba4 (And active directory on windows also) supports posix schemas in its ldap objects by default, so using the samba-tool group add , then doing an object modification on that in ldap to add your needed posix data is the most robust way (since GID's will be consistent and controllable on all workstations) Just be aware that AD does not allow anonymous reads, so your NSS_LDAP will need to be setup with a user account (preferably unprivileged) to read the ldap tree. You will need a Domain Admin account to actually do the modify operation also. > Regards, Marius > -- > Empfehlen Sie GMX DSL Ihren Freunden und Bekannten und wir > belohnen Sie mit bis zu 50,- Euro! https://freundschaftswerbung.gmx.de > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba William Brown Research & Teaching, Technology Services The University of Adelaide, AUSTRALIA 5005 CRICOS Provider Number 00123M - - IMPORTANT: This message may contain confidential or legally privileged information. If you think it was sent to you by mistake, please delete all copies and advise the sender. For the purposes of the SPAM Act 2003, this email is authorised by The University of Adelaide. 
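Added example, not part of the thread: a shell check for the nsswitch.conf point made in the reply above. It lists the sources configured for a database and flags any source that has no matching libnss_<source>.so.2 in the directories passed to it; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and file contents are constructed.

# nss_sources DB [FILE]: print the sources listed for DB, in lookup order.
nss_sources() {
    # Strip comments and [STATUS=action] items, then split the first
    # matching "DB:" line on blanks.
    sed -e 's/#.*//' -e 's/\[[^]]*\]/ /g' "${2:-/etc/nsswitch.conf}" |
    awk -v db="$1" '
        index($0, ":") > 0 {
            key = substr($0, 1, index($0, ":") - 1)
            gsub(/[ \t]/, "", key)
            if (key != db) next
            n = split(substr($0, index($0, ":") + 1), src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] != "") print src[i]
            exit
        }'
}

# nss_missing_modules DB FILE DIR...: print each source of DB that has no
# libnss_<source>.so.2 in any DIR (glibc loads a source from that file name).
nss_missing_modules() {
    db=$1; file=$2; shift 2
    for s in $(nss_sources "$db" "$file"); do
        found=no
        for d in "$@"; do
            if [ -e "$d/libnss_$s.so.2" ]; then found=yes; fi
        done
        [ "$found" = yes ] || echo "$s"
    done
}

# nss_demo: run both checks on constructed files in a scratch directory.
nss_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/lib"
    : > "$tmp/lib/libnss_files.so.2"     # empty stand-ins for the modules
    : > "$tmp/lib/libnss_winbind.so.2"
    printf 'group: file\n' > "$tmp/before.conf"
    printf 'group: files [NOTFOUND=continue] winbind  # local first\n' > "$tmp/after.conf"
    for f in before after; do
        echo "$f: sources: $(nss_sources group "$tmp/$f.conf" | tr '\n' ' ')"
        echo "$f: no module for: $(nss_missing_modules group "$tmp/$f.conf" "$tmp/lib" | tr '\n' ' ')"
    done
    rm -rf "$tmp"
}

nss_demo
```

On a real host, pass /etc/nsswitch.conf and the system library directories (for example /lib /lib64 /usr/lib /usr/lib64, plus the distribution's multiarch directory if it has one) to nss_missing_modules.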
Re: [Samba] fetch passwords from AD and group membership from /etc/group
2011/1/21 marius klausen :

> Hi Takahashi,
>
>> While you need not run winbindd if you want to use Active Directory
>> for authentication, if you need to run, idmap_nss may help you?
>
> I want to use winbind to be able to log in just by providing the accountname,
> not domainname\accountname.

"winbind use default domain = yes" is what you want?

---
TAKAHASHI Motonobu
Re: [Samba] [samba] is mandatory to execute smb service before that nmb?
Hi,

it is better to start nmbd before smbd. Also start winbindd before smbd.

Cheers - Michael

sisu . wrote:

> Hi group,
>
> Does anybody know if it is mandatory to execute smb service before that nmb?
>
> I searched for it in samba's official doc and I didn't find anything, it's just
> to be sure.
>
> Thanks a lot.
Re: [Samba] Permission to access shared folders on XP client
On 20/01/11 17:14, PedroTron wrote:

> Hi.
>
> I have a samba PDC on lenny, using roaming profiles. All works fine, but I have a question.
> Some stations need to share folders with other stations, but I don't know how to permit access
> only to some users to those shared folders. All the permissions work fine on the samba shared
> folders, for group users; but if I need to share from XP, the users can't access that.
>
> For example: a user in the Human Resources dept needs to share some local folders only with
> users of the same dept. How can I permit that from samba? I can't create local users to manage
> the permissions, because all use roaming profiles, so I can't depend on the local users.
>
> Thanks and regards.

In that case why not use the Domain users/groups to assign the permissions to said shares? They should still be available on the XP machines.

Alex
[Samba] [samba] is mandatory to execute smb service before that nmb?
Hi group,

Does anybody know if it is mandatory to execute smb service before that nmb?

I searched for it in samba's official doc and I didn't find anything, it's just to be sure.

Thanks a lot.
Re: [Samba] idmap troubles with any version 3.30 or later
Hi Jim,

Jim Stalewski wrote:

> Hello list.
>
> The issue I have is that with the changes made to the idmap
> functionality of winbind, as regards the enumeration of rfc2307 users
> and groups using getent passwd and getent group, only those AD users
> that are not in the domains included in the "idmap config (domain)"
> statements (the ones in trusted domains that get their ID mappings
> auto-assigned by the TDB backend with id's in the idmap uid / gid
> ranges) get enumerated. The ones that have the RFC2307 attributes
> defined within the idmap group (domain) range statements will return
> their uid/gid/homedir/shell info only if you specify "getent passwd
> (username)" but they do not enumerate with a "getent passwd." Same with
> getent group (groupname) vs getent group.

If this is the case, then it is a bug and needs fixing. There have been bugs with enumeration in the past and I need to go recheck bugzilla. Maybe such a bug reappeared or there is a fix that is not yet in the versions you tested. Otherwise, we need to file a new bug.

Could you be more precise and send your smb.conf file and indicate for which of the idmap configs listed, users are not enumerated?

> I have had to create the symlinks in /usr/lib and /usr/lib64 for the
> /lib/nss_winbind.so.2, /lib/nss_wins.so.2, /lib64/nss_winbind.so.2 and
> /lib64/nss_wins.so.2 libs manually because the installer did not create
> them for me, and until I did so, getent passwd and getent group only
> displayed the local /etc/passwd and /etc/group entries.

Hm, so you compiled and installed samba manually? This can also be considered a bug. Usually, on linux, this is taken care of by the distribution packagers in the RPMs / .debs and whatnot. This may be the reason why this did not pop up prominently yet.

Could you provide more info about your system? OS, version, architecture, build system, ...

> Question - are there any other symlinks that should be created for any
> other aspect of the nss idmap functionality that may not have been
> created by the install process, that would be breaking the user / group
> enumeration functionality of nss_winbind.so, and if so, what libs need
> to be symlinked to which folders using what names?

This question is too general instead. Usually each component providing nss backends should take care of installing the correct libs/symlinks in its installer itself. If you are manually installing samba, then you might have to There should

Could you paste your /etc/nsswitch.conf?

Best regards, Michael

> I have tried version 3.3x, 3.4.3 and 3.5.4 all with the same lack of
> results from getent passwd and getent group but it functioned properly
> under 3.2.7, so it can't be
>
> Thanks in advance,
>
> Jim.
Re: [Samba] fetch passwords from AD and group membership from /etc/group
Hi Takahashi,

> While you need not run winbindd if you want to use Active Directory
> for authentication, if you need to run, idmap_nss may help you?

I want to use winbind to be able to log in just by providing the accountname, not domainname\accountname.

I now added the following to my smb.conf:

    idmap domains = MYDOMAIN
    idmap uid = 6000-61000
    idmap gid = 100-3000
    idmap config MYDOMAIN: backend = nss

which does not change anything so far (smb+winbind restarted). The uid/gid ranges cover values which are given to the account in /etc/passwd /etc/group - maybe that is wrong?

best regards,
Marius