Re: [Samba] How to samba ldap and ssl
On 04/08/2011 08:04, Ander Punnar wrote:

> in debian.
>
> Since slapd is compiled with GnuTLS in Debian, you will run into problems (I did):
> http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
>
> I recompiled Debian openldap source package with openssl.
>
> # apt-get build-dep openldap
> # apt-get source openldap
> # apt-get install libssl-dev
>
> cd to openldap source dir
> edit debian/configure.options
> find "--with-tls", and change it to "--with-tls=openssl".
>
> # dpkg-buildpackage -us -uc
>
> And then you need self-signed certs and two lines in your slapd.conf.
>
> Note: I haven't actually installed recompiled packages yet, so I don't know if it helps. But if you try it, please let me know :)

I have installed SAMBA + OpenLDAP + TLS successfully with the debian packages. There is no need to rebuild openldap from scratch.

My config :
Debian Squeeze amd64
OpenLDAP: slapd 2.4.23 (Jun 15 2011 13:31:57)
Samba v3.5.6
OpenSSL 0.9.8o 01 Jun 2010

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba4 on debian squeeze
Quoting John G. Heim (jh...@math.wisc.edu):

> I'd prefer to install from debian packages because that will make the upgrade to samba4 seamless once samba4 is in the stable repository. If I install from a tarball, it's probably not going to install stuff where debian likes it. But I figure that even a package from experimental will install most stuff where it belongs in debian. I've installed packages from experimental & unstable on systems running debian stable before but this time it doesn't work. Below is my sources.list and a screen cap of the output from the apt-get attempt:

This mostly shows that samba4 from experimental requires several packages that are not in

> The following packages have unmet dependencies:
> samba4 : Depends: libdcerpc0 but it is not going to be installed
> Depends: libgensec0 but it is not going to be installed
> Depends: libldb0 but it is not installable

*that* is the problem. samba4 packages are linked against libldb0 which is not installable.

See http://packages.qa.debian.org/s/samba4.html

I suspect that samba4 uploaded yesterday by Jelmer in experimental will solve this, but this package introduces new binary packages and is therefore waiting in the NEW queue, for being processed by Debian ftpmasters (any source package introducing binaries goes this way).
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 03.08.2011 18:43, TAKAHASHI Motonobu wrote:

> net rpc getsid

hi,

yes i did this step and just repeated it to be sure.

sudo net rpc getsid

bdc:
[sudo] password for bdc:
Storing SID S-1-5-21-3842863818-2180709222-141296495 for Domain WORKGROUP in secrets.tdb

pdc:
sudo smbldap-useradd -a test

bdc:
pdbedit -v test
Unix username:test
NT username: test
Account Flags:[UX ]
User SID: S-1-5-21-3842863818-2180709222-141296495-3174
Primary Group SID:(NULL SID)
Full Name:test
Home Directory: \\pdc\test
HomeDir Drive:H:
Logon Script: test.bat
Profile Path: \\pdc\profiles\test
Domain: BDC
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set:0
Password can change: 0
Password must change: 0
Last bad password : 0
Bad password count : 0
Logon hours : FF

I'm completely lost, as you surely mentioned :)

greetings and thanks

juergen.
Re: [Samba] R: question about groups
No, the -->2<-- 770
2 is the sticky bit for the group.
You do not need inherit acls at all

---
EDV Daniel Müller
Head of IT (Leitung EDV)
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Andrea Lanza
Sent: Wednesday, 3 August 2011 13:20
To: 'Dale Schroeder'
Cc: 'samba@lists.samba.org'
Subject: [Samba] R: question about groups

At last I succeeded in trying your solution... Perfect !

No need to do anything other apart what you said.

create mask = 2770
directory mask = 2770
force directory mode = 2770
inherit acls = Yes

when listing the dir in linux I can read:
rwxrws---
I think that "s" means the inheritance of group-acl flagged on...

Thank you very much again,
Andrea

> -Original Message-
> From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
> Sent: Friday, 29 July 2011 19:31
> To: Andrea Lanza
> Cc: 'samba@lists.samba.org'
> Subject: Re: [Samba] question about groups
>
> Andrea,
>
> How about doing 'chmod 2770 /path/to/share' and also on all existing subfolders of /path/to/share.
> In the share definition, you could also add
>
> directory mask = 2770
> force directory mode = 2770
>
> Dale
>
> On 07/29/2011 6:03 AM, Andrea Lanza wrote:
> > Hi all,
> > I have a (simple?) question about groups.
> >
> > this is my scenario:
> >
> > Windows Active directory domain
> >
> > Samba file server ADS integrated
> >
> > 2 shares on this last server (share1, share2)
> >
> > 2 groups on the AD (group1 and group2)
> >
> > First share is only fully available to group1: this is easily done
> >
> > second share is fully available to group2
> > ---
> >
> > Then I have some users belonging to both group1 and group2;
> > anyway group1 is the principal group.
> >
> > when a user of this kind create a folder or a file on the share2, the file is created
> > as "userxxx" and "group1", so being unaccessible to user on the group2.
> > (permission:770, so if one user is in group2 cannot access this file belonging to group1)
> >
> > I tried several combination of "inherit acl", "possible user" and so on, but no hope to make it works.
> >
> > How can I achieve this result ?
> >
> > And sorry if it was already answered elsewhere: I found a lot of discussion (also very old, 2003 and so on)
> > but no one helped me.
> >
> > I am running samba :
> >
> > 3.5.xxx on opensuse 11.4
> >
> > thanks in advance,
> > Andrea
Re: [Samba] Solaris Samba 3.5.8 [homes] configuration - intermittent connection failures
On Wed, Aug 03, 2011 at 01:48:03PM -0300, D G Teed wrote:

> The smbclient from a Linux client always look like this:
>
> smbclient -U myusername //myserver/homes
> Enter myusername's password:
> Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.5.8]
> tree connect failed: NT_STATUS_CONNECTION_INVALID

If you can repeat this reliably, please send a debug level 10 log of smbd while doing it.

Thanks,

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
Re: [Samba] How to samba ldap and ssl
> in debian.

Since slapd is compiled with GnuTLS in Debian, you will run into problems (I did):
http://www.openldap.org/lists/openldap-devel/200802/msg00072.html

I recompiled Debian openldap source package with openssl.

# apt-get build-dep openldap
# apt-get source openldap
# apt-get install libssl-dev

cd to openldap source dir
edit debian/configure.options
find "--with-tls", and change it to "--with-tls=openssl".

# dpkg-buildpackage -us -uc

And then you need self-signed certs and two lines in your slapd.conf.

Note: I haven't actually installed recompiled packages yet, so I don't know if it helps. But if you try it, please let me know :)

--
Sent from my PC.
Re: [Samba] Samba 3.4, Windows 7, Roaming profiles and Folder redirection
Just wanted to say thanks for the help! I've now got it working.
[Samba] samba4 on debian squeeze
I'm setting up a debian squeeze file server with NFS mounted home directories and authentication via ldap. Now I want to give Windows users access to those same home directories. I thought I'd try samba4. I figure I have nothing to lose since this is a virtual machine and if I don't like the results, I can just restore from a snapshot. It's not a production machine yet.

I'd prefer to install from debian packages because that will make the upgrade to samba4 seamless once samba4 is in the stable repository. If I install from a tarball, it's probably not going to install stuff where debian likes it. But I figure that even a package from experimental will install most stuff where it belongs in debian. I've installed packages from experimental & unstable on systems running debian stable before but this time it doesn't work. Below is my sources.list and a screen cap of the output from the apt-get attempt:

# Sources.list
deb http://debian.mirrors.tds.net/debian/ experimental main
deb http://debian.mirrors.tds.net/debian/ unstable main
# end sources.list

# apt-get install -fy samba4
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
samba4 : Depends: libdcerpc0 but it is not going to be installed
Depends: libgensec0 but it is not going to be installed
Depends: libldb0 but it is not installable
Depends: libndr-standard0 but it is not going to be installed
Depends: libndr0 but it is not going to be installed
Depends: libsamba-hostconfig0 but it is not going to be installed
Depends: libsamba-util0 but it is not going to be installed
Depends: python-samba but it is not going to be installed
Recommends: samba-ldb-tools but it is not going to be installed
[Samba] Migrate tdb to ctdb ?
Hi

I want to replace a samba AD member file and printserver to a ctdb based clustered system. Is there a chance to migrate the old TDB Files (with printer settings, winbind user mapping) to the new clustered TDB?

Regards
Hansjörg
[Samba] Cannot delete existing files in shared folder
Hi All,

We've upgraded our DC to Windows 2008 R2 from Windows 2003 recently. Since then the users cannot modify or delete the existing files in the Samba shared directories after the Samba server (samba 3.5.9) is joined to 2008 R2 DC from the windows machines, but they are able to create/modify/delete the new directories/files from the windows machines.

However, when the samba server is joined back to 2003 DC then everything is working fine. The users can do create/modify/delete the existing files and new ones from windows machines.

Any idea would be very much appreciated.

By the way here is my settings for the samba shared directory

[sqabot]
path = /home/sqabot
comment = SQAbot
read only = No
writeable = yes
browseable = yes
directory mask = 0775
create mask = 0775
oplocks = False

Thanks in advance

Anh.
Re: [Samba] SSO's availability
On 03/08/2011 10:30, Bruce Richardson wrote:

> On Tue, Aug 02, 2011 at 08:17:01PM +0200, Frédéric Bérard wrote:
> > Is it possible to configure a system of authentication based on SSO samba (and certainly ldap and lot of others things) ?
>
> Which things need to authenticate? At my current workplace, I've set up Samba with an LDAP backend. Linux machines, switches, web applications and various devices authenticate directly against the LDAP backend; Windows machines (or anything which needs Windows authentication and file services) use Samba. It all plays nicely and satisfies all our current needs. What are your needs? Do you have a specific requirement for Active Directory (or equivalent)?
>
> > Is it possible to do this without any windows's system which act as any authority ?
>
> Absolutely.
>
> > What I mean is that I would like to do this only one linux's computer
>
> Unless your network is very small, I'd recommend using a minimum of two, so that your whole system doesn't fail because of a problem on your only domain controller.

Hello all,

In first step I want to authenticate my users to allow them to go on Internet through my squidguard which is filtering the asked request by groups without oblige the users to re-enter their login/password couple each time they send a request.

After I would like to allow all my users who works both on Windows's computers and Linux's computers with only one centralized profile.

No I have no need to any Active Directory, I don't know what that could helps to me and I don't know exactly what it is.

And my last and most important requirement, I would like to be able to do everything with Linux OS.

Thanks a lot for your answer which has confirmed me lots of things...

If you have any howto to purpose it will be very pleasant,
Re: [Samba] SSO's availability
On 02/08/2011 23:49, Nico Kadel-Garcia wrote:

> On Tue, Aug 2, 2011 at 3:05 PM, Mauricio Tavares wrote:
> > 2011/8/2 Frédéric Bérard:
> > > Hello all,
> > >
> > > I will introduce myself, I'm french, about 34 years old and works for a mechanic company. I've discovered linux in 2006 and I'm really enjoyed by all the things that can be done with.
> > >
> > > Now this is questions :
> > > Is it possible to configure a system of authentication based on SSO samba (and certainly ldap and lot of others things) ?
> > > Is it possible to do this without any windows's system which act as any authority ?
> > > What I mean is that I would like to do this only one linux's computer
> >
> > Yes if you use Samba 4 as it can be your AD server. And, if in addition to your windows boxes you make your other linux/OSX machines authenticate against it, you are all set.
> >
> > > And the last one of my questions :
> > > Could you help me ?
> >
> > Can but try, right?
> >
> > > Thanks In advance for all of your answers,
>
> Which Linux flavor? And what services are you planning to share with SSO? SSH access, web access, file access via Samba?

Hello all,

About Linux flavor maybe you want to know which OS, isn't it ? My flavor is Fedora (actually F14 and F15)

About shared services with SSO, my first step will be for squidguard's authentication, after I would like to be able have centralized profiles for my users who are able to work both on Linux and Windows. And my last step will be to uniform everything between web access, file access via samba and directly between Linux's computers.

Thanks for your help and answer,
[Samba] Solaris Samba 3.5.8 [homes] configuration - intermittent connection failures
Our Solaris 5.10 was running Samba 3.0 with ADS security against winbind and krb5.conf, and all users were able to access it from any Windows system.

Following the upgrade to a new AD server running 2008 RC2, we had to upgrade samba on most Unix systems. On Solaris, the new version was 3.5.8 from Sun.

I found more config options were required to get the [homes] section to succeed, although I can't say it is 100% correct, because the mounted drive intermittently disconnects and reconnects every little while. Multiple users report this so it can't be just my Windows client. Also, smbclient from remote system will never connect.

Here is the important stuff from the smb.conf:

[global]
workgroup = myworkgroup
server string = My Server
security = ADS
hosts allow = xxx.yyy.
log file = /var/log/samba/%m.log
max log size = 50
dns proxy = no
password server = ad.example.com
loglevel = 3
template shell = /bin/false
winbind use default domain = true
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
encrypt passwords = yes
realm = AD.EXAMPLE.COM
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
nt acl support = no
allow trusted domains = Yes

[homes]
comment = Home Directories
path = %H
browseable = yes
writable = yes
follow symlinks = yes
wide links = yes
unix extensions = no
force user = %U
valid users = MYDOMAIN\%U
guest ok = no
read only = no

myworkgroup, MYDOMAIN, xxx.yyy and example.com are obscured values, but have not changed from the former working configuration under 3.0.

Authentication doesn't appear to be the issue, as I can connect OK usually. Sometimes it requires two attempts with no changes between.

The network is working OK on the Solaris server as it is running an Oracle DB, with backup services over the network, no problems with network connectivity, ssh service, etc.

The smbclient from a Linux client always look like this:

smbclient -U myusername //myserver/homes
Enter myusername's password:
Domain=[MYDOMAIN] OS=[Unix] Server=[Samba 3.5.8]
tree connect failed: NT_STATUS_CONNECTION_INVALID

We run Samba on many Linux platforms such as Debian with 3.5.6 and the same configuration without a problem.

I've followed the log file with tail -f and see no messages associated with the temporary loss of connection.

It impacts use of mounted drives in specific ways. I can usually copy many files from the Sun server to Windows desktop, but opening a small file from say wordpad on the Sun server drive letter will fail. Writes to the share seem more problematic than reads.

I have a support ticket in with Sun/Oracle, but there might be someone on this list with ideas of what is wrong or what to test or try.
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
From: "J. Echter"
Date: Tue, 02 Aug 2011 14:12:05 +0200

> I thought im done setting domain to WORKGROUP, as its set in smbldap.conf.
>
> I don't get why smbldap tools thinks im on a domain called BDC.
>
> Would it help if i post some output from pdbedit or stuff like that? I really don't get where this error comes from.

Have you set the SID same as PDC on BDC? For example

-
bdc# net rpc getsid
Storing SID S-1-5-21-2535719703-1779805756-2758924810 for Domain DomanName in secrets.tdb
-

Remember that before running the command, you have to set smb.conf correctly as BDC.

> here's the conf of my testing smb machine:
>
> [global]
> domain master = no
> domain logons = no
> passdb backend = ldapsam:ldap://mule
> idmap backend = ldap:ldap://mule
> idmap uid = 1-15000
> idmap gid = 1-15000

You have to set "domain logons = yes" to make this machine act as BDC.

And are you running Winbind? If not, idmap backend/uid/gid does not mean anything.

> there's something wrong with my config... the successful logins are only able because the users are already there as local unix accounts.
>
> i created a new user 'test' and this one can't even login.

Have you correctly set nss-ldap on BDC? For example /etc/nss_ldap.conf

"getent passwd " on BDC shows his entry?

---
TAKAHASHI Motonobu
Re: [Samba] question about groups
On 8/3/2011 6:19 AM, Andrea Lanza wrote:

> At last I succeeded in trying your solution... Perfect !

Excellent!

> No need to do anything other apart what you said.
>
> create mask = 2770

Do you intend for all files to have the execute bit set? If not, then

create mask = 2660
force create mode = 2660

> directory mask = 2770
> force directory mode = 2770
> inherit acls = Yes
>
> when listing the dir in linux I can read:
> rwxrws---
> I think that "s" means the inheritance of group-acl flagged on...

That is correct.

Dale

> Thank you very much again,
> Andrea
>
> > -Original Message-
> > From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
> > Sent: Friday, 29 July 2011 19:31
> > To: Andrea Lanza
> > Cc: 'samba@lists.samba.org'
> > Subject: Re: [Samba] question about groups
> >
> > Andrea,
> >
> > How about doing 'chmod 2770 /path/to/share' and also on all existing subfolders of /path/to/share.
> > In the share definition, you could also add
> >
> > directory mask = 2770
> > force directory mode = 2770
> >
> > Dale
> >
> > On 07/29/2011 6:03 AM, Andrea Lanza wrote:
> > > Hi all,
> > > I have a (simple?) question about groups.
> > >
> > > this is my scenario:
> > >
> > > Windows Active directory domain
> > >
> > > Samba file server ADS integrated
> > >
> > > 2 shares on this last server (share1, share2)
> > >
> > > 2 groups on the AD (group1 and group2)
> > >
> > > First share is only fully available to group1: this is easily done
> > >
> > > second share is fully available to group2
> > > ---
> > >
> > > Then I have some users belonging to both group1 and group2;
> > > anyway group1 is the principal group.
> > >
> > > when a user of this kind create a folder or a file on the share2, the file is created
> > > as "userxxx" and "group1", so being unaccessible to user on the group2.
> > > (permission:770, so if one user is in group2 cannot access this file belonging to group1)
> > >
> > > I tried several combination of "inherit acl", "possible user" and so on, but no hope to make it works.
> > >
> > > How can I achieve this result ?
> > >
> > > And sorry if it was already answered elsewhere: I found a lot of discussion (also very old, 2003 and so on)
> > > but no one helped me.
> > >
> > > I am running samba :
> > >
> > > 3.5.xxx on opensuse 11.4
> > >
> > > thanks in advance,
> > > Andrea
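The mask arithmetic discussed in this thread, as an added example that is not part of any poster's message: it applies the documented rule (mode AND mask, then OR force mode) to the two sets of values quoted above. The starting modes before masking, the dictionary names and the omission of "inherit acls" are assumptions of this simplified model.

```python
"""Model how smb.conf mask parameters shape the modes of new files and
directories, using the values quoted in the thread (added example)."""
import stat

# Assumed starting points before masking: rw for everyone on files, plus
# owner execute when the DOS archive attribute is mapped (the default
# "map archive = yes"); rwx for everyone on directories.
FILE_BASE = 0o666 | stat.S_IXUSR
DIR_BASE = 0o777

# smb.conf defaults used when a share does not set the parameter.
DEFAULTS = {
    "create mask": "0744",
    "force create mode": "0000",
    "directory mask": "0755",
    "force directory mode": "0000",
}

# Values quoted in the thread (constructed dictionaries, hypothetical names).
ANDREA = {"create mask": "2770", "directory mask": "2770",
          "force directory mode": "2770"}
DALE = {"create mask": "2660", "force create mode": "2660",
        "directory mask": "2770", "force directory mode": "2770"}


def _octal(share, key):
    """Read one parameter as an octal mode, falling back to the default."""
    return int(share.get(key, DEFAULTS[key]), 8)


def resulting_modes(share):
    """Return (file_mode, dir_mode): bits not in the mask are removed,
    then the force bits are ORed on."""
    file_mode = (FILE_BASE & _octal(share, "create mask")) \
        | _octal(share, "force create mode")
    dir_mode = (DIR_BASE & _octal(share, "directory mask")) \
        | _octal(share, "force directory mode")
    return file_mode, dir_mode


def describe(share):
    """Return the modes the way 'ls -l' prints them."""
    file_mode, dir_mode = resulting_modes(share)
    return (stat.filemode(stat.S_IFREG | file_mode),
            stat.filemode(stat.S_IFDIR | dir_mode))


def new_entries_inherit_group(share):
    """True when new directories carry setgid, so entries created inside
    them take the directory's group instead of the creator's primary group."""
    return bool(resulting_modes(share)[1] & stat.S_ISGID)


if __name__ == "__main__":
    for label, share in (("defaults", {}), ("Andrea", ANDREA), ("Dale", DALE)):
        print(label, describe(share), new_entries_inherit_group(share))
```

A mask can only remove bits, so the setgid bit on new directories comes from "force directory mode", and the group ownership of new entries follows from that bit on the parent directory.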
Re: [Samba] Incoming External Trust
Please CC to samba@lists.samba.org

From: Aaron Clausen
Date: Tue, 26 Jul 2011 10:32:41 -0700

> On Tue, Jul 26, 2011 at 08:52, TAKAHASHI Motonobu wrote:
>
> Another question. Since the AD and Samba domains are on separate segments, I'm assuming attempt to establish the trust is going to fail because Samba cannot see the AD domain controller. How do you get around that?

You have to resolve required NetBIOS names (for example domainname#1B and domainname#1C) correctly by using WINS or LMHOSTS file. The required NetBIOS names are same as that required to establish the trust between AD and Windows NT domain.

AFAIK, you also have to create an account on AD whose name and password is same as the user using to establish on Samba.

---
TAKAHASHI Motonobu
Re: [Samba] Samba connections - Issues and suggestions
On Mon, Aug 01, 2011 at 06:24:05PM -0400, Thirumalai, Sivakumar wrote:

> Hi,
>
> For the past six months, we are having users complain few of following issues. I have summarized the hardware and software specifications below as well. Please let us know your suggestions!
>
> Symptoms# New Users cannot mount shares [ network exception / hung service ]. Some times existing users get kicked out. Samba connections spike up [ Sometimes go up to 1300 with in an hour ].
> Resolution # As of now we are restarting Samba which will eventually kill of all existing connections and users were able to connect back.
> How frequent# At least once in a month, was more than twice in the month of May-2011.
> OS # SunOS Generic_117350-44 sun4u sparc SUNW,Sun-Fire-880
> Samba version # 3.0.25a
>
> I have also attached the smb.conf for better clarity!

Samba 3.0.25a is a very old version. I suggest upgrading to a supported version.
Re: [Samba] Problem with samba share file permissions: Write protection is not working as expected
From: raj kernel
Date: Wed, 3 Aug 2011 20:11:20 +0530

> Thanks for the reply. Here is the info you have requested for.
>
> cat /usr/local/samba/lib/smb.conf
> -
> [global]
(snip)
> security = share
(snip)
> guest account = root
(snip)
> [data1]
> path = /mnt/data1
> guest ok = yes
(snip)
> I have created two subdir's 'private' and 'public' under /mnt/data1. public has all access permissions '777', but private has only read permissions.
> I am able to write/create files to both 'public' as well as 'private' directory when these shares are accessed from Windows7 machine.

You set "guest account = root" and "guest ok = yes", so all accesses are made as root. Thus you can always access every file regardless of permissions.

---
TAKAHASHI Motonobu
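A configuration check for the combination diagnosed in the reply above, as an added example that is not part of the original post or of Samba: it parses smb.conf text and reports every share where guest access is enabled while the guest account is root. The sample text is constructed from the settings quoted in the thread; the function names and the name-based root test are assumptions.

```python
"""Flag smb.conf shares where guest access is mapped to root (added example)."""

TRUE_WORDS = {"yes", "true", "1"}
ROOT_ACCOUNTS = {"root"}  # assumption: name match only, no uid lookup

# Synonyms relevant to this check: alias -> (canonical name, value inverted?)
SYNONYMS = {
    "public": ("guestok", False),
    "writable": ("readonly", True),
    "writeable": ("readonly", True),
    "writeok": ("readonly", True),
}
BOOLEAN_KEYS = {"guestok", "readonly"}

# Constructed sample built from the settings quoted in the thread.
WEAK_CONF = """
[global]
    security = share
    guest account = root

[data1]
    path = /mnt/data1
    guest ok = yes
    public = yes
    writable = yes
    read only = no
    create mode = 0777
    directory mode = 0777
    printable = no
"""
# Same share with the guest account mapped to an unprivileged user.
FIXED_CONF = WEAK_CONF.replace("guest account = root", "guest account = nobody")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Case and whitespace inside parameter names are not significant.
        key = "".join(key.lower().split())
        key, inverted = SYNONYMS.get(key, (key, False))
        value = value.strip()
        if key in BOOLEAN_KEYS:
            value = (value.lower() in TRUE_WORDS) != inverted
        current[key] = value  # a later setting overrides an earlier one
    return sections


def audit_guest_root(text):
    """Return one finding per share that lets guests in as root."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    guest_account = glob.get("guestaccount", "nobody")
    findings = []
    for name, share in conf.items():
        if name == "global":
            continue
        guest_ok = share.get("guestok", glob.get("guestok", False))
        read_only = share.get("readonly", glob.get("readonly", True))
        if guest_ok and guest_account.lower() in ROOT_ACCOUNTS:
            findings.append({"share": name,
                             "guest_account": guest_account,
                             "writable": not read_only})
    return findings


if __name__ == "__main__":
    for finding in audit_guest_root(WEAK_CONF):
        print("guest access runs as root:", finding)
```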
Re: [Samba] Problem with samba share file permissions: Write protection is not working as expected
From: raj kernel
Date: Wed, 3 Aug 2011 18:35:16 +0530

> I have configured samba server on a Linux machine. My smb.conf for the samba share is as follows:
>
> [data1]
> path = /mnt/data1
> guest ok = yes
> public = yes
> writable = yes
> read only = no
> create mode = 0777
> directory mode = 0777
> printable = no
>
> I have created two subdir's 'private' and 'public' under /mnt/data1. public has all access permissions '777', but private has only read permissions.
> I am able to write/create files to both 'public' as well as 'private' directory when these shares are accessed from Windows7 machine. Write/create operation has to be denied for 'private' dir as it only has 'read' permission enabled, but it's not denied, file write/create operation still succeeds :(
>
> Could someone help me what am I missing?
> Do I need to add ACL support to my file system and samba for the directory/read permissions to work?

It seems that your "data1" configuration is not bad. Show the result of "ls -la /mnt/data1" and your global section.

---
TAKAHASHI Motonobu
Re: [Samba] Samba + LDAP + SMBLDAP-Tools + Roaming Profiles
On 02.08.2011 14:54, J. Echter wrote:
On 02.08.2011 14:40, Julien Celle wrote:
On 02/08/2011 14:22, J. Echter wrote:
On 02.08.2011 14:06, Julien Celle wrote:

pdbedit output indicates that the profile is stored on '\\pdc...' and that the user is defined on the domain 'BDC'.

oh i forgot, profiles are on \\pdc.

cheers.

Hi,

There may be a problem trying to access your profiles on \\pdc while authenticating against \\bdc. Your users try to access a share without giving your PDC credentials it can validate. Try moving your profile for your user test to \\bdc\profile... You could also post your whole smb.conf for your BDC.

Cheers,
Julien.

first both of my configs...

BDC:

[global]
domain master = no
domain logons = yes
passdb backend = ldapsam:ldap://mule
idmap backend = ldap:ldap://mule
idmap uid = 1-15000
idmap gid = 1-15000
ldap suffix = dc=workgroup,dc=local
ldap user suffix = ou=smb-usr
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
ldap admin dn = cn=admin,dc=workgroup,dc=local
ldap ssl = no
ldap passwd sync = yes
printing = bsd
netbios name = BDC
server string = BDC (%h)
workgroup = workgroup
interfaces = eth0,lo
security = user
encrypt passwords = true
map to guest = bad user
guest account = nobody
logon path = \\pdc\profile\%U
logon script = %U.bat
logon drive = H:
panic action = /usr/share/samba/panic-action %d

PDC:

[global]
printing = bsd
netbios name = PDC
server string = PDC (%h)
workgroup = workgroup
interfaces = eth0,lo
security = user
encrypt passwords = true
map to guest = bad user
guest account = nobody
## LDAP
passdb backend = ldapsam:ldap://127.0.0.1
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 1-15000
idmap gid = 1-15000
ldap suffix = dc=workgroup,dc=local
ldap user suffix = ou=smb-usr
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap idmap suffix = ou=idmap
ldap admin dn = cn=admin,dc=workgroup,dc=local
ldap ssl = no
ldap passwd sync = yes
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add user script = /usr/sbin/smbldap-useradd -a '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -a '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
local master = yes
preferred master = yes
domain master = yes
domain logons = yes
logon path = \\pdc\profile\%U
logon script = %U.bat
logon drive = H:
panic action = /usr/share/samba/panic-action %d

atm i have domain logons = no, to avoid negative interaction with my running pdc.

hope this helps.

ok, what i know now :)

there gets a second domain added to ldap directory

if i, for example, add an user on pdc and do a pdbedit -v an-user i have a second SambaDomainName in my ldap tree. This one is called the same as my bdc is configured in its smb.conf.

is it forbidden to name the server bdc or similar? i have set workgroup = workgroup in smb.conf on pdc and bdc.

I'm lost with this...

thanks

juergen
Re: [Samba] SAMBA4 Alpha12 password changing problem
Thank you Michael,

I upgraded to Samba 4 Alpha16. Although the problem still occurred, I then set this:

*samba-tool pwsettings set --min-pwd-age=0*

and things worked fine.

Thank you again!

--
View this message in context: http://samba.2283325.n4.nabble.com/SAMBA4-Alpha12-password-changing-problem-tp3713860p3715440.html
Sent from the Samba - General mailing list archive at Nabble.com.
Re: [Samba] SSO's availability
On 08/03/2011 04:30 AM, Bruce Richardson wrote:

> On Tue, Aug 02, 2011 at 08:17:01PM +0200, Frédéric Bérard wrote:
> > Is it possible to configure a system of authentication based on SSO samba (and certainly ldap and lot of others things) ?
>
> Which things need to authenticate? At my current workplace, I've set up Samba with an LDAP backend. Linux machines, switches, web applications and various devices authenticate directly against the LDAP backend; Windows machines (or anything which needs Windows authentication and file services) use Samba. It all plays nicely and satisfies all our current needs. What are your needs? Do you have a specific requirement for Active Directory (or equivalent)?
>
> > Is it possible to do this without any windows's system which act as any authority ?
>
> Absolutely.
>
> > What I mean is that I would like to do this only one linux's computer
>
> Unless your network is very small, I'd recommend using a minimum of two, so that your whole system doesn't fail because of a problem on your only domain controller.

I have a similar backend, with Samba 3.x DC's. When you change your Windows password, samba will also change your unix password. Linux users can use the "smbpasswd" command to change their unix+samba passwords in one step. So, in effect, there is a "single" unix/ldap/windows password.

I use oracle (sun) directory server which supports multi-master replication. This allows me to have multiple domain controllers, since each DC has a writable backend.
Re: [Samba] Testing samba4 ( alfa11 ) from Cebtos6 rpm
On Wed, 2011-08-03 at 19:04 +1000, Andrew Bartlett wrote:
> On Fri, 2011-07-29 at 16:49 -0400, Konstantin Pobudzey wrote:
> > Hello
> >
> > #On Centos6 I did :
> > yum install samba4
>
> As I understand it:
>
> Red Hat did not decide to ship and support Samba4 except for the minimal
> required to support OpenChange, to support MAPI access in evolution.
>
> The rest of Samba4 is simply not packaged in the RHEL6 RPMs.

This is correct, RHEL only ships samba4 libraries for now.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
Principal Software Engineer at Red Hat, Inc.
[Samba] R: question about groups
At last I succeeded in trying your solution...

Perfect ! No need to do anything other apart what you said.

create mask = 2770
directory mask = 2770
force directory mode = 2770
inherit acls = Yes

when listing the dir in linux I can read:

rwxrws---

I think that "s" means the inheritance of group-acl flagged on...

Thank you very much again,
Andrea

> -----Original Message-----
> From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
> Sent: Friday, 29 July 2011 19:31
> To: Andrea Lanza
> Cc: 'samba@lists.samba.org'
> Subject: Re: [Samba] question about groups
>
> Andrea,
>
> How about doing 'chmod 2770 /path/to/share' and also on all existing
> subfolders of /path/to/share.
> In the share definition, you could also add
>
> directory mask = 2770
> force directory mode = 2770
>
> Dale
>
> On 07/29/2011 6:03 AM, Andrea Lanza wrote:
> > Hi all,
> > I have a (simple?) question about groups.
> >
> > this is my scenario:
> >
> > Windows Active directory domain
> >
> > Samba file server ADS integrated
> >
> > 2 shares on this last server (share1, share2)
> >
> > 2 groups on the AD (group1 and group2)
> >
> > First share is only fully available to group1: this is easily done
> >
> > second share is fully available to group2
> > ---
> >
> > Then I have some users belonging to both group1 and group2;
> > anyway group1 is the principal group.
> >
> > when a user of this kind create a folder or a file on the share2, the file is created
> > as "userxxx" and "group1", so being unaccessible to user on the group2.
> > (permission:770, so if one user is in group2 cannot access this file belonging to group1)
> >
> > I tried several combination of "inherit acl", "possible user" and so on, but no hope to make it works.
> >
> > How can I achieve this result ?
> >
> > And sorry if it was already answered elsewhere: I found a lot of discussion (also very old, 2003 and so on)
> > but no one helped me.
> >
> > I am running samba :
> >
> > 3.5.xxx on opensuse 11.4
> >
> > thanks in advance,
> > Andrea
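The effect of the mode 2770 used in this thread, as an added example that is not part of either poster's message: the "s" in rwxrws--- is the setgid bit, and on a Linux directory it makes new files take the directory's group and new subdirectories carry the bit on. The temporary paths and the helper names (perms, gid_of, alt_gid, setgid_demo) are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration, not code from the thread: what mode 2770 does on a
# Linux directory. Every path below is temporary and constructed for the demo.

# perms PATH -> the 10-character type/permission string, e.g. drwxrws---
perms() { ls -ld "$1" | cut -c1-10; }

# gid_of PATH -> numeric id of the group that owns PATH
gid_of() { ls -nd "$1" | awk '{print $4}'; }

# alt_gid -> a supplementary gid of the caller that differs from the primary
# gid (the "group2" of the thread), or nothing if the caller has one group only
alt_gid() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then echo "$g"; return 0; fi
    done
    return 0
}

# setgid_demo -> prints one line:
#   share=<perms> subdir=<perms> file_gid=<gid> share_gid=<gid>
setgid_demo() (
    base=$(mktemp -d) || exit 1
    trap 'rm -rf "$base"' EXIT
    share="$base/share"
    mkdir "$share"
    g=$(alt_gid)
    # Hand the share to a non-primary group when the caller has one.
    if [ -n "$g" ]; then chgrp "$g" "$share" 2>/dev/null || true; fi
    chmod 2770 "$share"              # rwx for owner and group, plus setgid
    umask 007                        # new entries: nothing for "other"
    mkdir "$share/project"           # inherits the group AND the setgid bit
    : > "$share/project/report.txt"  # inherits the group of its directory
    echo "share=$(perms "$share") subdir=$(perms "$share/project")" \
         "file_gid=$(gid_of "$share/project/report.txt") share_gid=$(gid_of "$share")"
)

setgid_demo
```

When the caller belongs to a second group, file_gid in the output is that group rather than the caller's primary one, which is the behaviour the share needed.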
Re: [Samba] Samba4 and discrepancies in the Wiki documentation
Hi Andrew,

On Wed, Aug 3, 2011 at 11:08 AM, Andrew Bartlett wrote:
> On Tue, 2011-08-02 at 08:54 +0200, Ian Coetzee wrote:
>> Hi all,
>>
>> I am in the process of testing Samba4 Alpha (latest git pull as of 1
>> Aug 2011, reports itself as Alpha17) as an additional DC in our
>> network but ran into a few problems. First of all I am using this
>> guide http://wiki.samba.org/index.php/Samba4/HOWTO#Samba4_HOWTO to
>> install it and on step 4 I followed the link to this guide
>> http://wiki.samba.org/index.php/Samba4_joining_a_domain#Samba4_joining_a_domain_as_a_DC
>> to join it to the existing DC.
>>
>> All works, the compile succeeded, no problems reported on "make
>> quicktest", however following these steps in guide 2:
>>
>> > Joining the existing domain as a DC
>> >
>> > Run the following command as root:
>> >
>> >> bin/net vampire samba.example.com -Uadministrator
>> >> --realm=samba.example.com
>> >
>> > Or, if you're using a recent checkout from GIT (later than 2010/11/10)
>> > then use samba-tool instead:
>> >
>> >> bin/samba-tool join samba.example.com DC -Uadministrator
>> >> --realm=samba.example.com
>> >
>> > It should show a set of debug messages about replicating the domain
>> > contents, like this:
>> >
>> >> Partition[CN=Configuration,DC=sample,DC=example,DC=com] objects[1596]
>> >> linked_values[1]
>> >
>> > then it will show a message like this:
>> >
>> >> Joined domain V2 (SID S-1-5-21-3565189888-2228146013-2029845409) as a DC
>> >
>> > at this point you have joined your Samba4 server to the existing domain,
>> > and you are ready to start your Samba domain controller.
>>
>> I try to run bin/samba-tool from the source directory, but it returns
>> the following error:
>>
>> > ERROR: No such command 'join'
>
> You correctly notice that we have been updating the structure of the
> 'samba-tool' command. We are trying to both document it and give it a
> logical structure. We have not had a chance to update the wiki yet.

Ah, well that would explain everything, thank you for letting me know, I really thought I was going around the bend :)

>
> 'samba-tool join' has become 'samba-tool domain join'

Well, that actually makes logical sense, I will keep it in mind for next time.

Regards
Ian
Re: [Samba] samba4 backup and restore
On Mon, 2011-07-25 at 01:20 +0200, arakim...@gmail.com wrote:
> Hi,
>
> After testing samba4 for few days (works great !!), i'm planning to run
> it as production server for 20 XP clients.
>
> I'm looking for a way to backup all data of the samba4 domain in order
> to restore them after a crash or a bad update.
>
> So, if saving the smb.conf in samba3 was enough, what are the files to
> backup in samba4 ?

It isn't enough to just save the smb.conf in Samba3, and similarly in Samba4 you must save the databases.

See source4/scripting/bin/samba_backup for a script to help with this.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Samba4 and discrepancies in the Wiki documentation
On Tue, 2011-08-02 at 08:54 +0200, Ian Coetzee wrote:
> Hi all,
>
> I am in the process of testing Samba4 Alpha (latest git pull as of 1
> Aug 2011, reports itself as Alpha17) as an additional DC in our
> network but ran into a few problems. First of all I am using this
> guide http://wiki.samba.org/index.php/Samba4/HOWTO#Samba4_HOWTO to
> install it and on step 4 I followed the link to this guide
> http://wiki.samba.org/index.php/Samba4_joining_a_domain#Samba4_joining_a_domain_as_a_DC
> to join it to the existing DC.
>
> All works, the compile succeeded, no problems reported on "make
> quicktest", however following these steps in guide 2:
>
> > Joining the existing domain as a DC
> >
> > Run the following command as root:
> >
> >> bin/net vampire samba.example.com -Uadministrator --realm=samba.example.com
> >
> > Or, if you're using a recent checkout from GIT (later than 2010/11/10) then
> > use samba-tool instead:
> >
> >> bin/samba-tool join samba.example.com DC -Uadministrator
> >> --realm=samba.example.com
> >
> > It should show a set of debug messages about replicating the domain
> > contents, like this:
> >
> >> Partition[CN=Configuration,DC=sample,DC=example,DC=com] objects[1596]
> >> linked_values[1]
> >
> > then it will show a message like this:
> >
> >> Joined domain V2 (SID S-1-5-21-3565189888-2228146013-2029845409) as a DC
> >
> > at this point you have joined your Samba4 server to the existing domain,
> > and you are ready to start your Samba domain controller.
>
> I try to run bin/samba-tool from the source directory, but it returns
> the following error:
>
> > ERROR: No such command 'join'

You correctly notice that we have been updating the structure of the 'samba-tool' command. We are trying to both document it and give it a logical structure. We have not had a chance to update the wiki yet.

'samba-tool join' has become 'samba-tool domain join'

> along with the usage of the command, next I fall back to bin/net in
> the source directory which replies with:

If you have a bin/net binary, it will be very old, and will not link with the rest of Samba.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Testing samba4 ( alfa11 ) from Cebtos6 rpm
On Fri, 2011-07-29 at 16:49 -0400, Konstantin Pobudzey wrote:
> Hello
>
> #On Centos6 I did :
> yum install samba4

As I understand it:

Red Hat did not decide to ship and support Samba4 except for the minimal required to support OpenChange, to support MAPI access in evolution.

The rest of Samba4 is simply not packaged in the RHEL6 RPMs.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] SSO's availability
On Tue, Aug 02, 2011 at 08:17:01PM +0200, Frédéric Bérard wrote:
> Is it possible to configure a system of authentication based on SSO
> samba (and certainly ldap and lot of others things) ?

Which things need to authenticate? At my current workplace, I've set up Samba with an LDAP backend. Linux machines, switches, web applications and various devices authenticate directly against the LDAP backend; Windows machines (or anything which needs Windows authentication and file services) use Samba. It all plays nicely and satisfies all our current needs. What are your needs? Do you have a specific requirement for Active Directory (or equivalent)?

> Is it possible to do this without any windows's system which act as
> any authority ?

Absolutely.

> What I mean is that I would like to do this only one linux's computer

Unless your network is very small, I'd recommend using a minimum of two, so that your whole system doesn't fail because of a problem on your only domain controller.

--
Bruce

It is impolite to tell a man who is carrying you on his shoulders that his head smells.
Re: [Samba] Odd timestamps/replication latencies with Samba4
Hi

While Samba 4 is still in Alpha, you should post questions like this to the samba-technical mailing list (as per the Samba 4 HOWTO). I've copied my reply there.

On 2 August 2011 20:48, Adam Thorn wrote:
> Hi,
>
> I've recently joined a Samba4 (alpha16) DC to an existing Windows domain
> (with multiple Windows DCs). A few hours after joining, one of the
> Windows servers raised an "Active Directory 1864" error. I can't find an
> obvious MS page to describe that one, but it's due to Windows believing
> that it hasn't received replication info from a DC. Indeed, if I run
>
> repadmin /showvector /latency dc=ad,dc=ch,dc=cam,dc=ac,dc=uk
>
> then the line for the new Samba4 DC reads
>
> Default-First-Site-Name\VICTORY @ USN 31765 @ Time 4184-12-00 07:00:00
>
> so I think the problem is just that Windows is really confused by that
> incorrect timestamp - so far as I can tell replication is actually
> happening correctly.
>
> Adam

--
Michael Wood
Re: [Samba] SAMBA4 Alpha12 password changing problem
On 2 August 2011 23:44, bakytn wrote:
> Hello,
>
> I have successfully installed SAMBA4 Alpha12 as PDC.

Why such an ancient version? You should consider upgrading to e.g. the Alpha 16 release.

> I added two machines. Ubuntu 11.04 Linux and Windows 7.
>
> They both can authenticate and log in to the machines. Which is great.
>
> The problem comes when users trying to change their password.
> This is not working! It's constantly complaining for the complexity. However
> I used strong and absolutely different to any previous password.

For Alpha 12, use the following to see the password complexity settings:

net pwsettings show

Use the following to see how to change these options:

net pwsettings --help set

e.g. to change the minimum password length:

net pwsettings set --min-pwd-length=6

With later versions of Samba you'd use the "samba-tool" command instead of "net".

> Can you help me and tell how people can change their own passwords.
>
> Thank you very much! Samba4 rocks!
>
> P.S: Let me know if you need any additional information.

--
Michael Wood
[Samba] PDC forgot it was part of domain... "official" (ha!) samba hack around to fix...
Among various problems since I upgraded to 3.6 (none of which got answered really, -- so I backgraded to 3.5.10 and started debugging from there, considering 3.6.0 too unstable/too incompatible for 'whatever' reason...

One of the probs I had was 'root' couldn't use "net rpc" -- kept getting auth failures. Wasn't the passwd, -- could reset it via smbpasswd, no prob, and my normal UID could do an rpc user, but didn't have the auth to the local files to read them (so got no results back).

Steps...

1) add self to group root
2) in /var/lib/samba and /etc/samba:
   find . -gid 0 -print0|xargs -0 chmod g+rw
   find . -gid 0 -type d -print0|xargs -0 chmod g+xs

Then I noted that my 'user' could no longer auth either! Bonus!

turned on -d10 on net rpc cmd,

Noted, it was trying to look up '*' for a pw server, '*' doesn't resolve so well on my DNS server. My domain name does, but it was trying to contact '*' for a pw server instead of using itself (this used to work before I tried upgrading to 3.6, FWIW)...

Anyway, explicit hackaround: added:

passwd server=localhost

to my smb.conf.

Now the PDC is smart enough to know to look up passwords on itself rather than going out and looking for '*', which "wbinfo" REALLY didn't like -- lots of "*" not found messages from wbinfo...

Along with the idmap tdb format becoming incompat, (or maybe that's the only one involved), apparently during the 'upgrade'[sic], I didn't get the benefit of '*' added to my wbinfo...

Of course, as noted earlier, my wbinfo also doesn't seem to know about builtin SID's either .. so am having to add them... (writing script ...)

) { printf "net groupmap add %s",$_; } ' /tmp/domsid:

"Administrators" sid="S-1-5-32-544" type=builtin
"Users" sid="S-1-5-32-545" type=builtin
"Domain Controllers" sid="S-1-5-32-516" type=builtin
"Guests" sid="S-1-5-32-546" type=builtin
"Power Users" sid="S-1-5-32-547" type=builtin
"Account Operators" sid="S-1-5-32-552" type=builtin

For some reason part of the refrain to the theme from Gilligan's Island just popped into my head... "As primitive as can be"

You'd think there'd be a better way, but ...C'est la vie...

linda (always winning friends and influencing people...*cough* (To do what?)...)