Re: [Samba] Samba4 and sysvol share

2011-11-08 Thread Andrew Bartlett
On Mon, 2011-11-07 at 08:34 -0500, fe...@epepm.cupet.cu wrote:
> > Hello Felix,
> >
> > Sorry for the very late answer,
> >
> > Well I remade a test today, in gpmc.msc (group policy management
> > console), I have no errors from Windows about the ACLs of the folders for
> > my policies.
> 
> Thanks a lot for your answers, Matthieu and Christopher. It makes me happy
> to know that you guys don't forget to answer the questions of samba users.
> 
> My first solution was changing the permissions of the sysvol directory in
> my linux box to 755 (I think 644 could work too) after defining the
> policies I needed for my domain.
> 
> I'm a newbie in Linux and in Samba, that's why at the beginning I didn't
> realize that my filesystem did not support the user_xattr option and I had
> skipped that part of the HowTo. I'm so sorry for taking some of your
> precious time.
> 
> Now I'm learning how to compile a kernel to include the needed options and
> I'm pretty sure that will fix my issue.
> 
> For beginners, I would like to contribute with the steps I followed to
> make Bind, Ntp and Samba4 work together on Debian Lenny. How can I do it?

Make a wiki account, and then let me know the username.  Try not to make
a duplicate of the main HOWTO, but feel free to create a page with
distribution-specific assistance. 

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Issue with compile of 3.5.12 -- krb related

2011-11-08 Thread Andrew Bartlett
On Tue, 2011-11-08 at 15:12 -0500, James Chase wrote:
> After compiling samba 3.5.12 from source on CentOS 5.7, I test the 
> configuration with 'testparm lib/smb.conf' and I get the following output
> 
> WARNING: Ignoring invalid value 'ADS' for parameter 'security'
> Unknown parameter encountered: "realm"
> Ignoring unknown parameter "realm"
> 
> I figured this might be due to a compile problem and I re-checked the 
> HOWTO pdf and saw that I needed to find the following in include/config.h
> 
> #define HAVE_KRB5 1
> #define HAVE_LDAP 1
> 
> I was missing the KRB5 line so I installed krb5-devel (centos 5.7) and 
> then re-configured. During the make command I now get the following error:
> 
> cifs.upcall.c:(.text+0x360): undefined reference to `smb_krb5_principal_get_realm'
> cifs.upcall.c:(.text+0x3d3): undefined reference to `smb_krb5_unparse_name'
> collect2: ld returned 1 exit status
> make: *** [bin/cifs.upcall] Error 1
> 
> I first installed every krb5 package I could find (didn't fix the 
> compile errors) and then I tried disabling this cifsupcall feature but 
> then got the same errors using testparm. So maybe this feature  is 
> required for the 'ads' option and 'realm' parameter. Arg -- does this 
> indicate my krb5 libraries are too old and missing some new function?

Did you make clean?  

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



[Samba] Issue with compile of 3.5.12 -- krb related

2011-11-08 Thread James Chase
After compiling samba 3.5.12 from source on CentOS 5.7, I test the 
configuration with 'testparm lib/smb.conf' and I get the following output


WARNING: Ignoring invalid value 'ADS' for parameter 'security'
Unknown parameter encountered: "realm"
Ignoring unknown parameter "realm"

I figured this might be due to a compile problem and I re-checked the 
HOWTO pdf and saw that I needed to find the following in include/config.h


#define HAVE_KRB5 1
#define HAVE_LDAP 1

I was missing the KRB5 line so I installed krb5-devel (centos 5.7) and 
then re-configured. During the make command I now get the following error:


cifs.upcall.c:(.text+0x360): undefined reference to `smb_krb5_principal_get_realm'
cifs.upcall.c:(.text+0x3d3): undefined reference to `smb_krb5_unparse_name'
collect2: ld returned 1 exit status
make: *** [bin/cifs.upcall] Error 1

I first installed every krb5 package I could find (didn't fix the 
compile errors) and then I tried disabling this cifsupcall feature but 
then got the same errors using testparm. So maybe this feature  is 
required for the 'ads' option and 'realm' parameter. Arg -- does this 
indicate my krb5 libraries are too old and missing some new function?










Re: [Samba] winbind auth, specifying shell

2011-11-08 Thread Dale Schroeder

On 11/08/2011 11:35 AM, Eddy Sturg wrote:
> On Thu, Nov 3, 2011 at 10:22 AM, Eddy Sturg wrote:
>
>> Hey folks,
>>
>> I'm using winbind authentication against MS Active Directory, and it's
>> working great.  Because of
>>
>> template shell = /bin/bash
>>
>> in smb.conf, new users are getting assigned the bash shell, which is great
>> in most cases.  Some users, however, prefer a different shell (tcsh).
>>
>> How can I specify, on a user by user basis, the preferred shell?
>>
>> I'm guessing this is an attribute in AD somewhere, but what's the best way
>> to get at that?
>>
>> (Windows AD 2008)
>>
>> Thanks,
>>
>> Eddy
>
> I think I've determined that the user's shell is not stored in AD.  Can
> winbind / samba provide different shells to different users when using
> winbind / AD integrated authentication?

Eddy,

I found this.  Hopefully, it's still accurate.

http://serverfault.com/questions/224340/override-template-shell-on-linux-system-in-active-directory-domain

Dale


Re: [Samba] winbind auth, specifying shell

2011-11-08 Thread Eddy Sturg
On Thu, Nov 3, 2011 at 10:22 AM, Eddy Sturg wrote:

> Hey folks,
>
> I'm using winbind authentication against MS Active Directory, and it's
> working great.  Because of
>
> template shell = /bin/bash
>
> in smb.conf, new users are getting assigned the bash shell, which is great
> in most cases.  Some users, however, prefer a different shell (tcsh).
>
> How can I specify, on a user by user basis, the preferred shell?
>
> I'm guessing this is an attribute in AD somewhere, but what's the best way
> to get at that?
>
> (Windows AD 2008)
>
> Thanks,
>
> Eddy
>

I think I've determined that the user's shell is not stored in AD.  Can
winbind / samba provide different shells to different users when using
winbind / AD integrated authentication?


[Samba] samba ghost folder on roaming profile

2011-11-08 Thread sebastien PROUFF

Hello,

I got an annoying issue with my samba pdc (v3.4.7).

Here is my config:
samba/ldap Pdc v3.4.7 (for samba) on ubuntu 10.04 lts
I used roaming profiles for my users, which are mostly with W7 OS.

I got a profile synchronisation issue.
If I delete a folder after I opened a session, when I close the
session and reopen it, the folder is back again.


It does not happen all the time, mostly when the folder has been present
for a while (several weeks).

The files inside the folder are deleted.

Does anybody encounter this issue?
What is the magic option in smb.conf to solve this problem?

Thanks in advance

Sébastien


--
Sébastien Prouff
_
Head of the TICE unit
CDDP de la Charente Maritime
tel: 05 46 00 34 73
http://web.crdp-poitiers.org/cddp17



Re: [Samba] getent passwd not returning users/groups

2011-11-08 Thread James Chase

Yes, definitely

On 11/8/2011 10:55 AM, Eddy Sturg wrote:
> Does nsswitch.conf have winbind listed?
>
> On Mon, Nov 7, 2011 at 11:09 AM, James Chase wrote:
>
>> I tried a second install of CentOS with X, thinking perhaps the
>> GUI setup might do something that I was missing in terms of
>> getting samba connected to active directory. However I still can't
>> get this to work (now wbinfo doesn't seem to work either) in
>> CentOS. I also tried Fedora 14.
>>
>> Then I tried a Ubuntu 11 install and followed their instructions
>> from the wiki:
>> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
>>
>> And it worked! I tried to apply the same settings to CentOS setup
>> but I still get no output from 'getent passwd'.
>>
>> Ubuntu is running version 3.5.11 while CentoS is 3.5.4. Think my
>> best bet is building from source and trying 3.5.11 or 3.5.12 on
>> CentOS? Are there any critical flags that need to be set during
>> the configuration to make sure samba will work with active
>> directory/winbind?
>>
>> James
>>
>>> I'm trying to get my CentOS 5.6 machine setup as a Active
>>> Directory Domain Member with Windows 2008 level domain and
>>> samba 3.5. I haven't tried this before.
>>>
>>> I can successfully join the domain and return users using
>>> 'wbinfo -u' and groups with 'wbinfo -g' but when I try 'getent
>>> passwd' I only get the local users. I'm not sure what element
>>> that indicates is failing in the process. I'm not confident in
>>> my pam.d/ setup since different guides show different methods
>>> of setting this up. The /etc/nsswitch.conf file has been
>>> edited to include winbind as a source for passwd/shadow/group.
>>>
>>> The only insightful error message I see in the samba logs is
>>> this (repeated over and over in all the logs) but I haven't
>>> found the solution. Is this the cause of my problems? How do I
>>> disable spinlocks? I'm using a prebuilt package from sernet
>>>
>>> [2011/11/01 16:46:19.979981,  1] lib/util_tdb.c:385(tdb_log)
>>>  tdb(unnamed): tdb_open_ex: spinlocks no longer supported
>>>
>>> Here is my samba configuration dumped from smbtest:
>>>
>>> [root@sambatest ~]# testparm
>>> Load smb config files from /etc/samba/smb.conf
>>> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
>>> Processing section "[test]"
>>> Loaded services file OK.
>>> Server role: ROLE_DOMAIN_MEMBER
>>> Press enter to see a dump of your service definitions
>>>
>>> [global]
>>>    workgroup = SHAMOFFICE
>>>    realm = SHAMBHALA-OFFICE.LOCAL
>>>    interfaces = 127.0.0.1, eth0
>>>    bind interfaces only = Yes
>>>    security = ADS
>>>    printcap name = cups
>>>    idmap backend = ad
>>>    idmap uid = 1-2
>>>    idmap gid = 3-4
>>>    winbind enum users = Yes
>>>    winbind enum groups = Yes
>>>    winbind use default domain = Yes
>>>    idmap config SHAMOFFICE : schema_mode = rfc2307
>>>    idmap config SHAMOFFICE : range = 4000-5000
>>>    idmap config SHAMOFFICE : backend = ad
>>>    idmap config * : range = 2000-3000
>>>    idmap config * : backend = tdb
>>>
>>> [test]
>>>    comment = Directory for storing pictures by jims users
>>>    path = /local/test
>>>    read only = No
>>>    guest ok = Yes







Re: [Samba] getent passwd not returning users/groups

2011-11-08 Thread Eddy Sturg
Does nsswitch.conf have winbind listed?

On Mon, Nov 7, 2011 at 11:09 AM, James Chase wrote:

> I tried a second install of CentOS with X, thinking perhaps the GUI setup
> might do something that I was missing in terms of getting samba connected
> to active directory. However I still can't get this to work (now wbinfo
> doesn't seem to work either) in CentOS. I also tried Fedora 14.
>
> Then I tried a Ubuntu 11 install and followed their instructions from the
> wiki:
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
>
> And it worked! I tried to apply the same settings to CentOS setup but I
> still get no output from 'getent passwd'.
>
> Ubuntu is running version 3.5.11 while CentoS is 3.5.4. Think my best bet
> is building from source and trying 3.5.11 or 3.5.12 on CentOS? Are there
> any critical flags that need to be set during the configuration to make
> sure samba will work with active directory/winbind?
>
> James
>
>
>> I'm trying to get my CentOS 5.6 machine setup as a Active Directory
>> Domain Member with Windows 2008 level domain and samba 3.5. I haven't tried
>> this before.
>>
>> I can successfully join the domain and return users using 'wbinfo -u' and
>> groups with 'wbinfo -g' but when I try 'getent passwd' I only get the local
>> users. I'm not sure what element that indicates is failing in the process.
>> I'm not confident in my pam.d/ setup since different guides show different
>> methods of setting this up. The /etc/nsswitch.conf file has been edited to
>> include winbind as a source for passwd/shadow/group.
>>
>> The only insightful error message I see in the samba logs is this
>> (repeated over and over in all the logs) but I haven't found the solution.
>> Is this the cause of my problems? How do I disable spinlocks? I'm using a
>> prebuilt package from sernet
>>
>> [2011/11/01 16:46:19.979981,  1] lib/util_tdb.c:385(tdb_log)
>>  tdb(unnamed): tdb_open_ex: spinlocks no longer supported
>>
>> Here is my samba configuration dumped from smbtest:
>>
>> [root@sambatest ~]# testparm
>> Load smb config files from /etc/samba/smb.conf
>> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
>> Processing section "[test]"
>> Loaded services file OK.
>> Server role: ROLE_DOMAIN_MEMBER
>> Press enter to see a dump of your service definitions
>>
>> [global]
>>    workgroup = SHAMOFFICE
>>    realm = SHAMBHALA-OFFICE.LOCAL
>>    interfaces = 127.0.0.1, eth0
>>    bind interfaces only = Yes
>>    security = ADS
>>    printcap name = cups
>>    idmap backend = ad
>>    idmap uid = 1-2
>>    idmap gid = 3-4
>>    winbind enum users = Yes
>>    winbind enum groups = Yes
>>    winbind use default domain = Yes
>>    idmap config SHAMOFFICE : schema_mode = rfc2307
>>    idmap config SHAMOFFICE : range = 4000-5000
>>    idmap config SHAMOFFICE : backend = ad
>>    idmap config * : range = 2000-3000
>>    idmap config * : backend = tdb
>>
>> [test]
>>    comment = Directory for storing pictures by jims users
>>    path = /local/test
>>    read only = No
>>    guest ok = Yes
>>
>>
>>
>>
>>


Re: [Samba] Samba3 & ADMT, cannot migrate SIDs

2011-11-08 Thread Andrew Bartlett
On Mon, 2011-11-07 at 15:41 -0500, Adam Tauno Williams wrote:
> I'm attempting to migrate a Samba 3.x / NT domain to Active Directory.
> I have a Windows 2003 SE host and ADMT.  I've established trusts between
> the Samba 3 domain and the Windows 2003 AD domain.  I can use "User
> Account Migration Wizard" up to the "Account Transition Options".  Then
> if I check the option to Migrate SIDs it fails with - 
> 
> "Could not verify auditing and TcpipClientSupport on domains." Will not
> be able to migrate Sids. The system cannot find the file specified.
> 
> Is there something that can be done to enable SID migration from S3?

The best way would be the 'samba-tool domain samba3upgrade', and then
any migration from there.  I know you have not had great luck with that,
and I spent some time today staring at the valgrind log without success.
The other script around is the 'myldap-pub.py' script, which has been
used for real-life s3 -> AD migrations, via Samba4.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



[Samba] Problem while log on: Windows Server 2008 R2 in samba domain

2011-11-08 Thread Alexander Födisch

Hi,

I have a strange problem with a Windows Server 2008 R2 system as a member of a
samba domain (Samba version on PDC: 3.4.12).
The join was successful, but when I log on to Windows I got an error "Unknown user name
or bad password." (Event ID 4625).



Here is an abstract of the logfile for the Windows Server 2008 R2 system (log level 10).
Maybe some of you have an idea:

[2011/11/07 16:37:15,  9] passdb/passdb.c:2245(pdb_increment_bad_password_count)
  No lockout policy, don't track bad passwords
[2011/11/07 16:37:15,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(999, 514) : sec_ctx_stack_ndx = 1
[2011/11/07 16:37:15,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2011/11/07 16:37:15,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/11/07 16:37:15,  5] auth/token_util.c:522(debug_nt_user_token)
  NT user token: (NULL)
[2011/11/07 16:37:15,  5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2011/11/07 16:37:15,  4] passdb/pdb_ldap.c:2015(ldapsam_update_sam_account)
  ldapsam_update_sam_account: user foedisch to be modified has dn: uid=foedisch,dc=xxx,dc=xxx,dc=xx
[2011/11/07 16:37:15,  2] passdb/pdb_ldap.c:1199(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: foedisch
[2011/11/07 16:37:15,  4] passdb/pdb_ldap.c:2029(ldapsam_update_sam_account)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: foedisch
[2011/11/07 16:37:15,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (999, 514) - sec_ctx_stack_ndx = 0
[2011/11/07 16:37:15,  5] auth/auth.c:274(check_ntlm_password)
  check_ntlm_password: sam authentication for user [foedisch] FAILED with error NT_STATUS_WRONG_PASSWORD
[]
[2011/11/07 16:37:15,  5] rpc_server/srv_netlog_nt.c:1041(_netr_LogonSamLogon)
  _netr_LogonSamLogon: check_password returned status NT_STATUS_WRONG_PASSWORD

[Samba] Trust relationship between Windows Domains

2011-11-08 Thread Emilio Iglesias Martinez
Hello,

  we have the following scenario:

- Samba v3.0.23d running under AIX v5.3

- Two Windows Domains, let's call them D1 and D2, that have a trust
relationship between them so that any user on D1 can access resources on
D2 without need to re-authenticate.

Now, for business needs we would like to set up a common repository in our 
AIX server that is accessible from all our AIX and Windows machines. Our 
goal is that any user (independently of the environment or Domain he is 
in) is able to access this repository without need to re-enter any 
credentials.

We have tried associating the Samba instance to domain "D2" and we 
expected that users on domain D1 would be able to access it as well (as it 
happens on Windows machines due to the trust relationship). However, we 
have seen that this is not the case. Users on "D1" can not access the 
Samba repository without re-authenticating using "D2" credentials. It 
seems like Samba is not able to apply the trust relationship that was 
defined at Windows level.

Is there any way we can configure Samba to achieve our goal of granting 
access to the AIX repository to both users on D1 and D2 without need to 
re-authenticate?

Two possible solutions have occurred to us, but we don't know whether they 
are technically feasible or not or how hard they would be to 
implement/maintain:

Option 1) Configure Samba in such a way so that it is able to apply the
trust relationship that exists between the two windows domains (D1 and
D2).

Option 2) Configure and run a second instance of Samba on the AIX machine.
One instance would be assigned to D1 and the other instance to D2.

Can you please advise on the feasibility of these options or provide 
alternatives we have not thought of?

thanks!

EMILIO J. IGLESIAS
ALM - Application Lifecycle Management Engineer
CSC Asturias
WSS | office: +34 985 120341 | email: eiglesias...@csc.com | www.csc.com
Advanced Leave notice:  July 29th to Aug 22nd

