Re: [Samba] Fw: Convert Unix users to Samba users
On Thu, Dec 29, 2011 at 12:28 PM, Ryan Novosielski wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> We used the pam_smbpasswd module, which does not work for either TDBSAM
> or LDAPSAM I don't think. It's OK if you want to maintain an smbpasswd
> file, but I think you really don't for more than X number of users and
> I'm not sure how well it works with Active Directory (this was back
> before AD was big that we were using Samba).
>
> The way that that worked was to take advantage of other password
> manipulation people had done (eg. authenticate successfully using
> anything) and at that time the PAM module would get the unencrypted
> password and write it using the proper hash for the new Samba auth
> method. That is a pretty slick idea and if it does not exist for LDAP or
> TDBSAM, I do wonder why not.

Handling unencrypted passwords on a server is always nasty. Even if you
trust the people you work with, it's an excellent target for any cracker
who gets into your systems to steal admin passwords. This sort of poor
security hack is way, way, way too common.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Fw: Convert Unix users to Samba users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We used the pam_smbpasswd module, which does not work for either TDBSAM
or LDAPSAM I don't think. It's OK if you want to maintain an smbpasswd
file, but I think you really don't for more than X number of users and
I'm not sure how well it works with Active Directory (this was back
before AD was big that we were using Samba).

The way that that worked was to take advantage of other password
manipulation people had done (eg. authenticate successfully using
anything) and at that time the PAM module would get the unencrypted
password and write it using the proper hash for the new Samba auth
method. That is a pretty slick idea and if it does not exist for LDAP or
TDBSAM, I do wonder why not.

On 12/20/2011 02:36 PM, Samba wrote:
> No-one has had this problem before?
>
> ----- Forwarded by Raymond Hoogerdijk/home on 20-12-2011 20:36 -----
>
> From: Samba
> To: Samba Maillist
> Date: 14-12-2011 21:37
> Subject: [Samba] Convert Unix users to Samba users
> Sent by: samba-boun...@lists.samba.org
>
> Hi,
>
> I just installed a new Centos 6.1 machine with Samba 3.5.6-86.el6_1.4. I
> use Webmin to administer the server and to configure Samba (SWAT is also
> available in Webmin). I have chosen the option to convert the Linux users
> to Samba users and the command completes and says the users have been
> converted. However, when I then look at the Samba users the list is empty.
>
> Restarted the Samba services and also the complete box, however, it still
> doesn't work.
>
> I have the following error message in the log.SMBD file:
>
> [2011/12/14 20:52:13.289684, 0] smbd/server.c:500(smbd_open_one_socket)
>   smbd_open_once_socket: open_socket_in: Address already in use
> [2011/12/14 20:52:13.291029, 0] smbd/server.c:500(smbd_open_one_socket)
>   smbd_open_once_socket: open_socket_in: Address already in use
>
> And the SWAT logfile:
>
> [2011/12/14 20:52:36.578244, 0] lib/util_sock.c:1441(get_peer_addr_internal)
>   getpeername failed. Error was Socket operation on non-socket
> [2011/12/14 20:52:36.584471, 0] lib/util_sock.c:1441(get_peer_addr_internal)
>   getpeername failed. Error was Socket operation on non-socket
>
> Why is this going wrong? Where do I need to look to fix it?
>
> Kind regards,
>
> Raymond

- --
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/CST-Academic Svcs. - ADMC 450, Newark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk78oyUACgkQmb+gadEcsb4JQQCeNYldR5CDdGR5XUy2DyMEZqTD
PNoAn1Gy/4njeHF8ahcrlk+8480slwbW
=Ox7d
-----END PGP SIGNATURE-----
Re: [Samba] login via Samba 4 LDAP
On 2011-12-29 12:56, steve wrote:
> On 29/12/11 11:58, Gémes Géza wrote:
>> On 2011-12-29 10:11, steve wrote:
>>> On 29/12/11 10:00, steve wrote:
>>>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>>>> You should create a user in AD for nss-ldap and extract a keytab
>>>>> for it (samba-tool domain exportkeytab --principal=) and configure
>>>>> nss-ldap to use that keytab for authenticating. Most probably you
>>>>> aren't allowed to bind anonymously to your AD server (you can try
>>>>> with ldapsearch -x)
>>>>
>>>> LDAP works with an anonymous bind. You need the Kerberos keytab for
>>>> authentication though.
>>>>
>>>> steve@hh3:~> ldapsearch -x
>>>> # extended LDIF
>>>> #
>>>> # LDAPv3
>>>> # base <> (default) with scope subtree
>>>> # filter: (objectclass=*)
>>>> # requesting: ALL
>>>> #
>>>>
>>>> # search result
>>>> search: 2
>>>> result: 1 Operations error
>>>> text: 2020: Operation unavailable without authentication
>>>>
>>>> # numResponses: 1
>>>>
>>>> I found this usage:
>>>>
>>>> samba-tool export keytab PATH_TO_KEYTAB
>>>>
>>>> How can I find my PATH_TO_KEYTAB?
>>>> Thanks
>>>
>>> Can't get the syntax right:
>>>
>>> samba-tool domain exportkeytab /var/lib/named/master --principal
>>>
>>> Usage: samba-tool domain exportkeytab [options]
>>>
>>> samba-tool domain exportkeytab: error: --principal option requires an
>>> argument
>>>
>> samba-tool domain exportkeytab
>> /path/to/the/keytab/file/you/want/to/create/or/update
>> --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
>>
>> Regards
>>
>> Geza
>
> Tried:
> samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4
>
> restarted samba but:
>
> su steve4
> su: user steve4 does not exist
>
> Am I getting close or should I give up now?!
>
> Steve

You still need to configure nss-ldap to do a kerberized bind.
I've found example configurations for nslcd (the daemon part of nss-ldapd,
a fork of nss-ldap) at:
http://lists.arthurdejong.org/nss-pam-ldapd-users/2010/msg00125.html
http://ubuntuforums.org/archive/index.php/t-1335022.html

Regards

Geza
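Geza's reply points at external pages for the kerberized nslcd bind. As an added illustration (written for this archive, not taken from the thread, from the linked pages, or from the Samba or nss-pam-ldapd projects), the fragment below shows the shape of an nslcd.conf that binds to a Samba 4 DC with SASL/GSSAPI using a Kerberos ticket cache instead of a stored bind password, which addresses the "2020: Operation unavailable without authentication" result quoted earlier in the thread. The host dc1.example.com, the realm EXAMPLE.COM, the base DN, the credential-cache path and the service principal name nslcd-svc are placeholders; the keytab path follows the /etc/krb5.keytab used in the thread.

```text
# /etc/nslcd.conf (added example; hostnames, realm and base DN are placeholders)
uid nslcd
gid nslcd

# The Samba 4 DC answers an anonymous bind but refuses to return account
# data without authentication, so every lookup must be an authenticated bind.
uri ldap://dc1.example.com/
base dc=example,dc=com
ldap_version 3

# Authenticate with Kerberos via SASL/GSSAPI. No bind password is stored in
# this file; the secret stays in the keytab, readable only by root.
sasl_mech GSSAPI
sasl_realm EXAMPLE.COM
krb5_ccname /var/run/nslcd/nslcd.tkt

# Map AD attributes onto the POSIX attributes nslcd expects. This assumes
# the accounts carry RFC 2307 attributes (uidNumber, gidNumber, ...).
filter passwd (&(objectClass=user)(uidNumber=*))
map    passwd uid           sAMAccountName
map    passwd homeDirectory unixHomeDirectory
filter group  (&(objectClass=group)(gidNumber=*))
```

The cache named by krb5_ccname has to be kept populated from the exported keytab, for instance by running `kinit -k -t /etc/krb5.keytab -c /var/run/nslcd/nslcd.tkt nslcd-svc` periodically as the nslcd user (a renewal tool such as k5start does the same job). Until a valid ticket is present the GSSAPI bind fails and getent/su keep reporting the user as non-existent, which is the symptom Steve describes.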
Re: [Samba] Fw: Convert Unix users to Samba users
On 29/12/11 12:59, Nico Kadel-Garcia wrote:
> On Tue, Dec 20, 2011 at 2:36 PM, Samba wrote:
>> No-one has had this problem before?

Hi
Yes. We had that problem when we added win 7 boxes to our LAN. Fortunately,
openSUSE has a tool which lets you do just that. You have an LDAP server
which handles the Linux and the Windows accounts via a samba schema. Delete
the Linux user (but not his home directory) and add the same user as an LDAP
user. Tick the samba attributes box. That's it. Yast does the rest and you
can then use single sign on for both Linux and Windows clients. I must admit
that without Yast, I wouldn't have attempted it.

This only works with Samba 3/LDAP. I'm struggling to get it working with
Samba 4 at the moment.

Steve.
Re: [Samba] Fw: Convert Unix users to Samba users
On Tue, Dec 20, 2011 at 2:36 PM, Samba wrote:
> No-one has had this problem before?

The problem is too generic. It depends, very heavily, on what your
authentication technology is. To keep Windows and Linux authentication in
sync, they need to use the same password handling tools. This is ideally
Kerberos, since that's what Active Directory uses with the name scraped off
and concealed.

Migrating non-Kerberos users to Kerberos is its own adventure. The passwords
are stored very differently, and there's no way to simply transfer one to
the other without someone putting in passwords.
Re: [Samba] login via Samba 4 LDAP
On 29/12/11 11:58, Gémes Géza wrote:
> On 2011-12-29 10:11, steve wrote:
>> On 29/12/11 10:00, steve wrote:
>>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>>> You should create a user in AD for nss-ldap and extract a keytab
>>>> for it (samba-tool domain exportkeytab --principal=) and configure
>>>> nss-ldap to use that keytab for authenticating. Most probably you
>>>> aren't allowed to bind anonymously to your AD server (you can try
>>>> with ldapsearch -x)
>>>
>>> LDAP works with an anonymous bind. You need the Kerberos keytab for
>>> authentication though.
>>>
>>> steve@hh3:~> ldapsearch -x
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <> (default) with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 1 Operations error
>>> text: 2020: Operation unavailable without authentication
>>>
>>> # numResponses: 1
>>>
>>> I found this usage:
>>>
>>> samba-tool export keytab PATH_TO_KEYTAB
>>>
>>> How can I find my PATH_TO_KEYTAB?
>>> Thanks
>>
>> Can't get the syntax right:
>>
>> samba-tool domain exportkeytab /var/lib/named/master --principal
>>
>> Usage: samba-tool domain exportkeytab [options]
>>
>> samba-tool domain exportkeytab: error: --principal option requires an
>> argument
>
> samba-tool domain exportkeytab
> /path/to/the/keytab/file/you/want/to/create/or/update
> --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
>
> Regards
>
> Geza

Tried:
samba-tool domain exportkeytab /etc/krb5.keytab --principal=steve4

restarted samba but:

su steve4
su: user steve4 does not exist

Am I getting close or should I give up now?!

Steve
Re: [Samba] login via Samba 4 LDAP
On 29/12/11 11:58, Gémes Géza wrote:
> On 2011-12-29 10:11, steve wrote:
>> On 29/12/11 10:00, steve wrote:
>>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>>> You should create a user in AD for nss-ldap and extract a keytab
>>>> for it (samba-tool domain exportkeytab --principal=) and configure
>>>> nss-ldap to use that keytab for authenticating. Most probably you
>>>> aren't allowed to bind anonymously to your AD server (you can try
>>>> with ldapsearch -x)
>>>
>>> LDAP works with an anonymous bind. You need the Kerberos keytab for
>>> authentication though.
>>>
>>> steve@hh3:~> ldapsearch -x
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <> (default) with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: ALL
>>> #
>>>
>>> # search result
>>> search: 2
>>> result: 1 Operations error
>>> text: 2020: Operation unavailable without authentication
>>>
>>> # numResponses: 1
>>>
>>> I found this usage:
>>>
>>> samba-tool export keytab PATH_TO_KEYTAB
>>>
>>> How can I find my PATH_TO_KEYTAB?
>>> Thanks
>>
>> Can't get the syntax right:
>>
>> samba-tool domain exportkeytab /var/lib/named/master --principal
>>
>> Usage: samba-tool domain exportkeytab [options]
>>
>> samba-tool domain exportkeytab: error: --principal option requires an
>> argument
>
> samba-tool domain exportkeytab
> /path/to/the/keytab/file/you/want/to/create/or/update
> --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract
>
> Regards
>
> Geza

OK. Got as far as this:

samba-tool domain exportkeytab /your/key.tab --principal=SERVICE/host@realm

so I used:

samba-tool domain exportkeytab /etc/krb5.keytab --principal=DNS/HH3.SITE

But that's not the SERVICE I need I don't think.

Thanks
Steve
Re: [Samba] login via Samba 4 LDAP
On 2011-12-29 10:11, steve wrote:
> On 29/12/11 10:00, steve wrote:
>> On 28/12/11 21:59, Bernd Markgraf wrote:
>>> You should create a user in AD for nss-ldap and extract a keytab
>>> for it (samba-tool domain exportkeytab --principal=) and configure
>>> nss-ldap to use that keytab for authenticating. Most probably you
>>> aren't allowed to bind anonymously to your AD server (you can try
>>> with ldapsearch -x)
>>
>> LDAP works with an anonymous bind. You need the Kerberos keytab for
>> authentication though.
>>
>> steve@hh3:~> ldapsearch -x
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> (default) with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 1 Operations error
>> text: 2020: Operation unavailable without authentication
>>
>> # numResponses: 1
>>
>> I found this usage:
>>
>> samba-tool export keytab PATH_TO_KEYTAB
>>
>> How can I find my PATH_TO_KEYTAB?
>> Thanks
>
> Can't get the syntax right:
>
> samba-tool domain exportkeytab /var/lib/named/master --principal
>
> Usage: samba-tool domain exportkeytab [options]
>
> samba-tool domain exportkeytab: error: --principal option requires an
> argument

samba-tool domain exportkeytab /path/to/the/keytab/file/you/want/to/create/or/update --principal=the_name(samAccountName_or_spn_created_with_samba-tool_spn)_of_the_principal_you_want_to_extract

Regards

Geza
Re: [Samba] Error installing samba
Hi

2011/12/19 adenelvado silva :
>
> A problem is occurring when installing samba3.6 on FreeBSD release 8.2.
> Error:
>
> make: don't know how to make intall. Stop
> # make clean
> ===> Cleaning for libgcrypt-1.5.0
> ===> Cleaning for cups-client-1.5.0
> # make install
> ===> Vulnerability check disabled, database not found
> ===> License LGPL21 accepted by the user
> ===> Found saved configuration for cups-client-1.5.0
> ===> Extracting for cups-client-1.5.0
> => SHA256 Checksum OK for cups-1.5.0-source.tar.bz2.
> ===> Patching for cups-client-1.5.0
> ===> Applying FreeBSD patches for cups-client-1.5.0
> ===> cups-client-1.5.0 depends on executable: pkg-config - found
> ===> cups-client-1.5.0 depends on executable: gmake - found
> ===> cups-client-1.5.0 depends on shared library: gcrypt.18 - not found
> ===> Verifying install for gcrypt.18 in /usr/ports/security/libgcrypt
> ===> Vulnerability check disabled, database not found
> ===> License GPLv2 LGPL21 accepted by the user
> ===> Extracting for libgcrypt-1.5.0
> => SHA256 Checksum OK for libgcrypt-1.5.0.tar.bz2.
> ===> Patching for libgcrypt-1.5.0
> ===> Applying FreeBSD patches for libgcrypt-1.5.0
> ===> libgcrypt-1.5.0 depends on package: libgpg-error>=1.8 - found
> ===> libgcrypt-1.5.0 depends on package: libtool>=2.4 - not found
> ===> Found libtool-2.2.10, but you need to upgrade to libtool>=2.4.
> *** Error code 1
>
> Stop in /usr/ports/security/libgcrypt.
> *** Error code 1
>
> Stop in /usr/ports/print/cups-client.
> *** Error code 1
>
> Stop in /usr/ports/print/cups-client.

This looks more like a FreeBSD ports problem than a Samba problem. Also it
looks like you're building the cups-client port and not Samba? Try asking on
a FreeBSD list.

--
Michael Wood
Re: [Samba] DNS update failed! - Samba 3 joining Samba 4 AD Domain
Hi

On 16 December 2011 15:34, Mike Howard wrote:
> Hi All,
>
> I've got samba4 set up as AD domain controller (from latest git), works
> fine. I'm now attempting to use a separate samba 3 box as the file server
> (as I'm assuming this is current best practice?) but when joining the
> domain (which succeeds) I get the message 'DNS update failed!'. I've seen
> a lot of issues with this whilst trawling the net but no solutions.
>
> Windows clients can join the domain, it's only samba3 clients that can't. I
> haven't done anything special on the S3 clients (as I didn't need to with
> the windows clients) but maybe I need to?
>
> Anyway, if anybody has any ideas I'd be grateful.

Search the samba-technical list archives. There have been various messages
about Samba 4 DNS and problems with dynamic DNS updates from Samba 3.

Also, try running bind, Samba 4 and Samba 3 with the debugging turned up and
see what the actual error is. Maybe something to do with Kerberos?

I haven't tried joining Samba 3 to Samba 4, so not sure I can help more than
that.

--
Michael Wood
Re: [Samba] login via Samba 4 LDAP
On 29/12/11 10:00, steve wrote:
> On 28/12/11 21:59, Bernd Markgraf wrote:
>> You should create a user in AD for nss-ldap and extract a keytab
>> for it (samba-tool domain exportkeytab --principal=) and configure
>> nss-ldap to use that keytab for authenticating. Most probably you
>> aren't allowed to bind anonymously to your AD server (you can try
>> with ldapsearch -x)
>
> LDAP works with an anonymous bind. You need the Kerberos keytab for
> authentication though.
>
> steve@hh3:~> ldapsearch -x
> # extended LDIF
> #
> # LDAPv3
> # base <> (default) with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 1 Operations error
> text: 2020: Operation unavailable without authentication
>
> # numResponses: 1
>
> I found this usage:
>
> samba-tool export keytab PATH_TO_KEYTAB
>
> How can I find my PATH_TO_KEYTAB?
> Thanks

Can't get the syntax right:

samba-tool domain exportkeytab /var/lib/named/master --principal

Usage: samba-tool domain exportkeytab [options]

samba-tool domain exportkeytab: error: --principal option requires an
argument
Re: [Samba] login via Samba 4 LDAP
On 28/12/11 21:59, Bernd Markgraf wrote:
> You should create a user in AD for nss-ldap and extract a keytab
> for it (samba-tool domain exportkeytab --principal=) and configure
> nss-ldap to use that keytab for authenticating. Most probably you
> aren't allowed to bind anonymously to your AD server (you can try
> with ldapsearch -x)

LDAP works with an anonymous bind. You need the Kerberos keytab for
authentication though.

steve@hh3:~> ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 2020: Operation unavailable without authentication

# numResponses: 1

I found this usage:

samba-tool export keytab PATH_TO_KEYTAB

How can I find my PATH_TO_KEYTAB?
Thanks