[Samba] Roaming profiles not being loaded
I tried to build a setup to model, and hence learn, how to configure Samba servers for the setup that I described below. However, a user login in which the profile is defined to be on a Samba server that is not the PDC never gets a roaming profile -- instead the user always gets a temporary profile. Looking at the Windows logs, it is complaining about a permissions issue. However, once logged in (with the temporary profile), that user can create and modify files in the profile directory. I have turned the logging level to 3, but I don't see anything useful.

The PDC is running Samba 3.5.11, while the other server (modeling the fileserver in the proposed network) is running Samba 3.5.10. The usernames exist in the /etc/passwd files on both machines (although I think that I should not need this if I can get winbindd working properly). Home directories for the users exist on both machines.

Some specifics:

1. smb.conf from the "fileserver" (not the PDC, but the machine where the profile directories are found):

    [global]
        workgroup = MATTHEWS
        server string = Samba Server Version %v
        netbios name = sambatest
        log file = /var/log/samba/log.%m
        max log size = 50
        log level = 3
        security = domain
        passdb backend = tdbsam
        password server = firewall
        idmap backend = tdb
        idmap uid = 9000-
        idmap gid = 9000-
        local master = no
        load printers = yes
        cups options = raw

    [homes]
        comment = Home Directories
        browseable = no
        writable = yes

    [printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes

    [profiles]
        comment = profiles
        path = /export/profiles
        browseable = yes
        guest ok = yes

2. smb.conf from the PDC:

    [global]
        workgroup = MATTHEWS
        netbios aliases = SERVER, firewall, newfirewall
        server string = Samba Server %v
        interfaces = 192.168.89.1, 127.0.0.1, 192.168.89.2, 192.168.89.6, 10.9.0.1
        bind interfaces only = Yes
        security = user
        log file = /var/log/samba3/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        os level = 90
        preferred master = Yes
        domain master = Yes
        domain logons = yes
        dns proxy = No
        wins server = 192.168.89.1
        wins support = Yes
        admin users = root, simon, @wheel
        hosts allow = 192.168.0.0/255.255.0.0, 10.8.0.0/24
        hosts deny = 0.0.0.0/0
        passdb backend = tdbsam
        logon path = \\%N\profiles\%U
        logon home = \\firewall\%U\winprofile

    [profiles]
        comment = profiles
        path = /export/profiles
        read only = No

    [homes]
        comment = Home Directories
        path = /home/%u
        read only = No

    [allhomes]
        comment = Home Directories
        path = /home
        guest ok = Yes

    [print$]
        path = /var/lib/samba/printers
        guest ok = Yes

    [CD]
        path = /mnt/cdrom/
        guest ok = Yes

    [certs]
        path = /home/certs
        guest ok = Yes

    [pub]
        path = /home/pub
        read only = No
        guest ok = Yes

    [HP]
        comment = HP Printer
        path = /tmp
        guest ok = Yes
        printable = Yes
        print command = lpr -P HP -oraw -r -l %s
        lpq command = lpq -P'HP'
        lprm command = lprm -P'HP' %j
        use client driver = Yes

    [Laser]
        path = /tmp
        printable = Yes

3. pdb data for the user that cannot get a profile:

    pdbedit -v simontest
    Unix username:        simontest
    NT username:
    Account Flags:        [U          ]
    User SID:             S-1-5-21-812011073-3920078087-27638135-1004
    Primary Group SID:    S-1-5-21-812011073-3920078087-27638135-513
    Full Name:
    Home Directory:       \\firewall\simontest\winprofile
    HomeDir Drive:
    Logon Script:
    Profile Path:         \\sambatest\profiles\simontest
    Domain:               MATTHEWS
    Account desc:
    Workstations:
    Munged dial:
    Logon time:           0
    Logoff time:          Wed, 06 Feb 2036 07:06:39 PST
    Kickoff time:         Wed, 06 Feb 2036 07:06:39 PST
    Password last set:    Sat, 24 Mar 2012 15:09:20 PDT
    Password can change:  Sat, 24 Mar 2012 15:09:20 PDT
    Password must change: never
    Last bad password   : 0
    Bad password count  : 0
    Logon hours         : FF

Does anyone have any suggestions on what might be wrong? If it needs entries from the log files, I can add these.

Simon

On Sat, Mar 24, 2012 at 12:09 PM, Simon Matthews wrote:
> I currently have a server which is both the PDC for my domain and the file
> server for the network.
>
> I need to split these functions and move the PDC function to another box,
> while leaving the original server as the file server on which home
> directories and roaming profiles are stored. User credentials are stored in
> a tdbsam database and I am running Samba 3.5.
>
> Does anyone have any pointers on what to move and any potential pitfalls
> in the process? I have always used the same machine for both the PDC and
> file server, so this is somewhat unknown territory for me. I assume that
> the file server will still
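The post above shows two [profiles] shares: the PDC's has `read only = No`, the member server's has no write-related line at all and is `guest ok = yes`. Samba's defaults are `read only = yes` and `guest ok = no`, and the options `writable`, `writeable` and `write ok` are inverted synonyms of `read only`, while `public` is a synonym of `guest ok`, so it is easy to misread a share's effective access by eye. The following is an added example, written for this page and not code from the poster or from the Samba project: a small smb.conf parser that resolves those synonyms and defaults and flags profile shares that are read-only or guest-accessible. The config text is a constructed excerpt modelled on the shares quoted above, with a hardened variant placed beside the posted one; the share name `profiles-hardened` and the mask values are this example's own choices.

```python
"""Added example (not from the list post): report the effective 'read only'
and 'guest ok' state of each share in an smb.conf, resolving Samba's
synonyms and defaults.

Samba facts relied on: 'read only' defaults to yes, 'guest ok' defaults to
no; 'writable', 'writeable' and 'write ok' are inverted synonyms of
'read only'; 'public' is a synonym of 'guest ok'. Later lines in a section
override earlier ones."""
import re

# Constructed sample modelled on the thread: the member server's [profiles]
# share as posted (no write-related line, guest ok = yes) beside a hardened
# version. 'profiles-hardened' and the mask values are this example's own.
SAMPLE_SMB_CONF = """
[global]
    workgroup = MATTHEWS
    security = domain

[profiles]
    comment = profiles
    path = /export/profiles
    browseable = yes
    guest ok = yes

[profiles-hardened]
    comment = roaming profiles
    path = /export/profiles
    read only = no
    guest ok = no
    browseable = no
    create mask = 0600
    directory mask = 0700
"""

TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}


def _to_bool(value):
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    if v in FALSE_WORDS:
        return False
    raise ValueError("not a boolean smb.conf value: %r" % value)


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased with single spaces."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def effective_flags(sections, share):
    """Resolve 'read only' and 'guest ok' for one share: [global] first,
    then the share section, with synonyms folded onto the canonical name."""
    merged = {}
    for scope in ("global", share):
        for key, value in sections.get(scope, {}).items():
            if key in ("writable", "writeable", "write ok"):
                merged["read only"] = not _to_bool(value)
            elif key == "read only":
                merged["read only"] = _to_bool(value)
            elif key in ("guest ok", "public"):
                merged["guest ok"] = _to_bool(value)
    return {
        "read only": merged.get("read only", True),   # Samba default: yes
        "guest ok": merged.get("guest ok", False),    # Samba default: no
    }


def audit_shares(text):
    """Map each ordinary share to the findings a reviewer of a roaming-profile
    server wants to see: read-only shares and guest-accessible shares."""
    sections = parse_smb_conf(text)
    findings = {}
    for share in sections:
        if share in ("global", "homes", "printers"):
            continue
        flags = effective_flags(sections, share)
        problems = []
        if flags["read only"]:
            problems.append("read only (profile writes will fail)")
        if flags["guest ok"]:
            problems.append("guest ok (profiles readable without authentication)")
        findings[share] = problems
    return findings


if __name__ == "__main__":
    for share, problems in audit_shares(SAMPLE_SMB_CONF).items():
        print("[%s]: %s" % (share, ", ".join(problems) or "ok"))
```

Run against the posted member-server config, the audit reports the [profiles] share as both read-only and guest-accessible; `testparm -v` on the real server gives the same resolved view, and is what to compare against the PDC's `read only = No` share.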
[Samba] winbindd not providing supplementary groups with server 2003 AD
I have a Windows Server 2003 AD controller and a Samba 3 (3.5.11 or 3.6.3) member server running on FreeBSD 8.2/9.0. I don't use MS Services for Unix and my setup relies on winbindd for idmapping. I can see all users / groups with wbinfo -g, wbinfo -u, getent group, getent passwd. I can see all of a user's groups with id.

I had to solve more complicated tasks including ACLs and granting rights to AD groups. I was surprised that only primary groups for users were honored, but supplementary ones were not. I tested with a share on a filesystem without ACLs to exclude an error in the ACLs - same problem. Using debuglevel 10 I saw that somehow an incorrect list of supplementary groups appears. wbinfo -r username returns ONLY the primary group of the user.

    smbserver:/var/log/samba# id AD-DOMAIN_user13
    uid=10014(AD-DOMAIN_user13) gid=10013(AD-DOMAIN_domain users) groups=10013(AD-DOMAIN_domain users),10022(AD-DOMAIN_accounting)

(this is correct, the user is a member of these two groups only)

getent group shows (all IDMapped groups from AD):

    AD-DOMAIN_helpservicesgroup:x:10002:AD-DOMAIN_support_388
    AD-DOMAIN_telnetclients:x:10003
    AD-DOMAIN_wins users:x:10004
    AD-DOMAIN_dhcp users:x:10005
    AD-DOMAIN_dhcp administrators:x:10006
    AD-DOMAIN_domain computers:x:10007
    AD-DOMAIN_domain controllers:x:10008
    AD-DOMAIN_schema admins:x:10009:AD-DOMAIN_job_acc,AD-DOMAIN_marti,AD-DOMAIN_administrator
    AD-DOMAIN_enterprise admins:x:10010:AD-DOMAIN_job_acc,AD-DOMAIN_marti,AD-DOMAIN_administrator
    AD-DOMAIN_cert publishers:x:10011
    AD-DOMAIN_domain admins:x:10012:AD-DOMAIN_atan,AD-DOMAIN_job_acc,AD-DOMAIN_administrator
    AD-DOMAIN_domain users:x:10013:AD-DOMAIN_marti,AD-DOMAIN_interbase,AD-DOMAIN_iii,AD-DOMAIN_plll,AD-DOMAIN_lid,AD-DOMAIN_ita
    AD-DOMAIN_domain guests:x:10014
    AD-DOMAIN_group policy creator owners:x:10015:AD-DOMAIN_job_acc,AD-DOMAIN_marti,AD-DOMAIN_administrator
    AD-DOMAIN_ras and ias servers:x:10016
    AD-DOMAIN_dnsadmins:x:10017
    AD-DOMAIN_dnsupdateproxy:x:10018
    AD-DOMAIN_management:x:10019:AD-DOMAIN_iva,AD-DOMAIN_marti
    AD-DOMAIN_manufacture:x:10020:AD-DOMAIN_poli,AD-DOMAIN_kanc,AD-DOMAIN_delc,AD-DOMAIN_kol,AD-DOMAIN_pash,AD-DOMAIN_nik
    AD-DOMAIN_offices:x:10021:AD-DOMAIN_nesh,AD-DOMAIN_stef,AD-DOMAIN_jon,AD-DOMAIN_dimi
    AD-DOMAIN_accounting:x:10022:AD-DOMAIN_user01,AD-DOMAIN_pet,AD-DOMAIN_user13,AD-DOMAIN_georg,AD-DOMAIN_acct1
    AD-DOMAIN_stock_management:x:10023:AD-DOMAIN_stef,AD-DOMAIN_pash,AD-DOMAIN_nik
    AD-DOMAIN_trz:x:10024:AD-DOMAIN_ivan,AD-DOMAIN_georg
    AD-DOMAIN_backup:x:10025
    AD-DOMAIN_test2:x:10026

As I try to access a shared folder with the following permissions:

    (UIDs/GIDs)
    drwxrwx---  2 10012  10022  512 Mar 23 18:14 accshart

    (user and group names)
    drwxrwx---  2 AD-DOMAIN_user01  AD-DOMAIN_accounting  512 Mar 23 18:14 accshart

with debuglevel 10 I see the following strange messages:

    [2012/03/23 18:58:16.606992,  5] ../libcli/security/security_token.c:63(security_token_debug)
      Security token SIDs (10):
        SID[  0]: S-1-5-21-1579055750-3724707312-788426950-1136
        SID[  1]: S-1-5-21-1579055750-3724707312-788426950-513
        SID[  2]: S-1-1-0
        SID[  3]: S-1-5-2
        SID[  4]: S-1-5-11
        SID[  5]: S-1-22-1-10014
        SID[  6]: S-1-22-2-10013
        SID[  7]: S-1-22-2-1
        SID[  8]: S-1-22-2-10001
        SID[  9]: S-1-22-2-10027
       Privileges (0x               0):
       Rights (0x               0):
    [2012/03/23 18:58:16.607095,  5] auth/token_util.c:527(debug_unix_user_token)
      UNIX token of user 10014
      Primary group is 10013 and contains 4 supplementary groups
      Group[  0]: 10013
      Group[  1]: 1
      Group[  2]: 10001
      Group[  3]: 10027
    [2012/03/23 18:58:16.607157,  5] smbd/uid.c:317(change_to_user_internal)
      Impersonated user: uid=(0,10014), gid=(0,10013)
    [2012/03/23 18:58:16.607176,  4] smbd/vfs.c:780(vfs_ChDir)
      vfs_ChDir to /usr/accshart
    [2012/03/23 18:58:16.607202,  4] smbd/vfs.c:780(vfs_ChDir)
      vfs_ChDir to /usr/accshart
    [2012/03/23 18:58:16.607223,  3] smbd/service.c:190(set_current_service)
      chdir (/usr/accshart) failed, reason: Permission denied
    [2012/03/23 18:58:16.607270,  3] smbd/error.c:81(error_packet_set)
      error packet at smbd/process.c(1558) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED

As you can see, only the primary group [0] is correct; supplementary groups [1], [2], [3] do not exist.

wbinfo -r AD-DOMAIN_user13 returns only the primary GID: 10013

This is the same with both available versions of Samba via FreeBSD ports: 3.5.11 and 3.6.3.

Here is my Samba config:

    [global]
        workgroup = AD-DOMAIN
        realm = AD-DOMAIN.LOCAL
        server string = Samba Server
        interfaces = localhost, nfe0
        bind interfaces only = Yes
        security = ADS
        map untrusted to domain = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 500
        template homedir = /var/spool/vacation/AD-DOMAIN
        template shell = /sbin/nologin
        winbind separator = _
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nested group
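The debug excerpt in the post shows the check a practitioner makes here: smbd encodes POSIX ids in its security token under the S-1-22 authority, S-1-22-1-<uid> for the Unix user and S-1-22-2-<gid> for each Unix group, so the gids smbd actually used can be read straight off the token dump and compared with what nss reports. The following is an added example written for this page, not code from the poster or from the Samba project. It parses a token dump and a getent-group-style listing, both constructed here from the output quoted above (the group list is shortened to three lines), and reports gids present in the token that nss does not know, and group memberships nss reports that are absent from the token. The function names are this example's own.

```python
"""Added example (not from the list post): cross-check the UNIX ids in an
smbd security-token dump against the group database nss reports.

Samba fact relied on: smbd represents POSIX ids as SIDs under the S-1-22
authority, S-1-22-1-<uid> for users and S-1-22-2-<gid> for groups."""
import re

# Constructed from the debug output quoted in the post.
SAMPLE_LOG = """\
[2012/03/23 18:58:16.606992,  5] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (10):
    SID[  0]: S-1-5-21-1579055750-3724707312-788426950-1136
    SID[  1]: S-1-5-21-1579055750-3724707312-788426950-513
    SID[  2]: S-1-1-0
    SID[  3]: S-1-5-2
    SID[  4]: S-1-5-11
    SID[  5]: S-1-22-1-10014
    SID[  6]: S-1-22-2-10013
    SID[  7]: S-1-22-2-1
    SID[  8]: S-1-22-2-10001
    SID[  9]: S-1-22-2-10027
"""

# Constructed getent-group-style lines, shortened from the post's listing.
SAMPLE_GROUPS = """\
AD-DOMAIN_domain users:x:10013:AD-DOMAIN_marti,AD-DOMAIN_user13
AD-DOMAIN_accounting:x:10022:AD-DOMAIN_user01,AD-DOMAIN_user13,AD-DOMAIN_georg
AD-DOMAIN_backup:x:10025:
"""

UNIX_SID = re.compile(r"\bS-1-22-(1|2)-(\d+)\b")


def unix_ids_from_token(log_text):
    """Return ([uids], [gids]) in the order they appear in the token dump."""
    uids, gids = [], []
    for kind, num in UNIX_SID.findall(log_text):
        (uids if kind == "1" else gids).append(int(num))
    return uids, gids


def parse_group_db(text):
    """Return ({gid: name}, {member: {gid, ...}}) from getent group lines."""
    names, membership = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, gid, members = line.split(":", 3)
        gid = int(gid)
        names[gid] = name
        for member in filter(None, members.split(",")):
            membership.setdefault(member, set()).add(gid)
    return names, membership


def diagnose(log_text, group_text, user):
    """Compare the token smbd built with nss's view of the user's groups.

    unknown_gids: gids in the token that no nss group carries (stale or
                  foreign idmap entries);
    missing_gids: groups nss lists the user in that the token lacks."""
    names, membership = parse_group_db(group_text)
    uids, gids = unix_ids_from_token(log_text)
    token_gids = set(gids)
    expected = membership.get(user, set())
    return {
        "uid": uids[0] if uids else None,
        "primary_gid": gids[0] if gids else None,
        "unknown_gids": sorted(g for g in token_gids if g not in names),
        "missing_gids": sorted(expected - token_gids),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG, SAMPLE_GROUPS, "AD-DOMAIN_user13")
    for key, value in result.items():
        print("%-13s %s" % (key + ":", value))
```

On the posted data the token's supplementary gids 1, 10001 and 10027 match no group nss knows, and gid 10022 (accounting), which nss says the user belongs to, is absent from the token; that is the mismatch between `id` and the smbd token that the post describes, and the directory's group-write bit on 10022 then does nothing for this user.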
[Samba] Suggestions for moving a PDC function
I currently have a server which is both the PDC for my domain and the file server for the network. I need to split these functions and move the PDC function to another box, while leaving the original server as the file server on which home directories and roaming profiles are stored. User credentials are stored in a tdbsam database and I am running Samba 3.5.

Does anyone have any pointers on what to move and any potential pitfalls in the process? I have always used the same machine for both the PDC and file server, so this is somewhat unknown territory for me. I assume that the file server will still run Samba, and I will change the "domain master = " and "domain logins = " to no in both cases. Also "security =" should be set to "security = domain", and set up a machine account on the file server which is then joined to the domain?

What files need to be moved to the new Samba server? I see that there are files in /var/cache/samba (it's a Gentoo system) which I assume also have to be put into the proper place on the new server. Is there anything else I need to look for?

Many thanks for any suggestions.

Simon
-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] windows 2008 not able to access Samba Shares
Hi,

I have Samba configured on Linux, Solaris & HP-UX machines. All versions are lower than 3.4.7. I am able to access Samba shares from Windows XP and Windows NT / 2003 Server. Recently we added Windows 7 and Windows 2008 Std Edition as clients, but I am unable to access Samba shares from the Windows 2008 system. After changing the following registry value in Windows 7, I am now able to access Samba shares:

    HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

But the problem is still there with Windows 2008. I have gone through a number of postings and made changes in the security options, but no luck. Any idea how to resolve this issue?

The following global parameters are set:

    workgroup = WG01
    realm = localdomain.com
    server string = File server%v on (%L)
    netbios name =
    security = SERVER
    encrypt passwords = Yes
    update encrypted = Yes
    password server = 192.168.x.x
    log level = 3
    log file = /var/log/samba/samba.log.%m.%R
    name resolve order = wins dns bcast hosts
    wins server = 192.168.x.x
    case sensitive = Yes

Thanks in advance.

Regards,
VK
Re: [Samba] Users can't login any more
On 23-03-12 21:01, Gaiseric Vandal wrote:
> Samba 3.5.3 should be recent enough to work properly. You should probably
> troubleshoot your Windows 98 and XP machines separately. Do you have any
> real XP machines? Were your XP machines working prior to this problem?
> Do you get the errors in the smbd log every time you restart Samba? Have
> you restarted Samba recently? Does "smbclient" work if you specify a user
> name (Administrator or another user)? Do the accounts look ok in
> "pdbedit -Lv"?

Hi,

Thank you for your reply. I hope I solved my problem (I can't test for the moment, I'm at home). The cause was (I hope) a "misconfiguration" of some switches. Thursday afternoon I needed to monitor a port on a switch for traffic. I saw a configuration I hadn't seen yet: Auto DoS. I believed this would prevent DoS attacks, so I enabled it, and on two other switches. It seems it's the opposite: it prevents some traffic, effectively creating a DoS. I just googled, and it's a known problem of that switch type: HP ProCurve 1810G. I reverted that; I'll have to see what's happening Monday.

But your suggestions are noted for future troubleshooting. So, thanks again.

Regards,
Koenraad Lelong.
Re: [Samba] IDMAP dump and restore for second server.
On Fri, Mar 23, 2012 at 10:51:47AM +, Johan Hendriks wrote:
> Thanks for the reply.
>
> probably my lack of understanding the whole thing is making it a little
> confusing for me.
>
> Is there a way to get the same id's on a second server.

You could move to using an LDAP backend, then it'll always be consistent between the servers. If you set up LDAP on both controllers, you can have replication and a solution that will scale well as you add servers.

-- Bruce

It is impolite to tell a man who is carrying you on his shoulders that his head smells.
Re: [Samba] Samba4: ID mapping is hard
On 24/03/12 01:20, Andrew Bartlett wrote:
> On Fri, 2012-03-23 at 23:54 +0100, steve wrote:
>> What is working well for us in tests is giving Domain Users a uid, gid,
>> setting their primaryGroupID to that of a posix-ified security group and
>> storing these attributes in their entry in sam.ldb. The only problem I
>> have with this is that adding the posixGroup objectClass to a security
>> group removes the ability to be able to list its members in ADUC and it
>> is really unfortunate that I can't test this against a windows server.
>> Because I don't have one.
>
> Trial copies of Windows are available for download:
> https://www.microsoft.com/en-us/server-cloud/windows-server/2008-r2-trial.aspx
>
>> This is merely an inconvenience as the posix-ified security group behaves
>> exactly as if it were a normal domain group. If we want point and click
>> we can use phpldapadmin. So, uid gid mapping and the interoperability of
>> domain and posix groups like this is really simple. What we fear may
>> happen is that when an official s4 mapping method comes along, it will
>> make changes to either the schema or sam.ldb which will disallow our
>> storing our attributes in the directory.
>
> Any valid schema modification that is supported in windows will continue
> to be supported. The schema as shipped is the official AD schema, and it
> and the implementation of the mayContains rules associated are both highly
> unlikely to change.
>
>> Are we wasting time proceeding with this or does it make at least a
>> little sense? Our aim is simply to have a single sign on linux/windows.
>> As s4 does not provide an official mechanism for this at the moment we
>> invented this.
>
> For Linux clients, the supported solution is using Samba3's winbindd.
> Patches to modify Samba4's id mapping to internally honour the same id
> mapping behaviour of the Samba3 winbindd you deploy on clients would be
> welcome and appreciated. Binding nss_ldap directly against any AD
> implementation has always been a bad idea. We built winbindd for this
> reason, and recommend its use against Samba4.

Winbind with samba4 does not work (or please tell me how to do it). If I replace my ldap with winbind in nsswitch.conf, mappings are no longer under our control. We use nss-ldapd to extract the posix attributes directly from the s4 ldap. It's simple, 100% reliable and fast. The posix attributes need no manipulation as they are stored alongside the windows stuff under the user dn. Our fileserver on the Linux side is kerberized nfs which is also rock solid. nss-pam-ldapd/nslcd (not the old nss-ldap) just works. Why is this a bad idea? winbind seems overly complicated when Linux tools are already in place to do what we need. I'm sure I'm missing the obvious here though.

Please let us not forget that Linux workstations are just as important on a lan as those with windows. Let's serve them equally well.

Our concern is that this method will not work for future releases of Samba4. Your note about the mayContain is most welcome however.

Thanks so much for taking time to explain this for us. It really does help put an understandable slant on s4 from an ordinary user pov.

Steve