[Samba] Samba 4 with FreeIPA as Backend
Hi everyone,

I am new to this mailing list. At the moment I would like to migrate all of my users from Microsoft Active Directory to Open Source, and what I have in mind is getting it into Samba 4. In extending the functionality of it, I decided to integrate FreeIPA as the backend to Samba 4. I saw some obsolete references on how to use FreeIPA as a Samba 4 backend, but I don't know where the new references are. Herewith I would seek advice on how to go about my mission.

Thank you
Regards
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] The problem with setting up AD domain to Samba 4
On Thu, 2013-06-27 at 17:28 +0400, Vladimir A Fomkin wrote:
> How add one parameter by ldbedit without interactive editor? (for scripting)

ldbmodify

There are scripts here: http://linuxcostablanca.blogspot.com.es/p/s4bind.html

hth
[Samba] Samba4 AD and mail auth
Hi list,

Does anyone have experience in setting up dovecot or any other mail system with user auth against a Samba4 AD? If yes, could I get some advice on that topic or even a link to a resource where I can get some information? Googled a lot but didn't find anything yet.

Thanks in advance.

--
Kind regards
Carsten Laun-De Lellis
Hauptstrasse 13
D-67705 Trippstadt
Phone: +49 6306 992140
Fax: +49 6306 992142
Mobile: +49 151 27530865
email: carsten.delel...@delellis.net
http://www.linkedin.com/in/carstenlaundelellis
Re: [Samba] Samba4 AD and mail auth
On 28.06.2013 10:31, Carsten Laun-De Lellis wrote:
> Hi list,
> Does anyone have experience in setting up dovecot or any other mail system with user auth against a Samba4 AD? If yes, could I get some advice on that topic or even a link to a resource where I can get some information? Googled a lot but didn't find anything yet.
> Thanks in advance.

I did it with dovecot/postfix on Debian wheezy; there is a lot more info if you look for dovecot setup against Microsoft AD.

First create a user for ldap queries:

    samba-tool user add ldap [password]

Configure dovecot passdb against Samba4 AD; add or change this in your dovecot.conf or auth-ldap-conf.ext (on wheezy):

    # Authentication for LDAP users
    passdb {
      driver = ldap
      args = /etc/dovecot/dovecot-ldap-passdb.conf.ext
    }

Create /etc/dovecot/dovecot-ldap-passdb.conf.ext. You may have to use sAMAccountName instead of cn for auth_bind_userdn and pass_filter. On my side these are identical because I migrated from samba3/openldap. The filter looks for person classes with a matching cn and an existing mail attribute.

    hosts = localhost
    auth_bind = yes
    auth_bind_userdn = cn=%u,cn=Users,dc=yourdomain,dc=local
    ldap_version = 3
    base = cn=Users,dc=yourdomain,dc=local
    pass_filter = (&(objectClass=person)(cn=%u)(mail=*))

Use different ldap settings for other user lookups; this goes again into dovecot.conf:

    # Users
    userdb {
      driver = ldap
      args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
    }

Create /etc/dovecot/dovecot-ldap-userdb.conf.ext; again you may have to change cn to sAMAccountName in user_filter and iter_attrs. On my side I use one system user vmail (uid:999, gid:999) for all maildirs and those are stored under /var/lib/vmail. With such a setup, attributes like uidNumber and gidNumber are not required for every user entry in ldap, so I can hardcode all necessary userdb lookup variables. I use /var/lib/vmail/[cn] as the dovecot user homedir (for things like sieve settings etc.) and /var/lib/vmail/[cn]/mail for the maildir.

    hosts = localhost
    dn = cn=ldap,cn=Users,DC=yourdomain,DC=local
    dnpass = [password]
    ldap_version = 3
    base = cn=Users,DC=yourdomain,DC=local
    user_attrs = =uid=999,=gid=999,=home=/var/lib/vmail/%u,mail=/var/lib/vmail/%u/mail
    user_filter = (&(objectClass=person)(cn=%u)(mail=*))
    # Attributes and filter to get a list of all users
    iterate_attrs = cn=user
    iterate_filter = (objectClass=person)

For reference these are my maildir settings in dovecot.conf (10-mail.conf on wheezy).

    ## Maildir locations and settings
    mail_plugins = acl
    mail_home = /var/lib/vmail/%u
    mail_location = maildir:/var/lib/vmail/%u/mail
    mail_uid = 999
    mail_gid = 999
    first_valid_uid = 999
    first_valid_gid = 999
    #mail_full_filesystem_access = no
    mail_shared_explicit_inbox = no
    maildir_very_dirty_syncs = yes
    namespace {
      list = no
      location = maildir:/var/lib/vmail/%%u/mail:INDEX=/var/lib/vmail/%u/mail/shared/%%u
      prefix = shared/%%u/
      separator = /
      subscriptions = no
      type = shared
    }
    namespace inbox {
      inbox = yes
      location = maildir:/var/lib/vmail/%u/mail
      prefix =
      separator = /
      type = private
    }

If you want to use kerberos with dovecot (works well with thunderbird on domain member workstations) you have to create an spn and a keytab.

    samba-tool spn add imap/server.yourdomain.local@YOURDOMAIN.LOCAL ldap

I had trouble with the keytab but this worked so far (use the ldap user's password if asked).

    cd /etc/dovecot
    ktutil
    addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
    wkt dovecot.keytab

If you use dovecot for postfix authentication as well:

    samba-tool spn add smtp/server.yourdomain.local@YOURDOMAIN.LOCAL ldap
    cd /etc/dovecot
    ktutil
    addent -password -p imap/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
    addent -password -p smtp/server.yourdomain.local@YOURDOMAIN.LOCAL -k 1 -e arcfour-hmac
    wkt dovecot.keytab

The necessary settings in dovecot.conf (10-auth.conf on wheezy) are as follows. The only way I got it working was with auth_gssapi_hostname = $ALL, which may be a bit insecure.

    auth_mechanisms = plain login gssapi
    # Kerberos
    auth_gssapi_hostname = $ALL
    auth_krb5_keytab = /etc/dovecot/dovecot.keytab

Hope that helps.
achim~
Re: [Samba] Samba4 AD and mail auth
Hi Achim,

First of all thanks for your input. The way you set it up was the way I did it. But when I go through your ldap configuration it doesn't really solve my problem or, maybe more likely, I don't understand it. For auth I want my users to connect to dovecot with a user/password token. In your config I can't see where you match the password to the AD password. Maybe I wasn't specific enough about what I want to do. Or I don't understand where you match against the user password. And again there is a good chance that the problem is myself. :'(

Thanks again.

---
Kind regards
Carsten Laun-De Lellis
Re: [Samba] Successful Mail Delivery Report
Sorry Achim,

I didn't want to be rude, but I forgot to answer your last suggestion. Using Kerberos is not really an option for me, because I want to use smartphones as well, with no Thunderbird and no domain membership.

Regards,
---
Kind regards
Carsten Laun-De Lellis

On 2013-06-28 13:24, mailer-dae...@samba.org wrote:
> This is the mail system at host mail.samba.org.
> Your message was successfully delivered to the destination(s) listed below. If the message was delivered to mailbox you will receive no further notifications. Otherwise you may still receive notifications of mail delivery errors from other systems.
> The mail system
> samba@lists.samba.org: delivery via local: alias expanded
Re: [Samba] Samba4 AD and mail auth
On 28.06.2013 13:24, Carsten Laun-De Lellis wrote:
> Hi Achim,
> First of all thanks for your input. The way you set it up was the way I did it. But when I go through your ldap configuration it doesn't really solve my problem or, maybe more likely, I don't understand it. For auth I want my users to connect to dovecot with a user/password token. In your config I can't see where you match the password to the AD password.

For authentication dovecot uses what is configured in passdb. In the corresponding ldap config you can see it uses auth_bind=yes, and auth_bind_userdn defines the dn used to auth against samba4 ldap. As said, on my side cn is identical with sAMAccountName; if it's not on your side you may have to use cn/Password instead of sAMAccountName/Password.
Re: [Samba] Successful Mail Delivery Report
On 28.06.2013 13:28, Carsten Laun-De Lellis wrote:
> Sorry Achim,
> I didn't want to be rude, but I forgot to answer your last suggestion. Using Kerberos is not really an option for me, because I want to use smartphones as well, with no Thunderbird and no domain membership.
> Regards,

If you add gssapi to auth_mechanisms, kerberos is just another option for authentication; I use it with smartphones and plain auth as well.

To clarify the dn issue: if you create your users with RSAT on Windows the dn usually looks like CN=[Firstname] [Surname],CN=Users,DC=yourdomain,DC=local, so in that case you will have to use [Firstname] [Surname] instead of user (sAMAccountName) as the username.
[Samba] Transfer FSMO roles
Hello,

I'm trying to transfer roles from two DCs running samba 4.0.6. When I run

    srv2:~# samba-tool fsmo transfer --role=all
    FSMO transfer of 'rid' role successful
    FSMO transfer of 'pdc' role successful
    FSMO transfer of 'naming' role successful
    FSMO transfer of 'infrastructure' role successful
    FSMO transfer of 'schema' role successful

from the second DC, it seems ok, but if I try to demote the old DC, I get this:

    srv1:~# samba-tool domain demote
    ERROR: Current DC is still the owner of 2 role(s), use the role command to transfer roles to another DC.

Which is the correct method to transfer roles?

Thank you.
--
Umberto Peserico
Re: [Samba] Samba4 AD and mail auth
Hi Achim,

Don't want to bother you, but I still got error messages.

    Jun 28 15:09:57 rv1325 dovecot: auth: Debug: auth client connected (pid=2157)
    Jun 28 15:09:57 rv1325 dovecot: auth: Debug: client in: AUTH#0111#011NTLM#011service=imap#011session=KkN8mDbgGABUmsab#011lip=178.254.21.125#011rip=84.154.198.155#011lport=143#011rport=49432
    Jun 28 15:09:57 rv1325 dovecot: auth: Debug: client passdb out: CONT#0111#011
    Jun 28 15:09:57 rv1325 dovecot: auth: Debug: client in: CONT#0111#011TlRMTVNTUAABB4IIogAGAvAjDw== (previous base64 data may contain sensitive data)
    Jun 28 15:09:57 rv1325 dovecot: auth: Debug: client passdb out: CONT#0111#011TlRMTVNTUAACDAAMADAFAooAzlGLZuaYgz0AABQAFAA8cgB2ADEAMwAyADUAAwAMAHIAdgAxADMAMgA1AAA=
    Jun 28 15:09:58 rv1325 dovecot: auth: Debug: client in: CONT#0111#011TlRMTVNTUAADGAAYAHYAAADAAMAAjgBYEAAQAFgOAA4AaABOAQAABQKIAgYC8CMP6HRQNL0+o3yODw5hHqFFvHQAZQBzAHQAdQBzAGUAcgBXADAAMAAwADAAMAA1ABnluuxW4N/hRueL6TyYm30BAQAAAB2Yjc4AdM4B6LKt7eH6AGUAAwAMAHIAdgAxADMAMgA1AAgAMAAwAAEAIAAABJBPeBFKFDBXIh0KoOgHioqV/yHKS7i3O2lbwelRVv4KABkAMABpAG0AYQBwAC8AcgB2ADEAMwAyADUALgBkAGUAbABlAGwAbABpAHMALgBuAGUAdA== (previous base64 data may contain sensitive data)
    Jun 28 15:09:58 rv1325 dovecot: auth: Debug: password(testuser,84.154.198.155,KkN8mDbgGABUmsab): passdb doesn't support credential lookups
    Jun 28 15:09:58 rv1325 dovecot: auth: Debug: password(testuser,84.154.198.155,KkN8mDbgGABUmsab): passdb doesn't support credential lookups
    Jun 28 15:10:00 rv1325 dovecot: auth: Debug: client passdb out: FAIL#0111#011user=testuser
    Jun 28 15:10:00 rv1325 dovecot: auth: Debug: client in: AUTH#0112#011DIGEST-MD5#011service=imap#011session=KkN8mDbgGABUmsab#011lip=178.254.21.125#011rip=84.154.198.155#011lport=143#011rport=49432
    Jun 28 15:10:04 rv1325 dovecot: auth: Debug: client passdb out: CONT#0112#011cmVhbG09IiIsbm9uY2U9Ii9nZndwbWd1TTlDMlVkekhZRld0R0E9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI=
    Jun 28 15:10:04 rv1325 dovecot: auth: Debug: client in: CONT#0112#011dXNlcm5hbWU9InRlc3R1c2VyIixyZWFsbT0iIixub25jZT0iL2dmd3BtZ3VNOUMyVWR6SFlGV3RHQT09IixkaWdlc3QtdXJpPSJpbWFwL3J2MTMyNS5kZWxlbGxpcy5uZXQiLGNub25jZT0iMjQ0NTRjZjAxNjVmOTE3YmVjMTJhMjk5OTc1ZGQ0MTYiLG5jPTAwMDAwMDAxLHJlc3BvbnNlPWVjZWI4MjJhZDFiZWY4NjU1OTYzMTk0YzhlZDQ0NmYxLHFvcD1hdXRoLGNoYXJzZXQ9dXRmLTg= (previous base64 data may contain sensitive data)
    Jun 28 15:10:04 rv1325 dovecot: auth: Debug: password(testuser,84.154.198.155,KkN8mDbgGABUmsab): passdb doesn't support credential lookups
    Jun 28 15:10:06 rv1325 dovecot: auth: Debug: client passdb out: FAIL#0112#011user=testuser
    Jun 28 15:10:06 rv1325 dovecot: auth: Debug: client in: AUTH#0113#011PLAIN#011service=imap#011session=KkN8mDbgGABUmsab#011lip=178.254.21.125#011rip=84.154.198.155#011lport=143#011rport=49432#011resp=AHRlc3R1c2VyAHRlc3R1c2Vy (previous base64 data may contain sensitive data)

My auth.conf file looks like:

    hosts = localhost
    auth_bind = yes
    auth_bind_userdn = sAMAccountName=%u,cn=Users,dc=delellis,dc=net
    base = cn=Users,dc=delellis,dc=net
    ldap_version = 3
    pass_filter = (&(objectClass=user)(sAMAccoutName=%u)(mail=*))

And I have no idea why it doesn't work.

---
Kind regards
Carsten Laun-De Lellis

On 2013-06-28 14:04, Achim Gottinger wrote:
> On 28.06.2013 13:55, Carsten Laun-De Lellis wrote:
>> Hi Achim,
>> Thanks a lot. I will try. Have a nice weekend.
>
> NP, take a look at this: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds
Re: [Samba] Samba4 AD and mail auth
Dear Achim,

Thank you very much for your support so far. I think I am really close, but not there yet. I got the following log messages:

    Jun 28 20:12:33 rv1325 dovecot: auth: Debug: client passdb out: FAIL#0115#011user=test
    Jun 28 20:12:33 rv1325 dovecot: auth: Debug: client in: AUTH#0116#011LOGIN#011service=smtp#011nologin#011lip=178.254.21.125#011rip=84.154.198.155#011secured
    Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client passdb out: CONT#0116#011VXNlcm5hbWU6
    Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client in: CONT#0116#011dGVzdA== (previous base64 data may contain sensitive data)
    Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client passdb out: CONT#0116#011UGFzc3dvcmQ6
    Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client in: CONT#0116#011dGVzdHVzZXI= (previous base64 data may contain sensitive data)
    Jun 28 20:12:37 rv1325 dovecot: auth: Debug: ldap(test,84.154.198.155): bind search: base=cn=Users, dc=delellis, dc=net filter=(&(objectClass=person)(sAMAccountName=test))
    Jun 28 20:12:37 rv1325 dovecot: auth: Debug: ldap(test,84.154.198.155): result: sAMAccountName=test; sAMAccountName unused
    Jun 28 20:12:37 rv1325 dovecot: auth: Debug: ldap(test,84.154.198.155): result: sAMAccountName=test
    Jun 28 20:12:37 rv1325 dovecot: auth: Debug: client passdb out: OK#0116#011user=test#011u%=test

As you can see the sAMAccountName is set to test, which is right, but what I don't understand is the line saying sAMAccountName is unused. Could anyone give me the last push? I would really appreciate it.

Regards,
---
Kind regards
Carsten Laun-De Lellis

On 2013-06-28 19:14, Achim Gottinger wrote:
> On 28.06.2013 18:49, Carsten Laun-De Lellis wrote:
>> Hi Achim,
>> Don't want to bother you, but I still got error messages.
>
> Never mind, got curious myself. Replacing cn with sAMAccountName can not work because the dn's are defined with cn. I mailed you that link before: http://wiki2.dovecot.org/AuthDatabase/LDAP/AuthBinds. It describes two ways for passdb lookups and you must use the DN lookup type, which does an anonymous query with pass_filter for the dn first and then tries to authenticate with that dn against samba4/ldap. You can either configure samba4 to allow anonymous queries or use a samba user account like I did with userpadd = dn/dnpass. Try this, worked here.
>
>     hosts = localhost
>     dn = cn=ldap,cn=Users,dc=delellis,dc=net
>     dnpass = [password]
>     auth_bind = yes
>     ldap_version = 3
>     base = cn=Users,dc=delellis,dc=net
>     pass_attrs = sAMAccountName=user
>     pass_filter = (&(objectClass=person)(sAMAccountName=%u)(mail=*))
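The two passdb modes this thread keeps returning to (a fixed auth_bind_userdn template versus the DN lookup that searches with pass_filter and then binds as the DN found), modelled in Python. This is an added example, not code from any poster or from Dovecot; the in-memory directory, DNs, passwords and function names are constructed for illustration.

```python
"""Model of the two Dovecot LDAP passdb modes discussed in this thread.

Everything below (directory, DNs, passwords) is constructed sample data;
it is not a real Samba 4 DC and not Dovecot's own code.
"""
import re

BASE = "cn=Users,dc=example,dc=test"  # constructed base DN

# As in AD, the DN is built from cn, which need not equal sAMAccountName
# (for instance when the user was created with RSAT).
DIRECTORY = {
    "cn=Test User," + BASE: {
        "objectClass": ["person", "user"], "cn": "Test User",
        "sAMAccountName": "test", "mail": "test@example.test",
        "password": "user-secret"},
    "cn=ldap," + BASE: {  # lookup account, deliberately without mail
        "objectClass": ["person", "user"], "cn": "ldap",
        "sAMAccountName": "ldap", "password": "svc-secret"},
}
GOOD_FILTER = "(&(objectClass=person)(sAMAccountName=%u)(mail=*))"


def simple_bind(dn, password):
    """LDAP simple bind: needs an existing DN and that entry's password."""
    if not password:  # an empty password would be an unauthenticated bind
        return False
    for entry_dn, entry in DIRECTORY.items():
        if entry_dn.lower() == dn.lower():
            return entry["password"] == password
    return False


def escape_filter_value(value):
    """RFC 4515 escaping, so the login name is matched as a literal."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def _unescape(value):
    """Turn \\XX escapes in a filter value back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def search(bind_dn, bind_pw, ldap_filter):
    """Return the DNs matching an AND filter of attr=value / attr=* terms."""
    if not simple_bind(bind_dn, bind_pw):
        raise PermissionError("lookup account could not bind")
    terms = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)
    if not ldap_filter.startswith("(&(") or not terms:
        raise ValueError("this model only handles (&(...)(...)) filters")
    hits = []
    for dn, entry in DIRECTORY.items():
        for attr, want in terms:
            have = entry.get(attr)  # unknown or misspelled attribute: None
            if have is None:
                break
            values = have if isinstance(have, list) else [have]
            if want != "*" and _unescape(want).lower() not in (
                    v.lower() for v in values):
                break
        else:  # every term matched
            hits.append(dn)
    return hits


def auth_template(user, password, userdn_template):
    """auth_bind_userdn mode: build the DN from the login name and bind."""
    return simple_bind(userdn_template.replace("%u", user), password)


def auth_dn_lookup(user, password, svc_dn, svc_pw, pass_filter):
    """DN lookup mode: search with pass_filter, then bind as the DN found."""
    hits = search(svc_dn, svc_pw,
                  pass_filter.replace("%u", escape_filter_value(user)))
    if len(hits) != 1:  # no entry, or an ambiguous match: refuse the login
        return False
    return simple_bind(hits[0], password)


if __name__ == "__main__":
    svc = ("cn=ldap," + BASE, "svc-secret")
    print("cn template, login 'test':",
          auth_template("test", "user-secret", "cn=%u," + BASE))
    print("sAMAccountName template:",
          auth_template("test", "user-secret", "sAMAccountName=%u," + BASE))
    print("DN lookup, login 'test':",
          auth_dn_lookup("test", "user-secret", *svc, GOOD_FILTER))
    print("DN lookup, misspelled attribute:",
          auth_dn_lookup("test", "user-secret", *svc,
                         GOOD_FILTER.replace("sAMAccountName", "sAMAccoutName")))
```

In this model only the DN lookup accepts the short login name, because the bind DN comes from the directory rather than from a template, and a filter with a misspelled attribute name matches nothing.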
[Samba] Win8 account sees its home share, but does not have permissions to access
Hello,

I am a beginner to Samba and I RTFMd carefully but cannot get started. I want to access my user account mark home directory on Linux, with the same account name on Windows 8. The user mark has the same password on Linux and Windows 8. In addition I did this on Linux

    smbpasswd -a mark

and gave the same password. Following the manuals on samba website I edited the samba configuration smb.conf file so:

    [global]
    hosts allow = ALL
    client signing = no
    # log files split per-machine:
    log file = /var/log/samba/log.%m
    # maximum size of 50KB per log file, then rotate:
    max log size = 50
    security = user

    [homes]
    valid users = %S
    read only = No

and successfully started the samba service. I can then see mark share on that Linux machine from Windows, I can map it to a drive letter in Windows Explorer, and I also see this:

    [root@v64-sw-dev003-mark /]# smbstatus
    Samba version 3.6.12-1.fc17
    PID     Username      Group         Machine
    ---
    14678   mark          mark          mark-pc (192.168.221.76)
    Service      pid     machine       Connected at
    ---
    mark         14678   mark-pc       Fri Jun 28 15:56:39 2013
    No locked files

This all looks very good to me, as Samba server sees my client with the correct username, Windows machine name and IP address. YET, when I actually try to double-click on the share in the Windows Explorer, I get an error dialog:

    Windows cannot access \\192.168.221.32\mark
    You do not have permission to access \\192.168.221.32\mark\. Contact your network administrator to request access.

192.168.221.32 is the Linux machine address. Please, what am I doing wrong??

Thank you,
Mark
[SCM] Samba Shared Repository - branch v4-0-test updated
The branch, v4-0-test has been updated via 67a77db WHATSNEW: Add release notes for Samba 4.0.7. from cc13903 torture: Add tests for LDAP substring search with no strings provided http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log - commit 67a77db2693dd50ea5ebc722dee1b74f2352e725 Author: Karolin Seeger ksee...@samba.org Date: Thu Jun 27 10:18:24 2013 +0200 WHATSNEW: Add release notes for Samba 4.0.7. Signed-off-by: Karolin Seeger ksee...@samba.org Autobuild-User(v4-0-test): Karolin Seeger ksee...@samba.org Autobuild-Date(v4-0-test): Fri Jun 28 10:30:31 CEST 2013 on sn-devel-104 --- Summary of changes: WHATSNEW.txt | 112 - 1 files changed, 110 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index c8f08da..6ab15c8 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,112 @@ = + Release Notes for Samba 4.0.7 + July 2, 2013 + = + + +This is is the latest stable release of Samba 4.0. + +Major enhancements in Samba 4.0.7 include: + +o Fix a core dump with invalid lock order while opening/editing + or copying MS files (bug #9794). +o Fix crash bug from search of mail= (bug #9967). +o winbind4: talloc use after free (bug #9832). + + +Changes since 4.0.6: + + +o Michael Adam ob...@samba.org +* BUG 9909: build: Add missing new line to replaced python shebang line. + + +o Jeremy Allison j...@samba.org +* BUG 9794: Fix a core dump with invalid lock order while opening/editing + or copying MS files. + + +o Andrew Bartlett abart...@samba.org +* BUG 9465: s3-rpc_server: Ensure we are root when starting and using + gensec. +* BUG 9906: Doc fixes for 4.0. +* BUG 9907: Build fixes for 4.0 found during autoconf or debian packaging + work. +* BUG 9967: Fix crash bug from search of mail=. +* BUG 9968: Fix build with system Heimdal of samba4kgetcred. + + +o Björn Baumbach b...@sernet.de +* BUG 9947: Check for netbios aliases in ad_get_referrals. + + +o Kai Blin k...@samba.org +* BUG 9485: Add support for MX queries. +* BUG 9559: dns: Delete dnsNode objects when they are empty. +* BUG 9632: dns: Support larger queries when asking forwarder. + + +o David Disseldorp dd...@samba.org +* BUG 8997: Change libreplace GPL source to LGPL. +* BUG 9900: is_printer_published GUID retrieval. +* BUG 9910: PIE builds not supported. + + +o Peng Haitao pen...@cn.fujitsu.com +* BUG 9941: Fix a bug of drvupgrade of smbcontrol. + + +o Björn Jacke b...@sernet.de +* BUG 9880: Use of wrong RFC2307 primary group field. + + +o Volker Lendecke v...@samba.org +* BUG 9832: winbind4: talloc use after free. +* BUG 9953: Fix tevent_poll on 32-bit machines (Coverity ID 989236). + + +o Stefan Metzmacher me...@samba.org +* BUG 9805: s3:lib/server_mutex: Open mutex.tdb with CLEAR_IF_FIRST. +* BUG 9929: s4:winbind: Don't leak libnet_context into the main event + context. 
+ + +o Andreas Schneider a...@samba.org +* BUG 9881: Check for system libtevent. + + +o Michael Wood esiot...@gmail.com +* BUG 9964: docs: Avoid mentioning a possibly misleading option. + + +o Vadim Zhukov persg...@gmail.com +* BUG 9888: More generic check for OpenBSD platform. + + +## +Reporting bugs Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.0 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + +Release notes for older releases follow: + + + = Release Notes for Samba 4.0.6 May 21, 2013 = @@ -96,8 +204,8 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: -
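Review bot: In the added 4.0.7 header block, the intro line "This is is the latest stable release of Samba 4.0." has a duplicated "is"; drop one. The "Major enhancements" list directly below it names a crash fix (bug #9967, search of mail=) and a talloc use after free in winbind4 (bug #9832) without saying which server role is affected or who can trigger them, so a short impact line per entry would help administrators decide how urgently to upgrade.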
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via af41eb6 docs-xml/manpages/smbclient.1.xml: fix case of -T flag in example.
from 59462f2 winbindd and nmbd don't set their umask to zero on startup like smbd does.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

- Log -
commit af41eb6bd4889a7cd0c7a0bd1553e3534f8f06ad
Author: Aurélien Aptel aurelien.ap...@gmail.com
Date: Fri Jun 28 17:34:26 2013 +0200

docs-xml/manpages/smbclient.1.xml: fix case of -T flag in example.

Signed-off-by: Aurélien Aptel aurelien.ap...@gmail.com
Reviewed-by: David Disseldorp dd...@samba.org

Autobuild-User(master): David Disseldorp dd...@samba.org
Autobuild-Date(master): Fri Jun 28 17:45:31 CEST 2013 on sn-devel-104

---

Summary of changes:
docs-xml/manpages/smbclient.1.xml |2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml index d7a017c..328fd50 100644 --- a/docs-xml/manpages/smbclient.1.xml +++ b/docs-xml/manpages/smbclient.1.xml @@ -446,7 +446,7 @@ paraCreate the same tar file as above, but now use a DOS path name. /para - paracommandsmbclient //mypc/myshare -N -tc backup.tar + paracommandsmbclient //mypc/myshare -N -Tc backup.tar users\edocs /command/para paraCreate a tar file of the files listed in the file filenametarlist/filename./para -- Samba Shared Repository
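Review bot: On the context line right after the changed command, the DOS path "users\edocs" is still unquoted, so a reader who pastes the example into a POSIX shell hands "usersedocs" to smbclient because the shell consumes the backslash. Since the example is already being touched for the -T case fix, quote the path as 'users\edocs' or double the backslash so the documented command backs up the directory the paragraph describes.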
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree.

The autobuild log of the failure is available here:

http://git.samba.org/autobuild.flakey/2013-06-29-0253/flakey.log

The samba3 build logs are available here:

http://git.samba.org/autobuild.flakey/2013-06-29-0253/samba3.stderr
http://git.samba.org/autobuild.flakey/2013-06-29-0253/samba3.stdout

The source4 build logs are available here:

http://git.samba.org/autobuild.flakey/2013-06-29-0253/samba.stderr
http://git.samba.org/autobuild.flakey/2013-06-29-0253/samba.stdout

The top commit at the time of the failure was:

commit af41eb6bd4889a7cd0c7a0bd1553e3534f8f06ad
Author: Aurélien Aptel aurelien.ap...@gmail.com
Date: Fri Jun 28 17:34:26 2013 +0200

docs-xml/manpages/smbclient.1.xml: fix case of -T flag in example.

Signed-off-by: Aurélien Aptel aurelien.ap...@gmail.com
Reviewed-by: David Disseldorp dd...@samba.org

Autobuild-User(master): David Disseldorp dd...@samba.org
Autobuild-Date(master): Fri Jun 28 17:45:31 CEST 2013 on sn-devel-104