[Samba] Winbind problem (Trusting domains)
Hi all,

I have installed 2 domains, both on Linux servers running Debian samba 3.0.20b-2+b1 (latest). I have both domains trusting each other. Domain A has 300 users and the other domain, B, has 3000 users. I have winbind in the nsswitch.conf for both PDCs.

I have no errors running wbinfo -u or wbinfo -g, except when I run it on the Domain A PDC. The Domain users group, which all 3000 users are in, failed to show up in the output. The rest of the domain groups are displayed.

Looking in the winbindd log:- (Domain B PDC = BAUGLIR; Domain B = UWCSTU)

[2005/12/14 18:36:42, 10] nsswitch/winbindd_rpc.c:lookup_groupmem(539) rpc: lookup_groupmem UWCSTU sid=S-1-5-21-2723404422-2550591724-2764062575-513
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:rpc_api_pipe(438) cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:rpc_api_pipe(438) cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2005/12/14 18:36:52, 10] nsswitch/winbindd_rpc.c:lookup_groupmem(539) rpc: lookup_groupmem UWCSTU sid=S-1-5-21-2723404422-2550591724-2764062575-513
[2005/12/14 18:36:52, 3] nsswitch/winbindd_cm.c:connection_ok(819) Connection to BAUGLIR for domain UWCSTU has died or was never started (fd == -1)
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767) cli_rpc_open failed on pipe \samr to machine BAUGLIR. Error was Call timed out: server did not respond after 1 milliseconds

Does anyone know how to cache winbind well or increase the pagesize? I guess the timeout is because of the 3000 entries.

Regards,
adrian

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Winbind problem (Trusting domains)
Hi,

Are you telling me to install nscd and it will solve my problem? Also, I read somewhere on the samba website that you should not run nscd with winbind. Is that true? If it is, what are some ways of improving the performance of winbind and how can I make it scale?

Thanks for your replies.
adrian

Vijay Avarachen wrote:

I am not sure if this will help but I was getting strange errors and often dead winbinds due to the large amount of users and groups. I have had great success with setting up OpenLDAP for idmap backend. Now all my Linux machines are authenticating users and I also use nscd to speed things up and ease the load on OpenLDAP.

On 12/14/05, Adrian Chow [EMAIL PROTECTED] wrote:

Hi all,

I have installed 2 domains, both on Linux servers running Debian samba 3.0.20b-2+b1 (latest). I have both domains trusting each other. Domain A has 300 users and the other domain, B, has 3000 users. I have winbind in the nsswitch.conf for both PDCs.

I have no errors running wbinfo -u or wbinfo -g, except when I run it on the Domain A PDC. The Domain users group, which all 3000 users are in, failed to show up in the output. The rest of the domain groups are displayed.

Looking in the winbindd log:- (Domain B PDC = BAUGLIR; Domain B = UWCSTU)

[2005/12/14 18:36:42, 10] nsswitch/winbindd_rpc.c:lookup_groupmem(539) rpc: lookup_groupmem UWCSTU sid=S-1-5-21-2723404422-2550591724-2764062575-513
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:rpc_api_pipe(438) cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:rpc_api_pipe(438) cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2005/12/14 18:36:52, 10] nsswitch/winbindd_rpc.c:lookup_groupmem(539) rpc: lookup_groupmem UWCSTU sid=S-1-5-21-2723404422-2550591724-2764062575-513
[2005/12/14 18:36:52, 3] nsswitch/winbindd_cm.c:connection_ok(819) Connection to BAUGLIR for domain UWCSTU has died or was never started (fd == -1)
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767) cli_rpc_open failed on pipe \samr to machine BAUGLIR. Error was Call timed out: server did not respond after 1 milliseconds

Does anyone know how to cache winbind well or increase the pagesize? I guess the timeout is because of the 3000 entries.

Regards,
adrian

--
Knowledge is the only wealth that grows as you spend it, and diminishes as you save it. -- ancient Sanskrit saying
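The log excerpt in this thread can be read mechanically. The following is an added example, not part of the original posts and not Samba code: it parses the debug-log header format shown above, pairs each lookup_groupmem request with the timeouts logged after it, and compares the timestamp gap with the interval the error text reports. The function names are chosen for this example, and the sample is the excerpt from the first message re-wrapped one entry per line.

```python
import re
from datetime import datetime

# Sample input: the winbindd excerpt quoted in the first message,
# re-wrapped for this example so that each entry sits on one line.
SAMPLE_LOG = r"""
[2005/12/14 18:36:42, 10] nsswitch/winbindd_rpc.c:lookup_groupmem(539) rpc: lookup_groupmem UWCSTU sid=S-1-5-21-2723404422-2550591724-2764062575-513
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:rpc_api_pipe(438) cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:rpc_api_pipe(438) cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2005/12/14 18:36:52, 10] nsswitch/winbindd_rpc.c:lookup_groupmem(539) rpc: lookup_groupmem UWCSTU sid=S-1-5-21-2723404422-2550591724-2764062575-513
[2005/12/14 18:36:52, 3] nsswitch/winbindd_cm.c:connection_ok(819) Connection to BAUGLIR for domain UWCSTU has died or was never started (fd == -1)
[2005/12/14 18:36:52, 0] rpc_client/cli_pipe.c:cli_rpc_close(1767) cli_rpc_open failed on pipe \samr to machine BAUGLIR. Error was Call timed out: server did not respond after 1 milliseconds
"""

# Entry header: [YYYY/MM/DD HH:MM:SS, level] source_file.c:function(line)
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[\w./-]+):(?P<func>\w+)\((?P<line>\d+)\)"
)
GROUPMEM = re.compile(r"lookup_groupmem (?P<domain>\S+) sid=(?P<sid>S-[\d-]+)")
TIMEOUT = re.compile(r"Call timed out: server did not respond after (?P<n>\d+) milliseconds")
DEAD = re.compile(r"Connection to (?P<dc>\S+) for domain (?P<domain>\S+) has died")


def parse_entries(text):
    """Split log text into entries; works whether the message follows the
    header on the same line or on the next one."""
    matches = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries.append({
            "time": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            "level": int(m.group("level")),
            "source": m.group("file"),
            "func": m.group("func"),
            "message": " ".join(text[m.end():end].split()),
        })
    return entries


def groupmem_timeouts(entries):
    """Pair each lookup_groupmem request with the level-0 timeouts logged
    before the next request, and record how long the wait really was."""
    results, current = [], None
    for e in entries:
        g = GROUPMEM.search(e["message"])
        if e["func"] == "lookup_groupmem" and g:
            sid = g.group("sid")
            current = {
                "domain": g.group("domain"),
                "sid": sid,
                # Last SID component is the RID; 513 is the well-known
                # RID of the Domain Users group.
                "rid": int(sid.rsplit("-", 1)[1]),
                "started": e["time"],
                "timeouts": 0,
                "reported_ms": None,
                "elapsed_s": None,
            }
            results.append(current)
            continue
        t = TIMEOUT.search(e["message"])
        if current is not None and e["level"] == 0 and t:
            current["timeouts"] += 1
            current["reported_ms"] = int(t.group("n"))
            current["elapsed_s"] = (e["time"] - current["started"]).total_seconds()
    return results


def dead_connections(entries):
    """Return (domain controller, domain) pairs winbindd reported as dead."""
    found = []
    for e in entries:
        d = DEAD.search(e["message"])
        if d:
            found.append((d.group("dc"), d.group("domain")))
    return found


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for r in groupmem_timeouts(parsed):
        print(f"{r['domain']} RID {r['rid']}: {r['timeouts']} timeout(s), "
              f"log text says {r['reported_ms']} ms, timestamps show {r['elapsed_s']} s")
    print("dead connections:", dead_connections(parsed))
```

On the excerpt, the first request for RID 513 is followed by two timeouts stamped 10 seconds later, although the error text reports 1 millisecond.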
Re: [Samba] Mapping Samba Server as a drive?
Yeah... but the problem is how do you make sure people with permissions can only see that directory? I was using the include option in the global section for every user to limit what they can browse.

Thanks for your response.
adrian

Collen wrote:

Nope, just make 1 drive mapping with the right directories below it. It's the same effect. So instead of seeing all shares from a server, you have 1 share with all directories below it! (And if you have ACL installed, you can also do something with permissions!) Just an option..

Collen

Adrian Chow wrote:

Hi Matthew,

I was talking about mapping a samba server to a drive, NOT a share from the samba server to a drive.

net use h: \\servername

Any way of doing that?

Regards,
adrian

-- Original Message --
From: Matthew White [EMAIL PROTECTED]
Date: Thu, 7 Apr 2005 09:43:21 -0700

you can map a samba server to a drive just like you'd map a windows-based server:

net use h: \\servername\share

or right click on My Network Places and select Map Network Drive...

On Fri, Apr 08, 2005 at 12:28:18AM +0800, Adrian Chow ([EMAIL PROTECTED]) wrote:

Hi,

I was just wondering whether we can map a samba server as a drive? If we can, it would be GREAT! This is because we can make users who log on to the server see different directories (like novell) and I thought it would be EXCELLENT if we can map the samba server as a drive itself. If we can, how can we achieve that?

Thanks.
adrian

--
Matthew White
District Systems Administrator
Tigard/Tualatin School District
[Samba] Mapping Samba Server as a drive?
Hi,

I was just wondering whether we can map a samba server as a drive? If we can, it would be GREAT! This is because we can make users who log on to the server see different directories (like novell) and I thought it would be EXCELLENT if we can map the samba server as a drive itself. If we can, how can we achieve that?

Thanks.
adrian
Re: Re: [Samba] Mapping Samba Server as a drive?
Hi Matthew,

I was talking about mapping a samba server to a drive, NOT a share from the samba server to a drive.

net use h: \\servername

Any way of doing that?

Regards,
adrian

-- Original Message --
From: Matthew White [EMAIL PROTECTED]
Date: Thu, 7 Apr 2005 09:43:21 -0700

you can map a samba server to a drive just like you'd map a windows-based server:

net use h: \\servername\share

or right click on My Network Places and select Map Network Drive...

On Fri, Apr 08, 2005 at 12:28:18AM +0800, Adrian Chow ([EMAIL PROTECTED]) wrote:

Hi,

I was just wondering whether we can map a samba server as a drive? If we can, it would be GREAT! This is because we can make users who log on to the server see different directories (like novell) and I thought it would be EXCELLENT if we can map the samba server as a drive itself. If we can, how can we achieve that?

Thanks.
adrian

--
Matthew White
District Systems Administrator
Tigard/Tualatin School District
Re: [Samba] Excel files Locking up problem
Hi Jeremy,

So far so good from my users. Thanks a lot.

adrian

-- Original Message --
From: Jeremy Allison [EMAIL PROTECTED]
Reply-To: Jeremy Allison [EMAIL PROTECTED]
Date: Mon, 4 Apr 2005 10:04:11 -0700

On Mon, Apr 04, 2005 at 11:30:29AM +0800, Adrian Chow wrote:

Hi,

My samba is 3.0.13 version. I got a funny problem. UserA logs on to a shared (all users can read/write/execute rights) drive and opens an excel file. UserA closes the file or modifies it. When UserA reopens the file in 5 secs or less, the file seems to be locked by the computer that UserA is on! When UserA had closed the file, UserB on another computer tries to open the file and it says it is locked by UserA. There is no way to release it unless to wait or restart samba.

Any ideas what I should do? They are using Windows XP SP2. Some other users are using Windows 2000. Does Norton AntiVirus play a part? Any ideas how to solve this?

Try setting dos filetimes = yes on that share. I've made this the default for the next release.

Jeremy.
[Samba] Excel files Locking up problem
Hi,

My samba is 3.0.13 version. I got a funny problem. UserA logs on to a shared (all users can read/write/execute rights) drive and opens an excel file. UserA closes the file or modifies it. When UserA reopens the file in 5 secs or less, the file seems to be locked by the computer that UserA is on! When UserA had closed the file, UserB on another computer tries to open the file and it says it is locked by UserA. There is no way to release it unless to wait or restart samba.

Any ideas what I should do? They are using Windows XP SP2. Some other users are using Windows 2000. Does Norton AntiVirus play a part? Any ideas how to solve this?

Regards,
adrian
[Samba] setgid to sub directories
Hi,

Does the inherit permissions = yes statement also set the setgid for the sub directories? Looks like it does not. What are the equivalent settings for inherit permissions = yes? Cos I want to tweak the individual settings (e.g. create mask) a bit.

Thanks.
adrian
[Samba] ACLS and samba
Hi,

I guess this question has been asked before:- I am running 3.0.12 for samba with acls. I have a samba share folder called abc with group art able to write.

group:art:rwx

Whenever I write with a user from the art group to the folder, the group id of the file changes to the id of the user instead of remaining as art. What do I need to configure so that the art group stays as the group id for that file?

Thanks.
adrian

P/s: What does inherit permissions in the smb.conf do? Does it help?
[Samba] Syslog has CUPS error
Hi,

My syslog got this error:

smbd [2005/03/24 01:34:02, 0] printing/print_cups.c:cups_cache_reload(85)
smbd[15707]: Unable to connect to CUPS server localhost - Connection refused
smbd[15707]: [2005/03/24 01:34:02, 0] printing/print_cups.c:cups_cache_reload(85)
smbd[15707]: Unable to connect to CUPS server localhost - Connection refused

I don't have (never had) CUPS installed on my machine and I just upgraded to samba 3.0.12 for my debian sarge box. I did an apt-get install to install the packages. Any idea what I can do to get rid of the message?

Thanks and regards,
adrian
Re: [Samba] ACLS and samba
Hi Jeremy,

Thanks. But after I do that and create a directory underneath it, the new directory will not have guid set... how to solve it?

Thanks again.
adrian

- Original Message -
From: Jeremy Allison [EMAIL PROTECTED]
To: Adrian Chow [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Sent: Thu, 24 Mar 2005 02:37:08 +0800
Subject: Re: [Samba] ACLS and samba

On Thu, Mar 24, 2005 at 12:06:56AM +0800, Adrian Chow wrote:

Hi,

I guess this question has been asked before:- I am running 3.0.12 for samba with acls. I have a samba share folder called abc with group art able to write.

group:art:rwx

Whenever I write with a user from the art group to the folder, the group id of the file changes to the id of the user instead of remaining as art. What do I need to configure so that the art group stays as the group id for that file?

You need to set the set GID bit on the directory. This ensures that files created within it inherit the group of the directory, not the effective group id of the creating process.

Jeremy.
[Samba] Secondary group problem in include statement
Hi,

Scenario:- User A belongs primarily to GroupA and secondarily to GroupB. Somedirectory contains GroupA.conf and GroupB.conf.

Has anyone got include = /somedirectory/%g.conf in smb.conf to work such that scripts in groupA.conf and groupb.conf will be executed when UserA logs in? Am I using the correct syntax? If not, what is the correct syntax?

I am on Debian with the 3.0.10 version of samba.

Thanks a lot.
adrian
[Samba] IPC$ when login as trusted user
Hi all,

I am just curious about the following setup and hope to hear some good responses on this:-

1. Why, when I log in as a trusted domain user on a computer, does it log in anonymously? I have 2 domains that fully trust each other, Domain_A and Domain_B. Computer_A joins domain_A. I log in as user_B (select the option Domain_B when logging in) on Computer_A. It was a successful login but with no login scripts. It was logging in as an anonymous user (the logs show it).

2. Why, when I disable the IPC$ share in the smb.conf, can I not log in as user_B onto Computer_A (as in the scenario above) at all? I don't even see the option to choose Domain_B. Disabling IPC$ will not allow me to do a smbclient -L.

Anyone know why?

adrian
Re: [Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor (and samba team),

I have done the following:-

- I have upgraded the samba versions of both servers to be the same.
- The ldap servers are in the same version.
- DomainAPDC and DomainBPDC have winbind in nsswitch.
- wbinfo all works.
- getent group and getent passwd show ldap entries of the local domain and winbind entries of the remote domain.
- However, I still cannot map the home directory of the Domain_B_user when I log into Domain_B on the Domain_A_XP computer.
- smbclient //domain_A_PDC/shared -U domain_B/domain_B_user is working.

The command I run on the command prompt (which will work) if I am Domain_A_user into Domain_A on Domain_A_XP_computer is net use x: /home. But before I map it, the home directory is already mapped based on the sambahomepath and sambahomedrive in the ldap entries. I am using the net use command to do testing. If I were to run the same net use x: /home command as a Domain_B_User logging into Domain_B on Domain_A_XP_computer, the home directory never gets mapped.

Igor has made it work on his server but I am still stuck. (Igor, if you run the net use z: /home command as the Domain_B_User logging into Domain_B on Domain_A_XP, does it work?)

On my winbind log on Domain_A_PDC, I get the following:-

legend:-
uwcstu is domain_B
grade2 is domain_B_user
1 is gid of DomainB\Domain Users group on Domain_A_PDC.
staff is domain A

[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124) [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1030) [29440]: getgroups UWCSTU\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(374) [29440]: gid to sid 1
[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124) [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgrnam(243) [29440]: getgrnam grade2
[2004/11/05 19:10:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2008) ldapsam_getgroup: Did not find group
[2004/11/05 19:10:16, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298) group grade2 in domain STAFF does not exist

Questions:-

1. Why will domain_A_PDC try to getgrnam grade2? How did grade2 end up as a group and not a user?
2. Isn't it supposed to be getgrnam UWCSTU\Domain Users, since winbindd_gid_to_sid is converting 1 to UWCSTU\Domain Users?
3. Any commands for me to test getgroups?
4. Any ideas how to proceed?

Thanks so much.
adrian
Re: [Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor,

Thanks so much for troubleshooting all this while, and we found out none of our configuration is the problem but the source code. Hope that the samba team will modify it to a working code so that I can deploy it. Actually my deadline to deploy is coming soon and I do not know what to do now. When do you think the code will be modified and released?

Thanks so much for your help.
adrian

-- Original Message --
From: Igor Belyi [EMAIL PROTECTED]
Date: Fri, 05 Nov 2004 12:03:46 -0500

Adrian Chow wrote:

Hi Igor (and samba team),

I have done the following:-

- I have upgraded the samba versions of both servers to be the same.
- The ldap servers are in the same version.
- DomainAPDC and DomainBPDC have winbind in nsswitch.
- wbinfo all works.
- getent group and getent passwd show ldap entries of the local domain and winbind entries of the remote domain.
- However, I still cannot map the home directory of the Domain_B_user when I log into Domain_B on the Domain_A_XP computer.
- smbclient //domain_A_PDC/shared -U domain_B/domain_B_user is working.

The command I run on the command prompt (which will work) if I am Domain_A_user into Domain_A on Domain_A_XP_computer is net use x: /home. But before I map it, the home directory is already mapped based on the sambahomepath and sambahomedrive in the ldap entries. I am using the net use command to do testing. If I were to run the same net use x: /home command as a Domain_B_User logging into Domain_B on Domain_A_XP_computer, the home directory never gets mapped.

Igor has made it work on his server but I am still stuck. (Igor, if you run the net use z: /home command as the Domain_B_User logging into Domain_B on Domain_A_XP, does it work?)

I think there's some miscommunication involved. :) User's home directory does get mapped during login according to sambaHomePath and sambaHomeDrive LDAP entries. I can verify this by looking at the net use output. However, when I run net use x: /home it gives me an error: The user's home directory could not be determined.

According to the DomainA log, during this call the user's home share gets created on ServerA (PDC for DomainA) instead of using the one specified as sambaHomePath:

[2004/11/05 08:17:44, 3] param/loadparm.c:lp_add_home(2341) adding home's share [testA] for user 'DOMAINA\testA' at '/home/DOMAINA/testA'

I'm still investigating if this is based solely on XP request (XP side problem) or if this is a way Samba responds on a general net use x: /home request (Samba side problem).

On my winbind log on Domain_A_PDC, I get the following:-

legend:-
uwcstu is domain_B
grade2 is domain_B_user
1 is gid of DomainB\Domain Users group on Domain_A_PDC.
staff is domain A

[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124) [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1030) [29440]: getgroups UWCSTU\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_sid.c:winbindd_gid_to_sid(374) [29440]: gid to sid 1
[2004/11/05 19:10:16, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(124) [29440]: getpwnam uwcstu\grade2
[2004/11/05 19:10:16, 3] nsswitch/winbindd_group.c:winbindd_getgrnam(243) [29440]: getgrnam grade2
[2004/11/05 19:10:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2008) ldapsam_getgroup: Did not find group
[2004/11/05 19:10:16, 1] nsswitch/winbindd_group.c:winbindd_getgrnam(298) group grade2 in domain STAFF does not exist

Questions:-

1. Why will domain_A_PDC try to getgrnam grade2? How did grade2 end up as a group and not a user?
2. Isn't it supposed to be getgrnam UWCSTU\Domain Users, since winbindd_gid_to_sid is converting 1 to UWCSTU\Domain Users?
3. Any commands for me to test getgroups?
4. Any ideas how to proceed?

I have a similar problem - the same errors in the winbind log. I'm investigating this as well. I actually have 2 groups for userA and one gets mapped into the user's name with the domain stripped out, another into 'tty'. I suspect it's a Samba bug. But, again - it does not cause problems with automatic map of user home.

The only suggestion I have at the moment is to look into the source...

Igor
Re: [Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor,

Regarding the home mapping problem:- I changed my log to level 3. And I got the following log which I think is weird (maybe the reason why it cannot map).

The problem is:- Logging in user_A with domain_A at Domain_A_computer gets the home directory mapped, but logging in user_B with domain_B at Domain_A_computers does not get the home directory mapped.

This is the log from domain_A_pdc. The XP computer joins domain_A. I am logging in as user_B from domain_B, where domain_B_pdc has mutual trust with domain_A_pdc. The log file is /var/log/samba/xp_computer_name from domain_A_pdc. It is when I run net use x: /home or log on to the domain.

[2004/11/04 17:20:05, 2] auth/auth.c:check_ntlm_password(305) check_ntlm_password: authentication for user [grade2] - [grade2] - [UWCSTU\grade2] succeeded
[2004/11/04 17:20:05, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319) NTLMSSP Sign/Seal - Initialising with flags:
[2004/11/04 17:20:05, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x60088215
[2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(222) User name: UWCSTU\grade2 Real name: Grade 2 User
[2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(241) UNIX uid 10002 is UNIX user UWCSTU\grade2, and will be vuid 109
[2004/11/04 17:20:05, 3] smbd/password.c:register_vuid(270) Adding homes service for user 'UWCSTU\grade2' using home directory: '/home/UWCSTU/grade2'
[2004/11/04 17:20:05, 3] param/loadparm.c:lp_add_home(2341) adding home's share [grade2] for user 'UWCSTU\grade2' at '/home/UWCSTU/grade2'

--

Why is it adding homes services? domain_A_pdc should get domain_b_user info from domain_b_pdc (which it uses ldap to get the sambaHomeDrive and sambaHomePath). It is like when winbind successfully maps the user, it does not know the homepath or the homedrive. This is the result when I add winbind into nsswitch.conf. But if I don't (like your case)... I cannot even log in as user_b for domain_b at the xp computer. It is because the user_b is not even found in the local database file.

With winbind in nsswitch.conf, getent passwd and getent group will return the user and group in the trusted domain. And the shares will have a problem with valid users = @Domain_B\Domain Users.

Igor, I really wonder how your scenario works...

Questions:-

1. Does your getent passwd and getent group show the trusted domain accounts?
2. Does your smb.conf for shares work if you want certain groups in the trusted domain to access it? Can you give an example of how to do it? (e.g. valid users = ... )
3. I have the proper sambaHomePath and sambaHomeDrive as yours. Are there any winbind settings you have in the smb.conf that cause it to work?
4. Do you specify the auth methods in the smb.conf?
5. You have winbind running?
6. Do you have pam_winbind in your pam.d directory files (e.g. login, ssh...)?

That's all the questions I can think of now. Thanks for helping.

adrian

Igor Belyi wrote:

Adrian Chow wrote:

Hi Igor,

Do you have trustdomains in your auth methods? Currently I removed the winbind from nsswitch.conf. And smbclient //domain_B_PDC//shared -U domain_A/domain_A_user does not work.

Have you tried smbclient //domain_B_PDC//shared -W domain_A -U domain_A_user?

If I put winbind in the nsswitch.conf, then I will be able to authenticate but cannot connect to the shared folder, with the following error:-

Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

I would also guess that since valid users and write list accept only UNIX and NIS groups you will need to have winbind in your nsswitch.conf for @Domain_A\Domain Users to work... Does Samba allow Domain_A\domain_a_user to access this share if you list the user without domain specification: valid users = domain_a_user?

The log file from the Domain_B_PDC:-

[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408) Client requested device type [?] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812) making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315) Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315) Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314) user 'Domain_A\domain_a_user' (from session setup) not permitted to access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105) error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129) error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

--

My smb.conf:-

[Shared]
path = /shared
valid users = @Domain Users, @Domain_A\Domain Users
write list = @Domain Users, @Domain_A\Domain Users
Re: [Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor,

Got some logs from the Domain_A_PDC on the domain_A_XP when domain_B user (grade2) logs into domain_B on domain_A_XP.

[2004/11/05 11:18:45, 3] auth/auth.c:check_ntlm_password(219) check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2004/11/05 11:18:45, 3] auth/auth.c:check_ntlm_password(222) check_ntlm_password: mapped user is: [EMAIL PROTECTED]
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/11/05 11:18:45, 3] smbd/uid.c:push_conn_ctx(365) push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/11/05 11:18:45, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2004/11/05 11:18:45, 3] libsmb/namequery_dc.c:rpc_dc_name(145) rpc_dc_name: Returning DC GLOIN (172.16.7.227) for domain UWCSTU
[2004/11/05 11:18:45, 3] libsmb/cliconnect.c:cli_start_connection(1376) Connecting to host=GLOIN
[2004/11/05 11:18:45, 3] lib/util_sock.c:open_socket_out(752) Connecting to 172.16.7.227 at port 445
[2004/11/05 11:18:46, 3] auth/auth_util.c:make_server_info_info3(1114) User grade2 does not exist, trying to add it
[2004/11/05 11:18:46, 0] auth/auth_util.c:make_server_info_info3(1122) make_server_info_info3: pdb_init_sam failed!
[2004/11/05 11:18:46, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/11/05 11:18:46, 3] smbd/uid.c:push_conn_ctx(365) push_conn_ctx(100) : conn_ctx_stack_ndx = 0

Cannot understand why going to GLOIN (Domain_B_PDC) will not get grade2 (domain_B_user) user and trying to add it!!?? Any ideas?

Thanks.
adrian

Igor Belyi wrote:

Adrian Chow wrote:

Hi Igor,

Do you have trustdomains in your auth methods? Currently I removed the winbind from nsswitch.conf. And smbclient //domain_B_PDC//shared -U domain_A/domain_A_user does not work.

Have you tried smbclient //domain_B_PDC//shared -W domain_A -U domain_A_user?

If I put winbind in the nsswitch.conf, then I will be able to authenticate but cannot connect to the shared folder, with the following error:-

Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

I would also guess that since valid users and write list accept only UNIX and NIS groups you will need to have winbind in your nsswitch.conf for @Domain_A\Domain Users to work... Does Samba allow Domain_A\domain_a_user to access this share if you list the user without domain specification: valid users = domain_a_user?

The log file from the Domain_B_PDC:-

[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408) Client requested device type [?] for share [SHARED]
[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812) making a connection to 'normal' service shared
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315) Unable to get default yp domain
[2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315) Unable to get default yp domain
[2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314) user 'Domain_A\domain_a_user' (from session setup) not permitted to access this share (Shared)
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105) error string = No such file or directory
[2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129) error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

--

My smb.conf:-

[Shared]
path = /shared
valid users = @Domain Users, @Domain_A\Domain Users
write list = @Domain Users, @Domain_A\Domain Users
browsable = yes
guest ok = no
writeable = no

---

Do you have winbind in your nsswitch.conf?

No, I don't.

How did you manage to get the mapped home directory for domain_a_user when he logs on to the joined_domain_B_computer?

Yes, I have an XP computer joined to domain_A and this domain has mutual trust with domain_B. I can log in on this computer as user_a into domain_A and as user_b into domain_B and their corresponding home directories get correctly mapped into drive H:

dn: uid=user_a,ou=People,dc=domain_A,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_A\homes

dn: uid=user_b,ou=People,dc=domain_B,dc=org
sambaHomeDrive: H:
sambaHomePath: \\server_B\homes

Hope to hear from you on this... thanks a lot.

adrian

p/s: hope you got my previous mail cos I forgot to cc to sambalists

Yes, I did. I apologize for delays - I work with Samba only in my spare time.

Igor

Igor Belyi wrote:

I would guess that it means that DomainA trusts DomainB but DomainB does not trust DomainA. Can you verify that trust is mutual between them? Check 'net rpc trustdom list' on both machines.

No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). Winbind is used only by Samba when it maps users from trust
Re: [Samba] Re: Trusting and trusted domain (home mapping) problem
You are right... I need winbind... this log is when it does not have... trying to emulate what you are doing.. adrian Igor Belyi wrote: Adrian Chow wrote: Hi Igor, Got some logs from the Domain_A_PDC on the domain_A_XP when domain_B user (grade2) logs into domain_B on domain_A_XP. [2004/11/05 11:18:45, 3] auth/auth.c:check_ntlm_password(219) check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface [2004/11/05 11:18:45, 3] auth/auth.c:check_ntlm_password(222) check_ntlm_password: mapped user is: [EMAIL PROTECTED] [2004/11/05 11:18:45, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1 [2004/11/05 11:18:45, 3] smbd/uid.c:push_conn_ctx(365) push_conn_ctx(100) : conn_ctx_stack_ndx = 0 [2004/11/05 11:18:45, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2004/11/05 11:18:45, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0 [2004/11/05 11:18:45, 3] libsmb/namequery_dc.c:rpc_dc_name(145) rpc_dc_name: Returning DC GLOIN (172.16.7.227) for domain UWCSTU [2004/11/05 11:18:45, 3] libsmb/cliconnect.c:cli_start_connection(1376) Connecting to host=GLOIN [2004/11/05 11:18:45, 3] lib/util_sock.c:open_socket_out(752) Connecting to 172.16.7.227 at port 445 [2004/11/05 11:18:46, 3] auth/auth_util.c:make_server_info_info3(1114) User grade2 does not exist, trying to add it [2004/11/05 11:18:46, 0] auth/auth_util.c:make_server_info_info3(1122) make_server_info_info3: pdb_init_sam failed! [2004/11/05 11:18:46, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1 [2004/11/05 11:18:46, 3] smbd/uid.c:push_conn_ctx(365) push_conn_ctx(100) : conn_ctx_stack_ndx = 0 Cannot understand why going to GLOIN (Domain_B_PDC) will not get grade2 (domain_B_user) user and trying to add it!!?? Any ideas? Thanks. adrian Was this is for the case with winbind in the /etc/nsswitch.conf or without it? 
As I've described in my previous message - I was wrong - you do need winbind in /etc/nsswitch.conf for things to work. I'd suggest increasing the log level to 5 - there could be more helpful information.

Igor
Re: [Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor, I did smbclient //domain_B_PDC//shared -W domain_A -U domain_A_user and I got :- Domain=[UWCSTU] OS=[Unix] Server=[Samba 3.0.7-Debian] tree connect failed: NT_STATUS_ACCESS_DENIED I think it has to do with the UNIX and NIS groups required for @Domain_A\Domain Users to work. On the Domain_B_PDC 's log file on Domain_A, it is like this:- [2004/11/04 08:40:48, 5] lib/username.c:Get_Pwnam(293) Finding user STAFF\achow [2004/11/04 08:40:48, 5] lib/username.c:Get_Pwnam_internals(223) Trying _Get_Pwnam(), username as lowercase is staff\achow [2004/11/04 08:40:52, 5] lib/username.c:Get_Pwnam_internals(251) Get_Pwnam_internals did find user [STAFF\achow]! [2004/11/04 08:40:52, 5] auth/auth_util.c:fill_sam_account(960) fill_sam_account: located username was [STAFF\achow] [2004/11/04 08:40:52, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2004/11/04 08:40:52, 3] smbd/uid.c:push_conn_ctx(365) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2004/11/04 08:40:52, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2004/11/04 08:40:52, 5] auth/auth_util.c:debug_nt_user_token(486) NT user token: (NULL) [2004/11/04 08:40:52, 5] auth/auth_util.c:debug_unix_user_token(505) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2004/11/04 08:40:52, 5] lib/smbldap.c:smbldap_search(963) smbldap_search: base = [ou=Group,ou=studentnet,dc=uwcsea,dc=org], filter = [((objectClass=sambaGroupMapping)(gidNumber=1))], scope = [2] [2004/11/04 08:40:52, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2008) ldapsam_getgroup: Did not find group [2004/11/04 08:40:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2004/11/04 08:40:52, 4] lib/substitute.c:automount_server(323) Home server: gloin [2004/11/04 08:40:52, 5] auth/auth_util.c:debug_unix_user_token(505) UNIX token of user 10139 Primary group is 1 and contains 3 supplementary groups Group[ 0]: 1 Group[ 1]: 10013 Group[ 2]: 10014 
[2004/11/04 08:40:52, 3] auth/auth.c:check_ntlm_password(268) check_ntlm_password: winbind authentication for user [achow] succeeded [2004/11/04 08:40:52, 3] smbd/sec_ctx.c:push_sec_ctx(256) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 [2004/11/04 08:40:52, 3] smbd/uid.c:push_conn_ctx(365) push_conn_ctx(0) : conn_ctx_stack_ndx = 0 [2004/11/04 08:40:52, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2004/11/04 08:40:52, 5] auth/auth_util.c:debug_nt_user_token(486) NT user token: (NULL) [2004/11/04 08:40:52, 5] auth/auth_util.c:debug_unix_user_token(505) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2004/11/04 08:40:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 [2004/11/04 08:40:52, 5] auth/auth.c:check_ntlm_password(292) check_ntlm_password: PAM Account for user [STAFF\achow] succeeded [2004/11/04 08:40:52, 2] auth/auth.c:check_ntlm_password(305) check_ntlm_password: authentication for user [achow] - [achow] - [STAFF\achow] succeeded [2004/11/04 08:40:52, 5] auth/auth_util.c:free_user_info(1306) attempting to free (and zero) a user_info structure [2004/11/04 08:40:52, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319) NTLMSSP Sign/Seal - Initialising with flags: [2004/11/04 08:40:52, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0x60080215 NTLMSSP_NEGOTIATE_UNICODE NTLMSSP_REQUEST_TARGET NTLMSSP_NEGOTIATE_SIGN NTLMSSP_NEGOTIATE_NTLM NTLMSSP_NEGOTIATE_NTLM2 NTLMSSP_NEGOTIATE_128 NTLMSSP_NEGOTIATE_KEY_EXCH [2004/11/04 08:40:52, 3] smbd/password.c:register_vuid(222) User name: STAFF\achowReal name: Adrian Chow [2004/11/04 08:40:52, 3] smbd/password.c:register_vuid(241) UNIX uid 10139 is UNIX user STAFF\achow, and will be vuid 100 [2004/11/04 08:40:52, 3] smbd/password.c:register_vuid(270) Adding homes service for user 'STAFF\achow' using home directory: '/home/STAFF/achow' [2004/11/04 08:40:52, 3] param/loadparm.c:lp_add_home(2341) adding home's share 
[achow] for user 'STAFF\achow' at '/home/STAFF/achow' [2004/11/04 08:40:52, 3] smbd/process.c:process_smb(1092) Transaction 3 of length 84 [2004/11/04 08:40:52, 5] lib/util.c:show_msg(439) [2004/11/04 08:40:52, 5] lib/util.c:show_msg(449) size=80 smb_com=0x75 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=51201 smb_tid=0 smb_pid=26725 smb_uid=100 smb_mid=4 smt_wct=4 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]=0 (0x0) smb_vwv[ 2]=0 (0x0) smb_vwv[ 3]=1 (0x1) smb_bcc=37 [2004/11/04 08:40:52, 3] smbd/process.c:switch_message(887) switch message SMBtconX (pid 20987) conn 0x0 [2004/11/04 08:40:52, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2004/11/04 08:40:52, 5] auth/auth_util.c:debug_nt_user_token(486) NT user
Re: [Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor,

I left out something. Regarding your question:-

Does Samba allow Domain_A\domain_a_user to access this share if you list the user without domain specification: valid users = domain_a_user?

The answer is yes ONLY if valid users = Domain_A\domain_A_user. Valid users = domain_a_user does not work.

adrian

Igor Belyi wrote:

Adrian Chow wrote:

Hi Igor,

Do you have trustdomains in your auth methods? Currently I removed the winbind from nsswitch.conf. And smbclient //domain_B_PDC//shared -U domain_A/domain_A_user does not work.

Have you tried smbclient //domain_B_PDC//shared -W domain_A -U domain_A_user?

If I put winbind in the nsswitch.conf, then I will be able to authenticate but cannot connect to the shared folder with the following error:-

Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

I would also guess that since valid users and write list accept only UNIX and NIS groups you will need to have winbind in your nsswitch.conf for @Domain_A\Domain Users to work... Does Samba allow Domain_A\domain_a_user to access this share if you list the user without domain specification: valid users = domain_a_user?

The log file from the Domain_B_PDC:-

[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408) Client requested device type [?]
for share [SHARED] [2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812) making a connection to 'normal' service shared [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315) Unable to get default yp domain [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315) Unable to get default yp domain [2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314) user 'Domain_A\domain_a_user' (from session setup) not permitted to access this share (Shared) [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105) error string = No such file or directory [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129) error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED -- My smb.conf :- [Shared] path = /shared valid users = @Domain Users, @Domain_A\Domain Users write list = @Domain Users, @Domain_A\Domain Users browsable = yes guest ok = no writeable =no --- Do you have winbind in your nsswitch.conf? No, I don't. How did you managed to get the mapped home directory for domain_a_user when he log on to the joined_domain_B_computer? Yes, I have XP computer joined domain_A and this domain has mutual trust with domain_B. I can login on this computer as user_a into domain_A and as user_b into domain_B and their corresponding home directories get correctly mapped into drive H: dn: uid=user_a,ou=People,dc=domain_A,dc=org sambaHomeDrive: H: sambaHomePath: \\server_A\homes dn: uid=user_b,ou=People,dc=domain_B,dc=org sambaHomeDrive: H: sambaHomePath: \\server_B\homes Hope to hear from you on this... thanks a lot. adrian p/s: hope you got my previous mail cos I forgotten to cc to sambalists Yes, I did. I apologize for delays - I work with Samba only in my spare time. Igor Igor Belyi wrote: == (Header) e-mail Filtrado == I would guess that it means that DomainA trust DomainB but DomainB does not trust DomainA. Can you verify that trust is mutual between them? Check 'net rpc trustom list' on both machines. 
No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). Winbind is used only by Samba when it maps users from trust domain into local space. Adrian Chow wrote: Hi Igor, I got stuck now. I did my best. I got stuck at the winbind which I suspected is the reason why the domainA_computer cannot map the domain_B user's home directory. 1. What are the settings of your winbind? I have the following winbind related entries in smb.conf: ldap idmap suffix = ou=Idmap idmap backend = ldap:ldap://localhost idmap uid = 1-2 idmap gid = 1-2 To see if winbind works you can also try to resolve a name into SID and SID into gid. For examle, if wbinfo -g returns you 'STAFF\wheel'. Try to do the following: wbinfo -n 'STAFF\wheel' wbinfo -Y SID return in a previous command 2. Do you use only winbind in your libnss_ldap or use ldap as well? In my /etc/nsswitch.conf I have only ldap without winbind. As far as I understand this, winbind usage via NSS can confuse Samba into thinking that those users and groups are defined locally and maybe allowing Samba to use winbind directly is a better approach for trust between domains. I don't know why would you want to put winbind into libnss_ldap which is configuration for LDAP interface for NSS (when you use 'ldap' in /etc/nssswitch.conf file) 3. My winbind works with :- (For both sides) wbinfo -t wbinfo -p wbinfo -u wbinfo -g getent passwd (For DomainA) getent group shows all the local groups and also the groups shown in wbinfo -g (For DomainB) getent group shows all the local groups and only
Re: [Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor,

Just to let you know that the smbclient //domain_b_pdc/shared -U domain_a/domain_a_user is working. To make it work, I have to put winbind in the nsswitch.conf.

The reason why it did not work is 2 fold:-

1. The Domain Users in the domain_A is very large (397 users). When I did getent group on domain_b, it does not actually show up domain_A\domain users. But after a while after restarting the daemon, it will appear. Maybe throughout my testing, every change in the smb.conf file, I will restart the winbind daemon and hence have lots of problems.

2. I did not test the smbclient on domain_b_pdc. smbclient //domain_a_pdc/shared -U domain_b/domain_b_user would also have worked earlier as the domain users in domain_b is very small.

Also to let you know that I have upgraded to samba 3.07 for both PDCs. I think part of the problem I had earlier is because of using different versions (3.04 and 3.07).

HOWEVER, the original problem of mapping the home directory still exists.

adrian

Igor Belyi wrote:

Adrian Chow wrote:

Hi Igor,

Do you have trustdomains in your auth methods? Currently I removed the winbind from nsswitch.conf. And smbclient //domain_B_PDC//shared -U domain_A/domain_A_user does not work.

Have you tried smbclient //domain_B_PDC//shared -W domain_A -U domain_A_user?

If I put winbind in the nsswitch.conf, then I will be able to authenticate but cannot connect to the shared folder with the following error:-

Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

I would also guess that since valid users and write list accept only UNIX and NIS groups you will need to have winbind in your nsswitch.conf for @Domain_A\Domain Users to work... Does Samba allow Domain_A\domain_a_user to access this share if you list the user without domain specification: valid users = domain_a_user?

The log file from the Domain_B_PDC:-

[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408) Client requested device type [?]
for share [SHARED] [2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812) making a connection to 'normal' service shared [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315) Unable to get default yp domain [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315) Unable to get default yp domain [2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314) user 'Domain_A\domain_a_user' (from session setup) not permitted to access this share (Shared) [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105) error string = No such file or directory [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129) error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED -- My smb.conf :- [Shared] path = /shared valid users = @Domain Users, @Domain_A\Domain Users write list = @Domain Users, @Domain_A\Domain Users browsable = yes guest ok = no writeable =no --- Do you have winbind in your nsswitch.conf? No, I don't. How did you managed to get the mapped home directory for domain_a_user when he log on to the joined_domain_B_computer? Yes, I have XP computer joined domain_A and this domain has mutual trust with domain_B. I can login on this computer as user_a into domain_A and as user_b into domain_B and their corresponding home directories get correctly mapped into drive H: dn: uid=user_a,ou=People,dc=domain_A,dc=org sambaHomeDrive: H: sambaHomePath: \\server_A\homes dn: uid=user_b,ou=People,dc=domain_B,dc=org sambaHomeDrive: H: sambaHomePath: \\server_B\homes Hope to hear from you on this... thanks a lot. adrian p/s: hope you got my previous mail cos I forgotten to cc to sambalists Yes, I did. I apologize for delays - I work with Samba only in my spare time. Igor Igor Belyi wrote: == (Header) e-mail Filtrado == I would guess that it means that DomainA trust DomainB but DomainB does not trust DomainA. Can you verify that trust is mutual between them? Check 'net rpc trustom list' on both machines. 
No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). Winbind is used only by Samba when it maps users from trust domain into local space. Adrian Chow wrote: Hi Igor, I got stuck now. I did my best. I got stuck at the winbind which I suspected is the reason why the domainA_computer cannot map the domain_B user's home directory. 1. What are the settings of your winbind? I have the following winbind related entries in smb.conf: ldap idmap suffix = ou=Idmap idmap backend = ldap:ldap://localhost idmap uid = 1-2 idmap gid = 1-2 To see if winbind works you can also try to resolve a name into SID and SID into gid. For examle, if wbinfo -g returns you 'STAFF\wheel'. Try to do the following: wbinfo -n 'STAFF\wheel' wbinfo -Y SID return in a previous command 2. Do you use only winbind in your libnss_ldap or use ldap as well? In my /etc
Re: [Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor,

I did not change any settings in the PDC and suddenly getent group in domain_B_pdc does not show Domain Users of domain_A_pdc (397 users). The log says this :

[2004/11/04 13:27:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(133) could not lookup membership for group rid S-1-5-21-1803233979-822103454-943392455-513 in domain STAFF (error: NT_STATUS_UNSUCCESSFUL)
[2004/11/04 13:27:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795) could not lookup domain group STAFF\Domain Users
[2004/11/04 13:27:00, 4] nsswitch/winbindd_group.c:get_sam_group_entries(564) get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well

How should I proceed? Is it a winbind memory cache issue?

adrian

Igor Belyi wrote:

Adrian Chow wrote:

Hi Igor,

Do you have trustdomains in your auth methods? Currently I removed the winbind from nsswitch.conf. And smbclient //domain_B_PDC//shared -U domain_A/domain_A_user does not work.

Have you tried smbclient //domain_B_PDC//shared -W domain_A -U domain_A_user?

If I put winbind in the nsswitch.conf, then I will be able to authenticate but cannot connect to the shared folder with the following error:-

Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian]
tree connect failed: NT_STATUS_ACCESS_DENIED

I would also guess that since valid users and write list accept only UNIX and NIS groups you will need to have winbind in your nsswitch.conf for @Domain_A\Domain Users to work... Does Samba allow Domain_A\domain_a_user to access this share if you list the user without domain specification: valid users = domain_a_user?

The log file from the Domain_B_PDC:-

[2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408) Client requested device type [?]
for share [SHARED] [2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812) making a connection to 'normal' service shared [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315) Unable to get default yp domain [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315) Unable to get default yp domain [2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314) user 'Domain_A\domain_a_user' (from session setup) not permitted to access this share (Shared) [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105) error string = No such file or directory [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129) error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED -- My smb.conf :- [Shared] path = /shared valid users = @Domain Users, @Domain_A\Domain Users write list = @Domain Users, @Domain_A\Domain Users browsable = yes guest ok = no writeable =no --- Do you have winbind in your nsswitch.conf? No, I don't. How did you managed to get the mapped home directory for domain_a_user when he log on to the joined_domain_B_computer? Yes, I have XP computer joined domain_A and this domain has mutual trust with domain_B. I can login on this computer as user_a into domain_A and as user_b into domain_B and their corresponding home directories get correctly mapped into drive H: dn: uid=user_a,ou=People,dc=domain_A,dc=org sambaHomeDrive: H: sambaHomePath: \\server_A\homes dn: uid=user_b,ou=People,dc=domain_B,dc=org sambaHomeDrive: H: sambaHomePath: \\server_B\homes Hope to hear from you on this... thanks a lot. adrian p/s: hope you got my previous mail cos I forgotten to cc to sambalists Yes, I did. I apologize for delays - I work with Samba only in my spare time. Igor Igor Belyi wrote: == (Header) e-mail Filtrado == I would guess that it means that DomainA trust DomainB but DomainB does not trust DomainA. Can you verify that trust is mutual between them? Check 'net rpc trustom list' on both machines. 
No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). Winbind is used only by Samba when it maps users from trust domain into local space. Adrian Chow wrote: Hi Igor, I got stuck now. I did my best. I got stuck at the winbind which I suspected is the reason why the domainA_computer cannot map the domain_B user's home directory. 1. What are the settings of your winbind? I have the following winbind related entries in smb.conf: ldap idmap suffix = ou=Idmap idmap backend = ldap:ldap://localhost idmap uid = 1-2 idmap gid = 1-2 To see if winbind works you can also try to resolve a name into SID and SID into gid. For examle, if wbinfo -g returns you 'STAFF\wheel'. Try to do the following: wbinfo -n 'STAFF\wheel' wbinfo -Y SID return in a previous command 2. Do you use only winbind in your libnss_ldap or use ldap as well? In my /etc/nsswitch.conf I have only ldap without winbind. As far as I understand this, winbind usage via NSS can confuse Samba into thinking that those users and groups are defined locally and maybe allowing Samba to use winbind directly is a better approach for trust between domains. I don't
Re: [Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor, Do you have trustdomains in your auth methods? Currently I removed the winbind from nsswitch.conf. And smbclient //domain_B_PDC//shared -U domain_A/domain_A_user does not work. If I put winbind in the nsswitch.conf, then I will be able to authenticated but cannot connect to shared folder with the following error:- Domain=[Domain_B] OS=[Unix] Server=[Samba 3.0.7-Debian] tree connect failed: NT_STATUS_ACCESS_DENIED The log file from the Domain_B_PDC:- [2004/11/02 20:50:03, 4] smbd/reply.c:reply_tcon_and_X(408) Client requested device type [?] for share [SHARED] [2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812) making a connection to 'normal' service shared [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315) Unable to get default yp domain [2004/11/02 20:50:03, 5] lib/username.c:user_in_netgroup_list(315) Unable to get default yp domain [2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314) user 'Domain_A\domain_a_user' (from session setup) not permitted to access this share (Shared) [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(105) error string = No such file or directory [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129) error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED -- My smb.conf :- [Shared] path = /shared valid users = @Domain Users, @Domain_A\Domain Users write list = @Domain Users, @Domain_A\Domain Users browsable = yes guest ok = no writeable =no --- Do you have winbind in your nsswitch.conf? How did you managed to get the mapped home directory for domain_a_user when he log on to the joined_domain_B_computer? Hope to hear from you on this... thanks a lot. adrian p/s: hope you got my previous mail cos I forgotten to cc to sambalists Igor Belyi wrote: == (Header) e-mail Filtrado == I would guess that it means that DomainA trust DomainB but DomainB does not trust DomainA. Can you verify that trust is mutual between them? Check 'net rpc trustom list' on both machines. 
No, I do not use winbind for NSS (no winbind in /etc/nsswitch.conf). Winbind is used only by Samba when it maps users from trust domain into local space.

Adrian Chow wrote:

Hi Igor,

I got stuck now. I did my best. I got stuck at the winbind which I suspected is the reason why the domainA_computer cannot map the domain_B user's home directory.

1. What are the settings of your winbind?

I have the following winbind related entries in smb.conf:

ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://localhost
idmap uid = 1-2
idmap gid = 1-2

To see if winbind works you can also try to resolve a name into SID and SID into gid. For example, if wbinfo -g returns you 'STAFF\wheel'. Try to do the following:

wbinfo -n 'STAFF\wheel'
wbinfo -Y SID returned in a previous command

2. Do you use only winbind in your libnss_ldap or use ldap as well?

In my /etc/nsswitch.conf I have only ldap without winbind. As far as I understand this, winbind usage via NSS can confuse Samba into thinking that those users and groups are defined locally and maybe allowing Samba to use winbind directly is a better approach for trust between domains. I don't know why would you want to put winbind into libnss_ldap which is configuration for LDAP interface for NSS (when you use 'ldap' in /etc/nsswitch.conf file)

3. My winbind works with :-

(For both sides)
wbinfo -t
wbinfo -p
wbinfo -u
wbinfo -g
getent passwd

(For DomainA) getent group shows all the local groups and also the groups shown in wbinfo -g

(For DomainB) getent group shows all the local groups and only the GUESTs group. Very weird. The rest of the groups in wbinfo -g do not come up.

The logs are something like this:-

---
nsswitch/winbindd_group.c:fill_grent_mem(133) could not lookup membership for group rid S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: NT_STATUS_NO_SUCH_GROUP)
[2004/11/01 00:13:10, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795) could not lookup domain group STAFF\wheel
---

Do you mean that this error message was reported during getent group in DomainB? Because, without this error message I would assume that you have winbind written in /etc/nsswitch.conf on your DomainA server but not on your DomainB server.

The error message means that Samba thinks that 'wheel' is a Domain group of the 'STAFF' domain and fails to find its mapping. I would expect this error to come up during login of a Domain user whose primary group is a local 'wheel' group instead of a Domain group. If this user is supposed to have 'wheel' as a primary group you probably forgot to create a groupmap from a Domain group for it.

Igor
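An added example (not part of the thread and not Samba project code): a small Python triage script for the debug-log format quoted in these messages. It splits flattened smbd/winbindd output into records and flags the share denial and group-lookup failures discussed above; the sample records are copied from the thread, while the rule names and the RID table are this example's own labels.

```python
import re

# Header of a Samba 3.x debug record as quoted in the thread:
# [YYYY/MM/DD HH:MM:SS, level] source.c:function(line)
HEADER = re.compile(
    r"\[(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<source>\S+\.c):(?P<function>\w+)\((?P<line>\d+)\)"
)

# Rule names are this example's own labels; the patterns match messages
# that appear in the thread's log excerpts.
RULES = [
    ("share_denied", re.compile(
        r"user '(?P<user>[^']+)' \(from session setup\) "
        r"not permitted to access this share \((?P<share>[^)]+)\)")),
    ("nt_status_error", re.compile(
        r"error packet at \S+ cmd=\d+ \((?P<command>\w+)\) (?P<status>NT_STATUS_\w+)")),
    ("group_members_lookup_failed", re.compile(
        r"could not lookup membership for group rid (?P<sid>S-[\d-]+) "
        r"in domain (?P<domain>\S+) \(error: (?P<status>NT_STATUS_\w+)\)")),
    ("group_lookup_failed", re.compile(
        r"could not lookup domain group (?P<group>.+)")),
]

# Well-known domain RIDs, used to name the group behind a failing SID.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# Sample records copied from the thread, left flattened as they appear on the page.
SAMPLE = r"""[2004/11/02 20:50:03, 5] smbd/service.c:make_connection(812) making a connection to 'normal' service shared [2004/11/02 20:50:03, 2] smbd/service.c:make_connection_snum(314) user 'Domain_A\domain_a_user' (from session setup) not permitted to access this share (Shared) [2004/11/02 20:50:03, 3] smbd/error.c:error_packet(129) error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2004/11/04 13:27:00, 1] nsswitch/winbindd_group.c:fill_grent_mem(133) could not lookup membership for group rid S-1-5-21-1803233979-822103454-943392455-513 in domain STAFF (error: NT_STATUS_UNSUCCESSFUL) [2004/11/04 13:27:00, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795) could not lookup domain group STAFF\Domain Users"""


def rid_name(sid):
    """Name a group by the last SID component when it is a well-known RID."""
    rid = int(sid.rsplit("-", 1)[1])
    return WELL_KNOWN_RIDS.get(rid, "RID %d" % rid)


def parse_records(text):
    """Split log text into records; a record runs until the next header."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        rec = head.groupdict()
        rec["level"] = int(rec["level"])
        rec["line"] = int(rec["line"])
        # Collapse whitespace so flattened and multi-line logs parse alike.
        rec["message"] = " ".join(text[head.end():end].split())
        records.append(rec)
    return records


def triage(text):
    """Return one finding per record that matches a rule (first rule wins)."""
    findings = []
    for rec in parse_records(text):
        for kind, pattern in RULES:
            match = pattern.search(rec["message"])
            if match:
                details = match.groupdict()
                if "sid" in details:
                    details["group"] = rid_name(details["sid"])
                findings.append({"time": rec["time"], "function": rec["function"],
                                 "kind": kind, "details": details})
                break
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding["time"], finding["kind"], finding["details"])
```

Run against a real log file by passing its contents to `triage()`; the RID lookup shows at a glance that the failing SID ending in 513 is the trusted domain's Domain Users group.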
[Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor,

I got stuck now. I did my best. I got stuck at the winbind which I suspected is the reason why the domainA_computer cannot map the domain_B user's home directory.

1. What are the settings of your winbind?
2. Do you use only winbind in your libnss_ldap or use ldap as well?
3. My winbind works with :-

(For both sides)
wbinfo -t
wbinfo -p
wbinfo -u
wbinfo -g
getent passwd

(For DomainA) getent group shows all the local groups and also the groups shown in wbinfo -g

(For DomainB) getent group shows all the local groups and only the GUESTs group. Very weird. The rest of the groups in wbinfo -g do not come up.

The logs are something like this:-

---
nsswitch/winbindd_group.c:fill_grent_mem(133) could not lookup membership for group rid S-1-5-21-1803233979-822103454-943392455-3005 in domain STAFF (error: NT_STATUS_NO_SUCH_GROUP)
[2004/11/01 00:13:10, 0] nsswitch/winbindd_group.c:winbindd_getgrent(795) could not lookup domain group STAFF\wheel
---

Any ideas what had happened? Thanks.

adrian
[Samba] Re: Trusting and trusted domain (home mapping) problem
Hi Igor,

Once again, thanks for keeping up with me. I have been migrating my master ldap server to 2.1 version so as to keep it the same as the PDCs' version of LDAP. Now they are the same.

I have rectified such that wbinfo -u on both sides works now. I have made net rpc trustdom list work. It was not working before. I had to put stuadmin = root in the student PDC's smbusers file. And I had to put Administrator = root in the staff's PDC's smbusers file to get the net rpc trustdom list to work. I did not have a uid=root you see.

Now net use x: /home by the Dom B user (grade2 in this case) on the Domain_A_machine still does not work. The /var/log/samba/Dom_A_machine from the Domain_A_PDC will be sent separately as I don't want to post it on the lists. The /var/log/samba/Domain_A_PDC from Domain_B_PDC will be sent to you too.

My view on the logs - I believe by reading it, it will hold the key why it did not work. I believe during authentication, Domain_A_PDC got the information of Domain_B_user from Domain_B_PDC properly. But it cannot find Domain_B\Domain_B_user in the Get_Pwnam_internals function. It can only find Domain_B_user in the Get_Pwnam_internals function! Now because it finds Domain_B_user and not Domain_B\Domain_B_user, Domain_A_PDC will NOT use the data that it has gotten from the Domain_B_PDC.

Now, I then think that it has something to do with libnssldap.conf, pam_ldap.conf and ldap.conf file. Here is my config:-

libnssldap.conf, pam_ldap.conf and ldap.conf are configured to see both domains' data.
On the smb.conf, the ldapsam backend is ONLY seeing its own domain data.
getent passwd on either PDC will see both domains' users.
my nsswitch.conf is doing compat ldap rather than compat winbind. Hence getent passwd will then give user as domain_b_user rather than domain_B\domain_b_user.

Is this the right way to do it? If I make sure the getent passwd is ONLY seeing its own domain, then I cannot login into the other domain!!

Hope when I send you the files, you will be able to help. Thanks for giving that hope that you made it work before. Thanks for not posting up the logs and the conf files.

Cheers,
adrian

Igor Belyi wrote:

Adrian Chow wrote:

Hi Igor,

Here are my smb.conf files for feanor and gloin. They are the PDCs for the staff and student domain. My ldaps in the PDCs are configured to update to the master LDAP which has the lower version of LDAP. Upon updating the master, the master will then update the slave ldaps which are the PDCs.

Setup looks fine. At least, I don't see any problem with it. The next step then will be to collect 'log level = 5' trace during login and LDAP entries for both users from DomainA and DomainB which you use to test home mounts. But I would recommend to update Samba to 3.0.7 in both PDCs first.

I did not post it up to the samba lists cause I wonder would it breach the security for my servers. Hope you understand. Let me know your concerns in this.

I always thought that people avoid posting their config files due to liability problems (don't want their users to know that they have problems) than due to security concerns.. But, I can be wrong and probably this information could be used for mischief. But be warned that smbd logs usually have more information than config files. It's fine with me if you don't want to post your config on the list as long as you post the solution to your problem afterwards. :)

Igor
[Samba] Re: Trusting and Trusted Domain Samba LDAP (mapping Home Directories)Problem
Hi Igor,

I think it is default in the smb.conf script that if you login as a user that is not found in the PDC, and that the user is found in the remote domain that is trusted, the add user script = will be activated. You can prevent users from being created if you do not specify add user script in the smb.conf.

adrian

Igor Belyi wrote:

I've tried to login with a user testB which exists in DomainB but not in DomainA (Client XP is a DomainA member) and noticed that there's an attempt in DomainA to create a local user testB. I'm trying to investigate if there is any problem with my winbind setup in DomainA... I'll keep you posted.

Igor

Igor Belyi wrote:

Adrian Chow wrote:

Hi Igor,

Thanks for your prompt reply. Just curious whether you have read my previous email regarding the different setup for my side. I have :-

Domain A controller :- openldap 2.1.23 (slave), samba 3.04 (PDC)
Domain B controller :- openldap 2.1.30-3 (slave), samba 3.07 (PDC)
Main LDAP server :- openldap 2.0.27-3.bunk (master).

So you have the same LDAP directory for both PDCs? Can you show smb.conf for both PDCs? How did you configure your LDAP slaves - do they have write access to the entries PDC uses?

Question 1:- Wonder if there will be a problem with the openldap setup? Should I upgrade all the LDAP to have same version?

Since we don't know yet what kind of problem you face it's difficult to say if LDAP version matters. My guess is it does not and that the newer version you have the better.

Question 2:- If I were to upgrade Domain A to samba 3.07 (as I thought there could be a potential problem with the trusting/trusted domains), any clue of how can I upgrade to samba 3.07 without losing the SID or any problems? I was thinking of doing the following:-

1. Backup the smb.conf file

I don't think smb.conf gets changed during upgrade, but backups never hurt.

2. smbldap-conf file (containing the SID number).

It will make sense if you plan to update smbldap tools as well. Note, that Domain SID which Samba uses is kept in LDAP entry and the one written in smbldap-conf file should mirror it. And since it is kept in LDAP upgrade of Samba 3.x should not cause its change. I don't remember big changes in smbldap-conf between 3.0.4 and 3.0.7 Sambas but I would recommend to look at the 'diff' between backed-up and newly installed versions to verify that.

Is there anything I left out? Will the SID be changed? The reason I ask was because I already got a domain member server under domain A (samba 3.04) and I do not want to lose the SID cos I have like 260 users' home directory in that domain member server (windows 2003 server).

Thanks in advance.

Regards,
adrian

Igor Belyi wrote:

Sorry... Got busy with something else. I'll try to do the test with different users tomorrow. There could be a problem with my previous test since the user present in both Domains also has the same password and this may allow credentials from one domain to somehow be used in another.

If you would collect trace for both 'login' and 'net use x: /home' times - it will be great. Make sure that trace is with 'log level = 5' and if you have more than one machine that you collect trace for the Client XP machine (probably, by including %m in the 'log file').

I apologize for the delay.

Igor

Adrian Chow wrote:

Hi Igor,

Wondering, have you tried the scenario when a domain B user logs in on a domain A machine where the domain B username is not found in the domain A machine? Can you still map the drives?

Also you were asking for the smbd files, how should I get them? During login, or when I type the command net use x: /home on the DOS prompt?

Thanks. Just concerned as I have not heard from you.

adrian
[Samba] Re: Trusting and Trusted Domain Samba LDAP (mapping Home Directories)Problem
Hi Igor,

Wondering have you tried to one the scenario when a domain B user logins on domain A machine where the domain B username is not found in domain A machine? Can you still map the drives? Also you were asking for the smbd files how should I get them? During when I login or during when I typed the command net use x: /home on the dos prompt?

Thanks. Just concerned as I have not heard from you.

adrian
[Samba] Re: Trusting and Trusted Domain Samba LDAP (mapping Home Directories)Problem
Hi Igor, Thanks for your prompt reply. Just curious whether you have read my previous email regarding the different setup for my side. I have :- Domain A controller :- openldap 2.1.23 (slave), samba 3.04 (PDC) Domain B controller :- openldap 2.1.30-3 (slave), samba 3.07 (PDC) Main LDAP server : - openldap 2.0.27-3.bunk (master). Question 1:- Wonder if there will be a problem with the openldap setup? Should I upgrade all the LDAP to have same version? Question 2:- If I were to upgrade Domain A to samba 3.07 (as I thought there could be a potential problem with the trusting/trusted domains), any clue of how can I upgrade to samba 3.07 without losing the SID or any problems?I was thinking of doing the following:- 1. Backup the smb.conf file 2. smbldap-conf file (containing the SID number). Is there any thing I left out? Will the SID be changed? The reason I ask was because I already got a domain member server under domain A (samba 3.04) and I do not want to lose the SID cos I have like 260 users's home directory in that domain member server (windows 2003 server). Thanks in advance. Regards, adrian Igor Belyi wrote: Sorry... Got busy with something else. I'll try to do the test with different users tomorrow. There could be a problem with my previous test since the user present in both Domains also has the same password and this may allow credentials from one domain to somehow be used in another. If you would collect trace for both 'login' and 'net user x: /home' times - it will be great. Make sure that trace is with 'log level = 5' and if you have more than one machine that you collect trace for the Client XP machine (probably, by including %m in the 'log file'). I apologize for the delay. Igor Adrian Chow wrote: Hi Igor, Wondering have you tried to one the scenario when a domain B user logins on domain A machine where the domain B username is not found in domain A machine? Can you still map the drives? Also you were asking for the smbd files how should I get them? 
During when I login or during when I typed the commmand net use x: /home on the dos prompt? Thanks. Just concerned as I have not heard from you. adrian -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Trusting and Trusted Domain Samba LDAP (mapping Home Directories)Problem
Hi Igor, I am no samba expert. Reading your email produce 2 thots. 1. If I have not read wrongly, you DID NOT managed to reproduce my scenario cos when you joined Domain A , login as user of DomB , you got the expected result, the Domain B's sambahomepath and drive gets map to the user B. Mine result was this: I joined Domain A, login as user of Dom B, I did NOT get Domain B's sambahomepath and drive for the specific user of Dom B. I am mentioning this cos you said I've tried to reproduce your problem and was surprised to see that I've got your expected behavior. 2. If you managed to map wherever you joined, GREAT. That means I've got hope. Got I wanted to give up on samba already. Do you believe I tried 2 days just to troubleshoot this problem? I do not know what logs you want. Maybe you can specify for me. Anyway i get call you? I am anxious to get the domain running. I do not know how to paste as well cos it is very long. My ldap settings may be weird. I got the same tree for my ldap settings. the main suffix is dc=uwcsea,dc=org. Then the DomA is ou=staffnet,dc=uwcsea,dc=org. Dom B is ou=studentnet,dc=uwcsea,dc=org. All the domain controllers are replica of the main LDAP server which is running version 2.0 of OpenLDAP. (DEBIAN). On my libnssldap.conf, pam_ldap.conf and ldap.conf are using base=dc=uwcsea,dc=org cos I need to see both sides of the domain right? Getent passwd works. But some other stuff may not work as expected. The main thing is that logging in as users of both domains are fine. BTW, I do not have uid=root. One side is uid=Administrator and the other uid=stuadmin. All their uids are 0. I noted that uid=root is very required to do net rpc trustdom list. Anyway my brains are stuffed. Thanks for the glimpse of hope. Please give suggestions as I really need them. THANKS a lot for testing out on your side. 
adrian -- Original Message -- From: Igor Belyi [EMAIL PROTECTED] Date: Fri, 22 Oct 2004 18:26:08 -0400 Adrian Chow wrote: Hi Igor, Thanks for giving it a shot. Maybe by asking questions I get to clarify something. 1. What do you mean by Shares specified with Domain? When you run 'net user X: /homes' you do not specify a domain to get [homes] shares from. On the other hand using \\DomB\homes - does. My 2 PDCs are having the default \\%N\%U at the logon home path in the smb.conf. However, under LDAP, each user (in both domains) are having a sambaHomePath and sambaHomeDrive attribute. And the home path is not necessary pointing to the PDC. It could be a remote server which is a domain member of the respective PDC. Hence I have setup such that the each domain have a different atttribute. I did not change the smb.conf configuration on the logon home. Domain A user may point to \\domain_member_server_of_DomA\%U Domain B user may point to \\PDC_of_DomB\%U I also tested that the attributes in LDAP overwrites the smb.conf logon home. Likewise I got the same signs. ClientXP joins Domain A. Logins as Domain A user. Able to map all drive specified in LDAP for domain A and also load the login script specified in LDAP for Domain A. ClientXP then logins as Domain B user. Unable to map anything and fail to load the login scripts. Vice Versa. It depends whether the Client joins which Domain. In the syslogs on both PDCs, (Client Joins DomA) I found out that some how they are querying the LDAP_DomA for the user_DomB, when I login to the dom B. It is weird, it should just query PDC_Dom_B for the user and then allow it to map. However on the syslog, I saw it queries PDC_DomB first and then queries LDAP_DomA for user_Dom B. it is weird. As if the query failed for asking from PDC_Dom_B. But on the syslog, NO errors and PDC_Dom_B checks its own LDAP and returns all the attributes for the users. 
I've tried to reproduce your problem and was surprised to see that I've got your expected behavior. I've got DomainA, served by ServerA and DomainB, served by ServerB. I have a user 'user' in both domains but in DomainA it has 'sambaHomeDrive = Z:' and 'sambaHomePath = \\ServerA\user' while in DomainB it has 'sambaHomeDrive = X:' and 'sambaHomePath = \\ServerB\user'. I joined ClientXP to DomainA. When I login as a user 'user' into DomainA on this ClientXP I get home mapped on Z: and files are from ServerA. When I login as a user 'user' into DomainB I get home mapped on X: and files are from ServerB. I haven't try this yet with users present only in one domain and not in the other. BTW, can you share your smbd logs? It could help to understand what happens in your setup. Thanks, Igor Thanks. adrian Igor Belyi wrote: I can give a shoot at explaining the behavior and if I'm too off I hope I'll be corrected. When you select Domain into which you want to login you specify the Domain where your credentials (username
[Samba] Trusting and Trusted Domain Samba LDAP (mapping Home Directories) Problem
Hi,

Here is my scenario:-

1. I got 1 LDAP server with two domains (A B) configured to it.
2. Both domain PDCs are fully trusted to one another. I did the trustdom establish both ways.
3. I have 1 XP client that has joined Dom A. The login bar can allow you to login to 2 domains.
4. I can manage to login to both domains.
5. I got all the sambaHomePath and home drive done properly on both servers in terms of LDAP portions.

Problem:-

When I login (from XP client) to Dom A, no problem. The home drive gets mapped. When I login to Dom B, the home drive never gets mapped. The login scripts never run. net use x: /home on the xp client says: the user home directory cannot be determined. But \\domB\homes on windows explorer worked!!

I turn all syslog to debug and check everything on BOTH PDCs. NO errors! What is going wrong? Funny thing is that the Dom A PDC will query the Dom B for passwd auth check during the net use x: /home. Then it will query itself for the sambaHomeDrive details and such no errors at all... but logging in to Dom B cannot do it.

I have also tried unjoining Dom A and rejoining Dom B. The result is vice versa. That means Logging in to Dom B got no problems in terms of mapping. But Logging in to Dom A got problems.

Can anyone shed a light for me in this? I was about to do mass deployment. My version of Samba is 3.07 for Dom B and 3.04 for Dom A. They are running on Debian.

Thanks. adrian
[Samba] Re: Trusting and Trusted Domain Samba LDAP (mapping Home Directories) Problem
Hi Igor,

Thanks for giving it a shot. Maybe by asking questions I get to clarify something.

1. What do you mean by Shares specified with Domain?

My 2 PDCs are having the default \\%N\%U at the logon home path in the smb.conf. However, under LDAP, each user (in both domains) are having a sambaHomePath and sambaHomeDrive attribute. And the home path is not necessarily pointing to the PDC. It could be a remote server which is a domain member of the respective PDC. Hence I have set up such that each domain has a different attribute. I did not change the smb.conf configuration on the logon home.

Domain A user may point to \\domain_member_server_of_DomA\%U
Domain B user may point to \\PDC_of_DomB\%U

I also tested that the attributes in LDAP overwrites the smb.conf logon home.

Likewise I got the same signs. ClientXP joins Domain A. Logins as Domain A user. Able to map all drive specified in LDAP for domain A and also load the login script specified in LDAP for Domain A. ClientXP then logins as Domain B user. Unable to map anything and fail to load the login scripts. Vice Versa. It depends whether the Client joins which Domain.

In the syslogs on both PDCs, (Client Joins DomA) I found out that some how they are querying the LDAP_DomA for the user_DomB, when I login to the dom B. It is weird, it should just query PDC_Dom_B for the user and then allow it to map. However on the syslog, I saw it queries PDC_DomB first and then queries LDAP_DomA for user_Dom B. it is weird. As if the query failed for asking from PDC_Dom_B. But on the syslog, NO errors and PDC_Dom_B checks its own LDAP and returns all the attributes for the users.

Thanks. adrian

Igor Belyi wrote:

I can give a shot at explaining the behavior and if I'm too off I hope I'll be corrected. When you select Domain into which you want to login you specify the Domain where your credentials (username and password) should be verified but shares specified without Domain will be retrieved from the Domain your XP client belongs to. I think what you want is to have 'logon home = \\%D\%U' instead of the one you get by default: '\\%N\%U'

Hope it helps, Igor

Adrian Chow wrote:

Hi, Here is my scenario:-

1. I got 1 LDAP server with two domains (A B) configured to it.
2. Both domain PDCs are fully trusted to one another. I did the trustdom establish both ways.
3. I have 1 XP client that has joined Dom A. The login bar can allow you to login to 2 domains.
4. I can manage to login to both domains.
5. I got all the sambaHomePath and home drive done properly on both servers in terms of LDAP portions.

Problem:- When I login (from XP client) to Dom A, no problem. The home drive gets mapped. When I login to Dom B, the home drive never gets mapped. The login scripts never run. net use x: /home on the xp client says: the user home directory cannot be determined. But \\domB\homes on windows explorer worked!! I turn all syslog to debug and check everything on BOTH PDCs. NO errors! What is going wrong? Funny thing is that the Dom A PDC will query the Dom B for passwd auth check during the net use x: /home. Then it will query itself for the sambaHomeDrive details and such no errors at all... but logging in to Dom B cannot do it. I have also tried unjoining Dom A and rejoining Dom B. The result is vice versa. That means Logging in to Dom B got no problems in terms of mapping. But Logging in to Dom A got problems. Can anyone shed a light for me in this? I was about to do mass deployment. My version of Samba is 3.07 for Dom B and 3.04 for Dom A. They are running on Debian. Thanks. adrian
[Samba] Idealx programs and ldap backend
Hi,

I got the following setup. I got an openLDAP server. This server is the master server for LDAP functions. I named this ldapsrv. I got a samba server with openLDAP installed on it as well. This LDAP server is the slave to ldapsrv. I named this sambasrv.

The sambasrv currently has the following setup in /etc/smb.conf:-

passdb backend = ldapsam:ldap://ldapsrv.domain
idmap backend = ldap://ldapsrv.domain
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh

I want to use sambasrv's openldap directory to read off the passwords instead of reading it off the network from ldapsrv. Note that all changes have to be done on ldapsrv in order to be propagated to sambasrv.

Will I have any issues if I shift the 'passdb backend' and 'idmap backend' to point to ldapsrv? Can I do the above with the smbldap_conf.pm file untouched? The smbldap_conf.pm files currently point to ldapsrv as the changes will need to be done on it.

The reason I asked is that during clients authentication or connecting to the sambasrv, will it modify the ldap entries since smb.conf will point to sambasrv which is the slave LDAP. I think all changes need to start from ldapsrv.

Any feedback will be great. Thanks.

adrian
Re: [Samba] Idealx programs and ldap backend
Hi Paul, thanks for the reply. 2 questions:- 1. In the smbldap-useradd.pl file, there are lines that are commented out. SInce my add machine script is only with -w, and my with_smbpasswd variable in the smbldap_conf is =0, i found that it will only create a posix account on the ldap. I don't see it creating the samba portion in the ldap. Does it do it automatically? My ldap shows that the samba portion is done automatically. [However I think I have to join the domain 2 times for each machine don't know why the first time it joins it fails.. The second time succeeds.] 2. Can I know what happens if my refferals is not done properly and I point my passwd backend to the ldap slave server? Does it have an effect only when a machine joins the domain? Thanks. adrian -- Original Message -- From: Paul Gienger [EMAIL PROTECTED] Date: Wed, 16 Jun 2004 07:50:31 -0500 Adrian Chow wrote: Hi, I got the following setup. I got a openLDAP server. This server is the master server for LDAP functions. I named this ldapsrv. I got a samba server with openLDAP install on it as well. This LDAP server is the slave to ldapsrv. I named this sambasrv. 
The sambasrv currently have the following setup in /etc/smb.conf:- passdb backend = ldapsam:ldap://ldapsrv.domain idmap backend = ldap://ldapsrv.domain add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u' delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u' add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g' delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g' add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g' delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g' set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u' add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u' shutdown script = /var/lib/samba/scripts/shutdown.sh I want to use sambasrv's openldap directory to read off the passwords instead of reading it off the network from ldapsrv. Note that all changes have to be done on ldapsrv in order to be propogated to sambasrv. Will I have any issues if I shift the 'passdb backend' and 'idmap backend' to point to ldapsrv? Can i do the above with the smbldap_conf.pm file untouched? The smbldap_conf.pm files currently point to ldapsrv as the changes will need to be done on it. The reason I asked is that during clients authentication or connecting to the sambasrv, will it modify the ldap entries since smb.conf will point to sambasrv which is the slave LDAP. I think all changes need to start from ldapsrv. If you have referrals set up properly then the slave will send the modify requests up the the master that can write to the db. One note however, if you switch all references over to the slave, try a domain join in test before you roll out. My particular ldap servers are over a WAN and samba would actually time out before the account would replicate to my local slave unless I hacked a sleep in to the add machine function. -- Paul Gienger Office: 701-281-1884 Applied Engineering Inc. 
Cell: 701-306-6254 Information Systems Consultant Fax: 701-281-1322 URL: www.ae-solutions.commailto:[EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Idealx programs and ldap backend
Hi Paul,

Thanks for your insights. I have corrected my add_posix_machine function. It should work fine.

Ok. Maybe I was confused to ask my original question because my reason for starting this conversation is because I got a connection everytime I try to connect to the server. Maybe my passwd backend is pointing to a slow ldap master in the network. I don't have referrals since all my data is in the same tree of the ldap master. I did not dedicate any of the sort (eg. ou=people,dc=domain) to other ldap slaves.

The reason is that since my sambasrv is also a ldap slave and contains all the entries, I wanted to point to itself (sambasrv) rather than the slow ldap master (ldapsrv) in the network to see whether the connection process can be hastened. However due to my limited knowledge, I am afraid that if I do that I will update data in the ldap slave (sambasrv) and not the master ldapsrv. Currently my master ldapsrv is replicating to a few ldap slaves beside sambasrv.

I wonder is it only when I am trying to join machines to the domain that I need to point to the ldap master? If that is so, I can point the passwd backend locally (sambasrv) and when I need to add machines, I point the passwd backend to the master ldap master. Tricky process but I just want to increase the performance of the connection. My ldap master (ldapsrv) is running on a very slow machine. Pentium 1?

2nd question: - Can I turn off add user scripts option as I don't want any connection to the samba server to create a new user on the server?

Thanks a lot for your input. Also Stephanie's.

adrian

Paul Gienger wrote:

Adrian Chow wrote:

Hi Paul, thanks for the reply. 2 questions:-

1. In the smbldap-useradd.pl file, there are lines that are commented out. Since my add machine script is only with -w, and my with_smbpasswd variable in the smbldap_conf is =0, I found that it will only create a posix account on the ldap. I don't see it creating the samba portion in the ldap. Does it do it automatically? My ldap shows that the samba portion is done automatically. [However I think I have to join the domain 2 times for each machine don't know why the first time it joins it fails.. The second time succeeds.]

This sounds exactly like what I was seeing. The first time it would create the posix user, but fail looking for it to modify to add the samba objectClass and attributes. The second time you try to create it, the posix info is there, and it can find it so it proceeds to modify it for samba use. I found this was happening in my situation because the replication wasn't happening fast enough. I modified my sub add_posix_machine function to have a wait at the end: sleep(5); right before the function ends. This gave the ldif data time to come from our remote master server.

2. Can I know what happens if my referrals is not done properly and I point my passwd backend to the ldap slave server? Does it have an effect only when a machine joins the domain?

That I couldn't tell you for sure since our referrals have been working since before samba had anything to do with LDAP. I would guess that you wouldn't be able to join at all, no matter how many times you try. The add/modify request would never make it up to the master LDAP server.
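The `add user script` question raised in this thread, and the statement in the trusted-domain thread above that a login by a trusted-domain user with no local account triggers that script unless the parameter is left out, can be checked against a configuration mechanically. The following audit is an added example, not code from the posters or from Samba; the `[global]` header, the `WEAK_CONF` sample and the script name `mkuser.sh` are constructed for illustration.

```python
import re

# Script hooks that appear in the smb.conf quoted in this thread. smbd runs
# each one as an external command after filling in %u / %g.
HOOKS = ["add user script", "delete user script", "add group script",
         "delete group script", "add user to group script",
         "delete user from group script", "set primary group script",
         "add machine script", "shutdown script"]

def norm(name):
    # smb.conf ignores case and whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized name: (value, first line number)}}."""
    sections, current, buf, start = {}, "global", "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        piece = raw.strip()
        if not buf:
            start = no
        if piece.endswith("\\"):            # trailing backslash continues the line
            buf += piece[:-1].rstrip() + " "
            continue
        line, buf = (buf + piece).strip(), ""
        if not line or line[0] in "#;":     # smb.conf has whole-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif "=" in line:
            name, value = line.split("=", 1)
            sections.setdefault(current, {})[norm(name)] = (value.strip(), start)
    return sections

def unquoted_vars(command):
    """Return the %-variables that sit outside single quotes."""
    found, in_single, i = [], False, 0
    while i < len(command):
        ch = command[i]
        if ch == "'":
            in_single = not in_single
        elif ch == "%" and i + 1 < len(command) and command[i + 1].isalpha():
            if not in_single:
                found.append(command[i:i + 2])
            i += 1                          # skip the variable letter
        i += 1
    return found

def audit_hooks(text):
    """Return (hook, line, notes) for every enabled hook in [global]."""
    findings = []
    params = parse_smb_conf(text).get("global", {})
    for label in HOOKS:
        value, line = params.get(norm(label), ("", 0))
        if not value:                       # absent or empty: hook is off
            continue
        notes = []
        if label == "add user script":
            # per the thread: fires when an authenticated user has no local account
            notes.append("on-demand account creation enabled")
        loose = unquoted_vars(value)
        if loose:                           # names like "Domain Users" contain spaces
            notes.append("unquoted " + ",".join(loose))
        if not value.split()[0].startswith("/"):
            notes.append("script path is not absolute")
        findings.append((label, line, notes))
    return findings

# The parameters posted in the thread, one per line.
PAGE_CONF = """\
# [global] header assumed; the post lists only the parameters
[global]
passdb backend = ldapsam:ldap://ldapsrv.domain
idmap backend = ldap://ldapsrv.domain
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
"""

# Same configuration with "add user script" left out, as suggested in the thread.
LOCKED_CONF = "\n".join(l for l in PAGE_CONF.splitlines()
                        if not l.startswith("add user script"))

# Constructed sample: odd spelling, a continued line, loose quoting.
WEAK_CONF = """\
[global]
AddUserScript = /usr/local/sbin/mkuser.sh \\
    -m %u
add user to group script = smbldap-groupmod.pl -m '%u' %g
"""

if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("locked", LOCKED_CONF), ("weak", WEAK_CONF)):
        for hook, line, notes in audit_hooks(conf):
            print(f"{name}: line {line}: {hook}: {'; '.join(notes) or 'ok'}")
```
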
[Samba] Pdbedit NTTIME
Hi,

I ran pdbedit -L -v on my samba 3.0beta PDC. And I found out that the logoff time and most of the timing are way off the current time. It is like 1914 Dec. Any way of rectifying it? The XP clients connecting to the PDC are reflecting the correct time. Any clue of solving this?

Thanks. adrian
[Samba] Samba 3.x PDC and Error 53 on clients
Hi,

Wonder if anyone encountered this weirdness? When I tried to connect using Win2k clients to Samba 3.x server (on the same subnet) by doing \\server on the Windows Explorer, it has no problem. I could see all the shares. But when a Win2k client on another subnet (separated by a router) tried to connect to the same Samba 3.x server, there is an Error 53 kind of error. Cannot even browse the share folders. Error 53 is when I type net view \\server on the dos prompt. The win2k client on the other subnet could ping server.

Thanks. Any idea how to solve it?

adrian
[Samba] Password expired on XP for Samba 3.0 beta as PDC
Hi,

I got a Samba 3.0 beta running on Linux as PDC. I don't have any settings for obey pam restriction but I have compiled it with PAM option. But I am not using the LDAP option. Then the password expiration message keeps popping out of my XP to tell me to change the password. Any way to get rid of that feature?

Thanks. adrian
[Samba] Samba 3.x and some confusion
Hi,

I got 2 samba servers acting as PDC on the same subnet. 1 server is a 2.2.7 server and another is a 3.0beta server. I got XP, win98 clients on a subnet that is different than the PDCs. And win2k client on the same network as the PDC. The common wins server is 2.2.7 server. (Client means it DOES NOT join it as a domain.)

For Win2k, I got no problems pinging the PDCs. Wins can resolve it. Neither Win98 and XP on the other subnet got problems pinging. They all worked fine.

The problem is when accessing the servers' shared directory. The Win98 and XP got problem accessing the shared directory of the 3.0beta server, but not the 2.2.7 server!! It cannot find the 3.0beta server and net view \\samba3.0server gave error 53. Win98 machine has logged in to itself as a username and password which is the same as a user created in the smbpasswd file of the samba3.0server. The 2 machines don't have a prompt that seeks for username and password. The win2k machine got no problems accessing any of the servers. It got prompted for the username and password.

Any idea any settings in the 3.0server that I need to set?? Or is it a subnet problem and that I need to explicitly set something to make it work? Any idea of how to start troubleshooting?

Thanks. adrian
[Samba] Samba acls
Hi,

Can I know when a Samba user (one that is connecting to the Samba server via a Windows Client) creates a file in the shared folder or modifies a file in the shared folder, what would the acls of the file be? (I meant the gid and uid of the file)

Mine worked as if it is always created as a root user. I thought the file should have the uid and gid of the person who created the file (respect to the /etc/passwd and /etc/group in the Samba server).

I got Samba 3.0beta running on the Redhat 9.0 (downgraded to a kernel 2.4.20) with acls patches from acl.bestbits.at.

Thanks. adrian
Re: [Samba] Roaming Profile XP
HI, I have put the wallpapers found in c:\windows\web\wallpapers into Samba's shared directory. And I point the desktop wallpaper to the Samba shared directory. But it did not work when i tried logging in another machine. Please help. Any way to copy stuff from Local Settings to Samba? adrian On Fri, Jun 20, 2003 at 06:01:47PM +0800, Adrian Chow wrote: I have configured roaming profile on WIndows Xp client that is connect to the Samba. Login works fine except that when I change the wallpaper on one machine, log off and goes to another machine, the wallpaper was not changed on the other one. Other files created on the desktop are changed. Can anyone explain or help ? Adrian, I ran into this too. This is what happens. Say I set my background to be something OTHER THAN a bitmap like mypic.jpg. XP converts the jpg to a bitmap and stores the bitmap under Local Settings in the profile, which of course doesn't roam. The simple fix that I've been telling my users is to first convert their background to a bitmap image and store it on a network drive, then set your background to that image and your background roams with you. Works for me. Nathan -- nre :wq -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Roaming Profile XP
hi, Does this only occur when you use Samba as the domain controller? Or does it even occur when you use Windows Server as the domain controller as well for the roaming profile? Another question:- Besides the wallpaper does not roam, is there other things that does not roam? adrian On Fri, Jun 20, 2003 at 06:01:47PM +0800, Adrian Chow wrote: I have configured roaming profile on WIndows Xp client that is connect to the Samba. Login works fine except that when I change the wallpaper on one machine, log off and goes to another machine, the wallpaper was not changed on the other one. Other files created on the desktop are changed. Can anyone explain or help ? Adrian, I ran into this too. This is what happens. Say I set my background to be something OTHER THAN a bitmap like mypic.jpg. XP converts the jpg to a bitmap and stores the bitmap under Local Settings in the profile, which of course doesn't roam. The simple fix that I've been telling my users is to first convert their background to a bitmap image and store it on a network drive, then set your background to that image and your background roams with you. Works for me. Nathan -- nre :wq -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Roaming Profile XP
Hi,

I have configured roaming profile on Windows XP client that is connected to the Samba. Login works fine except that when I change the wallpaper on one machine, log off and go to another machine, the wallpaper was not changed on the other one. Other files created on the desktop are changed. Can anyone explain or help?

Thanks. adrian
[Samba] Samba XP
Hi,

(Please reply to this address rather than the one posted previously)

I am a newbie when it comes to XP and samba. I am planning to install samba domain controller for XP, 2000 machines. I read a bit about the registry hacking and some documents on the internet. But I need the following details to set up the server:-

1. Samba version
2. Linux kernel version (preferably what distribution and what version). The lesser the bugs the better.
3. What patch level should I have for the samba
4. Any more sites that tell me how to set up the XP Pro Clients with the samba server?

Thanks. adrian
[Samba] Hide files in samba share using Window
Hi,

The following is done on a samba share:-

When I want to hide files in on the Windows interface, I right-click the file and check on the hidden attribute, but the file still appears there. Must I rename the file with a dot in front in order to hide it? Any alternative to allow the use of Windows interface to hide it?

Thanks. adrian
Re: [Samba] Hide files in samba share using Window
I don't have show hidden file chosen from Microsoft. After I check the hidden attribute using Windows, I right-click again and the hidden box is still uncheck !!! adrian Michael Noble [EMAIL PROTECTED] 03/11/03 12:20PM take a look at vito files. also make sure that you do not have show hidden file chosen from Microsoft or it will still show hidden files. Mike On Mon, 2003-03-10 at 18:41, Adrian Chow Seng Yien wrote: Hi, The following is done on a samba share:- When I want to hide files in on the Windows interface, I right-click the file and check on the hidden attribute, but the file still appears there. Must I rename the file with a dot in front in order to hide it? Any alternative to allow the use of Windows interface to hide it? Thanks. adrian -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba -- Michael G. Noble RF Magic, Inc. Senior System Administrator 10182 Telesis Ct., 4th Floor San Diego, CA. 92121 mailto:[EMAIL PROTECTED] voice: (858) 546-2401 x207 fax: (858) 546-2402 -- There is Sanity in my Madness! -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Explanation for file permissions
Hi,

I am confused about the file permission set. I have samba compiled with ACL option. Running Redhat 8.0 with ACL compiled and Samba 2.2.7.

I have created a read-only share /test/xyz and under write list put userA and userB in it. UserA creates a file (test1) and under Windows I can see that only UserA owns that file and permissions is 660. UserA and UserB are different in groups. But when UserB logins, he can delete that file! Why?

If so, how can I set files or directories below the shared directory such that I have different user/group permissions for different file/directories and be sure that unauthorized user cannot just go in and delete the files?

**The read-only share directory /test/xyz is having permission 777 cos it is created by root and, UserA UserB does not belong to same group as root.

I am deeply confused whether samba share permission overwrites file permissions...but very different from the documentation from o'reilly's.

Thanks. adrian
[Samba] Ldap Samba and problems compiling
Hi, I got 2 problems:-

1. I was compiling samba-2.2.7-4.src.rpm on a Redhat 8.0 system with the option --with-pam_smbpass. It always fails when I am doing a rpmbuild -ba samba.specs. The error is similar to the person who posted on http://lists.samba.org/pipermail/samba-technical/2002-September/039415.html but no one answered him. I was also compiling with the following extra options:- --with-msdfs --with-profile --disable-static --with-ldapsam. When I compile it without --with-pam_smbpass, it compiles perfectly. Any idea how I can compile pam_smbpass separately? Please give me the steps and the download site if any, thanks. Or anyone can give me the solution to this?

2. My scenario is as follows:- I got 1 Netware 6.0 server running ldap. I have successfully used pam_ldap and nss_ldap on my Redhat box to query the netware server and have configured login and ssh to authenticate with the Netware 6.0. Now I have included Samba into the server. And I want the samba users to authenticate with the Netware 6.0 ldap server. I know that I have to extend the schema for the netware ldap server for samba entries but I cannot import smbpasswd into the netware 6.0 server. So this option is out. And I don't know how to input the ldap data into the netware server. Win2k machines use different hashing for the password compared with the posixAccount password in the Netware 6.0 server. Is there any way that I can do some unhashing on the samba server when it gets the password from the login user (hidden work) and then compare that password with my netware 6.0 password? Basically I want samba users to authenticate to the Netware 6.0 server. Can pam_smbpass do the job? From what I read it cannot. Please justify if it can help me. Any person out there who has successfully done it with a Netware 6.0 ldap server? Please give some solutions/ideas if you have.

Samba newbie adrian
RE: [Samba] Help on ACLs and samba
Hi Noel,

Thanks for the reply. So I can create the same user id. How about the groups? E.g. a groupname with 2 or more words? How can I create them in Samba? Is there a possibility that I can map like abc group in Samba with abc group in NT4 PDC?

Are you saying that if you copy files from the NT4 PDC to Samba Linux, the ACLs will be lost? No way to preserve them?

adrian

Noel Kelly [EMAIL PROTECTED] 11/15/02 04:49PM

To use ACLs you will need an ACL-enabled kernel/filesystem and build Samba on top of this. Some distros like Mandrake now come with ACLs built in. Otherwise you will need to patch your kernel.

However, if your current shares are done with whole groups then you probably don't need ACLs and can simply use the security in Samba using parameters like 'valid users=', 'write list=', 'read list=', 'force group=' etc. Much simpler from both an administration and setup point of view.

There is no way to transfer your NT ACLs to Samba automatically (same as if you transferred stuff between any two volumes - you will always lose the ACLs).

I don't think there is a way of grabbing the whole SAM database automatically from an existing NT domain in Samba 2.2.6 (there is something like this in 3.0 I believe?). You will need to create each user in your Samba PDC manually but if you have a large number then you could use winbindd to get a text listing of the users on the current domain and then use a script to create each of them on the Samba PDC.

HTH, Noel

-Original Message-
From: Adrian Chow Seng Yien [mailto:chowadrian;icr.a-star.edu.sg]
Sent: 15 November 2002 02:16
To: [EMAIL PROTECTED]
Subject: [Samba] Help on ACLs and samba

Hi, Firstly I want to declare I am a newbie to Samba. I am installing samba over Redhat 8.0. I need to know whether Samba can replace my NT4 PDC in the following aspects and how to do it:-

1. ACLs. Must I create every user name in Samba as in the NT4 PDC? How do I create groups like Protocol Stack with a space in between the groupname? (Making sure that the ACLs are mapped properly when transferring files over to Linux Samba)

2. If I were to transfer files from the NT4 PDC to Linux Samba, can I retain the ACLs being set on NT4? What must I do to ensure the ACLs are retained? (Similar to question 1)

3. Is there any method to transfer the SAM over without creating every user and group all over again?

FYI, my PDC is doing file sharing only with permissions set for different groups in different levels of the directories. I am going to remove the NT4 server and use Samba ultimately. If cannot answer in 1 email, please refer me to the right documentation to do so. Thanks.

newbie adrian
[Samba] ACL problem
Hi, I am running Redhat linux 8.0. rpm -qa | grep acl gives the following result:

libacl-2.0.11-2
acl-2.0.11-2
libacl-devel-2.0.11-2

How can I know whether I got acl support installed on my NT machine? Do I need to specify acl support in the smb.conf file? I got a problem giving permission to another person for rwx to a file. Thanks.

adrian
[Samba] Help on ACLs and samba
Hi, Firstly I want to declare I am a newbie to Samba. I am installing samba over Redhat 8.0. I need to know whether Samba can replace my NT4 PDC in the following aspects and how to do it:-

1. ACLs. Must I create every user name in Samba as in the NT4 PDC? How do I create groups like Protocol Stack with a space in between the groupname? (Making sure that the ACLs are mapped properly when transferring files over to Linux Samba)

2. If I were to transfer files from the NT4 PDC to Linux Samba, can I retain the ACLs being set on NT4? What must I do to ensure the ACLs are retained? (Similar to question 1)

3. Is there any method to transfer the SAM over without creating every user and group all over again?

FYI, my PDC is doing file sharing only with permissions set for different groups in different levels of the directories. I am going to remove the NT4 server and use Samba ultimately. If cannot answer in 1 email, please refer me to the right documentation to do so. Thanks.

newbie adrian