Re: [Samba] 3.0.20 -> 3.0.23 SID/group error?? Won't connect.

2006-08-11 Thread Andreas Hasenack
On Friday 11 August 2006 18:04, david rankin wrote:
> >From: "Gerald (Jerry) Carter" <[EMAIL PROTECTED]>
> >
> > david rankin wrote:
> >> OK, Help, what am I doing wrong with the patch?? How do I
> >> get the patch installed? Here is what I did that didn't work.
> >
> > run the following commands
> >
> > $ wget \
> > http://www.samba.org/~jerry/patches/samba-3.0.23b-lookup_name_smbconf_v2.patch
> > $ tar zxvf samba-3.0.23b.tar.gz
> > $ cd samba-3.0.23b
>
> All done, that's how I compiled it from source the first time.
>
> > $ patch -p1 < ../samba-3.0.23b-lookup_name_smbconf_v1.patch
> > $ cd source
> > $ make proto
> > $ make
>
> I must be having a really really bad day
>
> [EMAIL PROTECTED] samba-3.0.23b]# patch -p1 <
> ../samba-3.0.23b-lookup_name_smbconf_v1.patch

Notice you are still using v1: the patch ends in v2
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Re: Issues with cifs mounts following Samba upgrade to 3.0.23a

2006-08-01 Thread Andreas Hasenack
On Tuesday 01 August 2006 17:47, Jeremy Allison wrote:
> On Tue, Aug 01, 2006 at 08:18:42PM +, Damian Sinclair wrote:
> >  I guess there's a bit of concern that this problem will cause a fair
> > number of systems to stop working in a way that isn't entirely easy to
> > diagnose or resolve, so causing a lot of frustration. I have no idea how
> > the community handles issues like these, but have the samba team notified
> > the relevant repository and distro managers about the bug?
>
> I'm sorry about the problem but fixed it as soon as I knew about it,
> and we'll be releasing a 3.0.23b asap to fix this issue. Package
> maintainers for Samba on distros should be on samba-technical, so
> we haven't done any asynchronous notification - we only do that
> for security bugs via vendor-sec.

Why not publish a patch for 3.0.23a? Many people find it easier to apply a 
patch than to browse svn and fetch patches from it (once they know which 
revision has the correct fix).


Re: [Samba] Problem using 2.0.23 client in a domain with a Samba 2.0.20c PDC.

2006-07-13 Thread Andreas Hasenack
On Thu, Jul 13, 2006 at 01:49:46PM -0500, Gerald (Jerry) Carter wrote:
> Andreas Hasenack wrote:
> 
> >>I got the following patch (inline) attached from Volker's
> >> original message, hope it helps. Kind regards,
> > 
> > Thanks
> > 
> > I think there is a new one, though:
> > 
> > http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0/source/auth/auth_util.c?rev=17016&sortby=date&view=log
> > http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0/source/auth/auth_util.c?r1=17011&r2=17016&rev=17016&sortby=date
> 
> fyi, we're still debating the best fix for 3.0.23a.

Thanks for the heads up



Re: [Samba] Problem using 2.0.23 client in a domain with a Samba 2.0.20c PDC.

2006-07-13 Thread Andreas Hasenack
On Thu, Jul 13, 2006 at 02:43:31PM -0300, Felipe Augusto van de Wiel wrote:
> On 07/13/2006 01:27 PM, Andreas Hasenack wrote:
> > On Thu, Jul 13, 2006 at 01:01:27PM +0200, Volker Lendecke wrote:
> >>The attached patch adds the S-1-22-1- to the user's
> >>token. It is a bit larger than strictly necessary, but the
> >>minimum diff size would have made the code a bit clumsy.
> >
> > I think the patch was removed, or you forgot to attach it. If
> > the latter, could you please send it again? Has it been committed
> > already?
> 
>   I got the following patch (inline) attached from Volker's
> original message, hope it helps. Kind regards,

Thanks

I think there is a new one, though:

http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0/source/auth/auth_util.c?rev=17016&sortby=date&view=log
http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/branches/SAMBA_3_0/source/auth/auth_util.c?r1=17011&r2=17016&rev=17016&sortby=date


Re: [Samba] Problem using 2.0.23 client in a domain with a Samba 2.0.20c PDC.

2006-07-13 Thread Andreas Hasenack
On Thu, Jul 13, 2006 at 01:01:27PM +0200, Volker Lendecke wrote:
> The attached patch adds the S-1-22-1- to the user's
> token. It is a bit larger than strictly necessary, but the
> minimum diff size would have made the code a bit clumsy.

I think the patch was removed, or you forgot to attach it. If the latter, could
you please send it again? Has it been committed already?



Re: [Samba] samba3 and heimdal: both using ldap as backends

2006-03-19 Thread Andreas Hasenack
On Sun 19 Mar 2006 02:58, Gémes Géza wrote:
> >>An example ldif:
> >>
> >>dn: uid=test,ou=users,dc=example,dc=net
> >>objectClass: person
> >>objectClass: organizationalPerson
> >>objectClass: inetOrgPerson
> >>objectClass: posixAccount
> >>objectClass: top
> >>objectClass: shadowAccount
> >>objectClass: sambaSamAccount
> >>objectClass: krb5Principal
> >>sn: Account
> >>userPassword: [EMAIL PROTECTED]

What is the user creation sequence you are using? First posixAccount and 
sambaSamAccount (for example, with smbldap-tools), then add the krb5Principal 
class and its attributes, set password to use {SASL} and then what? kadmin? 
kpasswd?


Re: [Samba] samba3 and heimdal: both using ldap as backends

2006-03-18 Thread Andreas Hasenack
On Sat 18 Mar 2006 13:54, Gémes Géza wrote:
(...)
Thanks, it worked (somewhat) after I ran "kpasswd" for that user.

> An example ldif:
>
> dn: uid=test,ou=users,dc=example,dc=net
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> objectClass: krb5Principal
> sn: Account
> userPassword: [EMAIL PROTECTED]

I see you are authenticating simple binds with an SASL mechanism. I assume 
it's gssapi? Via saslauthd?



[Samba] samba3 and heimdal: both using ldap as backends

2006-03-17 Thread Andreas Hasenack
samba-3.0.21c, heimdal-0.7.2

The heimdal documentation[1] talks about a samba integration when both
samba and heimdal are using ldap as their backends. I quote:

"Now you can proceed as in See Using LDAP to store the database. Heimdal
will pick up the Samba LDAP entries if they are in the same search space
as the Kerberos entries."

There is absolutely no further documentation.
I tried with this tree:

dc=mycnc,dc=com
ou=People,dc=mycnc,dc=com

heimdal is configured to use ou=people (I also tried with
ou=KerberosPrincipals), where I already have some entries.

My goal is to use only one password to avoid the
sambaNTPassword/userPassword/kerberos mess (three passwords). I was
under the impression that this setup should get me that.

If I add a principal with a name that is already in ou=people as a posix
and samba account, I get this:
(...)
[EMAIL PROTECTED]'s Password:
Verifying - [EMAIL PROTECTED]'s Password:
kadmin: kadm5_create_principal: ldap_search_s: No such object
kadmin: adding joao: Principal or policy already exists

The ldap logs show these queries (first column is the number of entries returned):
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)([EMAIL PROTECTED]))"
0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)([EMAIL PROTECTED]))"
0 SRCH base="uid=heimdal,dc=services,dc=mycnc,dc=com" scope=2 deref=0 filter="(objectClass=krb5Principal)"
0 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(objectClass=krb5Principal)([EMAIL PROTECTED]))"
1 SRCH base="ou=People,dc=mycnc,dc=com" scope=2 deref=0 filter="(&(|(objectClass=sambaSamAccount)(objectClass=account))(uid=joao))"

A few questions:
a) Why is it searching at base uid=heimdal,dc=services,dc=mycnc,dc=com? That's
the binddn after authz-regexp;

b) It found my user's entry (last search), why doesn't it add the kerberos
attributes to it? Or, better yet, what is supposed to be happening?


If I run kadmin to add a user that doesn't exist with
posixAccount/sambaSamAccount, then a krb5PrincipalEntry dn is created,
which samba doesn't see.



Re: [Samba] Limit of group membership for a user?

2006-03-15 Thread Andreas Hasenack
On Wed 15 Mar 2006 03:11, mallapadi niranjan wrote:
> Hi list
>
> I too have the same problem, I also posted the bug in bugzilla, but jerry
> posted that
> it was fault of glibc, I have Red Hat Enterprise Linux ES release 4
> (Nahant) with 2.6.9.5
> with glib version glibc-2.3.4-2 and gcc version gcc-3.4.3-9.EL4,

Check your limit with getconf:
$ getconf NGROUPS_MAX
65536


Re: [Samba] PDC/BDC Load-Balanced?

2005-12-02 Thread Andreas Hasenack
On Fri, Dec 02, 2005 at 05:16:59PM +0100, Matthias Spork wrote:
> Hallo,
> 
> I've set up a BDC in the same subnet as my PDC. I observed that some
> users take the BDC to log on.
> The domain join of some PCs is also done at the BDC.
> 
> Is this behavior normal and wanted? If done so, I have to rsync the 

It's the client that chooses which xDC it will use any given time. So
yes, it can be either the BDCs or the PDC.

> profiles or only netlogon?

[netlogon] is a must to keep in sync.



Re: [Samba] can't mount smb shares

2005-12-02 Thread Andreas Hasenack
On Fri, Dec 02, 2005 at 04:00:03PM +0100, Valéry Roché wrote:
> Hi again,
> 
> Although the PDC is configured as a wins server, I added 2 lines in 
> lmhost.sam on a client machine :

lmhost.sam is just a SAMple file.
 


[Samba] win98 opening remote lmhosts as read-write

2005-12-01 Thread Andreas Hasenack
I'm playing with the #INCLUDE directive available for windows'
\windows\LMHOSTS file. It works like this:

192.168.1.10    PANDORA    #PRE
#INCLUDE \\PANDORA\public\lmhosts

This makes windows (at least the 98 version I'm testing) fetch the
remote lmhosts file.

During boot, windows 98 fetches this file all right. But with a catch:
for some reason, it opens it in read-write mode, even though nothing is
written to it. This is bad :( It means I would need to expose this file
for anonymous remote read-write access.

I thought about using the fake_perms VFS module to overcome this, but it
only intercepts stat() and fstat(). Would it be a bad idea to extend it
to also intercept the open call and lie about the file being opened as
read-write?



Re: [Samba] The "single WINS" problem

2005-12-01 Thread Andreas Hasenack
On Thu, Dec 01, 2005 at 09:11:22AM +0100, Michael Gasch wrote:
> thanks, you're a great help for us!
> all machines are in the same subnet incl. PDC/BDC.
> 
> so it should be no prob as expected if WINS fails (DNS/Broadcast 
> fallback) ...

That's correct.



Re: [Samba] The "single WINS" problem

2005-11-30 Thread Andreas Hasenack
On Wed, Nov 30, 2005 at 10:23:44AM -0600, Gerald (Jerry) Carter wrote:
> Andreas Hasenack wrote:
> 
> |> so what really happens when WINS server dies (or the PDC at all)?
> |> we have a PDC/BDC samba setup.
> |
> | Name resolution for servers outside the
> | local subnet fails.
> |
> |> it would be a mess if the BDC could not be asked
> |> for logons because WINS of PDC fails, when PDC is down!!!
> |
> | That's what happens in my case, the BDC is useless
> | because the machine hosting the WINS service crashed.
> 
> Right.  We don't do wins replication right now.
> 
> But if people really want WINS replication, we can do
> it.  There's been a few patches and metze has made
> amazing progress with it in the Samba 4 tree.  It's
> more an issue of developer resources.
> 
> Nothing is impossible in software :-)

I would be very happy with something that did replication among samba
servers, I wouldn't even worry about windows server compatibility. After
all, samba already does the PDC BDC dance without windows compatibility
and it works very well (thanks!).

Searching for alternatives I even found an interesting one that I didn't
know about: #INCLUDE \\server\share\file in windows' LMHOSTS ;) A poor
man's read-only wins ;)



Re: [Samba] The "single WINS" problem

2005-11-30 Thread Andreas Hasenack
On Wed, Nov 30, 2005 at 04:15:51PM +0100, Michael Gasch wrote:
> so what really happens when WINS server dies (or the PDC at all)?
> we have a PDC/BDC samba setup.

Name resolution for servers outside the local subnet fails.

> it would be a mess if the BDC could not be asked for logons because WINS 
> of PDC fails, when PDC is down!!!

That's what happens in my case, the BDC is useless because the machine
hosting the WINS service crashed.

> should I install a separate samba box just for WINS?

You will have the same single point of failure in WINS, just in another
machine.

> WINS can really help much in a win-network but i don't like the idea of 
> messing up the network if it fails :(

The workstation fallback tends to be broadcast name resolution, which
helps if you have a domain controller in the same subnet. But name
resolution for machines outside your local subnet will fail without
wins.



Re: [Samba] Losing wallpapers on roaming profiles

2005-11-30 Thread Andreas Hasenack
On Wed, Nov 30, 2005 at 07:46:37AM -0600, Gerald (Jerry) Carter wrote:
> Andreas Hasenack wrote:
> | On Tuesday 29 November 2005 19:57, Thomas Widhalm wrote:
> |> A
> |>>> Has anyone encountered the same problem and found some solutions?
> |>> I have a similar problem. I found out that the wallpaper change was
> |>> learned by the workstations, but not applied. If I right-click on the
> |>> desktop I see the new wallpaper name, but it's not applied (i.e., I
> |>> still see the old one). Clicking OK at that dialog (without changing
> |>> anything else) then applies the wallpaper to the desktop.
> |> And have you found some solution to it?
> |
> | Not yet
> 
> The common solution is to use bitmaps and not jpgs.
> This is more of a windows client issue from what
> I understand.
 
I tried with the sample wallpapers that came with windows. I didn't
check if they were bitmap or jpegs, though.



Re: [Samba] Losing wallpapers on roaming profiles

2005-11-29 Thread Andreas Hasenack
On Tuesday 29 November 2005 19:57, Thomas Widhalm wrote:
> A
> > > Has anyone encountered the same problem and found some solutions?
> >
> > I have a similar problem. I found out that the wallpaper change was
> > learned by the workstations, but not applied. If I right-click on the
> > desktop I see the new wallpaper name, but it's not applied (i.e., I
> > still see the old one). Clicking OK at that dialog (without changing
> > anything else) then applies the wallpaper to the desktop.
> 
> And have you found some solution to it?

Not yet
 


[Samba] does "wins proxy" also cache?

2005-11-29 Thread Andreas Hasenack
Does a samba server (3.0.20b) configured to use a remote wins server and
also with "wins proxy = yes" cache the name lookups responses it gets
from the wins server?



Re: [Samba] Losing wallpapers on roaming profiles

2005-11-28 Thread Andreas Hasenack
On Sun, Nov 27, 2005 at 01:11:19PM +0100, Thomas Widhalm wrote:
> Hi!
> 
> I'm getting difficulties with wallpapers on roaming profiles on a samba 
> 3.0.9-2.3 under SuSE 9.2 with Windows XP Professional Clients. I discovered, 
> by reading other postings concerning this topic, that Windows won't use jpegs 
> as wallpapers on roaming profiles (converts them to bmp and stores them in 
> "Local Settings", which doesn't roam). So I converted the pictures to bmp 
> myself and used them as wallpaper. Still they got lost most of the time. 
> 
> Has anyone encountered the same problem and found some solutions?

I have a similar problem. I found out that the wallpaper change was
learned by the workstations, but not applied. If I right-click on the
desktop I see the new wallpaper name, but it's not applied (i.e., I
still see the old one). Clicking OK at that dialog (without changing
anything else) then applies the wallpaper to the desktop.



[Samba] 'wins proxy' not working very well

2005-11-28 Thread Andreas Hasenack
I have setup the 10.0.2.177 machine with:
wins server = 192.168.1.10
wins proxy = yes

192.168.1.10 is a PDC, and 192.168.2.10 is a BDC.

Querying 192.168.1.10 directly works:
# nmblookup -R -U 192.168.1.10 domain#1c
querying domain on 192.168.1.10
192.168.1.10 domain<1c>
192.168.2.10 domain<1c>

Querying the local subnet (10.0.7.255) doesn't work very well:
# nmblookup domain#1c
querying domain on 10.0.7.255
192.168.1.10 domain<1c>

It only returns the PDC server and ignores the BDC. If I repeat it:
# nmblookup domain#1c
querying domain on 10.0.7.255
name_query failed to find name domain#1c

So, the "wins proxy = yes" machine just forgot things. And, when it
remembers (only the first run), it doesn't know about the BDC.

Am I doing something wrong here?



Re: [Samba] The "single WINS" problem

2005-11-28 Thread Andreas Hasenack
On Monday 28 November 2005 01:24, Marcus White wrote:
> Are you replicating the LDAP database to each network?

I am. Is there some sort of ldap backend for wins? ;)
 


Re: [Samba] The "single WINS" problem

2005-11-25 Thread Andreas Hasenack
On Friday 25 November 2005 21:45, John H Terpstra wrote:
> With all due respect, I believe that your alarm and concern is a little 
> excessive. 
> 
> What sort of response are you looking for? What are you hoping to achieve 
> from  
> your request?

The point is not how often the wins service (or its machine) fails, but what 
happens to the rest of the network when it does. Considering netbios name 
resolution is not just about mapping name->IP, but also about locating 
services (who is the logon server? who is the domain master browser?), a 
single wins makes the windows network, which is already fragile, even more 
so.
I've seen a wins server fail (kernel panic), and it wasn't pretty to the rest 
of the network.


Re: [Samba] The "single WINS" problem

2005-11-25 Thread Andreas Hasenack
On Thursday 24 November 2005 18:17, Andreas Hasenack wrote:
> Everybody encourages Samba admins to enable WINS whenever possible, and
> I agree that it helps a lot to solve these networks' problems. It's so
> good that, when it fails, it's a disaster.
> 
> How are people coping with the samba limitation of not being able to
> replicate the WINS database and thus its inability to have more than one
> WINS server in a domain?

Nobody else? :(


Re: [Samba] The "single WINS" problem

2005-11-25 Thread Andreas Hasenack
On Fri, Nov 25, 2005 at 11:11:50AM +0100, Jeroen van Meeuwen wrote:
> I don't understand what you mean with "DOMAIN<1B>" or "DOMAIN<1C>"... Does

It means finding the Domain Master Browser (PDC) and all the logon
servers (1C) for DOMAIN. It is done with a netbios query, but since you
don't use netbios I was wondering how these netbios specific attributes
(1C, 1B, 00, 20, etc) are stored in DNS.



Re: [Samba] The "single WINS" problem

2005-11-24 Thread Andreas Hasenack
On Thu, Nov 24, 2005 at 10:04:10PM +0100, Jeroen van Meeuwen wrote:
> The Netbios names that are set in smbd/nmbd, are already registered with DNS
> when the network comes up (Dynamic DNS). This will only work properly if you
> have one single Netbios name per machine (Or run several instances on a
> multi-homed box).

So you can't use DNS for that sixteenth field of netbios names (like
<1C>, <1B>, etc). Or can you?



Re: [Samba] The "single WINS" problem

2005-11-24 Thread Andreas Hasenack
On Thu, Nov 24, 2005 at 09:38:29PM +0100, Jeroen van Meeuwen wrote:
> 
> > Subject: [Samba] The "single WINS" problem
> > 
> > Everybody encourages Samba admins to enable WINS whenever possible, and
> > I agree that it helps a lot to solve these networks' problems. It's so
> > good that, when it fails, it's a disaster.
> > 
> > How are people coping with the samba limitation of not being able to
> > replicate the WINS database and thus its inability to have more than one
> > WINS server in a domain?
> > 
> 
> I'm in a hybrid environment using both linux and Windows, and I prefer not

Who is the PDC? Linux or Windows?

> to use WINS. It would mess up the DDNS environment I currently have set up,
> since at some point Windows still gives WINS a higher priority over DNS.
> Linux, of course, doesn't really care ;)

So you use DNS for netbios name resolution? Or have you configured samba
to not use netbios? Is it a single network (i.e., broadcast name
resolution works)?




[Samba] The "single WINS" problem

2005-11-24 Thread Andreas Hasenack
Everybody encourages Samba admins to enable WINS whenever possible, and
I agree that it helps a lot to solve these networks' problems. It's so
good that, when it fails, it's a disaster.

How are people coping with the samba limitation of not being able to
replicate the WINS database and thus its inability to have more than one
WINS server in a domain?



Re: [Samba] Mounting smbfs

2005-11-23 Thread Andreas Hasenack
On Tuesday 22 November 2005 19:42, Chuck Downing wrote:
> sudo mount -t smbfs -o username=myusername,passwork=myuserpassword //esotericVAIO/Downloads /mnt/vaioDownloads
> 
> I get the following error message
> 
> mount: wrong fs type, bad option, bad superblock
> on //esotericVAIO/Downloads,
>missing codepage or other error
>In some cases useful info is found in syslog - try
>dmesg | tail  or so
> 
> 
> I see the following error message in dmesg 
> 
> smbfs: mount_data version 1919251317 is not supported
> 
> What does the dmesg mean?

I saw this same type of error message when the user in question had a high 
uidnumber (like a few million). I switched to CIFS and never looked back.


Re: [Samba] POLEDIT replacement?

2005-10-24 Thread Andreas Hasenack
On Sun 23 Oct 2005 22:45, Eric A. Hall wrote:
> One possibility is to use the poledit.exe that comes with Win2k SP4
> instead of the one for NT. The newer tool seems like it can read the newer

Thanks! I'll try that.


Re: [Samba] PDC and BDC: how to sync profiles

2005-10-22 Thread Andreas Hasenack
On Fri 21 Oct 2005 00:57, Philip Washington wrote:
> Andreas
> I currently have a NT4 Domain that I am trying to migrate to Samba.  I'm 
> really interested in your setup.  I currently am concerned because the 
> documentation (Samba3-Example) I have seen so far sets up a BDC that 
> points to the ldap on the PDC.  As far as I can tell that means if my 

Actually, you should point the BDC to a slave ldap, preferably on the same 
machine. That's what I'm doing anyway.
The only thing I depend on being on the PDC alone is the wins server, since 
samba can't replicate it yet. I just choose to place the wins server at the 
PDC, but it could be any other machine. But only one (no backups).

> PDC goes down my network is down.  If you could provide me with any 
> information on where to find the HOWTO or copies of your configuration 
> it would be greatly appreciated.

I followed this:
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html



Re: [Samba] Why need to add a machine account to /etc/passwd first with Samba+LDAP

2005-03-10 Thread Andreas Hasenack
On Thu, Mar 10, 2005 at 12:56:26PM -0800, Steve Zeng wrote:
> Hi,
> 
> I am using Samba 3.0.10 PDC with LDAP as password DB. Before we use 
> smbpasswd as passwd DB and every time I need to add a machine account 
> into /etc/passwd so that the machine can join the domain. My 
> understanding for LDAP is, this step is not needed any more since we 
> will put all machine account into "ou=Computers". But I am proved to be 
> wrong.

Putting machine accounts into ou=Computers works just fine provided:
- smb.conf is configured to look into that branch
- nss_ldap is also configured to go into that branch

Regarding nss_ldap, you can point it either at the top of your tree, so
that it can reach both ou=Computers and ou=People using a subtree
search, or specify nss_base_passwd twice: once for ou=Computers and once
for ou=People.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
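
The two nss_ldap layouts described in the reply above, next to the smb.conf suffixes they have to agree with, as an added example that is not part of the original post. The base DN dc=example,dc=com, the LDAP URL and the exact ou names are assumptions; substitute your own tree.

```conf
# ---- /etc/ldap.conf (nss_ldap) ----
# Assumed tree (hypothetical):
#   dc=example,dc=com
#     ou=People      posixAccount + sambaSamAccount entries for users
#     ou=Computers   posixAccount + sambaSamAccount entries for machines (uid ends in $)
base dc=example,dc=com

# Layout A: point NSS at the top of the tree and search the whole subtree,
# so both ou=People and ou=Computers are reached by one descriptor.
#nss_base_passwd dc=example,dc=com?sub

# Layout B: list each branch explicitly; nss_ldap accepts the option
# more than once and searches the branches in order.
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_passwd ou=Computers,dc=example,dc=com?one

# ---- smb.conf, [global] section ----
# Samba must look in the same branches that NSS resolves, otherwise the
# machine entry exists in LDAP but has no Unix account behind it.
passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=example,dc=com
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
```

To check the NSS side, `getent passwd 'WORKSTATION$'` (a hypothetical machine name) should return the machine account once ou=Computers is reachable; if it returns nothing, the domain join fails in the way the original poster describes.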


Re: [Samba] %macros not expanded in ldap attributes?

2004-11-25 Thread Andreas Hasenack
On Thu, Nov 25, 2004 at 09:53:46PM +1100, Andrew Bartlett wrote:
> On Wed, 2004-11-24 at 10:01 -0600, Gerald (Jerry) Carter wrote:
> > Andreas wrote:
> > | samba-3.0.8
> > |
> > | Are the % macros not expanded in LDAP attributes? For example,
> > | the following is the only way sambaProfilePath works:
> > | \\SERVER\share\path
> > |
> > | If I substitute sambaProfilePath with, say, \\%L\%U\path, then
> > | it doesn't work anymore, although the same string works with
> > | logon path in smb.conf.
> > 
> > Known issue at the moment.  Sorry for the inconvenience.
> > Patches welcome (since we haven't been able to get to this bug
> > very quickly).
> 
> From my point of view (when I was hacking on the code) it was by design,
> but I can understand the %L case.  My feeling at the time was that most
> of the other cases are either best handled by a script setting the
> values into LDAP (%U for example) or just using the smb.conf parameter
> (ie, don't set it in LDAP).
> 
> Anyway, that's a bit of the history here.

No problem, it was just unexpected. I agree that, since the attribute goes right
under the user's entry, %U or %u in there would be moot.

The smbldap-tools allow %U substitution, but the catch is that it's
the scripts themselves which perform the substitution, not samba, so it was a
bit confusing at first.



Re: [Samba] Roaming Profiles XPSP2 - SAMBA 3.0.9

2004-11-24 Thread Andreas Hasenack
On Wed, Nov 24, 2004 at 06:59:11PM +0100, Jan Kellerhoff wrote:
> Hi can anyone help please?
> 
> I recently updated from 3.0.7 to 3.0.8 to 3.0.9.

3.0.8 had a bug in this area. Are you sure 3.0.9 is not working also?


[Samba] net ads vampire?

2003-02-06 Thread Andreas Hasenack
Is there an equivalent of "net rpc vampire" for w2k in samba3?




[Samba] openldap as a win2k AD slave?

2003-02-05 Thread Andreas Hasenack
Has anybody tried yet to use openldap as a slave server for
windows' Active Directory? At least for the user accounts?




Re: [Samba] query on security = server, domain

2003-02-04 Thread Andreas Hasenack
On Tue, Feb 04, 2003 at 04:57:23PM +0530, akshaysalkar wrote:
> in other words why have security = server
> when security = domain can be put.

AFAIK, you can't have domain logons in the samba machine when it has security = domain.




[Samba] any news on samba as a BDC?

2003-02-03 Thread Andreas Hasenack
Is there any news on samba as a BDC for NT or w2k?




Re: [Samba] Account Lockout using Security=Server

2003-01-31 Thread Andreas Hasenack
On Fri, Jan 31, 2003 at 04:28:50PM -0600, Evans Chris - cevans wrote:
>I was wondering if any of you could help me out. I am not a Samba user
> although we have several instances of Samba running in our organization. We
> are running into a problem with Samba machines locking out user accounts in
> our Windows 2000 domain. I have found a little information about this but
> nothing in depth. The Samba servers are configured to use security=server
> and are using our domain controllers as password servers. Every time a user
> accesses one of the samba boxes 2 incorrect password attempts are logged on

This is expected and is a drawback in this security mode.

Check:
http://us1.samba.org/samba/docs/Samba-HOWTO-Collection.html#AEN393




Re: [Samba] [found something] Problems making use of 2K PDC

2003-01-31 Thread Andreas Hasenack
On Fri, Jan 31, 2003 at 04:05:06PM +, John H Terpstra wrote:
> My clear preference is to make the samba server a full Win2K domain
> member. Of course the Win2K needs to be running either in NT4 domain
> security mode _or_ Active Directory in mixed mode.

John,

many thanks for your help. I'm doing exactly this now, samba has joined
the w2k domain and security = domain, the winxp client has also joined
the w2k domain and can access the samba server without a hitch. winbind
is also working.





Re: [Samba] [found something] Problems making use of 2K PDC

2003-01-31 Thread Andreas Hasenack
On Fri, Jan 31, 2003 at 03:01:30PM +, John H Terpstra wrote:
> > And, since the w2k server is on a different subnet, I don't think I can make it
> > the logon server for my clients, or can I? I mean, broadcasts mean a lot in a
> > MS network...
> 
> You must use WINS to avoid broadcast traffic. With WINS the important UDP
> traffic will be unicast. WINS can reduce UDP broadcast traffic by up to
> 95%. Using WINS, your clients will readily locate the logon server. I
> would recommend not using file and print shares over the WAN link though.

But how does the windows client find out who the domain controller is for
a specific domain? Does WINS advertise that info too?
When I make a windows client join a domain, it never asks me for the name
of the domain controller... Just the name of the domain.

> > Should I then just make the clients authenticate against the remote w2k machine
> > anyway? I know, in both scenarios, the w2k server will be contacted anyway, either
> > by the samba server or by the linux client.
> 
> Correct. That's my recommendation.

What about using security = server, point the password server at the w2k
machine and set domain logons = yes? Should this work?




Re: [Samba] [found something] Problems making use of 2K PDC

2003-01-31 Thread Andreas Hasenack
On Thu, Jan 30, 2003 at 10:14:47PM +, John H Terpstra wrote:
> If your Win2K DC is your authentication server for your domain, then DO
> NOT set "domain logons = Yes" on samba - it can cripple your Win2K DC!
> 
> Instead, in your smb.conf [globals] you want:
>   security = domain
>   password server = *
> 
> Then join the domain by:
>   smbpasswd -r 'PDC_name' -j 'Domain_Name'
> 
> This way your MS Windows clients should be domain members and will log
> onto the Win2K DC and will be able to seamlessly access your samba server.

The win2k machine is on the other side of a WAN link, a different
subnet, but the windows clients will be accessing shares on the local samba server.
Users will be created and managed in the win2k machine, that's why I need the
samba server to check passwords against the remote win2k machine.

And, since the w2k server is on a different subnet, I don't think I can make it
the logon server for my clients, or can I? I mean, broadcasts mean a lot in a
MS network...

Should I then just make the clients authenticate against the remote w2k machine
anyway? I know, in both scenarios, the w2k server will be contacted anyway, either
by the samba server or by the linux client.




Re: [Samba] [found something] Problems making use of 2K PDC

2003-01-30 Thread Andreas Hasenack
On Thu, Jan 30, 2003 at 07:35:58PM -0200, Andreas Hasenack wrote:
> > cli_net_auth2: srv:\\TESTE011 acct:PANDORA$ sc:6 mc: PANDORA chal C72569B51FC1D884 neg: 1ff
> > cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> 
> Ok, finally found something. It's in smb.conf.
> 
> If I leave "domain logons = yes" in /etc/smb.conf, then the above smbpasswd command
> fails. If I comment "domain logons", then the above command works.
> 
> Also, without domain logons, I can issue:
> 
> smbclient -L PANDORA -U user%pass
> 
> and it will happily authenticate "user" against my W2K server.

Just to recap in case someone is actually following this:
PANDORA: samba-2.2.7a
TESTE011: w2k server on a different subnet (I'm using /etc/lmhosts to
reach this server)
user: exists in PANDORA's /etc/passwd, but not in /etc/smbpasswd




Re: [Samba] [found something] Problems making use of 2K PDC

2003-01-30 Thread Andreas Hasenack
On Thu, Jan 30, 2003 at 04:29:04PM -0200, Andreas Hasenack wrote:
> Immediately afterwards I run:
> smbpasswd -t DISTRO -r TESTE011 -D 4
> 
> and get:
> (...)
> cli_net_req_chal: LSA Request Challenge from TESTE011 to PANDORA: 934D0AA570E6938A
> cred_session_key
> cred_create
> cli_net_auth2: srv:\\TESTE011 acct:PANDORA$ sc:6 mc: PANDORA chal C72569B51FC1D884 neg: 1ff
> cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT

Ok, finally found something. It's in smb.conf.

If I leave "domain logons = yes" in /etc/smb.conf, then the above smbpasswd command
fails. If I comment "domain logons", then the above command works.

Also, without domain logons, I can issue:

smbclient -L PANDORA -U user%pass

and it will happily authenticate "user" against my W2K server.

Now I need a way to make my workstations (winxp) try to logon on the
linux samba server but authenticate against my w2k server.

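Added example (not part of the original post, and not Samba code): a small Python check of the [global] section for the two conditions this thread reports, namely "domain logons = yes" on a server that authenticates against a remote DC, and "security = server" with its account lockout drawback. The function names, finding labels and sample configurations are constructed for illustration; treating an unset "security" as "user" is an assumption.

```python
import re

# Constructed smb.conf text using the settings discussed in the thread.
BROKEN = """\
[global]
   workgroup = DISTRO
   security = domain
   password server = *
   domain logons = yes
"""
# Same file with the line commented out, as described in the message above.
FIXED = BROKEN.replace("domain logons = yes", "; domain logons = yes")
SERVER_MODE = "[global]\n security = SERVER\n password server = TESTE011\n"

TRUE_VALUES = {"yes", "true", "1"}

def read_globals(text):
    """Return [global] parameters, names lower-cased with whitespace collapsed."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params

def audit(text):
    """List which of the thread's two findings apply to this configuration."""
    p = read_globals(text)
    security = p.get("security", "user").lower()   # assumption: unset means "user"
    logons = p.get("domain logons", "no").lower() in TRUE_VALUES
    findings = []
    # Reported above: the trust account check fails while domain logons is on.
    if security in ("domain", "server") and logons:
        findings.append("domain-logons-with-remote-auth")
    # Reported in the lockout message: failed attempts are logged against the DC.
    if security == "server":
        findings.append("security-server-lockout-risk")
    return findings

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED), ("server", SERVER_MODE)):
        print(name, audit(conf))
```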



Re: [Samba] Problems making use of 2K PDC

2003-01-30 Thread Andreas Hasenack
On Thu, Jan 30, 2003 at 10:37:29AM -0600, Kenny Mann wrote:
> I'm able to "join" the domain.

I'm not, still getting errors...

smbpasswd -j says I joined the domain. I can confirm that the samba
machine shows up in the w2k AD. Nothing unusual in the logs but the excerpt
below from the smbpasswd -j run:

(...)
Domain=[DISTRO] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
lsa_io_sec_qos: length c does not match size 8   <--- what is this?
Joined domain DISTRO.


Immediately afterwards I run:
smbpasswd -t DISTRO -r TESTE011 -D 4

and get:
(...)
cli_net_req_chal: LSA Request Challenge from TESTE011 to PANDORA: 934D0AA570E6938A
cred_session_key
cred_create
cli_net_auth2: srv:\\TESTE011 acct:PANDORA$ sc:6 mc: PANDORA chal C72569B51FC1D884 neg: 1ff
cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
cli_nt_setup_creds: auth2 challenge failed
modify_trust_password: unable to setup the PDC credentials to machine TESTE011. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.
2003/01/30 16:21:20 : change_trust_account_password: Failed to change password for domain DISTRO.

Event viewer says:
"The session setup from the computer PANDORA failed because there is no trust account
in the security database for this computer. The name of the account referenced in the
security database is PANDORA$."

Now, is this a bug? Where should the missing $ be? mc?




Re: [Samba] Error was : NT_STATUS_OK

2003-01-29 Thread Andreas Hasenack
On Wed, Jan 29, 2003 at 06:01:39PM -0200, Andreas Hasenack wrote:
> On Wed, Jan 29, 2003 at 01:31:59PM -0600, Gerald (Jerry) Carter wrote:
> > > [2003/01/29 15:30:47, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
> > >   cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> > ^^^
> > 
> > This is the actual problem.  Are you sure you are joined to the domain?  
> 
> Well, smbpasswd -j says so:
> 
> # smbpasswd -j DISTRO -r TESTE011 -U Administrator
> Password: 
> Joined domain DISTRO.

Should the following command work immediately afterwards?
# smbpasswd -t DISTRO -r TESTE011  
cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
cli_nt_setup_creds: auth2 challenge failed
modify_trust_password: unable to setup the PDC credentials to machine TESTE011. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.
2003/01/29 18:34:35 : change_trust_account_password: Failed to change password for domain DISTRO.

 :(

I'm trying to read the security logs in the event viewer now, and I saw once something about
a wrong machine name, it was BLA and should be BLA$. Does this ring a bell?




Re: [Samba] Error was : NT_STATUS_OK

2003-01-29 Thread Andreas Hasenack
On Wed, Jan 29, 2003 at 01:31:59PM -0600, Gerald (Jerry) Carter wrote:
> > [2003/01/29 15:30:47, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
> >   cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> ^^^
> 
> This is the actual problem.  Are you sure you are joined to the domain?  

Well, smbpasswd -j says so:

# smbpasswd -j DISTRO -r TESTE011 -U Administrator
Password: 
Joined domain DISTRO.

The samba machine appears as a computer account on the w2k server
(Active Directory Users and Computers). Anything else I can do to check?

I'm about to start over and remove /etc/secrets.tdb and /var/lock/samba/*,
readd the machines, etc. It would just give me a better feeling if I knew
someone else is using "security = server" or "security = domain" with
a w2k server and that it's working. :)




[Samba] Error was : NT_STATUS_OK

2003-01-29 Thread Andreas Hasenack
What kind of error is "NT_STATUS_OK"?

Logs below:

[2003/01/29 15:30:46, 3] libsmb/namequery.c:resolve_lmhosts(768)
  resolve_lmhosts: Attempting lmhosts lookup for name TESTE011<0x20>
[2003/01/29 15:30:46, 3] lib/util_sock.c:open_socket_out(845)
  Connecting to 192.168.100.1 at port 445
[2003/01/29 15:30:47, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2003/01/29 15:30:47, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
  cli_nt_setup_creds: auth2 challenge failed
[2003/01/29 15:30:47, 0] smbd/password.c:connect_to_domain_password_server(1367)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine TESTE011. Error was : NT_STATUS_OK.
[2003/01/29 15:30:47, 0] smbd/password.c:domain_client_validate(1599)
  domain_client_validate: Domain password server not available.

Setup:
* samba-2.2.7a joined a domain on a w2k machine (called TESTE011) with NT compatibility enabled. The
samba machine appears under "Computers" in the Active Directory Users and Computers control panel/mmc snapin.
* winxp client (with signorseal reg change applied) tries to log onto this domain using this samba server above.
* the winxp client also has a computer account on the samba server. The logon works if I change
security = server to security = user and create a user entry in /etc/smbpasswd
* the samba machine has that user in the system password file (/etc/passwd), it just doesn't have that
user in the smbpasswd file.

What is missing? Why couldn't samba use the w2k machine as a password server (last message
in the log excerpt above)?

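Added example (not part of the original post, and not Samba code): a short Python triage of the log excerpt in the message above. It pairs each header with its message and reports the first level-0 record carrying a non-OK NT_STATUS code, which is the line the reply in this thread points to, rather than the trailing "Error was : NT_STATUS_OK". The function names are hypothetical; the sample lines are copied from the excerpt with the archive's line wrapping undone.

```python
import re

# Lines copied from the excerpt above. Layout: a "[date time, level] file:function(line)"
# header, followed by the indented message text.
SAMPLE_LOG = """\
[2003/01/29 15:30:46, 3] lib/util_sock.c:open_socket_out(845)
  Connecting to 192.168.100.1 at port 445
[2003/01/29 15:30:47, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2003/01/29 15:30:47, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
  cli_nt_setup_creds: auth2 challenge failed
[2003/01/29 15:30:47, 0] smbd/password.c:connect_to_domain_password_server(1367)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine TESTE011. Error was : NT_STATUS_OK.
[2003/01/29 15:30:47, 0] smbd/password.c:domain_client_validate(1599)
  domain_client_validate: Domain password server not available.
"""

HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$"
)
STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+")

def parse_records(text):
    """Pair each header line with the message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            records.append({**m.groupdict(), "level": int(m["level"]), "msg": ""})
        elif records and raw.strip():
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + raw.strip()).strip()
    return records

def root_cause(records):
    """Return (function, status) of the first level-0 record with a non-OK status."""
    for rec in records:
        if rec["level"] != 0:
            continue
        for status in STATUS.findall(rec["msg"]):
            if status != "NT_STATUS_OK":
                return rec["func"], status
    return None

def misleading_ok(records):
    """Functions that logged a level-0 failure while reporting only NT_STATUS_OK."""
    return [r["func"] for r in records
            if r["level"] == 0 and STATUS.findall(r["msg"]) == ["NT_STATUS_OK"]]

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("root cause:", root_cause(recs))
    print("misleading NT_STATUS_OK from:", misleading_ok(recs))
```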



[Samba] samba 2.2.7a, security=server, password server = win2k, winxp client

2003-01-29 Thread Andreas Hasenack
Hello,

I'm having some problems with this setting.

I'm trying to have a winxp client logon to a samba-2.2.7a machine which is using
a win2k server as password server. It works if I use a linux client (smbclient):

smbclient -L pandora -U bush%george

Pandora is the samba machine, and it contacts the w2k server and validates bush's
password. This is working, but only with smbclient. I can't do it with the winxp
logon. The logs show that, for some reason, the winxp client is connecting to the
samba server as anonymous. Nowhere does the "bush" username appear, not even in
tcpdump.
This bush user exists on the samba server and on win2k, but not in /etc/smbpasswd
(since I expect the password to be validated against w2k).

If I change security to user and add the bush user to /etc/smbpasswd, then the
winxp client can logon just fine into this domain.

I have the pandora (linux) machine added to win2k, and the winxp machine is also
added to /etc/smbpasswd on pandora.

Another info: since the linux samba server and w2k server are on the same subnet,
I put them on different domains (w2k is a controller for domain A, and both winxp and
linux server are on domain B). Could this be it? I'm doing it because the w2k machine
will be on a different subnet in the final setup, and then I plan on using the same
domain.



Re: [Samba] Samba 2.2.5 + OpenLDAP 2.x - Caveats?

2002-09-30 Thread Andreas Hasenack

On Mon, Sep 30, 2002 at 11:34:55AM +1000, Andrew Bartlett wrote:
> > Any other comments?
> 
> Samba can hit your LDAP server *hard*.  I would suggest keeping LDAP on

Hard indeed. I'm running a small script that first lists all shares available
to a user (smbclient -L), and then uses smbclient again but to connect to each share and run
"dir".  I run this script once for each user I have (about 300). The load on
the ldap machine, a PII-300 128Mb soars to 32 and stays there.

Samba is running on another machine, while openldap 2.0.25 is
on this PII-300. Load on the samba machine is between 1.5 and 2.5 most of the time
during this test. (the samba machine is a celeron 500).




Re: [Samba] samba 2.2.3a with-ldapsam, pwdMustchange solved

2002-05-03 Thread Andreas Hasenack

On Sat, Apr 27, 2002 at 06:31:54AM -0700, [EMAIL PROTECTED] wrote:
> > some days ago there was a discussion, where the pwdMustChange attribute
> > was set to 0 to force the account to change the password at the next
> > logon. unfortunately samba did not set back the pwdMustChange, so the
> > next time the user logs on, he needs again to change the password.
> 
> This is correct in HEAD BTW, but I would not be surprised to hear that it
> didn't make it into 2.2.
> 
> Andrew Bartlett

I think it didn't indeed. I was trying to get this to work with samba-2.2.3a +
ldap enabled and it just didn't work. In fact, I couldn't make the windows
client prompt to change the password at logon time. Sniffing the network
showed that samba always replied with FF (more or less F, probably meaning
-1) to the "must change" field/whatever. Ethereal translated it to "Never".

