Re: [Samba] Re: [homes] share problems
james wrote:
> Robert rob.smb at connectfree.co.uk writes:
>
>> I am experiencing the following problems with the [homes] shares. Using Samba 3.0.9 and winbind on SLES9 with NT PDC. Running wbinfo -a authenticates users ok but I cannot connect using smbclient.
>>
>> If I comment out 'valid users = %S' from [homes] in smb.conf then it is possible to connect using valid user/password combinations but otherwise I get
>>
>> tree connect failed: NT_STATUS_ACCESS_DENIED
>>
>> Could anyone please throw some light on this while I still have some hair left.
>>
>> Thanks
>> Rob
>
> Help also wanted with the same issue:
>
> I am using the same version of Samba, same version of SLES and experiencing an identical problem with the valid users=%S setting on the homes share - tree connect failed: NT_STATUS_ACCESS_DENIED.
>
> One key difference between my environment and Rob's is my environment is relying on a Windows AD server for authentication and I am running smbclient -k.
>
> smbclient works okay with the %S commented out but fails when uncommented.
>
> Any help would be appreciated
>
> Thanks
> James

Hi all,
some months ago I had the same problem and was told to replace %S by %U. That solved the problem for me. BUT I have a standalone samba-pdc, so it may help you or not, but it's worth a try, isn't it?
Christoph

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Intended behaviour of add user and smbpasswd
Hi,

Ritch Melton wrote:
> Hi,
> I'd like to upgrade my 2.2 samba to the latest 3.x stable, so I'm experimenting with the new features of 3.x on a RHEL 3 clone. I've run into some difficulty when using usrmgr.exe for administrating users. I've filled out the 'add user script' define with:
>
> add user script = /usr/sbin/useradd -g sambausers -c Samba User -d /dev/null -s /bin/false -M %u

Mine looks pretty much like yours, but I have '-m %u' as last parameter. And *I can use usrmgr.exe* to administrate my users. Have a look at your useradd manpage to verify the parameters you give to it...
Christoph

> When I try and add a user using usrmgr.exe, I get an 'Access is Denied' message. I turned on debugging and I could see the request being made, and I noticed that the unix account was being created, but the smb backend account was not. It seems like the desired behaviour of 'add user' would add the smb account in my backend (smbpasswd file).
>
> I've searched high and low on Google, but I've been unable to find an answer to this question. I have been able to find several smb.conf files that look like mine. I'd appreciate any input.
>
> Blue Skies,
> Ritch Melton
Re: [Samba] Firewall piercing - The Specified network name is no longer available.
Hi,
I think you do not get the point: This is not a single point of failure. Getting your server sharing to the internet will give you nothing. Why?

1st showstopper: The admin of the PC you want to access your server from will have denied outgoing traffic for all smb-packets from the local LAN to the internet. Because Windows machines tend to do heavy broadcasts to sync their browselists over these ports. This is unwanted traffic which must be paid for and which reduces available bandwidth. So the admins block these ports to *save money*.

2nd showstopper: Even if your ISP does not, many many ISPs silently drop all traffic on the smb-ports. Why? Because there are too many home users not using firewalls, and therefore their Windows machines broadcast to the internet to sync their browselists. If ISPs would forward these packets (or answers to them) it would eat their bandwidth and money for nothing. That's the point why they drop these packets: *MONEY*

3rd showstopper: SMB is not designed for unreliable networks with many routers and their latency involved. SMB over internet simply will not work reliably.

Christoph

JLB wrote:
> Also, my arrogant attitude is largely due to the fact that nobody's reading my points.
>
> I DO NOT want to install OpenVPN.
> I DO NOT want to run WinSCP.
> I DO NOT want to run an anonymous FTP server.
>
> I want to go:
>
> Start
> Run
> smb://IP_ADDRESS/sharename
> (username)
> (password)
> POOF.
>
> That is what I want. Period. It's not unreasonable; this is Samba, not some Win95 box waiting to be h4x0red.
>
> On Thu, 10 Feb 2005, Gordon Russell wrote:
>
>> Date: Thu, 10 Feb 2005 09:22:48 -0500
>> From: Gordon Russell [EMAIL PROTECTED]
>> Cc: JLB [EMAIL PROTECTED], samba@lists.samba.org
>> Subject: Re: [Samba] Firewall piercing - The Specified network name is no longer available.
>>
>> Dude -- Your arrogant attitude towards getting help and resolving your problem is not getting you anywhere -- it's obviously problematic to pump SMB/CIFS into the internet the way you would like to.
>>
>> Why don't you look at a simpler solution like running an anonymous ftp server and then your pathetic windoze users can just type:
>>
>> ftp://server/directory
>> POOF
>
> Please read my points on this sort of solution in the past. The whole REASON I want to use Plain Vanilla SMB is so I can walk up to ANY Windoze machine on the entire flippin' Internet and go:
>
> Start
> Run
> \\IP_ADDRESS\sharename
> (username)
> (password)
> POOF.
>
> --
> J. L. Blank, Systems Administrator, twu.net
Re: [Samba] problem creating trusts between NT4 and samba
Hi,

[...]
> However, when I run smbpasswd -a -i rumba I get the following:
>
> phoenix:~ # smbpasswd -a -i ada
> New SMB password:
> Retype new SMB password:
> Failed to initialise SAM_ACCOUNT for user ada$.
> Does this user exist in the UNIX password database ?
> Failed to modify password entry for user ada$
                                              ^
You see this? The user you have to create is ada$, not ada, as this is the username for a machine-account, not a normal user.

Hope it helps...
Christoph
Re: [Samba] Re: Logon Hours problems (really stuck)
Hi,
yes, that definitely sounds like a problem with the timezone settings on the local server, or a mismatch between timezones set on the server and the clients. Double-check they are consistent and in sync.

Last year I had one client PC of a customer believe it was summertime, but in fact that ended a week before. Result was, all files from this client stored to the samba server got timestamps 2 hours back in time. I guess if they had defined kickoff times this machine would have been kicked 2 hours too early. Doesn't that sound a little familiar to you? Fixed the client's time setting and all was fine again.
Christoph

David Wilson wrote:
> Hi Christoph,
>
> I haven't tried what you suggested yet, however there is definitely something wrong with the time on my Samba server:
>
> In my smb.conf I have the following under my [netlogon] share which creates a log indicating user login times:
>
> preexec = echo %u logged into %h from %m (%I) at %T running %a. /tmp/samba-login.log
>
> What is interesting is that the time indicated in my /tmp/samba-login.log is two hours behind the actual time on the server (which is synched to an international time server). This is what I get in the log:
>
> aw088 logged into tux from lab4_6_208 (10.0.6.208) at 2005/02/04 08:39:25 running WinXP.
>
> If I type date on the server this is what I get:
>
> Fri Feb 4 10:39:06 SAST 2005
>
> As you can see, Samba believes it's two hours behind the actual (correct) time of the server. The time offset = 120 option in the smb.conf does not seem to make any difference.
>
> Is this still related to the hardware clock issues etc. you've mentioned below ?
>
> Thanks for all your help so far, greatly appreciated.
>
> Kindest regards
> David Wilson
> D c D a t a
> Tel +27 33 342 7003
> Fax +27 33 345 4155
> Cell +27 82 4147413
> http://www.dcdata.co.za
> [EMAIL PROTECTED]
> Powered by Linux, driven by passion !
> Computers are not intelligent. They only think they are.
>
> ----- Original Message -----
> From: Christoph Scheeder [EMAIL PROTECTED]
> To: David Wilson [EMAIL PROTECTED]
> Cc: samba@lists.samba.org
> Sent: Thursday, February 03, 2005 11:44 AM
> Subject: Re: [Samba] Re: Logon Hours problems (really stuck)
>
>> Hi,
>> what I do is the following setup for linux-servers and time:
>> 1.) set hardware-clock to GMT,
>> 2.) tell the system the hardware clock is set to GMT (how depends on distro)
>> 3.) set local timezone to GMT+2 (again, depends on distro)
>> 4.) check all win-Clients to have the correct timezone set
>>
>> After that your system-clock should be showing the correct time in linux, and samba should use the correct kickoff times. As a side effect it gives you the possibility to use ntp to sync your clock with any timeserver out there in the internet.
>> Christoph
>>
>> David Wilson wrote:
>>> Hi guys,
>>>
>>> Unfortunately this is still happening. I've tried restarting Samba. Users who should be denied access after 21:00 are being denied access at 19:00. Our time zone in South Africa is GMT+2.
>>>
>>> Perhaps I should set the timezone on the server to UTC/GMT ? Do you think this will help ? Should I then leave the time set to the current time in South Africa ? Or should I set the time to the time at UTC/GMT ?
>>>
>>> There's something I must be missing here.
>>>
>>> Kindest regards
>>> David Wilson
Re: [Samba] Re: Logon Hours problems (really stuck)
Hi,
what I do is the following setup for linux-servers and time:
1.) set hardware-clock to GMT,
2.) tell the system the hardware clock is set to GMT (how depends on distro)
3.) set local timezone to GMT+2 (again, depends on distro)
4.) check all win-Clients to have the correct timezone set

After that your system-clock should be showing the correct time in linux, and samba should use the correct kickoff times. As a side effect it gives you the possibility to use ntp to sync your clock with any timeserver out there in the internet.
Christoph

David Wilson wrote:
> Hi guys,
>
> Unfortunately this is still happening. I've tried restarting Samba. Users who should be denied access after 21:00 are being denied access at 19:00. Our time zone in South Africa is GMT+2.
>
> Perhaps I should set the timezone on the server to UTC/GMT ? Do you think this will help ? Should I then leave the time set to the current time in South Africa ? Or should I set the time to the time at UTC/GMT ?
>
> There's something I must be missing here.
>
> Kindest regards
> David Wilson
Re: [Samba] Samba 3.0.9 and vfs recycle on SLES9
Hi,

J. Strohschnitter wrote:
> Hi list,
>
> I have problems working samba 3.0.9 with VFS recycle. I have made an exclude to a folder on the share, but any file that was deleted out of this folder, still moved to trash. Also all files from exclude (like .tmp ...) were stored to trash.
>
> Another problem is, that any file that was saved on the share from the application (like MSOffice) was also copied to the trash. So if I save a file to the network drive, the file was also saved to the trash-repository with complete tree.
>
> Is there anything wrong in my conf ? Hope someone can find the bug:
>
> vfs objects = recycle

this has to read
vfs object = recycle
not objects

> recycle:repository = .Papierkorb/%U
> recycle:keeptree = Yes
> recycle:touch = No
> recycle:versions = No
> recycle:exclude = *.tmp|*.temp|*.o|*.obj|*.pqi|*.scr|*.eml|*.mpg|*.mpe|*.mpeg|*.mov|~$*
> recycle:excludedir = /pmail|/PMAIL
> recycle:maxsize = 209715200
>
> Thx :-)

no problem...
Christoph
Re: [Samba] Linux server client in Win2k3 AD domain
Hi,
you didn't tell us your distribution etc, so this is a bit of guesswork. You need a very recent version of kerberos libraries on your system. If you use MIT-kerberos you need at least version 1.3.4. For heimdal I can't recall the exact version. Please search the list-archives for the minimal required versions. After installing these libraries you'll have to recompile samba against them.
Christoph

Jonas Printzén wrote:
> Hello folks!
>
> I am trying to make sure we can use Linux/Win2k3 mix in my company. After reading up in the documentation I felt it sounded so good I would probably get there with little effort... Well, halfway there I got fast enough. But that won't do...
>
> I have successfully joined the AD-Domain from my Linux host. And I also can authenticate an AD user in the Linux host. I used nsswitch and pam.d/system-auth with winbind...
>
> However I can't get to the shared files from a Windows client. I can browse, with a LOT of waiting, so I can see the machine and shares. But I can't login and access files. I tried this both from the Win2k3 AD machine and from my XP desktop. Windows client says the user/password is wrong.
>
> In the /var/log/samba/machine logfile I get:
>
> [2005/01/29 15:21:48, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
>   Failed to verify incoming ticket!
>
> Painful as it is I have to admit I don't know enough to get any further.
>
> Please advise!!
Re: [Samba] samba-3 problem joining ws to domain
Hi,
This was a limitation in samba 3.0.x up until 3.0.11-pre1. Only the user mapped to root was able to join machines to a samba-domain. In the latest version (samba-3.0.11-rc1) there have been added some rights to allow joining of machines for other users. Have a look at

http://samba.org/~jerry/Samba-Rights-HOWTO

This link was posted from Jerry Carter to document the new features 7 days ago.
Hope it helps
Christoph

cj wrote:
> G'day Rauno,
>
> Just wondering if you ever found a solution to your problem (http://lists.samba.org/archive/samba/2003-September/073997.html) regarding Windows 2K workstations joining a Samba3 domain. I seem to be experiencing the same problems - with the access denied message.
>
> Any ideas would be most appreciated.
>
> Regards
> Corey Johnston.
Re: [Samba] Samba PDC and home share
Hi,
could you be a little more informative about your setup? We can't read your mind, nor can we look at your HD to find out what version of samba you have installed, what's your OS, distribution, version, smb.conf, client-OS, patchlevel. These are all information needed to answer your question ;-)
Have a nice day
Christoph

Mika Syvänen wrote:
> Hi!
>
> We have samba pdc with open ldap server. Domain login works ok but home share does not work. If we try to map home or other disk share, we can see error message.
>
> [2005/01/29 18:11:12, 2] auth/auth.c:check_ntlm_password(312)
>   check_ntlm_password: Authentication for user [hoppa] - [hoppa] FAILED with error NT_STATUS_WRONG_PASSWORD
>
> Mika
Re: [Samba] Problems with Access Control for Shares on Samba 2
Hi again,
two things:
1.) you did restart samba after making the changes, true?
2.) you have changed your line
    guest = ok
to
    guest ok = yes
Did you?
Christoph

remote wrote:
> Hi Christoph,
>
> thanks for the help, unfortunately your suggestion doesn't change the server's behavior. hobbit5 still has both read and write permission (as intended), but other users still can't enter the directory.
>
> Any other ideas ?
>
> Thanks, Jörg
>
>> hi,
>> to achieve what you want the [hobbit5] should read
>>
>> [hobbit5]
>> comment = hobbit5
>> path = /ALPHA-DATA/hobbit5
>> browseable = yes
>> read only = yes
>> guest ok = yes
>> write list = hobbit5
>> ;force user = hobbit5
>>
>> Christoph
>>
>> remote wrote:
>>> Hi all !
>>>
>>> I have a question regarding the access control in Samba 2. I want to make shares available to the Windows Network for which only the owner of the share has write access. Other users however should be able to read and browse these shares.
>>>
>>> My smb.conf :
>>>
>>> global]
>>> workgroup = leat
>>> guest account = nobody
>>> keep alive = 30
>>> os level = 2
>>> kernel oplocks = false
>>> security = user
>>>
>>> [hobbit5]
>>> comment = hobbit5
>>> path = /ALPHA-DATA/hobbit5
>>> browseable = yes
>>> read only = no
>>> guest = ok
>>> valid user = hobbit5
>>> ;force user = hobbit5
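Added example (not part of the thread, and not Samba code): a small Python check for the mistake raised in this message, parameter names that smbd does not recognise and therefore ignores, such as `guest = ok` and `valid user`. The list of known parameters is an assumption limited to the names used in the posted configuration; `testparm` performs the full check against the installed Samba version.

```python
import difflib
import re

# Canonical names of the parameters used in the configuration on this page.
# Assumption of this example: a real audit relies on testparm, which knows
# every parameter of the installed Samba version.
CANONICAL = [
    "workgroup", "guest account", "keepalive", "os level", "kernel oplocks",
    "security", "comment", "path", "browseable", "read only", "guest ok",
    "write list", "valid users", "force user",
]


def squash(name):
    """Compare names as Samba does: case and internal whitespace are ignored."""
    return re.sub(r"\s+", "", name).lower()


KNOWN = {squash(n): n for n in CANONICAL}


def lint(conf_text):
    """Return (line_number, section, message) for every suspicious line."""
    findings = []
    section = None
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        header = re.fullmatch(r"\[([^\[\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if "=" not in line:
            findings.append(
                (lineno, section, f"not a section header or parameter: {line!r}"))
            continue
        name = line.split("=", 1)[0].strip()
        if squash(name) in KNOWN:
            continue
        # An unknown name is ignored by smbd, so an access-control line
        # written this way has no effect. Suggest the closest known name.
        guess = difflib.get_close_matches(squash(name), list(KNOWN), n=1)
        hint = f"; did you mean {KNOWN[guess[0]]!r}?" if guess else ""
        findings.append((lineno, section, f"unknown parameter {name!r}{hint}"))
    return findings


# The configuration from the original post, one parameter per line.
POSTED = """\
global]
   workgroup = leat
   guest account = nobody
   keep alive = 30
   os level = 2
   kernel oplocks = false
   security = user

[hobbit5]
   comment = hobbit5
   path = /ALPHA-DATA/hobbit5
   browseable = yes
   read only = no
   guest = ok
   valid user = hobbit5
   ;force user = hobbit5
"""

# The share definition suggested in the reply.
SUGGESTED = """\
[hobbit5]
   comment = hobbit5
   path = /ALPHA-DATA/hobbit5
   browseable = yes
   read only = yes
   guest ok = yes
   write list = hobbit5
   ;force user = hobbit5
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("suggested", SUGGESTED)):
        print(label)
        for lineno, section, message in lint(text) or [(0, None, "no findings")]:
            print(f"  line {lineno} [{section}]: {message}")
```
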
Re: [Samba] Setting file and directory permissions using Windows Explorer
Hi,
you did activate the ACLs in /etc/fstab for the filesystems in question and restarted the server afterwards?
Christoph

Allen Miller wrote:
> I am using Samba-3.0.10 on a Red Hat 9.0 server. I compiled Samba --with-acl-support. I am using kernel linux-2.6.10 also compiled with acl support, I believe.
>
> The Samba server is the PDC with Windows 2K and XP Pro machines joined to that domain. I can authenticate as user root and map drives to any share available.
>
> As root I cannot change permissions. When I right-click on a directory and click properties, I click the Security tab. When I click Apply to save changes, all boxes are blank.
>
> I am so close, I think, at having a Samba server mimic a Window$ server. This one feature still eludes me.
>
> Any help would be greatly appreciated.
>
> Al Miller
Re: [Samba] Unable to map drives to samba shares
Hi,
I guess nobody answered for some reasons:
1.) samba 2.2.0 is old today, very old.
2.) you probably didn't give enough details on your problem. What version of windows, what servicepack, what is in your smb.conf, is the error reproducible, does it occur for specific users, is the samba-server the only server, or does it authenticate against a windows domain controller. You get the point?
3.) after thinking some time about it, I remember I had this issue long ago (around 1998 perhaps) with 2.2x. It turned out it didn't default to 0 for max connections, it used 32 or 64 as value. Set the value explicitly to 0 and it never occurred again.
Christoph

Lord, Alistair J. wrote:
> Hi,
>
> Nobody responded to my original query - is this because it's unsolvable? I'd be extremely grateful for any help that could be given on this issue...
>
> Many thanks,
> Alistair Lord
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lord, Alistair J.
> Sent: 21 January 2005 16:22
> To: samba@lists.samba.org
> Subject: [Samba] Unable to map drives to samba shares
>
>> Hello,
>>
>> We're running SCO open server 5.0.6 and Samba 2.2.0 and get recurring problems when people try to map drives. Windows produces the error:
>>
>> No more connections can be made to this remote computer at this time [...] already as many connections as the computer can accept.
>>
>> The max connections parameter is not set in our smb.conf file. From what the man page says, it defaults to 0, and should mean there is no restriction on the number of connections, but we don't have a vast number of people connecting anyway (currently smbstatus -S shows about 11 shares).
>>
>> Does anyone know how to resolve this issue?
>>
>> Many thanks,
>> Alistair Lord
Re: [Samba] Problem with network share
Hi,
this Z: mapping is a standard feature of win2k/xp if you do domain-logons and have set logon path to a real path. Set it to

logon path =

This disables roaming profiles and the mapping of the Z: drive completely. If you need roaming profiles you can alternatively set

logon drive = Y:

to make windows map the profile-share to Y: instead of Z:
Christoph

Fabio Viero wrote:
> Hi
>
> I have the following problem. I had just added a windows XP Pro machine to a domain. This process was just fine, but when a user logs on the system creates the needed shares. They are:
>
> H: for homes (default, I think)
> Other 2 shares for apps needed
> and Z: share also mapped to the home folder.
>
> My problem is Z. Beyond being re-shared this Z drive is used by a network application of vital importance. The use of startup system on the machine itself is not a solution. I just want this Z drive to be gone...so can map it to the correct place.
>
> This drive IS NOT being mapped by any logon scripts on the samba server neither on the WIN XP machine.
>
> Thanks in advance for any help.
>
> Cheers.
Re: [Samba] Winbind + NIS + winbind trusted domains
Hi,
that behavior is logically correct, I would say. What happens is: the user is found from nis, and gets a userid not from the winbind-range. As a result samba is not able to verify this uid against the AD, as it is not an AD-user-id.

I guess to achieve what you want you would have to add the nis-users to the local smbpasswd-database with the correct username and password and tell samba to look up users first in local database and then in AD. But I don't know if this is possible, I never tried it.

Question to the developers: IF the AD-mode is implemented as a normal TDB-Backend I guess it would work, but I think this is a little bit of a different beast, isn't it? Wouldn't it be a nifty feature for future versions of samba, giving it much more flexibility?
Christoph

Plant, Dean wrote:
> Hello list,
>
> I need to set up a samba file server with user access from a Windows AD domain and a separate Solaris NIS domain. All of our users have an account on the AD domain but only some of our users have a Unix account. I would like Windows users that have a Unix account to have files written as per their Unix uid and users that do not have an account to have a uid assigned from winbind.
>
> I had thought of using winbind with winbind trusted domains only = yes with the nsswitch.conf file listing
>
> passwd: files winbind nis
> shadow: files winbind nis
> group: files winbind nis
>
> which I thought would match known user names to NIS id's and unknown user names to winbind uid's. This does not work as I expected as all users are given winbind uid's.
>
> If I change nsswitch.conf to
>
> passwd: files nis winbind
> shadow: files nis winbind
> group: files nis winbind
>
> Users that have Unix accounts are given the NIS uid but users without a Unix account are asked for a username/password when connecting to Samba.
>
> Can anyone confirm that what I am trying to do is possible and if so any ideas what I have missed.
>
> I am testing with 3.0.9 on FC3
>
> My smb.conf below
>
> [global]
> workgroup = AD
> server string = Samba
> printcap name = /etc/printcap
> load printers = yes
> cups options = raw
> log file = /var/log/samba/%m.log
> max log size = 50
> security = ads
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> name resolve order = wins bcast
> wins server = 192.168.2.19
> dns proxy = no
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> template shell = /bin/false
> password server = *
> realm = AD.MYDOMAIN.CO.UK
> winbind trusted domains only = yes
> winbind use default domain = no
>
> Thanks in advance
>
> Dean Plant
Re: [Samba] Winbindd forgetting the user maps
Hi,
this is a symptom of having the samba .tdb files in a place where they get deleted by the bootup-scripts of your distribution. That is a very bad place for them. Either modify the bootup-script(s) or recompile samba giving configure a safe place for the .tdb files.
Christoph

Mark Le Noury wrote:
> Hi,
>
> I have a bit of a problem - every time our samba server reboots, winbindd seems to forget its user and group id mapping.
>
> Also after I have rebooted, I need to run getent passwd and getent group, otherwise it looks like this:
>
> drwx------ 2 10183 root 4096 Dec 8 16:12 dir0080
>
> After I have run those commands, the directories are owned by different users.
>
> Thanks for any help,
>
> Mark Le Noury
> Barone, Budge Dominick
> Tel. (+2711)532 8415
> Cell. +27825624412
> E-mail: [EMAIL PROTECTED]
Re: [Samba] Logon Script
Norman Zhang wrote:
> Hi,
>
> Is [netlogon] only applicable for Samba Domain Controllers? I like to create use root preexec script to create home folders for first time users. I'm currently running ADS mode, and using KiXtart logon script. Would this work?
>
> Regards,
> Norman Zhang

Hi,
Creating homedirs for first-time users is much better achieved using the pam_mkhomedir.so pam module. This way the homedir gets created the first time the user authenticates by the pam system. You don't need to script this process, which can be tricky...
Christoph
Re: [Samba] ADS Authentication
Hi again,
the answer is simple: you don't need net groupmap at all. That's what the id-ranges in smb.conf are for: the ADS-users and the ADS-groups are mapped by winbind to user/group id's from the ranges specified and are presented by nsswitch to the OS like any other user/group from local files or nis.

This means if you want a dir SomeDir to be owned by, let's say, domain-users, do a

chown someuser.domain-users SomeDir

That's all you need. Same for acls, just use the ADS-group like any unix-group.
Christoph

Tom Skeren wrote:
> OK Christopher, samba is authenticating, if a bit oddly (some XP machines can use \\sserver\fsk, others need to use \\ipaddy\fsk---not a huge problem). However I don't think I'm grasping the net groupmap function. I was of the belief that if I did this:
>
> net groupmap add ntgroup=nt-group unixgroup=(some group in /etc/group),
>
> then ADS members in nt-group would be mapped to the unix group. Thus when I setfacl on that directory with the unix mapped group rwx, then ADS members of the nt-group would have rwx permissions. However, when I log in to the share, the samba server terminal burps up:
>
> smbd[582] chdir (/home/FSK) failed
>
> I must be missing something. Any thoughts would be appreciated.
Re: [Samba] Samba and internet!
Hi,
I would guess you have problems with name-resolution in DNS and/or WINS. Either configure a local dns-server for your subnet on the samba-machine(s) or set up the hosts/lmhosts files on all your machines to show all other machines in the subnet.
Christoph

Marcus Andersson wrote:
> Hi everybody!
>
> I have a problem which has puzzled me for some time. I have put samba on an internal subnet which is the same as the windows clients. Everything works great as long as internet is up and running, but if internet goes down then the windows clients can't find the samba server or just simply time out when trying to log in.
>
> On one installation I have a netgear router which handles the traffic and is dhcp server for the internal net, and in the other the windows machine has an isdn-connection locally which gives it connection to the internet and also routes the internal net (samba server) to the internet.
>
> I also have a third installation where the server running samba also is the gateway to internet and this problem never occurs there. If internet goes down then the clients can still log in without problem.
>
> I would really appreciate some input on this problem since it keeps me awake at nights :) I have searched the internet but couldn't find anything that explains it.
>
> Thanks in advance
> /marcus
Re: [Samba] Problem connecting to domain
Hi,
is it possible you have other versions of samba/kerberos libraries floating around in your system and the system loader first finds wrong versions of libraries when loading? Does

ldd /usr/local/samba/bin/net

show the correct/expected dll's to load?
Christoph

Chris Vaughan wrote:
> Greetings,
>
> I have compiled samba 3.0.9 to use kerberos 1.3.5 that I have also compiled from source. However, when I attempt to connect the host to an Active Directory domain, it fails with the following error after a lengthy delay:
>
> /usr/local/samba/bin/net: relocation error: /usr/local/samba/bin/net: undefined symbol: krb5_cc_close
>
> What can I do to resolve this?
Re: [Samba] ADS Authentication
Hi,
Your pam.d/logon file looks nice, mostly.. As you stated, the winbind part is authenticating correctly, so you would be able to log in with an ADS account, if not the pam system would try to verify the posix-account too. This is why you get asked for the second password.

As I'm running linux and you FreeBSD there are differences in the syntax of the pam-files. There must be an option like use_first_pass in your system too, and I guess it would apply to the lines calling the system-module. You'll have to check your pam documentation for this.

It is definitely not a samba problem. After winbind authenticated the user there is no part of samba involved in the login process anymore.
Christoph

Tom Skeren wrote:
> Christoph Scheeder wrote:
>
>> Hi,
>> 2 points:
>> 1.) use the smb.conf which gives you a working wbinfo.
>> 2.) this sounds like misconfigured pam to me.
>> -you have to tell pam that winbind is sufficient for auth and account with the lines
>
> Here's the /etc/pam.d/logon file info. This must be working because of the dual authentication when logging in at the terminal. In fact if you open a new terminal session and log in there, the primary [F1] screen will show pam_winbind[451]: user 'root' granted access. Further, when attempting to log on with an ADS account, although the log in fails, pam_winbind grants access. Here's the file info:
>
> #
> # $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
> #
> # PAM configuration for the login service
> #
>
> # auth
> auth            required        pam_nologin.so          no_warn
> auth            sufficient      pam_self.so             no_warn
> auth            include         system
> auth            sufficient      /usr/local/lib/pam_winbind.so
>
> # account
> account         requisite       pam_securetty.so
> account         include         system
> account         sufficient      /usr/local/lib/pam_winbind.so
>
> # session
> session         include         system
>
> # password
> password        include         system
>
>> account sufficient pam_winbind.so
>> and
>> auth sufficient pam_winbind.so
>> this drops the need for the local posix-account.
>> -And for the auth modify the line with pam_unix.so to read like
>> auth required pam_unix.so use_first_pass nullok
>> this gets you rid of the second password-prompt.
Re: [Samba] printing server
Okay,
let's see if I understand this correctly ;-)
You have a network with:
1 gateway/firewall to the internet (ip 192.168.0.1)
1 linux-pc which shall share its printer to the local network (ip 192.168.0.4)
several other linux/windows pc's which shall be able to print.
All traffic is *not* passing through the gateway.

[snip]
> # Global parameters
> [global]
> workgroup = MYGROUP
> server string = Samba Server
> interfaces = 192.168.0.4/24, 192.168.0.1/24

Then this line is complete rubbish. It should read

interfaces = 192.168.0.4/24, 127.0.0.1/8

> log file = /var/log/samba/%m.log
> max log size = 50

Samba is telling you that (if my rudimentary French doesn't fool me...)
[snip]
> [2004/12/08 03:03:54, 0] lib/util_sock.c:open_socket_in(708)
>   bind failed on port 137 socket_addr = 192.168.0.1. Error = Ne peut attribuer l'adresse demandée

It tries to open a socket on an interface with address 192.168.0.1, which will not succeed as it has no such interface.
Christoph
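Added example (not part of the thread, and not Samba code): a Python check that ties the "bind failed" log record quoted in this message back to the `interfaces` entry that caused it, and lists entries whose address does not belong to the host. The function names are hypothetical, and the host's own addresses are passed in as an assumed list (the print server's 192.168.0.4 plus loopback).

```python
import ipaddress
import re

# Matches the smbd log record quoted in the message above.
BIND_FAILED = re.compile(
    r"bind failed on port (\d+) socket_addr = (\d{1,3}(?:\.\d{1,3}){3})")


def interface_entries(conf_text):
    """Return the entries of the first uncommented `interfaces =` line."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*interfaces\s*=\s*(.*)", line, re.IGNORECASE)
        if m:
            return [e for e in re.split(r"[,\s]+", m.group(1)) if e]
    return []


def foreign_addresses(conf_text, local_addresses):
    """Entries whose IP address is not configured on this host."""
    local = {ipaddress.ip_address(a) for a in local_addresses}
    foreign = []
    for entry in interface_entries(conf_text):
        try:
            ip = ipaddress.ip_interface(entry).ip
        except ValueError:
            continue  # an interface name such as eth0: nothing to compare
        if ip not in local:
            foreign.append(entry)
    return foreign


def explain_bind_failures(log_text, conf_text):
    """Map each 'bind failed' record to the interfaces entry behind it."""
    by_ip = {}
    for entry in interface_entries(conf_text):
        try:
            by_ip[str(ipaddress.ip_interface(entry).ip)] = entry
        except ValueError:
            pass
    return [(int(port), addr, by_ip.get(addr))
            for port, addr in BIND_FAILED.findall(log_text)]


# Configuration and log record as quoted in the message.
POSTED_CONF = """\
[global]
   workgroup = MYGROUP
   server string = Samba Server
   interfaces = 192.168.0.4/24, 192.168.0.1/24
"""
FIXED_CONF = POSTED_CONF.replace("192.168.0.1/24", "127.0.0.1/8")
LOG = """\
[2004/12/08 03:03:54, 0] lib/util_sock.c:open_socket_in(708)
  bind failed on port 137 socket_addr = 192.168.0.1. Error = Ne peut attribuer l'adresse demandée
"""
# Assumed addresses of the print server itself.
LOCAL = ["192.168.0.4", "127.0.0.1"]

if __name__ == "__main__":
    print("not local:", foreign_addresses(POSTED_CONF, LOCAL))
    for port, addr, entry in explain_bind_failures(LOG, POSTED_CONF):
        print(f"port {port}: {addr} comes from interfaces entry {entry}")
```
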
Re: [Samba] ADS Authentication
first: STOP, you want your samba-server to be a member server in ADS, do you? Then *remove* *all* bits referencing ldap from your smb.conf. You entrust all user and group management to ADS via winbindd and only via winbindd.

second: you have configured winbindd not to give you the domain part from ADS by setting:

winbindd use default domain = Yes

set it to no and you will get the domain part for your domain users/groups

third: don't use / as domain-separator in linux/unix. It has special meaning (path-separator) and using it probably will give you strange problems.

Christoph

Tom Skeren wrote:

Edward Wissner wrote:

I have similar issues, but am not using an ldap server, rather a W2k Active Directory domain controller.

Yes, so am I. The ldap server listed in ldap.conf is named w2000

And am not interested in logging into the linux server with AD. Domain users and groups list without the domain ID for me as well. I don't know if that is proper as I have never seen a working setup.

No...it should be DOMAIN_NAME/user1 DOMAIN_NAME/group1 etc. The / is specified in smb.conf as winbindd separator.

I see my shares on the samba server from a w2k client, but am prompted again for usr/passwd when attempting to open a shared directory. That's when I get a failure.

Try mapping a drive by \\ip-addy\share bet it works.

I'm ready to toss it and start over, migrating completely away from w2k AD and setting up an ldap directory instead.

I can't unfortunately.

Samba works great if I create my users locally.

It works pretty well as an NT style PDC, yes, but this project requires a samba server become a member server in ADS.

ed

-Original Message-
*From:* Tom Skeren [mailto:[EMAIL PROTECTED]
*Sent:* Wednesday, December 08, 2004 10:32 AM
*To:* Edward Wissner; samba
*Subject:* Re: [Samba] ADS Authentication

Edward Wissner wrote:

What did you change in your smb.conf file?

Well, I managed to get samba to authenticate, however, continued winbindd problems make the setup worthless. Group searches fail, or are incomplete. Domain users and groups list without domain id. net groupmap fails. Attempts to re-join via net ads join fail. If you're interested, I have copied all the relevant config files here:

_*smb.conf:*_

workgroup = FSK
realm = FSKLAW.NET
server string = SSERVER
netbios name = SSERVER
security = ADS
client schannel = Yes
server schannel = Yes
passdb backend = ldapsam:ldap://w2000.fsklaw.net
socket options = TCP_NODELAY
dns proxy = No
ldap admin dn = cn=Administrator,cn=users,DC=fsklaw,DC=net
ldap suffix = DC=fsklaw,DC=net
idmap uid = 1-2
idmap gid = 1-2
winbind separator = /
winbind enum users = No
winbind enum groups = No
winbind use default domain = Yes
dos filemode = Yes
acl compatibility = win2k
inherit acls = yes
inherit permissions = yes

[FSK]
path = /home/FSK
public = yes
only guest = no
browseable = yes
writeable = yes
printable = no
create mask = 0777
force create mode = 0777
force directory mode = 0777
directory security mask = 0777

_*ldap.conf: *_

host w2000.fsklaw.net
base dc=fsklaw,dc=net
ldap_version 3
URI ldaps:w2000.fsklaw.net
scope sub
pam_login_attribute Administrator
pam_password md5
idle_timelimit 3600
nss_base_passwd cn=Users,dc=fsklaw,dc=net?one
nss_base_group cn=Users,dc=fsklaw,dc=net?one
ssl on
TLS_CACERT /etc/CA/fsk.pem
tls_ciphers TLSv1
sasl_secprops maxssf=0
krb5_ccname FILE:/tmp/krb5cc_0

_*nsswitch.conf: *_

passwd: files winbind
shadow: files winbind
group: files winbind
hosts: dns winbind ldap files nis
automount: files winbind ldap nisplus
aliases: files winbind ldap nisplus

_*krb5.conf:*_

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = FSKLAW.NET
dns_lookup_realm = false
dns_lookup_kdc = false
default_etypes = des-cbc-crc des-cbc-md5
default_etypes_des = des-cbc-crc des-cbc-md5
default_keytab-name = FILE:/etc/krb5.keytab

[realms]
FSKLAW.NET = {
kdc = KERBEROS.FSKLAW.NET
admin_server = w2000.fsklaw.net
default_domain= fsklaw.net
}

[domain_realm]
.fsklaw.net = FSKLAW.NET
fsklaw.net = FSKLAW.NET
.FSKLAW.NET = FSKLAW.NET
.kerberos.server = KERBEROS.FSKLAW.NET

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false

_*pam.d/login: *_

#
# $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $
#
# PAM
Re: [Samba] ADS Authentication
Hi, 2 points:

1.) use the smb.conf which gives you a working wbinfo.

2.) this sounds like misconfigured pam to me.

-you have to tell pam that winbind is sufficient for auth and account with the lines

account sufficient pam_winbind.so
and
auth sufficient pam_winbind.so

this drops the need for the local posix-account.

-And for the auth modify the line with pam_unix.so to read like

auth required pam_unix.so use_first_pass nullok

this gets you rid of the second password-prompt.

hope it helps.

Christoph

Tom Skeren wrote:

Jeremy Allison wrote:

On Mon, Dec 06, 2004 at 02:29:29PM -0800, Tom Skeren wrote:

I'm about ready to smash my head through a wall...I could use a few answers. 1. When using security = ads, and completing net ads join, it was my understanding that samba authenticated username/pword against ads, and local posix accounts were no longer needed, is this true?

Yes, so long as you have nsswitch and pam set up correctly. It sounds like you don't.

Well, I've followed every how to that I can find. I have some strangeness. When I log into the unix terminal I have to supply 2 root passwords...the posix one and the one for root in ADS (they're different) to login. The same for a user with both posix and ADS accounts. Non posix account users cannot login with an ADS account to the terminal. Depending on changes to the smb.conf file I get wild results with winbindd. One config gives users and groups with a wbinfo -u/g command. Others error out with differing reasons for the errors. I'm really not sure where the error is...it should be working, but it is not.

Jeremy.
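The double password prompt discussed in the two ADS Authentication messages above can be checked mechanically. The following is an added example, not code from the thread or from Samba: it walks the auth lines of a PAM service file and reports every password-asking module that follows an earlier one without use_first_pass or try_first_pass, and every line carrying nullok (which lets accounts with an empty password authenticate). It assumes that an included stack such as "system" contains a password module; the function and constant names are made up for the example.

```python
# Added example: audit the "auth" stack of a PAM service file for double prompts.
PROMPTING = {"pam_unix.so", "pam_winbind.so"}   # modules that ask for a password
REUSE = {"use_first_pass", "try_first_pass"}     # options that reuse the first one

# Auth lines of the FreeBSD file posted in the thread.
POSTED_STACK = """\
auth required pam_nologin.so no_warn
auth sufficient pam_self.so no_warn
auth include system
auth sufficient /usr/local/lib/pam_winbind.so
"""

# Linux-style stack built from the two auth lines suggested in the reply.
SUGGESTED_STACK = """\
auth sufficient pam_winbind.so
auth required pam_unix.so use_first_pass nullok
"""


def parse_auth(text):
    """Return (lineno, control, module basename, options) for each auth line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        if fields[1].startswith("["):
            # Linux-PAM bracketed control such as "[success=1 default=ignore]"
            end = next((i for i, f in enumerate(fields)
                        if i >= 1 and f.endswith("]")), None)
            if end is None or end + 1 >= len(fields):
                continue
            fields = [fields[0], " ".join(fields[1:end + 1])] + fields[end + 1:]
        module = fields[2].rsplit("/", 1)[-1]
        entries.append((lineno, fields[1], module, fields[3:]))
    return entries


def audit_auth(text):
    """Return findings as (kind, line number, module) tuples."""
    findings = []
    prompted = False          # has an earlier entry already asked for a password?
    for lineno, control, module, opts in parse_auth(text):
        if control == "include":
            # Assumption: the included stack holds a password module. Options
            # cannot be passed through an include, so it needs a manual look
            # when it comes after another prompting module.
            if prompted:
                findings.append(("check-include", lineno, module))
            prompted = True
            continue
        if module in PROMPTING:
            if prompted and not REUSE & set(opts):
                findings.append(("second-prompt", lineno, module))
            prompted = True
        if "nullok" in opts:
            findings.append(("nullok", lineno, module))
    return findings


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_STACK), ("suggested", SUGGESTED_STACK)):
        print(name, audit_auth(stack))
```
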
Re: [Samba] Reg connecting win3.11 clients to samba
Hm, this should work out of the box, but you must install the tcp/ip-protocol (preferably the tcp32b-version from microsoft) to your win3.11 clients and you should remove all other protocols from these clients. Samba only talks netbios over tcp, not native netbios. Hope this helps

Christoph

jai wrote:

Dear sir, We are using Redhat linux 9 with which we got samba 2.2.7a. We are able to connect windows 98 and win xp machines, but the problem is we are not able to connect win 3.11 machines. Is there any add-on package for connecting win 3.11 clients ( windows workgroups ) or the procedure to be followed to get the sares slice of linux m/c to win 3.11 m/c..

with regards
Jayaram Prasad, Sr.Dy.Systems Engineer. Systems Dept. Hyderabad. jayaram
Re: [Samba] Messages in log file every 5 min ... how to stop or redirect to a different log file.
Robert Warner wrote:

Hi, Semi-not new to samba, used a previous version a long time ago. I'm using samba on SuSE 9.0, samba version 'Version 2.2.8a-SuSE' 2 network cards on this machine, eth01. I've enabled the samba server on this machine and it is functional. However, I only want samba to serve the file system on one of the network cards and not the other. Is this just a simple configuration item I'm missing? The firewall on this machine is preventing samba from accessing the other network card, but every 5 min it attempts to try the other network (which it is firewalled against attempting). This attempt places many failure messages in my 'messages' log file. I would prefer not to see these messages. Is there a way to redirect these messages or stop them altogether (while still keeping samba running ;) )?

Example of messages: [Names and IP number changed to protect the innocent ;)]

Nov 19 19:07:55 WS nmbd[7532]: [2004/11/19 19:07:55, 0] libsmb/nmblib.c:send_udp(756)
Nov 19 19:07:55 WS nmbd[7532]: Packet send failed to XXX.XXX.XXX.XX(137) ERRNO=Operation not permitted
Nov 19 19:07:55 WS nmbd[7532]: [2004/11/19 19:07:55, 0] nmbd/nmbd_packets.c:send_netbios_packet(172)
Nov 19 19:07:55 WS nmbd[7532]: send_netbios_packet: send_packet() to IP XXX.XXX.XXX.XXX port 137 failed
Nov 19 19:07:55 WS nmbd[7532]: [2004/11/19 19:07:55, 0] nmbd/nmbd_namequery.c:query_name(265)
Nov 19 19:07:55 WS nmbd[7532]: query_name: Failed to send packet trying to query name ME1d

The ip number is the broadcast ip for the network which I do not want it to have access to. Thanks in advance for your reply.

bob

Hi, I guess setting

bind interfaces only = Yes
and
interfaces = lo eth0

will do the trick, replace eth0 with the name of the correct interface. lo has to be listed too, the exact reason is mentioned in the manpage.

Christoph
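Both the "printing server" reply (an interfaces entry for an address the host does not own) and the reply above (restricting Samba to one NIC, with lo listed) come down to comparing the [global] interfaces settings with the addresses the machine really has. The following is an added example, not code from the thread or from Samba: the function names are made up, and the `ip -o -4 addr show` sample is constructed to match the host described in the printing thread.

```python
# Added example: check smb.conf "interfaces" / "bind interfaces only" against
# the addresses configured on the host.
import fnmatch
import ipaddress
import re

# Constructed sample of `ip -o -4 addr show` for the print server (192.168.0.4).
SAMPLE_IP_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.0.4/24 brd 192.168.0.255 scope global eth0
"""

POSTED_CONF = """\
[global]
workgroup = MYGROUP
interfaces = 192.168.0.4/24, 192.168.0.1/24
log file = /var/log/samba/%m.log
"""

CORRECTED_CONF = """\
[global]
workgroup = MYGROUP
interfaces = 192.168.0.4/24, 127.0.0.1/8
bind interfaces only = Yes
"""


def parse_ip_addr(output):
    """Parse `ip -o -4 addr show` output into {ifname: [IPv4Interface, ...]}."""
    local = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "inet":
            local.setdefault(fields[1], []).append(ipaddress.ip_interface(fields[3]))
    return local


def global_params(smb_conf):
    """Return [global] parameters; names are lower-cased with spaces removed."""
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.split()).lower()] = value.strip()
    return params


def audit_interfaces(smb_conf, local):
    """Return findings as (kind, detail) tuples."""
    params = global_params(smb_conf)
    entries = [e for e in re.split(r"[\s,;]+", params.get("interfaces", "")) if e]
    bind_only = params.get("bindinterfacesonly", "no").lower() in ("yes", "true", "1")
    all_local = [addr for addrs in local.values() for addr in addrs]
    findings, loopback = [], False
    for entry in entries:
        try:
            wanted = ipaddress.ip_interface(entry)       # IP, IP/len or IP/mask
        except ValueError:
            names = fnmatch.filter(local, entry)         # name or wildcard: eth0, eth*
            if not names:
                findings.append(("no-such-interface", entry))
            loopback |= any(a.ip.is_loopback for n in names for a in local[n])
            continue
        # An entry is usable if it is a local address or a local broadcast address.
        if not any(wanted.ip in (a.ip, a.network.broadcast_address) for a in all_local):
            findings.append(("not-local", entry))
        loopback |= wanted.ip.is_loopback
    if entries and not bind_only:
        # Without this parameter smbd still serves requests on every interface.
        findings.append(("not-restricted", "bind interfaces only"))
    if bind_only and not loopback:
        findings.append(("loopback-missing", "interfaces"))
    return findings


if __name__ == "__main__":
    host = parse_ip_addr(SAMPLE_IP_OUTPUT)
    print(audit_interfaces(POSTED_CONF, host))
    print(audit_interfaces(CORRECTED_CONF, host))
```
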
Re: [Samba] Recycle VFS Second Pair of Eyes
Hi, one small but bad typo:

Tim Hodgkinson wrote:

Here is my set up: Fedora Core 2 Samba 3.0.7 Smb.conf:

[infosys]
comment = Information Systems Drive
path = /home/depts/infosys
valid users = @SSVMTN+it
admin users = @SSVMTN+Domain Admins
create mask = 0770
directory mask = 0770
force create mode = 0770
force directory mode = 0770
security mask = 0770
force group = SSVMTN+it
vfs objects = recycle

here: ^ has to be

vfs object = recycle

Christoph
Re: [Samba] Recycle VFS Second Pair of Eyes
Holger Krull wrote:

Christoph Scheeder wrote:

Hi, one small but bad typo:

vfs objects = recycle

here: ^ has to be

vfs object = recycle

That's no typo. Both forms are allowed. From the docs (http://sambafr.idealx.org/samba/docs/man/smb.conf.5.html):

vfs object
This parameter is a synonym for vfs objects.

vfs objects (S)
This parameter specifies the backend names which are used for Samba VFS I/O operations. By default, normal disk I/O operations are used but these can be overloaded with one or more VFS objects.
Default: vfs objects =
Example: vfs objects = extd_audit recycle

you're right, my fault. But while checking I found another difference between his recycle conf and mine, don't know if it matters:

he has:

recycle:exclude = *.tmp *.temp *.~??
recycle:excludedir = /tmp /temp /cache

I have:

recycle:exclude = *.tmp, *.temp, *.~??
recycle:excludedir = /tmp, /temp, /cache

it's worth a try to insert these commas as separators. But thinking about it something other pops to my mind: what are the permissions on his .recycle folder? AFAIR the files get moved as the connected user-id, the users have to have at least UNIX-write permission to that dir, or the files will silently get lost.

Christoph
Re: [Samba] Windows 98 user doubt
Thiago Lima wrote:

I'm using Windows98 and I want to authenticate into samba with a user that is not the one I'm logged in. XP/2000 allows me to do that. In 98 I can't. Is there any way to do it? Ex: I'm logged as thiago in windows98, but I want to access \\sambaserver as tlima user

Thanks a lot
Thiago lima.

Hi

AFAIK this is not possible with windows9x, it simply does not support it.

Christoph
Re: [Samba] Administrator
Hi,

this is no problem at all with samba 3.x, all you need is to get your groupmapping set up correctly and all is fine. Have a look at the net groupmap command in 3.x. In samba 3.x the handling of NT/Windows-groups was changed completely. For details read through the fine docs at samba.org about setting up a PDC with samba 3.x

Christoph

Ronald James wrote:

Hi there

I have a question and it appears it cannot be done on Samba 3 and higher. I want to have administrator rights on each pc in my network. I notice that Domain Admin Groups was removed. I never used this feature so would not know exactly what it does. However since I am now using Samba 3 it won't really be of any use to me. Is there a way, without having to go to each computer and allow domain users to have administrator rights ? I am supporting clients and some of them have 150 pc's, I can't see myself having to go to 150 machines to allow the administrator admin privileges etc. I also install a software (anti virus) that requires admin rights, this is done automatically through the network, however not when you don't have actual admin privies. If it cannot be done, could someone here who is into development possibly look into the source and try to get it to work ?

Thanks
Ronald James
NetXactics Tel: +27 21 680-5069 Fax: +27 21 680-5011 http://www.netxactics.co.za
Re: [Samba] Avoiding user home directories
Madhusudan, R wrote:

Hi, When I connect to SAMBA using a particular username, apart from the shares I created, it appears that the home directory of the user logging in also shows up in the share list. I searched for a parameter using which I could control this, but was unsuccessful. The [HOMES] section of my SMB.CONF looks like:

[homes]
comment = Home Directories
read only = No
create mask = 0750
browseable = No

Any suggestions?

Thanks,
Madhu

Errm, What do you want? no home-directory share? Simply remove the complete [homes] section and these shares will disappear.

Christoph
Re: [Samba] Samba 3.0.7 domain membership with AD2003
Baron Robert wrote:

hi guys, []

- Communication test from the linux server:
ping 10.0.0.1 = ok
smbclient -L -U administrateur = list all the share on the windws server.

test from the windows server:
ping melkor = ok
\\melkor\data = fail and re-ask me to enter password and username

Hi,

you have to give the -k switch to smb-client to use kerberos/ADS authentication in an ADS-Environment. Without this switch it will ask you for a username and password. man smbclient sometimes helps ;-)

Christoph
Re: [Samba] Samba ADS -- works with XP Pro, but not 2000 Pro
Hi,

AFAIR, this is a known problem with w2k clients. You have to upgrade your kerberos to something 1.3 preferably to the latest available version.

Christoph

Gordon Hopper wrote:

I am using Samba with Active Directory. I have successfully joined my Samba server to the domain D1 ( net ads join -U [EMAIL PROTECTED] ). I am able to successfully connect from Windows XP clients ( with no password ), but not from Windows 2000 ( even when specifying a password ). With w2k, I always get Failed to verify incoming ticket!. I think it has something to do with the key type of the Kerberos tickets ( etype or enctype in krb5.conf ). Does Windows 2000 speak the same Kerberos 5 as Windows XP? Which key types are used by Windows? How do I know which enctype I need, and why doesn't the default enctype setting negotiate something that works? It might also have something to do with trust relationships, since my samba machine is in domain D1.DOMAIN.COM, but my users are in domain D2.DOMAIN.COM. (And my client machine is in D3.DOMAIN.COM). Each of these domains is an active directory tree, with trust relationships between them... But it works with an XP client, so what's different between XP and Windows 2000?

Thanks,
Gordon

Configuration files follow.

# smb.conf:
[global]
workgroup = D1
realm = D1.DOMAIN.COM
security = ADS
password server = d1dc02.d1.domain.com
log file = /etc/samba/samba.log

[t]
comment = Test Share
path = /tmp
read only = No
guest ok = Yes
browseable = Yes

# krb5.conf:
[logging]
default = FILE:/var/log/krb5.log

[libdefaults]
ticket_lifetime = 24000
default_realm = D1.DOMAIN.COM
dns_lookup_realm = true
dns_lookup_kdc = true
# According to http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/admin.html#SEC17
# the only supported encryption types are des3-hmac-sha1 and des-cbc-crc.
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
# However, http://lists.samba.org/archive/samba/2004-October/093761.html suggests:
# default_tgs_enctypes = des-cbc-crc des-cbc-md5
# default_tkt_enctypes = des-cbc-crc des-cbc-md5

[realms]
D1.DOMAIN.COM = {
kdc = d1dc01.d1.domain.com
}
D2.DOMAIN.COM = {
kdc = d2dc01.d2.domain.com
}

# from an XP machine in the d2 Domain
C:\net use * \\samba07\t
Drive Y: is now connected to \\samba07\t .
The command completed successfully.

# from an XP machine NOT in the Domain
C:\net use * \\samba07\t
The password or user name is invalid for \\samba07\t .
Enter the user name for 'samba07': d2\username
Enter the password for samba07:
Drive Z: is now connected to \\samba07\t .
The command completed successfully.

# from a Windows 2000 machine in the d2 Domain:
C:\net use * \\samba07\t
The password or user name is invalid for \\samba07\t.
Type the password for \\samba07\t:
System error 1326 has occurred.
Logon failure: unknown user name or bad password.

C:\net use * \\samba07\t /USER:d2\username
The password or user name is invalid for \\samba07\t .
Type the password for \\samba07\t :
System error 1326 has occurred.
Logon failure: unknown user name or bad password.

# I get this message in the samba.log:
[2004/10/13 17:44:51, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!

# List of relevant packages (These are the latest updates available for RHEL 3)
$ rpm -qa | egrep 'krb5|samba'
krb5-devel-1.2.7-28
krb5-libs-1.2.7-28
krb5-workstation-1.2.7-28
samba-3.0.7-1.3E
samba-client-3.0.7-1.3E
samba-common-3.0.7-1.3E
Re: [Samba] Fw: smb_proc_readdir_long error
Hi,

maybe someone would have info on it, if you would provide all necessary info. We can't read your mind, nor can we look over your shoulder. ;-)

- What exactly are you trying to do,
- what OS-versions/Distributions are involved,
- what is the behavior you see?

Christoph

David Wilson wrote:

Hi guys, Sorry to bug you ... Does nobody have any info on this ?

Kindest regards
David Wilson
D c D a t a Tel +27 33 342 7003 Fax +27 33 345 4155 Cell +27 82 4147413 MSN: [EMAIL PROTECTED] http://www.dcdata.co.za [EMAIL PROTECTED] [EMAIL PROTECTED] KZN's first and only pure Linux solution provider LinuxBox S.A.: Africa's shell provider. Powered by Linux and DcData - driven by passion ! http://www.linuxbox.co.za

- Original Message -
From: David Wilson
To: [EMAIL PROTECTED]
Sent: Monday, October 11, 2004 9:31 AM
Subject: Fw: smb_proc_readdir_long error

Hi guys, Does anyone have any ideas on my questions below ?

Kindest regards
David Wilson

- Original Message -
From: David Wilson
To: [EMAIL PROTECTED]
Sent: Thursday, October 07, 2004 11:25 AM
Subject: smb_proc_readdir_long error

Hi guys, Sorry to bug you with this. Does anyone have any idea what this error below means ?

Kindest regards
David Wilson

- Original Message -
From: David Wilson
To: [EMAIL PROTECTED]
Sent: Wednesday, October 06, 2004 1:15 PM
Subject: smb_proc_readdir_long error

Hi guys/girls, How are you ? I'm running Linux 2.4.22 SMP with Samba-3.0.4 and pick up the following message in my syslog when accessing a mounted NT4 share:

kernel: smb_proc_readdir_long: name=\OLAP Services\Data\GreatPlains\*, result=-13, rcls=1, err=5

Any ideas what this is ? Your assistance is greatly appreciated. Many thanks.

Kindest regards
David Wilson
Re: [Samba] iptables protection and broadcasts
Hi,

Michal Kurowski wrote:

Hi, It's a basic firewall question I guess. Perhaps someone of you has seen it. I've got a firewall setup meant for my samba server protection. The problem is it seems to block all broadcasts. The error message:

[2004/09/22 17:43:47.572148, 0, pid=1505, effective(0, 0), real(0, 0)] libsmb/nmblib.c:send_udp(756)
Packet send failed to 192.168.2.25(138) ERRNO=Operation not permitted

This tells you the sending of your packet failed, but below you show only the part of your firewall for receiving packets. (chain INPUT) What is in the OUTPUT chain of your firewall?

Christoph
Re: [Samba] Corrupted userid in mail folders - Crisis
Hi again,

Roland Giesler wrote:

Hi, another thing pops to my mind, check if a nscd process is running on your box. If yes stop it and remove it from the startup-scripts. It is not compatible with samba and winbindd and may create strange effects. Christoph

Yes, nscd was running, but I have stopped it now. What is nscd? Also, further to our discussion before, the userid actually gets changed. Look at this:

you didn't check what I wanted you to check... ;-)

[EMAIL PROTECTED] root]# ls -l /home/RHENGHS/canhal
total 12
drwx-- 7 monsla Domain Users 4096 Aug 17 13:48 Maildir/
drwx-- 2 monsla Domain Users 4096 Feb 23 2002 tmp/
drwxr-xr-x 2 monsla Domain Users 4096 Jun 20 2002 webpage/
[EMAIL PROTECTED] root]# ls -ln /home/RHENGHS/canhal
total 12
drwx-- 7 10585 1 4096 Aug 17 13:48 Maildir/
drwx-- 2 10585 1 4096 Feb 23 2002 tmp/
drwxr-xr-x 2 10585 1 4096 Jun 20 2002 webpage/

^^^ what I want you to verify is if these numbers are changing. I bet they are constant and the only changing numbers are the numbers reported from getent.

[EMAIL PROTECTED] root]# getent passwd canhal
canhal:x:10167:1::/home/RHENGHS/canhal:/bin/bash

So you can see that the correct user should be 10167, not 10585

No, I bet the number reported from getent is changing.

Also SMB hangs after a few hours. When I left last night, everything had been running fine for about 2 hours. When I got to work this morning, no-one was authenticated. When I tried to ls a user dir, I got no response. On issuing the reboot command I saw on the console that there was no process SMB. Here are the SMB messages in syslog.

How was your samba installed? Was it compiled from source or are the package(s) from your distribution installed?

Christoph
Re: [Samba] Network Drives Dropping Out
Hi,

yes, we have seen this before. It seems not to be a samba issue, as one of our customers has had these symptoms in a winnt-only domain and they still persist after an upgrade of the DC to win2k. We have searched the complete network for problems, but couldn't find anything. Running out of CALs isn't the problem, and all the switches have been replaced. I even have the red crosses sometimes in my two-computer home network, but every time I double click the crossed-out share I can access it without problems. It's not reproducible, nor does anything show up in the logs of samba. Not much help, I know. But you are not the only one facing this effect.

Christoph

[EMAIL PROTECTED] wrote:

Hi All, I am looking after a site that is running redhat 7.2 and Samba 3.0.2a-1. There is a mixture of Windows 98 and Windows XP clients on the network. Recently the Windows XP clients have been having problems with mapped network drives. The drives map fine but certain times during the day users get access denied error messages when accessing the drives. This lasts for a few minutes and without having to touch anything they are back working normally. Sometimes the drives in XP also come up with red 'x' next to them. Has anyone seen this before?

Cheers
Re: [Samba] Corrupted userid in mail folders
Roland Giesler wrote:

I have a Mandrake 10.0 Official server running Samba3, Shorewall, Squid 2.5, Postfix and Courier-IMAP. Samba uses winbind to authenticate mail and proxy users against a windows 2000 ADS server. I get corruption happening in the user's home directories and elsewhere. The directory ownership changes all the time. One moment a dir belongs to roland:Domain Users and the next moment it's marjou:elahyl. The group and userid change, causing absolute havoc with mail delivery as wrong mail lands in people's mailboxes and users cannot be authenticated. My senior support technician is on honeymoon so I'm stuck. Restarting services makes no difference. If I run getent passwd username the results are 100% correct. Also for getent group groupname. Has anyone experienced this or know of a fix? I'm somewhat clueless on some aspects, like I cannot check the version of Samba, since there doesn't appear to be a command switch for this.

thanks
Roland

hi,

I had a similar effect when I accidentally placed the samba-tdb files in a folder which got cleaned up each and every time by an automatic script. As winbindd does not do the mapping from AD-users/groups to local userids/groupids algorithmically, a user gets a new id each time the mapping db gets deleted. For you, this results in a change of the owner/group of the files.

Christoph
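Whether the numbers on disk or the numbers reported by getent are the ones that move, which the two "Corrupted userid" threads above argue about, can be settled by recording the name-to-uid mapping and comparing it later. The following is an added example, not code from the thread or from Samba: it snapshots what NSS returns, diffs two snapshots, reports uids that now resolve to a different account (the case where mail ends up in someone else's mailbox), and compares directory owners with the current mapping. The account names and the uids 10167 and 10585 are taken from the thread; the uid 10601 and all function names are constructed.

```python
# Added example: detect winbind uid re-allocation by comparing snapshots of
# the NSS name -> uid mapping, and compare it with the owners on disk.
import json
import os
import pwd

# Constructed snapshots: before and after the idmap database was re-created.
BEFORE = {"canhal": 10585, "monsla": 10601}
AFTER = {"canhal": 10167, "monsla": 10585}


def snapshot(names, lookup=None):
    """Resolve each account through NSS, as `getent passwd NAME` does."""
    lookup = lookup or (lambda name: pwd.getpwnam(name).pw_uid)
    snap = {}
    for name in names:
        try:
            snap[name] = lookup(name)
        except KeyError:
            snap[name] = None          # account does not resolve at the moment
    return snap


def save(snap, path):
    """Write a snapshot next to your backups so it survives a tdb cleanup."""
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=1, sort_keys=True)


def load(path):
    with open(path) as fh:
        return json.load(fh)


def diff_snapshots(old, new):
    """Return (changed, reused).

    changed: {name: (old uid, new uid)} for accounts whose uid moved.
    reused:  {uid: (old owner, new owner)} for uids handed to another account,
             which makes the old owner's files readable by the new one.
    """
    changed = {n: (old[n], new[n]) for n in old if n in new and old[n] != new[n]}
    owner_before = {uid: n for n, uid in old.items() if uid is not None}
    reused = {uid: (owner_before[uid], n) for n, uid in new.items()
              if uid in owner_before and owner_before[uid] != n}
    return changed, reused


def owner_mismatches(homes, snap, stat_uid=None):
    """Return {name: (uid on disk, uid from NSS)} where the two disagree."""
    stat_uid = stat_uid or (lambda path: os.stat(path).st_uid)
    result = {}
    for name, path in homes.items():
        on_disk = stat_uid(path)
        if on_disk != snap.get(name):
            result[name] = (on_disk, snap.get(name))
    return result


if __name__ == "__main__":
    print(diff_snapshots(BEFORE, AFTER))
```
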
Re: [Samba] Access from Windows to Samba/LINUX
Hi,

just to clarify this a bit, you want to have a share called directory_1. In this share you want to have subdirectories which are invisible to the users, but writeable, like the so called hidden-folders in windows. Is this correct? Then you need to set up the mapping for the hidden-flag of windows. Have a look at the manpage for smbd.conf and search for map hidden. This flag allows the mapping of one of the unix-executable-bits to the windows hidden-flag.

Christoph

Albert HERVO wrote:

Nothing works !

- First the parameters is browseable or browsable ?
- I have created with the Windows Explorer a directory test under the directory myshare and modified the /etc/samba/smb.conf as :

[myshare]
path = /myshare
guest only = Yes
guest ok = Yes
public = Yes
writable = Yes
create mask = 0775
browseable = Yes

[test]
path = /myshare/test
guest only = Yes
guest ok = Yes
public = Yes
writable = Yes
create mask = 0775
browsable = No

[test2]
path = /myshare/test2
guest only = Yes
guest ok = Yes
public = Yes
writable = Yes
create mask = 0775
browseable = No

- Then I Stop and Restart the SMB service

Now the test AND test2 directory are visible by the Windows Explorer !

Albert

On Tuesday 14 September 2004 12:09, Darren Martz wrote:

If you want a share to be hidden from browsing, one option is to add $ to the end of the share name. Example, rather than :

And the preferred method in Samba is to set in the share definition: browseable = No - John T.

[myshare]

Change it to

[myshare$]

And the windows browser will ignore it unless you type in the share name in the address bar. That works for both Windows and Linux hosting servers.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Albert HERVO
Sent: Tuesday, September 14, 2004 9:58 AM
To: [EMAIL PROTECTED]
Subject: [Samba] Access from Windows to Samba/LINUX

Hello, I am configuring PCs on Windows W2K to access to a LINUX Server where Samba is mounted. Is it possible to do this ?

Directory_1 : Browseable (then visible with the Network Favorites)
-Sub_Directory_1a : NOT Browseable (invisible) BUT Writable
-Sub_Directory_2a :

If not, then just this ?

Directory_1 : NOT Browseable (invisible) BUT Writable

Thanks
Albert

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author: The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
Re: [Samba] Upgrade from Samba 3.0.2 to 3.0.6 smbclient -k fails
Hi,

upgrade kerberos to a version 1.3.3

Christoph

Griffin, Patrick J wrote:

Hello! I hope someone can point me in the correct direction. I'm trying to upgrade my Samba installation from 3.0.2 to 3.0.6 and, at least for me, the upgrade introduces a problem with Kerberos.

3.0.2 smbclient //server/share -k works
3.0.6 smbclient //server/share -k fails

I have updated my smb.conf to include 'use kerberos keytab = yes' and I have updated my /etc/krb5.conf from blank to:

[libdefaults]
default_keytab_name = FILE:/etc/krb5.keytab

When smbclient fails I see the following in my log files:

[2004/09/06 01:50:08, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
Failed to verify incoming ticket!

I'm running: RedHat ES 3.0 with:

kernel-smp-2.4.21-20.EL
krb5-libs-1.2.7-28

Please, someone, give me the clue I need to solve this!

Thanks,
...Pat
Re: [Samba] gcc: file path prefix `symbolic' never used
Hi,

I can't see an error anywhere, only two informational messages from gcc.

Christoph

steven wrote:

I am compiling Samba 3.06 and get the following errors. Redhat 7.3 .

Compiling dynconfig.c
Compiling smbd/build_options.c
Linking bin/smbd
Linking bin/nmbd
Linking bin/swat
Linking bin/winbindd
Linking bin/smbclient
Linking bin/net
Linking bin/smbspool
Linking bin/testparm
Linking bin/testprns
Linking bin/smbstatus
Linking bin/smbcontrol
Linking bin/smbtree
Linking bin/nmblookup
Linking bin/pdbedit
Linking bin/smbpasswd
Linking bin/rpcclient
Linking bin/smbcacls
Linking bin/ntlm_auth
Linking bin/smbcquotas
Linking bin/wbinfo
Compiling dynconfig.c with -fPIC
Linking nsswitch/libnss_wins.so
gcc: file path prefix `symbolic' never used
Linking libsmbclient non-shared library bin/libsmbclient.a
Linking libsmbclient shared library bin/libsmbclient.so
gcc: file path prefix `symbolic' never used
Re: [Samba] krb5_cc_get_principal failed (No credentials cache found)
Hi,

as you didn't mention it, i guess you use samba self-compiled on a linux-system. ;-)
what is your kerberos-version? it should be MIT-Kerberos >=1.3.3.

Christoph

treklor wrote:

When starting up Samba I get this error in log.winbindd. I'm using Samba version 3.0.6. What's wrong?
Re: [Samba] File deletion logging
Hi,

i would suggest a dirty trick to get it: setup the recycle-module for samba, set the name / repository-option (depending on version of samba) to /your/recycle/path/%U, and make the repository a veto-file so the users can't see it from windows. Now your repository has a subdirectory for each user who deleted files from that share, containing the files he deleted...

now you have solved two problems: you don't have to restore the files from some backups, and you know whom to punish for the deletion.

Christoph

José Pinteiro da Costa Bisneto wrote:

Hi,

I small network at my job, and it has a samba server. This server has many shares (one for the home of each user, one for each group of users and one public share, that anyone can write to, open any file or even delete them).

Lately, I'm experiencing some problems with malicious users who are deleting all files in the public share, and I'd like to know if there is any setting in samba that can log who deleted any file, and when.

I've RTFM, and tried using a higher level of logging, tried the audit and extd_audit modules, to no avail. Does any of you have a tip on how could I accomplish this?

Thanks in advance,
José Pinteiro
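A sketch of how the per-user repository suggested above can be turned into a deletion report, added here as an example and not part of the original posts. It assumes a `%U` repository and `recycle:touch = Yes`, so that a file's access time records when it was moved into the repository; the user names, file names, threshold and window are constructed.

```python
import os
import stat
import tempfile
from datetime import datetime, timezone


def deletion_report(repo_root):
    """Return (user, relative_path, deleted_epoch, size) tuples, oldest first.

    Assumes one subdirectory per user (repository = .../%U) and that the
    access time was set at deletion time (recycle:touch = Yes).
    """
    rows = []
    for user in sorted(os.listdir(repo_root)):
        user_dir = os.path.join(repo_root, user)
        # Ignore stray files and symlinks placed at the top level.
        if os.path.islink(user_dir) or not os.path.isdir(user_dir):
            continue
        for dirpath, _dirs, files in os.walk(user_dir):  # does not follow links
            for name in files:
                full = os.path.join(dirpath, name)
                st = os.lstat(full)
                if not stat.S_ISREG(st.st_mode):
                    continue
                rows.append((user, os.path.relpath(full, user_dir),
                             int(st.st_atime), st.st_size))
    rows.sort(key=lambda r: (r[2], r[0], r[1]))
    return rows


def mass_deleters(rows, threshold=3, window_s=60):
    """Return {user: count} for users with >= threshold deletions
    inside any sliding window of window_s seconds."""
    by_user = {}
    for user, _path, ts, _size in rows:
        by_user.setdefault(user, []).append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        lo = best = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def build_sample_repo(root):
    """Create a constructed sample repository (hypothetical users and files)."""
    base = 1_100_000_000  # arbitrary epoch seconds
    sample = {
        "alice": [("report.doc", base)],
        "mallory": [("plans/a.xls", base + 100), ("plans/b.xls", base + 105),
                    ("c.ppt", base + 110), ("d.txt", base + 130)],
    }
    for user, files in sample.items():
        for rel, ts in files:
            path = os.path.join(root, user, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("x")
            os.utime(path, (ts, ts))  # stand-in for the module's touch
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as repo:
        build_sample_repo(repo)
        rows = deletion_report(repo)
        for user, path, ts, size in rows:
            when = datetime.fromtimestamp(ts, timezone.utc).isoformat()
            print(f"{when}  {user:<10} {size:>6}  {path}")
        print("burst deleters:", mass_deleters(rows))
```

The timestamps are only as trustworthy as the repository's permissions: a user who can write into it can also alter or remove entries.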
Re: [Samba] Mount at boot - and a bug - where to report?
Hi,

your problem arises from abuse of the c$ share: ;-)
the shares ending in $-signs are so-called administrative shares. Their use is restricted to administrator-users of the windows-machine, as they are meant only for administrative tasks. Never use these shares for real filesharing, create a second share on the root-directory of your c:-drive if you want to share it to some other machines.

Christoph

Victor Wynnytsky wrote:

just in case you didn't put this problem to rest... I found I got the

    tree connect failed: ERRDOS - ERRnoaccess (Access denied.)

when I removed my windows user from the administrator group and I was mounting to a c$ share so I suppose the windows account requires admin access if I'm authenticating with it from linux.

PS: this problem is best debugged from un/mount scripts and NOT by rebooting for each attempt
Re: [Samba] going from bad to worse
Hi,

try it with the command:

    net groupmap delete sid=S-1-5-21-2643210455-489482773-813538922-512

for the first bad Domain admin group. using the sid should do the trick. delete all mappings for Domain-groups not matching your samba-group, then use the net groupmap modify command to update the remaining group-mappings so they go to the correct unix-groups.

be aware that net delete groupmap is not equal to net groupmap delete...

Christoph

Greg Andrews wrote:

Howdy People,

Since my last posting things have definitely taken a turn for the worse. The XP clients cannot now even find the domain controller !!

my smb.conf file is

    [global]
    log file = /var/log/samba/log.%m
    load printers = no
    name resolve order = wins bcast lmhosts host
    admin users = @admingrp
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    obey pam restrictions = Yes
    lm announce = True
    domain master = True
    username map = /etc/samba/user.map
    encrypt passwords = yes
    passwd program = /usr/bin/passwd %u
    wins support = true
    dns proxy = No
    netbios name = SAMBASERVER
    server string = sambaserver
    logon script = logon.bat
    unix password sync = yes
    workgroup = PINARC
    os level = 255
    security = user
    preferred master = True
    max log size = 50
    domain logons = Yes
    logon drive = h:
    logon home =\\%N\%U
    logon path = \\%N\profiles\%U
    add user script = /usr/sbin/useradd -d /dev/null -g 400 -s /bin/false -M /%u

    [Profiles]
    comment = Profiles Directory
    path = /SYS/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    profile acls = yes
    writeable = yes

    [netlogon]
    comment = For Administration Use
    path = /etc/samba/netlogon
    valid users = %U
    write list = @admingrp
    read only = no
    create mask = 0644

    [homes]
    comment = %U home directory
    path = /SYS/home/%U
    valid users = %S
    read only = No
    create mask = 0600
    browseable = No
    directory mask =0700
    locking = no

    [open]
    comment = Pinarc Readable Share
    path = /SYS/world/open
    read only = No
    create mask = 0664
    directory mask = 0775
    valid users = @mars

The logon script is being executed and the profiles are being written and updated.

How do you fix/delete/change the net groupmap list output. I think this may be the root cause of my problems, but I just don't know the syntax to fix/delete/change it. I have searched google and the samba manual and they seem to tell you everything except how to delete/fix etc.

I have tried

    net delete groupmap ntgroup=Domain Admins

and whilst it says it has deleted this group it actually has done nothing.

Below is the output of net groupmap list and net getlocalsid

    System Operators (S-1-5-32-549) - -1
    Domain Admins (S-1-5-21-2643210455-489482773-813538922-512) -admingrp
    Domain Users (S-1-5-21-3314183342-3289294326-2282427927-513) - mars
    Replicators (S-1-5-32-552) - -1
    interchange (S-1-5-21-3314183342-3289294326-2282427927-4001) - inter
    Guests (S-1-5-32-546) - -1
    lukeman (S-1-5-21-3314183342-3289294326-2282427927-2803) - madint
    Domain Admins (S-1-5-21-218202318-3803304894-1597324041-512) - -1
    Domain Users (S-1-5-21-2643210455-489482773-813538922-513) - -1
    Domain Guests (S-1-5-21-218202318-3803304894-1597324041-514) - nogroup
    Power Users (S-1-5-32-547) - -1
    Domain Guests (S-1-5-21-2643210455-489482773-813538922-514) - -1
    Print Operators (S-1-5-32-550) - -1
    Administrators (S-1-5-32-544) - -1
    Domain Guests (S-1-5-21-3314183342-3289294326-2282427927-514) - -1
    Domain Admins (S-1-5-21-3314183342-3289294326-2282427927-512) - -1
    AccountOperators (S-1-5-32-548) - -1
    mad (S-1-5-21-3314183342-3289294326-2282427927-2801) - mad
    Backup Operators (S-1-5-32-551) - -1
    Users (S-1-5-32-545) - -1

    SID for domain SAMBASERVER is: S-1-5-21-3314183342-3289294326-2282427927

Please help. Very desperate.
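One way to work through the `net groupmap list` output above, added as an example (not code from the thread or from Samba): it flags every domain group whose SID does not belong to the domain reported by `net getlocalsid` and builds the matching `net groupmap delete sid=...` commands. Carrying the unix group of a stale entry over to the unmapped local group with the same RID is an assumption to review before running anything, since the Domain Admins mapping decides who gets administrative rights.

```python
import re
import shlex

# Constructed sample: a shortened copy of the output quoted in the thread,
# in the form the archive preserved it ("-" where net normally prints "->").
SAMPLE_GROUPMAP = """\
System Operators (S-1-5-32-549) - -1
Domain Admins (S-1-5-21-2643210455-489482773-813538922-512) -admingrp
Domain Users (S-1-5-21-3314183342-3289294326-2282427927-513) - mars
Domain Admins (S-1-5-21-218202318-3803304894-1597324041-512) - -1
Domain Guests (S-1-5-21-218202318-3803304894-1597324041-514) - nogroup
Domain Admins (S-1-5-21-3314183342-3289294326-2282427927-512) - -1
mad (S-1-5-21-3314183342-3289294326-2282427927-2801) - mad
"""
SAMPLE_LOCALSID = ("SID for domain SAMBASERVER is: "
                   "S-1-5-21-3314183342-3289294326-2282427927")

# "NT group name (SID) -> unixgroup"; the ">" is optional to accept both forms.
ENTRY_RE = re.compile(
    r"^(?P<name>.+?)\s+\((?P<sid>S-1-[0-9-]+)\)\s*->?\s*(?P<unix>\S+)\s*$")


def parse_local_sid(text):
    """Extract the domain SID from `net getlocalsid` output."""
    m = re.search(r"S-1-5-21(?:-\d+){3}", text)
    if not m:
        raise ValueError("no domain SID found")
    return m.group(0)


def parse_groupmap(text):
    """Return [(nt_group, sid, unix_group)]; unix_group is '-1' when unmapped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["name"], m["sid"], m["unix"]))
    return entries


def plan_cleanup(groupmap_text, localsid_text):
    """Return (delete_cmds, modify_cmds, groups_needing_a_decision)."""
    local = parse_local_sid(localsid_text)
    stale, unmapped, carried = [], [], {}
    for name, sid, unix in parse_groupmap(groupmap_text):
        if not sid.startswith("S-1-5-21-"):
            continue  # builtin aliases (S-1-5-32-*) are not domain groups
        domain, rid = sid.rsplit("-", 1)
        if domain != local:
            stale.append(sid)
            if unix != "-1":
                # Assumption: the unix group of the stale entry is the one
                # the administrator intended for this RID.
                carried.setdefault(rid, unix)
        elif unix == "-1":
            unmapped.append((name, sid, rid))
    deletes = ["net groupmap delete sid=" + sid for sid in stale]
    modifies = ["net groupmap modify sid=%s unixgroup=%s"
                % (sid, shlex.quote(carried[rid]))
                for _name, sid, rid in unmapped if rid in carried]
    undecided = [name for name, _sid, rid in unmapped if rid not in carried]
    return deletes, modifies, undecided


if __name__ == "__main__":
    deletes, modifies, undecided = plan_cleanup(SAMPLE_GROUPMAP, SAMPLE_LOCALSID)
    print("# review before running; nothing is executed here")
    for cmd in deletes + modifies:
        print(cmd)
    for name in undecided:
        print("# no unix group known for local group:", name)
```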
Re: [Samba] Kerberos verfy ticket failed
Hi,

a few things:

1.) Update your kerberos-version. i had to use at least 1.3.3 (MIT). With lower versions most seemed to work, but i couldn't connect from a win2k-workstation to the samba-server using a domain-account.

2.) Reading the logs you give i would say there is something really messed up with your integration of the samba-server into your AD-Domain. What is in your smb.conf, what were the exact steps you did to integrate the samba server into the AD-Domain?

Christoph

Aaron Rosenblum wrote:

I am having this problem as well. In my case, wbinfo -t fails. My kerberos version is 1.3.1 (MIT) and my config file is very minimal:

    [libdefaults]
    ticket_lifetime = 600
    dns_fallback = no

    [realms]
    SUBDOMAIN.DOMAIN.EDU = {
        kdc = myserver1.subdomain.domain.edu.:88
        admin_server = myserver1.subdomain.domain.edu.
    }

I see these messages in the smbd log:

    [2004/07/25 10:19:16, 0] /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c: reply_sesssetup_and_X(645)
      reply_sesssetup_and_X: Rejecting attempt at SPNEGO session setup when it was not negoitiated.
    [2004/07/29 16:33:54, 1] /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c: reply_spnego_kerberos(173)
      Failed to verify incoming ticket!
    [2004/07/29 17:03:09, 2] /SourceCache/samba/samba-56/samba/source/smbd/sesssetup.c: setup_new_vc_session(591)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2004/07/29 17:03:09, 1] /SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c: ads_verify_ticket(203)
      ads_verify_ticket: failed to fetch machine password

On Aug 11, 2004, at 3:36 AM, Christoph Scheeder wrote:

Hi,

what's in your krb.conf? AFAIR it should be really minimalistic. (in fact mine doesn't even exist, but i'm using a win2k server, not win2k3) especially there shouldn't be settings for default encryption types. Some persons reported these to produce problems. And you definitely need a kerberos-version >=1.3.3 if you use MIT-kerberos to get it working.

Hope it helps.
Christoph

Raphael RIGNIER wrote:

Hello list.

I've got a problem using samba-3.0.4 (RedHat AS 3.0). The server is member of a Win2003 Active directory domain.

All stuff about krb5 seems to work correctly

    kinit [EMAIL PROTECTED]
    klist
    etc...

net ads join -U administrator has worked well too.

But when any Windows client member of the domain try to connect to the server it asks me for a user/pass.

here is the log.

    [2004/08/10 18:56:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
      wct=12 flg2=0xc807
    [2004/08/10 18:56:42, 2] smbd/sesssetup.c:setup_new_vc_session(608)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
      Doing spnego session setup
    [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
      NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
    [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
      Got OID 1 2 840 48018 1 2 2
    [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
      Got OID 1 2 840 113554 1 2 2
    [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
      Got OID 1 3 6 1 4 1 311 2 2 10
    [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
      Got secblob of size 1191
    [2004/08/10 18:56:42, 3] libads/kerberos_verify.c:ads_verify_ticket(185)
      ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
    [2004/08/10 18:56:43, 3] libads/kerberos_verify.c:ads_verify_ticket(193)
      ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
    [2004/08/10 18:56:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
      Failed to verify incoming ticket!
    [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(94)
      error string = Aucun fichier ou répertoire de ce type
    [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(118)
      error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2004/08/10 18:56:43, 3] smbd/process.c:timeout_processing(1131)
      timeout_processing: End of file from client (client has disconnected).
    [2004/08/10 18:56:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2004/08/10 18:56:43, 2] smbd/server.c:exit_server(572)
      Closing connections
    [2004/08/10 18:56:43, 3] smbd/connection.c:yield_connection(69)
      Yielding connection to
    [2004/08/10 18:56:44, 3] smbd/connection.c:yield_connection(76)
      yield_connection: tdb_delete for name failed with error Record does not exist.
    [2004/08/10 18:56:44, 3] smbd/server.c:exit_server(615)
      Server exit (normal exit)

I'm not sure it's due to Win2k3 server because enc type [3] is des-cbc-md5.

I definitely don't know what's wrong! I have even tried to compile samba-3.0.5 and link with kerberos-1.3.4 without success.

Any help would be appreciated.
Re: [Samba] ADS membership with Samba 3.0.4
Hi,

1.) Yes you definitely need the winbind/nss stuff, as it is the part of samba that does what you want: ask an ADS server to verify the credentials a user supplies when logging in to samba.

2.) no, it is not sufficient. But you need a working Kerberos library to get winbind to work.

Christoph

[EMAIL PROTECTED] wrote:

Hi,

We are in the process of evaluating the possibility of porting Samba 3.0.4 to VxWorks. Features wise we don't see any problems. But our main concern is on the security.

Since we do not have the concept of Users and Groups on VxWorks, we cannot have any authentications as such. So, the other possibility is to pass on the authentication to another Server on the network, typically a AD server (since Samba is required to be a part of a domain).

All the documents that we have seen so far, regarding the ADS membership, talk about winbind and NSS. My question here is,

1. Do I really need winbind or NSS since I am not maintaining any Users or Groups locally ?!
2. Is it sufficient if I get the Kerberos and sasl support to work on VxWorks ?!

Regards,
Sandeep Sundaram
Re: [Samba] Kerberos verfy ticket failed
Hi,

what's in your krb.conf? AFAIR it should be really minimalistic. (in fact mine doesn't even exist, but i'm using a win2k server, not win2k3) especially there shouldn't be settings for default encryption types. Some persons reported these to produce problems. And you definitely need a kerberos-version >=1.3.3 if you use MIT-kerberos to get it working.

Hope it helps.
Christoph

Raphael RIGNIER wrote:

Hello list.

I've got a problem using samba-3.0.4 (RedHat AS 3.0). The server is member of a Win2003 Active directory domain.

All stuff about krb5 seems to work correctly

    kinit [EMAIL PROTECTED]
    klist
    etc...

net ads join -U administrator has worked well too.

But when any Windows client member of the domain try to connect to the server it asks me for a user/pass.

here is the log.

    [2004/08/10 18:56:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
      wct=12 flg2=0xc807
    [2004/08/10 18:56:42, 2] smbd/sesssetup.c:setup_new_vc_session(608)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
      Doing spnego session setup
    [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
      NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
    [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
      Got OID 1 2 840 48018 1 2 2
    [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
      Got OID 1 2 840 113554 1 2 2
    [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
      Got OID 1 3 6 1 4 1 311 2 2 10
    [2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
      Got secblob of size 1191
    [2004/08/10 18:56:42, 3] libads/kerberos_verify.c:ads_verify_ticket(185)
      ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
    [2004/08/10 18:56:43, 3] libads/kerberos_verify.c:ads_verify_ticket(193)
      ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
    [2004/08/10 18:56:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
      Failed to verify incoming ticket!
    [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(94)
      error string = Aucun fichier ou répertoire de ce type
    [2004/08/10 18:56:43, 3] smbd/error.c:error_packet(118)
      error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2004/08/10 18:56:43, 3] smbd/process.c:timeout_processing(1131)
      timeout_processing: End of file from client (client has disconnected).
    [2004/08/10 18:56:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2004/08/10 18:56:43, 2] smbd/server.c:exit_server(572)
      Closing connections
    [2004/08/10 18:56:43, 3] smbd/connection.c:yield_connection(69)
      Yielding connection to
    [2004/08/10 18:56:44, 3] smbd/connection.c:yield_connection(76)
      yield_connection: tdb_delete for name failed with error Record does not exist.
    [2004/08/10 18:56:44, 3] smbd/server.c:exit_server(615)
      Server exit (normal exit)

I'm not sure it's due to Win2k3 server because enc type [3] is des-cbc-md5.

I definitely don't know what's wrong! I have even tried to compile samba-3.0.5 and link with kerberos-1.3.4 without success.

Any help would be appreciated.
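To pull the Kerberos-relevant entries out of an smbd log like the excerpts in this thread, the following added example (not part of the original posts and not Samba code) parses the `[date, level] file:function(line)` entries and summarises ticket verification failures. The sample combines lines copied from both excerpts above; the hints in `advice()` only restate the checks suggested in the thread and are not a complete diagnosis.

```python
import re

# Kerberos encryption type numbers (subset of the IANA-assigned values).
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

HEADER_RE = re.compile(
    r"\[(?P<time>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):\s*(?P<func>\w+)\((?P<line>\d+)\)")
DECRYPT_RE = re.compile(r"enc type \[(\d+)\] failed to decrypt with error (.+)")
RDREQ_RE = re.compile(r"krb5_rd_req with auth failed \((.+)\)")

# Constructed sample: lines taken from the two log excerpts quoted in the thread.
SAMPLE_LOG = """\
[2004/08/10 18:56:42, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2004/08/10 18:56:42, 3] libads/kerberos_verify.c:ads_verify_ticket(185)
  ads_verify_ticket: enc type [3] failed to decrypt with error Decrypt integrity check failed
[2004/08/10 18:56:43, 3] libads/kerberos_verify.c:ads_verify_ticket(193)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/08/10 18:56:43, 1] smbd/sesssetup.c:reply_spnego_kerberos(174)
  Failed to verify incoming ticket!
[2004/08/10 18:56:43, 3] smbd/error.c:error_packet(118)
  error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2004/07/29 17:03:09, 1] /SourceCache/samba/samba-56/samba/source/libads/kerberos_verify.c: ads_verify_ticket(203)
  ads_verify_ticket: failed to fetch machine password
"""


def parse_entries(text):
    """Split a log into entries; works on wrapped and on flattened text."""
    heads = list(HEADER_RE.finditer(text))
    entries = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        msg = " ".join(text[head.end():end].split())
        entries.append({**head.groupdict(), "msg": msg})
    return entries


def triage(text):
    """Collect the findings that matter for a failed Kerberos session setup."""
    report = {"failed_etypes": {}, "rd_req_errors": [],
              "no_machine_password": False, "rejected_tickets": [],
              "nt_status": []}
    for entry in parse_entries(text):
        msg = entry["msg"]
        if entry["func"] == "ads_verify_ticket":
            m = DECRYPT_RE.search(msg)
            if m:
                etype = int(m.group(1))
                report["failed_etypes"][etype] = (
                    ETYPES.get(etype, "unknown"), m.group(2))
            m = RDREQ_RE.search(msg)
            if m:
                report["rd_req_errors"].append(m.group(1))
            if "failed to fetch machine password" in msg:
                report["no_machine_password"] = True
        elif (entry["func"] == "reply_spnego_kerberos"
              and "Failed to verify incoming ticket" in msg):
            report["rejected_tickets"].append(entry["time"])
        report["nt_status"] += re.findall(r"NT_STATUS_\w+", msg)
    return report


def advice(report):
    """Map findings to the checks suggested in the thread."""
    tips = []
    if report["failed_etypes"] or report["rd_req_errors"]:
        tips.append("ticket could not be decrypted: check krb5.conf for default "
                    "encryption type settings and the MIT Kerberos version (>= 1.3.3)")
    if report["no_machine_password"]:
        tips.append("machine password missing: verify the domain join (wbinfo -t)")
    return tips


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    for tip in advice(result):
        print("check:", tip)
```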
Re: [Samba] Samba question
Hi,

all relevant info's missing, so nobody can answer your question. distro?, version of distro?, kernelversion?, filesystem?

Christoph

David Kandou wrote:

Dear all,

i want to install samba with acl feature, can anyone tell me how to activate acl in samba 3. Do i must update my kernel.

OT... how to update my kernel with acl feature.

Thanks
Newbie
Re: [Samba] XP does not join domain
Hi,

i think these DNS-fixes weren't a good idea. These entries are generated by ADS (AKA win2kx) servers to tell the other windows-machines where to get the info's for ADS. samba can't do ADS stuff at the moment, so you don't want these info's in your DNS. They only confuse the clients about the environment they live in. If your xp-client complains about these entries missing, then there is something seriously wrong either with this client or with the way you try to join it to your domain.

Christoph

[EMAIL PROTECTED] wrote:

hi,

i've the following problem: i want a XP pro sp1 to join my samba (3.0.5) domain (MHC). with my first try it complained that it could not resolve: _ldap._tcp.dc._msdcs.MHC

i've fixed this with the following DNS setup:

    _ldap._tcp.MHC. 600 IN SRV 0 100 389 server.MHC.
    _ldap._tcp.Default-First-Site-Name._sites.MHC. 600 IN SRV 0 100 389 server.MHC.
    _ldap._tcp.pdc._msdcs.MHC. 600 IN SRV 0 100 389 server.MHC.
    _ldap._tcp.gc._msdcs.MHC. 600 IN SRV 0 100 3268 server.MHC.
    _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.MHC. 600 IN SRV 0 100 3268 server.MHC.
    gc._msdcs.MHC. 600 IN A 192.168.100.100
    _kerberos._tcp.dc._msdcs.MHC. 600 IN SRV 0 100 88 server.MHC.
    _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.MHC. 600 IN SRV 0 100 88 server.MHC.
    _ldap._tcp.dc._msdcs.MHC. 600 IN SRV 0 100 389 server.MHC.
    _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.MHC. 600 IN SRV 0 100 389 server.MHC.
    _kerberos._tcp.MHC. 600 IN SRV 0 100 88 server.MHC.
    _kerberos._tcp.Default-First-Site-Name._sites.MHC. 600 IN SRV 0 100 88 server.MHC.
    _gc._tcp.MHC. 600 IN SRV 0 100 3268 server.MHC.
    _gc._tcp.Default-First-Site-Name._sites.MHC. 600 IN SRV 0 100 3268 server.MHC.
    _kerberos._udp.MHC. 600 IN SRV 0 100 88 server.MHC.
    _kpasswd._tcp.MHC. 600 IN SRV 0 100 464 server.MHC.
    _kpasswd._udp.MHC. 600 IN SRV 0 100 464 server.MHC.
    MHC. 600 IN A 192.168.100.100

i do not use ldap or kerberos by now. i've applied the XP reg patches. now, i get the following (german, sorry) message:

    Hinweis: Diese Informationen sind für einen Netzwerkadministrator bestimmt. Wenden Sie sich an den Netzwerkadministrator, wenn Sie kein Netzwerkadministrator sind, und leiten Sie die Informationen in der Datei C:\WINDOWS\debug\dcdiag.txt weiter.

    Der Domänenname MHC ist möglicherweise ein NetBIOS-Domänenname. Sollte dies der Fall sein, stellen Sie sicher, dass der Name bei WINS registriert ist.

    Wenn Sie sicher sind, dass es sich nicht um einen NetBIOS-Domänennamen handelt, können folgende Information bei der Fehlersuche in der DNS-Konfiguration behilflich sein:

    Die DNS-Abfrage über den Ressourceneintrag der Dienstidentifizierung (SRV), der zur Suche eines Domänencontrollers für die Domäne MHC verwendet wird, wurde ordnungsgemäß abgeschlossen:

    Die Abfrage war für den SRV-Eintrag für _ldap._tcp.dc._msdcs.MHC

    Die folgenden Domänencontroller wurde von der Abfrage identifiziert:

    server.mhc

    Die häufigsten Ursachen dieses Fehlers sind:

    - Host (A)-Einträge, die den Namen des Domänencontroller dessen IP-Adressen zuordnen, fehlen oder enthalten nicht die richtigen Adressen.
    - Die in DNS registrierten Domänencontroller verfügen nicht über eine Netzwerkverbindung oder werden nicht ausgeführt.

    Klicken Sie auf Hilfe, um weitere Informationen über die Fehlerbehebung zu erhalten.

server.mhc IS resolvable. even from this XP.

i've started a tcpdump on the samba server. and while i try to join the domain i do not see a single packet originating from the XP machine. due to this there are no samba logs. it even does not try to connect to the samba server. there is no firewall etc. installed on the XP.

when i do local auth and then try to connect to samba every thing works as expected.

any suggestions ?

TIA
matthias
Re: [Samba] Read Write by everyone over network
Hi,

who owns /shared and what are the permissions on it on the linux-side?

Christoph

Robin Wilson wrote:

Hi

I have managed to successfully set samba up so that I can access my windows shares from linux and my linux shares from windows, but, when I access my linux shares from windows I cannot write to them. Here is an excerpt from my smb.conf file:

    [shared]
    comment = Shared directory on Linux box
    path = /shared
    guest ok = yes
    writeable = yes

Why doesn't this work? What should I be doing instead?

Thanks in advance
Robin
Re: [Samba] Trouble authenticating clients from ADS domain on Samba 3.0.5 file server
Hmm,

What's your kerberos version? I would bet it is MIT-kerberos and the version is something lower than 1.3.3, isn't it? If i'm correct you'll have to update your kerberos to a version >=1.3.3

Christoph

Chris Goff wrote:

I'm so close I can feel it :-) I'm having a problem connecting users to their home directories. Under My Network Places on XP clients I can see my Samba file server (Hobbes) just fine. When I double click on it to open it, I get a login/password prompt that I can't bypass even though I try logins/passwords that exist on the ADS server and/or the UNIX accounts. Do I have to add these users under Samba specifically?

I am joined to the ADS domain, I can pull users/groups from wbinfo -t, -u, and -g. When I use webmin I can even go into the Samba module to add users to a share and see all the users from my ADS domain pop up in a window.

Here's a copy of my smb.conf (where I think my problem might lie):

    workgroup = NLES
    realm = NLES.LOCAL
    security = ads
    password server = calvin.nles.local
    username map = /etc/samba/smbusers
    os level = 10
    dns proxy = No
    idmap uid = 1-2
    idmap gid = 1-2
    template shell = /bin/bash
    winbind separator = +
    winbind use default domain = Yes

    [homes]
    comment = %U Home Folder
    path = /home/%u
    valid users = %U cgoff administrator
    # force user = %u
    writeable = yes
    browseable = no

I think my problem is with the [homes] share, but I'm not sure. Can anyone give me any pointers on what my issue might be? As I said I can talk to the ADS server just fine, seeing lists of users and groups. I'm almost positive I'm not setting up my shares correctly.

Chris Goff
NLES Network Administrator
cgoff at nles.k12.wi.us
Re: [Samba] Re: i need recycle bin configuration
Hi,

you are trying to use the option wrong. In 3.x it does not take a path anymore. Only the name of the vfs-object. These objects are now located in a standard-path in the samba-lib directory. the option

    vfs object = recycle

is working fine for me with samba-3.0.5.

Christoph

Jim C. wrote:

OK, read the docs but it is still not working for me. What happens is that if I put vfs object = [path] in [homes] then try to log in and I get no QuickLaunch icons and no access to My Documents-//enigma/njim/Documents. It seems like it is basically denying access to the homes share. This is where I'm redirecting Application Data and My Documents so that would explain the problems.

Wonder if I should be checking bugzilla? My version is 3.0.2a

Jim C.

excerpt from that mail:

complete configuration now goes into smb.conf, no need to create a separate file for it.

    vfs object = recycle
    recycle:repository = .Papierkorb/%U

Now, that's great. And really works. And testparm goes crazy if i add all this, it repeats that part maybe 10 times. Can someone please tell me where to find doku on all these parameters for recycle? Google wasn't that helpful this time.
Re: [Samba] Re: i need recycle bin configuration
Ermm... have you read the complete mail from me? ;-)
it's all described at the bottom of it for 3.x

excerpt from that mail:

for the samba 3.x-branch the procedure has changed completely. The VFS modules have been integrated in the normal make/install process, so you don't have to compile them on your own, and the complete configuration now goes into smb.conf, no need to create a separate file for it. for example i use the following lines in my [homes] section:

    vfs object = recycle
    recycle:repository = .Papierkorb/%U
    recycle:keeptree = Yes
    recycle:touch = Yes
    recycle:versions = Yes
    recycle:maxsize = 0
    recycle:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??
    recycle:excludedir = /tmp|/temp|/cache
    recycle:noversions = *.doc|*.xls|*.ppt

and it works out of the box like a charm

have a nice day.
Christoph

Jim C. wrote:

How do we do it on Samba 3.x?

Hi, there are a few things to do to get this working with samba-2.x.x:

Jim C.
Re: [Samba] Samba + ADS + User Accounts
Hi,

yes, samba can do that, kind of ;-)
What you want is realized via pam. You need to install the pam_mkhomedir module and configure it for all services your users use to connect to your server. After that the home-dir for each user will be created automagically the first time the user tries to access the server.

But don't ask me how to do it on fedora, cause i don't know it. pam with all its tricks and traps is very distribution-specific. if you used debian i could tell you more...

Christoph

Dan Strohschein wrote:

Hello,

We have a windows 2003 server hosting ADS. We also have a fedora core 2 file server running samba 3.0.2a. We have it currently configured to join the ADS domain. We can use Winbind to see users, groups, etc. We can even browse samba shares from windows computers. However one thing we don't know:

What we want to do is when a user is added to ADS for samba to create a user directory (like it does when you run adduser in linux) with proper ownership of that directory. Can samba do this? If so, how do we set up samba to do that??

Thanks
Dan Strohschein
Director of Software
The Wifi Link
Re: [Samba] Re: i need recycle bin configuration
Hi,

if testparm goes crazy on these parameters, are you sure it's the testparm matching the smbd you are running? perhaps it's a leftover older version which doesn't know these values? mine doesn't complain.

And yes the doc's for this are not easy to find. AFAIR i found these parameters in the HTML-doc's coming with the new versions of samba.

Christoph

Holger Krull wrote:

excerpt from that mail:

complete configuration now goes into smb.conf, no need to create a separate file for it.

    vfs object = recycle
    recycle:repository = .Papierkorb/%U

Now, that's great. And really works. And testparm goes crazy if i add all this, it repeats that part maybe 10 times. Can someone please tell me where to find doku on all these parameters for recycle? Google wasn't that helpful this time.
Re: [Samba] i need recycle bin configuration
Hi,

there are a few things to do to get this working with samba-2.x.x:

1.) build the vfs-modules, they are not compiled by the default makefile in samba 2.x.x. To do this go in the samba-2.x.x/examples/VFS directory and do a

    ./configure; make

2.) copy the module recycle/recycle.so to a directory of your choice, i use (as an example) /etc/samba/VFS

3.) for each share you want the recycle-function to be enabled on, put the following lines in the share-section of your smb.conf:

    vfs object = /etc/samba/VFS/recycle.so
    vfs options= /etc/samba/VFS/recycle.conf

don't forget to adjust the path to the place where you put the files to.

4.) create the file recycle.conf. as an example, mine contains the lines:

    name = .recycle/%U
    mode = KEEP_DIRECTORIES|VERSIONS|TOUCH
    maxsize = 0
    exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??|*.log|*.trace
    excludedir = /tmp|/temp|/cache
    noversions = *.doc|*.ppt|*.dat|*.ini

the available options for the module are documented in the file samba-2.x.x/examples/VFS/README.

5.) create the .recycle directory in the root of each share with full access for all users who have access to the share. if you miss this step the dir will get created with wrong permissions when the first user deletes a file, and all files deleted by other user will get lost.

for the samba 3.x-branch the procedure has changed completely. The VFS modules have been integrated in the normal make/install process, so you don't have to compile them on your own, and the complete configuration now goes into smb.conf, no need to create a separate file for it. for example i use the following lines in my [homes] section:

    vfs object = recycle
    recycle:repository = .Papierkorb/%U
    recycle:keeptree = Yes
    recycle:touch = Yes
    recycle:versions = Yes
    recycle:maxsize = 0
    recycle:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??
    recycle:excludedir = /tmp|/temp|/cache
    recycle:noversions = *.doc|*.xls|*.ppt

and it works out of the box like a charm

have much fun
Christoph

andry wrote:

any one can help me how to setting up recycle bin on samba or manual references website

btw i'm using redhat 7.2 samba 2.2.7..
Re: [Samba] Question about permissions
Hi, your first attempt with using force group is correct, but your syntax is not. for force group you have to omit the '@' sign. it only takes the name of the group. for example:

force group = f

at least that's the way it works for me ;-)
Christoph

Mario Gamito wrote:
Hi, First of all, my apologies for the extension of this message, but it is needed for you to understand my problem. Straight to the point: i have this domain in my company running in Samba 3.0.2

My users are: hcoelho, jardim, gamito, yesenia, smatias, fqueiros, faugusto, vamaro, peixinho, aragao, dina, pinho.

I have these shares with the users that can access them and the corresponding Linux groups:

[DAT]: hcoelho, jardim, fqueiros, gamito, faugusto = Linux group A
[DID]: hcoelho, jardim, gamito, faugusto, peixinho, aragao, vamaro = Linux group B
[DGM]: hcoelho, jardim, smatias = Linux group C
[SAD]: hcoelho, jardi, yesenia = Linux group D
[NTL]: Everybody = Linux group E
[arquivo]: everybody
[backups]: jardim, gamito, filipe = Linux group G
[biblioteca]: everybody
[desenvolvimento]: jardim, gamito, faugusto

user's groups:
coelho : d hcoelho a b c e f g
jardim : d jardim a b c e f g h
gamito : gamito a b e f g h
(etc...)

Besides these shares, there are the homes also.

Problems: If hcoelho, for instance, copies a file to share [SAD], yesenia can't open it (and it should, as above), because it is copied with group A. I've already used force group in smb.conf, but then, my users can't access their homes. Following my signature is my smb.conf

Any help would be appreciated.
Warm Regards, Mário Gamito

smb.conf:

# smb.conf : created by Mário Gamito
# Date: 21/06/04

[global]
workgroup = NETUAL
netbios name = bateira
server string = Beatrix Kiddo
# scripts to update /etc/passwd when the user changes the password in Windows
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
#username map = /etc/samba/smbusers
unix password sync = Yes
log level = 2
log file = /etc/samba/individual/%m.log
name resolve order = wins lmhosts host
time server = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
load printers = No
#oplocks = No
add user script = /usr/sbin/useradd -n -g domainusers -G domainguests -d /dev/null -s /bin/false -M %u
delete user script = /usr/sbin/userdel %u
add group script = /usr/sbin/groupadd -r %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/bin/gpasswd -a %u %g
delete user from group script = /usr/bin/gpasswd -d %u %g
set primary group script = /usr/sbin/usermod -g '%g' '%u'
add machine script = /usr/sbin/adduser -n -g domainmachines -c Machine -d /dev/null -s /bin/false %u
smb passwd file = /etc/samba/passwd
logon script = netualinit.bat
logon path = \\%L\profiles\%U
logon home = \\%L\%U
logon drive = H:
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
message command = echo obrigado | smbclient -M %f
panic action = echo Isto é uma mensagem automática: O servidor crashou. Contacte o Mário Gamito | smbclient -M shuttle
host msdfs = Yes
admin users = domainroot
hosts allow = 10.10.1., 10.10.2.
hosts deny = ALL
hide files = /.bash_profile/.bash_logout/.bashrc/.gtkrc/.kde/.zshrc/

[homes]
comment = Home Directories
read only = No
browseable = No
create mask = 0600
directory mask = 0700

[Profiles]
comment = Windows profiles para os utilizadores que carregam as suas preferências a partir do servidor.
path = /etc/samba/profiles
browseable = No
read only = No
create mask = 0600
directory mask = 0700

[netlogon]
comment = Network Logon Service
path = /etc/samba/netlogon
browseable = No
writeable = No
browseable = No

[arquivo]
comment = pasta de arquivo
path = /home/arquivo/
writeable = Yes
browseable = Yes
create mask = 660
directory mask = 777
#force group = @f

[SAD]
comment = pasta da SAD
path = /home/SAD
writeable = Yes
browseable = Yes
create mask = 660
directory mask = 770
#force group = @d

[DAT]
comment = pasta da DAT
path = /home/DAT
writeable = Yes
browseable = Yes
create mask = 660
directory mask = 770
#force group = @a

[DID]
comment = pasta da DID
path = /home/DID
writeable = Yes
browseable = Yes
create mask = 660
directory mask = 770
#force group = @b

[DGM]
comment = pasta da DGM
path = /home/DGM
writeable = Yes
browseable = Yes
create mask = 660
directory mask = 770
#force group = @c

[SAD]
comment = pasta da SAD
path = /home/SAD
writeable = Yes
browseable = Yes
create mask = 660
directory mask = 770
#force group = @d

[backups]
comment = pasta de backups
path = /home/backups
writeable = Yes
browseable = Yes
create mask = 666
directory mask = 770
#force group = @g

[biblioteca]
comment = pasta da
Re: [Samba] Question about permissions
Hi, you shouldn't need to force a group in the homes share, and using force group in another share shouldn't affect the homes share at all. I guess the effect of locking out your users from their homes in your first attempt with force group resulted from samba misbehaving with the @ sign in your groupnames.
Christoph

Mario Gamito wrote:
Hi Christoph, Thank you for your answer. ok, i did that. i suppose that now, assigning the user's primary group as their own, they also can access their homes, right ?
Warm Regards, Mário Gamito

On Tue, 2004-07-20 at 10:43, Christoph Scheeder wrote:
Hi, your first attempt with using force group is correct, but your syntax is not. for force group you have to omit the '@' sign. it only takes the name of the group. for example:

force group = f

at least that's the way it works for me ;-)
Christoph

Mario Gamito wrote:
Hi, First of all, my apologies for the extension of this message, but it is needed for you to understand my problem. Straight to the point: i have this domain in my company running in Samba 3.0.2

My users are: hcoelho, jardim, gamito, yesenia, smatias, fqueiros, faugusto, vamaro, peixinho, aragao, dina, pinho.

I have these shares with the users that can access them and the corresponding Linux groups:

[DAT]: hcoelho, jardim, fqueiros, gamito, faugusto = Linux group A
[DID]: hcoelho, jardim, gamito, faugusto, peixinho, aragao, vamaro = Linux group B
[DGM]: hcoelho, jardim, smatias = Linux group C
[SAD]: hcoelho, jardi, yesenia = Linux group D
[NTL]: Everybody = Linux group E
[arquivo]: everybody
[backups]: jardim, gamito, filipe = Linux group G
[biblioteca]: everybody
[desenvolvimento]: jardim, gamito, faugusto

user's groups:
coelho : d hcoelho a b c e f g
jardim : d jardim a b c e f g h
gamito : gamito a b e f g h
(etc...)

Besides these shares, there are the homes also.

Problems: If hcoelho, for instance, copies a file to share [SAD], yesenia can't open it (and it should, as above), because it is copied with group A.
Re: [Samba] Winbind under 3.0beta2
Hi,
first: 3.0beta2 is very outdated. please go and get the latest stable version from samba.org.
second: after completing step 1, if your problem persists could you be more detailed what your problem is? we can't read your mind... ;-)
third: have you read all the doc's available with samba?
Christoph

Cedric wrote:
Hello, I have a problem with installation of winbindd and samba. I saw on a mailing-list you had the same problem a few months ago. Did you find the solution ?
Re: [Samba] I've got a problem with Winbindd
Hm, this sounds as if your winbind-database got deleted during the reboot. Where is it stored? possibly in a place that gets cleaned on every reboot of the machine? That effect bit me a while ago.
Christoph

[EMAIL PROTECTED] wrote:
After a power loss (or anything else), the winbind database appears to be different. several of my users' home dirs are owned by the wrong person or a non-mapped uid. How can I avoid this? Is it as simple as running sync every so often?
Thanks
Romuald MONSELLIER
Re: [Samba] Is this possible? (syncing users between a system withsamba 3 on and a win2k3 server)
Hi, it is possible, but you'll have to install some packages manually by compiling them for your own. these packages are kerberos and samba, as the versions in most distros are too old to work correct as an ads-member in win2k3-ADS. AFAIK you'll have to install MIT-kerberos 1.33 and, at the moment, samba from svn; all other versions do not work.
Christoph

Mark Casey wrote:
Well, the gentoo mention was a joke. (the loving compile times remark) Are there any good books on the subject dealing with what I mentioned, as I haven't used Samba for a few years. (probably pre 2.0) Anyway, if I do setup any *bsd or linux servers they will be dedicated to the task and will not have any additional programs installed. I would most likely leave the win2k3 server as the PDC, I have heard of some issues in the past dealing with Samba and it being a PDC. The situation is that I want to apply the practice of least change, I don't want to (or feel the network needs to) have a new domain controller.. Having all machines join the new domain etc. So, SBS won't allow a BDC? (suppose I'll have to go and buy it then do some tests in vmware) What you're saying is that it isn't possible currently with Samba 3 to replicate users from win 2k3? (without some manual work, is it possible at all to script any of it?)
Thanks
Mark
Re: [Samba] Problem with SAMBA
Err, i think this is not a samba question, it is a security question. But anyhow: R U N, not walk to your box and set up a firewall on your system not letting smb-shares to the internet and you should be fine for the first moment. Then install chkrootkit on that box and run it. I guess it will at least find one rootkit installed. i accidentally had a minimal debian box a few days running on an adsl-link without firewall and it was rootkitted the first day it ran. setting hosts.deny is far far away from making your debian/linux box secure if it has an internet-connection.
Christoph

Rodrigo Haces wrote:
Hi, i have a debian box connected to internet by ADSL, in that box i share internet to all my local network, i also have to share 3 directories with samba with full read/write permissions. my hosts.deny is ALL:ALL and my hosts.allow is ALL:127. AND ALL:192.168.0. so that i only accept connections from inside my local network. Here is the problem, i cannot ask for a password to let them write in my directories because im using them as a database location so that my CRM application connects there, but with this, intruders from outside my network can write virus programs (And are actually doing it, writing a Xi.exe program). So, how can i prevent this?

here is my smb.conf:

[global]
log file = /var/log/samba/log.%m
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n
socket options = TCP_NODELAY
obey pam restrictions = yes
null passwords = yes
encrypt passwords = true
passdb backend = tdbsam guest
passwd program = /usr/bin/passwd %u
dns proxy = no
netbios name = Servidor
server string = %h server (Samba %v)
invalid users = root
workgroup = infosys
debug level = 0
os level = 20
syslog = 0
security = share
panic action = /usr/share/samba/panic-action %d
max log size = 1000

[bitacora]
writeable = yes
public = yes
path = /files/bitacora

[comun]
writeable = yes
public = yes
path = /files/comun

[admivi]
writeable = yes
public = yes
path = /files/admivi

Thanks in advance
Rodrigo
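Added example, not part of the thread and not Samba project code: a small Python audit that parses an smb.conf and lists the shares that accept guest writes while neither the share nor [global] sets smbd's own hosts allow / hosts deny, which is the combination in the configuration posted above. The function names are hypothetical, the sample text is reconstructed from that post, the interface name eth1 is an assumption, and parameters such as valid users or guest only are not modelled.

```python
"""Flag smb.conf shares that allow guest writes with no host restriction."""

# Synonyms from smb.conf(5), keyed without spaces (Samba ignores case and
# whitespace in parameter names). True marks an inverted synonym.
SYNONYMS = {
    "public": ("guestok", False),
    "writeable": ("readonly", True),
    "writable": ("readonly", True),
    "writeok": ("readonly", True),
    "allowhosts": ("hostsallow", False),
    "denyhosts": ("hostsdeny", False),
}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}


def parse_smb_conf(text):
    """Return {section: {canonical parameter: value}}; later settings win."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # trailing backslash continues
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            # A repeated section header keeps adding to the same section.
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        key = "".join(name.lower().split())
        if key in SYNONYMS:
            key, inverted = SYNONYMS[key]
            if inverted and value.lower() in TRUE | FALSE:
                value = "no" if value.lower() in TRUE else "yes"
        current[key] = value
    return sections


def as_bool(value, default):
    v = value.strip().lower()
    return True if v in TRUE else False if v in FALSE else default


def guest_writable_unrestricted(text):
    """Names of shares with guest ok = yes, read only = no and no host list."""
    sections = parse_smb_conf(text)
    global_params = sections.get("global", {})

    def effective(share, key):
        # Share-level value, else the [global] default, else unset.
        return sections[share].get(key, global_params.get(key, ""))

    flagged = []
    for share in sections:
        if share == "global":
            continue
        guest = as_bool(effective(share, "guestok"), False)       # default no
        read_only = as_bool(effective(share, "readonly"), True)   # default yes
        # hosts allow / hosts deny are smb.conf parameters enforced by smbd.
        restricted = bool(effective(share, "hostsallow")
                          or effective(share, "hostsdeny"))
        if guest and not read_only and not restricted:
            flagged.append(share)
    return sorted(flagged)


# Constructed sample: the relevant lines of the configuration posted above.
SAMPLE_OPEN = """
[global]
   security = share
   invalid users = root
[bitacora]
   writeable = yes
   public = yes
   path = /files/bitacora
[comun]
   writeable = yes
   public = yes
   path = /files/comun
[admivi]
   writeable = yes
   public = yes
   path = /files/admivi
"""

# Constructed sample: same shares, limited to loopback and the LAN prefix the
# poster named; eth1 as the LAN interface is an assumption.
SAMPLE_RESTRICTED = SAMPLE_OPEN.replace(
    "[global]",
    "[global]\n   hosts allow = 127. 192.168.0.\n   hosts deny = ALL\n"
    "   interfaces = lo eth1\n   bind interfaces only = yes", 1)

if __name__ == "__main__":
    print("open config:      ", guest_writable_unrestricted(SAMPLE_OPEN))
    print("restricted config:", guest_writable_unrestricted(SAMPLE_RESTRICTED))
```

The restricted sample narrows who can reach the shares at the Samba layer only; it sits alongside the packet filter advised in the reply, not in place of it.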
Re: [Samba] getent passwd wbinfo -u not working
Hi, remember, after compiling and installing samba you have to copy the files nsswitch/libnss_winbind.so and nsswitch/libnss_wins.so to /lib/ and

ln -sf /lib/libnss_winbind.so /lib/libnss_winbind.so.2
ln -sf /lib/libnss_wins.so /lib/libnss_wins.so.2

then copy nsswitch/pam_winbind.so to /lib/security/ and finally do a ldconfig. you'll have to do these steps manually after each compile and install, as these files are omitted by make install
Christoph

Sahibzada Junaid Noor wrote:
HI, i had messed up with the pam.d so i did a fresh install. now after this fresh install some how getent passwd and wbinfo -u is not working. the rest of the commands kinit net ads join are ok.

[EMAIL PROTECTED] samba]# wbinfo -u
Error looking up domain users

and getent passwd simply returns me to the prompt after listing the names of the local users and groups. anyone know what's going on?

Sahibzada Junaid Noor
Ph # (+92) (051) 5950 940 Cell # (+92) (0333) 5223586
Qazi plaza, Third Floor, Commerical Market, Chaklala Scheme 3, Rawalpindi
Islamic Republic of Pakistan
Re: [Samba] authentification in ads2003
Hi, i got that working on woody, but against a win2000 ADS. How?
- fetched the latest source of MIT-kerberos from mit-server and installed in /usr/local, as the version coming with woody is too old, it does not support the needed enc-types.
- fetched samba-3.0.5-pre2 from svn and compiled it against the kerberos in /usr/local, and installed it.
- deleted all old databases of samba
- delete the samba-server from the ADS and rejoin it.

i found for me that in nsswitch.conf the lines

passwd: compat winbind
group: compat winbind

will not work, replace compat with files

this way you should be able to get it working, but no guarantee.
Christoph

Benoit Moeremans wrote:
Hello,
*This msg was already sent yesterday on this ml, but i found some faults in the mail.*
**If anyone can help me... the only thing i'm thinking now is to throw away the servers**
I installed Samba 3.0.4 + kerberos 5 + winbind to make the debian woody server joining the Active directory service. Everything seems to be ok, except the authentication. If i try to go to the share of the linux server from a windows box, it asks me the password. And of course, no way to log in. Here is the config:

*nsswitch.conf*

passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

*samba*

[global]
workgroup = TEST
realm = CAR.BE.TEST.COM.LOCAL
server string = %h server (Samba %v)
; wins support = no
; wins server = w.x.y.z
dns proxy = no
; name resolve order = lmhosts host wins bcast
use spnego = yes
log file = /var/log/samba/log.%m
max log size = 1000
; syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
# separate domain and username with '+', like DOMAIN+username
winbind separator = +
# use uids from 1 to 2 for domain users
idmap uid = 1-2
# use gids from 1 to 2 for domain groups
idmap gid = 1-2
# allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
security = ADS
encrypt passwords = yes
passdb backend = tdbsam guest
obey pam restrictions = yes
password server = car-pdc
netbios name = rantanplan
; guest account = nobody
invalid users = root
; unix password sync = no
; passwd program = /usr/bin/passwd %u
# passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
; pam password change = no
; load printers = yes
; preserve case = yes
; short preserve case = yes
; include = /home/samba/etc/smb.conf.%m
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY
; message command = /bin/sh -c '/usr/bin/linpopup %f %m %s; rm %s'
; domain master = auto
idmap uid = 1-2
idmap gid = 1-2
; template shell = /bin/bash

[admin]
comment = Administration Directory
path = /home/benoit
admin users = TEST+bmo
browseable = yes
public = no
writable = yes
guest only = no
valid users = TEST+bmo

*kerberos*

[libdefaults]
default_realm = CAR.BE.TEST.COM
[realms]
CAR.BE.TEST.COM = {
kdc = car-pdc.car.be.test.com
default_domain = car.be.test.com
}
#[domain_realms]
#.kerberos.server=CAR.BE.TEST.COM
# The following krb5.conf variables are only for MIT Kerberos.
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
[login]
krb4_convert = true
krb4_get_tickets = true

*winbind* (logs)

2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain CAR CAR.BE.TEST.COM.LOCAL S-0-0
[2004/06/07 13:38:57, 1] libsmb/clikrb5.c:ads_krb5_mk_req(306)
krb5_cc_get_principal failed (No credentials cache found)
[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain BUILTIN S-1-5-32
[2004/06/07 13:38:57, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
Added domain RANTANPLAN S-1-5-21-837388855-3362161430-1770541169

I found also some trace in the log.smbd

smbd version 3.0.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
[2004/06/09 10:29:16, 0] lib/util_sock.c:get_peer_addr(978)
getpeername failed. Error was Transport endpoint is not connected
[2004/06/09 10:34:28, 0] smbd/server.c:main(757)

All commands like kinit, net ads join, wbinfo -u (-g),
Re: [Samba] authenticating against windows server 2003
Hi, What versions of samba and kerberos? i had to install MIT-kerberos-v1.3.3 and samba-3.0.5pre1 to get this working with a win2k-ADS-server, a samba-member-server and win2k clients. Older Versions definitely didn't work.
Christoph

Owen, Mary wrote:
I have a windows 2003 server and a SAMBA file server. I appear to have joined the ads realm. When I do a klist I have 3 tickets, for krbtgt, kadmin, kdc server. From my SAMBA file server I can access all shares on windows 2003 machine. When my 2003 clients try to access the samba file server they get the login box. It doesn't matter what you enter it will not allow access. My windows 2003 server is also denied access to my SAMBA file server. I have run out of ideas, so any ideas ...
Re: [Samba] 2 passwords when loging from Windows 98 to samba PDC
Hi, AFAIK, you can not obtain what you want with Win98-Clients. Why? this is a Limitation of Win98. It does not really get incorporated into a domain, it only handles it as a little bit better workgroup. And for that does its own authentication stuff and does not trust the PDC. No Matter if the PDC is samba, NT-x or win2k
Christoph

[EMAIL PROTECTED] wrote:
Hello. I have setup a local network where Windows 98 workstations authenticate against a samba server PDC running on linux, and it is working. But there is a little annoyance: Windows 98 is handling 2 passwords:
1) the network password (used with the samba PDC)
2) the windows password (used with the Windows desktop)
Windows users can change their passwords from the workstation, but the desktop password is kept locally. If they change the passwords in one workstation and then login in another workstation, the passwords will be different. I would like to eliminate the need for second password and keep only the first. Is it possible? If not, I would like to keep the desktop passwords at the samba server. Is that possible?
Regards. Romildo
Re: [Samba] Any ideas ?
Hm, any chance there are rests of an older kerberos-installation somewhere on the box? and your os accidentally loads older libraries? or perhaps old samba pieces?
Christoph

Yohann Ferreira wrote:
Note that I compiled MIT Kerberos 1.3.3 with:

--enable-dns-for-realm --without-krb4 --enable-shared

and I added the:

./configure ... \
--with-ads --with-krb5=/usr/local \
...

lines

From: Yohann Ferreira [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Samba] Any ideas ?
Date: Thu, 27 May 2004 13:02:34 +

Hints or check lists for that type of error ?

[2004/05/27 14:11:06.627563, 10, pid=23616] libads/kerberos_verify.c:ads_verify_ticket(185)
ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2004/05/27 14:11:06.627589, 10, pid=23616] passdb/secrets.c:secrets_named_mutex_release(716)
secrets_named_mutex: released mutex for replay cache mutex
[2004/05/27 14:11:06.627603, 3, pid=23616] libads/kerberos_verify.c:ads_verify_ticket(193)
ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2004/05/27 14:11:06.627633, 1, pid=23616] smbd/sesssetup.c:reply_spnego_kerberos(174)
Failed to verify incoming ticket!
[2004/05/27 14:11:06.627759, 3, pid=23616] smbd/error.c:error_packet(118)
error packet at smbd/sesssetup.c(175) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

thanks for any help !
Bertram
Re: [Samba] example configuration for VFS recycle
Hi,

Olaf Eichhorn, Vermessungsbüro Pfeifer wrote:
Hi SAMBA users
Can anybody give me a working part of an smb.conf for vfs recycle? I use SAMBA 3.0.2-7 on Fedora Core 1. I have read the samba howto and now I know the possible options but not the right syntax. I found only examples for SAMBA 2.x. I tried the following (smb.conf) but it isn't working for the specific share Daten

[Daten]
vfs objects = recycle

this should read

vfs object = recycle

recycle:repository = Papierkorb
recycle:versions = True
recycle:touch = True
recycle:keeptree = True
recycle:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.ba0
recycle:exclude_dir = /tmp|/temp|/cache

try this one, works fine for me

vfs object = recycle
recycle:repository = .Papierkorb/%U
recycle:keeptree = Yes
recycle:touch = Yes
recycle:versions = Yes
recycle:maxsize = 0
recycle:exclude = *.tmp|*.temp|*.o|*.obj|~$*|*.~??
recycle:excludedir = /tmp|/temp|/cache
recycle:noversions = *.doc|*.xls|*.ppt

Christoph

Is it possible to make the recycle folder user specific with the %U option??
thanks for Your help
Olaf
[Samba] Home-share, winbindd and use-default-domain trouble
Hi folks, after installing mit kerberos-1.3.3 and the samba.3_0-subversion tree from yesterday i finally got my ADS-memberserver accessible from win2k-clients. but now i have a little problem. The samba server will be the main mailgateway for the site, so i need to set the use default domain switch for winbind to get automagically created the local user-mailboxes and home-dirs for the Accounts in ADS. up to this point all is working fine. i can send mail to the users, the homedirs get created on the fly, they can be accessed etc. but if i set samba to restrict the access to the home-share only to the correct user (only user = %U in the [homes] section) the users get locked out of their home-shares, and the server logs a line

user DOMAIN-username is not allowed to access share username.

(i have set '-' as domain-separator in smb.conf) should this be called a bug, or is there a work-around for it?
C.Scheeder
Re: [Samba] Mapping My Documents
Hi, AFAIK you can get usrmgr and srvmgr in download from Micro$oft. the file is called srvtools.exe and can be installed on nt, 2k and xp.
Christoph

L. Claudius wrote:
Thus spoke Greg Folkert:
On Tue, 2004-05-18 at 21:48, L. Claudius wrote:
I'm creating roaming profiles for the Win98 boxes in our network. Is there any way to map the My Documents folder to a share in the Samba server?

usermgr.exe from microsoft seems to work quite well for this. AFAIK, I have added users and defined things using the usermgr.exe. I use W2KP and WXPP as the machine I run it on. Works for me.

Where do I find this usermgr.exe? I couldn't find it either in a Win98 box or in a Win2k Pro box.
[Samba] strange Auth problem in w2k Domain with ADS
Hi, my Situation: a w2k-server set in mixed mode as ADS-Server, a debian machine with latest stable samba compiled self with ADS-support. samba machine joined to ADS-Domain successfully, winbindd installed and configured, all w2k users and groups visible on samba-server. Browsing and connecting to w2k-server and samba-server from the samba server with smbclient and -k option works fine for all accounts in the w2k-domain and the locally on the samba server defined users. If i try to access the samba server from a w2k-client in the domain i get a prompt for user and password. If i supply a domain-account i get a failure, if i supply a local samba-server-account all works fine. Where should i look to solve this problem?
C.Scheeder
[Samba] winbindd/pam problems
Hi, setup: Debian 3.0, samba 3.0bx / latest cvs, self compiled. options:

--with-syslog --with-quotas --with-utmp --with-msdfs \
--with-vfs --with-acl --with-pam

access as domain-user to the samba-shares is working, i set up pam support following the html-docs about ADS-support and pam-login. getent shows all domain-users and groups correct on the samba-server. But i've got a problem: i can not login locally on my samba-server with a domain-user-account. if i telnet to the machine i enter username and password, and get the message

User not known to the underlying authentication module
Connection closed by foreign host.

in auth.log i get the following messages (Lines wrapped around)

Aug 4 12:36:35 greulix pam_winbind[7891]: user 'administrator' \
granted acces
Aug 4 12:36:35 greulix PAM_unix[7891]: could not identify user \
(from getpwnam(administrator))
Aug 4 12:36:35 greulix login[7891]: User not known to the \
underlying authentication module

can anybody shed some light on this please?
Christoph