[Samba] pdbedit functionality
Since I got no response from my last request, I'll be more concise.

Samba 3.0.0 + ldapsam backend

- What functions does pdbedit actually support?
- Can pdbedit be used to alter policies for individual users, or only domain-wide?
- Is there a method to force users to change their passwords upon next login?

Thanks,
-- Cy

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba

[Samba] Ext3 ACLS / pdbedit questions
Software:
OS: RedHat 9
SMB Ver: 3.0.0 (+excel patch)
OpenLDAP Ver: 2.0.27-8 (backend)

I've noticed that when using ext3+acls, when viewing permissions from a Windows client, there will be two additional attributes, CREATOR USER and CREATOR GROUP. Is this something from the translation between ext3acls - windows? Not a big deal, just curious if I'm the only one here, and if xfs does the same thing?

SID-username / groupname is also a bit lagg'ish, but I believe this was fixed in 3.0.1 due to an ldap bind error where, when looking up SIDs, a bunch of "can only connect to ldap as root" messages were dumped to log. Waiting for 3.0.2 release to upgrade.

And last but not least, pdbedit. Can this only be used to affect the policies for every user who is a member of the domain, or can it be used per-user? i.e. I have both human users, as well as some service accounts for linux/windows in ldap. Now I'd like for the actual users' passwords to expire after 90 days or so, alternately I'd prefer to not have to worry about the passwords on the service accounts.

Also, is there a way to force password change upon next login? Obviously this is a bad idea if pdbedit can only be used to make policy changes for all users.

Thanks in advance for all the help, as always I appreciate it.
-- Cy

Re: [Samba] PDC/BDC Questions (fwd)
Cool, thanks a lot, I really appreciate your time. I'm extremely pleased with 3.0.x's stability, I don't think local segment failover is really going to be a huge issue. Keep up the great work :)
-- Cy

Date: Fri, 30 Jan 2004 18:14:36 +1100
From: Andrew Bartlett [EMAIL PROTECTED]
To: Cybr0t McWhulf [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Samba] PDC/BDC Questions

On Fri, 2004-01-30 at 15:11, Cybr0t McWhulf wrote:
> Sorry, that was a bit vague, my apologies. My real question is, in the event where netbios is not being passed between network segments (In this particular case, a WAN), where the PDC is at one site, and the BDC is at another, are there any provisions for failover? Or am I just going to have to run them both as PDC's for their network segment?

You don't want inter-site netbios traffic anyway, so run each as a 'pdc' and add local redundancy if you really think you need it.

Andrew Bartlett
--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

Re: [Samba] PDC/BDC Questions
Sorry, that was a bit vague, my apologies. My real question is, in the event where netbios is not being passed between network segments (In this particular case, a WAN), where the PDC is at one site, and the BDC is at another, are there any provisions for failover? Or am I just going to have to run them both as PDC's for their network segment?

Thanks again for your time, I really appreciate it.
-- Cy

Date: Tue, 27 Jan 2004 18:34:04 +1100
From: Andrew Bartlett [EMAIL PROTECTED]
To: Cybr0t McWhulf [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] PDC/BDC Questions

On Tue, 2004-01-27 at 08:44, Cybr0t McWhulf wrote:
> Software:
> OS: Redhat 9
> Samba Ver: Samba 3.0.0 (Plus excel writelock patch, waiting for 3.0.2!)
> OpenLDAP Ver: 2.0.27-8
>
> Just a quick question about PDC / BDC interaction, my plan is to distribute Samba (with slave ldap backend) BDCs to remote facilities, as well as have one on each network segment in the hopes of avoiding unnecessary nmb broadcast traffic.
>
> My question is this: Will the PDC / BDC(s), acting as master browsers for their segments, exchange netbios information (i.e. netbios names, browsing info, etc.) via nmb? Or do they exchange this information via tcp? Or at all for that matter?

If they can't see each other, they will not exchange it at all. If it is intended that they not see each other, you may set each up as a 'PDC' on each site.

> Also as a complete sidenote, what I think would be a nifty feature: (This would only be useful to those running an ldap backend (possibly mysql?) When setting an account to disabled, have an option to set the loginShell attribute to something, such as /sbin/nologin (Should be configurable of course). Should be a fairly trivial thing.. just altering another attribute, if my C foo wasn't so weak I might attempt to add this feature myself.
>
> Just a possible suggestion :)

We would rather not modify attributes that are not mandated by our schema, but I would certainly look favourably on a patch that allowed integrated updates with things like posixAccount and the shadow attributes.

(The problem with setting a shell to /sbin/nologin is deciding what to set it back to...)

Andrew Bartlett
--
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net

[Samba] PDC/BDC Questions
Software:
OS: Redhat 9
Samba Ver: Samba 3.0.0 (Plus excel writelock patch, waiting for 3.0.2!)
OpenLDAP Ver: 2.0.27-8

Just a quick question about PDC / BDC interaction, my plan is to distribute Samba (with slave ldap backend) BDCs to remote facilities, as well as have one on each network segment in the hopes of avoiding unnecessary nmb broadcast traffic.

My question is this: Will the PDC / BDC(s), acting as master browsers for their segments, exchange netbios information (i.e. netbios names, browsing info, etc.) via nmb? Or do they exchange this information via tcp? Or at all for that matter?

Also as a complete sidenote, what I think would be a nifty feature: (This would only be useful to those running an ldap backend (possibly mysql?) When setting an account to disabled, have an option to set the loginShell attribute to something, such as /sbin/nologin (Should be configurable of course). Should be a fairly trivial thing.. just altering another attribute, if my C foo wasn't so weak I might attempt to add this feature myself.

Just a possible suggestion :)

As always, big kudos to the Samba Team, thanks for your time folks.
-- Cy

[Samba] Samba 3.0 + LDAP userPassword - sambaNTPassword manual sync?
First, the software:
Samba 3.0.0
OpenLDAP 2.0.27
nssldap / pam_ldap
Redhat 9

This may be more of a question for the OpenLDAP mailing list.. but does anyone know of a method (perhaps using slappasswd?) to hand-sync userPassword attributes to sambaNTPassword attributes?

Deploying Samba 3.0 as pdc pretty soon, used Migration Tools on the mail server soon, and I'd really like to be able to tell people to log in using their mail credentials, as opposed to a generic password that they might not ever change, resulting in the ever-unfun activity of tracking people down and berating them until they change it (This was hard enough the first two times).

Any suggestions or advice would be greatly appreciated, and as always great thanks to the Samba team for their terrific work.
-- Cybr0t McWhulf

[Samba] Ext3+acl vs XFS
Software:
- Samba 3.0 (Stable)
- OpenLDAP 2.0.27
- Windows 2000 clients

I'd like to implement full-blown nt-style permissions on my existing Samba (with LDAP backend) server / shares. (i.e. file properties -- security: different groups / users, with different permissions etc. etc.)

Now I've dug around and found that this can be supported either via ext2/3 + some ACL patch (anyone got a link?), or xfs. My two main questions regarding this are..

a) Does it actually work?
b) In terms of overhead / resource utilization, which is better?

Also, for those of you using ldap as a backend: in my situation, I'm using ldap as the master information store for all machines in a heterogeneous environment (Windows, Linux, BSD, etc.). Has anyone figured out a way to strip Samba accounts of posix attributes? A'la user bob in the ldap tree is a valid user for windows machines joined to the domain, but will not be a valid user (or show up in standard nss_ldap/pam_ldap posixAccount queries to the ldap store) on unix/linux machines. Granted, that's a pretty tall order, as to the best of my understanding the samba ldap attributes are highly dependent on the posix attributes.

Thanks for your help folks, and constant thanks to the Samba team for saving me the torture of dealing with Windows :)
-- Cybr0t McWhulf

[Samba] Strong Password Enforcement (Windows-side)
Before I begin, big thanks to John Terpstra for helping me out with my previous issues.

But alas I have another issue, I need to enforce strong passwords on windows side (i.e. ctrl+alt+delete change password), minimum password length, can't be dictionary words, etc. etc. (Setup is Samba 3.0.0 as PDC with LDAP passdb)

From what I understand previously this could've been done using pam_smbpass or a policy pushed out from netlogon, but I'm dealing with a mixed environment of 2k/XP, and I read that nt4 policies don't work with XP. And it would appear that when using ldap password sync it bypasses pam(?).

Also I've seen a lot about Group Policy Editor, but it seems that's only useful if you're using AD. Is this perhaps the direction pdbedit is going towards? It would be quite nifty to have a single command to edit (or generate) domain policies. It seemed to work with altering the minimum password length, but it only goes so far.

Any suggestions / advice / heckling if I'm being an idiot would be appreciated
-- Cybr0t McWhulf

[Samba] Samba 3.0 + LDAP as PDC
At the risk of having my inbox flooded with another 10,000 Emails from Microsoft purporting the latest security update..

Now that smb3.0 is out and about, I'd really like to use it for authenticating windows users / PDC (With BDC in the plans)

My problem is that there seems to be little to zero up to date documentation on how to integrate Samba and LDAP, the most I found were a couple oddball newsgroup postings and a Samba 2.2.4/LDAP PDC howto which is well over a year old.

I have a working LDAP userstore authenticating linux/unix logons and freeradius. Samba is the last bit in a month-long project for centralized authentication (due mid-next month *eep*)

In my latest exploits I got as far as authenticating users for share access, (and ldap password sync, yay!) but I was unable to add machines to the domain, which may be a group mapping issue (What was so bad about domain admin group? :( )

I'm really just looking for some decent-recent (nearly idiot proof ;) ) instructions on how to accomplish this.

Thanks a lot to anyone able to help, life saver isn't the right term, but it's the first that comes to mind.
-- Cybr0t McWhulf

[Samba] 3.0rc4 + ldap backend (Advice? Suggestions?)
Howdy Folks,

I'm working on implementing centralized authentication for a mixed environment:

                      - Samba(3.0rc4) - Win2k/XP
OpenLDAP User Store - - nss_ldap - linux/unix
                      - FreeRadius - Cisco/HP Networking Equip

(My apologies if that doesn't look right for anyone)

I have a functional ldap database (openldap-2.0.27-8), and I'd very much like to use Samba 3.x (been using Samba for PDC since TNG), but I'm mildly disconcerted by the (possibly undocumented?) changes in the way certain things are handled.

At this point I'd just like to ask the community if anyone's successfully done Samba 3.x as PDC with ldap backend and has any advice / suggestions / pointers?

Thanks for your help,
-- Cybr0t McWhulf