Re: [Samba] [Bulk] Windows Users cannot change password on PDC Samba Server
Dominguez, Gaston Matias wrote:
> I've this problems. I'm using on my smb.conf
>
> # LDAP, NT and LM account synchronization #
> unix password sync = Yes
> ldap passwd sync = Yes
> passwd program = /usr/sbin/smbldap-passwd -u "%u"
> passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
>
> [2009/09/03 14:05:16, 1] smbd/chgpasswd.c:change_oem_password(1057)
> Sep 3 14:05:16 eisaIII smbd[4801]: user test1 cannot change password now, must wait until vie, 04 sep 2009 17:29:06 ART
>
> I don't find what is the problem. Someone help me please!
>
> Here it's:
>
> [r...@srvdc01 ~]# testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[printers]"
> Processing section "[Profiles]"
> Processing section "[netlogon]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
> Press enter to see a dump of your service definitions
>
> [global]
>     workgroup = EISAIII
>     server string = Samba Server Version %v on %L
>     smb passwd file = /usr/bin/smbpasswd
>     passdb backend = ldapsam:"ldap://127.0.0.1:389"
>     username map = /etc/samba/smbusers
>     syslog = 2
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     time server = Yes
>     add user script = /usr/sbin/smbldap-useradd -m "%u"
>     delete user script = /usr/sbin/smbldap-userdel "%u"
>     add group script = /usr/sbin/smbldap-groupadd -p "%g"
>     delete group script = /usr/sbin/smbldap-groupdel "%g"
>     add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>     delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>     set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>     add machine script = /usr/sbin/smbldap-useradd -w %u
>     logon script = scripts\logon.bat
>     logon path = \\%L\Profiles\%U
>     logon drive = Z:
>     logon home = \\%L\%U
>     domain logons = Yes
>     os level = 65
>     preferred master = Yes
>     domain master = Yes
>     wins server = 192.168.6.3
>     ldap admin dn = cn=Administrador,dc=eisaIII,dc=com
>     ldap delete dn = Yes
>     ldap group suffix = ou=Group
>     ldap idmap suffix = ou=Idmap
>     ldap machine suffix = ou=Computers
>     ldap passwd sync = Yes
>     ldap suffix = dc=eisaIII,dc=com
>     ldap user suffix = ou=People
>     idmap uid = 1-2
>     idmap gid = 1-2
>     admin users = Administrador, "@Domain Admins"
>     cups options = raw
>
> [homes]
>     comment = Home Directories
>     read only = No
>     browseable = No
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     printable = Yes
>     browseable = No
>
> [Profiles]
>     comment = Roaming Profile Share
>     path = /var/lib/samba/profiles
>     read only = No
>     profile acls = Yes
>
> [netlogon]
>     comment = Network Logon Service
>     path = /var/lib/samba/netlogon
>     admin users = root, maryo
>     guest ok = Yes
>     browseable = No
>
> Dominguez Gastón Matías
> Informática y Telecomunicaciones
> ELECTROINGENIERIA S.A. División Nuclear
> Tel.: 0054-03487-481880 Fax: 0054-03487-481880 Int. 120/121
> E-mail: gdoming...@eling.com.ar
> Web: www.eling.com.ar

Dear Gastón.

I would think that the problem resides in the Minimum Password Age setting of the PDC. Please run 'net sam policy show "minimum password age"' and check if the value is greater than 0. If it is, run 'net sam policy set "minimum password age" 0'.

Best regards, David Wells.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] sambaprimaryGroupSid
David Wells wrote:
> Dear Vishesh,
>
> Thank you very much for your reply. Please allow me to clarify. I have created a root user in my LDAP directory which has 0 as its UID and as its GID. Additionally it has a sambaPrimaryGroupSid of S-1-5-21-XX-XX-X-512 so it should be equivalent to the windows "Domain Administrator" account. However when I query samba to see this user's information I get that its Primary Group SID is S-1-5-21-XX-XX-X-513 even though it's correctly setup in LDAP.
>
> Thank you again.
>
> Best regards, David Wells.

Just in case anybody encounters this issue I found that if the "root" user is named anything different from "Administrator" or has 0 as its GID samba will set its "Primary Group SID" to 513, regardless of what the user has stored in LDAP. Renaming the user to "Administrator" and setting its GID to anything but 0 solved the problem.

Thank you very much

Best regards, David Wells.
Re: [Samba] sambaprimaryGroupSid
vishesh kumar wrote:
> Dear david
>
> Does your root work as domain admin? I think you have to modify your ldap database for that
>
> Thanks
> --
> http://linuxinterviews.blogspot.com

Dear Vishesh,

Thank you very much for your reply. Please allow me to clarify. I have created a root user in my LDAP directory which has 0 as its UID and as its GID. Additionally it has a sambaPrimaryGroupSid of S-1-5-21-XX-XX-X-512 so it should be equivalent to the windows "Domain Administrator" account. However when I query samba to see this user's information I get that its Primary Group SID is S-1-5-21-XX-XX-X-513 even though it's correctly setup in LDAP.

Thank you again.

Best regards, David Wells.
[Samba] sambaprimaryGroupSid
Hi all!

I'm configuring a samba PDC with an LDAP sam. Everything is working great except that when I do pdbedit -Lv root (which is my "Domain Administrator" account) I see that it's getting a Primary Group SID value of S-1-5-21-XX-XX-X-513 instead of the S-1-5-21-XX-XX-X-512 that is stored in my LDAP tree. Does someone know why this is happening and how could I get my root user to have "Domain Administrators" as its primary group?

Thank you very much!

Best regards, David Wells.
Re: [Samba] Samba + LDAP = SLOW Help plesase
Grey Karapetyan wrote:
> Hi Guys!
>
> Samba suspiciously slow
>
> i have:
> CentOS 5.2 final
> Samba 3.0.28-0.e15.8
> LDAP server placed on another (not Samba) Server
> In ldap container "ou=Users" about 5000 entries
>
> When Windows clients connect to samba - Authentication process S.L.O.W. (about 20-30 seconds). When number entries less - performance grow (when 10 users - authentication process go 1-2 seconds)
>
> How i can tune up performance?
>
> == smb.conf
> [global]
>     log file = /var/log/samba/samba.log.%m
>     log level = 3
>     domain logons = no
>     domain master = no
>     local master = no
>     preferred master = no
>     wins support = no
>     dns proxy = no
>     os level = 0
>     # server setup ---
>     netbios name = testsrv
>     workgroup = TEST
>     security = user
>     passdb backend = ldapsam:ldap://x.x.x.x
>     ldap admin dn = cn=Directory Manager
>     ldap group suffix = ou=NTGroups
>     ldap idmap suffix = ou=Idmap
>     ldap suffix = dc=test
>     ldap user suffix = ou=Users
>     # print setup ---
>     load printers = yes
>     printing = cups
>     printcap = cups
>     use client driver = yes
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     readonly = no
>     browseable = no
>     guest ok = yes
>     writable = no
>     printable = yes
>
> [print$]
>     comment = Printer Driver Download Area
>     path = /etc/samba/drivers
>     browseable = yes
>     guest ok = yes
>     read only = yes
>
> /etc/ldap.conf
> uri ldap://x.x.x.x
> basedc=test
> binddn cn=Directory Manager
> bindpw
> #pam_passwordexop
> #pam_filter objectclass=sambaSamAccount
> nss_base_passwd ou=Users,dc=test
> nss_base_shadow ou=Users,dc=test
> nss_base_group ou=NTGroups,dc=test
> ssl no

I would bet this is not a samba issue but an LDAP issue, specifically in the indexing of your database.

Greetings, David Wells.
Re: [Samba] Samba PDC & Squid NTLM Auth - Same machine
Victor Medina wrote:
> Hi Guys!
>
> Probably this is not the best place to ask, I'll try anyway... =)
>
> I've been trying to configure a Samba PDC and a Squid Proxy server with NTLM auth on the same machine but NTLM_AUTH keeps complaining about: NT_STATUS_INVALID_HANDLE
>
> I have other machines running Squid and Authenticating against a Samba Server but on different machines, this is the first time I try both on the same machine.
>
> Can I use Squid+NTLM Auth and Samba configured as PDC on the same machine? Is there any winbind issue with this kind of configuration?
>
> I'm using SLES10+SP2
> Samba version as reported by rpm is 3.0.32-0.8
> Squid version as reported by rpm is 2.5.STABLE12-18.13
>
> - This is my smb.conf
> [global]
>     dos charset = 850
>     unix charset = ISO8859-1
>     workgroup = C1.SV
>     netbios name = PDCSRVC1SV
>     server string =
>     interfaces = eth0
>     bind interfaces only = Yes
>     map to guest = Bad Password
>     passdb backend = ldapsam:ldap://127.0.0.1
>     guest account = Invitado
>     time server = Yes
>     deadtime = 20
>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     printcap name = cups
>     logon path =
>     logon home =
>     domain logons = Yes
>     os level = 65
>     preferred master = Yes
>     domain master = Yes
>     wins support = Yes
>     ldap admin dn = cn=Administrador,o=Ferreteria EPA
>     ldap delete dn = Yes
>     ldap group suffix = ou=group
>     ldap machine suffix = ou=people
>     ldap passwd sync = Yes
>     ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
>     ldap user suffix = ou=people
>     idmap domains = DEFAULT
>     idmap alloc backend = ldap
>     idmap alloc config:range = 1-10
>     idmap alloc config:ldap_url = ldap://127.0.0.1
>     idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>     idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>     idmap config DEFAULT:range = 1-10
>     idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>     idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>     idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>     idmap config DEFAULT:default = yes
>     idmap config DEFAULT:readonly = no
>     idmap config DEFAULT:backend = ldap
>     ldapsam:editposix = yes
>     ldapsam:trusted = yes
>     create mask = 0640
>     force create mode = 0640
>     directory mask = 0750
>     force directory mode = 0750
>     case sensitive = No
>     dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>
> My relevant squid.conf lines...
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
> auth_param ntlm children 100
> auth_param basic children 100
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> The pdc works as expected, machine join works like charm, users and groups management works equally right, all accounts are placed in the LDAP, getent passwd, groups and shadow shows the ldap accounts
>
> I also did a few tests with wbinfo
>
> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -u
> invitado usuarioprueba e01ggen e01glogis e01gcont e01jcomp1 e01jcomp2 e01jcomp3 e01jcomp4 e01jrepo e01jreclu e01rrece e01gcom
> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -g
> BUILTIN BUILTIN domain users domain admins domain guests grupoprueba gcentralsv gcompras gcontrol ggerencia glogistica gmercadeo gpersonal gventas gjefecompras gjefecontrol gjefelogistica gjefepersonal
> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --all-domains
> C1.SV
>
> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>
> I also noted this error:
>
> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --authenticate=administrator%12345678
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc064)
> error messsage was: No such user
> Could not authenticate user administrator%12345678 with plaintext password
> winbind separator was NULL!
> challenge/response password authentication failed
> error code was NT_STATUS_INVALID_HANDLE (0xc008)
> error messsage was: Invalid handle
> Could not authenticate user administrator with challenge/response
>
> Does someone have any idea of what could go wrong? When I use squid and samba on different machines i usually join the squid machine to the domain using a net join, is this necessary when the pdc and squid are on the same machine?
>
> Victor Medina
> Samuel Goldwyn - "I don't think anyone should write their autobiography until after they're dead."

I think you should add lo to the interfaces listed in smb.conf

Best regards, David Wells.
Re: [Samba] Samba Password Question.
mpars...@uk.ey.com wrote:
> Hi All - Quick question.
>
> Is there anyway that when a user first invokes Samba to map to a network share that they are asked to change their (samba) password. I've got a whole bunch of (samba) users who all have been given the same password and I want them to have to change it to one of their own choosing upon first login.
>
> Kind Regards,
> Mark Parsons

Is samba the DC of the domain?

Best regards, David Wells.
Re: [Samba] how to access samba server from remote location
> The only problem with this is that a great many ISPs filter this type of traffic, for security reasons. I have had ISPs filter it for both inbound and outbound. Sometimes I am able to convince them to unblock it for me, and sometimes I am not.
>
> -wes

Hence the VPN between the branches so that you access an IP in a private space and not the public IP of the server.

Best regards, David Wells.
Re: [Samba] how to access samba server from remote location
Muthukumaran Saravanan wrote:
> Dear all,
>
> We have redhat 9 linux server configured with samba server. We have share folder in which we have lot of information. We want to all the users from our different branch office to access the samba server and share the information. In the local network we map the samba share folder as a drive. How to do the same in the remote location. Pls guide me.
>
> Regards
> M.Saravanan
> CCAT LTD
> 302, Koon Fook Centre, 9, Knutsford Terrace, T.S.T, Kowloon, Hong Kong.
> Phone: 28516318 Mobile : 61000856 Fax: 37434866

I have accomplished this by setting a VPN between the two locations using OpenVPN and then setting a PDC+BDC with an OpenLDAP user backend. It's all very well explained in the "Samba by example" that you can read in the samba site.

Best regards, David Wells.
[Samba] Rename a PDC
Hi all

I'm faced with the task to rename (its fqdn and its netbios name) a samba server running on Linux that acts as a PDC for a domain that has its information in an LDAP backend and I was wondering, if anyone knows, what complications could I expect from this, for example, regarding the SID of the domain users and their roaming profiles.

Any input will be greatly appreciated.

Best regards, David Wells.
Re: [Samba] Problems with Samba4 implimentation
Andrew Bartlett wrote:
> With Samba4, it *should* work just as AD does, however we don't currently support the full AD schema (which some of this functionality requires). Pretty much all the group policy stuff is client side, so Samba's role is surprisingly limited.
>
> Andrew Bartlett

Great to know about that! Thank you very much for the tip and sorry about the misleading reply.

Best regards, David Wells.
Re: [Samba] Problem with read/write access
Try with the "Force create mode" (or something similar to that, check the man page) option in smb.conf. Set it to 0777

> I update to the version Version 3.0.33-3.7.el5 and change the directory
> permission to 2775, i can't solve the problem, however if i cut and paste a
> file in this share, work fine.
> I think that the problem is in the file mask. When i create a file (right
> click > create new > new text file) the permission of the file created is
>
> -rwxrw-rw- agendaglm nobody0 feb 13 12:44 Nuevo Documento de texto (2).txt
>
> I configure the option create mask = 0777 to create a file with this
> permission.
>
> Javier Arancibia
>
> David Wells
> To: Javier Arancibia
> cc: samba@lists.samba.org
> Subject: Re: [Samba] Problem with read/write access
>
> Javier,
>
> What samba version are you using? I encountered this problem using some
> early version of the 3.0 tree and it got fixed upgrading samba. I would
> also consider using a directory permission of 2775 instead of the 0775 that
> you have used on the parent directory of the share adjusting the values in
> the smb.conf too.
>
> Best regards, David Wells.
>
> Javier Arancibia wrote:
> I add these users to the nobody group and add @nobody to "valid user" and
> "write list" however i can't modify the file content, rename files or
> create dirs, i can delete file.
>
> thanks!
>
> Javier
>
> David Wells
> 13/02/2009 10:59
> To: Javier Arancibia
> cc: samba@lists.samba.org
> Subject: Re: [Samba] Problem with read/write access
>
> Javier,
>
> If you mean to have usr1 and usr2 access this share I believe you
> should have them as members of the nobody group and in the valid users
> and write list have nobody group expressed as @nobody because plain
> nobody refers to the nobody user, not the nobody group.
>
> Best regards, David Wells.
>
> Javier Arancibia wrote:
> I configure Samba in Share mode, I can see the files but i can't
> write/delete files in the directory "agenda"
> The directory /o/aplic/NACSEG/agenda have this permission drwxrwxr-x and
> the owner and group is agendaglm nobody
> I have all valid users in the smbpasswd and /etc/passwd
>
> This is the smb.conf...THANKS!
>
> [global]
>    workgroup = GLMSA
>    server string = Samba Server
>    security = share
>    load printers = no
>    #log file = /var/samba/log/log.%m
>    max log size = 50
>    passdb backend = smbpasswd
>    dns proxy = no
>
> [agenda]
>    comment = Directorio Proceso de Agenda
>    path = /o/aplic/NACSEG/agenda/
>    valid users = usr1,usr2,nobody
>    write list = usr1,usr2,nobody
>    writable = yes
>    guest ok = no
>    force user = agendaglm
>    force group = nobody
>    read only = no
>    create mask = 0777
>    security mask = 0777
>    directory mask = 0777
>    force directory mode = 0777
>    directory security mask = 0777
>
> Javier
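Added example, not part of the thread: a simplified model of how smbd derives the Unix mode of a newly created file from the client's DOS attributes and the `create mask`, `force create mode` and `map archive` parameters as smb.conf(5) describes them. It assumes the client sets the archive bit on create and ignores ACLs, `inherit permissions` and the security mask parameters; the scenario names are constructed. It reproduces the -rwxrw-rw- listing quoted above and shows which settings leave new files writable by others.

```python
import stat

# DOS attribute bits sent by SMB clients.
DOS_READONLY, DOS_HIDDEN, DOS_SYSTEM, DOS_ARCHIVE = 0x01, 0x02, 0x04, 0x20


def new_file_mode(dos_attrs, create_mask=0o744, force_create_mode=0o000,
                  map_archive=True, map_system=False, map_hidden=False):
    """Model the Unix mode of a file created through a share.

    Parameter defaults follow the smb.conf(5) defaults of Samba 3.0.
    """
    mode = 0o666                              # rw for user, group and other
    if dos_attrs & DOS_READONLY:
        mode &= ~0o222                        # read-only drops every write bit
    if map_archive and dos_attrs & DOS_ARCHIVE:
        mode |= stat.S_IXUSR                  # archive bit -> owner execute
    if map_system and dos_attrs & DOS_SYSTEM:
        mode |= stat.S_IXGRP                  # system bit  -> group execute
    if map_hidden and dos_attrs & DOS_HIDDEN:
        mode |= stat.S_IXOTH                  # hidden bit  -> other execute
    mode &= create_mask                       # create mask is ANDed in
    mode |= force_create_mode                 # force create mode is ORed in
    return mode


def listing(mode):
    """Render a regular-file mode the way ls -l does."""
    return stat.filemode(stat.S_IFREG | mode)


def writable_by_others(mode):
    """True when any account on the server can modify the file."""
    return bool(mode & stat.S_IWOTH)


# Constructed scenarios (assumption: the client sets the archive bit on create).
SCENARIOS = {
    "Samba defaults": {},
    "create mask = 0777": {"create_mask": 0o777},
    "create mask = 0777, force create mode = 0777":
        {"create_mask": 0o777, "force_create_mode": 0o777},
    "create mask = 0660, force create mode = 0660":
        {"create_mask": 0o660, "force_create_mode": 0o660},
}


def evaluate():
    """Return {scenario name: resulting mode} for every scenario."""
    return {name: new_file_mode(DOS_ARCHIVE, **kw)
            for name, kw in SCENARIOS.items()}


if __name__ == "__main__":
    for name, mode in evaluate().items():
        flag = "  <- writable by others" if writable_by_others(mode) else ""
        print(f"{name:46} {listing(mode)} ({mode:04o}){flag}")
```

With `force group` set on the share, the last scenario keeps new files read-write for the share's group without granting anything to other local accounts.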
Re: [Samba] Problem with read/write access
Javier,

If you mean to have usr1 and usr2 access this share I believe you should have them as members of the nobody group and in the valid users and write list have nobody group expressed as @nobody because plain nobody refers to the nobody user, not the nobody group.

Best regards, David Wells.

Javier Arancibia wrote:
> I configure Samba in Share mode, I can see the files but i can't write/delete files in the directory "agenda"
> The directory /o/aplic/NACSEG/agenda have this permission drwxrwxr-x and the owner and group is agendaglm nobody
> I have all valid users in the smbpasswd and /etc/passwd
>
> This is the smb.conf...THANKS!
>
> [global]
>    workgroup = GLMSA
>    server string = Samba Server
>    security = share
>    load printers = no
>    #log file = /var/samba/log/log.%m
>    max log size = 50
>    passdb backend = smbpasswd
>    dns proxy = no
>
> [agenda]
>    comment = Directorio Proceso de Agenda
>    path = /o/aplic/NACSEG/agenda/
>    valid users = usr1,usr2,nobody
>    write list = usr1,usr2,nobody
>    writable = yes
>    guest ok = no
>    force user = agendaglm
>    force group = nobody
>    read only = no
>    create mask = 0777
>    security mask = 0777
>    directory mask = 0777
>    force directory mode = 0777
>    directory security mask = 0777
>
> Javier
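Added example, not part of the thread: a simplified model of how a name list such as `valid users` or `write list` is matched, using the prefixes documented in smb.conf(5) (`@` for NIS netgroup then Unix group, `+` for Unix group only, `&` for NIS netgroup only, no prefix for a user name). The group database and the account usr3 are constructed for illustration, and combined prefixes such as `+&` are not modelled.

```python
import shlex


def parse_name_list(value):
    """Split a smb.conf name list: entries are separated by commas or
    whitespace and may be quoted when a name contains spaces."""
    lexer = shlex.shlex(value.replace(",", " "), posix=True)
    lexer.whitespace_split = True
    lexer.escape = ""        # keep backslashes, e.g. DOMAIN\user
    lexer.commenters = ""    # '#' has no special meaning inside a value
    return list(lexer)


def classify(entry):
    """Return (kind, name) for one list entry."""
    prefixes = {"@": "netgroup-or-group", "+": "group", "&": "netgroup"}
    if entry[:1] in prefixes:
        return prefixes[entry[0]], entry[1:]
    return "user", entry


def is_listed(user, value, unix_groups, netgroups=None):
    """True if `user` matches some entry of the name list `value`.

    unix_groups / netgroups map a lower-case group name to its members.
    """
    netgroups = netgroups or {}
    user = user.lower()
    for entry in parse_name_list(value):
        kind, name = classify(entry)
        name = name.lower()
        if kind == "user":
            if name == user:
                return True
            continue
        if kind != "group" and user in netgroups.get(name, ()):
            return True
        if kind != "netgroup" and user in unix_groups.get(name, ()):
            return True
    return False


def user_entries_shadowing_groups(value, unix_groups):
    """Unprefixed entries whose name is also a group name: they match the
    user of that name only, never the members of the group."""
    return [e for e in parse_name_list(value)
            if classify(e)[0] == "user" and e.lower() in unix_groups]


# Constructed group database for illustration (usr3 is hypothetical).
GROUPS = {"nobody": {"usr1", "usr2", "usr3"}}

if __name__ == "__main__":
    for value in ("usr1,usr2,nobody", "usr1,usr2,@nobody"):
        print(f"valid users = {value}")
        print("  usr3 listed:", is_listed("usr3", value, GROUPS))
        print("  check these:", user_entries_shadowing_groups(value, GROUPS))
```

Running the last function over every `valid users`, `write list` and `admin users` line of a configuration is a quick way to find entries that grant access to one account where a group was intended, or the reverse.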
Re: [Samba] Problems with Samba4 implimentation
Hi Derwyn!

Even though I don't have any experience with Samba4 I don't think deploying software upgrades is even planned to be a part of the samba core. That's why I wanted to point you to www.wpkg.org where you can find a great piece of software that can help you with this matter.

David Wells.

derwyn wrote:
> Hi,
>
> I've managed to get samba4 up and running with some of the group functionalities tested and working. What I did get stuck on and asking for help is that I wanted to set up a users "Roaming" profile like in ADS. and also if it is possible to control software updates like AD. Just wanted to know if this was possible in samba4 and if yes can you please point me to the page where I can read about this or please help me with it.
>
> Derwyn
[Samba] Multiple subnets, multiple domains and one LDAP
Hi all.

I'm being asked to connect two networks, each having its own PDC and its own LDAP backend. I would like to know if it's possible to make both PDCs serve each a different domain with a single LDAP backend and having users from DOMAIN1 roaming to DOMAIN2 and vice versa. If it's of any use I have, in the past, set up a PDC+BDC configuration having replicating LDAP directories in two different locations (following the documentation of "The Official Samba 3.0.x HOWTO and Reference Guide" and "Samba-3 by Example") but I've been googling this one up and couldn't find any relevant information.

Any help would be greatly appreciated. Thank you very much in advance.

David Wells.