Re: AW: AW: [Samba] Help for Samba 3 and Win ADS
Hi Dieter,

Be very careful with the pam set up. If you make a mistake you might not be able to log back on the machine. The pam config editing is only necessary if you want AD users to access unix services, I mean non samba stuff, like ssh, ftp, su, xdm, pretty much things that will let them log on the machine. For samba share access you only need the samba and winbind part.

For users to be able to write to the samba shares you need to make sure of two things.

1. it is writeable = yes
2. the directory permissions are allowing those users to write to it (what you did already)
3. the create and directory mask match those permissions so newly created files or directories will be writeable too.

ie:

[global]
directory mask = 755
[]
create mask = 644

I hope this works.

Denis.

Dieter Wilkens wrote:

Hi Denis,

Thanks for help! After trying several things out I finally worked it out ;-) Now I can connect with the users from my WinDomain to the samba server - that's fine.

But: How do I create valid shares for the several groups? How can I set the rights for the different folders for different Windows-users & Windows-groups? Has this to be done on windows or on linux?

I just tried to set permissions with konqueror (if I type the name of my windomain in the field "user" I can see all valid entries in the field... So there is a connection to my PDC) to my existing samba share - but as soon as I try to create a folder from windows I get an error "permission denied" - the same happens if I try to change permissions from windows.. In windows I can see that I'm a valid user for this folder (all permissions) but I can't change permissions on this folder and also I can't add files or folders to it.

I only changed the samba entry in the pam.d folder:

Auth required pam_winbind.so nodelay
Account required pam_winbind.so nodelay
Session required pam_winbind.so nodelay
Password required pam_winbind.so nodelay

- do I have to change some more of these files to get this working?

Regards
Dieter

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: AW: [Samba] Help for Samba 3 and Win ADS
Hi Dieter,

There are several things you need to set up on the samba server for AD users to have access to it.

* To be in the AD/domain
- smb.conf with the proper security mode, password server and realm
- net join the AD
- make sure the samba machine shows up in the list of trusted computers and is properly accessible (DNS and that kind)
- make sure smbd, nmbd and winbind run

you can then check the list of users with the command

$ getent passwd

* To let users access unix services
- set up nsswitch.conf so passwd and group also use winbind
- set up pam properly, ie let it use winbind too.

I think this should work. At least that's what the doc says.

I am not really familiar with the error you're getting but it might be because you're not using winbind. Quote from the doc: "If winbindd is not running, smbd (which calls winbindd) will fall back to using purely local information from /etc/passwd and /etc/group and no dynamic mapping will be used."

So make sure winbind is running, the HOWTO explains how to add it to your /etc/init.d/samba. It might vary depending on where you got samba from (official package or distribution package). Chapter 21 is on winbind.

I hope it works out for you.

Denis

Dieter Wilkens wrote:

Hi Denis,

I just tried this but still I can't log on the samba server with a domain user! If I try to do so I get the error:

[2003/10/29 08:48:37, 0] auth/auth_util.c:make_server_info_info3(1017)
make_server_info_info3: pdb_init_sam failed!

in the log file of the client on samba server... Is there anything else I have to adjust on the samba server? I successfully joined the domain with ADS and can see the server from my windows machine - but as soon as I try to connect I get the error (except with one user that I created on the linux server)! Any ideas?

Here is my smb.conf

**
#=== Global Settings ===
[global]
log file = /var/log/samba/log.%m
server string = %h server (Samba %v)
socket options = TCP_NODELAY
encrypt passwords = yes
security = ads
realm =
workgroup =
password server =
syslog = 0

#== Shares =
[daten]
comment = Daten auf Debian
path = /daten
browsable = yes
guest ok = yes
**

-----Original Message-----
From: Denis M.J. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 28 October 2003 21:52
To: Dieter Wilkens
Cc: [EMAIL PROTECTED]
Subject: Re: [Samba] Help for Samba 3 and Win ADS

If you're joining the AD you can use the mode ADS with the lines

# smb.conf:
security = ADS
realm = your.kerberos.realm
encrypt passwords = yes
password server = MYWINPDC

please refer to section 7.4 (Domain Membership - Samba ADS Domain Membership) in the HOWTO.

Dieter Wilkens wrote:

Thanks for that hint. I downloaded the HOWTO and tried to make everything like described there but it is still not working ;-(

I set the 'security = domain', the 'workgroup = MYDOMAIN' and the 'password server = MYWINPDC' in the smb.conf and restarted samba. After that I tried the 'net join -S MYWINPDC -UMyAdmin%MyPassword' and get the following result:

'realm must be set in smb.conf for ADS join to succeed. ADS join did not work, faling back to RPC... Joined domain MYDOMAIN'

From the PDC I can see the samba server in ADS and in the network neighborhood. If I try to connect samba asks for a username and password (should be OK with the DOMAIN-Admin.). So I type in the Admin and Password but without getting a connection.

In the logfile on the samba server there are the following lines in 'log.MYWINPDC':

'[2003/10/28 10:18:50, 0] auth/auth_util.c:make_server_info_info3(1017)
make_server_info_info3: pdb_init_sam failed!
[2003/10/28 10:18:50, 0] auth/auth_util.c:make_server_info_info3(1017)
make_server_info_info3: pdb_init_sam failed!
[2003/10/28 10:19:28, 0] auth/auth_util.c:make_server_info_info3(1017)
nake_server_info_info3: pdb_init_sam failed!'

Any ideas what's going wrong here?

Regards
Dieter

"Adam Williams" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

Just started to play around with Samba 3 (on debian 3.0) and a win2000 domain. Can anyone help me to integrate the Samba server into the win domain? It should act as a file server for the users and groups from win and therefore I need different rights and permissions for the shares... Any help is appreciated ;-)

See the Samba-HOWTO-Collection available on the Samba website. It covers this in detail.
Re: [Samba] Help for Samba 3 and Win ADS
If you're joining the AD you can use the mode ADS with the lines

# smb.conf:
security = ADS
realm = your.kerberos.realm
encrypt passwords = yes
password server = MYWINPDC

please refer to section 7.4 (Domain Membership - Samba ADS Domain Membership) in the HOWTO.

Dieter Wilkens wrote:

Thanks for that hint. I downloaded the HOWTO and tried to make everything like described there but it is still not working ;-(

I set the 'security = domain', the 'workgroup = MYDOMAIN' and the 'password server = MYWINPDC' in the smb.conf and restarted samba. After that I tried the 'net join -S MYWINPDC -UMyAdmin%MyPassword' and get the following result:

'realm must be set in smb.conf for ADS join to succeed. ADS join did not work, faling back to RPC... Joined domain MYDOMAIN'

From the PDC I can see the samba server in ADS and in the network neighborhood. If I try to connect samba asks for a username and password (should be OK with the DOMAIN-Admin.). So I type in the Admin and Password but without getting a connection.

In the logfile on the samba server there are the following lines in 'log.MYWINPDC':

'[2003/10/28 10:18:50, 0] auth/auth_util.c:make_server_info_info3(1017)
make_server_info_info3: pdb_init_sam failed!
[2003/10/28 10:18:50, 0] auth/auth_util.c:make_server_info_info3(1017)
make_server_info_info3: pdb_init_sam failed!
[2003/10/28 10:19:28, 0] auth/auth_util.c:make_server_info_info3(1017)
nake_server_info_info3: pdb_init_sam failed!'

Any ideas what's going wrong here?

Regards
Dieter

"Adam Williams" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

Just started to play around with Samba 3 (on debian 3.0) and a win2000 domain. Can anyone help me to integrate the Samba server into the win domain? It should act as a file server for the users and groups from win and therefore I need different rights and permissions for the shares... Any help is appreciated ;-)

See the Samba-HOWTO-Collection available on the Samba website. It covers this in detail.
Re: [OT] [Samba] SPAM
Around 300 spam in less than one day. Sure it's not the list's fault, but come on. I guess this is not the right place to complain about it. :)

Denis J.
Re: [Samba] our windows APW can't add printer driver to samba domain member
Hi,

It seems installing the drivers with the rpcclient command worked. I still don't know why it doesn't work with APW.

Thanks a lot :)

Denis J.
Re: [Samba] our windows APW can't add printer driver to samba domain member
Thanks Daniel,

We've actually tried changing that. Also we've tried different permissions on the printers/W* directories, but still the same error on APW. We'll try to do it using rpcclient commands.

From what I gathered on websites describing what we're trying to do, the only difference between theirs and our configuration is the "security = user". Are the permissions different when using "security = ADS"?

So we'll try to install them that way. I'll tell you what happens after we've tried all those possibilities.

Denis. J

[EMAIL PROTECTED] wrote:

Hey DJ,

Driver Wizard on a Windows client, with a username part of the 'print admin' group, we get this error message: "Unable to install HP Lazerjet 4000 Series PCL 6, Windows 2000, Intel Driver. Access denied"

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
write list = root, @MYGROUP\Staff
create mask = 0700

Can /var/lib/samba/printers be reached by a member of @MYGROUP\Staff? What do the ownership permissions of the subdirectories look like? i.e. W32X86... W32X86/2... W32X86/3?

Your create mask of 0700 seems like it would be problematic for a few reasons, but mostly because your write list is group based, and other users will not be able to read files from print$.

~ Daniel
[Samba] installing printer drivers through APW problematic
Hi,

I'm part of an organization managing Windows clients with a couple of GNU/Linux servers. We're having some trouble configuring our Samba 3 Debian Linux server. It's just a domain member with authentication done with a Windows AD Domain Controller, it's supposed to be our new print server. The printers have already been set up for lprng.

Whenever trying to add a driver to any printer through the Add Printer Driver Wizard on a Windows client, with a username part of the 'print admin' group, we get this error message: "Unable to install HP Lazerjet 4000 Series PCL 6, Windows 2000, Intel Driver. Access denied"

All our printers are in /etc/printcap already. There are no entries for any of them in smb.conf

gutenberg:/var/log/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = MYGROUP
realm = MYGROUP.MYREALM
server string = %h server (Samba %v)
security = ADS
password server = PWDSERV
syslog = 3
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap uid = 1-2
idmap gid = 1-2
printer admin = root, @MYGROUP\Staff

[printers]
comment = All Printers
path = /var/spool/smbprint
create mask = 0700
printable = Yes
use client driver = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
write list = root, @MYGROUP\Staff
create mask = 0700

gutenberg:/var/log/samba#

We've read and re-read the chapters/section apropos in the doc, but can't find what we're doing wrong. Help or advice would be greatly appreciated :)

Kudos for all the samba people, samba is awesome :)

DJ
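Added example, not part of the original thread and not Samba's own code: a Python check for the two mask points raised above (Denis's advice that the create and directory masks must match the intended permissions, and Daniel's remark about `create mask = 0700` combined with a group-based write list). The `[print-variant]` share and its mask values are constructed for comparison, and the 0744/0755 defaults are the ones documented in smb.conf(5).

```python
import configparser

# Samba defaults per smb.conf(5), used when neither the share nor [global] sets a mask.
DEFAULTS = {"create mask": 0o744, "directory mask": 0o755}

# Constructed sample: [print$] as quoted in the thread, plus a hypothetical variant.
SAMPLE = r"""
[global]
log file = /var/log/samba/log.%m
[print$]
write list = root, @MYGROUP\Staff
create mask = 0700
[print-variant]
write list = root, @MYGROUP\Staff
create mask = 0664
directory mask = 0775
"""

def effective_mask(cfg, share, option):
    """Share setting wins, then [global], then the default. Masks are octal."""
    for section in (share, "global"):
        if cfg.has_option(section, option):
            return int(cfg.get(section, option), 8)
    return DEFAULTS[option]

def audit_shares(text):
    """Return {share: [findings]} for every share whose write list names a group."""
    # interpolation=None: smb.conf uses %m, %h etc., which configparser would reject.
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    report = {}
    for share in cfg.sections():
        names = cfg.get(share, "write list", fallback="").split(",")
        groups = [n.strip() for n in names if n.strip().startswith("@")]
        if share == "global" or not groups:
            continue
        findings = []
        for option, kind in (("create mask", "files"), ("directory mask", "directories")):
            mask = effective_mask(cfg, share, option)
            # The mask is an upper bound on new objects (force create mode and
            # force directory mode, not modelled here, can add bits back).
            if not mask & 0o040:
                findings.append(f"{option} {mask:04o}: new {kind} unreadable by group")
            elif not mask & 0o020:
                findings.append(f"{option} {mask:04o}: new {kind} not writable by group")
        report[share] = findings
    return report

if __name__ == "__main__":
    for share, findings in audit_shares(SAMPLE).items():
        print(share, findings or "masks allow group read/write")
```

Group bits only help when new files are group-owned by the group named in the write list, which this check assumes and does not verify.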