Re: [Samba] Extend Samba4 Schema Scope
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Vijay Thakur
Sent: Wednesday, 13 February 2013 4:21 PM
To: samba@lists.samba.org
Subject: [Samba] Extend Samba4 Schema Scope

Hi All Experts,

I am about to extend our production Samba4 schema to add a few intra-organizational attributes (Employee ID, Passport No., Date of Joining, Date of Leaving). How can I make the change in my samba4 schema? I have already made a post in the forum, but got no reply. Sorry for posting again. But precaution should be taken to prevent the server from any damage. Kindly help.

With Warm Regards,
Vijay Thakur
-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

A similar question was asked yesterday. Geza replied: https://wiki.samba.org/index.php/Samba4/Schema_extenstions is a good starting point.

Though a follow-up question would be, how do you define an index in Samba's LDB? In openldap it could be done via ldif such as:

dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: cn,gidNumber,uid,uidNumber eq

Is there such a construct for samba4 ldap?

Regards, Dewayne.
Re: [Samba] S3 as domain member with S4
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Hervé Hénoch
Sent: Monday, 11 February 2013 9:00 PM
To: samba-liste
Subject: [Samba] S3 as domain member with S4

Hello

How do I set up an S3 file server as a domain member with an S4 PDC server?

Regards
-- 
Hervé Hénoch
IT Manager
Institut Sainte Catherine
250 chemin de Baigne-Pieds
CS 80005
84918 AVIGNON cedex 9
Telephone: 04.90.27.57.44

Treat it in a manner similar to a Windows AD DC. I'm doing the same because the Samba3 smbd has less than 1/10 the memory footprint of the samba4 smbd. You will need to include --with-ads when you build your samba3 fileserver, and change smb.conf to use security = ADS.

I think it's also important to keep in mind the different language. Samba4 provides a much more sophisticated, feature-full Active Directory Domain Controller (AD DC), whilst Samba3 provided a Primary Domain Controller (PDC).

Ref: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#ads-member

Regards, Dewayne.
Re: [Samba] S3 as domain member with S4
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Hervé Hénoch
Sent: Tuesday, 12 February 2013 1:31 AM
To: Andrew Bartlett; samba-liste
Subject: Re: [Samba] S3 as domain member with S4

Thanks

I've followed the document and I can see in the AD the server included. But I have the following error when doing the following command:

net join -Uadministrateur
Using short domain name -- SC
Joined 'SSC011' to realm 'sc.isc84.org'
DNS Update for ssc011.sc.isc84.org failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed!

Moreover I can't access my server from a windows box with \\ssc011 (the name of my server).

My /etc/hosts:

127.0.0.1    ssc011.sc.isc84.org ssc011 localhost
192.168.77.4 ssc011.sc.isc84.org ssc011
192.168.77.1 vspdc.sc.isc84.org vspdc

sc is the samba3 domain
192.168.77.1 - is the samba4 PDC
192.168.77.4 - is the samba 3.6 file server which has the name ssc011

Regards

On 11/02/2013 12:02, Andrew Bartlett wrote:

On Mon, 2013-02-11 at 11:00 +0100, Hervé Hénoch wrote:

Hello

How do I set up an S3 file server as a domain member with an S4 PDC server?

You can join Samba 3.x or Samba 4.0 as a domain member of a Samba 4.0 AD DC in the same way you would join any other AD domain, e.g. 'net ads join'. See https://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#adssdm

-- 
Hervé Hénoch
IT Manager
Institut Sainte Catherine
250 chemin de Baigne-Pieds
CS 80005
84918 AVIGNON cedex 9
Telephone: 04.90.27.57.44

Herve,

Samba4 provides a lot of features though it does have some prerequisites; please review the HowTo, and particularly https://wiki.samba.org/index.php/Samba4/HOWTO#Step_7:_Configure_DNS noting the first line: "A working DNS setup is essential to the correct operation of Samba." It's a hard road (if you're not familiar with being a Windows Admin) but well worth the effort.

Regards, Dewayne.
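Dewayne's reply stresses that a working DNS setup is essential. As an added check that is not part of the thread, the following POSIX sh script reads a hosts table like the one Hervé posted (reproduced as a constructed sample with the run-together whitespace restored) and warns when a server's FQDN is mapped to a loopback address or to more than one address, so that local name resolution can be ruled out before debugging a failed DNS update.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a hosts table before
# chasing a failed AD DNS update. The sample below is a constructed copy of
# the /etc/hosts Herve posted, with the run-together whitespace restored.
HOSTS_SAMPLE='127.0.0.1    ssc011.sc.isc84.org ssc011 localhost
192.168.77.4 ssc011.sc.isc84.org ssc011
192.168.77.1 vspdc.sc.isc84.org vspdc'

# Print every address the given name is mapped to, in file order.
# Comment and blank lines are skipped; the first field is the address.
#   addrs_for <name> <hosts-text>
addrs_for() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == want) print $1 }'
}

# True (exit 0) when the name maps to a 127.x loopback address. Most resolvers
# take the first matching hosts entry, so a loopback line listed before the
# real address hides the address that other machines must reach.
on_loopback() {
    addrs_for "$1" "$2" | grep -q '^127\.'
}

# Number of distinct addresses the name maps to; more than one is ambiguous.
addr_count() {
    addrs_for "$1" "$2" | sort -u | wc -l | tr -d ' '
}

# Report both conditions for one name. Exit status 0 = clean, 1 = warnings.
check_hosts() {
    rc=0
    if on_loopback "$1" "$2"; then
        echo "WARN: $1 is mapped to a loopback address"
        rc=1
    fi
    if [ "$(addr_count "$1" "$2")" -gt 1 ]; then
        echo "WARN: $1 maps to several addresses: $(addrs_for "$1" "$2" | sort -u | tr '\n' ' ')"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 maps to a single non-loopback address"
    return "$rc"
}

# Check the file server and the DC from the posted table.
check_hosts ssc011.sc.isc84.org "$HOSTS_SAMPLE" || :
check_hosts vspdc.sc.isc84.org  "$HOSTS_SAMPLE" || :
```

On the posted table the file server's FQDN triggers both warnings while the DC's entry passes, which is the kind of discrepancy worth fixing before re-running the join.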
Re: [Samba] cannot join an existing AD as either a RODC or DC w/ samba4
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Mike Edwards
Sent: Saturday, 12 January 2013 4:20 AM
To: samba@lists.samba.org
Subject: Re: [Samba] cannot join an existing AD as either a RODC or DC w/ samba4

I'm stuck trying to figure out what the next step should be. Any hints on what I could try?

On Thu, Jan 10, 2013 at 04:53:59PM -0500, Mike Edwards babbled thus:

I'm unable to have samba4 join an existing AD domain as either an RODC (preferable) or merely a DC. AD domain is Win2k3, but we recently added a pair of Win2k8 DCs to it. Domain functional level is Win2k3.

### Adding samba4 as an RODC ###
*chomp*

### Adding samba4 as a DC ###
*chomp*

-- 
Mike Edwards                    | If this email address disappears,
Unsolicited advertisements to   | assume it was spammed to death. To
this address are not welcome.   | reach me in that case, s/-.*@/@/

Our progress as a nation can be no swifter than our progress in education. The human mind is our fundamental resource. -- John F. Kennedy

Mike,

I've spent a good part of the day trying to figure out the sequence for getting a samba4 AD DC and Samba4 RODC. From the Microsoft site, I recall seeing that RODC requires a domain functional level of W2k8R2. There is also a clue at (http://blog.tridgell.net/) to a wintest suite. Within your source tree you'll find test-s4-howto.py under /samba-4.0.3/wintest. It only talks about W2K8. There's also W2K8R2C and W2K8R2A which are machine names, so disregard.

Unfortunately without doc or list guidance, I'll defer trying to work out the incantation for a pure samba4 AD DC - RODC setup for the time-being. Tridge's video for a multimaster is enticing but uses 4.0.0Alpha11 http://blog.tridgell.net/?p=12

Good luck.

Regards, Dewayne.
Re: [Samba] Fwd: correction - Frustrated with there are currently no logon servers available
Bottom posted.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Morgan Toal
Sent: Saturday, 2 February 2013 10:12 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Fwd: correction - Frustrated with there are currently no logon servers available

OK,

How do I confirm the SID that the windows box is using? I can get the domain SID from net getlocalsid. I can get the user SID of a local user no problem.

In reference to unjoining and rejoining... does this require something more than:
1) userdel machine$
2) pdbedit --delete machine$

Additional Information: when I join the domain, and the message "welcome to the domain" appears, I get the following message immediately appear in my logs:

_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7 machine account WIN7$

Agh!

On 2/1/2013 10:44 AM, Mike Howard wrote:

On 01/02/2013 15:59, Morgan Toal wrote:

On 2/1/2013 8:54 AM, Morgan Toal wrote:

OK I feel even dumber now... I pasted the wrong text into my email due to my frustration level. The error is: "there are currently no logon servers available" as opposed to: "the network name is no longer available".

That error has always meant to me that the client in question has somehow become unjoined (for all intents and purposes). That is, its SID no longer matches that held by the PDC. Have you tried unjoining the domain, ensuring the client record has actually been removed and rejoining?

These are very frustrating.

I've found that playing with server/client signing and schannel is a great way to waste a weekend; though in this case, can I suggest that you comment out the line:

server signing = auto

From my notes in 201107,
# With signing=auto schannel=auto; can join domain and can access fileshares; CANT login
# With signing=no schannel=auto; can join and login; CANT access fileshare

Regards, Dewayne.
Re: [Samba] Question about implementing samba4 cleartext passwords
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Adrian Stoica
Sent: Thursday, 10 January 2013 12:22 AM
To: sa...@samba.org
Subject: [Samba] Question about implementing samba4 cleartext passwords

Hello

I want to create a domain using samba4 and from there authenticate users against AD. The challenge for me is that I have never worked with a domain or with ldap, and that I need to use AD users/passwords to authenticate not only the domain clients, but the mail users and perhaps the ftp or web users that are on other linux distros. Is it possible to implement an AD with samba4, and to retrieve user and password from that database for use on e.g. dovecot? How?

Many thanks,
Adrian Stoica

I'd encourage you not to consider working with plaintext passwords. A kerberos environment has many security/convenience (for the user) benefits. I'd suggest that you consider moving your other ftp, web and other services to be kerberised (kerberos-based), which may mean that your ftp and web software will need a rebuild. (Samba4 AD DC also performs NTLM (v2)).

This will provide some guidance, but it is a long road: https://wiki.samba.org/index.php/Samba4/beyond

Most (all?) services have kerberos or gssapi features.

Regards, Dewayne
Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use
-----Original Message-----
From: Michael Wood [mailto:esiot...@gmail.com]
Sent: Friday, 1 February 2013 12:22 AM
To: Andrew Bartlett
Cc: Dewayne; samba@lists.samba.org
Subject: Re: [Samba] Questions for minimal AD DC, DNS setup and Posix use

Hi

On 31 January 2013 13:56, Andrew Bartlett abart...@samba.org wrote:

On Thu, 2013-01-31 at 16:55 +1100, Dewayne wrote:

Our plan is to have one AD DC running in Head Office, RODCs at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications. Our current environment is Samba-3.6.9 PDC, BDCs, fileshares; openldap stores samba and posix, and acts as heimdal backend - for SSO.

My questions are:

AD DC

Are smbd and winbindd necessary on the AD DC? I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap and dns functionality remain. How can I produce a minimal AD DC:

1) Do I need smbd to parse the smb.conf for samba4 to start correctly?

On the AD DC, you start only 'samba'. We may start other binaries or provide services via plugins, but you only have to start 'samba'.

2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd?

You should just kill the parent 'samba' process and any child processes will notice this and go away. As you know, in general don't kill -9 stuff, as something may be in progress. I think tdb is safe for kill -9 these days, but it has always been best not to do this as a first choice.

I think for the above two questions he's asking how to run the samba binary without it spawning irrelevant (to him) things like smbd and winbindd.

-- 
Michael Wood esiot...@gmail.com

Thanks Michael, I am looking for an AD DC (authentication) server, which as I observe doesn't require smbd and winbindd. These will run on a separate (fileserving) server(s).

Andrew, I would like to avoid killing processes by not asking for them to start. :)

Regards, Dewayne.
[Samba] Questions for minimal AD DC, DNS setup and Posix use
Our plan is to have one AD DC running in Head Office, RODCs at Branches and a second writeable DC at a contingency site. Fileshares will run on separate servers. The Windows 2003/2008 Servers use authentication services from samba4 and run applications. Our current environment is Samba-3.6.9 PDC, BDCs, fileshares; openldap stores samba and posix, and acts as heimdal backend - for SSO.

My questions are:

AD DC

Are smbd and winbindd necessary on the AD DC? I would prefer to start samba with only what it needs to function. When I kill the smbd and winbindd processes, the kerberos, ldap and dns functionality remain. How can I produce a minimal AD DC:

1) Do I need smbd to parse the smb.conf for samba4 to start correctly?
2) If not, is there a better way than kill -9 to achieve the result of samba4 without smbd, winbindd?

For readers new to RODC, this is useful: http://technet.microsoft.com/en-us/library/cc772234(v=ws.10).aspx

DNS

DNS is required in Samba4 AD DC as explained here http://blog.tridgell.net/?p=122 (Coming from a samba3 background, Tridge's article is informative). The internal DNS works like a dream. However the internal DNS doesn't slave to a master DNS, so --dns-backend=BIND9_DLZ is the best option for a complex environment using Windows servers as members or DCs. However:

3) For Samba4 AD DC to act purely as an authentication engine, within UNIX-only servers where PCs and WinServers are effectively desktops for users; can I use --dns-backend=NONE without loss of DRS or RODC functionality? (Or are these contradictory requirements.)
4) If we need to redesign our DNS infrastructure, is it sufficient that a dhcp server provide updates to bind9-DLZ (as a component of Samba4 AD DC)?

Posix

In a Samba3 world, I rely upon smbldap-tools (http://gna.org/projects/smbldap-tools) to manipulate user/group information, including assignment of uidNumber/gidNumber that is unique to an individual, per IT audit instruction. I would greatly appreciate guidance on how to set/use posix on Samba4. I've spent 4 hours trolling the web and mailing list searches with hints or scripts, so

5) Do I need to manually add the ldap posixAccount object to each user's ldap record, or is there an option in samba-tool user create that I haven't found? Next issue is how to manage the uidNumber/gidNumber content? {This was being worked: http://samba.2283325.n4.nabble.com/Enabling-idmap-ldb-use-rfc2307-yes-on-2-DCs-td4637386.html ?}
6) Is there any mechanism that allows me to change the uids being assigned to files that are created by Samba AD DC to be the same as pre-existing uids used by Samba3? For example changing uid 320 to 1046, or gid 319 to 1001?

Miscellaneous

7) Will the list of smb.conf options described in samba4 source folder source4/TODO be updated to reflect what appears in testparm -vss? It's a little confusing as to which takes precedence.

With some instruction, I'd be happy to update/maintain some wiki information for others' benefit.

Regards, Dewayne.
Re: [Samba] samba4 anonymous ldap search
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Hannu Tikka
Sent: Wednesday, 2 January 2013 6:24 PM
To: samba@lists.samba.org
Subject: [Samba] samba4 anonymous ldap search

I'm using a Version 4.1.0pre1-GIT-e4218e4 samba4 server. It nicely allows anonymous ldap searches; the latest versions do not allow that. I have followed Microsoft's kb326690 and kb320528 guides, but they seem not helpful. Is anonymous ldap possible anymore?

regards
Hannu

Hannu,

There was a change within a fortnight of the samba 4.0.0 release affecting ACL controls that restricted anonymous LDAP searches; if you are able to review the mailing lists for samba and samba-technical, you'll find the details. The intent was to restrict access to confidential password information, a good thing. I recall a release/upgrade is scheduled for January 22 which may provide more granular control for ACLs. Karolin Seeger provides release schedule guidance at http://wiki.samba.org/index.php/Release_Planning_for_Samba_4.0

Regards, Dewayne
Re: [Samba] Problem with Samba4 installation - trouble at kinit
Lee,

I've experienced a similar problem - no active kdc. Adding the following to my smb.conf:

interfaces = YOUR_S4_IP
bind interfaces only = yes

and restarting the samba suite resulted in the kdc starting and listening (on port 88).

I then needed to install heimdal 1.5.1 on my FreeBSD 9.1 system (from their ports system) and used this command:

kinit --windows administrator@LAN

to acquire a TGT. The base heimdal (1.1) on FreeBSD 9.1R fails to acquire a TGT.

Regards, Dewayne
Re: [Samba] Samba4 and phpLdapAdmin
Stephen,

Thanks for sharing sage advice. I've used http://www.ldapadmin.org to manage my SAMBA3 PDCs' ldap since 2005, an excellent tool. However when accessing SAMBA4 AD, the Directory started to misbehave. It was a test system so I blew it away, assuming that something was incorrectly written to the ldb.

Regards, Dewayne.
Re: [Samba] Samba4 for AD using existing LDAP, Kerberos, and Bind Setup.
David,

I'd echo Gemes' comment about posting your question to the samba-techni...@lists.samba.org list, which would be more appropriate. There is some topical discussion going on there regarding the content of a samba4 Beta release, and your question would be well timed. I'd suggest that you also consider samba4 on existing dhcp, dns and ntp infrastructure.

Good sources of information are at:

WhatsNew - http://gitweb.samba.org/?p=samba.git;a=blob;f=WHATSNEW.txt;h=8798a875cc7618da819e9ecd1db6cb7f25f85a94;hb=edb15ffef29fbb69a4d1dfc862fe8d6a3a027347

Other useful references:
1. https://wiki.samba.org/index.php/Samba4/HOWTO
2. https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
3. https://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO
4. Last updated March 2011 https://wiki.samba.org/index.php/Samba4_DRS_TODO_List#Support_RODC

Kind regards, Dewayne.
Newbie question on RPMs
Hello,

I'm a relative newcomer to Linux so please bear with me. I'm setting a Linux server up on my network and I want to implement Samba. However, I need ADS support, so I wanted to use Samba3. My server is running SuSE Linux and there is, as of yet, no Samba RPM in the distribution list. Would I be able to use the RedHat RPMs? I've tried a build from the source, but am getting errors that I'm not yet at an experience level to debug.

Thanks in advance,
DeWayne Thomas