RE: [Samba] NT clients syncronyzing in a Samba PDC Domain
I understand that I'm not using roaming profile, because the logon path is empty. The only difference in this domain is that I'm using winbind to the remote domain users (that is a trusted domain) be able to print in my domain. The message is something like: syncronizing \\server\username in SERVER. This happens just after logoff.

Open Windows Explorer.
Click on your C: drive
Click Tools-Folder Options
Click the Offline Files tab
Uncheck Enable Offline Files and all the other boxes for that matter

I think that should take care of the problem.

Cool. It really disabled it. My question, however, is can it could be get activated if I made a classical samba and Windows installation.

I'm not sure I understand your question but I am pretty confident that this behavior is on by default on Windows and that you can disable/enable the offline file synchronization for all joined workstations to a domain through policies. I am not doing this myself so I may be wrong.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
RE: [Samba] NT clients syncronyzing in a Samba PDC Domain
I understand that I'm not using roaming profile, because the logon path is empty. The only difference in this domain is that I'm using winbind to the remote domain users (that is a trusted domain) be able to print in my domain. The message is something like: syncronizing \\server\username in SERVER. This happens just after logoff.

Open Windows Explorer.
Click on your C: drive
Click Tools-Folder Options
Click the Offline Files tab
Uncheck Enable Offline Files and all the other boxes for that matter

I think that should take care of the problem.
RE: [Samba] SAMBA LDAP PDC - LAM LDAP ACCOUNT MANAGER
Adrian,

I really have run out of options here, and I don't know how to resolve this issue. I have a Samba LDAP primary domain controller. I have been using LAM - LDAP Account Manager to manage the accounts. The command line appears to be working correctly ie - getent passwd, getent group, id username, id computer, adding and removing accounts.

Problem: When I logon to the LAM page (ldap account manager) and try to login I get an error

    LDAP error, server says: (-1) Can't contact LDAP server

LAM is configured correctly, and it used to work. I am almost positive this is not a LAM issue. Here is a log I get from typing:

    [EMAIL PROTECTED] openldap]# tail -100 /var/log/messages
    Jul 11 14:30:36 node1 ldap: slapd startup succeeded
    Jul 11 14:30:39 node1 smb: smbd shutdown succeeded
    Jul 11 14:30:40 node1 smb: nmbd shutdown succeeded
    Jul 11 14:30:40 node1 smb: smbd startup succeeded
    Jul 11 14:30:40 node1 smb: nmbd startup succeeded
    Jul 11 14:30:50 node1 kernel: audit(1121056250.376:0): avc: denied { connect } for pid=4637 exe=/usr/sbin/httpd scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t tclass=tcp_socket

It looks like from your log that SELinux is maybe in enforce mode and that it maybe not allowing the httpd process to run as it needs to. Maybe if you temporarily set your mode to permissive and see. This might explain why LAM which relies on httpd doesn't work but all your other functionality directly related to LDAP seemed to work.

Doug

Any help or suggestions would be greatly appreciated. Please email me suggestions or solutions: [EMAIL PROTECTED]

Many Thanks
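Added example, not part of the original message: a small Python parser for the SELinux AVC line quoted in the message above, which pulls out the confined domain, the denied permission and the object class so that a blocked outbound connection from httpd can be told apart from an LDAP server fault. The sample log is constructed from the lines in the post; the function names are hypothetical.

```python
import re

# Constructed sample: three of the syslog lines quoted in the post.
SAMPLE_LOG = """\
Jul 11 14:30:36 node1 ldap: slapd startup succeeded
Jul 11 14:30:40 node1 smb: smbd startup succeeded
Jul 11 14:30:50 node1 kernel: audit(1121056250.376:0): avc: denied { connect } for pid=4637 exe=/usr/sbin/httpd scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t tclass=tcp_socket
"""

# audit(<epoch>.<ms>:<serial>): avc: denied { perms } for key=value ...
AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+)\.\d+:\d+\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SOCKET_CLASSES = {"tcp_socket", "udp_socket", "unix_stream_socket"}
CONNECT_PERMS = {"connect", "name_connect"}


def _se_type(context):
    """Return the type field (third element) of a user:role:type context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one syslog line; return a dict for AVC records, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "epoch": int(m.group("epoch")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "exe": fields.get("exe"),
        "source_type": _se_type(fields.get("scontext", "")),
        "target_type": _se_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }


def blocked_connections(log_text, exe=None):
    """Return AVC denials where a process was refused a socket connect."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if rec["tclass"] not in SOCKET_CLASSES:
            continue
        if not CONNECT_PERMS.intersection(rec["perms"]):
            continue
        if exe is not None and rec["exe"] != exe:
            continue
        hits.append(rec)
    return hits


def summarize(rec):
    """One-line description of a denial for an incident note."""
    return "pid {pid} ({exe}) in domain {source_type} was denied {perms} on {tclass}".format(
        pid=rec["pid"], exe=rec["exe"], source_type=rec["source_type"],
        perms=",".join(rec["perms"]), tclass=rec["tclass"],
    )


if __name__ == "__main__":
    for record in blocked_connections(SAMPLE_LOG, exe="/usr/sbin/httpd"):
        print(summarize(record))
```

A denial like this one is consistent with the symptom in the thread: the web application cannot open a TCP connection while the command-line LDAP tools, which do not run in the httpd_t domain, keep working.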
RE: [Samba] Users' Profiles
I am having an issue with users' profiles under the SAMBA environment. The users would be using a Windows XP Pro workstation that is under the SAMBA domain. Ever since SAMBA was implemented, I would have to recreate users' profiles intermittently. Whenever this happens, the users would be prompted with an error message which states that it is unable to log onto the local profile and it would eventually create a temporary profile when logging in. Just this morning, I made the attempt to just reboot the workstation when the issue happened again. Surprisingly, it worked and I did not have to recreate the user's profile. Do you happen to know why? What do I need to do to prevent this issue from happening again?

I don't think this is a Samba issue as I have had this occur with our Win2K server and XP Pro clients as well. Don't know what causes it but rebooting the workstation seems to take care of the problem.

hardly the type of investigative problem solving that inspires confidence in the system administrator... I have seen several instances when Microsoft stuff such as Outlook or Windows Media Player creates files like prf9.tmp and these files are poisonous to loading a roaming profile (substitute other numbers for the 9).

If you were having the same problem that I had, that won't help since I wasn't using roaming profiles. I was using folder redirection but that won't cause the prf .tmp files to be created since a profile is not being synchronized. I guess it is possible that the problem is caused by a bad nic but I can't say whether that was my problem since I switched server hardware shortly after the problem occurred and haven't seen it since. No reason to bother investigating something that isn't there any more. I do stand by the point of my original response though by simply stating that I don't believe this problem is caused by something inherent in Samba.

Doug
RE: [Samba] Users' Profiles
I am having an issue with users' profiles under the SAMBA environment. The users would be using a Windows XP Pro workstation that is under the SAMBA domain. Ever since SAMBA was implemented, I would have to recreate users' profiles intermittently. Whenever this happens, the users would be prompted with an error message which states that it is unable to log onto the local profile and it would eventually create a temporary profile when logging in. Just this morning, I made the attempt to just reboot the workstation when the issue happened again. Surprisingly, it worked and I did not have to recreate the user's profile. Do you happen to know why? What do I need to do to prevent this issue from happening again?

I don't think this is a Samba issue as I have had this occur with our Win2K server and XP Pro clients as well. Don't know what causes it but rebooting the workstation seems to take care of the problem.

Doug
RE: [Samba] Error with usrmgr and groups.
I have a problem when using samba together with usrmgr. When adding a global group I get an error message. The group is still created. You can't see before you refresh but that's a minor detail.

Joel,

I submitted a bug report on this a month or so back but it is still marked as new. Maybe take a look and see if what I describe there is the same problem as you are having (it sounds like it to me). Here is the link:

https://bugzilla.samba.org/show_bug.cgi?id=2509

Doug

In the logfiles

    May 10 17:47:27 lanchester smbd[28424]: [2005/05/10 17:47:27, 0] passdb/pdb_tdb.c:tdbsam_tdbopen(195)
    May 10 17:47:27 lanchester smbd[28424]: Unable to open/create TDB passwd
    May 10 17:47:27 lanchester smbd[28424]: [2005/05/10 17:47:27, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(488)
    May 10 17:47:27 lanchester smbd[28424]: pdb_getsampwrid: Unable to open TDB rid database!

Also, when trying to add or remove members of the group the same error message appears in the log file. And the error message in usrmgr is

    The user name could not be found.

It appears when I try to add or remove more than one user, but sometimes it appears when just adding or removing one user. If I instead click on the user and add a group it works fine 100% of the times. Any ideas what could be wrong? I have tried both 3.0.11 and 3.0.14a but there is no difference.

Cheers,
Joel
RE: [Samba] Unable to create new files in share
I have a share with the following share definition:

    [HR_PR]
    path = /data/samba/shares/HR_PR
    valid users = @hr @acct_admin
    browseable = yes
    public = no
    guest ok = no
    force group = hr
    inherit acls = yes
    create mode = 770

The UNIX permissions on the directory are as follows:

    drwxrwx--- 2 root hr 4096 Apr 18 09:47 /data/samba/shares/HR_PR

When I 'su' to my user on the server, I can 'touch' new files just fine. However when she tries to create a new file, she gets the following error: Also when she tries to modify any file, she gets access denied. Every file in the directory has mod 770 with owner being root and hr being the group. There are no ACLs defined for this share.

I believe you need to add

    read only = no

The default value according to the man page is yes which would keep you from creating or modifying files in the share.

Doug
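Added example, not part of the original message: a Python check that works out whether a share is effectively read-only, applying the `read only` default of yes cited in the reply above and the inverted synonyms `writeable`, `writable` and `write ok` documented in the smb.conf man page. The first share is constructed from the definition in the post; the other two shares, the function names and the whitespace-insensitive name matching are assumptions of this example.

```python
# Constructed sample: [HR_PR] is the posted share; the other two are hypothetical.
SAMPLE_CONF = """\
[HR_PR]
path = /data/samba/shares/HR_PR
valid users = @hr @acct_admin
browseable = yes
public = no
guest ok = no
force group = hr
inherit acls = yes
create mode = 770

[HR_PR_fixed]
path = /data/samba/shares/HR_PR
valid users = @hr @acct_admin
read only = no

[HR_PR_alt]
path = /data/samba/shares/HR_PR
; inverted synonym for "read only"
writeable = yes
write list = @acct_admin
"""

TRUE_WORDS = {"yes", "true", "1", "on"}
FALSE_WORDS = {"no", "false", "0", "off"}

# Normalised parameter name -> True when the value must be inverted.
READ_ONLY_PARAMS = {"readonly": False, "writeable": True,
                    "writable": True, "writeok": True}


def parse_bool(value):
    """Convert an smb.conf boolean word to True/False."""
    word = value.strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    raise ValueError("not an smb.conf boolean: %r" % value)


def parse_smb_conf(text):
    """Return {section: [(normalised_name, raw_name, value), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Assumption: names are compared ignoring case and spaces.
            norm = "".join(name.split()).lower()
            sections[current].append((norm, name.strip(), value.strip()))
    return sections


def share_write_status(text, share):
    """Effective read-only state of a share and which line decided it."""
    sections = parse_smb_conf(text)
    key = share.lower()
    if key not in sections:
        raise KeyError(share)
    status = {"read_only": True, "decided_by": "built-in default", "write_list": []}
    # [global] service parameters act as defaults; the share overrides them.
    for scope in ("global", key):
        for norm, raw_name, value in sections.get(scope, []):
            if norm in READ_ONLY_PARAMS:
                flag = parse_bool(value)
                status["read_only"] = (not flag) if READ_ONLY_PARAMS[norm] else flag
                status["decided_by"] = "[%s] %s = %s" % (scope, raw_name, value)
            elif norm == "writelist":
                status["write_list"] = value.replace(",", " ").split()
    return status


if __name__ == "__main__":
    for name in ("HR_PR", "HR_PR_fixed", "HR_PR_alt"):
        print(name, share_write_status(SAMPLE_CONF, name))
```

The posted share comes back read-only by default even though the directory is group-writable, which is the least-privilege behaviour to expect: write access has to be granted explicitly in the share definition.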
RE: [Samba] error msg using testparm
    [orb]
    [data]
    [usb-storage-]
    [media]
    [cdrecorder]
    [printers]
    path = /var/spool/samba
    printable = Yes
    [homes]
    [more]
    [mnt]

It seems you forgot to specify what you are sharing for all of your shares excepting printers so you might start with specifying path = parameter.

Doug
RE: [Samba] Samba and slapd.conf's TLSVerifyClient
Either way, my question is where do I specify the client certificate for Samba to use? or put another way, does Samba even support this?

evidently, no one else wanted to answer...

Thank you for trying :) Maybe no one knows the answer :(

samba has no means to provide a client certificate that I am aware of. Samba should be using nss/padl stuff so in a RHEL / Fedora environment, any references to certificates should be in /etc/ldap.conf and I believe that should encompass options not specified in smb.conf directly. Thus samba isn't providing a certificate because it cannot do so but would rely upon other external methods (nss/padl) if that is configured to do so.

This actually is not the case. Samba appears to reference the OpenLDAP client ldap.conf stored on my system in /etc/openldap. I can show this in the following way:

1. Comment out reference to the ca cert in both padl and openldap ldap.conf files.
2. Restart Samba
3. The process hangs for a while with many errors indicating that Samba is failing in starting a TLS connection.
4. Restore the ca cert reference in the padl ldap.conf and restart Samba, same result as before.
5. comment out padl reference, restore openldap's ldap.conf ca cert reference and restart Samba. Samba starts fine.

This is why I found it necessary to say that I had this process working for PADL stuff (like doing a su username or getent passwd), smbtools-ldap (the smbldap-tools.conf file allows defining of all the necessary certificates to use) and ldapsearch. The problem I see is that Samba uses the openldap global ldap.conf but that the tls_cert and tls_key directives are user level directives. So, for example, in order to get ldapsearch to work with the TLSVerifyClient demand directive, I have to specify the tls_cert and tls_key directives in root's .ldaprc file. Samba from what I have been able to discern does not have a .ldaprc file of its own and it does appear to use root's .ldaprc file.

Would this be considered a samba bug if it does indeed not have a way to specify a client certificate or would this considered a desired feature?

Oh and it's rather rude to cross post the same message to different message bases - if you're gonna do that, you should have the courtesy of an announcement.

Sorry. Why is this rude? I posted the question first in the ldap-interop and then thought that maybe it would make sense to ask the samba mailing list as well. I don't see how this would offend anyone. I apologize if it did.

Doug
[Samba] Samba and slapd.conf's TLSVerifyClient
I have Samba 3.0.13 and LDAP 2.2.24 installed. I have placed the following directive in my slapd.conf file.

    TLSVerifyClient demand

I have the PADL stuff configured and working fine. ldapsearch with -ZZ works fine. I even have the Idealx smbldap-tools working fine. Samba won't work though unless I set

    TLSVerifyClient try

According to the slapd.conf man page, try causes a client certificate to be requested. If no client certificate is returned then the session proceeds normally. If a client certificate is returned and it is bad the session is terminated otherwise it should proceed normally.

This seems to mean that either

1. Samba doesn't provide a client certificate or
2. Samba is providing a bad client certificate

Either way, my question is where do I specify the client certificate for Samba to use? or put another way, does Samba even support this?

Thanks!

Doug
RE: [Samba] Need help with log creation
Ed,

For the life of me, I can not figure out why I keep getting 2 logs for each daemon.

In smb.conf:

    log file = /var/log/samba/%m.log

In smb init script:

    CONFIG=/etc/samba/smb.conf

When I use the init script to start samba, it logs to log.*. When the logs rotate however and they are restarted with /bin/kill -HUP `cat /var/run/smbd.pid etc., it logs as specified in the config file. So I am left with log.smbd _and_ smbd.log depending on how they are started/restarted. Is there a setting somewhere (probably obvious) that I am missing? Running Samba 3.0.13 on RH 7.2

Thanks in advance for any hints as to what I am missing...

I am probably way off here but I know initially I was running a slightly earlier version of Samba than 3.0.13 and my logs defaulted to smbd.log, now they are log.smbd. Is it possible that you somehow have two different versions of Samba running on your machine?

Doug
[Samba] Adminstrator Domain SID?
In the Samba How-To Chapter 13 it says:

The Administrator Domain SID

Please note that when configured as a DC, it is now required that an account in the server's passdb backend be set to the domain SID of the default Administrator account. To obtain the domain SID on a Samba DC, run the following command:

    root# net getlocalsid
    SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299

You may assign the Domain Administrator rid to an account using the pdbedit command as shown here:

    root# pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r

Question: Is this information still valid after samba 3.0.11? I didn't do this but things seem to be working fine. If the information is still valid, what would not having it affect?

BTW, I am using the ldapsam backend.

Thanks!

Doug
RE: [Samba] Adminstrator Domain SID?
On Tuesday 29 March 2005 21:57, Doug Campbell wrote:

In the Samba How-To Chapter 13 it says:

The Administrator Domain SID

Please note that when configured as a DC, it is now required that an account in the server's passdb backend be set to the domain SID of the default Administrator account. To obtain the domain SID on a Samba DC, run the following command:

    root# net getlocalsid
    SID for domain FOO is: S-1-5-21-4294955119-3368514841-2087710299

You may assign the Domain Administrator rid to an account using the pdbedit command as shown here:

    root# pdbedit -U S-1-5-21-4294955119-3368514841-2087710299-500 -u root -r

Question: Is this information still valid after samba 3.0.11? I didn't do this but things seem to be working fine. If the information is still valid, what would not having it affect?

Yes, it is!

OK.

But what is the name of your administrator account? What is the SID for this account?

I currently only have three user accounts named: Administrator, dcampbell and nobody

Both Administrator and dcampbell are in the Domain Admins group. The SIDs are as follows:

    Administrator SID: S-1-5-21-52543480-3766940008-3731351578-2996
    dcampbell SID: S-1-5-21-52543480-3766940008-3731351578-3006
    nobody SID: S-1-5-21-52543480-3766940008-3731351578-2998
    Domain Admins SID: S-1-5-21-52543480-3766940008-3731351578-512

You do realize, I hope, that the RID=500 means the account is the Administrator for Windows clients. Any other RID will be seen by the Windows workstation (client) as an account other than the real Administrator.

Doesn't the fact that these accounts are in the Domain Admins group make them real Administrators too? I seem to have Administrative access to my local machine just by being a member of the Domain Admins group. Just now, I went ahead and set the Administrators account RID to 500 and removed it entirely for the Domain Admins group. I wasn't able to use it anymore to add a machine. I expected this to be the case since being in the Domain Admins group and having assigned it the new SE...Privilege settings was what was allowing it to administrate the domain.

What more must we do to clarify the wording so that everyone clearly gets the message? What is not clear in the documentation?

I guess for me it would help to know what doing this step is supposed to accomplish. If I can understand what the purpose of this is, I might be able to help in clarifying the wording. Could you explain this in a little more detail, please?

Thanks!

Doug
[Samba] Possible documentation error in Chapter 8. Migrating NT4 Domain to Samba-3
Looking through this chapter today and ran across the following inconsistency under the section NT4 Migration Using LDAP Backend.

Step 3 says

3. Create a file called preload.LDIF as shown in Example 8.1. Edit the contents so that the domain name and SID are correct for the site being installed.

Then step 4 says

4. Preload the LDAP database so it is ready to receive the information from the NT4 PDC. This pre-loads the LDAP directory with the top-level information, as well as the top level containers for user, group, computer, and domain account data. Execute the instruction shown here:

    root# slapadd -v -l preload.LDIF
    added: dc=abmas,dc=biz (0001)
    added: cn=Manager,dc=abmas,dc=biz (0002)
    added: ou=People,dc=abmas,dc=biz (0003)
    added: ou=Computers,dc=abmas,dc=biz (0004)
    added: ou=Groups,dc=abmas,dc=biz (0005)
    added: ou=Idmap,dc=abmas,dc=biz (0006)
    added: sambaDomainName=MEGANET,dc=abmas,dc=biz (00

The Problem: Example 8.1 does not include information for ou=Computers,dc=abmas,dc=biz and cn=Manager,dc=abmas,dc=biz.

I guess something like the following should be added to the Example 8.1 ldif

    dn: ou=Computers,dc=abmas,dc=biz
    objectClass: top
    objectClass: organizationalUnit
    ou: Computers

Also, since cn=Manager,dc=abmas,dc=biz is the rootbinddn used in Chapter 6's example, I don't think it would need to be in the directory anyway but that could be something I just don't understand yet concerning LDAP.

Doug
RE: [Samba] Coule really use some help (Samba PDC)
John,

Anyway, I am here. When trying to join a domain with the administrator account I get

    no mapping between account name and security ID's was done

And the joining fails... All the needed files are attached, from the ldap log. to the samba.conf to the ldifs of the machine, root and admin account. Trying with the root account nets me the same error

in smbusers I noticed an entry i never made

    root = administrator

software versions:

    [EMAIL PROTECTED] openldap-data]# rpm -qa |grep samba
    samba-3.0.11-1
    samba-swat-3.0.11-1
    samba-client-3.0.11-1
    samba-common-3.0.11-1

I am assuming the rpm or something else made that mapping. I dunno...

This entry is normal, I believe. But according to your smb.conf file, you aren't using the username map parameter, so the fact the file is there shouldn't matter.

    net groupmap list
    Engineering (S-1-5-21-1391849139-953726148-1374988380-9005) - Engineering
    Staff (S-1-5-21-1391849139-953726148-1374988380-9003) - Staff
    Sales (S-1-5-21-1391849139-953726148-1374988380-9007) - Sales
    Administration (S-1-5-21-1391849139-953726148-1374988380-9009) - Administration
    Domain Admins (S-1-5-21-3107161993-1039155829-3332455197-512) - Domain Admins
    Domain Users (S-1-5-21-3107161993-1039155829-3332455197-513) - Domain Users
    Domain Guests (S-1-5-21-3107161993-1039155829-3332455197-514) - Domain Guests
    Domain Computers (S-1-5-21-3107161993-1039155829-3332455197-515) - Domain Computers
    Administrators (S-1-5-32-544) - Administrators
    Print Operators (S-1-5-32-550) - Print Operators
    Backup Operators (S-1-5-32-551) - Backup Operators
    Replicators (S-1-5-32-552) - Replicators

I don't know if this will help you with your problem or not. I'm very new to Samba but you will notice that your group SIDs aren't consistent. My guess is that this could be causing some of your problems. You could try:

    net getlocalsid

to find out what your SID is supposed to be. Then verify that you have set that correctly in your smbldap.conf file for the Idealx tools.

    ldap suffix = o=ventusnetworks.com,dc=na
    ldap filter = ((uid=%u)(objectclass=sambaSamAccount))
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=Staff
    ldap group suffix = ou=Groups
    ldap admin dn = cn=Manager,dc=na

Also, I am a newbie to LDAP too but shouldn't your suffixes be the full DN. For example, instead of

    ldap machine suffix = ou=Computers

shouldn't it be

    ldap machine suffix = ou=Computers,o=ventusnetworks.com,dc=na

or whatever your DN is?

Doug
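Added example, not part of the original messages: a Python audit that serves both the Administrator Domain SID thread and the groupmap reply above. It splits each SID into domain prefix and RID, groups the `net groupmap list` entries by domain prefix to expose mixed domain SIDs, and reports which account, if any, holds RID 500. The sample data is constructed from the values quoted in those two threads; the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Well-known domain RIDs referred to in the threads above.
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers"}
BUILTIN_PREFIX = "S-1-5-32"

# Constructed from the 'net groupmap list' output quoted in the post.
GROUPMAP_SAMPLE = """\
Engineering (S-1-5-21-1391849139-953726148-1374988380-9005) - Engineering
Staff (S-1-5-21-1391849139-953726148-1374988380-9003) - Staff
Sales (S-1-5-21-1391849139-953726148-1374988380-9007) - Sales
Administration (S-1-5-21-1391849139-953726148-1374988380-9009) - Administration
Domain Admins (S-1-5-21-3107161993-1039155829-3332455197-512) - Domain Admins
Domain Users (S-1-5-21-3107161993-1039155829-3332455197-513) - Domain Users
Domain Guests (S-1-5-21-3107161993-1039155829-3332455197-514) - Domain Guests
Domain Computers (S-1-5-21-3107161993-1039155829-3332455197-515) - Domain Computers
Administrators (S-1-5-32-544) - Administrators
Print Operators (S-1-5-32-550) - Print Operators
Backup Operators (S-1-5-32-551) - Backup Operators
Replicators (S-1-5-32-552) - Replicators
"""

# Constructed from the account SIDs listed in the Administrator SID thread.
ACCOUNTS_SAMPLE = {
    "Administrator": "S-1-5-21-52543480-3766940008-3731351578-2996",
    "dcampbell": "S-1-5-21-52543480-3766940008-3731351578-3006",
    "nobody": "S-1-5-21-52543480-3766940008-3731351578-2998",
}

# Accepts both "->" and the "-" separator as it appears on this page.
GROUPMAP_RE = re.compile(
    r"^(?P<name>.+?) \((?P<sid>S-1(?:-\d+)+)\) -+>? (?P<unix>.+)$")


def split_sid(sid):
    """Split a SID into (domain prefix, RID as int)."""
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def parse_groupmap(text):
    """Return [(nt_group, sid, unix_group)] for each mapping line."""
    entries = []
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("sid"), m.group("unix")))
    return entries


def domain_prefixes(entries):
    """Group non-builtin mappings by the domain part of their SID."""
    by_domain = OrderedDict()
    for name, sid, _unix in entries:
        prefix, _rid = split_sid(sid)
        if prefix == BUILTIN_PREFIX:
            continue
        by_domain.setdefault(prefix, []).append(name)
    return by_domain


def rid_holders(accounts, rid):
    """Names of the accounts whose SID ends in the given RID."""
    return sorted(n for n, sid in accounts.items() if split_sid(sid)[1] == rid)


def describe(sid):
    """Well-known role for a SID's RID, or None."""
    return WELL_KNOWN_RIDS.get(split_sid(sid)[1])


if __name__ == "__main__":
    groups = domain_prefixes(parse_groupmap(GROUPMAP_SAMPLE))
    for prefix, names in groups.items():
        print(prefix, "->", ", ".join(names))
    if len(groups) > 1:
        print("inconsistent: group mappings span %d domain SIDs" % len(groups))
    print("RID 500 held by:", rid_holders(ACCOUNTS_SAMPLE, 500) or "no account")
```

On the sample data the site groups and the Domain groups fall under two different domain SIDs, and no listed account carries RID 500, which are the two conditions the replies point at.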
[Samba] smb.conf man page error
I think this is an error in the man page smb.conf:

ldap group suffix (G)

This parameters specifies the suffix that is used for groups when these are added to the LDAP directory. If this parameter is unset, the value of ldap suffix will be used instead.

    Default: ldap group suffix =
    Example: ldap group suffix = dc=samba,ou=Groups

Shouldn't the example line read:

    Example: ldap group suffix = ou=Groups,dc=samba

Doug
[Samba] usermgr generates error when adding new group
I have Samba 3.0.12pre1 setup and working well so far. The current issue is when I run usermgr.exe to Manage Users and Groups. Managing Users works great. Managing Groups presents some errors.

For example,

Login with account that has been granted SeAddUsersPrivilege.
Create a Group named Test
Click OK
Receive message Access Denied.
Click OK
Refresh list of groups.
Test is now a valid group.

Next try add a user to the Group by doing the following:

Edit Group by double-clicking on it
Add user Tester to Group
Click OK
Receive message Access Denied.

In this case, no change was made.

Instead, double-click on user Tester's entry
Click on Group button
Add Group Test to Tester's groups
Click OK
Everything works.

Sergey Loskutov mentioned this same error in a previous post and it was indicated that 3.0.12pre1 might have a fix for this. It doesn't seem to.

This is a bug, right? When might it be fixed or how can I follow up on it to know when it has been fixed?

Thanks!

Doug Campbell
RE: [Samba] usermgr.exe vs. 3.0.11 [was Re: Problems to samba 3.0.11]
Sergey Loskutov wrote

Problem 2. Launch tools usrmgr.exe Try create user Username: John. Select to group button. User by default in member to Domain Users Added group Domain Admins press ok and next ok ... user is create . it's greet! Select propertes user John and press again button group. Select group Domain Admins and press set primary group, next remove member in Domain Users And press to OK Devil :( I'm have error Access denied Why ???

Again parse debug message

1) Samba set for user john primary group Domain Admins
2) Samba try to remove user john from group Domain Users, but samba say User 'Jonh' have primary group 'Domain Users' and generate message Access denied

Script IDEALX have incorrect code in set smbldap-usermod -g . We MUST set primary group, but before user MUST be member to old primary group ... script IDEALX not do it this..

Problem 3. User Administrator have privileges 'SeAddUsersPrivilege' look up :) Try create group ... Group name: Internet Access Member in: Administrator,John Press button OK Devil again :( Have message Access Denied

1) Samba call script add group script group is create
2) Samba try append samba parameters to group Internet Access and say

    _samr_set_groupinfo: access check ((granted: 00; required: 0x0002)
    _samr_set_groupinfo: ACCESS DENIED (granted: 00; required: 0x0002)

Please fixed samba-3.0.11 or explain what is wrong ??? Analysis code 3.0.11 say me ... is bad very bad

Gerald (Jerry) Carter wrote:

I think I can probebly reproduce this last 2 error easily enough. We'll try to get this corrected in the first 3.0.12preX release sometime next week.

cheers, jerry

Was this fixed? I just tried Samba 3.0.12pre1 and the error appears to still be occuring.

Thanks!
RE: [Samba] hostnames resolve to wrong IPs - and sometimes sharesbecome inaccessible
Environment: OpenBSD v 3.6 Release, Samba ver.: Samba 3.0.5
LAN: 192.168.0.0/24, Samba servers: 2 installed replacing workgroup peer shares
Windows version: XP Pro

History: The 2 Sambas were installed last year and appear to have operated well until recently. Client admin now reports that, after some time connected to a shared directory, searching for files results in a Win error message to the effect of: Cannot access s:\ - Access is denied. Rebooting the Windows box allows access again. I cannot figure the possible cause except that WinXP was updated ~about~ the time the problems began. Need I say that they have no idea what function was affected by the update.

Accessing remotely I see some strange behaviour. Running smbtree results in several errors about not being able to connect to some addresses that are remote. A snip of one message appears below:

    =
    \\FIFTY Cosmo
    Error connecting to 203.202.16.55 (Invalid argument)
    cli_full_connection: failed to connect to FIFTY20 (203.202.16.55)
    =

That machine should be at 192.168.0.50 as shown by the nmblookup below:

    =
    # nmblookup fifty
    creating lame upcase table
    creating lame lowcase table
    querying fifty on 192.168.0.255
    192.168.0.50 fifty00
    =

I do not know if this is in any way connected because I had no reason to look at it before. I can connect, to the machines that throw errors in smbtree, using smbclient with the -I IP address option.

Are these connected? What do I need to do to resolve the problem/s ? More diagnostics needed? Standing by.

I have 2 other clients with the same platform and mixed win versions reporting no problems.

From the land down under: Australia. Do we look umop apisdn from up over?

Rod/

I had a similar problem to yours, I believe. It was caused when I switched the IP address on my samba box. I stopped samba. Renamed the gencache.tdb and wins.dat files located at /var/cache/samba. Started samba back up. Everything worked fine after that. For me these cache files were causing the old settings to stay around.

Doug
RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root - SOLUTION
Thanks to those of you who responded. Andrew Bartlett came through with the answer I needed to hear, which was that I was trying to do something that wasn't supported. I am it has two weeks trying to twirl the PDC with samba + LDAP and ties the moment only migraines. It would like to know which is the problem, now, below described in mine log's? What user are you trying to use to join the domain. It must either be root (Samba 3.0.11) or an user with the SeMachineAccount privilege (Samba = 3.0.11). Andrew Bartlett Is it also true in Samba 3.0.11 that only root can add users/groups and make modifications using the SRVTOOLS package? Correct. Thanks Andrew for the answer! Doug -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tony Earnshaw Sent: Monday, February 28, 2005 9:41 PM To: samba@lists.samba.org Subject: RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root Doug Campbell: [...] smbldap_open: cannot access LDAP when not root... [...] As which user (Unix) is slapd (presume this is OpenLDAP)running? Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP ACLs? I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and didn't with 3.0.7, either. My smb.conf file does have the ldap admin dn entry. The relevant section of my smb.conf file is as follows: [...] Again, as which Unix user is slapd running? Who is the owner of your DB files, config files, etc.? What are the permissions on them? Have you certificates (i.e. the CA cert) or anything that smbd has to try to read that can only be read by root? Is cn=Manager,dc=swro,dc=local a proxy user in your DIT, or the rootdn user in slapd.conf (it's better to make a proxy user in the DIT and comment out the rootdn). Can a normal user run ldapsearch, for example, without being root?Etc. 
;) --Tonni -- mail: [EMAIL PROTECTED] http://www.billy.demon.nl
RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root
I don't have any certificates to deal with as I am not using SSL/TLS. I actually tried to do this as a learning exercise but couldn't get it to work based on the documentation I read.

Try http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

I will check that out.

[snip]

'man ldapsearch'. ldapsearch without -x assumes that you are asking for SASL support that you have configured in slapd.conf, and you haven't. The fact that you get the same results for root or a non-root user doesn't have anything to do with the Unix user that you are logged in as; slapd doesn't care about the Unix (posix) user. It only cares about users in DNs that you feed it.

That makes sense to me and I think gives me a clue on some of the problems I was having with the LDAP ACLs.

Does that give a better idea of what might be wrong in my setup?

Yes. I have to agree with Craig White here (I usually do ;) LDAP for me is the be-all and end-all. I use it for across-platform authentication in production for *everything*. It is the corner stone to all services that my users may use. If an application doesn't work with it, then that application is useless to me. Examples of apps that use a single login and password at one site I administer (runs 3 servers under RHAS3 using the same LDAP DSA) are postfix smtp, Courier IMAP, Linux Terminal Server Project, Pykota print quota admin, ssh and a Samba PDC. To be able to master the LDAP part thoroughly, I chose to use source code and subscribe to the 4-5 mailing lists dealing with this. Craig does the same. Get samba working without LDAP first, then make sure you master every possible aspect of openldap and are completely confident with it. Then you can adapt what you've done to Samba.

I will do that. Thanks for your time in patiently helping me through this. Doug
RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root
Doug Campbell: [...] smbldap_open: cannot access LDAP when not root... [...]

As which user (Unix) is slapd (presume this is OpenLDAP) running? Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP ACLs? I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and didn't with 3.0.7, either.

My smb.conf file does have the ldap admin dn entry. The relevant section of my smb.conf file is as follows: [...]

Again, as which Unix user is slapd running? Who is the owner of your DB files, config files, etc.? What are the permissions on them? Have you certificates (i.e. the CA cert) or anything that smbd has to try to read that can only be read by root? Is cn=Manager,dc=swro,dc=local a proxy user in your DIT, or the rootdn user in slapd.conf (it's better to make a proxy user in the DIT and comment out the rootdn). Can a normal user run ldapsearch, for example, without being root? Etc. ;)

Sorry, I forgot to put some of these answers in last time :(

slapd appears to be running as user ldap when I run ps aux. I enabled it to start automatically on boot up using the chkconfig utility in FC3.

All config files are owned by root and have root as their group with the one exception of slapd.conf which has ldap as its group. The DB files are owned by ldap and the group is ldap.

I don't have any certificates to deal with as I am not using SSL/TLS. I actually tried to do this as a learning exercise but couldn't get it to work based on the documentation I read.

cn=Manager,dc=swro,dc=local is the rootdn user in slapd.conf. I wanted to have a proxy user but again when I tried using the example slapd.conf files for ACLs they never worked even though I followed the examples as given.

If I just type ldapsearch at the console, it will prompt me for a password. I don't know what password it is asking though. I tried all that I have used and there is still no luck. The error I get is user not found: no secret in database. If instead I type ldapsearch -x, it displays information from my ldap store. If I now switch users to a non-root user and execute the same two commands, I also get the same two results.

Does that give a better idea of what might be wrong in my setup? Thanks! Doug

--Tonni -- mail: [EMAIL PROTECTED] http://www.billy.demon.nl
RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root
I am using Samba 3.0.10-1 on Fedora Core 3. Most everything seems to be working as I expect it to except when I try to use the srvtools package to administrate the users and groups in the domain. I want to check and see whether maybe I am just misunderstanding usage as opposed to there being a configuration problem.

If I log into my workstation as Administrator, either the local account or into the domain, I can administrate the server using the srvtools. But if I login as a user who is in the Administrators group, Domain Admins group and I even added the user to the root group and I try to run srvtools, I can view all the settings but when I try to submit changes I get the following error showing up in the smbd.log file:

    smbldap_open: cannot access LDAP when not root...

Is this normal? I would think that Samba would check and see that I am a part of the Domain Admins group and allow the changes I have submitted but it doesn't want to allow anyone but root to access LDAP. Appreciate any insight on this.

As which user (Unix) is slapd (presume this is OpenLDAP) running? Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP ACLs? I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and didn't with 3.0.7, either.

My smb.conf file does have the ldap admin dn entry. The relevant section of my smb.conf file is as follows:

    [global]
    workgroup = SWRO
    netbios name = snoopy
    server string = Snoopy Samba-LDAP PDC Server
    domain logons = yes
    os level = 20
    preferred master = yes
    domain master = yes
    local master = yes
    encrypt passwords = yes
    wins support = yes
    username map = /etc/samba/smbusers
    ; SAMBA-LDAP declarations
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap admin dn = cn=Manager,dc=swro,dc=local
    ldap suffix = dc=swro,dc=local
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    add machine script = /usr/local/sbin/smbldap-useradd -w %u
    add user script = /usr/local/sbin/smbldap-useradd -m %u
    ldap delete dn = Yes
    add group script = /usr/local/sbin/smbldap-groupadd -p %g
    add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u

Also, /etc/samba/smbusers is:

    # Unix_name = SMB_name1 SMB_name2 ...
    root = administrator admin
    nobody = guest pcguest smbguest

So I can join the domain without problem. I can even use the SRVTOOLS when logged in as administrator which because of smbusers file is really just an alias for root. But if I log in as user dcampbell who is in the Domain Admins group, I can't use the SRVTOOLS. Is this what you say you have working for you?

Also, I just noticed that Samba 3.0.11 came out with the ability to assign privileges. This seems to indicate to me that previously, it may have not been possible to do what I want to do. I went ahead and upgraded and made the necessary changes and now I can log in as dcampbell who is in the Domain Admins group and be able to use the SRVTOOLS package.

I am curious to know if you really are indeed logging in as a user that isn't somehow aliased as root because I would like to make sure I understand how Samba is supposed to handle this. Thanks!

Doug Campbell
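The message above notes that logging in as administrator only works because the smbusers map aliases that name to root. As an added example (not code from the thread or from Samba), this Python script resolves SMB login names through such a map and lists which ones end up as root; the function names are hypothetical and the matching rules are a simplified model of the username map.

```python
"""Added example: resolve SMB login names through a Samba username map."""

# Constructed from the /etc/samba/smbusers contents quoted in the message above.
SMBUSERS = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
"""

def parse_username_map(text):
    """Return (unix_name, [smb_names], stop_flag) rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        stop = line.startswith("!")       # '!' = stop processing after a match
        if stop:
            line = line[1:]
        unix_name, sep, smb_side = line.partition("=")
        if not sep:
            continue                      # not a mapping line
        names = [n.lower() for n in smb_side.split()]
        rules.append((unix_name.strip(), names, stop))
    return rules

def map_user(rules, smb_name):
    """Map a client-supplied name to the Unix account it is treated as.

    Simplified model: case-insensitive match, '*' wildcard, '!' stop lines.
    @group entries and quoted names containing spaces are not handled.
    Assumption: later lines are matched against the already-mapped name.
    """
    current = smb_name
    for unix_name, names, stop in rules:
        if "*" in names or current.lower() in names:
            current = unix_name
            if stop:
                break
    return current

def root_aliases(rules):
    """List every SMB name in the map that ends up as Unix root."""
    candidates = {n for _, names, _ in rules for n in names}
    return sorted(n for n in candidates if map_user(rules, n) == "root")

if __name__ == "__main__":
    rules = parse_username_map(SMBUSERS)
    for login in ("Administrator", "admin", "dcampbell", "guest"):
        print(f"{login:15s} -> {map_user(rules, login)}")
    print("root aliases:", root_aliases(rules))
```

Every name it reports as a root alias bypasses the per-user privilege model discussed in the thread, so the list is worth reviewing whenever the map file changes.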
[Samba] Srvtools causes smbldap_open: cannot access LDAP when not root
I am using Samba 3.0.10-1 on Fedora Core 3. Most everything seems to be working as I expect it to except when I try to use the srvtools package to administrate the users and groups in the domain. I want to check and see whether maybe I am just misunderstanding usage as opposed to there being a configuration problem. If I log into my workstation as Administrator, either the local account or into the domain, I can administrate the server using the srvtools. But if I login as a user who is in the Administrators group, Domain Admins group and I even added the user to the root group and I try to run srvtools, I can view all the settings but when I try to submit changes I get the following error showing up in the smbd.log file: smbldap_open: cannot access LDAP when not root... Is this normal? I would think that Samba would check and see that I am a part of the Domain Admins group and allow the changes I have submitted but it doesn't want to allow anyone but root to access LDAP. Appreciate any insight on this. Thanks!
[Samba] Login Scripts won't run on W2K
Sorry to send this to the general list but I couldn't find the information on how to send to the samba-ntdom list.

I have just setup my Samba as a PDC and I am trying to get my Windows 2000 client to login. The client successfully logs in but does not run the login script. If I log in using one of my Windows 98 clients, the login scripts run every time with no problems.

Also, I noticed that if I try to type the following from the W2K command prompt:

    net use h: /home

It gives the following error:

    The user's home directory has not been specified.

This also works on my Windows 98 clients. Any idea what I am doing wrong?

One more thing. I can run the login script batch file after logging in so I have the permissions to access it. My smb.conf is attached to the end of this e-mail. Also, if you notice why I can't get profiles to function, I would appreciate that as well.

Thanks for any help that is provided!

Doug Campbell

My smb.conf:

    [global]
    ; Basic server settings
    netbios name=snoopy
    workgroup=workgroup
    ; Miscellaneous settings
    dos filetime resolution = True
    dos filetimes = True
    time server = True
    wins support=yes
    ; Printer Share settings
    printcap name=/etc/printcap
    printing=bsd
    printer driver file=/etc/samba/printers.def
    ; we should act as the domain and local master browser
    os level=64
    preferred master=yes
    domain master=yes
    local master=yes
    ; security settings (must use security = user)
    security = user
    ; encrypted passwords are a requirement for a PDC
    encrypt passwords = yes
    ; support domain logins
    domain logons=yes
    ; support for allowing client machines to join our domain.
    ; use root account and password to allow joining
    ; hopefully this will change in the future so that I can
    ; use a none root account
    domain admin group = root@snoopy
    ; where to store user profiles
    logon path = \\%L\profiles\%U
    ; where is a user's home directory and where should it
    ; be mounted at?
    logon drive = P:
    logon home = \\%L\%U
    ; specify a logon script location for all users
    logon script=scripts\%U.bat
    ; used for on-the-fly creation of machine trust accounts
    add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
    ; Guest Access settings
    map to guest=bad user

    ; share for storing user profiles
    [profiles]
    path = /data/smb/ntprofile
    read only = no
    create mask = 0600
    directory mask = 0700

    [homes]
    path = %H/samba
    browseable = no
    valid users = %U
    read only = No
    create mask = 700
    writeable = Yes
    recycle bin = .recycled

    [tempint]
    path = /data/tempint/%U
    valid users = %U
    read only = No
    create mask = 700

    [netlogon]
    path=/data/dos/netlogon
    read only=yes
    guest ok=no
    oplocks=no
    create mask=774
    write list=@scriptadmin
    force group=scriptadmin
    recycle bin = .recycled

    [general]
    path=/data/general
    read only=no
    admin users=doug,travis
    create mask=770
    directory mask=770
    force group=sambauser
    recycle bin = .recycled

    [finance]
    path=/data/finance
    read only=yes
    valid users=@finance
    write list=@finance
    create mask=770
    directory mask=770
    force group=finance
    recycle bin = .recycled

    [operations]
    path=/data/operations
    read only=yes
    valid users=@ops
    write list=@ops
    create mask=770
    directory mask=770
    force group=ops
    recycle bin = .recycled

    [it]
    path=/data/it
    read only=yes
    valid users=@ituser
    write list=@ituser
    create mask=770
    directory mask=770
    force group=ituser
    recycle bin = .recycled

    [wenlin]
    public=yes
    path=/mnt/wenlin
    volume=wenlin2cd
    force user=root
    read only=yes

    [printers]
    browseable=no
    guest ok=yes
    print ok=yes
    path=/var/spool/samba

    [software]
    path=/data/software
    guest ok=yes
    read only=no
    admin users=doug
    recycle bin = .recycled

    [pdf]
    path = /tmp
    printable=yes
    guest ok=yes
    force user=nobody
    print command=/usr/bin/printpdf %s
    printer driver = HP LaserJet 5P/5MP PostScript
    printer driver location=\\%h\printer$

    [pdfshare]
    path=/tmp/pdfdropbox
    browseable=yes
    writeable=yes
    guest ok=yes

    ; File share to allow clients to download printer drivers
    [printer$]
    path=/etc/samba/printdrivers
    guest ok=yes
    read only=yes
[Samba] map system=yes doesn't work for directories
I would like to be able to set the system attribute for a directory that is located within a Samba share but the map system=yes tag does not seem to work for directories, only files. Is there a way to set the system attribute of a directory? Appreciate any insights. Thanks! Doug Campbell