[Samba] Moving from SAMBA to 2003 domain with XP SP# client machines roaming profiles stopped working

2011-02-09 Thread Douglas Phillipson


We have been directed to move off a SAMBA domain to a server 2003R2 
domain.  We run roaming profiles with samba and would like to continue 
this on 2003R2.  After bringing all the XPSP3 desktops into the 2003R2 
domain, roaming profiles won't work.  I'm not even trying to use the 
SAMBA generated profiles.  The error I get when logging on is:


Windows cannot locate the server copy of your roaming profile and is 
attempting to log you on with your local profile.  Changes to the 
profile will not be copied to the server when you logoff.


Errors in the event viewer are:

DETAIL - Configuration information could not be read from the domain 
controller, either because the machine is unavailable, or access has 
been denied.



This only happens on machines we switched from SAMBA.  Any other machine 
we add to the AD Domain that wasn't in the SAMBA domain handles roaming 
profiles just fine.  Has anyone ever seen this behavior?  I've checked 
the permissions on "Documents and Settings" and they are the same as on 
other machines that work so I don't think it's a permissions problem 
loading a profile into the Documents and Settings Dir.  I've tried 
flushing old local group policies with gpedit, loading the policy 
templates.  I just don't know where to go from here and what else to 
try, short of re-imaging the machines.  They come into the AD Domain 
just fine and authenticate users, but roaming profiles won't load.  This 
even occurs if the roaming profile account used is a "Domain Admin".


We are using SAMBA version 3.0.33...

Thank you very much in advance for your time...

Doug P (Sadly moving off Linux)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)

2010-10-13 Thread Douglas Phillipson

On 10/12/2010 01:05 PM, Douglas Phillipson wrote:
To create a "Trust" between Samba and a W2003 AD Domain, does the 
Samba machine have to be a domain member also?


Doug P

I'm not clear on something.  My goal is to have our AD users access a 
samba share without having to enter a second set of credentials.  So 
this is where the trust comes in.  Our Samba machine is a PDC of a 
different domain than our Win2003 PDC.


I'm told the samba machine has to be a member server in the W2003 domain 
for the trust to work.  I thought trusts were between PDC's.  Can my 
samba machine be a PDC and a member server of a W2003 domain?


Confused...

Doug P


Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)

2010-10-12 Thread Douglas Phillipson
To create a "Trust" between Samba and a W2003 AD Domain, does the Samba 
machine have to be a domain member also?


Doug P

On 10/11/2010 11:29 PM, Daniel Müller wrote:

"http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html#id2621046"

Problems with LDAP ldapsam and Older Versions of smbldap-tools
If you use the smbldap-useradd script to create a trust account to set up
interdomain trusts, the process of setting up the trust will fail. The
account that was created in the LDAP database will have an account flags
field that has [W ], when it must have [I ] for interdomain trusts to work.

Here is a simple solution. Create a machine account as follows:

root#  smbldap-useradd -w domain_name

Then set the desired trust account password as shown here:

root#  smbldap-passwd domain_name\$

Using a text editor, create the following file:

dn: uid=domain_name$,ou=People,dc={your-domain},dc={your-top-level-domain}
changetype: modify
replace: sambaAcctFlags
sambaAcctFlags: [I ]

Then apply the text file to the LDAP database as follows:

root#  ldapmodify -x -h localhost \
  -D "cn=Manager,dc={your-domain},dc={your-top-level-domain}" \
  -W -f /path-to/foobar

Create a single-sided trust under the NT4 Domain User Manager, then execute:


root#  net rpc trustdom establish domain_name<- important


It works with Samba-3 and NT4 domains, and also with Samba-3 and Windows
200x ADS in mixed mode. Both domain controllers, Samba and NT must have the
same WINS server; otherwise, the trust will never work.<---important


---
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
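
A read-only check for the failure described above, added here as an example (not code from the Samba HOWTO or from either poster): it parses `ldapsearch`-style LDIF and reports `$` accounts whose `sambaAcctFlags` do not match the list of domains that are supposed to hold a trust. The sample LDIF, the `dc=example,dc=org` base, the function names and every account except the thread's `WECN` are assumptions made for the example.

```python
import base64

# Letters Samba stores between the brackets of sambaAcctFlags (subset).
ACCOUNT_TYPES = {"U": "user", "W": "workstation trust",
                 "S": "server trust", "I": "interdomain trust"}

# Constructed sample in the shape of `ldapsearch -LLL` output; the
# dc=example,dc=org base and every account except wecn$ are made up.
SAMPLE_LDIF = """\
dn: uid=wecn$,ou=People,dc=example,dc=org
uid: wecn$
sambaAcctFlags: [W          ]

dn: uid=xp-desk01$,ou=Computers,dc=example,dc=org
uid: xp-desk01$
sambaAcctFlags: [W          ]

dn: uid=oldlab$,ou=People,
 dc=example,dc=org
uid: oldlab$
sambaAcctFlags: [I          ]

dn: uid=jsmith,ou=People,dc=example,dc=org
uid: jsmith
sambaAcctFlags: [U          ]
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attr_lowercase: [values]} dicts."""
    # Unfold first: a line starting with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:            # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries


def decode_acct_flags(value):
    """Return the set of flag letters in a value such as '[W          ]'."""
    inner = value.strip()
    if not (inner.startswith("[") and inner.endswith("]")):
        raise ValueError("malformed sambaAcctFlags: %r" % value)
    return {ch for ch in inner[1:-1] if not ch.isspace()}


def describe(flags):
    """Human-readable account type for a decoded flag set."""
    kinds = [ACCOUNT_TYPES[f] for f in sorted(flags) if f in ACCOUNT_TYPES]
    return ", ".join(kinds) or "unknown type"


def audit_trust_accounts(ldif_text, trusted_domains):
    """Compare '$' accounts with the domains expected to hold a trust."""
    expected = {d.lower() for d in trusted_domains}
    seen, findings = set(), []
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", [""])[0]
        if not uid.endswith("$") or "sambaacctflags" not in entry:
            continue
        name = uid[:-1].lower()
        flags = decode_acct_flags(entry["sambaacctflags"][0])
        if name in expected:
            seen.add(name)
            if "I" not in flags:         # the [W] instead of [I] failure
                findings.append((uid, "wrong-flags",
                                 "marked as %s, needs [I]" % describe(flags)))
        elif "I" in flags:               # a trust nobody listed
            findings.append((uid, "unexpected-trust",
                             "interdomain trust account not on the expected list"))
    for name in sorted(expected - seen):
        findings.append((name + "$", "missing", "no account found in the LDIF"))
    return findings


if __name__ == "__main__":
    for uid, kind, detail in audit_trust_accounts(SAMPLE_LDIF, ["WECN"]):
        print("%-12s %-17s %s" % (uid, kind, detail))
```
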
   




Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)

2010-10-11 Thread Douglas Phillipson

oops, should be using a machine arg, tried:
/var/lib/samba/sbin/smbldap-useradd.pl -w -c "Domain Trust" ECN$

Still get error:

failed to add entry:  at /var/lib/samba/sbin//smbldap_tools.pm line 
497,  line 283.


Doug P

On 10/11/2010 10:29 AM, Douglas Phillipson wrote:

When trying to add the machine account with smb-ldap, I use the syntax:
/var/lib/samba/sbin/smbldap-useradd.pl -a -B 1 -c "Domain Trust" ECN$

I get the following error when adding the machine account:

failed to add entry:  at /var/lib/samba/sbin//smbldap_tools.pm line 
497,  line 283.


Thanks
Doug P

On 10/11/2010 09:53 AM, Douglas Phillipson wrote:
I'm trying to establish a two way non-transitive trust between a 
W2003 A/D box and our SAMBA domain.


We are using smbldap so we can log in on any of the linux boxes with 
the same passwd.

Samba is version 3.0.33 on Redhat Enterprise.

It's easy to create the trust on the Windows side with AD Domains and 
Trusts but on the Linux side I'm not sure if I need to put the 
machine account locally in smb passwd or use the smbldap passwd on 
the LDAP server.  Has anyone done this before?


For the sake of example:

My windows A/D domain is WECN
My Linux Domain is LECN

I've tried several putting the machine account both in the local file 
and the LDAP passwd file but it just doesn't work.  I've got the 
Samba 3 HowTo book and tried lots of googled suggestions but still 
can't seem to make this work.  Any suggestions are appreciated.  Is 
there an easier way to do this?  My end result is to map a share on 
the SAMBA server from a WinXP client computer that's in a W2003 domain 
without having to put in a Linux username/password.


Thanks for your time and suggestions!
Doug P

My smb.conf [global]
-- 


[global]
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
workgroup = LECN
realm =
netbios name = RSL-PDC1
netbios aliases =
netbios scope =
server string = Primary RSL Samba Server
interfaces =
bind interfaces only = No
security = USER
auth methods =
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes


map to guest = Never
null passwords = No

obey pam restrictions = Yes
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = ldapsam:"ldap://127.0.0.1";
algorithmic rid base = 1000
root directory =
guest account = smbguest

passwd chat debug = No
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing UNIX password for*\nNew password*" 
%n\n "*Retype new password*" %n\n"

passwd chat timeout = 2
check password script = /usr/sbin/crackcheck -c -d  
/usr/lib/cracklib_dict

username map =
password level = 0
username level = 0
unix password sync = Yes
ntlm auth = Yes
restrict anonymous = Yes
lanman auth = No
;ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
preload modules =
use kerberos keytab = No

log level = 3 vfs:1
syslog = 0
syslog only = No
log file = /var/log/samba/%m.log
max log size = 50
debug timestamp = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
smb ports = 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
acl compatibility =
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 65535
name resolve order = wins hosts bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = Yes
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
;change notify timeout = 60
deadtime = 15
getwd cache = Yes
keepalive = 300
kernel change notify = Yes
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 1
socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
use mmap = Yes
hostname lookups = No
name cache timeout = 66

Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)

2010-10-11 Thread Douglas Phillipson

When trying to add the machine account with smb-ldap, I use the syntax:
/var/lib/samba/sbin/smbldap-useradd.pl -a -B 1 -c "Domain Trust" ECN$

I get the following error when adding the machine account:

failed to add entry:  at /var/lib/samba/sbin//smbldap_tools.pm line 
497,  line 283.


Thanks
Doug P

On 10/11/2010 09:53 AM, Douglas Phillipson wrote:
I'm trying to establish a two way non-transitive trust between a W2003 
A/D box and our SAMBA domain.


We are using smbldap so we can log in on any of the linux boxes with 
the same passwd.

Samba is version 3.0.33 on Redhat Enterprise.

It's easy to create the trust on the Windows side with AD Domains and 
Trusts but on the Linux side I'm not sure if I need to put the machine 
account locally in smb passwd or use the smbldap passwd on the LDAP 
server.  Has anyone done this before?


For the sake of example:

My windows A/D domain is WECN
My Linux Domain is LECN

I've tried several putting the machine account both in the local file 
and the LDAP passwd file but it just doesn't work.  I've got the Samba 
3 HowTo book and tried lots of googled suggestions but still can't 
seem to make this work.  Any suggestions are appreciated.  Is there an 
easier way to do this?  My end result is to map a share on the SAMBA 
server from a WinXP client computer that's in a W2003 domain without 
having to put in a Linux username/password.


Thanks for your time and suggestions!
Doug P

My smb.conf [global]
-- 


[global]
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
workgroup = LECN
realm =
netbios name = RSL-PDC1
netbios aliases =
netbios scope =
server string = Primary RSL Samba Server
interfaces =
bind interfaces only = No
security = USER
auth methods =
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes


map to guest = Never
null passwords = No

obey pam restrictions = Yes
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = ldapsam:"ldap://127.0.0.1";
algorithmic rid base = 1000
root directory =
guest account = smbguest

passwd chat debug = No
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing UNIX password for*\nNew password*" 
%n\n "*Retype new password*" %n\n"

passwd chat timeout = 2
check password script = /usr/sbin/crackcheck -c -d  
/usr/lib/cracklib_dict

username map =
password level = 0
username level = 0
unix password sync = Yes
ntlm auth = Yes
restrict anonymous = Yes
lanman auth = No
;ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
preload modules =
use kerberos keytab = No

log level = 3 vfs:1
syslog = 0
syslog only = No
log file = /var/log/samba/%m.log
max log size = 50
debug timestamp = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
smb ports = 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
acl compatibility =
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 65535
name resolve order = wins hosts bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = Yes
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
;change notify timeout = 60
deadtime = 15
getwd cache = Yes
keepalive = 300
kernel change notify = Yes
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 1
socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
use mmap = Yes
hostname lookups = No
name cache timeout = 660
load printers = Yes
printcap cache time = 0
printcap name = cups
cups server =
disable spoolss = No
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver ma

[Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL

2010-10-11 Thread Douglas Phillipson
I'm trying to establish a two way non-transitive trust between a W2003 
A/D box and our SAMBA domain.


We are using smbldap so we can log in on any of the linux boxes with the 
same passwd.

Samba is version 3.0.33 on Redhat Enterprise.

It's easy to create the trust on the Windows side with AD Domains and 
Trusts but on the Linux side I'm not sure if I need to put the machine 
account locally in smb passwd or use the smbldap passwd on the LDAP 
server.  Has anyone done this before?


For the sake of example:

My windows A/D domain is WECN
My Linux Domain is LECN

I've tried several putting the machine account both in the local file 
and the LDAP passwd file but it just doesn't work.  I've got the Samba 3 
HowTo book and tried lots of googled suggestions but still can't seem to 
make this work.  Any suggestions are appreciated.  Is there an easier 
way to do this?  My end result is to map a share on the SAMBA server 
from a WinXP client computer that's in a W2003 domain without having to 
put in a Linux username/password.


Thanks for your time and suggestions!
Doug P

My smb.conf [global]
--
[global]
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
workgroup = LECN
realm =
netbios name = RSL-PDC1
netbios aliases =
netbios scope =
server string = Primary RSL Samba Server
interfaces =
bind interfaces only = No
security = USER
auth methods =
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes


map to guest = Never
null passwords = No

obey pam restrictions = Yes
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = ldapsam:"ldap://127.0.0.1";
algorithmic rid base = 1000
root directory =
guest account = smbguest

passwd chat debug = No
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing UNIX password for*\nNew password*" %n\n 
"*Retype new password*" %n\n"

passwd chat timeout = 2
check password script = /usr/sbin/crackcheck -c -d  
/usr/lib/cracklib_dict

username map =
password level = 0
username level = 0
unix password sync = Yes
ntlm auth = Yes
restrict anonymous = Yes
lanman auth = No
;ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
preload modules =
use kerberos keytab = No

log level = 3 vfs:1
syslog = 0
syslog only = No
log file = /var/log/samba/%m.log
max log size = 50
debug timestamp = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
smb ports = 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
acl compatibility =
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 65535
name resolve order = wins hosts bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = Yes
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
;change notify timeout = 60
deadtime = 15
getwd cache = Yes
keepalive = 300
kernel change notify = Yes
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 1
socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
use mmap = Yes
hostname lookups = No
name cache timeout = 660
load printers = Yes
printcap cache time = 0
printcap name = cups
cups server =
disable spoolss = No
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
mangling method = hash2
mangle prefix = 1
stat cache = Yes
machine password timeout = 604800
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl 
-p '%g'
add u

[Samba] Noob question about cached credentials

2008-10-02 Thread Douglas Phillipson
Can a samba domain user login successfully to a PC in the domain if the 
PC is not connected to the network?  This assumes the user has logged on 
at some point in the past to get their credentials on the local PC of 
course. 

Is this a "Standard" feature of SAMBA (allowing Cached credentials) or 
do you have to some how trick samba to allow this?  I've looked in the 
Official Samba-3 and Samba by example books but don't see any info on 
this.  Googling this subject seems to show it works sometimes but could 
break  depending on the version you run.


Thanks in advance

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Loading profile slow over a fast wan link

2008-02-05 Thread Douglas Phillipson
Logging on  with XP, with our desktop profile across a 10mbps wan,  
takes a LONG time to transfer even just 5mb of profile data.  Any 
suggestion on tweaks to speed this up would be greatly appreciated.  
Other protocols like ftp, rcp and scp are 10 to 20 times faster.


Regards

Douglas Phillipson


[Samba] Now that MS has to play nice...

2008-01-18 Thread Douglas Phillipson
Being that you SAMBA developers had to work so hard to reverse engineer 
the AD protocols.  Will there soon be improvements and more full 
featured functionality in SAMBA now that you have access to more 
documentation?  Is anything on the order of a fully featured AD clone in 
the works?  Also, how do you dance around patented protocols?  Can you 
still implement them?  Do you have to avoid them?  So anything patented 
is taboo functionality, never to be seen in SAMBA.


Thanks for all your hard work over the years guys.  I hope it gets much 
easier now.


Doug P


[Samba] Bi directional trusts with server 2003

2008-01-17 Thread Douglas Phillipson
Is it possible to establish a two way trust relationship between a SAMBA 
Domain and Win2003 AD Domain such that Users in the SAMBA domain can log 
on to machines in the W2003 Domain and users in the Windows Domain can 
log on to XP machines in the SAMBA Domain?  Is this a domain trust, a 
machine trust, both, or what?


Thanks

Doug P




[Samba] Security issues

2006-12-07 Thread Douglas Phillipson
We have a new Cyber Security professional on our staff that now says we 
can't use Samba for the following reasons:



At this time any appearance that Samba-3 is capable of acting as a 
domain controller in native ADS mode is limited and experimental in 
nature. This functionality should not be used until the Samba Team 
offers formal support for it. At such a time, the documentation will be 
revised to duly reflect all configuration and management requirements. 
Samba can act as a NT4-style domain controller in a Windows 2000/XP 
environment. However, there are certain compromises:


1) No machine policy files.
2) No Group Policy Objects.
3) No synchronously executed Active Directory logon scripts.
4) Can't use Active Directory management tools to manage users and 
machines.
5) Registry changes tattoo the main registry, while with Active 
Directory they do not leave permanent changes in effect.
6) Without Active Directory you cannot perform the function of 
exporting specific applications to specific users or groups.




Are these all true? I don't care about item 4...

Thanks

Doug P






Re: [Samba] Preference of local or domain profile

2006-11-27 Thread Douglas Phillipson



Douglas Phillipson wrote:
With Samba v3.x and WinXP, if there is a local profile on the users PC 
when the user logs on while hooked to a Samba DC, should the PC check 
for the DC profiles password prior to checking the local profiles 
password?  I have a client PC, originally with no local profile, the 
user logs in to the Samba domain, his profile is downloaded to the PC. I 
have his group policy set so it won't delete the profile when he logs 
out so he can remove his PC from the network and he can still use his 
domain account and password.  The problem comes in when his domain 
password is changed and he re-attaches his PC to the domain.  The PC 
appears to use the local profile rather than the domain for credentials. 
 I thought if there was a domain controller that the client PC should 
ALWAYS prefer the DC to a local profile.  This occurs as it should with 
a Windows AD domain, but not with the Samba domain.  Do I have some 
settings or policies set wrong?  I hope I've explained this correctly...


Thanks

Doug P


I haven't seen any posts concerning this problem.  Am I explaining my 
problem sufficiently well?  This isn't a dumb question, is it?


Thanks

Doug P


[Samba] Preference of local or domain profile

2006-11-24 Thread Douglas Phillipson
With Samba v3.x and WinXP, if there is a local profile on the users PC 
when the user logs on while hooked to a Samba DC, should the PC check 
for the DC profiles password prior to checking the local profiles 
password?  I have a client PC, originally with no local profile, the 
user logs in to the Samba domain, his profile is downloaded to the PC. 
I have his group policy set so it won't delete the profile when he logs 
out so he can remove his PC from the network and he can still use his 
domain account and password.  The problem comes in when his domain 
password is changed and he re-attaches his PC to the domain.  The PC 
appears to use the local profile rather than the domain for credentials. 
 I thought if there was a domain controller that the client PC should 
ALWAYS prefer the DC to a local profile.  This occurs as it should with 
a Windows AD domain, but not with the Samba domain.  Do I have some 
settings or policies set wrong?  I hope I've explained this correctly...


Thanks

Doug P


[Samba] Changed the IP address of Samba server, can't logon

2006-03-21 Thread Douglas Phillipson
After changing the IP address of our samba server (3.0.10), our users 
can't logon.  We use ldap authentication, which all worked fine for more 
than a year prior.  The samba log shows attempts as "guest" rather than 
the user's name.  Also logging in as root on an XP box translates to 
user guest, which is passed to LDAP and of course can't authenticate. 
I've removed the entries from wins.dat for all workstations and removed 
browse.dat from the DC.  I've removed the PC from the domain and added 
it back, still the same problem.  How and why is my username being 
translated to "guest"?


Thanks

Doug P


Re: [Samba] Outlook path to pst file is lost when using roaming profiles

2006-02-21 Thread Douglas Phillipson
Is nobody else losing their Outlook profile/path to pst when using 
roaming profiles?


Doug P

Douglas Phillipson wrote:
We are having a problem getting the path to the Outlook PST file to move 
from machine to machine using roaming profiles (Samba 3.0.10 on RHEL 4). 
 When a user logs off on one machine and logs on to another, the outlook 
path to the PST file is gone.  I found this message in the archive back 
in 2002 but I see no resolution for it:


http://lists.samba.org/archive/samba/2002-July/047507.html

Here is the text from that post:

Does anybody know how to manage roaming profiles with outlook 2002 ? I
have XP boxes with roaming profiles and all work fine. The only problem
is that
XP doesn´t export the path where outlook stores ist .pst file. This is
not the problem for the .pst file where outlook stores contacts and so.
The path of the normal pst is on a network drive.  But I have an IMAP
mail account for every user and if you configure outlook for imap it
creates another .pst file under the normal path ...Local
Settings../outlook/
I am not able to store this file under a different path e.g. a network
drive. I think that there are 2 ways for my problem:

1.) show outlook the path to a network drive for the imap pst as I did
it for the normal pst --> I don´t know how

2.) export the whole outlook path under local settings -->

It works, but not for a long time:

After you create an outlook account for the first time, outlook adds a
registry entry under

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
--> ExcludeProfileDirs

In this entry you can add directories of the roaming profile not to
export. --> because of that, the outlook pst would not exported with the
roaming profile. If I delete this entry on all workstations under the
default and the user profile of the registry it works for some time.
But after some time, I don´t know why the entry is back in the registry
to not export the outlook folder.

Does anybody have an idea ?

Regards sven

Has anybody else seen this problem or found a resolution?

Thanks

Doug P



[Samba] Outlook path to pst file is lost when using roaming profiles

2006-02-17 Thread Douglas Phillipson
We are having a problem getting the path to the Outlook PST file to move 
from machine to machine using roaming profiles (Samba 3.0.10 on RHEL 4). 
 When a user logs off on one machine and logs on to another, the 
outlook path to the PST file is gone.  I found this message in the 
archive back in 2002 but I see no resolution for it:


http://lists.samba.org/archive/samba/2002-July/047507.html

Here is the text from that post:

Does anybody know how to manage roaming profiles with outlook 2002 ? I
have XP boxes with roaming profiles and all work fine. The only problem
is that
XP doesn´t export the path where outlook stores ist .pst file. This is
not the problem for the .pst file where outlook stores contacts and so.
The path of the normal pst is on a network drive.  But I have an IMAP
mail account for every user and if you configure outlook for imap it
creates another .pst file under the normal path ...Local
Settings../outlook/
I am not able to store this file under a different path e.g. a network
drive. I think that there are 2 ways for my problem:

1.) show outlook the path to a network drive for the imap pst as I did
it for the normal pst --> I don´t know how

2.) export the whole outlook path under local settings -->

It works, but not for a long time:

After you create an outlook account for the first time, outlook adds a
registry entry under

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
--> ExcludeProfileDirs

In this entry you can add directories of the roaming profile not to
export. --> because of that, the outlook pst would not exported with the
roaming profile. If I delete this entry on all workstations under the
default and the user profile of the registry it works for some time.
But after some time, I don´t know why the entry is back in the registry
to not export the outlook folder.

Does anybody have an idea ?

Regards sven

Has anybody else seen this problem or found a resolution?

Thanks

Doug P


[Samba] Are these still all the recommended settings for using roaming profiles?

2006-02-17 Thread Douglas Phillipson
I got these several years ago, but we are having problems with Outlook 
with roaming profiles so I want to check and see if something new should 
be added to this list of mods for roaming profiles.


-

Go to Local Computer Policy->Administrative Templates->System->Logon and
enable:

1) Enable "Do not check for ownership of Roaming Profiles Folders"
2) Enable "Add the Administrators security group to roaming users profiles"
3) Enable "Delete cached copies of roaming profiles"
4) Enable "Wait for remote user profile"
5) Enable "log users off when roaming profile fails"

Use regedit and search for the following two registry keys:

   RequireSignOrSeal ValueType REG_DWORD = 4
   SignSecureChannel ValueType REG_DWORD = 4

Change them to:

   RequireSignOrSeal ValueType REG_DWORD = 0
   SignSecureChannel ValueType REG_DWORD = 0

-
Thanks

Doug P


[Samba] Can Samba be used to push out updates and hotfixes

2005-09-28 Thread Douglas Phillipson
I have the Official Samba 3 and Samba-3 by example books, although not 
the second edition copies.  But I can't seem to find out how to push out 
patches and hotfixes with Samba.  Is this not possible at this time?


I don't have a lot of experience with Windows but I am going to have to 
deal with this issue soon.


I think I understand that pushing out policies is possible.

Is Microsoft designing its OS intentionally to subvert what Samba can do?

Thanks

Doug P


[Samba] Is there a method to search the samba archives

2005-09-28 Thread Douglas Phillipson
I'd like to do some research prior to posting questions here but all I 
see in the archives are monthly gzip'd files.  Is there a single file in 
say mbox format I can grab, or is there another search/query mechanism I 
don't know about?


Thanks

Doug P


[Samba] Can Samba be used to push out updates and hotfixes to client PC's

2005-09-28 Thread Douglas Phillipson
I have the Official Samba 3 and Samba-3 by example books, although not 
the second edition copies.  But I can't seem to find out how to push out 
patches and hotfixes with Samba.  Is this not possible at this time?


I don't have a lot of experience with Windows but I am going to have to 
deal with this issue soon.


I think I understand that pushing out policies is possible.

Is Microsoft designing its OS intentionally to subvert what Samba can do?

Thanks

Doug P



[Samba] High Availability with Samba and Heartbeat

2003-11-10 Thread Douglas Phillipson
Since I get so much from this list I thought I would share a project 
I've been working on and how it works with samba (3.0.1).  It is Samba 
related so I hope it's not off topic.

I've set up a HA solution with redundant Samba Domain Controllers 
through the "Heartbeat" package at:

http://www.ultramonkey.org/download/heartbeat/1.1.3/redhat_9/

I have two "Redhat 9" Linux machines (A and B) configured as a HA 
cluster providing httpd, DNS, and Samba Domain and File services on a 
virtual IP of 192.168.0.45. Initially one of the machines, (A), is 
running those services (smb, named and httpd) and listening on the 
virtual IP, while the other, (B), watches a heartbeat from machine (A) 
through both a redundant ethernet and serial link. When both heartbeat 
lines are pulled or the power drops on machine (A), within 10 seconds 
machine (B) starts the httpd, dns and smbd/nmbd services and listens on 
the virtual IP.

I have a third machine (C) running Win2000 as a client for those 
services.  I can even login on the windows box, thus using Samba's 
Domain Authentication services from machine (A), and while logged on the 
domain, kill machine (A) and machine (B) takes over and when I log off 
the windows box my remote profile is saved on  machine (B), no muss no 
fuss, all transparent to the client machine.  The win2000 client can 
surf to the web services on the virtual IP and never know that a machine 
has died.  When machine (A) comes back up it takes back over the 
services automatically.

What this means is that a machine outage does NOT take our customers' 
Domain Authentication out.  All the services will fail over to a 
redundant machine automatically.  I know for Samba there are BDC 
capabilities but this solution seems to cover all the internet services 
we use at once.  I hope someone will get something useful from this. 
Has anyone else tried this with Samba?

Here is a brief procedure (minus config files) for getting it working.

Installed "libnet" from the src rpm:

rpm -i libnet-1.1.0-1.rh.9.um.1.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -bb libnet.spec
rpm -Uvh /usr/src/redhat/RPMS/i386/libnet-1.1.0-1.rh.9.um.1.i386.rpm

Installed heartbeat 1.1.3 from the src rpm:

rpm -i heartbeat-1.1.3-1.rh.9.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -bb heartbeat.spec

The heartbeat src RPM contains several packages to install:

rpm -Uvh /usr/src/redhat/RPMS/i386/heartbeat-pils-1.1.3-1.rh.9.i386.rpm
rpm -Uvh /usr/src/redhat/RPMS/i386/heartbeat-stonith-1.1.3-1.rh.9.i386.rpm
rpm -Uvh /usr/src/redhat/RPMS/i386/heartbeat-1.1.3-1.rh.9.i386.rpm

Configure NICS: (Virtual IP 192.168.0.45 is set in "haresources")

Machine A eth0  192.168.0.40
Machine A eth1  10.0.0.1
Machine B eth0  192.168.0.41
Machine B eth1  10.0.0.2

Connect redundant NICs with a crossover Cat-5 cable
Connect Serial ports with a Null Modem cable

Edit HA config files in /etc/ha.d:

ha.cf
haresources
authkeys

Disable HA services from running at boot time:

chkconfig --level 23456 smb off
chkconfig --level 23456 httpd off
chkconfig --level 23456 named off

Duplicate Apache's documentroot (Rsync)
Duplicate Samba's domain stuff (Copy smbpasswd to both machines)
Duplicate DNS files

Start the HA service or reboot both machines:

/etc/init.d/heartbeat start

Regards

Doug P



[Samba] CUPS vs lprng

2003-11-06 Thread Douglas Phillipson
Could I get some opinions on which type of Samba based printing is 
easier, CUPS or LPRNG, or just bypass Samba altogether.  I'm looking at 
the Printing HOWTO by Kurt Pfeifle (Printing Support in Samba 3.0) and 
both look really complex.  Anyone out there have any experience with 
printing services in Samba?  Should I just stay away from samba printing 
and go direct to Network printers? What are the advantages of a samba 
print server as opposed to installing printer drivers on the client and 
printing to a network printer?

Any opinions are appreciated

Regards

DSP



[Samba] Winbind seems to have hosed my roaming profiles

2003-11-06 Thread Douglas Phillipson
Winbind seems to have broken my roaming profiles.  I have a 3.0.1Pre1 DC 
on RH AS 3.0 running with Win2000 SP4 clients logging in.  Remote 
profiles worked well and then I added:

winbind separator = +
idmap uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/win2000/%D/%U
template shell = /bin/bash

Added it to nsswitch.conf and started winbindd

The next time I logged in on a client, I got the message that it 
couldn't create my profile on the DC.  I removed the existing profile 
from /home/profiles/ expecting it would recreate it but got 
the same message.  As soon as I commented out the above entries 
everything went back to normal.  I'd heard that winbind usually makes 
things better.  What's happening here???  Should I have made my samba 
and Linux users AFTER adding winbind?  I'm still not sure winbind is 
applicable in my situation because I have NO other real MS Domain 
Controllers.  Please advise...

Thanks

DSP  (Reading up more on winbind)



[Samba] Admin privileges for root in a samba domain on a win2000 box

2003-11-05 Thread Douglas Phillipson
Just an FYI for those that are interested.

I found that to give admin privileges, in Windows, to Domain user "root" 
do this on the Samba Domain Controller:

net groupmap modify ntgroup="Domain Admins" unixgroup=root

I can now install/remove software logged in as a domain user "root" on 
Win2k.

I've never seen this directly stated before and thought some newbies 
would like to know.  (I'm still a samba newbie poring through the docs 
and howto's)

Thanks  Samba team for a great piece of software!
Regards
Doug P



[Samba] Winbind separator warning

2003-11-05 Thread Douglas Phillipson
When adding winbind entries in smb.conf and running testparm I get the 
following warning:

'winbind separator = +' might cause problems with group membership.

"winbind separator = +" is used in the HOWTO (21.5.3.3).  Is this OK? 
Or will I have problems.  What is the separator for? What commands is it 
used with?  I see some querying commands like wbinfo but are there 
commands that require one to use the separator as part of the command 
syntax?  Basically, what problem is this error referring to?

Second question:

Should I only create Linux/samba users after winbind is running?  I 
don't think it should make a difference but I just want to make sure.

DSP



[Samba] Cups printing, domain group error, getting closer...

2003-11-04 Thread Douglas Phillipson
After realizing my CUPS printername in /etc/cups/cupsd.conf must be the 
same as my samba printer sharename (I don't think it says that anywhere 
in any HOWTO, correct me if I'm wrong though) I am now getting to the 
printer resource but...

Using Samba 3.0.1 and attempting to connect to a samba cups printer with 
Win2000 I am getting the following samba error:

  Returning domain sid for domain TESTDOM -> S-1-5-21-4236639219-957987792-2344320348
[2003/11/04 21:48:54, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2537)
  Returning domain sid for domain TESTDOM -> S-1-5-21-4236639219-957987792-2344320348
[2003/11/04 21:48:54, 0] rpc_server/srv_util.c:get_domain_user_groups(371)
  get_domain_user_groups: primary gid of user [douglas] is not a Domain group !
  get_domain_user_groups: You should fix it, NT doesn't like that

The DC is a samba machine and I am running winbind on it.  Do I need to 
create a domain group through samba or something?

Thanks

DSP

SMB.conf:

[global]

workgroup = TESTDOM
netbios name = blue
security = user
server string = Samba Server
winbind separator = +
idmap uid = 1-2
winbind gid = 1-2
winbind enum users = yes
winbind enum groups = yes
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba.log
log level = 2
max log size = 5
add machine script = /usr/sbin/useradd -n -g machines -c Machine -d /dev/null -s /bin/false %u
add user script = /usr/sbin/useradd %u

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

local master = Yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
admin users = root
csc policy = disable
logon script = logon.bat
logon path = \\%L\profiles\%U
logon drive = H:
printer admin = root
printing = cups
printcap name = cups
username map = /etc/maps
[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = yes
writable = no
create mask = 0600
directory mask = 0700
;   share modes = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[profiles]
path = /home/profiles
browseable = no
guest ok = no
create mask = 0600
directory mask = 0700
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
# Set public = yes to allow user 'guest account' to print
guest ok = yes
writable = yes
public = yes
printable = yes
printer admin = root, douglas
[hp7xxx]
comment = Printer with Restricted Access
path = /var/spool/samba_my_printer
printer admin = root, douglas
browseable = yes
printable = yes
writeable = yes
guest ok = yes


[Samba] Cups printing on Samba 3.0.1 from Win2000 SP4

2003-11-04 Thread Douglas Phillipson
I have a samba based domain controller with a CUPS printer working fine. 
 When I try to connect to a samba printer from  Win2000 I get the 
following in the samba log:

[2003/11/04 20:38:02, 0] printing/print_cups.c:cups_queue_get(889)
  Unable to get jobs for ipp://localhost/printers/goucho - client-error-not-found
[2003/11/04 20:38:02, 0] smbd/service.c:set_admin_user(321)
  root logged in as admin user (root privileges)

Any clues are appreciated...

Here are the relevant parts of my smb.conf:

[global]

workgroup = TESTDOM
netbios name = blue
security = user
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba.log
log level = 2
max log size = 5
add machine script = /usr/sbin/useradd -n -g machines -c Machine -d /dev/null -s /bin/false %u
add user script = /usr/sbin/useradd %u

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

local master = Yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
admin users = root
csc policy = disable
logon script = logon.bat
logon path = \\%L\profiles\%U
logon drive = H:
printer admin = root
printing = cups
printcap name = cups
[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
# Set public = yes to allow user 'guest account' to print
guest ok = yes
writable = yes
public = yes
printable = yes
printer admin = root, douglas
#   hosts allow = 0.0.0.0
[goucho]
comment = Printer with Restricted Access
path = /var/spool/samba_my_printer
printer admin = root, douglas
browseable = yes
printable = yes
writeable = yes
guest ok = yes
  username map = /etc/maps


[Samba] Samba printing, I just don't get it

2003-11-04 Thread Douglas Phillipson
I'm sorry for asking a really newbie question here.  But I'm just 
missing something I guess.  I've read the HOWTO for 3.0.0 and either I 
missed it or I just didn't understand it.

I have 3.0.1Pre1 on RH 9 "Machine A" working as a domain controller with 
a win2000 SP4 box.  I made a USB local CUPS printer on RH 9 "Machine B". 
 I made a remote CUPS printer on "A" that prints to "B" just fine.  How 
do I get the Win2000 machine "C" to print to the printer on "B"? I can 
see the printer share from Win2000.  I can't connect to it though, it 
says I have insufficient access.  I try to create a "network" printer 
and use \\Machine A\dot but again insufficient access.  I'm logged in as 
root on the win2k box, in the TESTDOM domain. I also don't understand 
what parameter to put into smb.conf to actually print to the CUPS 
printer.  What am I missing here?  How do you add the printer from the 
Windows side?  Or do you just connect to it?  My samba.log shows this 
when trying to connect:

[2003/11/03 23:58:26, 0] smbd/service.c:set_admin_user(321)
  root logged in as admin user (root privileges)
[2003/11/03 23:58:27, 0] printing/print_cups.c:cups_queue_get(889)
  Unable to get jobs for ipp://localhost/printers/dot - client-error-not-found

Here is my smb.conf for printing:

[global]

workgroup = TESTDOM
netbios name = blue
security = user
server string = Samba Server
printcap name = /etc/printcap
load printers = yes
log file = /var/log/samba.log
log level = 2
max log size = 5
add machine script = /usr/sbin/useradd -n -g machines -c Machine -d /dev/null -s /bin/false %u
add user script = /usr/sbin/useradd %u

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

local master = Yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
admin users = root
csc policy = disable
logon script = logon.bat
logon path = \\%L\profiles\%U
logon drive = H:
printing = cups
printcap name = cups
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = yes
writable = yes
public = yes
printable = yes
printer admin = root, douglas
[dot]
comment = Printer with Restricted Access
path = /var/spool/samba_my_printer
printer admin = root, douglas
browseable = yes
printable = yes
writeable = yes
guest ok = yes


[Samba] Request for ACL experiences

2003-10-29 Thread Douglas Phillipson
I'm having trouble with ACL's and wonder how many others are too.  I see 
conflicting answers and comments about different aspects of ACL's from 
many people on the list.  I was wondering if ANYONE is successfully 
using ACL's with Samba 3.0 or above.

Questions I have that I'm sure many are asking are:

Was your Samba server configured as the DC?

What client OS were you setting ACL's on the Samba Share with? (Win2000, 
XP) What service pack (SP4 on Win2000???)

Did you have to have the ACL kernel patch?

Did you need "nt acl support = yes" in each share definition?

How did you setup your shares? (Working share Examples are good)

Did you have to use the "server Tools" downloaded from microsoft or 
could you simply right click on a file/folder and change the security ACL's?

How are you verifying the ACL's actually work?  Did you fully test any 
ACL you set through Windows by actually trying to make a user access a 
file to see that his access matched the ACL you set.

What was the scope of what you could really do with ACL's?

What didn't work with ACL's that you thought should?

Are you comparing the windows ACL's to the output of getfacl?

Could you use ACL's to add users to Samba printers?

How did you add Samba printers as Domain resources so you could add 
ACL's to them?  Or did you need to do this?

Did you have to do any setfacl commands in Linux?

Did you have to run winbind?

Did you have to do any "net groupmap" commands to make ACL's work?

I.E. net groupmap modify ntgroup="Domain Admins" unixgroup=root

Were there any commands/configurations you had to use to make ACL's work 
that were not covered in the 3.0 HowTo?

I think we could use some real world working examples here.  Please be 
VERY explicit and complete with concrete examples.  Assume those reading 
your answers are NOT experts!  If you see any missing questions that you 
think might be useful to using ACL's, please add them!

regards

Doug P



Re: [Samba] Samba Share ACLs

2003-10-29 Thread Douglas Phillipson
Please See ACL related questions below...

John H Terpstra wrote:
On Wed, 29 Oct 2003 [EMAIL PROTECTED] wrote:


Hi all,

I have already set up a Samba 3.0 with Openldap as user repository. I have a question 
about share access controls.
Chapter 13.1 of Samba-HOWTO-Collection describes:
Samba offers a lot of flexibility in file system access management. These are the key 
access control facilities present
in Samba today:
1) UNIX File and Directory Permissions
2) Samba Share Definitions
3) Samba Share ACLs
   Just like it is possible in MS Windows NT to set ACLs on shares themselves, so it 
is possible to do this in Samba.
   Few people make use of this facility, yet it remains one of the easiest ways to 
affect access controls (restrictions)
   and can often do so with minimum invasiveness compared with other methods.
4) MS Windows ACLs through UNIX POSIX ACLs


I have a question about Point 3 Samba Share ACLs. Do I need Linux file
system ACLs in order to be able to define Samba Share ACLs.


No, you do not! You need to use the Server Tools, or the Nexus package
from Microsoft as documented in the HOWTO.

Are you saying here that you don't need the ACL patch in linux to do 
ACL's?

If not I have problems to define ACLs on shares via Windows Explorer
from a Windows XP Workstation. my environment:


Using the files extracted from the SRVTOOLS.EXE installation, in
particular the Server Manager, you must edit the permissions on the Shares
themselves.

Samba 3.0 compiled --with-acl-support installed on Suse Linux Enterprise Server 8
OpenLDAP 2.1.4 as user repository.
Samba 3.0 is configured as PDC.
I can log from a Windows XP workstation in Samba Domain. I can connect to shares 
defined in smb.conf.
All defined access controls in smb.conf work fine.


You must log on as the Administrator for the Domain (root).


I try to set ACLs on following Share:

[Test-Share]
  path=/home/Test-Share
  public = yes
  printable = no
  writeable = yes

Do you have to have "nt acl support = yes" in any share that will have 
its acl's changed by the "server tools"?

This is an example of setting share definition controls.

- John T.


[Samba] Should I use winbind in this case

2003-10-24 Thread Douglas Phillipson
I can't seem to get an answer to this question...

Should I use winbind if my Domain Controller is a samba machine?  Or is 
it only useful if my DC is a real MS DC and I have other unix/linux 
client machines?

I'm strictly wanting to provide file and domain logon services to 
Win2000 machines via a samba DC.  There are no other DC's involved. 
After reading the 3.0 HowTo on winbind all I see are references to 
winbind helping linux/unix resolve usernames from a Windows DC.  If I'm 
using a linux/samba box as the DC I don't need this for my win2000 
users, in a domain on the Samba DC, to gain access to shares, right? 
Would winbind help me in any other way in trying to use ACL's?

Regards

Doug P



[Samba] Should I use Winbind if my DC is Samba?

2003-10-23 Thread Douglas Phillipson
Should I use winbind if my Domain Controller is a samba machine?  Or is 
it only useful if my DC is a real MS DC?

Regards

Doug P



[Samba] Found a ACL howto but...

2003-10-23 Thread Douglas Phillipson
I found a howto on ACL's but it assumes the following:

At this time, this document is not 100% complete. I have assumed you are 
joining to a Windows 2000 domain which is using Active Directory, you 
aren't trying to use Samba as a domain controller, and that you're using 
ext2 or ext3 on Linux.

How would this procedure have to be changed if I was using Samba as the DC?

http://www.bluelightning.org/linux/samba_acl_howto/

Regards

Doug P



[Samba] How do I add a printer as a samba domain resource

2003-10-23 Thread Douglas Phillipson
With NT4 I grant users access to printers via the security tab on the 
printer.  How do I add a printer as a domain resource, with Samba, that 
I can then grant domain users access to through Windows?  (Using Samba 
3.0.1Pre1 as a DC)

Thanks

Doug P



[Samba] How do I add a printer as a domain resource

2003-10-23 Thread Douglas Phillipson
With NT4 I grant users access to printers via the security tab on 
the printer.  How do I add a printer as a domain resource, with Samba, 
that I can then grant domain users access to?  (Using Samba 3.0.1Pre1)

Thanks

Doug P



[Samba] ACL's vs Share definitions (Trying again)

2003-10-22 Thread Douglas Phillipson
I have the Win2000 client(s) in a Samba domain.  Domain authentication 
works fine, my "homes" share works fine, remote profiles work fine.

Using 3.0.1Pre1 I would like to add people to "someshare" through the 
Security tab, and control their access through windows ACL's.

How should I setup a share as a basis for doing this?

The share below (someshare) in this email doesn't work.  Although I get 
no error when adding another user to the share through the security tab 
in windows, and the ACL's on the Linux side get added. The newly added 
user, added via "Properties->Security", does not have permission to 
write to the share.

Does the "read list", "write list" and other similar parameters take 
precedence over an ACL set through windows?

If the share definition overrides all the ACL's, what good are ACL's? Am 
I not using them properly?

How should I setup a share with minimal rights so an administrator can 
grant users access to the share, through Windows ACL's?

Does winbind offer any advantages to me if no other DC's are involved. I 
have one samba 3.0.1 DC with several win2000 PC's as a testbed.  I'm 
trying to really scope out what ACL's do for me.  I've read the section 
on Winbind according to the "Target Uses" section winbind would be good 
for adding Linux machines to an existing NT network.  I will have no 
existing NT machines or Domains so what does winbind offer me and do I 
need to run it anyway?

On my NT4 box we grant access to printers through the Security tab on 
the printer, adding the user to the printer.  Is this possible with 
ACL's as they exist now with Samba and the ACL patch?

If so, how would you add a printer as a domain resource to do this, 
again through windows?  Or does it have to be added (if it can be added) 
on the Linux side?  If on linux side, how do you add/create a domain 
printer.  Is the printer in the domain simply by being in the smb.conf 
file?  I don't see my printer as a resource, domain or other,to choose 
from in the security tab from within windows.

I did read the April 21 2003 version of the howto and these things were 
not clear to me.  After I figure them out I would be happy to give you 
some verbage if you would care to have it.

Thanks again Samba folks

Doug P

(Previous reference below)

I'm really struggling with ACL's and permissions.  I have a share owned 
by a user (douglas).  Douglas can read, write and create to the share:

[someshare]
  comment = Public Stuff
  path = /home/samba/pub
  nt acl support = yes
  public = yes
  admin users = douglas
  write list = douglas

I'm logged in to Win2000 as douglas.  Through the security tab on 
Win2000 I add read and write permission to the top level share called 
public (but it's not really public) for "terry".  I see terry in the 
list and everything seems to go OK in setting it.  Then I log off and 
login as terry.  Terry has no write access to the share.  What takes 
precedence?  The share definition in smb.conf or settings through the 
security tab in windows, which should be the ACL's.   Does adding a user 
through the security tab effectively add another user to the "write 
list".  If so, it isn't.  What am I doing wrong?

Here are the linux permissions:

ls -ld /home/samba/pub
drwxrwxrwt    3 douglas  douglas      4096 2003-10-20 22:18 /home/samba/pub

Here are the ACL's from linux
getfacl -R --skip-base /home/samba/pub
getfacl: Removing leading '/' from absolute path names
# file: home/samba/pub
# owner: douglas
# group: douglas
user::rwx
user:terry:rwx
group::r-x
mask::rwx
other::rwx
default:user::rwx
default:user:terry:rwx    < Shouldn't terry have rwx access according to this?
default:group::---
default:mask::rwx
default:other::---



Re: [Samba] ACL's and permissions

2003-10-21 Thread Douglas Phillipson
After looking at my own post, I see I need to tweak my questions.

I have the Win2000 client(s) in a Samba domain.  Domain authentication 
works fine, my "homes" share works fine, remote profiles work fine.

Using 3.0.1Pre1 I would like to add people to "someshare" through the 
Security tab, and control their access through windows ACL's.

How should I setup a share as a basis for doing this?

The share below (someshare) in this email doesn't work.  Although I get 
no error when adding another user to the share through the security tab 
in windows, and the ACL's on the Linux side get added. The newly added 
user does not have permission to write to the share.

Does the "read list", "write list" and other similar parameters take 
precedence over an ACL set through windows?

If the share definition overrides all the ACL's, what good are ACL's? Am 
I not using them properly?

How should I setup a share with minimal rights so an administrator can 
grant users access to the share, through Windows ACL's?

Does winbind offer any advantages to me if no other DC's are involved. I 
have one samba 3.0.1 DC with several win2000 PC's as a testbed.  I'm 
trying to really scope out what ACL's do for me.  I've read the section 
on Winbind according to the "Target Uses" section winbind would be good 
for adding Linux machines to an existing NT network.  I will have no 
existing NT machines or Domains so what does winbind offer me and do I 
need to run it anyway?

On my NT4 box we grant access to printers through the Security tab on 
the printer, adding the user to the printer.  Is this possible with 
ACL's as they exist now with Samba and the ACL patch?

If so, how would you add a printer as a domain resource to do this, 
again through windows?  Or does it have to be added (if it can be added) 
on the Linux side?  If on linux side, how do you add/create a domain 
printer.  Is the printer in the domain simply by being in the smb.conf 
file?  I don't see my printer as a resource, domain or other,to choose 
from in the security tab from within windows.

I did read the April 21 2003 version of the howto and these things were 
not clear to me.  After I figure them out I would be happy to give you 
some verbage if you would care to have it.

Thanks again Samba folks

Doug P

Douglas Phillipson wrote:
I'm really struggling with ACL's and permissions.  I have a share owned 
by a user (douglas).  Douglas can read, write and create to the share:

[someshare]
  comment = Public Stuff
  path = /home/samba/pub
  nt acl support = yes
  public = yes
  admin users = douglas
  write list = douglas

I'm logged in to Win2000 as douglas.  Through the security tab on 
Win2000 I add read and write permission to the top level share called 
public (but it's not really public) for "terry".  I see terry in the 
list and everything seems to go OK in setting it.  Then I log off and 
login as terry.  Terry has no write access to the share.  What takes 
precedence?  The share definition in smb.conf or settings through the 
security tab in windows, which should be the ACL's.   Does adding a user 
through the security tab effectively add another user to the "write 
list".  If so, it isn't.  What am I doing wrong?

Here are the linux permissions:

ls -ld /home/samba/pub
drwxrwxrwt    3 douglas  douglas      4096 2003-10-20 22:18 /home/samba/pub

Here are the ACL's from linux
getfacl -R --skip-base /home/samba/pub
getfacl: Removing leading '/' from absolute path names
# file: home/samba/pub
# owner: douglas
# group: douglas
user::rwx
user:terry:rwx
group::r-x
mask::rwx
other::rwx
default:user::rwx
default:user:terry:rwx    <<<<< Shouldn't terry have rwx access according to this?
default:group::---
default:mask::rwx
default:other::---






[Samba] ACL's and permissions

2003-10-20 Thread Douglas Phillipson
I'm really struggling with ACL's and permissions.  I have a share owned 
by a user (douglas).  Douglas can read, write and create to the share:

[public]
  comment = Public Stuff
  path = /home/samba/pub
  nt acl support = yes
  public = yes
  admin users = douglas
  write list = douglas

I'm logged in to Win2000 as douglas.  Through the security tab on 
Win2000 I add read and write permission to the top level share called 
public (but it's not really public) for "terry".  I see terry in the 
list and everything seems to go OK in setting it.  Then I log off and 
login as terry.  Terry has no write access to the share.  What takes 
precedence?  The share definition in smb.conf or settings through the 
security tab in windows, which should be the ACL's.   Does adding a user 
through the security tab effectively add another user to the "write 
list".  If so, it isn't.  What am I doing wrong?

Here are the linux permissions:

ls -ld /home/samba/pub
drwxrwxrwt    3 douglas  douglas      4096 2003-10-20 22:18 /home/samba/pub

Here are the ACL's from linux
getfacl -R --skip-base /home/samba/pub
getfacl: Removing leading '/' from absolute path names
# file: home/samba/pub
# owner: douglas
# group: douglas
user::rwx
user:terry:rwx
group::r-x
mask::rwx
other::rwx
default:user::rwx
default:user:terry:rwx    < Shouldn't terry have rwx access according to this?
default:group::---
default:mask::rwx
default:other::---



--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
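
The precedence question raised in this post and in the two follow-ups above (share definition versus the ACL set through the Security tab) can be worked through mechanically. The following is an added example, not code from the thread or from the Samba project: it evaluates the posted share definition (named [someshare] in the follow-ups, [public] here) and the posted getfacl output. It assumes a simplified model in which "read only" keeps its smb.conf default of yes, "write list" overrides it per user, "admin users" skip the filesystem check, and lists hold plain user names; all function names and the SMB_CONF_ACL_DRIVEN variant are hypothetical.

```python
# Added example, not from the thread. Simplified model: user names only (no
# @group lists), only the parameters shown in the post plus "read only".
YES = {"yes", "true", "1"}
# Constructed inputs: share definition and access ACL as posted in the thread.
SMB_CONF = """\
[someshare]
  comment = Public Stuff
  path = /home/samba/pub
  nt acl support = yes
  public = yes
  admin users = douglas
  write list = douglas
"""
# Hypothetical variant (assumption): share writable, so the ACL decides.
SMB_CONF_ACL_DRIVEN = SMB_CONF.replace("write list = douglas", "read only = no")
GETFACL = """\
# file: home/samba/pub
# owner: douglas
# group: douglas
user::rwx
user:terry:rwx
group::r-x
mask::rwx
other::rwx
default:user:terry:rwx
"""

def parse_share(conf_text, share):
    """Return one smb.conf section as {parameter: value}, names normalised."""
    params, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == share.lower() and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def user_list(params, name):
    return {u.lower() for u in params.get(name, "").replace(",", " ").split()}

def share_allows_write(params, user):
    """Share-level gate: write list wins, then read list, then read only."""
    if user.lower() in user_list(params, "write list"):
        return True
    if user.lower() in user_list(params, "read list"):
        return False
    for name, grants in (("read only", False), ("writable", True),
                         ("writeable", True), ("write ok", True)):
        if name in params:
            return (params[name].lower() in YES) == grants
    return False  # smb.conf default is read only = yes

def parse_getfacl(text):
    """Parse owner, group and access entries; default: entries are skipped."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7]] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qualifier, perms = line.split(":")[:3]
            acl["entries"].append((tag, qualifier, perms[:3]))
    return acl

def posix_allows_write(acl, user, groups=()):
    """POSIX.1e check order: owner, named user, group class, other."""
    def find(tag, qualifier):
        return next((p for t, q, p in acl["entries"]
                     if t == tag and q == qualifier), None)
    mask = find("mask", "")
    def masked(perms):  # named-user and group entries are capped by the mask
        return "w" in perms and (mask is None or "w" in mask)
    if user == acl["owner"]:
        return "w" in (find("user", "") or "")
    if find("user", user) is not None:
        return masked(find("user", user))
    group_perms = [p for t, q, p in acl["entries"] if t == "group"
                   and (q in groups or (q == "" and acl["group"] in groups))]
    if group_perms:  # a matching group entry never falls through to "other"
        return any(masked(p) for p in group_perms)
    return "w" in (find("other", "") or "")

def effective_write(conf_text, share, acl_text, user, groups=()):
    """Write needs both layers; admin users act as root on the filesystem."""
    params = parse_share(conf_text, share)
    share_ok = share_allows_write(params, user)
    fs_ok = (user.lower() in user_list(params, "admin users")
             or posix_allows_write(parse_getfacl(acl_text), user, groups))
    return {"share": share_ok, "filesystem": fs_ok, "effective": share_ok and fs_ok}

if __name__ == "__main__":
    for who in ("douglas", "terry"):
        print(who, effective_write(SMB_CONF, "someshare", GETFACL, who))
```

For terry the share gate reports False while the filesystem ACL reports True, so under this model the entry added through the Security tab is never the deciding layer. In the variant both layers allow the write, and other::rwx then also allows it for any other user who can connect to the share.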


[Samba] domain groups

2003-10-20 Thread Douglas Phillipson
I have ACL's enabled and am getting a new error, in the Samba log (V 
3.0.1Pre1), when attempting to set permissions on a file through Win2000:

  get_domain_user_groups: primary gid of user [terry] is not a Domain group !
  get_domain_user_groups: You should fix it, NT doesn't like that

Do I need to create a group on the windows(2000) side?  The entries in 
the domaingroup.map don't do this?  Please be verbose in answering.  A 
couple of good example wouldn't hurt also.

I have a domain group map:

domain group map = /etc/samba/domaingroup.map

Contents of this map are:

domuser = "Domain User"
domadmin = "Domain Admin"


I have terry in /etc/group and passwd as such:

/etc/passwd:

terry:x:505:1::/home/terry:/bin/bash

/etc/group:

domuser:x:1:terry, phillipd

Thank you very much

Doug P



Re: [Samba] is there a way to enforce a single domain wide login

2003-10-16 Thread Douglas Phillipson
If I put a preexec script in the [profiles] share that touches a file in 
the user's home dir, then removes it with a postexec script, I can 
enforce a domain wide single login.  That is for about 1 minute.  What 
appears to be happening is the share has a timeout feature that 
disconnects after about 1 minute and then calls the postexec script 
which removes the file required to determine if that user is currently 
logged on.  I tried using the "deadtime = 0" attribute but it still 
times out and runs the postexec script.

Any suggestions are appreciated...

DSP



[Samba] preexec scripts allowing logon under all conditions in 3.0.1

2003-10-16 Thread Douglas Phillipson
In an attempt to enforce a single login domain wide, I think preexec 
scripts will work, but when I test a script that returns a "1" the log 
says I get denied but I still get logged in.  Here is the info:

---
[netlogon]
   comment = Network Logon Service
   preexec close = yes
   root preexec close = yes
   preexec = /home/profiles/test.sh
   root preexec = /home/profiles/test.sh
#   root preexec = csh -c 'if [ -f /home/%u/.loggedon ] exit 0'
   path = /home/netlogon
   guest ok = no
   writable = no
   create mask = 0600
   directory mask = 0700
--
The script test.sh is just:
#!/bin/sh
#
exit 1

The samba log says:
root preexec gave 1 - connection failing
Closed connection to service netlogon
But I still get logged on.

If I change the "1" to a "4" I get

root preexec gave 4 - connection failing
Closed connection to service netlogon
But I still get logged on.
If I change the "1" to a "0" I get no entry in the log and get logged 
on.  The parameter appears to be acknowledged but won't prevent a logon. 
Any suggestions would be appreciated.

Regards

DSP
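
An added example, not part of the original posts: the touch-a-file idea from the [profiles] post and the `root preexec close` test above, written as one lock script with an atomic create, a stale-lock timeout and name validation for the values substituted for `%u` and `%m`. `LOCKDIR`, `MAX_AGE_MIN`, the function names and the install path are assumptions; a non-zero exit only closes the share connection, which is what the log lines above show.

```shell
#!/bin/sh
# Added example: per-user logon lock for "root preexec" / "root postexec".
# LOCKDIR, MAX_AGE_MIN and the function names are assumptions, not Samba options.
LOCKDIR="${LOCKDIR:-/var/lock/samba-single-login}"
MAX_AGE_MIN="${MAX_AGE_MIN:-720}"    # a lock older than this is treated as stale

# Accept only plain names, so a value substituted for %u or %m cannot leave LOCKDIR.
valid_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# acquire_lock USER MACHINE: 0 if USER may connect from MACHINE, 1 otherwise.
acquire_lock() {
    user=$1 machine=$2
    valid_name "$user" && valid_name "$machine" || return 1
    mkdir -p "$LOCKDIR" && chmod 700 "$LOCKDIR" || return 1
    lock="$LOCKDIR/$user"
    # Drop a stale lock left behind by a crashed client or a missed postexec.
    if [ -n "$(find "$lock" -type f -mmin +"$MAX_AGE_MIN" 2>/dev/null)" ]; then
        rm -f "$lock"
    fi
    # noclobber makes the create atomic: two simultaneous logons cannot both win.
    if ( set -C; printf '%s\n' "$machine" > "$lock" ) 2>/dev/null; then
        return 0
    fi
    # Lock exists: allow a reconnect from the machine that holds it, refresh its age.
    [ "$(cat "$lock" 2>/dev/null)" = "$machine" ] || return 1
    touch "$lock"
}

# release_lock USER MACHINE: remove the lock only if MACHINE is the holder.
release_lock() {
    user=$1 machine=$2
    valid_name "$user" && valid_name "$machine" || return 1
    lock="$LOCKDIR/$user"
    [ "$(cat "$lock" 2>/dev/null)" = "$machine" ] && rm -f "$lock"
    return 0
}

# smb.conf usage (assumed install path /usr/local/sbin/single-login.sh):
#   root preexec       = /usr/local/sbin/single-login.sh acquire %u %m
#   root preexec close = yes
#   root postexec      = /usr/local/sbin/single-login.sh release %u %m
case "${1:-}" in
    acquire) acquire_lock "${2:-}" "${3:-}" ;;
    release) release_lock "${2:-}" "${3:-}" ;;
esac
```

The `release` hook still runs when an idle connection is dropped, the behaviour reported in the [profiles] post, so the lock can disappear while the user is still logged on.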



Re: [Samba] Is there a way to enforce a single login domain wide

2003-10-16 Thread Douglas Phillipson
I'm trying a root preexec = some script

the script is:

#!/bin/sh
#
exit 1
In the samba log it says:

 root preexec gave 1 - connection failing
Closed connection to service netlogon
But I still get logged on.

If I change the "1" to a "4" I get

root preexec gave 4 - connection failing
Closed connection to service netlogon
If I change the "1" to a "0" I get no entry in the log and get logged 
on.  The parameter appears to be acknowledged but won't prevent a logon. 
 Any suggestions would be appreciated.

DSP

Gémes Géza wrote:
Douglas Phillipson írta:
| I just tested the process/uid check theory.  Upon initial login the new
| smbd process is owned by the user but with no activity on any shares it
| switches to being owned by root in a minute.  I guess I could use a
| script to touch a file with the users login name or uid and just check
| for that upon login and remove it on logout...
|
| Anyone have any better ideas?
|
| DSP
|
|
| Gémes Géza wrote:
|
|>
|> I.M.H.O
|>
|> you could write a root preexec script for your netlogon share, which would
|> check for running smbd with the uid of the connection, and return an
|> error if there is such. And specifying root preexec close = yes on the
|> netlogon share, you could deny them.
|> The danger is that because of blocked clients you would get lots of
|> frustrated clients.
|>
|> Good Luck!
|>
|> Geza Gemes
|>
|> John H Terpstra írta:
|> | On Mon, 13 Oct 2003, Douglas Phillipson wrote:
|> |
|> |
|> |>I didn't get any hits on this.  Does that mean it's not possible???
|> |>Has anyone enforced a "single instance" login policy somehow?  Is this a
|> |>reasonable question to ask?
|> |
|> |
|> | This is not possible. There is no way to do this with MS Windows 200x
|> | server - and there is no way to do this with Samba.
|> |
|> | - John T.
|> |
|> |
|> |>DSP
|> |>
|> |>Douglas Phillipson wrote:
|> |>
|> |> > I would like to enforce a policy for a user being only able to login
|> |>once anywhere in the Domain.  When you use roaming profiles, the system
|> |>gets confused and leaves the local profile on the client PC if the same
|> |>user logs in on a second machine while they are still logged in on the
|> |>first one.  This then causes the Samba profile to NOT get updated on
|> |>logout.  If a user is currently logged on a domain, I need that user to
|> |>be refused if they logon to a second machine until they logoff the first
|> |>machine.  Is this possible with Samba, or would I use some sort of logon
|> |>script to query something and force the user off at their second login
|> |>attempt?  When this problem occurs you have to reboot the machine and
|> |>remove the users local profile so it will again use the roaming profile
|> |>on the samba DC.  Very irritating...
|> |> >
|> |> > Thanks
|> |> >
|> |> > DSP
|> |>
|> |>
|> |
|> |
|>
|>
|>
|>
|
Maybe if you would try to filter smbstatus output in your root preexec
instead of ps-ing for smbd-s?
In my samba 3.0.1pre1 smbstatus gave me the correct username after about
an hour of inactivity.

Good Luck!

Geza Gemes





[Samba] If you install Samba via an rpm how do you tell what options are compiled in?

2003-10-16 Thread Douglas Phillipson
I think I need "with-acl-support" in Samba 3.0.1 but am unsure if it is 
compiled in.  How would I be able to tell if installed via RPM?

Thanks

DSP



Re: [Samba] Is there a way to enforce a single login domain wide

2003-10-14 Thread Douglas Phillipson
I just tested the process/uid check theory.  Upon initial login the new 
smbd process is owned by the user but with no activity on any shares 
it switches to being owned by root in a minute.  I guess I could use a 
script to touch a file with the users login name or uid and just check 
for that upon login and remove it on logout...

Anyone have any better ideas?

DSP

Gémes Géza wrote:
I.M.H.O

you could write a root preexec script for your netlogon share, which would
check for running smbd with the uid of the connection, and return an
error if there is such. And specifying root preexec close = yes on the
netlogon share, you could deny them.
The danger is that because of blocked clients you would get lots of
frustrated clients.
Good Luck!

Geza Gemes

John H Terpstra írta:
| On Mon, 13 Oct 2003, Douglas Phillipson wrote:
|
|
|>I didn't get any hits on this.  Does that mean it's not possible???
|>Has anyone enforced a "single instance" login policy somehow?  Is this a
|>reasonable question to ask?
|
|
| This is not possible. There is no way to do this with MS Windows 200x
| server - and there is no way to do this with Samba.
|
| - John T.
|
|
|>DSP
|>
|>Douglas Phillipson wrote:
|>
|> > I would like to enforce a policy for a user being only able to login
|>once anywhere in the Domain.  When you use roaming profiles, the system
|>gets confused and leaves the local profile on the client PC if the same
|>user logs in on a second machine while they are still logged in on the
|>first one.  This then causes the Samba profile to NOT get updated on
|>logout.  If a user is currently logged on a domain, I need that user to
|>be refused if they logon to a second machine until they logoff the first
|>machine.  Is this possible with Samba, or would I use some sort of logon
|>script to query something and force the user off at their second login
|>attempt?  When this problem occurs you have to reboot the machine and
|>remove the users local profile so it will again use the roaming profile
|>on the samba DC.  Very irritating...
|> >
|> > Thanks
|> >
|> > DSP
|>
|>
|
|




[Samba] Is there a way to enforce a single login domain wide

2003-10-13 Thread Douglas Phillipson
I didn't get any hits on this.  Does that mean it's not possible???
Has anyone enforced a "single instance" login policy somehow?  Is this a 
reasonable question to ask?

DSP

Douglas Phillipson wrote:

> I would like to enforce a policy for a user being only able to login 
once anywhere in the Domain.  When you use roaming profiles, the system 
gets confused and leaves the local profile on the client PC if the same 
user logs in on a second machine while they are still logged in on the 
first one.  This then causes the Samba profile to NOT get updated on 
logout.  If a user is currently logged on a domain, I need that user to 
be refused if they logon to a second machine until they logoff the first 
machine.  Is this possible with Samba, or would I use some sort of logon 
script to query something and force the user off at their second login 
attempt?  When this problem occurs you have to reboot the machine and 
remove the users local profile so it will again use the roaming profile 
on the samba DC.  Very irritating...
>
> Thanks
>
> DSP



[Samba] Is there a way to enforce a single login domain wide

2003-10-10 Thread Douglas Phillipson
I would like to enforce a policy for a user being only able to login 
once anywhere in the Domain.  When you use roaming profiles, the system 
gets confused and leaves the local profile on the client PC if the same 
user logs in on a second machine while they are still logged in on the 
first one.  This then causes the Samba profile to NOT get updated on 
logout.  If a user is currently logged on a domain, I need that user to 
be refused if they logon to a second machine until they logoff the first 
machine.  Is this possible with Samba, or would I use some sort of logon 
script to query something and force the user off at their second login 
attempt?  When this problem occurs you have to reboot the machine and 
remove the users local profile so it will again use the roaming profile 
on the samba DC.  Very irritating...

Thanks

DSP



[Samba] [Samba} Can't do roaming profiles (Solved)

2003-10-09 Thread Douglas Phillipson
Through much help from a guy in my local LUG I found the solution to 
making roaming profiles work on Win2000 (SP4).

1) You should have SP4 installed.
2) Two registry changes are needed:
   Use regedit and change the following two dword attributes to 0

   "requiresignorseal"
   "signsecurechannel"
3) Run the group policy editor "gpedit.msc" and enable the following 4 
policies under:

 Computer Configuration->Administrative Templates->System->Logon

"Do not check for ownership of Roaming Profiles Folders"
"Add the Administrators security group to roaming users profiles"
"Wait for remote user profile"
"Delete cached copies of roaming profiles"

Create the Linux user. Create the Samba user.  Logon as the user on 
windows, it will fail, but create the users profile dir on the Samba 
PDC.  It will NOT create a full profile on the PDC, but will on the Win 
client.  Copy a "default" profile and all the associated directories to 
the users profile dir on the Samba PDC.  Reboot the Client to release 
the lock on the users local copy of ntuser.dat and login as 
administrator and delete the users local profile copy on the PC.  Log 
back in as the user and the remote profile will be copied down from the 
samba server to the client.  When logging out, the samba users profile 
will be updated to the PDC and then removed from the client PC.

This works for me, I hope it does for everyone else...

Regards

Doug P

---
>I need a little advice on finishing off a Samba PDC.  I have Samba 
>3.0.0RC1 installed and working as a PDC on a Redhat AS 3.0 machine. 
>It authenticates users nicely but the "roaming" profiles don't work. 
>Tailing the samba log, I see an attempt to access the users 
>ntuser.dat file, which doesn't exist before the first logon, when 
>logging in. The profile directory (/home/profiles/ DOES get 
>created by samba when the user logs in.  When the user logs off, there 
>is no reference, in the log that ntuser.dat is being written with the 
>users updated profile.  In fact the ntuser.dat file is not created on 
>the samba server.  If I "touch ntuser.dat" in the profile directory on 
>the samba PDC, then log in on a Win2000 client PC, I get a message 
>saying the ntuser.dat file is not the proper format, so I know the 
>"profiles" share and "logon path" are correct.  But the profile will 
>not update on the PDC.  My Win2000 is SP2, and I tried SP4 also.  I 
>looked on the client PC and the profile is a "roaming" profile.  Also 
>the "add user script" doesn't work, I have to add the users by hand 
>(with the same script).  Here is my smb.conf file, any help is greatly 
>appreciated...

>Regards and thanks for a great program!

>Doug P

-
# Global parameters
[global]
workgroup = TESTDOM
server string = Samba Server
update encrypted = Yes
client lanman auth = No
client plaintext auth = No
log level = 4
log file = /var/log/samba.log
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
logon path = \\%L\profiles\%U
logon drive = H:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
ldap ssl = no
preload = homes

[homes]
comment = Home Directories
path = /home/%S
read only = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[software]
path = /home/software
read only = No
[netlogon]
path = /home/scripts
browseable = No
[profiles]
path = /home/profiles
read only = No
writable = yes
create mask = 0600
directory mask = 0700
profile acls = Yes
browseable = No


[Samba] Can't do roaming profiles

2003-10-08 Thread Douglas Phillipson
I need a little advice on finishing off a Samba PDC.  I have Samba 
3.0.0RC1 installed and working as a PDC on a Redhat AS 3.0 machine.  It 
authenticates users nicely but the "roaming" profiles don't work. 
Tailing the samba log, I see an attempt to access the users 
ntuser.dat file, which doesn't exist before the first logon, when 
logging in. The profile directory (/home/profiles/ DOES get 
created by samba when the user logs in.  When the user logs off, there 
is no reference, in the log that ntuser.dat is being written with the 
users updated profile.  In fact the ntuser.dat file is not created on 
the samba server.  If I "touch ntuser.dat" in the profile directory on 
the samba PDC, then log in on a Win2000 client PC, I get a message 
saying the ntuser.dat file is not the proper format, so I know the 
"profiles" share and "logon path" are correct.  But the profile will not 
update on the PDC.  My Win2000 is SP2, and I tried SP4 also.  I looked 
on the client PC and the profile is a "roaming" profile.  Also the "add 
user script" doesn't work, I have to add the users by hand (with the 
same script).  Here is my smb.conf file, any help is greatly appreciated...

Regards and thanks for a great program!

Doug P

-
# Global parameters
[global]
workgroup = TESTDOM
server string = Samba Server
update encrypted = Yes
client lanman auth = No
client plaintext auth = No
log level = 4
log file = /var/log/samba.log
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
logon path = \\%L\profiles\%U
logon drive = H:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
ldap ssl = no
preload = homes

[homes]
comment = Home Directories
path = /home/%S
read only = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[software]
path = /home/software
read only = No
[netlogon]
path = /home/scripts
browseable = No
[profiles]
path = /home/profiles
read only = No
writable = yes
create mask = 0600
directory mask = 0700
profile acls = Yes
browseable = No


[Samba] Has anyone tried to install OfficeXP into a samba share?

2003-09-18 Thread Douglas Phillipson
When I attempt to install OfficeXP into a drive letter "S:" which is a 
samba share, I can't get the install to finish.  Anyone else experience 
this?

DSP



[Samba] Installing office on a 3.0.0-8rc3 share

2003-09-18 Thread Douglas Phillipson
I'm having trouble installing OfficeXP on a Win2000 machine that has a 
samba share.  Office XP installs and gets almost to the end then coughs 
an obscure error and states that two files will be sent to microsoft for 
debugging, which aren't there I might add.  I can install the same 
software just fine on a share from a Win2000 server so my question is, 
how could it know the difference?  I'm not sure what additional 
information I could post here that would be helpful.  The share has full 
write permission and the files show up on the share.  Then at the end it 
fails and backs out all the files and barfs the bogus error message.

Thanks

DSP
