[Samba] Moving from SAMBA to 2003 domain with XP SP# client machines roaming profiles stopped working
We have been directed to move off a SAMBA domain to a Server 2003 R2 domain. We run roaming profiles with Samba and would like to continue this on 2003 R2. After bringing all the XP SP3 desktops into the 2003 R2 domain, roaming profiles won't work. I'm not even trying to use the SAMBA-generated profiles. The error I get when logging on is:

    Windows cannot locate the server copy of your roaming profile and is attempting to log you on with your local profile. Changes to the profile will not be copied to the server when you log off.

Errors in the event viewer are:

    DETAIL - Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.

This only happens on machines we switched from SAMBA. Any other machine we add to the AD domain that wasn't in the SAMBA domain handles roaming profiles just fine. Has anyone ever seen this behavior? I've checked the permissions on "Documents and Settings" and they are the same as on other machines that work, so I don't think it's a permissions problem loading a profile into the Documents and Settings directory. I've tried flushing old local group policies with gpedit and loading the policy templates. I just don't know where to go from here and what else to try, short of re-imaging the machines. They come into the AD domain just fine and authenticate users, but roaming profiles won't load. This even occurs if the roaming profile account used is a "Domain Admin". We are using SAMBA version 3.0.33.

Thank you very much in advance for your time.

Doug P (Sadly moving off Linux)

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)
On 10/12/2010 01:05 PM, Douglas Phillipson wrote:

To create a "Trust" between Samba and a W2003 AD Domain, does the Samba machine have to be a domain member also?

Doug P

I'm not clear on something. My goal is to have our AD users access a Samba share without having to enter a second set of credentials. So this is where the trust comes in. Our Samba machine is a PDC of a different domain than our Win2003 PDC. I'm told the Samba machine has to be a member server in the W2003 domain for the trust to work. I thought trusts were between PDCs. Can my Samba machine be a PDC and a member server of a W2003 domain?

Confused...

Doug P
Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)
To create a "Trust" between Samba and a W2003 AD Domain, does the Samba machine have to be a domain member also?

Doug P

On 10/11/2010 11:29 PM, Daniel Müller wrote:

http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html#id2621046

Problems with LDAP ldapsam and Older Versions of smbldap-tools

If you use the smbldap-useradd script to create a trust account to set up interdomain trusts, the process of setting up the trust will fail. The account that was created in the LDAP database will have an account flags field that has [W ], when it must have [I ] for interdomain trusts to work. Here is a simple solution.

Create a machine account as follows:

    root# smbldap-useradd -w domain_name

Then set the desired trust account password as shown here:

    root# smbldap-passwd domain_name\$

Using a text editor, create the following file:

    dn: uid=domain_name$,ou=People,dc={your-domain},dc={your-top-level-domain}
    changetype: modify
    sambaAcctFlags: [I ]

Then apply the text file to the LDAP database as follows:

    root# ldapmodify -x -h localhost \
          -D "cn=Manager,dc={your-domain},dc={your-top-level-domain}" \
          -W -f /path-to/foobar

Create a single-sided trust under the NT4 Domain User Manager, then execute:

    root# net rpc trustdom establish domain_name    <- important

It works with Samba-3 and NT4 domains, and also with Samba-3 and Windows 200x ADS in mixed mode. Both domain controllers, Samba and NT, must have the same WINS server; otherwise, the trust will never work. <--- important

---
EDV Daniel Müller
Leitung EDV Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24, 72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
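As an added example that is not part of Daniel's reply or of the Samba HOWTO text he quotes, the following POSIX shell script does two things a practitioner wants around that fix: it writes the LDIF that sets the trust account's sambaAcctFlags to [I ], and it reads an ldapsearch dump to report whether a given trust account still carries the [W ] that smbldap-useradd gave it. WECN is the AD domain name from the original question; the suffix dc=example,dc=com, the ou=People container (the HOWTO's template) and the sample dump are constructed for the example. Unlike the quoted snippet, the LDIF carries an explicit replace: line, which ldapmodify requires for a changetype: modify entry (RFC 2849).

```shell
#!/bin/sh
# Added example, not from the HOWTO or the thread. Suffix, container and the
# sample directory dump below are constructed; WECN is the poster's AD domain.

# Emit the ldapmodify input that turns DOMAIN$ into an interdomain trust
# account. Samba stores sambaAcctFlags as "[" + flags padded to 11 chars + "]".
make_trust_ldif() {   # make_trust_ldif DOMAIN SUFFIX
    printf 'dn: uid=%s$,ou=People,%s\n' "$1" "$2"
    printf 'changetype: modify\n'
    printf 'replace: sambaAcctFlags\n'     # the HOWTO omits this; ldapmodify needs it
    printf 'sambaAcctFlags: [I          ]\n'
}

# Read an LDIF dump on stdin, e.g. from
#   ldapsearch -x -LLL -b "$SUFFIX" '(uid=*$)' uid sambaAcctFlags
# and judge the entry for DOMAIN$ by its dn (attribute order in the dump
# does not matter). Exit 0: flags contain I; 1: entry present but flags lack
# I (the smbldap-useradd [W ] problem); 2: no entry for that uid.
check_trust_flags() {   # check_trust_flags DOMAIN < ldif
    awk -v want="uid=$1\$," '
        $1 == "dn:"             { dn = substr($0, 5) }
        $1 == "sambaAcctFlags:" { flags[dn] = substr($0, index($0, "[")) }
        END {
            for (d in flags)
                if (index(d, want) == 1) exit (index(flags[d], "I") ? 0 : 1)
            exit 2
        }'
}

# Constructed sample dump: WECN$ as smbldap-useradd -w leaves it, LECN2$ fixed.
sample_ldif() {
cat <<'EOF'
dn: uid=WECN$,ou=People,dc=example,dc=com
uid: WECN$
sambaAcctFlags: [W          ]

dn: uid=LECN2$,ou=People,dc=example,dc=com
sambaAcctFlags: [I          ]
uid: LECN2$
EOF
}

# Demo when run directly: ./trustflags.sh --demo
case "${1:-}" in
--demo)
    make_trust_ldif WECN dc=example,dc=com
    if sample_ldif | check_trust_flags WECN; then
        echo "WECN\$: ok"
    else
        echo "WECN\$: needs the [I ] fix (exit $?)"
    fi
    ;;
esac
```

Apply the generated LDIF with ldapmodify -x -D "cn=Manager,..." -W -f file, confirm with pdbedit -L -v that the Account Flags line for WECN$ now shows [I ], and only then run net rpc trustdom establish WECN. The checker reads a plain ldapsearch -LLL dump; it does not unfold long LDIF lines or decode base64-encoded values.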
Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)
Oops, should be using a machine arg. Tried:

    /var/lib/samba/sbin/smbldap-useradd.pl -w -c "Domain Trust" ECN$

Still get the error:

    failed to add entry: at /var/lib/samba/sbin//smbldap_tools.pm line 497, line 283.

Doug P

On 10/11/2010 10:29 AM, Douglas Phillipson wrote:

When trying to add the machine account with smbldap, I use the syntax:

    /var/lib/samba/sbin/smbldap-useradd.pl -a -B 1 -c "Domain Trust" ECN$

I get the following error when adding the machine account:

    failed to add entry: at /var/lib/samba/sbin//smbldap_tools.pm line 497, line 283.

Thanks

Doug P

On 10/11/2010 09:53 AM, Douglas Phillipson wrote:

I'm trying to establish a two-way non-transitive trust between a W2003 A/D box and our SAMBA domain. We are using smbldap so we can log in on any of the Linux boxes with the same password. Samba is version 3.0.33 on Red Hat Enterprise. It's easy to create the trust on the Windows side with AD Domains and Trusts, but on the Linux side I'm not sure if I need to put the machine account locally in smbpasswd or use the smbldap passwd on the LDAP server. Has anyone done this before?

For the sake of example:
My Windows A/D domain is WECN
My Linux domain is LECN

I've tried putting the machine account both in the local file and in the LDAP passwd file, but it just doesn't work. I've got the Samba 3 HowTo book and tried lots of googled suggestions but still can't seem to make this work. Any suggestions are appreciated. Is there an easier way to do this? My end result is to map a share on the SAMBA server from a WinXP client computer that's in a W2003 domain without having to put in a Linux username/password.

Thanks for your time and suggestions!
Doug P
Re: [Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)
When trying to add the machine account with smbldap, I use the syntax:

    /var/lib/samba/sbin/smbldap-useradd.pl -a -B 1 -c "Domain Trust" ECN$

I get the following error when adding the machine account:

    failed to add entry: at /var/lib/samba/sbin//smbldap_tools.pm line 497, line 283.

Thanks

Doug P

On 10/11/2010 09:53 AM, Douglas Phillipson wrote:

I'm trying to establish a two-way non-transitive trust between a W2003 A/D box and our SAMBA domain. We are using smbldap so we can log in on any of the Linux boxes with the same password. Samba is version 3.0.33 on Red Hat Enterprise. It's easy to create the trust on the Windows side with AD Domains and Trusts, but on the Linux side I'm not sure if I need to put the machine account locally in smbpasswd or use the smbldap passwd on the LDAP server. Has anyone done this before?

For the sake of example:
My Windows A/D domain is WECN
My Linux domain is LECN

I've tried putting the machine account both in the local file and in the LDAP passwd file, but it just doesn't work. I've got the Samba 3 HowTo book and tried lots of googled suggestions but still can't seem to make this work. Any suggestions are appreciated. Is there an easier way to do this? My end result is to map a share on the SAMBA server from a WinXP client computer that's in a W2003 domain without having to put in a Linux username/password.

Thanks for your time and suggestions!
Doug P
[Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL
I'm trying to establish a two-way non-transitive trust between a W2003 A/D box and our SAMBA domain. We are using smbldap so we can log in on any of the Linux boxes with the same password. Samba is version 3.0.33 on Red Hat Enterprise. It's easy to create the trust on the Windows side with AD Domains and Trusts, but on the Linux side I'm not sure if I need to put the machine account locally in smbpasswd or use the smbldap passwd on the LDAP server. Has anyone done this before?

For the sake of example:
My Windows A/D domain is WECN
My Linux domain is LECN

I've tried putting the machine account both in the local file and in the LDAP passwd file, but it just doesn't work. I've got the Samba 3 HowTo book and tried lots of googled suggestions but still can't seem to make this work. Any suggestions are appreciated. Is there an easier way to do this? My end result is to map a share on the SAMBA server from a WinXP client computer that's in a W2003 domain without having to put in a Linux username/password.

Thanks for your time and suggestions!
Doug P

My smb.conf [global]:

[global]
	dos charset = CP850
	unix charset = UTF-8
	display charset = LOCALE
	workgroup = LECN
	realm =
	netbios name = RSL-PDC1
	netbios aliases =
	netbios scope =
	server string = Primary RSL Samba Server
	interfaces =
	bind interfaces only = No
	security = USER
	auth methods =
	encrypt passwords = Yes
	update encrypted = No
	client schannel = Auto
	server schannel = Auto
	allow trusted domains = Yes
	map to guest = Never
	null passwords = No
	obey pam restrictions = Yes
	password server = *
	smb passwd file = /etc/samba/smbpasswd
	private dir = /etc/samba
	passdb backend = ldapsam:"ldap://127.0.0.1";
	algorithmic rid base = 1000
	root directory =
	guest account = smbguest
	passwd chat debug = No
	passwd program = /usr/sbin/smbldap-passwd -u %u
	passwd chat = "Changing UNIX password for*\nNew password*" %n\n "*Retype new password*" %n\n"
	passwd chat timeout = 2
	check password script = /usr/sbin/crackcheck -c -d /usr/lib/cracklib_dict
	username map =
	password level = 0
	username level = 0
	unix password sync = Yes
	ntlm auth = Yes
	restrict anonymous = Yes
	lanman auth = No
	;ntlm auth = No
	client NTLMv2 auth = Yes
	client lanman auth = No
	client plaintext auth = No
	preload modules =
	use kerberos keytab = No
	log level = 3 vfs:1
	syslog = 0
	syslog only = No
	log file = /var/log/samba/%m.log
	max log size = 50
	debug timestamp = Yes
	debug hires timestamp = No
	debug pid = No
	debug uid = No
	smb ports = 139
	large readwrite = Yes
	max protocol = NT1
	min protocol = CORE
	read bmpx = No
	read raw = Yes
	write raw = Yes
	disable netbios = No
	acl compatibility =
	defer sharing violations = Yes
	nt pipe support = Yes
	nt status support = Yes
	announce version = 4.9
	announce as = NT
	max mux = 50
	max xmit = 65535
	name resolve order = wins hosts bcast
	max ttl = 259200
	max wins ttl = 518400
	min wins ttl = 21600
	time server = Yes
	unix extensions = Yes
	use spnego = Yes
	client signing = auto
	server signing = No
	client use spnego = Yes
	;change notify timeout = 60
	deadtime = 15
	getwd cache = Yes
	keepalive = 300
	kernel change notify = Yes
	lpq cache time = 30
	max smbd processes = 0
	paranoid server security = Yes
	max disk size = 0
	max open files = 1
	socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
	use mmap = Yes
	hostname lookups = No
	name cache timeout = 660
	load printers = Yes
	printcap cache time = 0
	printcap name = cups
	cups server =
	disable spoolss = No
	enumports command =
	addprinter command =
	deleteprinter command =
	show add printer wizard = Yes
	os2 driver map =
	mangling method = hash2
	mangle prefix = 1
	stat cache = Yes
	machine password timeout = 604800
	add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
	delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
	add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
	delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl -p '%g'
	add u
[Samba] Noob question about cached credentials
Can a Samba domain user log in successfully to a PC in the domain if the PC is not connected to the network? This assumes the user has logged on at some point in the past to get their credentials on the local PC, of course. Is this a "standard" feature of SAMBA (allowing cached credentials) or do you have to somehow trick Samba to allow this? I've looked in the Official Samba-3 and Samba by Example books but don't see any info on this. Googling this subject seems to show it works sometimes but could break depending on the version you run.

Thanks in advance
[Samba] Loading profile slow over a fast wan link
Logging on with XP, with our desktop profile across a 10 Mbps WAN, takes a LONG time to transfer even just 5 MB of profile data. Any suggestion on tweaks to speed this up would be greatly appreciated. Other protocols like ftp, rcp and scp are 10 to 20 times faster.

Regards
Douglas Phillipson
[Samba] Now that MS has to play nice...
Being that you SAMBA developers had to work so hard to reverse engineer the AD protocols, will there soon be improvements and more full-featured functionality in SAMBA now that you have access to more documentation? Is anything on the order of a fully featured AD clone in the works? Also, how do you dance around patented protocols? Can you still implement them? Do you have to avoid them? So is anything patented taboo functionality, never to be seen in SAMBA? Thanks for all your hard work over the years, guys. I hope it gets much easier now.

Doug P
[Samba] Bi directional trusts with server 2003
Is it possible to establish a two-way trust relationship between a SAMBA domain and a Win2003 AD domain such that users in the SAMBA domain can log on to machines in the W2003 domain and users in the Windows domain can log on to XP machines in the SAMBA domain? Is this a domain trust, a machine trust, both, or what?

Thanks
Doug P
[Samba] Security issues
We have a new Cyber Security professional on our staff who now says we can't use Samba for the following reasons:

    At this time any appearance that Samba-3 is capable of acting as a domain controller in native ADS mode is limited and experimental in nature. This functionality should not be used until the Samba Team offers formal support for it. At such a time, the documentation will be revised to duly reflect all configuration and management requirements.

    Samba can act as an NT4-style domain controller in a Windows 2000/XP environment. However, there are certain compromises:
    1) No machine policy files.
    2) No Group Policy Objects.
    3) No synchronously executed Active Directory logon scripts.
    4) Can't use Active Directory management tools to manage users and machines.
    5) Registry changes tattoo the main registry, while with Active Directory they do not leave permanent changes in effect.
    6) Without Active Directory you cannot perform the function of exporting specific applications to specific users or groups.

Are these all true? I don't care about item 4...

Thanks
Doug P
Re: [Samba] Preference of local or domain profile
Douglas Phillipson wrote:

With Samba v3.x and WinXP, if there is a local profile on the user's PC when the user logs on while hooked to a Samba DC, should the PC check for the DC profile's password prior to checking the local profile's password? I have a client PC, originally with no local profile; the user logs in to the Samba domain and his profile is downloaded to the PC. I have his group policy set so it won't delete the profile when he logs out, so he can remove his PC from the network and still use his domain account and password. The problem comes in when his domain password is changed and he re-attaches his PC to the domain. The PC appears to use the local profile rather than the domain for credentials. I thought if there was a domain controller the client PC should ALWAYS prefer the DC to a local profile. This occurs as it should with a Windows AD domain, but not with the Samba domain. Do I have some settings or policies set wrong? I hope I've explained this correctly...

Thanks
Doug P

I haven't seen any posts concerning this problem. Am I explaining my problem sufficiently well? This isn't a dumb question, is it?

Thanks
Doug P
[Samba] Preference of local or domain profile
With Samba v3.x and WinXP, if there is a local profile on the user's PC when the user logs on while hooked to a Samba DC, should the PC check for the DC profile's password prior to checking the local profile's password? I have a client PC, originally with no local profile; the user logs in to the Samba domain and his profile is downloaded to the PC. I have his group policy set so it won't delete the profile when he logs out, so he can remove his PC from the network and still use his domain account and password. The problem comes in when his domain password is changed and he re-attaches his PC to the domain. The PC appears to use the local profile rather than the domain for credentials. I thought if there was a domain controller the client PC should ALWAYS prefer the DC to a local profile. This occurs as it should with a Windows AD domain, but not with the Samba domain. Do I have some settings or policies set wrong? I hope I've explained this correctly...

Thanks
Doug P
[Samba] Changed the IP address of Samba server, can't logon
After changing the IP address of our Samba server (3.0.10), our users can't log on. We use LDAP authentication, which all worked fine for more than a year prior. The Samba log shows attempts as "guest" rather than the user's name. Also, logging in as root on an XP box translates to user guest, which is passed to LDAP and of course can't authenticate. I've removed the entries from wins.dat for all workstations and removed browse.dat from the DC. I've removed the PC from the domain and added it back, still the same problem. How and why is my username being translated to "guest"?

Thanks
Doug P
Re: [Samba] Outlook path to pst file is lost when using roaming profiles
Is nobody else losing their Outlook profile/path to the PST when using roaming profiles?

Doug P

Douglas Phillipson wrote:

We are having a problem getting the path to the Outlook PST file to move from machine to machine using roaming profiles (Samba 3.0.10 on RHEL 4). When a user logs off on one machine and logs on to another, the Outlook path to the PST file is gone. I found this message in the archive back in 2002 but I see no resolution for it:
http://lists.samba.org/archive/samba/2002-July/047507.html

Here is the text from that post:

Does anybody know how to manage roaming profiles with Outlook 2002? I have XP boxes with roaming profiles and all work fine. The only problem is that XP doesn't export the path where Outlook stores its .pst file. This is not the problem for the .pst file where Outlook stores contacts and so on. The path of the normal PST is on a network drive. But I have an IMAP mail account for every user, and if you configure Outlook for IMAP it creates another .pst file under the normal path ...Local Settings../Outlook/. I am not able to store this file under a different path, e.g. a network drive. I think that there are 2 ways for my problem:

1.) Show Outlook the path to a network drive for the IMAP PST as I did for the normal PST --> I don't know how.
2.) Export the whole Outlook path under Local Settings --> It works, but not for a long time: after you create an Outlook account for the first time, Outlook adds a registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon --> ExcludeProfileDirs. In this entry you can add directories of the roaming profile not to export --> because of that, the Outlook PST would not be exported with the roaming profile. If I delete this entry on all workstations under the default and the user profile of the registry it works for some time. But after some time, I don't know why, the entry is back in the registry to not export the Outlook folder.

Does anybody have an idea?

Regards
sven

Has anybody else seen this problem or found a resolution?

Thanks
Doug P
[Samba] Outlook path to pst file is lost when using roaming profiles
We are having a problem getting the path to the Outlook PST file to move from machine to machine using roaming profiles (Samba 3.0.10 on RHEL 4). When a user logs off on one machine and logs on to another, the Outlook path to the PST file is gone. I found this message in the archive back in 2002 but I see no resolution for it:
http://lists.samba.org/archive/samba/2002-July/047507.html

Here is the text from that post:

Does anybody know how to manage roaming profiles with Outlook 2002? I have XP boxes with roaming profiles and all work fine. The only problem is that XP doesn't export the path where Outlook stores its .pst file. This is not the problem for the .pst file where Outlook stores contacts and so on. The path of the normal PST is on a network drive. But I have an IMAP mail account for every user, and if you configure Outlook for IMAP it creates another .pst file under the normal path ...Local Settings../Outlook/. I am not able to store this file under a different path, e.g. a network drive. I think that there are 2 ways for my problem:

1.) Show Outlook the path to a network drive for the IMAP PST as I did for the normal PST --> I don't know how.
2.) Export the whole Outlook path under Local Settings --> It works, but not for a long time: after you create an Outlook account for the first time, Outlook adds a registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon --> ExcludeProfileDirs. In this entry you can add directories of the roaming profile not to export --> because of that, the Outlook PST would not be exported with the roaming profile. If I delete this entry on all workstations under the default and the user profile of the registry it works for some time. But after some time, I don't know why, the entry is back in the registry to not export the Outlook folder.

Does anybody have an idea?

Regards
sven

Has anybody else seen this problem or found a resolution?

Thanks
Doug P
[Samba] Are these still all the recommended settings for using roaming profiles?
I got these several years ago, but we are having problems with Outlook with roaming profiles, so I want to check and see if something new should be added to this list of mods for roaming profiles.

Go to Local Computer Policy -> Administrative Templates -> System -> Logon and enable:
1) Enable "Do not check for ownership of Roaming Profiles Folders"
2) Enable "Add the Administrators security group to roaming users profiles"
3) Enable "Delete cached copies of roaming profiles"
4) Enable "Wait for remote user profile"
5) Enable "Log users off when roaming profile fails"

Use regedit and search for the following two registry keys:
    RequireSignOrSeal  ValueType REG_DWORD = 4
    SignSecureChannel  ValueType REG_DWORD = 4
Change them to:
    RequireSignOrSeal  ValueType REG_DWORD = 0
    SignSecureChannel  ValueType REG_DWORD = 0

Thanks
Doug P
[Samba] Can Samba be used to push out updates and hotfixes
I have the Official Samba-3 and Samba-3 by Example books, although not the second edition copies. But I can't seem to find out how to push out patches and hotfixes with Samba. Is this not possible at this time? I don't have a lot of experience with Windows, but I am going to have to deal with this issue soon. I think I understand that pushing out policies is possible. Is Microsoft designing its OS intentionally to subvert what Samba can do?

Thanks
Doug P
[Samba] Is there a method to search the samba archives
I'd like to do some research prior to posting questions here, but all I see in the archives are monthly gzip'd files. Is there a single file in, say, mbox format I can grab, or is there another search/query mechanism I don't know about?

Thanks
Doug P
[Samba] High Availability with Samba and Heartbeat
Since I get so much from this list I thought I would share a project I've been working on and how it works with samba (3.0.1). It is Samba related so I hope it's not off topic. I've set up a HA solution with redundant Samba Domain Controllers throuth the "Heartbeat" package at: http://www.ultramonkey.org/download/heartbeat/1.1.3/redhat_9/ I have two "Redhat 9" Linux machines (A and B) configured as a HA cluster providing httpd, DNS, and Samba Domain and File services on a virtual IP of 192.168.0.45. Initially one of the machines, (A), is running those services (smb, named and httpd) and listening on the virtual IP, while the other, (B), watches a heartbeat from machine (A) through both a redundant ethernet and serial link. When both heartbeat lines are pulled or the power drops on machine (A), within 10 seconds machine (B) starts the httpd, dns and smbd/nmbd services and listens on the virtual IP. I have a third machine (C) running Win2000 as a client for those services. I can even login on the windows box, thus using Samba's Domain Authentication services from machine (A), and while logged on the domain, kill machine (A) and machine (B) takes over and when I log off the windows box my remote profile is saved on machine (B), no muss no fuss, all transparent to the client machine. The win2000 client can surf to the web services on the virtual IP and never know that a machine has died. When machine (A) comes back up it takes back over the services automatically. What this means is that a machine outage does NOT take our customers Domain Authentication out. All the services will fail over to a redundant machine automatically. I know for Samba there are BDC capabilities but this solution seems to cover all the internet services we use at once. I hope someone will get somethnig usefull from this. Has anyone else tried this with Samba? Here is a brief procedure (minus config files) for getting it working. 
Installed "libnet" from the src rpm:

    rpm -i libnet-1.1.0-1.rh.9.um.1.src.rpm
    cd /usr/src/redhat/SPECS
    rpmbuild -bb libnet.spec
    rpm -Uvh /usr/src/redhat/RPMS/i386/libnet-1.1.0-1.rh.9.um.1.i386.rpm

Installed heartbeat 1.1.3 from the src rpm:

    rpm -i heartbeat-1.1.3-1.rh.9.src.rpm
    cd /usr/src/redhat/SPECS
    rpmbuild -bb heartbeat.spec

The heartbeat src RPM contains several packages to install:

    rpm -Uvh /usr/src/redhat/RPMS/i386/heartbeat-pils-1.1.3-1.rh.9.i386.rpm
    rpm -Uvh /usr/src/redhat/RPMS/i386/heartbeat-stonith-1.1.3-1.rh.9.i386.rpm
    rpm -Uvh /usr/src/redhat/RPMS/i386/heartbeat-1.1.3-1.rh.9.i386.rpm

Configure NICs (virtual IP 192.168.0.45 is set in "haresources"):

    Machine A eth0 192.168.0.40
    Machine A eth1 10.0.0.1
    Machine B eth0 192.168.0.41
    Machine B eth1 10.0.0.2

Connect redundant NICs with a crossover Cat-5 cable. Connect serial ports with a null modem cable.

Edit HA config files in /etc/ha.d: ha.cf, haresources, authkeys.

Disable HA-managed services from running at boot time:

    chkconfig --level 23456 smb off
    chkconfig --level 23456 httpd off
    chkconfig --level 23456 named off

Duplicate Apache's documentroot (rsync). Duplicate Samba's domain stuff (copy smbpasswd to both machines). Duplicate DNS files.

Start the HA service or reboot both machines:

    /etc/init.d/heartbeat start

Regards Doug P
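Two checks on the pair that the procedure above leaves to the reader, added here as an example and not code from the post or from the Heartbeat or Samba projects. The first is the /etc/ha.d/authkeys entry: with `crc` the heartbeat carries a checksum but no authentication, so any host that can reach the heartbeat interface can announce node state; `md5` or `sha1` with a real shared key is what you want on anything other than a physically private cable. The second is the chkconfig step: a service that both Heartbeat and init start will come up on both nodes after a reboot and fight over the virtual IP. A third point the "copy smbpasswd" step does not cover: a Samba 3 PDC keeps its domain SID in secrets.tdb, and the standby must carry the same SID or the machine trust accounts and user SIDs will not match after a failover. All file contents below are constructed; the haresources line is the simple "node vip service..." form from the post, and MIN_KEY_LEN is an assumption of this example.

```python
"""Sanity checks for a Heartbeat 1.x failover pair that fronts Samba.

Added example, not code from the post or from the Heartbeat/Samba projects.
Sample file contents are constructed; MIN_KEY_LEN is an assumption.
"""

SAMPLE_AUTHKEYS_WEAK = """\
auth 1
1 crc
"""

SAMPLE_AUTHKEYS_OK = """\
auth 2
2 sha1 Yh3kq7PzR0vLm2Nc9xWbT4sG
"""

SAMPLE_HARESOURCES = "nodeA 192.168.0.45 named httpd smb\n"

# Constructed in the layout of `chkconfig --list` on Red Hat 9.
SAMPLE_CHKCONFIG = """\
smb             0:off   1:off   2:off   3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
named           0:off   1:off   2:off   3:off   4:off   5:off   6:off
heartbeat       0:off   1:off   2:on    3:on    4:on    5:on    6:off
"""

MIN_KEY_LEN = 16                      # assumption: shorter shared keys are flagged
HA_RUNLEVELS = {"2", "3", "4", "5"}   # runlevels the post disables the services in


def parse_authkeys(text):
    """Return (active_index, {index: (method, key)}) from an authkeys file."""
    active, methods = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "auth":
            active = int(parts[1])
        else:
            key = parts[2] if len(parts) > 2 else ""
            methods[int(parts[0])] = (parts[1].lower(), key)
    return active, methods


def authkeys_findings(text):
    """Problems that would let a peer on the heartbeat link forge node state."""
    active, methods = parse_authkeys(text)
    if active is None or active not in methods:
        return ["no usable 'auth N' selection"]
    method, key = methods[active]
    if method == "crc":
        return ["crc is a checksum, not authentication: use md5 or sha1 with a key"]
    if method not in ("md5", "sha1"):
        return ["unknown method %r" % method]
    if len(key) < MIN_KEY_LEN:
        return ["shared key shorter than %d characters" % MIN_KEY_LEN]
    return []


def parse_haresources(text):
    """Return (node, vip, [resource scripts]) from the simple one-line form."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            node, *items = line.split()
            vip = next((i for i in items if i.count(".") == 3), None)
            return node, vip, [i for i in items if i != vip]
    return None, None, []


def parse_chkconfig(text):
    """Return {service: set of runlevels in which it is 'on'}."""
    table = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2:
            continue
        on = set()
        for field in parts[1:]:
            level, _, state = field.partition(":")
            if state == "on":
                on.add(level)
        table[parts[0]] = on
    return table


def boot_conflicts(haresources_text, chkconfig_text):
    """Heartbeat-managed resources that init would also start on its own."""
    _, _, resources = parse_haresources(haresources_text)
    table = parse_chkconfig(chkconfig_text)
    return sorted(r for r in resources if table.get(r, set()) & HA_RUNLEVELS)
```

Run it against the real files on both nodes before the first failover test; a resource that `boot_conflicts` names is one that `chkconfig --level 23456 <name> off` has not yet been applied to on that node.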
[Samba] CUPS vs lprng
Could I get some opinions on which type of Samba based printing is easier, CUPS or LPRNG, or whether to just bypass Samba altogether? I'm looking at the Printing HOWTO by Kurt Pfeifle (Printing Support in Samba 3.0) and both look really complex. Anyone out there have any experience with printing services in Samba? Should I just stay away from Samba printing and go direct to network printers? What are the advantages of a Samba print server as opposed to installing printer drivers on the client and printing to a network printer? Any opinions are appreciated. Regards DSP
[Samba] Winbind seems to have hosed my roaming profiles
Winbind seems to have broken my roaming profiles. I have a 3.0.1Pre1 DC on RH AS 3.0 running with Win2000 SP4 clients logging in. Remote profiles worked well and then I added:

    winbind separator = +
    idmap uid = 1-2
    winbind gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    template homedir = /home/win2000/%D/%U
    template shell = /bin/bash

Added it to nsswitch.conf and started winbindd. The next time I logged in on a client, I got the message that it couldn't create my profile on the DC. I removed the existing profile from /home/profiles/ expecting it would recreate it but got the same message. As soon as I commented out the above entries everything went back to normal. I'd heard that winbind usually makes things better. What's happening here??? Should I have made my Samba and Linux users AFTER adding winbind? I'm still not sure winbind is applicable in my situation because I have NO other real MS Domain Controllers. Please advise...

Thanks DSP (Reading up more on winbind)
[Samba] Admin privileges for root in a samba domain on a win2000 box
Just an FYI for those that are interested. I found that to give admin privileges, in Windows, to Domain user "root", do this on the Samba Domain Controller:

    net groupmap modify ntgroup="Domain Admins" unixgroup=root

I can now install/remove software logged in as domain user "root" on Win2k. I've never seen this directly stated before and thought some newbies would like to know. (I'm still a Samba newbie poring through the docs and HOWTOs.) Thanks Samba team for a great piece of software!

Regards Doug P
[Samba] Winbind separator warning
When adding winbind entries in smb.conf and running testparm I get the following warning:

    'winbind separator = +' might cause problems with group membership.

"winbind separator = +" is used in the HOWTO (21.5.3.3). Is this OK? Or will I have problems? What is the separator for? What commands is it used with? I see some querying commands like wbinfo but are there commands that require one to use the separator as part of the command syntax? Basically, what problem is this warning referring to?

Second question: Should I only create Linux/Samba users after winbind is running? I don't think it should make a difference but I just want to make sure.

DSP
[Samba] Cups printing, domain group error, getting closer...
After realizing my CUPS printer name in /etc/cups/cupsd.conf must be the same as my Samba printer share name (I don't think it says that anywhere in any HOWTO, correct me if I'm wrong though) I am now getting to the printer resource but...

Using Samba 3.0.1 and attempting to connect to a Samba CUPS printer with Win2000 I am getting the following Samba error:

    Returning domain sid for domain TESTDOM -> S-1-5-21-4236639219-957987792-2344320348
    [2003/11/04 21:48:54, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2537)
    Returning domain sid for domain TESTDOM -> S-1-5-21-4236639219-957987792-2344320348
    [2003/11/04 21:48:54, 0] rpc_server/srv_util.c:get_domain_user_groups(371)
    get_domain_user_groups: primary gid of user [douglas] is not a Domain group !
    get_domain_user_groups: You should fix it, NT doesn't like that

The DC is a Samba machine and I am running winbind on it. Do I need to create a domain group through Samba or something?

Thanks DSP

smb.conf:

    [global]
    workgroup = TESTDOM
    netbios name = blue
    security = user
    server string = Samba Server
    winbind separator = +
    idmap uid = 1-2
    winbind gid = 1-2
    winbind enum users = yes
    winbind enum groups = yes
    printcap name = /etc/printcap
    load printers = yes
    log file = /var/log/samba.log
    log level = 2
    max log size = 5
    add machine script = /usr/sbin/useradd -n -g machines -c Machine -d /dev/null -s /bin/false %u
    add user script = /usr/sbin/useradd %u
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = Yes
    os level = 65
    domain master = yes
    preferred master = yes
    domain logons = yes
    admin users = root
    csc policy = disable
    logon script = logon.bat
    logon path = \\%L\profiles\%U
    logon drive = H:
    printer admin = root
    printing = cups
    printcap name = cups
    username map = /etc/maps

    [netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    guest ok = yes
    writable = no
    create mask = 0600
    directory mask = 0700
    ; share modes = no

    # Un-comment the following to provide a specific roving profile share
    # the default is to use the user's home directory
    [profiles]
    path = /home/profiles
    browseable = no
    guest ok = no
    create mask = 0600
    directory mask = 0700
    writable = yes

    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = yes
    # Set public = yes to allow user 'guest account' to print
    guest ok = yes
    writable = yes
    public = yes
    printable = yes
    printer admin = root, douglas

    [hp7xxx]
    comment = Printer with Restricted Access
    path = /var/spool/samba_my_printer
    printer admin = root, douglas
    browseable = yes
    printable = yes
    writeable = yes
    guest ok = yes
[Samba] Cups printing on Samba 3.0.1 from Win2000 SP4
I have a Samba based domain controller with a CUPS printer working fine. When I try to connect to a Samba printer from Win2000 I get the following in the Samba log:

    [2003/11/04 20:38:02, 0] printing/print_cups.c:cups_queue_get(889)
    Unable to get jobs for ipp://localhost/printers/goucho - client-error-not-found
    [2003/11/04 20:38:02, 0] smbd/service.c:set_admin_user(321)
    root logged in as admin user (root privileges)

Any clues are appreciated... Here are the relevant parts of my smb.conf:

    [global]
    workgroup = TESTDOM
    netbios name = blue
    security = user
    server string = Samba Server
    printcap name = /etc/printcap
    load printers = yes
    log file = /var/log/samba.log
    log level = 2
    max log size = 5
    add machine script = /usr/sbin/useradd -n -g machines -c Machine -d /dev/null -s /bin/false %u
    add user script = /usr/sbin/useradd %u
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = Yes
    os level = 65
    domain master = yes
    preferred master = yes
    domain logons = yes
    admin users = root
    csc policy = disable
    logon script = logon.bat
    logon path = \\%L\profiles\%U
    logon drive = H:
    printer admin = root
    printing = cups
    printcap name = cups

    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = yes
    # Set public = yes to allow user 'guest account' to print
    guest ok = yes
    writable = yes
    public = yes
    printable = yes
    printer admin = root, douglas
    # hosts allow = 0.0.0.0

    [goucho]
    comment = Printer with Restricted Access
    path = /var/spool/samba_my_printer
    printer admin = root, douglas
    browseable = yes
    printable = yes
    writeable = yes
    guest ok = yes
    username map = /etc/maps
[Samba] Samba printing, I just don't get it
I'm sorry for asking a really newbie question here. But I'm just missing something I guess. I've read the HOWTO for 3.0.0 and either I missed it or I just didn't understand it. I have 3.0.1Pre1 on RH 9 "Machine A" working as a domain controller with a Win2000 SP4 box. I made a USB local CUPS printer on RH 9 "Machine B". I made a remote CUPS printer on "A" that prints to "B" just fine. How do I get the Win2000 machine "C" to print to the printer on "B"? I can see the printer share from Win2000. I can't connect to it though; it says I have insufficient access. I try to create a "network" printer and use \\Machine A\dot but again insufficient access. I'm logged in as root on the Win2k box, in the TESTDOM domain. I also don't understand what parameter to put into smb.conf to actually print to the CUPS printer. What am I missing here? How do you add the printer from the Windows side? Or do you just connect to it?

My samba.log shows this when trying to connect:

    [2003/11/03 23:58:26, 0] smbd/service.c:set_admin_user(321)
    root logged in as admin user (root privileges)
    [2003/11/03 23:58:27, 0] printing/print_cups.c:cups_queue_get(889)
    Unable to get jobs for ipp://localhost/printers/dot - client-error-not-found

Here is my smb.conf for printing:

    [global]
    workgroup = TESTDOM
    netbios name = blue
    security = user
    server string = Samba Server
    printcap name = /etc/printcap
    load printers = yes
    log file = /var/log/samba.log
    log level = 2
    max log size = 5
    add machine script = /usr/sbin/useradd -n -g machines -c Machine -d /dev/null -s /bin/false %u
    add user script = /usr/sbin/useradd %u
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    local master = Yes
    os level = 65
    domain master = yes
    preferred master = yes
    domain logons = yes
    admin users = root
    csc policy = disable
    logon script = logon.bat
    logon path = \\%L\profiles\%U
    logon drive = H:
    printing = cups
    printcap name = cups

    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    # Set public = yes to allow user 'guest account' to print
    guest ok = yes
    writable = yes
    public = yes
    printable = yes
    printer admin = root, douglas

    [dot]
    comment = Printer with Restricted Access
    path = /var/spool/samba_my_printer
    printer admin = root, douglas
    browseable = yes
    printable = yes
    writeable = yes
    guest ok = yes
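The three printing posts above ("Cups printing, domain group error, getting closer...", "Cups printing on Samba 3.0.1 from Win2000 SP4" and this one) each carry a full smb.conf in which the printer shares combine `guest ok = yes` with `writable = yes`, and [global] sets `admin users = root`, which makes every connection by root run as the superuser on every share. An audit pass over such a file, added here as an example and not code from the posts or from Samba: the parser covers the smb.conf subset the posts use ([section] headers, `key = value` lines, `#` and `;` comments), treats `writable`, `writeable`, `write ok` and `read only` as one switch with `read only` winning when both are present (a simplification of Samba's last-one-wins rule), and reports the combinations a reviewer would want called out. The sample file is constructed from the posted configurations.

```python
"""Flag smb.conf shares whose settings grant more than their comments suggest.

Added example, not code from the posts or from Samba. The sample file below is
constructed from the configurations in the printing posts.
"""
import re

SAMPLE_SMB_CONF = """\
[global]
workgroup = TESTDOM
netbios name = blue
security = user
admin users = root
printer admin = root
domain logons = yes
printing = cups

[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = yes
writable = no

[profiles]
path = /home/profiles
browseable = no
guest ok = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
# Set public = yes to allow user 'guest account' to print
guest ok = yes
writable = yes
public = yes
printable = yes
printer admin = root, douglas

[goucho]
comment = Printer with Restricted Access
path = /var/spool/samba_my_printer
printer admin = root, douglas
printable = yes
writeable = yes
guest ok = yes
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; parameter names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def _yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def _names(value):
    return [n for n in re.split(r"[,\s]+", value or "") if n]


def share_is_writable(share):
    """Samba's default is read only = yes; the synonyms invert that switch."""
    if "read only" in share:
        return not _yes(share["read only"])
    return any(_yes(share.get(k)) for k in ("writable", "writeable", "write ok"))


def audit(sections):
    """Return [(section, finding)] for the risky combinations in the config."""
    findings = []
    if "root" in _names(sections.get("global", {}).get("admin users")):
        findings.append(("global", "admin users = root applies to every share: "
                                   "root's connections bypass UNIX permissions"))
    for name, share in sections.items():
        if name == "global":
            continue
        guest = _yes(share.get("guest ok")) or _yes(share.get("public"))
        if guest and _yes(share.get("printable")):
            findings.append((name, "anonymous printing: guest ok on a printable share"))
        elif guest and share_is_writable(share):
            findings.append((name, "guest-writable file share"))
        if "root" in _names(share.get("admin users")):
            findings.append((name, "admin users = root on this share"))
    return findings
```

On the sample, [netlogon] is not reported (guest but read-only) and [profiles] is not reported (writable but not guest); [global], [printers] and [goucho] are. Feed it the output of `testparm -s` rather than the raw file when includes or `copy =` are in play, since that prints the effective configuration.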
[Samba] Request for ACL experiences
I'm having trouble with ACLs and wonder how many others are too. I see conflicting answers and comments about different aspects of ACLs from many people on the list. I was wondering if ANYONE is successfully using ACLs with Samba 3.0 or above. Questions I have that I'm sure many are asking are:

Was your Samba server configured as the DC?
What client OS were you setting ACLs on the Samba share with? (Win2000, XP)
What service pack (SP4 on Win2000???)
Did you have to have the ACL kernel patch?
Did you need "nt acl support = yes" in each share definition?
How did you set up your shares? (Working share examples are good)
Did you have to use the "Server Tools" downloaded from Microsoft or could you simply right click on a file/folder and change the security ACLs?
How are you verifying the ACLs actually work? Did you fully test any ACL you set through Windows by actually trying to make a user access a file to see that his access matched the ACL you set?
What was the scope of what you could really do with ACLs?
What didn't work with ACLs that you thought should?
Are you comparing the Windows ACLs to the output of getfacl?
Could you use ACLs to add users to Samba printers?
How did you add Samba printers as Domain resources so you could add ACLs to them? Or did you need to do this?
Did you have to do any setfacl commands in Linux?
Did you have to run winbind?
Did you have to do any "net groupmap" commands to make ACLs work? I.e. net groupmap modify ntgroup="Domain Admins" unixgroup=root
Were there any commands/configurations you had to use to make ACLs work that were not covered in the 3.0 HOWTO?

I think we could use some real world working examples here. Please be VERY explicit and complete with concrete examples. Assume those reading your answers are NOT experts! If you see any missing questions that you think might be useful to using ACLs, please add them!

Regards Doug P
Re: [Samba] Samba Share ACLs
Please see ACL related questions below...

John H Terpstra wrote:
> On Wed, 29 Oct 2003 [EMAIL PROTECTED] wrote:
>> Hi all, I have already set up a Samba 3.0 with OpenLDAP as user repository. I have a question about share access controls. Chapter 13.1 of Samba-HOWTO-Collection describes:
>> Samba offers a lot of flexibility in file system access management. These are the key access control facilities present in Samba today: 1) UNIX File and Directory Permissions 2) Samba Share Definitions 3) Samba Share ACLs. Just like it is possible in MS Windows NT to set ACLs on shares themselves, so it is possible to do this in Samba. Few people make use of this facility, yet it remains one of the easiest ways to affect access controls (restrictions) and can often do so with minimum invasiveness compared with other methods. 4) MS Windows ACLs through UNIX POSIX ACLs
>> I have a question about Point 3 Samba Share ACLs. Do I need Linux file system ACLs in order to be able to define Samba Share ACLs?
> No, you do not! You need to use the Server Tools, or the Nexus package from Microsoft as documented in the HOWTO.

Are you saying here that you don't need the ACL patch in Linux to do ACLs?

>> If not I have problems to define ACLs on shares via Windows Explorer from a Windows XP Workstation. My environment:
> Using the files extracted from the SRVTOOLS.EXE installation, in particular the Server Manager, you must edit the permissions on the Shares themselves.
>> Samba 3.0 compiled --with-acl-support installed on Suse Linux Enterprise Server 8, OpenLDAP 2.1.4 as user repository. Samba 3.0 is configured as PDC. I can log from a Windows XP workstation in Samba Domain. I can connect to shares defined in smb.conf. All defined access controls in smb.conf work fine.
> You must log on as the Administrator for the Domain (root).
>> I try to set ACLs on following Share:
>>     [Test-Share]
>>     path=/home/Test-Share
>>     public = yes
>>     printable = no
>>     writeable = yes

Do you have to have "nt acl support = yes" in any share that will have its ACLs changed by the "server tools"?

> This is an example of setting share definition controls.
> - John T.
[Samba] Should I use winbind in this case
I can't seem to get an answer to this question... Should I use winbind if my Domain Controller is a Samba machine? Or is it only useful if my DC is a real MS DC and I have other Unix/Linux client machines? I'm strictly wanting to provide file and domain logon services to Win2000 machines via a Samba DC. There are no other DCs involved. After reading the 3.0 HOWTO on winbind all I see are references to winbind helping Linux/Unix resolve usernames from a Windows DC. If I'm using a Linux/Samba box as the DC I don't need this for my Win2000 users, in a domain on the Samba DC, to gain access to shares, right? Would winbind help me in any other way in trying to use ACLs? Regards Doug P
[Samba] Should I use Winbind if my DC is Samba?
Should I use winbind if my Domain Controller is a samba machine? Or is it only useful if my DC is a real MS DC? Regards Doug P
[Samba] Found a ACL howto but...
I found a howto on ACL's but it assumes the following: At this time, this document is not 100% complete. I have assumed you are joining to a Windows 2000 domain which is using Active Directory, you aren't trying to use Samba as a domain controller, and that you're using ext2 or ext3 on Linux. How would this procedure have to be changed if I was using Samba as the DC? http://www.bluelightning.org/linux/samba_acl_howto/ Regards Doug P
[Samba] How do I add a printer as a samba domain resource
With NT4 I grant users access to printers via the security tab on the printer. How do I add a printer as a domain resource, with Samba, that I can then grant domain users access to through Windows? (Using Samba 3.0.1Pre1 as a DC) Thanks Doug P
[Samba] How do I add a printer as a domain resource
With NT4 I grant users access to printers via the security tab on the printer. How do I add a printer as a domain resource, with Samba, that I can then grant domain users access to? (Using Samba 3.0.1Pre1) Thanks Doug P
[Samba] ACL's vs Share definitions (Trying again)
I have the Win2000 client(s) in a Samba domain. Domain authentication works fine, my "homes" share works fine, remote profiles work fine. Using 3.0.1Pre1 I would like to add people to "someshare" through the Security tab, and control their access through Windows ACLs. How should I set up a share as a basis for doing this? The share below (someshare) in this email doesn't work, although I get no error when adding another user to the share through the security tab in Windows, and the ACLs on the Linux side get added. The newly added user, added via "Properties->Security", does not have permission to write to the share. Do the "read list", "write list" and other similar parameters take precedence over an ACL set through Windows? If the share definition overrides all the ACLs, what good are ACLs? Am I not using them properly? How should I set up a share with minimal rights so an administrator can grant users access to the share through Windows ACLs?

Does winbind offer any advantages to me if no other DCs are involved? I have one Samba 3.0.1 DC with several Win2000 PCs as a testbed. I'm trying to really scope out what ACLs do for me. I've read the section on winbind; according to the "Target Uses" section winbind would be good for adding Linux machines to an existing NT network. I will have no existing NT machines or domains, so what does winbind offer me and do I need to run it anyway?

On my NT4 box we grant access to printers through the Security tab on the printer, adding the user to the printer. Is this possible with ACLs as they exist now with Samba and the ACL patch? If so, how would you add a printer as a domain resource to do this, again through Windows? Or does it have to be added (if it can be added) on the Linux side? If on the Linux side, how do you add/create a domain printer? Is the printer in the domain simply by being in the smb.conf file? I don't see my printer as a resource, domain or other, to choose from in the security tab from within Windows.

I did read the April 21 2003 version of the HOWTO and these things were not clear to me. After I figure them out I would be happy to give you some verbiage if you would care to have it. Thanks again Samba folks. Doug P

(Previous reference below)

I'm really struggling with ACLs and permissions. I have a share owned by a user (douglas). Douglas can read, write and create on the share:

    [someshare]
    comment = Public Stuff
    path = /home/samba/pub
    nt acl support = yes
    public = yes
    admin users = douglas
    write list = douglas

I'm logged in to Win2000 as douglas. Through the security tab on Win2000 I add read and write permission to the top level share called public (but it's not really public) for "terry". I see terry in the list and everything seems to go OK in setting it. Then I log off and log in as terry. Terry has no write access to the share. What takes precedence? The share definition in smb.conf or settings through the security tab in Windows, which should be the ACLs? Does adding a user through the security tab effectively add another user to the "write list"? If so, it isn't. What am I doing wrong?

Here are the Linux permissions:

    ls -ld /home/samba/pub
    drwxrwxrwt 3 douglas douglas 4096 2003-10-20 22:18 /home/samba/pub

Here are the ACLs from Linux:

    getfacl -R --skip-base /home/samba/pub
    getfacl: Removing leading '/' from absolute path names
    # file: home/samba/pub
    # owner: douglas
    # group: douglas
    user::rwx
    user:terry:rwx
    group::r-x
    mask::rwx
    other::rwx
    default:user::rwx
    default:user:terry:rwx      <<<<< Shouldn't terry have rwx access according to this?
    default:group::---
    default:mask::rwx
    default:other::---
Re: [Samba] ACL's and permissions
After looking at my own post, I see I need to tweak my questions.

I have the Win2000 client(s) in a Samba domain. Domain authentication works fine, my "homes" share works fine, remote profiles work fine. Using 3.0.1Pre1 I would like to add people to "someshare" through the Security tab, and control their access through Windows ACLs. How should I set up a share as a basis for doing this? The share below (someshare) in this email doesn't work, although I get no error when adding another user to the share through the security tab in Windows, and the ACLs on the Linux side get added. The newly added user does not have permission to write to the share. Do the "read list", "write list" and other similar parameters take precedence over an ACL set through Windows? If the share definition overrides all the ACLs, what good are ACLs? Am I not using them properly? How should I set up a share with minimal rights so an administrator can grant users access to the share through Windows ACLs?

Does winbind offer any advantages to me if no other DCs are involved? I have one Samba 3.0.1 DC with several Win2000 PCs as a testbed. I'm trying to really scope out what ACLs do for me. I've read the section on winbind; according to the "Target Uses" section winbind would be good for adding Linux machines to an existing NT network. I will have no existing NT machines or domains, so what does winbind offer me and do I need to run it anyway?

On my NT4 box we grant access to printers through the Security tab on the printer, adding the user to the printer. Is this possible with ACLs as they exist now with Samba and the ACL patch? If so, how would you add a printer as a domain resource to do this, again through Windows? Or does it have to be added (if it can be added) on the Linux side? If on the Linux side, how do you add/create a domain printer? Is the printer in the domain simply by being in the smb.conf file? I don't see my printer as a resource, domain or other, to choose from in the security tab from within Windows.

I did read the April 21 2003 version of the HOWTO and these things were not clear to me. After I figure them out I would be happy to give you some verbiage if you would care to have it. Thanks again Samba folks. Doug P

Douglas Phillipson wrote:
> I'm really struggling with ACLs and permissions. I have a share owned by a user (douglas). Douglas can read, write and create on the share:
>
>     [someshare]
>     comment = Public Stuff
>     path = /home/samba/pub
>     nt acl support = yes
>     public = yes
>     admin users = douglas
>     write list = douglas
>
> I'm logged in to Win2000 as douglas. Through the security tab on Win2000 I add read and write permission to the top level share called public (but it's not really public) for "terry". I see terry in the list and everything seems to go OK in setting it. Then I log off and log in as terry. Terry has no write access to the share. What takes precedence? The share definition in smb.conf or settings through the security tab in Windows, which should be the ACLs? Does adding a user through the security tab effectively add another user to the "write list"? If so, it isn't. What am I doing wrong?
>
> Here are the Linux permissions:
>
>     ls -ld /home/samba/pub
>     drwxrwxrwt 3 douglas douglas 4096 2003-10-20 22:18 /home/samba/pub
>
> Here are the ACLs from Linux:
>
>     getfacl -R --skip-base /home/samba/pub
>     getfacl: Removing leading '/' from absolute path names
>     # file: home/samba/pub
>     # owner: douglas
>     # group: douglas
>     user::rwx
>     user:terry:rwx
>     group::r-x
>     mask::rwx
>     other::rwx
>     default:user::rwx
>     default:user:terry:rwx      <<<<< Shouldn't terry have rwx access according to this?
>     default:group::---
>     default:mask::rwx
>     default:other::---
[Samba] ACL's and permissions
I'm really struggling with ACLs and permissions. I have a share owned by a user (douglas). Douglas can read, write and create on the share:

    [public]
    comment = Public Stuff
    path = /home/samba/pub
    nt acl support = yes
    public = yes
    admin users = douglas
    write list = douglas

I'm logged in to Win2000 as douglas. Through the security tab on Win2000 I add read and write permission to the top level share called public (but it's not really public) for "terry". I see terry in the list and everything seems to go OK in setting it. Then I log off and log in as terry. Terry has no write access to the share. What takes precedence? The share definition in smb.conf or settings through the security tab in Windows, which should be the ACLs? Does adding a user through the security tab effectively add another user to the "write list"? If so, it isn't. What am I doing wrong?

Here are the Linux permissions:

    ls -ld /home/samba/pub
    drwxrwxrwt 3 douglas douglas 4096 2003-10-20 22:18 /home/samba/pub

Here are the ACLs from Linux:

    getfacl -R --skip-base /home/samba/pub
    getfacl: Removing leading '/' from absolute path names
    # file: home/samba/pub
    # owner: douglas
    # group: douglas
    user::rwx
    user:terry:rwx
    group::r-x
    mask::rwx
    other::rwx
    default:user::rwx
    default:user:terry:rwx      <<<<< Shouldn't terry have rwx access according to this?
    default:group::---
    default:mask::rwx
    default:other::---
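The same `getfacl` listing appears in this post and in the two reposts of it above ("ACL's vs Share definitions (Trying again)" and "Re: ACL's and permissions"). How the kernel evaluates it, as an added example that is not code from the posts or from Samba: POSIX.1e checks the owner entry first, then a named user entry, then the owning and named group entries, then other, and the mask caps every entry except owner and other. On the listing as posted, `user:terry:rwx` passes through `mask::rwx` untouched, so the filesystem does grant terry write access. What stops the write is the share definition: none of the three shares sets `writeable = yes`, so Samba's default `read only = yes` applies and only the `write list` members can write, whatever the file ACL says. The second listing is constructed to show what a `chmod g-w` on the directory does to the named-user entry: on a file with an extended ACL the group bits of the mode are the mask, so the chmod silently caps terry too.

```python
"""Evaluate a POSIX.1e ACL the way the kernel does.

Added example, not code from the posts or from Samba. The first sample is the
`getfacl` listing from the post; the second is constructed to show the effect
of a restrictive mask entry.
"""
from collections import namedtuple

SAMPLE_GETFACL = """\
# file: home/samba/pub
# owner: douglas
# group: douglas
user::rwx
user:terry:rwx
group::r-x
mask::rwx
other::rwx
default:user::rwx
default:user:terry:rwx
default:group::---
default:mask::rwx
default:other::---
"""

# Constructed: the same directory after `chmod g-w,o-w`, which rewrites the mask.
SAMPLE_GETFACL_MASKED = """\
# file: home/samba/pub
# owner: douglas
# group: douglas
user::rwx
user:terry:rwx
group::r-x
mask::r-x
other::r-x
"""

Acl = namedtuple("Acl", "path owner group access default")


def _perms(text):
    return frozenset(c for c in text if c in "rwx")


def parse_getfacl(text):
    """Return an Acl; access and default hold (tag, qualifier, perms) entries."""
    path = owner = group = None
    access, default = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition(":")
            value = value.strip()
            if key == "file":
                path = value
            elif key == "owner":
                owner = value
            elif key == "group":
                group = value
            continue
        target = access
        if line.startswith("default:"):
            line = line[len("default:"):]
            target = default
        tag, qualifier, perms = line.split(":", 2)
        target.append((tag, qualifier, _perms(perms)))
    return Acl(path, owner, group, access, default)


def check_access(acl, user, groups, requested):
    """True if `user` (member of `groups`) gets all of `requested`, e.g. "rw"."""
    want = _perms(requested)
    entries = acl.access
    mask = next((p for t, _, p in entries if t == "mask"), None)
    masked = (lambda p: p & mask) if mask is not None else (lambda p: p)
    # 1. File owner: the user:: entry applies and the mask does not.
    if user == acl.owner:
        return want <= next(p for t, q, p in entries if t == "user" and q == "")
    # 2. Named user entry, through the mask.
    for t, q, p in entries:
        if t == "user" and q == user:
            return want <= masked(p)
    # 3. Owning group and named groups: one matching entry must grant everything
    #    requested; a matching entry that does not grant blocks fall-through.
    candidates = [masked(p) for t, q, p in entries
                  if t == "group" and (acl.group if q == "" else q) in groups]
    if candidates:
        return any(want <= p for p in candidates)
    # 4. Everyone else.
    return want <= next(p for t, _, p in entries if t == "other")
```

The group step is the one people trip over: a user whose group matches `group::r-x` is refused write even though `other::rwx` would have allowed it, because a matching group entry ends the search. `getfacl` shows the mask's effect as an `#effective:` comment next to each capped entry; this code reproduces the arithmetic behind that comment.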
[Samba] domain groups
I have ACLs enabled and am getting a new error in the Samba log (V 3.0.1Pre1) when attempting to set permissions on a file through Win2000:

    get_domain_user_groups: primary gid of user [terry] is not a Domain group !
    get_domain_user_groups: You should fix it, NT doesn't like that

Do I need to create a group on the Windows (2000) side? The entries in the domaingroup.map don't do this? Please be verbose in answering. A couple of good examples wouldn't hurt either.

I have a domain group map:

    domain group map = /etc/samba/domaingroup.map

Contents of this map are:

    domuser = "Domain User"
    domadmin = "Domain Admin"

I have terry in /etc/group and passwd as such:

    /etc/passwd:
    terry:x:505:1::/home/terry:/bin/bash

    /etc/group:
    domuser:x:1:terry,phillipd

Thank you very much Doug P
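This post and two earlier ones ("Admin privileges for root in a samba domain on a win2000 box" and the "primary gid of user [douglas] is not a Domain group" log in "Cups printing, domain group error") touch the same mechanism. Samba 3.0 keeps its NT-to-UNIX group mappings in the `net groupmap` table, not in a map file, and looks the user's UNIX primary group up there when it builds the NT token; a primary gid with no mapping is what produces the log line quoted above. The other direction matters too: `net groupmap modify ntgroup="Domain Admins" unixgroup=root` makes every account whose primary or supplementary group is gid 0 a domain administrator, and gives Domain Admins gid 0 on the server, which is why a dedicated UNIX group (the HOWTO's `domadmin`) is the usual choice. A cross-check of the three sources, added here as an example and not code from the posts or from Samba: the `net groupmap list` line format assumed is "NT name (SID) -> unixgroup", and all sample data is constructed (the SID is the one from the printing post, the accounts from this one).

```python
"""Cross-check Samba 3 group mappings against the UNIX account database.

Added example, not code from the posts or from Samba. The `net groupmap list`
layout assumed is "NT name (SID) -> unixgroup"; all sample data is constructed.
"""
import re

SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-4236639219-957987792-2344320348-512) -> root
Domain Users (S-1-5-21-4236639219-957987792-2344320348-513) -> domuser
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
douglas:x:500:500::/home/douglas:/bin/bash
terry:x:505:1::/home/terry:/bin/bash
phillipd:x:506:1::/home/phillipd:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
domuser:x:1:terry,phillipd
douglas:x:500:
"""

GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return [(nt_name, rid, unix_group)]; the RID is the SID's last component."""
    rows = []
    for raw in text.splitlines():
        m = GROUPMAP_RE.match(raw.strip())
        if m:
            rid = int(m.group("sid").rsplit("-", 1)[1])
            rows.append((m.group("nt"), rid, m.group("unix")))
    return rows


def parse_passwd(text):
    """Return {user: primary_gid}."""
    out = {}
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) >= 4:
            out[fields[0]] = int(fields[3])
    return out


def parse_group(text):
    """Return {gid: (name, [members])}."""
    out = {}
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) >= 4:
            members = [m.strip() for m in fields[3].split(",") if m.strip()]
            out[int(fields[2])] = (fields[0], members)
    return out


def unmapped_primary_groups(passwd, group_db, mappings):
    """Users whose primary UNIX group has no NT mapping (the error in the log)."""
    mapped = {unix for _, _, unix in mappings}
    return sorted(user for user, gid in passwd.items()
                  if group_db.get(gid, ("", []))[0] not in mapped)


def gid0_mappings(mappings, group_db):
    """NT groups mapped onto the gid 0 group: membership there is domain-wide power."""
    gid0_name = group_db.get(0, ("root", []))[0]
    return [(nt, rid) for nt, rid, unix in mappings if unix == gid0_name]


def report(groupmap_text, passwd_text, group_text):
    mappings = parse_groupmap(groupmap_text)
    passwd = parse_passwd(passwd_text)
    group_db = parse_group(group_text)
    return {
        "unmapped_primary_gid": unmapped_primary_groups(passwd, group_db, mappings),
        "mapped_to_gid0": gid0_mappings(mappings, group_db),
    }
```

Against the sample, douglas is the only user whose primary group (his private group, gid 500) has no mapping, which matches the "[douglas]" log line in the printing post; terry and phillipd are fine because gid 1 (domuser) is mapped to Domain Users. Feed it `net groupmap list`, `getent passwd` and `getent group` on the DC to run it for real.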
Re: [Samba] is there a way to enforce a single domain wide login
If I put a preexec script in the [profiles] share that touches a file in the user's home dir, then removes it with a postexec script, I can enforce a domain wide single login. That is, for about 1 minute. What appears to be happening is the share has a timeout feature that disconnects after about 1 minute and then calls the postexec script, which removes the file required to determine if that user is currently logged on. I tried using the "deadtime = 0" attribute but it still times out and runs the postexec script. Any suggestions are appreciated... DSP
[Samba] preexec scripts allowing logon under all conditions in 3.0.1
In an attempt to enforce a single login domain wide, I think preexec scripts will work, but when I test a script that returns a "1" the log says I get denied yet I still get logged in. Here is the info:

    [netlogon]
    comment = Network Logon Service
    preexec close = yes
    root preexec close = yes
    preexec = /home/profiles/test.sh
    root preexec = /home/profiles/test.sh
    # root preexec = csh -c 'if [ -f /home/%u/.loggedon ] exit 0'
    path = /home/netlogon
    guest ok = no
    writable = no
    create mask = 0600
    directory mask = 0700

The script test.sh is just:

    #!/bin/sh
    #
    exit 1

The Samba log says:

    root preexec gave 1 - connection failing
    Closed connection to service netlogon

But I still get logged on. If I change the "1" to a "4" I get:

    root preexec gave 4 - connection failing
    Closed connection to service netlogon

But I still get logged on. If I change the "1" to a "0" I get no entry in the log and get logged on. The parameter appears to be acknowledged but won't prevent a logon. Any suggestions would be appreciated.

Regards DSP
Re: [Samba] Is there a way to enforce a single login domain wide
I'm trying a root preexec = some script. The script is:

    #!/bin/sh
    #
    exit 1

In the samba log it says:

    root preexec gave 1 - connection failing
    Closed connection to service netlogon

But I still get logged on. If I change the "1" to a "4" I get:

    root preexec gave 4 - connection failing
    Closed connection to service netlogon

If I change the "1" to a "0" I get no entry in the log and get logged on. The parameter appears to be acknowledged but won't prevent a logon. Any suggestions would be appreciated.

DSP

Gémes Géza wrote:
> Douglas Phillipson wrote:
> > I just tested the process/uid check theory. Upon initial login the new smbd process is owned by the user, but with no activity on any shares it switches to being owned by root in a minute. I guess I could use a script to touch a file with the user's login name or uid and just check for that upon login and remove it on logout...
> >
> > Anyone have any better ideas?
> >
> > DSP
> >
> > Gémes Géza wrote:
> > > I.M.H.O.
> > >
> > > you could write a root preexec script for your netlogon share, which would check for a running smbd with the uid of the connection, and return an error if there is such. And specifying root preexec close = yes on the netlogon share, you could deny them.
> > > The danger is that because of blocked clients you would get lots of frustrated clients.
> > >
> > > Good Luck!
> > >
> > > Geza Gemes
> > >
> > > John H Terpstra wrote:
> > > > On Mon, 13 Oct 2003, Douglas Phillipson wrote:
> > > > > I didn't get any hits on this. Does that mean it's not possible??? Has anyone enforced a "single instance" login policy somehow? Is this a reasonable question to ask?
> > > >
> > > > This is not possible. There is no way to do this with MS Windows 200x server - and there is no way to do this with Samba.
> > > >
> > > > - John T.
> > > >
> > > > > DSP
> > > > >
> > > > > Douglas Phillipson wrote:
> > > > > > I would like to enforce a policy for a user being only able to login once anywhere in the Domain. When you use roaming profiles, the system gets confused and leaves the local profile on the client PC if the same user logs in on a second machine while they are still logged in on the first one. This then causes the Samba profile to NOT get updated on logout. If a user is currently logged on a domain, I need that user to be refused if they logon to a second machine until they logoff the first machine. Is this possible with Samba, or would I use some sort of logon script to query something and force the user off at their second login attempt? When this problem occurs you have to reboot the machine and remove the user's local profile so it will again use the roaming profile on the samba DC. Very irritating...
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > DSP
>
> Maybe if you would try to filter smbstatus output in your root preexec instead of ps-ing for smbd-s? In my samba 3.0.1pre1 smbstatus gave me the correct username after about an hour of inactivity.
>
> Good Luck!
>
> Geza Gemes
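The check discussed in the two "root preexec" posts above, written out as an added example (not Doug's test.sh and not anything from the Samba project): it follows Geza's suggestion of filtering smbstatus output rather than process owners. The smb.conf wiring, the script path, the %U/%m arguments and the sample listing are assumptions made here, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread.  Assumed smb.conf wiring for [netlogon]:
#   root preexec       = /usr/local/sbin/single_login.sh %U %m
#   root preexec close = yes
# %U is the session username and %m the client NetBIOS name.  A non-zero exit
# makes smbd refuse the netlogon connection; as the thread reports, that by
# itself does not stop the Windows logon from completing.

# Constructed "smbstatus -b" listing (Samba 3.x brief format: PID, Username,
# Group, Machine) used by the stand-alone demo below.
SAMPLE_STATUS='Samba version 3.0.33
PID     Username      Group         Machine
-------------------------------------------------------------------
 2101   doug          users         pc1          (192.168.1.10)
 2102   alice         users         pc2          (192.168.1.11)'

# other_session_exists USER CLIENT: reads a brief smbstatus listing on stdin,
# returns 0 when USER has an smbd process whose Machine column is not CLIENT.
# Header and separator lines never match because field 2 is not a username.
other_session_exists() {
    awk -v u="$1" -v c="$2" '
        $2 == u && $4 != c { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# single_login_allowed USER CLIENT: 0 if USER may connect from CLIENT, 1 if a
# session from another machine is already open.  If smbstatus is missing or
# fails, awk sees no input and the check fails open (logon allowed).
single_login_allowed() {
    if smbstatus -b 2>/dev/null | other_session_exists "$1" "$2"; then
        return 1
    fi
    return 0
}

# demo USER CLIENT: the same decision on the constructed listing, so the logic
# can be exercised without a running smbd.  Prints and returns the decision.
demo() {
    if printf '%s\n' "$SAMPLE_STATUS" | other_session_exists "$1" "$2"; then
        echo "deny: $1 already connected from another machine"; return 1
    fi
    echo "allow: $1 from $2"; return 0
}

# Act as the preexec only when smbd passes the two substituted arguments.
if [ $# -eq 2 ]; then
    single_login_allowed "$1" "$2" || {
        logger -t single_login "refusing second session for $1 from $2"
        exit 1
    }
fi
```

Stale smbstatus entries from crashed clients would keep denying a user until they age out, which is the "frustrated clients" risk Geza mentions.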
[Samba] If you install Samba via an rpm how do you tell what options are compiled in?
I think I need "with-acl-support" in Samba 3.0.1 but am unsure if it is compiled in. How would I be able to tell if installed via RPM?

Thanks
DSP
Re: [Samba] Is there a way to enforce a single login domain wide
I just tested the process/uid check theory. Upon initial login the new smbd process is owned by the user, but with no activity on any shares it switches to being owned by root in a minute. I guess I could use a script to touch a file with the user's login name or uid and just check for that upon login and remove it on logout...

Anyone have any better ideas?

DSP

Gémes Géza wrote:
> I.M.H.O.
>
> you could write a root preexec script for your netlogon share, which would check for a running smbd with the uid of the connection, and return an error if there is such. And specifying root preexec close = yes on the netlogon share, you could deny them.
> The danger is that because of blocked clients you would get lots of frustrated clients.
>
> Good Luck!
>
> Geza Gemes
>
> John H Terpstra wrote:
> > On Mon, 13 Oct 2003, Douglas Phillipson wrote:
> > > I didn't get any hits on this. Does that mean it's not possible??? Has anyone enforced a "single instance" login policy somehow? Is this a reasonable question to ask?
> >
> > This is not possible. There is no way to do this with MS Windows 200x server - and there is no way to do this with Samba.
> >
> > - John T.
> >
> > > DSP
> > >
> > > Douglas Phillipson wrote:
> > > > I would like to enforce a policy for a user being only able to login once anywhere in the Domain. When you use roaming profiles, the system gets confused and leaves the local profile on the client PC if the same user logs in on a second machine while they are still logged in on the first one. This then causes the Samba profile to NOT get updated on logout. If a user is currently logged on a domain, I need that user to be refused if they logon to a second machine until they logoff the first machine. Is this possible with Samba, or would I use some sort of logon script to query something and force the user off at their second login attempt? When this problem occurs you have to reboot the machine and remove the user's local profile so it will again use the roaming profile on the samba DC. Very irritating...
> > > >
> > > > Thanks
> > > >
> > > > DSP
[Samba] Is there a way to enforce a single login domain wide
I didn't get any hits on this. Does that mean it's not possible??? Has anyone enforced a "single instance" login policy somehow? Is this a reasonable question to ask?

DSP

Douglas Phillipson wrote:
> I would like to enforce a policy for a user being only able to login once anywhere in the Domain. When you use roaming profiles, the system gets confused and leaves the local profile on the client PC if the same user logs in on a second machine while they are still logged in on the first one. This then causes the Samba profile to NOT get updated on logout. If a user is currently logged on a domain, I need that user to be refused if they logon to a second machine until they logoff the first machine. Is this possible with Samba, or would I use some sort of logon script to query something and force the user off at their second login attempt? When this problem occurs you have to reboot the machine and remove the user's local profile so it will again use the roaming profile on the samba DC. Very irritating...
>
> Thanks
>
> DSP
[Samba] Is there a way to enforce a single login domain wide
I would like to enforce a policy for a user being only able to login once anywhere in the Domain. When you use roaming profiles, the system gets confused and leaves the local profile on the client PC if the same user logs in on a second machine while they are still logged in on the first one. This then causes the Samba profile to NOT get updated on logout. If a user is currently logged on a domain, I need that user to be refused if they logon to a second machine until they logoff the first machine. Is this possible with Samba, or would I use some sort of logon script to query something and force the user off at their second login attempt? When this problem occurs you have to reboot the machine and remove the user's local profile so it will again use the roaming profile on the samba DC. Very irritating...

Thanks
DSP
[Samba] [Samba] Can't do roaming profiles (Solved)
Through much help from a guy in my local LUG I found the solution to making roaming profiles work on Win2000 (SP4).

1) You should have SP4 installed.

2) Two registry changes are needed: use regedit and change the following two dword attributes to 0:
   "requiresignorseal"
   "signsecurechannel"

3) Run the group policy editor "gpedit.msc" and enable the following 4 policies under Computer Configuration->Administrative Templates->System->Logon:
   "Do not check for ownership of Roaming Profiles Folders"
   "Add the Administrators security group to roaming users profiles"
   "Wait for remote user profile"
   "Delete cached copies of roaming profiles"

Create the Linux user. Create the Samba user. Logon as the user on Windows; it will fail, but create the user's profile dir on the Samba PDC. It will NOT create a full profile on the PDC, but will on the Win client. Copy a "default" profile and all the associated directories to the user's profile dir on the Samba PDC. Reboot the client to release the lock on the user's local copy of ntuser.dat, log in as administrator and delete the user's local profile copy on the PC. Log back in as the user and the remote profile will be copied down from the samba server to the client. When logging out, the samba user's profile will be updated to the PDC and then removed from the client PC.

This works for me, I hope it does for everyone else...

Regards
Doug P

---
> I need a little advice on finishing off a Samba PDC. I have Samba 3.0.0RC1 installed and working as a PDC on a Redhat AS 3.0 machine. It authenticates users nicely but the "roaming" profiles don't work. Tailing the samba log, I see an attempt to access the user's ntuser.dat file, which doesn't exist before the first logon, when logging in. The profile directory (/home/profiles/ DOES get created by samba when the user logs in. When the user logs off, there is no reference in the log that ntuser.dat is being written with the user's updated profile. In fact the ntuser.dat file is not created on the samba server. If I "touch ntuser.dat" in the profile directory on the samba PDC, then log in on a Win2000 client PC, I get a message saying the ntuser.dat file is not the proper format, so I know the "profiles" share and "logon path" are correct. But the profile will not update on the PDC. My Win2000 is SP2, and I tried SP4 also. I looked on the client PC and the profile is a "roaming" profile. Also the "add user script" doesn't work, I have to add the users by hand (with the same script). Here is my smb.conf file, any help is greatly appreciated...
>
> Regards and thanks for a great program!
> Doug P
-
# Global parameters
[global]
    workgroup = TESTDOM
    server string = Samba Server
    update encrypted = Yes
    client lanman auth = No
    client plaintext auth = No
    log level = 4
    log file = /var/log/samba.log
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
    logon path = \\%L\profiles\%U
    logon drive = H:
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    ldap ssl = no
    preload = homes

[homes]
    comment = Home Directories
    path = /home/%S
    read only = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

[software]
    path = /home/software
    read only = No

[netlogon]
    path = /home/scripts
    browseable = No

[profiles]
    path = /home/profiles
    read only = No
    writable = yes
    create mask = 0600
    directory mask = 0700
    profile acls = Yes
    browseable = No
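The server-side part of the recipe above (copy a default profile into the user's directory on the Samba PDC), as an added example that is not Doug's procedure or a Samba tool: it also applies the [profiles] share's create mask 0600 / directory mask 0700 to the copied tree and checks that nothing in it is readable by anyone but the owner. PROFILE_ROOT, DEFAULT_PROFILE and the function names are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the post.  Assumed layout: PROFILE_ROOT is the
# [profiles] share path and DEFAULT_PROFILE a directory holding a known-good
# NTUSER.DAT plus the usual profile subdirectories.
PROFILE_ROOT="${PROFILE_ROOT:-/home/profiles}"
DEFAULT_PROFILE="${DEFAULT_PROFILE:-/home/profiles/default}"

# provision_profile USER: create $PROFILE_ROOT/USER from the default profile.
# Returns 2 if the default profile is missing, 1 if USER already has a profile
# (a live profile is never overwritten), 0 on success with NTUSER.DAT in place.
provision_profile() {
    user="$1"
    dest="$PROFILE_ROOT/$user"
    if [ ! -d "$DEFAULT_PROFILE" ]; then
        echo "no default profile at $DEFAULT_PROFILE" >&2; return 2
    fi
    if [ -e "$dest" ]; then
        echo "profile for $user already exists, not touching it" >&2; return 1
    fi
    mkdir -p "$dest"
    cp -R "$DEFAULT_PROFILE/." "$dest/"
    # The share masks only govern files Windows creates later; apply the same
    # modes to the copied tree so the registry hive is owner-readable only.
    find "$dest" -type d -exec chmod 0700 {} +
    find "$dest" -type f -exec chmod 0600 {} +
    # Ownership needs root and an existing Unix account (the "create the Linux
    # user" step); skipped otherwise so the script also runs in a sandbox.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user" "$dest"
    fi
    [ -f "$dest/NTUSER.DAT" ] || [ -f "$dest/ntuser.dat" ]
}

# profile_leaks USER: print every path in the profile that group or others
# can access at all (any of the last six mode bits set); empty output is good.
profile_leaks() {
    find "$PROFILE_ROOT/$1" -exec ls -ld {} \; |
        awk 'substr($1, 5, 6) != "------" { print $NF }'
}
```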
[Samba] Can't do roaming profiles
I need a little advice on finishing off a Samba PDC. I have Samba 3.0.0RC1 installed and working as a PDC on a Redhat AS 3.0 machine. It authenticates users nicely but the "roaming" profiles don't work. Tailing the samba log, I see an attempt to access the user's ntuser.dat file, which doesn't exist before the first logon, when logging in. The profile directory (/home/profiles/ DOES get created by samba when the user logs in. When the user logs off, there is no reference in the log that ntuser.dat is being written with the user's updated profile. In fact the ntuser.dat file is not created on the samba server. If I "touch ntuser.dat" in the profile directory on the samba PDC, then log in on a Win2000 client PC, I get a message saying the ntuser.dat file is not the proper format, so I know the "profiles" share and "logon path" are correct. But the profile will not update on the PDC. My Win2000 is SP2, and I tried SP4 also. I looked on the client PC and the profile is a "roaming" profile. Also the "add user script" doesn't work, I have to add the users by hand (with the same script). Here is my smb.conf file, any help is greatly appreciated...

Regards and thanks for a great program!
Doug P

-
# Global parameters
[global]
    workgroup = TESTDOM
    server string = Samba Server
    update encrypted = Yes
    client lanman auth = No
    client plaintext auth = No
    log level = 4
    log file = /var/log/samba.log
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
    logon path = \\%L\profiles\%U
    logon drive = H:
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    ldap ssl = no
    preload = homes

[homes]
    comment = Home Directories
    path = /home/%S
    read only = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

[software]
    path = /home/software
    read only = No

[netlogon]
    path = /home/scripts
    browseable = No

[profiles]
    path = /home/profiles
    read only = No
    writable = yes
    create mask = 0600
    directory mask = 0700
    profile acls = Yes
    browseable = No
[Samba] Has anyone tried to install OfficeXP into a samba share?
When I attempt to install OfficeXP into a drive letter "S:" which is a samba share, I can't get the install to finish. Anyone else experience this?

DSP
[Samba] Installing office on a 3.0.0-8rc3 share
I'm having trouble installing OfficeXP on a Win2000 machine that has a samba share. Office XP installs and gets almost to the end, then coughs an obscure error and states that two files will be sent to Microsoft for debugging, which aren't there I might add. I can install the same software just fine on a share from a Win2000 server, so my question is, how could it know the difference? I'm not sure what additional information I could post here that would be helpful. The share has full write permission and the files show up on the share. Then at the end it fails and backs out all the files and barfs the bogus error message.

Thanks
DSP