Re: [Samba] Parameter "idmap backend" is deprecated ???

2008-08-12 Thread Douglas VanLeuven

Volker Lendecke wrote:

On Tue, Aug 12, 2008 at 12:23:18AM +0200, Andreas Ladanyi wrote:

why is this parameter deprecated ?

I have to set this parameter if I want to get my user/group information 
from Active Directory with the SFU AD schema extension.


Is there a new parameter instead of "idmap backend" ???


It will come back in 3.3 :-)



In the meantime, use idmap config, something like this:
winbind nss info = sfu
idmap domains = DOMAINNAME
idmap config DOMAINNAME:readonly = yes
idmap config DOMAINNAME:default = yes
idmap config DOMAINNAME:backend = ad
idmap config DOMAINNAME:range = 500 - 2
idmap config DOMAINNAME:schema_mode = sfu

idmap alloc backend = tdb
idmap alloc config:range = 5-50999

Doug
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] How to get AD computer name by winbind

2008-08-10 Thread Douglas VanLeuven

wilson kwok wrote:

Hello,
 
I'm trying a migration from AD 2003 to Samba + LDAP using winbind, but I don't know how to use the getent command to get AD 2003 computer name information. I tried man getent, but it does not have related information. Could anyone tell me how to do that ?


getent passwd|grep \\$:

All the machine names end with $ in field 1

Doug



Re: [Samba] unable to map windows to unix groups

2008-08-10 Thread Douglas VanLeuven

[EMAIL PROTECTED] wrote:

As I said, I did a fresh install of opensuse 10.3, samba, ldap.

During the process, I filled the ldap database directly with an ldif file built
using smbldap tools.

(one item in that file -->

dn: cn=Domain Admins,ou=Groups,dc=ldap_hathor,dc=nwk
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
sambaSID: S-1-5-21-3134345319-2430187646-2919245149-512
sambaGroupType: 2
displayName: Domain Admins
description: Netbios Domain Administrators
#sambaPrimaryGroupSID: SID of the user group (512 = Admins group)
#description: Netbios Domain Administrators
 )

So you mean by doing this it is not necessary to map the native existing unix
group "ntadmin" (gid 71) to "Domain Admins" ?
(ntadmin appears in /etc/group and "Domain Admins" does not)


When you do getent group you're getting what's in the local /etc/group 
and what's defined in the ldap group membership.  See gidNumber above. 
Using /etc/nsswitch.conf to define ldap lookups extends the /etc/passwd 
and /etc/group membership so passwd and group uid/gid's can be defined 
system wide and used by any unix machine.


So yes.  Users belonging to group 512 are "Domain Admins".  You need to 
add users to this group when you want them to have related security 
privileges.  You should be able to chgrp 512 filename and have it show 
as "Domain Admins" when you ls the directory.  I haven't used the 
smbldap tools package, but it looks like the most common windows groups 
have already been defined for you.  All you need to do is avoid using 
the ldap passwd & group uid/gids in the local files.  Yast tools will 
probably not allow you to generate duplicates.


And yes, you only need to map groups when the unix name doesn't match 
the windows name and you don't want samba to create the account on the 
fly using whatever idmap backend you pick.  Your idmap backend should 
probably be idmap_ldap; accounts generated then become available 
system wide using the same uid/gid's, and network file sharing offers the 
same membership security regardless of which client machine accesses it.


This is probably in a FAQ somewhere where the answer would be more 
structured.  I use the following to resolve my issues:

http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://us6.samba.org/samba/docs/man/Samba-Guide/

Since samba is evolving almost daily, sometimes the Howto syntax has been 
modified in the current manifestation of the command.  Always refer to 
the current command documentation to resolve any discrepancies.


Doug



Reading the samba documentation was not very clear for me.

jcdole


Douglas VanLeuven <[EMAIL PROTECTED]> wrote:

It looks like you already have an existing unix group called "Domain
Admins" being pulled in from ldap.  When that is true, there is no need
for groupmap and indeed it would appear it is illegal to map a windows
group that matches an existing unix group to another unix group.

Doug


[EMAIL PROTECTED] wrote:

Hello.

After fresh install.

Samba and ldap seem to run normally ( I can join win2k workstation to linux
samba pdc ).

Using yast I create a system group named domadmin

But I am unable to map "Domain Admins" to domadmin
I am unable to map "Domain Admins" to existing ntadmin group

I am unable to modify mapping "Domain Admins" to domadmin group

Thank you for helping.

LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=domadmin
rid=512 type=d
adding entry for group Domain Admins failed!
LINUX-SRV: #

LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512
type=d
adding entry for group Domain Admins failed!
LINUX-SRV: #

LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
Can't map to an unknown group type.
LINUX-SRV: #

LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
type=d
Could not update group database
LINUX-SRV: #

LINUX-SRV:~ net groupmap list
request done: ld 0x55c881e0 msgid 1
request done: ld 0x55c881e0 msgid 2
Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
request done: ld 0x55c881e0 msgid 3
Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
request done: ld 0x55c881e0 msgid 4
Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain Guests
request done: ld 0x55c881e0 msgid 5
Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain Computers
request done: ld 0x55c881e0 msgid 6
Administrators (S-1-5-32-544) -> Administrators
request done: ld 0x55c881e0 msgid 7
Account Operators (S-1-5-32-548) -> Account Operators
request done: ld 0x55c881e0 msgid 8
Print Operators (S-1-5-32-550) -> Print Operators
request done: l

Re: [Samba] unable to map windows to unix groups

2008-08-09 Thread Douglas VanLeuven

[EMAIL PROTECTED] wrote:

Hello.

After fresh install.

Samba and ldap seem to run normally ( I can join win2k workstation to linux
samba pdc ).

Using yast I create a system group named domadmin

But I am unable to map "Domain Admins" to domadmin
I am unable to map "Domain Admins" to existing ntadmin group

I am unable to modify mapping "Domain Admins" to domadmin group

Thank you for helping.

LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=domadmin
rid=512 type=d
adding entry for group Domain Admins failed!
LINUX-SRV: #

LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512
type=d
adding entry for group Domain Admins failed!
LINUX-SRV: #

LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
Can't map to an unknown group type.
LINUX-SRV: #

LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin 
type=d

Could not update group database
LINUX-SRV: #

LINUX-SRV:~ net groupmap list
request done: ld 0x55c881e0 msgid 1
request done: ld 0x55c881e0 msgid 2
Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
request done: ld 0x55c881e0 msgid 3
Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
request done: ld 0x55c881e0 msgid 4
Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain Guests
request done: ld 0x55c881e0 msgid 5
Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain Computers
request done: ld 0x55c881e0 msgid 6
Administrators (S-1-5-32-544) -> Administrators
request done: ld 0x55c881e0 msgid 7
Account Operators (S-1-5-32-548) -> Account Operators
request done: ld 0x55c881e0 msgid 8
Print Operators (S-1-5-32-550) -> Print Operators
request done: ld 0x55c881e0 msgid 9
Backup Operators (S-1-5-32-551) -> Backup Operators
request done: ld 0x55c881e0 msgid 10
Replicators (S-1-5-32-552) -> Replicators
request done: ld 0x55c881e0 msgid 11
Users (S-1-5-32-545) -> 15000
LINUX-SRV: #

LINUX-SRV: # getent group
at:!:25:
..
..
domadmin:x:114:
root:x:0:
...
..
users:x:100:
+::0:
request done: ld 0x618d10 msgid 1
Domain Admins:*:512:root,user_admin
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
request done: ld 0x618d10 msgid 2


It looks like you already have an existing unix group called "Domain 
Admins" being pulled in from ldap.  When that is true, there is no need 
for groupmap and indeed it would appear it is illegal to map a windows 
group that matches an existing unix group to another unix group.


Doug

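The point Doug makes in this thread, that a Windows group which already resolves as a unix group through LDAP needs no groupmap entry at all, is easy to check mechanically from the two outputs the poster pasted. The following is an added example, not code from the thread or from the Samba project: it parses the `net groupmap list` and `getent group` formats shown above (the LDAP "request done" debug lines included), reports for every Windows group whether its unix side already exists, and flags the two things that bite in practice: a mapping to a bare gid that no resolvable group owns (the "Users -> 15000" line), and a unix gid that differs from the group's RID. The sample outputs are constructed from the thread's own lines; "Print Operators" with gid 1550 is made up to show a mismatch.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of the `net groupmap list` output quoted in
# the thread; "Print Operators -> 1550" is invented to exercise the RID check.
GROUPMAP_OUTPUT = """\
request done: ld 0x55c881e0 msgid 1
Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
request done: ld 0x55c881e0 msgid 2
Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
request done: ld 0x55c881e0 msgid 3
Administrators (S-1-5-32-544) -> Administrators
Print Operators (S-1-5-32-550) -> Print Operators
Users (S-1-5-32-545) -> 15000
"""

# Constructed sample in `getent group` format: local /etc/group entries, the
# nsswitch compat "+" marker, then the groups pulled in from LDAP.
GETENT_OUTPUT = """\
root:x:0:
domadmin:x:114:
users:x:100:
+::0:
request done: ld 0x618d10 msgid 1
Domain Admins:*:512:root,user_admin
Domain Users:*:513:
Administrators:*:544:
Print Operators:*:1550:
"""

MAPPING_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[0-9-]+)\) -> (?P<unix>.+)$")


@dataclass(frozen=True)
class Mapping:
    ntgroup: str
    sid: str
    unix: str  # unix group name, or a bare gid when no group carries the name


def parse_groupmap(text):
    """Parse `net groupmap list` output, skipping LDAP client debug lines."""
    mappings = []
    for line in text.splitlines():
        if line.startswith("request done:"):
            continue
        m = MAPPING_RE.match(line.strip())
        if m:
            mappings.append(Mapping(m["nt"], m["sid"], m["unix"]))
    return mappings


def parse_getent_group(text):
    """Return {group name: gid} from `getent group` output."""
    groups = {}
    for line in text.splitlines():
        if line.startswith(("+", "-")):
            continue  # nsswitch compat markers, not real groups
        parts = line.split(":")
        if len(parts) < 3 or not parts[2].isdigit():
            continue  # blank lines and debug output
        groups[parts[0]] = int(parts[2])
    return groups


def classify(mappings, groups):
    """Describe each mapping against the groups NSS actually resolves.

    identity           - the Windows name already resolves as a unix group
                         (the thread's case: no `net groupmap` needed)
    mapped             - points at a differently named, existing unix group
    gid-only:<name>    - points at a bare gid that some unix group owns
    dangling-gid       - points at a gid no resolvable group owns
    unknown-unix-group - points at a name NSS cannot resolve
    """
    gid_to_name = {gid: name for name, gid in groups.items()}
    status = {}
    for m in mappings:
        if m.unix.isdigit():
            owner = gid_to_name.get(int(m.unix))
            status[m.ntgroup] = f"gid-only:{owner}" if owner else "dangling-gid"
        elif m.unix not in groups:
            status[m.ntgroup] = "unknown-unix-group"
        elif m.unix == m.ntgroup:
            status[m.ntgroup] = "identity"
        else:
            status[m.ntgroup] = "mapped"
    return status


def rid(sid):
    """Last sub-authority of a SID: 512 for Domain Admins, 544 for Administrators."""
    return int(sid.rsplit("-", 1)[1])


def rid_gid_mismatches(mappings, groups):
    """Windows groups whose unix gid differs from their RID (the ldif quoted in
    the thread keeps gidNumber equal to the RID, e.g. 512 for Domain Admins)."""
    return [(m.ntgroup, rid(m.sid), groups[m.unix])
            for m in mappings
            if m.unix in groups and groups[m.unix] != rid(m.sid)]


if __name__ == "__main__":
    groups = parse_getent_group(GETENT_OUTPUT)
    for name, state in classify(parse_groupmap(GROUPMAP_OUTPUT), groups).items():
        print(f"{name:18} {state}")
    print("rid/gid mismatches:", rid_gid_mismatches(parse_groupmap(GROUPMAP_OUTPUT), groups))
```

Run it against real output by piping `net groupmap list` and `getent group` into the two parsers; a "dangling-gid" or "unknown-unix-group" result is a mapping that will silently fail to grant membership, which is worth knowing before relying on "Domain Admins" for file permissions.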


Re: [Samba] Problems with Samba(idmap_ad/sfu on AIX

2008-03-30 Thread Douglas VanLeuven

Heikki Manninen wrote:
I'm unable to use idmap_ad and sfu nss info with Samba on AIX. The 
configuration as it is works on a Linux build.


workgroup = DOMAIN
realm = DOMAIN.TLD
server string = SERVER
security = ADS
idmap domains = DOMAIN
idmap config DOMAIN:default = yes
idmap config DOMAIN:backend = ad
idmap config DOMAIN:range = 1000 - 6
idmap config DOMAIN:readonly = yes
idmap config DOMAIN:schema_mode = sfu

winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
winbind nss info = sfu
map to guest = bad uid


That all looks good.


When run with statically built idmap_ad I get this in the log when 
trying to map user info (wbinfo -i):


Error loading module '/opt/pware/samba/3.0.28/lib/nss_info/sfu.so': 
Could not load module /opt/pware/samba/3.0.28/lib/nss_info/sfu.so.



Last I knew, this module can't be statically compiled.

And when I build a version with shared idmap_ad (and sfu.so -> 
idmap_ad.so), it gets back to this:


lib/module.c:do_smb_load_module(49) Error loading module 
'/usr/local/samba/lib/nss_info/sfu.so': rtld: 0712-001 Symbol 
_talloc_zero_zeronull was referenced from module 
/usr/local/samba/lib/nss_info/sfu.so(), but a runtime definition of the 
symbol was not found.


lib/module.c:do_smb_load_module(49) Error loading module 
'/usr/local/samba/lib/idmap/ad.so': rtld: 0712-001 Symbol 
_talloc_zero_zeronull was referenced from module 
/usr/local/samba/lib/idmap/ad.so(), but a runtime definition of the 
symbol was not found.




Either the linker options need assistance or you need to add some 
libraries to the run time library path LIBPATH, if my memory serves.  I 
haven't done AIX for a while.


You might have more success on samba-technical getting a response.

If you post over there, don't forget to include the version of AIX and 
which compiler you're using, native or gnu.  Also the version of samba.


Regards, Doug


Re: [Samba] Still get error 13 when mounting w2k3 share

2008-03-27 Thread Douglas VanLeuven

Tosh, Michael J wrote:

# BACKGROUND #

I still cannot do basic share mapping between Samba 3.0.28 and a Windows
2003 AD Domain controller.  When using mount.cifs, I get a permission
denied error 13.  I have run it as root and as my own user account.

From a windows workstation on a different domain, I can log on fine.




Try adding the sec= option on the command line trying a couple different 
modes.  I can use ntlm, ntlmi, and ntlmv2.  Maybe something other than 
the defaults will work for you.


You also need to know what level of security your w2k3 is enforcing 
through group policy.  Enforced signing and ntlmv2 only have caused some 
people difficulties in the past.


I'd try /sbin/mount.cifs directly and specifying the user and password 
on the command line at least to test.  Try using the IP number of the 
remote host.  The domain name must be in uppercase, workgroup NAME or 
realm style MY.REALM.COM.


Regards, Doug



Re: [Samba] samba3.0.22 - "net setlocalsid" with no effect

2008-03-26 Thread Douglas VanLeuven

Friedrich Strohmaier wrote:

Hi all,

Really no one with a clue what steps I could take??


I can't tell what you're trying to do from what you've described.
It looks like you set the local machine sid and it worked.
The local machine sid will be different than the domain sid.
A profile based on the local machine sid won't be a roaming profile; it 
will be a local profile.




Friedrich Strohmaier schrieb:

[..]


root# net setlocalsid SID_WANTED
root#

root# net getlocalsid
SID for domain DOMAIN is: SID_WANTED

Result:
Client with roaming profile based on SID_WANTED is not able to connect
to DOMAIN but has access to shares.

OOOoops!


If the local user name and password are the same as the domain name and 
password, depending on the security model, it's an old trick to allow 
access to shares in a workgroup without being a domain member.  Which is 
sort of what you describe.




More Tests found here:
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#netmisc1

root# net rpc info
Domain Name: DOMAIN
Domain SID: SID_NOT_WANTED
Sequence number: 1206493306
Num users: 37
Num domain groups: 0
Num local groups: 0


I would think zero groups with 37 users is a hint to a problem.

Regards, Doug


Re: [Samba] Get logged on username (several sessions on the same machine)

2008-03-12 Thread Douglas VanLeuven
Michael Heydon wrote:
> Kurthermal wrote:
>> But the machine has been rebooted and another user has opened a
>> session on it, but 'net status session' or 'net session' continue to
>> claim that there are 2 users logged on the same machine. It isn't
>> always the case, I think it can be due for example to a reset of the
>> machine so windows didn't close cleanly the network resources.
>>
>> Is there a way to get samba close all connections from a machine if
>> another user try to open a new network resource from that machine ?
> reset on zero vc
>> 
> 
> I'm not sure what would happen in cases where you legitimately have
> multiple users on a single machine (term servers, someone using "run
> as", services accessing shares) but in the case of a single user PC it
> should do what you want.

That one snuck by me.  No it doesn't affect remote desktop use, but then
it just doesn't seem to do anything at all.  At least with an XP box
talking to samba.  When I pulled the network cable while a file was
open, logged off, logged on as another user and reconnected, it didn't
kill the previous session either and the file is still locked, which was
the original justification on technical - snafu sessions across vpn.

I once filed a report on a related issue - logging off and back on
rapidly would allow the new user to see the home share of the previously
logged on user though not browse it.  Same basic reasoning it was closed
out was multi-user systems make it happen that way.  In some of the
environments I worked in, it was perceived as a flaw and I debated that
and lost.

I do a lot of vpn and got excited it might work.  It might with a
different scenario.

I just logged on, browsed, and logged off as the original user.  Darn
file is still locked.

Regards, Doug


Re: [Samba] Get logged on username (several sessions on the same machine)

2008-03-12 Thread Douglas VanLeuven
Kurthermal wrote:
> But the machine has been rebooted and another user has opened a session
> on it, but 'net status session' or 'net session' continue to claim that
> there are 2 users logged on the same machine. It isn't always the case,
> I think it can be due for example to a reset of the machine so windows
> didn't close cleanly the network resources.

I'm sorry I wasn't clear enough.  I wasn't attempting to explain your
circumstance.  I was trying to state a general design principle using a
kind of Socratic method.

Windows workstations are notorious for not bothering to signal goodbye.
There are MS KB articles about fine tuning Windows servers to avoid
exhausting resources because the workstations are like that.  It's not a
samba issue, it's a windows issue.  I only tried to explain why it is
the way it is because you used the bug word.

There has been a samba option for forever (since at least 1.x or beta)

deadtime = 

just so the sessions don't hang around forever.  I never tried setting
it to 1 min., but you could experiment.  But it doesn't work if an
application forgets to close a file or release a lock.

I never tried it, but it should be possible to script something with the
"root preexec" if this is really an issue for you.  But be warned -
there are legitimate reasons multiple users can be logged on to a samba
machine at the same time.

For example, my wife is logged on a Windows machine.  I connect with
remote desktop.

Samba version 3.0.28-0.1.95-1624-SUSE-SL10.3
PID Username  Group Machine
---
 7207   ranger1$  machine   192.168.202.35 (192.168.202.35)
 7207   FOREST\doug   users 192.168.202.35 (192.168.202.35)
 7339   FOREST\cindy  users 192.168.202.35 (192.168.202.35)
 7207   FOREST\cindy  users 192.168.202.35 (192.168.202.35)
 7339   ranger1$  machine   192.168.202.35 (192.168.202.35)

There's nothing I know of to readily distinguish your circumstance from
this circumstance other than quiescence on the connection for a period
of time.

Doug

> 
> Is there a way to get samba close all connections from a machine if
> another user try to open a new network resource from that machine ?
> 
> Or is there another way to get the currently active session on a PDC
> client ?
> 
> 
> Douglas VanLeuven wrote :
>> Kurthermal wrote:
>>  
>>> Am I the only one to have noticed this behaviour ?
>>> Do I have to report a bug or so ?
>>> Where can I get some answers ?
>>>
>>> 
>>
>> If a service was running as a prior user and needed network resources
>> from the samba server in addition to the currently logged on user,
>> wouldn't it be wrong to make the assumption those resources should no
>> longer be available?
>>
>> It only takes one exception to break a general case.
>>
>> Regards, Doug
>>
>>
>>   


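Doug's session listing above shows why the server cannot tell a stale session from a legitimate second user: both look like two usernames on one machine, and one smbd process (PID 7207) carries both doug and cindy. The following is an added example, not code from the thread or from the Samba project; it parses the session table in the layout `smbstatus` printed in 3.0.x (PID, Username, Group, Machine), drops the computer accounts (trailing `$`), and lists the machines with more than one human user so an administrator can at least see the candidates before deciding whether `deadtime` or a `root preexec` script is warranted. The sample table is constructed from the one quoted above plus a second machine for comparison.

```python
import re
from collections import defaultdict

# Constructed sample laid out like the smbstatus session listing quoted above;
# 192.168.202.40 / FOREST\bob is invented to give a single-user machine.
SMBSTATUS = r"""
Samba version 3.0.28-0.1.95-1624-SUSE-SL10.3
PID     Username      Group         Machine
-------------------------------------------------------------------
 7207   ranger1$      machine       192.168.202.35 (192.168.202.35)
 7207   FOREST\doug   users         192.168.202.35 (192.168.202.35)
 7339   FOREST\cindy  users         192.168.202.35 (192.168.202.35)
 7207   FOREST\cindy  users         192.168.202.35 (192.168.202.35)
 7339   ranger1$      machine       192.168.202.35 (192.168.202.35)
 7412   FOREST\bob    users         192.168.202.40 (192.168.202.40)
"""

# A session line starts with the smbd PID; the header, separator and version
# lines do not, so the regex skips them.
SESSION_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<machine>\S+)")


def parse_sessions(text):
    """Return (pid, user, group, machine) tuples, one per session line."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append((int(m["pid"]), m["user"], m["group"], m["machine"]))
    return sessions


def is_machine_account(user):
    # Computer accounts authenticate with a trailing '$' (ranger1$ above).
    return user.endswith("$")


def users_by_machine(sessions):
    """{machine: sorted distinct human users holding a session from it}"""
    per_machine = defaultdict(set)
    for _pid, user, _group, machine in sessions:
        if not is_machine_account(user):
            per_machine[machine].add(user)
    return {machine: sorted(users) for machine, users in per_machine.items()}


def multi_user_machines(sessions):
    """Machines carrying sessions for more than one human user.

    A crashed workstation that never said goodbye and a legitimate second
    user (remote desktop, runas, a service) produce the same picture here;
    only idle time on the connection distinguishes them, which is what the
    `deadtime` parameter acts on.
    """
    return {m: u for m, u in users_by_machine(sessions).items() if len(u) > 1}


def users_per_pid(sessions):
    """{pid: set of users}: one smbd process can serve several users."""
    per_pid = defaultdict(set)
    for pid, user, _group, _machine in sessions:
        per_pid[pid].add(user)
    return dict(per_pid)


if __name__ == "__main__":
    sessions = parse_sessions(SMBSTATUS)
    for machine, users in multi_user_machines(sessions).items():
        print(f"{machine}: {', '.join(users)}")
    for pid, users in sorted(users_per_pid(sessions).items()):
        print(f"pid {pid}: {len(users)} user(s)")
```

To use it on a live server, feed it the output of `smbstatus -b` (the brief listing has the same four columns); the machines it reports are where a lock held by a session that should be gone would live.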


Re: [Samba] net join fails NT_STATUS_INVALID_COMPUTER_NAME

2008-03-12 Thread Douglas VanLeuven
Lothar Belle wrote:
> We want to join out Linux-Server:
> SLES 10 SP1 x86 with Samba (samba-client-3.0.24-2.23)
>  to our  W2000 Domain.
> 

> krb5.conf
> [libdefaults]
> default_realm = TQ-NET.DE
> clockskew = 300
> [realms]
> TQ-NET.DE = {
> kdc = TQ-DC-1.TQ-NET.DE
> default_domain = TQG

  default_domain = tq-net.de

The domain here is the DNS domain.

> admin_server = TQ-DC-1.TQ-NET.DE
> }
> [domain_realm]
> .tq-net.DE = TQ-NET.DE
> [appdefaults]
> pam = {
> ticket_lifetime = 1d
> renew_lifetime = 1d
> forwardable = true
> proxiable = true
> retain_after_close = true
> minimum_uid = 0
> try_first_pass = true
> debug = false
> }
> krb5.conf
> 
> kerberos works fine.
> 

That's all that I noticed.

Regards, Doug


Re: [Samba] Get logged on username (several sessions on the same machine)

2008-03-11 Thread Douglas VanLeuven
Kurthermal wrote:
> Am I the only one to have noticed this behaviour ?
> Do I have to report a bug or so ?
> Where can I get some answers ?
> 

If a service was running as a prior user and needed network resources
from the samba server in addition to the currently logged on user,
wouldn't it be wrong to make the assumption those resources should no
longer be available?

It only takes one exception to break a general case.

Regards, Doug


Re: [Samba] Problem with ADS idmap backend

2008-03-11 Thread Douglas VanLeuven
David Eisner wrote:
> On Mon, Mar 10, 2008 at 7:54 PM, Douglas VanLeuven <[EMAIL PROTECTED]> wrote:
> 
>>  Try adding to global section:
>>  winbind nss info = sfu
>>
>>  Right now you're defaulting to "template".

> 
> Thanks for the tip.  Unfortunately, after making the change and
> restarting winbindd, the problem persists.   Are there any .tdb files
> I need to delete?

My winbind reinitializes to version 1 and clears its cache on restart.

If you're running nscd, you have to restart that as well.

There's a pdf I refer to
http://www.samba.org/~idra/samba3_newidmap.pdf

Simo wrote that up.

The only thing I picked up from that paper is to add an allocation range
for samba's BUILTIN users and groups.

idmap alloc backend = tdb
idmap alloc config:range = 5-50999

If you do that, you end up with a file called idmap_cache.tdb that would
have to be cleared manually.

I took a good look at the differences between our files and I'm not using
winbind use default domain = yes
winbind nested groups = yes

but I wouldn't think that would make a difference.  The configuration
looks good.

I use opensuse and nsswitch.conf is

passwd: compat winbind
group:  files winbind

It installed that way and I never changed it even though there is no
shadow entry.  From what I've read, any shadow entry shouldn't have
winbind on it.

I thought the win 2k3 R2 server used the rfc2307 schema out of the box.
 But if you were able to install SFU and modify the schema and the ldap
entries exist in the ad, it shouldn't have any effect.

Still, if all else fails - from source/nsswitch/idmap_ad.c in function
idmap_ad_init(void) each method is checked in turn: rfc2307, sfu, and
sfu20.  Once the status is OK, the remaining checks are skipped.  If
rfc2307 is initializing OK ...

Don't have a w2k3 R2 to experiment.  If I did, I'd put the sfu check
ahead of the rfc2307 check, recompile and see if it made a difference.

Probably just a foolish thought, though.

In case you don't have the source, I've included the function for you.

Regards, Doug


/* The SFU and RFC2307 NSS plugins share everything but the init
   function which sets the intended schema model to use */


/**********************************************************************
 Initialize the plugins
 **********************************************************************/

NTSTATUS idmap_ad_init(void)
{
	/* Each status is static so a method that registered successfully
	   on an earlier call is not registered again */
	static NTSTATUS status_idmap_ad = NT_STATUS_UNSUCCESSFUL;
	static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL;
	static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL;
	static NTSTATUS status_nss_sfu20 = NT_STATUS_UNSUCCESSFUL;

	/* Always register the AD method first in order to get the
	   idmap_domain interface called */

	if ( !NT_STATUS_IS_OK(status_idmap_ad) ) {
		status_idmap_ad = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
						     "ad", &ad_methods);
		if ( !NT_STATUS_IS_OK(status_idmap_ad) )
			return status_idmap_ad;
	}

	if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) {
		status_nss_rfc2307 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
							    "rfc2307",
							    &nss_rfc2307_methods );
		if ( !NT_STATUS_IS_OK(status_nss_rfc2307) )
			return status_nss_rfc2307;
	}

	if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) {
		status_nss_sfu = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
							"sfu",
							&nss_sfu_methods );
		if ( !NT_STATUS_IS_OK(status_nss_sfu) )
			return status_nss_sfu;
	}

	if ( !NT_STATUS_IS_OK( status_nss_sfu20 ) ) {
		status_nss_sfu20 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
							  "sfu20",
							  &nss_sfu20_methods );
		if ( !NT_STATUS_IS_OK(status_nss_sfu20) )
			return status_nss_sfu20;
	}

	return NT_STATUS_OK;
}



Re: [Samba] Problem with ADS idmap backend

2008-03-10 Thread Douglas VanLeuven
David Eisner wrote:
> I'm running Samba 3.0.28a on a CentOS 3.9 box as a member of an AD
> domain whose PDC is a W2k3 server (Standard x64 R2 SP2).
> 
> Using wbinfo -u and wbinfo -g I can see domain users and groups from
> the CentOS box, but getent (passwd|group) fails to display them.  The
> nsswitch is setup correctly, as far as I can tell.  When I tail -f the
> samba log file during a getent query, I see that winbindd is having
> problems mapping the sid to the uid or gid ("sid2uid returned an
> error").
> 
> Furthermore, wbinfo -n can find the SID for a user or group, but it
> can't perform the inverse mapping.
> 
> In the following example, 'deisner' and 'unixusers' are a domain user
> and group, respectively.
> 
> From the CentOS box (with intentional SID obfuscation):
> 
> $ wbinfo -u |grep deisner
> deisner
> $ wbinfo -n deisner
> S-1-5-21-**6 User (1)
> $ wbinfo -S S-1-5-21-**6
> Could not convert sid S-1-5-21-**6 to uid
> $ wbinfo -g |grep unixusers
> unixusers
> $ wbinfo -n unixusers
> S-1-5-21-**8 Domain Group (2)
> $ wbinfo -Y S-1-5-21-**8
> Could not convert sid S-1-5-21-**8 to gid
> 
> In the log file, I see this:
> [2008/03/10 18:37:58, 10]
> nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
>   Retrieving response for pid 6274
> [2008/03/10 18:37:58, 5]
> nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
>   sid2gid returned an error
> [2008/03/10 18:37:58, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
>   Could not convert sid S-1-5-21-*8
> 
> 
> I'm using the SFU schema.  In AD I have uids and gids assigned to the
> user and group, in the Unix Attributes tab, with values in the range
> I've specified for the idmap range.  Here is my smb.conf:
> 
> 
> [global]
> workgroup = THEDOMAIN
> server string = Centos Samba Server
> hosts allow = xxx.y.  xxx.y.  127.  # obfuscated
> printcap name = CUPS
> load printers = yes
> cups options = raw
> log file = /usr/local/samba/var/log.smbd
> security = ads
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> dns proxy = no
> unix charset = LOCALE
> netbios name = LDAP
> realm = THEDOMAIN.FOO.ORG
> use kerberos keytab = Yes
> idmap domains = THEDOMAIN
> idmap config THEDOMAIN:backend = ad
> idmap config THEDOMAIN:default = yes
> idmap config THEDOMAIN:schema_mode = sfu
> idmap config THEDOMAIN:range= 1 - 3
> log level = 1
> syslog = 0
> winbind use default domain = yes
> winbind nested groups = yes
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/windows/%D/%U
> template shell = /bin/bash
> allow trusted domains = no

Try adding to global section:
winbind nss info = sfu

Right now you're defaulting to "template".

Regards, Doug


Re: [Samba] Problems running samba in vmware

2008-03-10 Thread Douglas VanLeuven
Ryan Novosielski wrote:
> Natxo Asenjo wrote:
>> On Thu, Mar 6, 2008 at 10:13 PM, Adam Zimmer <[EMAIL PROTECTED]> wrote:
>>> I have used samba for nearly 9 years with no problems and we have about
>>>  20 users. In the past we have had a dedicated samba server. We have
>>>  recently virtualized this server to a quad core Q6600 using vmware
>>>  virtual server 1.0.4 on a 64 bit host running ubuntu 7.10.
>> bad idea. Vmware server is not meant for production servers. Don't try
>> to save a buck and buy a copy of esx. It will save you all this
>> trouble and time is money.
> 
>> If you really want to go along the free road, get yourself xen, linux
>> runs perfectly with the opensource 'free as in free beer' xensource.
>> Vmware server is a great testing tool, not a production one.
> 
> Why is that?
> 
ESX is the OS.  Vmware server runs under an OS.  All kinds of
ramifications to this from allocating specific ethernet cards to
specific virtual machines instead of bridging to better cpu and memory
management.

But this is getting pretty off topic for samba.

Regards, Doug


Re: [Samba] Problems running samba in vmware

2008-03-06 Thread Douglas VanLeuven
Adam Zimmer wrote:
> At the moment I have enabled timeSync with vmware tools.
> 
> In the general area of time keeping on the host, I added the following
> settings which avoided errors about the RTC missing interrupts:
> host.usefastclock=false
> host.cpukHz=240
> host.useTSC=true
> ptsc.useTSC=true
> 
> I have two other machines similarly configured (with the exception of
> running other linux applications not samba).
> 
> Ntpdate seems to be installed as it is part of the ubuntu-server default
> config. However, my other machines seem to run it ok. If anything they
> fall behind a bit and the vmware sync keeps them up-to-date.
> 

> 
> Ian McDonald wrote:

>>
>> How are your time sync options set for the VM? Is it keeping time ok?
>> (note,AFAIR, you're not supposed to run NTP within a VM.).
>>

True.  I refer to this document from vmware.
http://www.vmware.com/pdf/vmware_timekeeping.pdf

Generally, ntp & vmware timesync fight each other.  The usual method is
to turn off the ntp service, figure out how to minimize interrupts,
allow the clock to run a little slow and allow vmware timesync to bump
up the time when it gets about 1 minute slow.

There's another thread that mentions issues with on-board nics and
drivers.  Over the years, I've bumped into that myself.  To the extent I
try and use host-only and route whenever possible.  That's worked
better for me in generic usage.

Regards, Doug


Re: [Samba] Curious: Windows -> Samba 4 transition path?

2008-03-04 Thread Douglas VanLeuven
Ken D'Ambrosio wrote:
> Hi, all.  I see that the second alpha has been released, and that makes me
> wonder about one or two things:
> 
> - Can you have a Samba 4 box be a DC alongside a Windows DC?
> - Failing that, is there a transition path from Windows AD to Samba 4?
> 
> If either of these are true, it would save a heck of a lot of work,
> instead of having to rejoin a couple hundred clients to the domain.
> 
> Thanks much,
> 
> -Ken
> 
> P.S.  Kudos on whoever thought of the Python scripting hooks.  While I
> don't "speak" Python, it would certainly be a strong incentive to learn
> it!
> 

I recently enquired on the technical list and got an answer.

There exist vampire scripts to pull from an existing AD.  But right now
those scripts are transitioning from an older scripting language into
python and transitioning to a native AD methodology from an NT4 method.

Just have to wait a while.

Someone else will have to answer about samba4 as a DC with an MS DC in
harmony, although I wouldn't think that would be a goal.

Regards, Doug



Re: Fwd: [Samba] Winbind 3.0.26a cannot authenticate with ActiveDirectory

2008-02-28 Thread Douglas VanLeuven
Douglas VanLeuven wrote:
> Walter Huf wrote:
>> I changed those lines, and nothing seemed to change.
>> However, I remembered more information that I could include.
>> getent passwd does not list domain users, only local users.

Something still looks wrong to me with your pam config.  But I checked
the release note archives.  3.0.25 introduced the changes to the idmap
backend.

Here's what I use as the alternative to the old syntax:

winbind enum users = Yes
winbind enum groups = Yes
winbind nss info = sfu
idmap domains = FOREST
idmap config FOREST:backend = ad
idmap config FOREST:schema_mode = sfu
idmap config FOREST:readonly = yes
idmap config FOREST:range = 200 - 2
idmap config FOREST:default = yes

idmap alloc backend = tdb
idmap alloc config:range = 5-50999

There is a document "A new IDMAP subsystem" on the samba website that I
think is more illuminative than the manpages.  Thank Simo!

http://www.samba.org/~idra/samba3_newidmap.pdf

Regards, Doug

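The configuration above hands out uid/gid numbers from two separate ranges (the per-domain range and the allocation range), and the one mistake that really hurts is letting such ranges overlap, because a single Unix uid then stands for two different SIDs and file ownership and ACLs stop meaning what they say. Here is a small checker for that, added to this archive page as an example; it is not from the list post or the Samba project. The smb.conf fragments inside it are constructed, and the numeric ranges are placeholders, since the archive did not preserve the poster's real values.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment in the style of the post above.  The numeric
# ranges are placeholders chosen for this example, not the poster's values.
SMB_CONF_OK = """
[global]
    winbind nss info = sfu
    idmap domains = FOREST
    idmap config FOREST:backend = ad
    idmap config FOREST:schema_mode = sfu
    idmap config FOREST:readonly = yes
    idmap config FOREST:range = 10000 - 19999
    idmap config FOREST:default = yes
    idmap alloc backend = tdb
    idmap alloc config:range = 50000-50999
"""

# Same layout with two mistakes a checker should catch: the TRUST range
# overlaps FOREST's, and the allocation range sits inside the uid space
# that local system accounts use.
SMB_CONF_BAD = """
[global]
    idmap domains = FOREST, TRUST
    idmap config FOREST:backend = ad
    idmap config FOREST:range = 10000 - 19999
    idmap config TRUST:backend = rid
    idmap config TRUST:range = 19000 - 29999
    idmap alloc backend = tdb
    idmap alloc config:range = 500-999
"""

# Matches "idmap config NAME:range = low - high" and
# "idmap alloc config:range = low-high" (whitespace around '-' optional).
RANGE_RE = re.compile(
    r"^\s*idmap\s+(?:config\s+([^:\s]+)|alloc\s+config):range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain name or 'alloc': (low, high)} for every range line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            name = m.group(1) or "alloc"
            ranges[name] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlaps(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_idmap_ranges(ranges: Dict[str, Tuple[int, int]],
                       system_uid_ceiling: int = 1000) -> List[str]:
    """Findings for inverted ranges, ranges reaching into local system uids,
    and pairwise overlaps.  system_uid_ceiling is an assumption: most
    distributions start regular accounts at 1000 (older ones at 500)."""
    findings: List[str] = []
    names = sorted(ranges)
    for name in names:
        low, high = ranges[name]
        if low >= high:
            findings.append(f"{name}: empty or inverted range {low}-{high}")
        if low < system_uid_ceiling:
            findings.append(f"{name}: range {low}-{high} starts below "
                            f"{system_uid_ceiling}, colliding with local system accounts")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if overlaps(ranges[a], ranges[b]):
                findings.append(f"{a} and {b}: ranges overlap, one uid/gid could map to two SIDs")
    return findings


def lint_smb_conf(conf: str) -> List[str]:
    return check_idmap_ranges(parse_idmap_ranges(conf))


if __name__ == "__main__":
    for label, conf in (("ok", SMB_CONF_OK), ("bad", SMB_CONF_BAD)):
        print(label, lint_smb_conf(conf) or "no findings")
```

Pass a different `system_uid_ceiling` on distributions whose regular accounts start at 500; everything else is read from the ranges themselves.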


Re: Fwd: [Samba] Winbind 3.0.26a cannot authenticate with ActiveDirectory

2008-02-28 Thread Douglas VanLeuven
Walter Huf wrote:
> I changed those lines, and nothing seemed to change.
> However, I remembered more information that I could include.
> getent passwd does not list domain users, only local users.
> 
> Sample lines from /var/log/samba/log.winbindd:
> [2008/02/22 14:13:21, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
>   Could not get unix ID
> [2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
>   error getting user id for sid S-1-5-21-2143970516-726479814-926709054-1840
> [2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)
>   could not lookup domain user otherusername
> 
> Does this help at all?
> Has anybody gotten Winbind 3.0.26a to authenticate successfully with Active
> Directory?

I can't specifically say 3.0.26a.  But I've been doing it since 3.0.6 or
something.  Like you I use sfu and the backend is ad.  Used to have to
merge the padl idmap_ad module patches to the source.

I used to run redhat, then fedora, now opensuse.  Each has their own
technique for setting up pam.  Here's the opensuse version for login, su
and sshd.  Each service includes a set of common configurations and
maybe some unique to the individual service.

I've found using the distro supplied software for configuring system
auth to be the easiest way to get a baseline.  In opensuse it's
pam-config.  In fedora it was system-config-authentication.

Anytime I mess with the auth methods, I stop nscd from running during
the tests.

pam.d/login
#%PAM-1.0
auth     requisite  pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth     include    common-auth
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
session  include    common-session
session  required   pam_lastlog.so nowtmp
session  required   pam_resmgr.so
session  optional   pam_mail.so standard
session  optional   pam_ck_connector.so

pam.d/su
#%PAM-1.0
auth     sufficient pam_rootok.so
auth     include    common-auth
account  include    common-account
password include    common-password
session  include    common-session
session  optional   pam_xauth.so

pam.d/sshd
#%PAM-1.0
auth     requisite  pam_nologin.so
auth     include    common-auth
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
session  include    common-session

pam.d/common-auth
auth     required   pam_env.so
auth     sufficient pam_unix2.so
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_winbind.so use_first_pass

pam.d/common-account
account  requisite  pam_unix2.so
account  sufficient pam_localuser.so
account  sufficient pam_ldap.so use_first_pass
account  required   pam_winbind.so use_first_pass

pam.d/common-password
password sufficient pam_winbind.so
password requisite  pam_pwcheck.so nullok cracklib remember=
password sufficient pam_unix2.so use_authtok nullok
password required   pam_ldap.so try_first_pass use_authtok

pam.d/common-session
session  optional   pam_mkhomedir.so
session  required   pam_limits.so
session  required   pam_unix2.so
session  optional   pam_ldap.so
session  required   pam_winbind.so
session  optional   pam_umask.so umask=002

gate:~ # ssh [EMAIL PROTECTED]
Password:
Last login: Tue Feb 19 23:14:46 2008 from console
Have a lot of fun...
[EMAIL PROTECTED]:~> logout

Regards, Doug
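The common-auth stack above only works the way it does because of the order of the control flags: a local account is accepted by the first sufficient module and winbind is never asked, a domain account falls through to the required pam_winbind line, and a failure of the required pam_env line at the top poisons the whole stack no matter what succeeds later. To make that visible, here is an added example (not from the list post or from Linux-PAM itself) that parses a constructed copy of the stack and walks it with the classic control-flag rules. The success/failure of each module is supplied as a plain True/False per login attempt, which is an assumption for the sake of the model; real modules return many distinct codes.

```python
from typing import Dict, List, Tuple

# The four classic control flags.  Linux-PAM's bracketed "[value=action ...]"
# form (used for pam_securetty in the login file above) is not modelled.
CLASSIC_FLAGS = ("required", "requisite", "sufficient", "optional")

# Constructed copy of the common-auth stack from the post, with the
# whitespace the archive swallowed put back.
COMMON_AUTH_TEXT = """
auth    required    pam_env.so
auth    sufficient  pam_unix2.so
auth    sufficient  pam_ldap.so      use_first_pass
auth    required    pam_winbind.so   use_first_pass
"""

Stack = List[Tuple[str, str]]


def parse_pam_stack(text: str, pam_type: str = "auth") -> Stack:
    """Return [(control, module), ...] for one management type, ignoring
    module arguments and comment lines."""
    stack: Stack = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != pam_type:
            continue
        control, module = fields[1], fields[2]
        if control not in CLASSIC_FLAGS:
            raise ValueError(f"unsupported control syntax: {control}")
        stack.append((control, module))
    return stack


def run_stack(stack: Stack, outcomes: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Walk the stack with the classic control-flag rules.  `outcomes` lists
    the modules that would succeed for this attempt; any module not listed
    fails.
      required    failure is remembered, the rest of the stack still runs
      requisite   failure ends the stack immediately
      sufficient  success ends the stack; the result is success unless a
                  required module already failed, and failure is ignored
      optional    success counts only if nothing else has set a result
    Returns (result, trace of module calls)."""
    impression = None  # None, "positive" or "negative"
    trace: List[str] = []
    for control, module in stack:
        ok = outcomes.get(module, False)
        trace.append(f"{control} {module} -> {'ok' if ok else 'fail'}")
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = "positive"
            elif control == "requisite":
                return "fail", trace
            else:
                impression = "negative"
        elif control == "sufficient":
            if ok:
                return ("fail" if impression == "negative" else "success"), trace
        elif control == "optional":
            if ok and impression is None:
                impression = "positive"
    # Ending without a positive result is a denial; this is also the fate of
    # an all-sufficient stack in which every module failed.
    return ("success" if impression == "positive" else "fail"), trace


def auth_result(outcomes: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Evaluate COMMON_AUTH_TEXT for one login attempt."""
    return run_stack(parse_pam_stack(COMMON_AUTH_TEXT), outcomes)


if __name__ == "__main__":
    cases = {
        "local account": {"pam_env.so": True, "pam_unix2.so": True},
        "domain account via winbind": {"pam_env.so": True, "pam_winbind.so": True},
        "account known nowhere": {"pam_env.so": True},
        "pam_env broken, local password right": {"pam_unix2.so": True},
    }
    for label, outcomes in cases.items():
        result, trace = auth_result(outcomes)
        print(f"{label}: {result}  ({'; '.join(trace)})")
```

The trace is the useful part when debugging a stack like the poster's: it shows which module actually decided the outcome, which is exactly what a "Password:" prompt followed by a denial hides.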


Re: [Samba] Winbind+ldap = core dump

2008-02-27 Thread Douglas VanLeuven
Robin wrote:
> Hi,
> I use samba 3.0.26a on fedora 8 as a fileserver for a win 2k3 domain.  This
> has worked fine for about 2 months without any problems.  However I came to
> the server 3 days ago and the harddrive was 100% full.  On checking I found
> 60gb of core dumps in the winbind folder.  I did a lot of searching and
> couldn't find anything relevant for this release.  I tried upgrading samba to
> 3.0.28 (fc8 supplied rpm) and this does the same.  The log.winbindd-idmap
> log suggests to me that it has a problem with ldap and empty results, so I
> made a quick script to check for gaps in the ldap records and found that
> several uid and gid numbers were not assigned (ie there was no entry for
> them in ldap, even though there were entries after them).
> 
> Winbind does still mostly work just fails once in about every 10 tries.  I
> believe it fails for both samba and dovecot (pop3/imap mail server).  At the
> moment we are generating about 10gb/hour of core dumps which a cron job is
> keeping cleaned up.  Has anyone got any ideas on this? Also, is it possible
> to tell samba/winbind not to do core dumps?

enable core files = No

Sorry, can't help with the ldap though.

Regards, Doug


Re: [Samba] After migrating from Samba 2 to Samba 3 - home share names are case sensitive

2008-02-27 Thread Douglas VanLeuven
Andreas Schmidl wrote:
> Hello!
> 
> We have several sun solaris servers which now serve Samba 3 services.
> For 2 weeks we have been migrating all servers from Samba 2 to Samba 3.
> After the upgrade to Samba 3 all shares generated by [home]-section in
> smb.conf have case sensitive names.
> 
> For example:
> 
> Besides root user john exists on the server and has a home folder.
> 
> If user john wants to access his share with a Windows client he uses the path:
> 
> \\server\john
> 
> This works great.
> 
> But if he wants to access his share using the path:
> 
> \\server\JOHN
> 
> he can't access the share.
> 
> Samba 2 doesn't differentiate between the two paths.
> 
> Other shares on the server (no [home] share) for example [smb_test] can be
> accessed by typing:
> 
> \\server\SMB_TEST or
> \\server\smb_test
> 
> My [home]-section on the server:
>  [homes]
> comment = UNIX Home Directory for %S
> valid users = %S
> writeable = yes
> browseable = no
> 
> 
> In my opinion there isn't any special configuration in this section and of
> course no change since migration from samba 2 to samba 3.
> 
> Is there any solution for this problem? Or is it a samba 3 security feature
> ;-)
> 

Try taking out the valid users = %S and see if the problem persists.

Anyway, I know that without that, case doesn't matter on my machine.
Not an inherent function.  There are other things the %S inhibits as well.

Regards, Doug



Re: [Samba] Can I have share name "shareone" and "share one" at the same time?

2008-02-27 Thread Douglas VanLeuven
Young-Jun Oh wrote:
> Hello Samba community!
> 
> I recently found out about some interesting behavior of share names with Samba and did
> not find any useful information on the net. If anyone knows why I'm having
> this problem, I would feel like I could fly!
> 
> Thanks in Advance.
> 
> The problem I have is that I cannot get the following two shares working at the
> same time.
> 
> in my smb.conf file,
> 
> [shareone]
> comment = shareone
> path=/shareone
> printable = no
> public = yes
> writeable = Yes
> 
> [share one]
> comment = share one
> path=/share one
> printable = no
> public = yes
> writeable = Yes
> 
> I can get either one of them to work but not at the same time. I tried
> quote(") around share one. I tried "share\ one". I tried share\040one. But
> none of them worked.
> 
> I tried these names for share in Windows XP and they worked fine at the same
> time.
> 
> I'm sure this kind of share names on same computer would be very rare but
> I'm just curious.

I was curious too.  So I tried it out.  Works fine for me.  I'm using
opensuse 10.3 and using the samba.org repository for samba 3.0.28.

What version of samba are you using?
If it's behind current, are you able to upgrade to a more current release?

Regards, Doug


Re: [Samba] Samba4 and GPOs

2008-02-25 Thread Douglas VanLeuven
Magic Zambo wrote:
> Hello, it's me again,
> 
> Really, has anybody got an idea? Everything could help.
> So please write everything you think about even if you think it's too
> trivial. ;-)
> 
> Thanks in advance
> 
> I successfully managed installing a Samba4 server. It's all fine but the
> server doesn't accept my GPOs I made. For example I've got an OU which
> isn't allowed to start Control Panel, but every user in this OU can start it
> without problems.
> 
> Anyone knows a solution?

Probably not many people using samba 4 on this list.  It's still alpha.

You might have better luck on samba-technical.

Regards, Doug


Re: [Samba] Need help upgrading from 3.0.4 to 3.0.28

2008-02-20 Thread Douglas VanLeuven
Joe wrote:
> I have a FreeBSD 5.2.1 machine running Samba 3.0.4.  I am going to
> upgrade Samba to 3.0.28.  The process I would follow would be...
> 
> download source
> configure
> make
> make install
> 
> My questions are...
> 
> 1. Can I "make install" with users connected to the samba
>server and using shares?

Only if you're an optimist.  It's a rare day one can migrate that many
releases without some changes in config file syntax or interpretation.

> 
> 2. Can I just restart nmbd and smbd to run the new version?
>What happens to connected users if I restart nmbd and smbd?

You could.  Your users would get (optimistically) momentarily
disconnected.  The windows offline files balloon pops up or a message
"no longer connected to ...".

> 
> 2. Will I need to change anything in smb.conf?

Probably.  I know some of the defaults have changed, but I don't have a
list handy.

> 
> 3. Will any of the samba databases (users) get destroyed/erased/
>changed?

Shouldn't, but someone else would have to say definitively.  I've
personally wiped and reinitialized most of them several times only
keeping the private tdb files secrets & passdb while regenerating the
printer tdb's and mappings.

> 
> Sorry for all the questions, I'm just nervous about creating
> a big mess during the upgrade.

If it's at all possible, your best course is to setup a test machine
(real or virtual) and test the new version in your current setup by
joining it to your domain and connecting from users.  Alternatively,
duplicate the existing OS & samba version with a different machine name
and perform the upgrade on it.  Your experience doing that is the only
real way to self answer some of your questions and make the production
upgrade as smooth as possible.

Regards, Doug


Re: [Samba] cifs verses smbfs for Linux clients

2008-02-18 Thread Douglas VanLeuven
Michael Lueck wrote:
> I am somewhat confused...
> 
> I understand that the preferred method to mount a Samba share with a
> Linux client is to use "mount -t cifs" rather than "mount -t smbfs".
> 
> I get the impression that smbfs is samba.org developed code whereas
> cifs is from elsewhere. Thus the point of confusion. Why is samba.org
> not developing the preferred code in this case?
> 
> A sub question to that main one is a nagging thought of needing to add
> the Debian / Ubuntu smbfs package to Linux client systems issuing "mount
> -t cifs". If cifs really is from elsewhere, and smbfs is "bad evil", why
> the interdependency?
> 
> Thanks!

As I know it, cifs-mount (/sbin/mount.cifs) is maintained by the samba
team as the replacement for the older smbfs.  I can't even find smbmnt
in opensuse 10.3.

I wish I could point you to a release notes for this.

Regards, Doug



Re: [Samba] Re: winbind - not ready for prime time

2008-02-17 Thread Douglas VanLeuven
Christian McHugh wrote:
> Guido Lorenzutti wrote:
>> Jeremy Allison wrote:
>>  
>>>
>>> If you have a specific issue, ask it. If you have a specific
>>> bug, report it. You did none of those things.
>>> 
>>
>> I'm not a developer, I'm a sysadmin and I've been using samba for a lot of
>> years now.
>> When I read the post, I wasn't going to answer, 'coz I didn't feel
>> related to the subject.
>>
>> I think I have a little experience in Samba and Winbind. If you need
>> someone to write examples, docs, manpages, etc.. I don't have any
>> problem to fill the blanks. Just tell me where I should start.
>>
>>   
> 
> Well, in an attempt at raising the signal to noise ratio, I've
> personally had problems deciphering exactly how to use winbind with
> idmap_ad.
>  - In the smb.conf do I have an idmap declaration per domain, or is the
> example given in the man page "ALLDOMAINS" acceptable?
>  - (As mentioned in an unanswered mail to this list) How do I go about
> compiling the rfc2307 module, either statically or dynamically?
> 
> Once I get past the rfc2307 compile question, I think I'll have more
> questions. But since I don't have winbind running well in my environment
> (yet) I can bring those up later.

My 2 cents.  Open Source used to mean just that.  The source was public.
Anyone can read it.  Howtos were generally created by users that wanted
to give back to the community, not usually developers.

My observation is non-developers frequently confuse documenting samba
with documenting MS windows (c).  As the recent EC decision indicates,
MS has been reluctant to document their product.  Don't blame the samba
team for the MS lack of transparency.

As far as compiling idmap_ad goes, look in the supplied configure script.

# Check whether --with-shared-modules or --without-shared-modules was given.
if test "${with_shared_modules+set}" = set; then
  withval="$with_shared_modules"
  if test $withval; then
    for i in `echo $withval | sed -e 's/,/ /g'`
    do
      eval MODULE_$i=SHARED
    done
  fi
fi;

Then grep the file "grep MODULE_idmap_ configure"

MODULE_idmap_tdb=STATIC
MODULE_idmap_passdb=STATIC
MODULE_idmap_nss=STATIC
if test "$MODULE_idmap_ldap"; then
DEST=$MODULE_idmap_ldap
if test "$MODULE_idmap_tdb"; then
DEST=$MODULE_idmap_tdb
if test "$MODULE_idmap_passdb"; then
DEST=$MODULE_idmap_passdb
if test "$MODULE_idmap_nss"; then
DEST=$MODULE_idmap_nss
if test "$MODULE_idmap_rid"; then
DEST=$MODULE_idmap_rid
if test "$MODULE_idmap_ad"; then
DEST=$MODULE_idmap_ad

There you have it.

--with-shared-modules=idmap_ldap,idmap_tdb,idmap_passdb,idmap_nss,idmap_rid,idmap_ad

Just pick the ones you want.  idmap_ad includes support for both SFU and
rfc2307.  I once tried to compile idmap_ad as a static module and it core
dumped.  Maybe it's changed but I don't think so.  If your OS has
issues with dynamic modules, you'll probably have to fix it yourself
either through support with the OS vendor or modifying the samba code.

As far as rfc2307 support goes:

find .|grep idmap_ad
./nsswitch/.svn/prop-base/idmap_ad.c.svn-base
./nsswitch/.svn/props/idmap_ad.c.svn-work
./nsswitch/.svn/text-base/idmap_ad.c.svn-base
./nsswitch/idmap_ad.c

less nsswitch/idmap_ad.c

Second line:
/*
 *  idmap_ad: map between Active Directory and RFC 2307 or "Services for
Unix" (SFU) Accounts

There is a document "A new IDMAP subsystem" on the samba website that I
think is more illuminative than the manpages.

google idmap pdf site:www.samba.org

http://www.samba.org/~idra/samba3_newidmap.pdf

Regards, Doug



Re: [Samba] NT_STATUS_ACCESS_DENIED

2008-02-15 Thread Douglas VanLeuven
Miguel Gonzalez Castaños wrote:
> I'm stumped. Same configuration in Debian sarge with
> kernel 2.4 works fine, however, with kernel 2.6,
> breaks.
> 
> boddingtons2:/var# smbclient -U THREESPOT+mgonzalez //10.0.6.41/www -c 'ls'
> Password:
> Domain=[THREESPOT] OS=[Unix] Server=[Samba 3.0.24]
> tree connect failed: NT_STATUS_ACCESS_DENIED
> 
> 
> /etc/samba/smb.conf
> 
> [global]
>workgroup = THREESPOT
>server string = boddingtons2
> 
>password server = 10.0.6.13
>realm = THREESPOT.COM
> 
>wins support = no
>wins server = 10.0.6.13
>dns proxy = no
>name resolve order = wins lmhosts hosts bcast
> 
>log level =3
> 
>log file = /var/log/samba/log.%m
>max log size = 1000
>syslog = 0
>panic action = /usr/share/samba/panic-action %d
> 
>security = ads
>encrypt passwords = true
> #   passdb backend = tdbsam guest   This is the only that changes from
> the 2.4 sarge configuration, running it with guest support gives me a core

At best, the reason for the core dump is samba is looking for a backend
called "guest".  You could make a case for samba to be more graceful
about backends that don't exist, but that's it.

At this point, I'd run "pdbedit -L -v|less" and check the accounts
didn't get corrupted from the abnormal terminations.

Regards, Doug



Re: [Samba] NT_STATUS_ACCESS_DENIED

2008-02-12 Thread Douglas VanLeuven
Chris du Preez wrote:
> On Tuesday 12 February 2008 03:07:29 pm you wrote:
>> Um, either you omitted the chr share definition, or you don't have one.
>> Either way we can't help much without it :)
>>
>> Rubin
>>
>  I get the same result with 
> 
> # smbclient //bbb/homes -U chr
>  Password:
>  Domain=[BBB] OS=[Unix] Server=[Samba 3.0.28-0.fc8]
>  smb: \> ls
>  NT_STATUS_ACCESS_DENIED listing \*
> 
> 
> when I list the server with 
> 
> # smbclient -L bbb -U chr
> Password:
> Domain=[BBB] OS=[Unix] Server=[Samba 3.0.28-0.fc8]
> 
> Sharename   Type  Comment
> -     ---
> cc  Disk
> HP5550  Printer   HP Color LaserJet 5550
> IPC$IPC   IPC Service (BBB Samba Server)
> chr Disk  Home Directories
> Domain=[BBB] OS=[Unix] Server=[Samba 3.0.28-0.fc8]
> 
> Server   Comment
> ----
> 
> WorkgroupMaster
> ----
> FLAMENGROFLAHOIS01
> 
> This is what I found. The share chr is there.
> 
> I even went as far as putting in a share cc in smb.conf like this, with the same result
>  
> [cc]
> path = /home/chr
> valid users = chr
> read only = No

Try valid users = FLAMENGRO\chr
I believe specifying the domain is mandatory.
You realize that only chr will have a home directory if you specify it
like that?

Regards, Doug


Re: [Samba] (no subject)

2008-02-07 Thread Douglas VanLeuven
Dale Schroeder wrote:
> I have systems using security = ADS and security = domain where
> "password server =" works quite well.  There's something else going on.
> 
> Dale
> 
> Adam Williams wrote:
>> password server = only works when samba is in security = server mode.
>>
>> security = domain is used when the server is a member server of an NT4
>> style domain (meaning, it's not a PDC or a BDC, but another server with
>> some file shares on it and it authenticates to the PDC using LDAP).
>>
>> when you have a bunch of samba servers like you sound like you do, you
>> should be using an LDAP backend.
>>
>> Carter, David SIS SB56 ITMOXF POWERGEN wrote:
>>> Installed Samba 3.0.10 via 'pkgadd' on Solaris 2.6 workstation s080
>>> (137.223.31.80) - previously running Samba 2.2.8 which has worked for a
>>> long time.
>>> Samba 3.0.10 smb.conf file - changed to security =DOMAIN  from SERVER at
>>> 2.2.8 version
>>> password server = 137.223.33.45, 137.223.33.72  - these are DCs
>>>  
>>>
>>> # Samba config file created using SWAT
>>> # from 127.0.0.1 (127.0.0.1)
>>> # Date: 2008/02/07 16:05:52
>>>
>>> # Global parameters
>>> [global]
>>> workgroup = WW007
>>> server string = Samba Server ww007
>>> interfaces = 137.223.31.80/255.255.255.0
>>> bind interfaces only = Yes

You might try adding 127.0.0.1
  interfaces = 137.223.31.80/255.255.255.0, 127.0.0.1/24

There are some issues documented in the manual and it seems to help with
any broadcast related issues.

I've started masking to 24 bits because I've had some servers come up
with 127.0.0.2 on occasion.  Might be dual processors, but I've not
pursued it further.

Regards, Doug


Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread Douglas VanLeuven
D G Teed wrote:
> Thanks very much, Douglas.  That did the trick.
> I had not understood what realm represented in a dns
> style domain.
> 
> It is also confusing that one lists a realm section,
> defining it...
> 
> BEER = {
>kdc = ADC1.AD.BEERU.CA
> }

Sorry, missed that one too.  Should be
AD.BEERU.CA = {
kdc = ADC1.AD.BEERU.CA
}

It's just that Kerberos doesn't know anything about workgroups in
windows and so there shouldn't be any workgroup names in krb5.conf,
only DNS names and REALM names.  It worked because samba picked up the
Kerberos kdc from SRV records in DNS.  BEER defines the .BEER realm
which doesn't exist.


> 
> But then when providing the realm name in smb.conf, the
> handle isn't BEER, but rather the subdomain in
> which the AD controller lives.
> 
> Regards,
> 
> --Donald
> 
> On Jan 30, 2008 3:37 PM, Douglas VanLeuven <[EMAIL PROTECTED]> wrote:
>> Douglas VanLeuven wrote:
>>> D G Teed wrote:
>>>> I've been able to use security = ads in smb.conf, and connect OK,
>>>> but it must be falling back to domain.  When I run net ads join
>>>> I get the error (debug trace below):
>>>>
>>>> ads_connect: No logon servers
>>>>
>>>> Here is my krb5.conf:
>>>>
>>>> [logging]
>>>>  default = FILE:/var/log/krb5libs.log
>>>>  kdc = FILE:/var/log/krb5kdc.log
>>>>  admin_server = FILE:/var/log/kadmind.log
>>>> [libdefaults]
>>>>  default_realm = BEER
>>>> [realms]
>>>>  BEER = {
>>>>   kdc = ADC1.AD.BEERU.CA
>>>>  }
>> Missed this on the last post.
>>   default realm = AD.BEERU.CA
>>
>> Doug
>>

Regards, Doug
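The point made in this thread, that Kerberos knows DNS names and realm names but nothing about Windows workgroups, is easy to check mechanically, and a mis-mapped realm is worth catching early because tickets obtained for the wrong realm fail in ways that look like a missing logon server. Here is an added example (not from the list post, MIT Kerberos or the Samba project) that reads the krb5.conf posted in this thread and its corrected form, resolves a host name through [domain_realm] with the documented lookup order, and flags a realm whose name is not a DNS suffix of its own KDC. That last rule is a heuristic for Active Directory, whose realm name is always the DNS domain name in upper case; a KDC may in principle serve a realm named anything, so treat such a finding as a question, not a verdict. The host names and realm names are the ones from the thread.

```python
from typing import Dict, List

# krb5.conf as posted in this thread, apart from whitespace.
KRB5_CONF_AS_POSTED = """
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = BEER
[realms]
 BEER = {
  kdc = ADC1.AD.BEERU.CA
 }
[domain_realm]
 beer.ca = BEER
 .beer.ca = BEER
"""

# The same file with the corrections given in the replies: the realm is the
# AD DNS domain in upper case, not the workgroup name.
KRB5_CONF_CORRECTED = """
[libdefaults]
 default_realm = AD.BEERU.CA
[realms]
 AD.BEERU.CA = {
  kdc = ADC1.AD.BEERU.CA
 }
[domain_realm]
 beer.ca = AD.BEERU.CA
 .beer.ca = AD.BEERU.CA
 www2.beer.ca = AD.BEERU.CA
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Minimal krb5.conf reader: {section: {key: value or {subkey: value}}}.
    Handles 'key = value' lines and one level of 'NAME = { ... }' blocks,
    which is enough for [libdefaults], [realms] and [domain_realm]."""
    sections: Dict[str, dict] = {}
    section = None
    block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1], {})
            block = None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = section.setdefault(key, {})
        elif block is not None:
            block[key] = value
        else:
            section[key] = value
    return sections


def realm_for_host(host: str, domain_realm: Dict[str, str], default_realm: str) -> str:
    """[domain_realm] lookup in the documented order: the exact host name
    first, then each parent domain written with a leading dot, and the
    default realm when nothing matches."""
    mapping = {k.lower(): v for k, v in domain_realm.items()}
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return default_realm


def check_realm_names(conf: Dict[str, dict]) -> List[str]:
    """Heuristic for AD: a realm should be a DNS suffix of its own KDC's host
    name (BEER vs ADC1.AD.BEERU.CA fails this).  Also flags [domain_realm]
    entries that point at a realm missing from [realms]."""
    findings: List[str] = []
    realms = conf.get("realms", {})
    for realm, settings in realms.items():
        if not isinstance(settings, dict):
            continue
        kdc = settings.get("kdc", "").split(":")[0].upper()
        labels = kdc.split(".")
        suffixes = {".".join(labels[i:]) for i in range(1, len(labels))}
        if kdc and realm.upper() not in suffixes:
            findings.append(f"realm {realm} is not a DNS suffix of its kdc {kdc}; "
                            f"an AD realm is the DNS domain in upper case (one of {sorted(suffixes)})")
    for dns_domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"[domain_realm] maps {dns_domain} to realm {realm}, "
                            f"which is not defined in [realms]")
    return findings


def lint_krb5_conf(text: str) -> List[str]:
    return check_realm_names(parse_krb5_conf(text))


if __name__ == "__main__":
    for label, text in (("as posted", KRB5_CONF_AS_POSTED), ("corrected", KRB5_CONF_CORRECTED)):
        conf = parse_krb5_conf(text)
        default = conf["libdefaults"]["default_realm"]
        print(label, "www2.beer.ca ->", realm_for_host("www2.beer.ca", conf["domain_realm"], default))
        for finding in lint_krb5_conf(text) or ["no findings"]:
            print("  ", finding)
```

Note that the posted file is internally consistent (every mapping points at a realm that is defined), which is why only the suffix heuristic catches it; the realm simply does not exist on the KDC, and that is what the SRV lookup Doug mentions was papering over.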


Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread Douglas VanLeuven
Douglas VanLeuven wrote:
> D G Teed wrote:
>> I've been able to use security = ads in smb.conf, and connect OK,
>> but it must be falling back to domain.  When I run net ads join
>> I get the error (debug trace below):
>>
>> ads_connect: No logon servers
>>
>> Here is my krb5.conf:
>>
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>> [libdefaults]
>>  default_realm = BEER
>> [realms]
>>  BEER = {
>>   kdc = ADC1.AD.BEERU.CA
>>  }

Missed this on the last post.
  default realm = AD.BEERU.CA

Doug


Re: [Samba] net ads join : ads_connect: No logon servers

2008-01-30 Thread Douglas VanLeuven
D G Teed wrote:
> I've been able to use security = ads in smb.conf, and connect OK,
> but it must be falling back to domain.  When I run net ads join
> I get the error (debug trace below):
> 
> ads_connect: No logon servers
> 
> Here is my krb5.conf:
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
>  default_realm = BEER
> [realms]
>  BEER = {
>   kdc = ADC1.AD.BEERU.CA
>  }
> [domain_realm]
>  beer.ca = BEER
>  .beer.ca = BEER

This should be a mapping from DNS domain to Kerberos REALM.
Going by the kdc name, what you probably want is:
beer.ca = AD.BEERU.CA
.beer.ca = AD.BEERU.CA
www2.beer.ca = AD.BEERU.CA


> 
> Here is my rpc join status:
> # net rpc testjoin
> Join to 'BEER' is OK
> 
> Here is my attempt to graduate this to ADS levels, with debug:
> 
> # net ads join -Ubeeruser%beeruserpw -d3
> [2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033)
>   lp_load: refreshing parameters
> [2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424)
>   Initialising global parameters
> [2008/01/30 11:06:08, 3] param/params.c:pm_process(572)
>   params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> [2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772)
>   Processing section "[global]"
> [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
>   added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
> [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
>   added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
>   Failed to parse cldap reply
> [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
>   ads_try_connect: CLDAP request 111.111.200.66 failed.
> [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
>   Failed to parse cldap reply
> [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
>   ads_try_connect: CLDAP request 111.111.200.67 failed.
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154)
>   Could not look up dc's for domain BEER
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
>   get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286)
>   ads_connect: No logon servers
> [2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470)
>   error on ads_startup: No logon servers
> Failed to join domain: No logon servers
> [2008/01/30 11:06:08, 2] utils/net.c:main(1032)
>   return code = -1
> 
> Can this user achieve such a goal?
> 
> Here is beeruser's rights via rpc:
> net rpc rights list -Ubeeruser
> Password:
>  SeMachineAccountPrivilege  Add machines to domain
>   SeTakeOwnershipPrivilege  Take ownership of files or other objects
>  SeBackupPrivilege  Back up files and directories
> SeRestorePrivilege  Restore files and directories
>  SeRemoteShutdownPrivilege  Force shutdown from a remote system
>   SePrintOperatorPrivilege  Manage printers
>SeAddUsersPrivilege  Add users and groups to the domain
>SeDiskOperatorPrivilege  Manage disk shares
> 
> I've had various toggles done to my smb.conf, but here is what the
> global section
> of smb.conf looks like at the moment, following the hints of someone else who
> solved this on the list...
> 
> [global]
> netbios name = www2
> workgroup = BEER
> unix charset = LOCALE
> realm = BEER

Same here.
   realm = AD.BEERU.CA

> server string = Web Server
> security = ADS
> password server = 111.111.200.67
> idmap backend = rid:BEER=5000-1
> idmap uid = 1-1000
> idmap gid = 1-1000
> template shell = /bin/bash
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> allow trusted domains = No
> log level = 3
> log file = /var/log/samba/%m.log
> max log size = 50
> dns proxy = No
> winbind use default domain = Yes
> hosts allow = 111.111.
> encrypt passwords = yes
> 
> I had great results with the last question I put on the list.  I hope
> someone can help us graduate to ads with kerberos level authentication.
> 
> It feels like there is something missing on the AD end, but I know
> nothing about this
> other than that it is Windows Server 2003 and it has been in production for
> awhile with good performance.
> 

There may be something 

Re: [Samba] file differences when copying files to linux, using samba

2008-01-27 Thread Douglas VanLeuven
jeffunit wrote:
> 
>> >> Have you tried copying the file over with "cp" from
>> >> windows to your server? (cp from 'cygwin')?
>> >
>> > No, but I will try that today.
>> >
>> >> Have you tried comparing some of the differing files and
>> >> looking for a pattern?
>> >
>> > Yes. I wrote a modified version of cmp that tries to list all byte
>> > differences.
>> > I was looking at an iso image of some linux distribution.
>> > There were three bytes that differed, and if I recall correctly,
>> > they were all one bit differences.
>> >
>> Hi,
>> I would think one bit differences should be picked up by the TCP
>> transport layer.
>>
>> You probably have Rx checksum offload on the receiving box.  You could
>> try turning that off and recopying to see if the error persists.  Could
>> be a bad card.
> 
> How do I turn rx checksums off under linux?  This is an intel pro1000 ct.
> I am happy to try it.
> The gigabit ethernet is on-board, but I have several spare gigabit nics
> available.

If eth0 is the name:
   ethtool -K eth0 rx off

I got good service out of these settings in modprobe.conf (one line)
options e1000 RxDescriptors=1024 TxDescriptors=1024
InterruptThrottleRate=1

I have lots of memory, so I upped the buffers, probably overkill.
Default is 256
InterruptThrottleRate defaults to 3 (dynamic conservative) and I changed
it to 1 (dynamic).

see /usr/src//Documentation/networking/e1000.txt

Along with larger buffers in smb.conf, I regularly hit my hard disk
limits on gigabyte. And bit error free.  I never did it your way, but I
have run tripwire with checksums and after disaster recovery, haven't
had any issues or noticed any discrepancies with entire drives going
across the wires.

> 
>> Seems unlikely the Tx sender could send an incorrect checksum unless the
>> buffer memory flipped a bit before checksum computation which seems
>> ruled out by the ECC.  Still, I'm a believer in memtest.
> 
> I ran memtest-86+ through about 5 iterations, and there were no problems.
> 
> thanks,
> jeff

Good luck (whatever it is), Doug


Re: [Samba] file differences when copying files to linux, using samba

2008-01-27 Thread Douglas VanLeuven
jeffunit wrote:
> At 01:03 AM 1/27/2008, Linda W wrote:
>> jeffunit wrote:
>>> I ran my python program locally on the linux system, and it reported
>>> that roughly
>>> 100 md5sums for files differed.
>>
>>> Any ideas how to track down this problem
>> ---
>> Could it be a code-page conversion issue?
> 
> I am not sure, but I think that involves translating language encoding
> from one form to another. I hope that neither samba nor windows explorer
> does that silently.
> 
>> Have you tried copying the file over with "cp" from
>> windows to your server? (cp from 'cygwin')?
> 
> No, but I will try that today.
> 
>> Have you tried comparing some of the differing files and
>> looking for a pattern?
> 
> Yes. I wrote a modified version of cmp that tries to list all byte
> differences.
> I was looking at an iso image of some linux distribution.
> There were three bytes that differed, and if I recall correctly,
> they were all one bit differences.
> 
Hi,
I would think one bit differences should be picked up by the TCP
transport layer.

You probably have Rx checksum offload on the receiving box.  You could
try turning that off and recopying to see if the error persists.  Could
be a bad card.

Seems unlikely the Tx sender could send an incorrect checksum unless the
buffer memory flipped a bit before checksum computation which seems
ruled out by the ECC.  Still, I'm a believer in memtest.

Regards, Doug
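The checks discussed in this thread (an md5sum sweep that finds the files whose copy differs, a byte-by-byte listing that also counts the flipped bits, and turning off Rx checksum offload on the receiving box), as an added POSIX shell example that is not code from this thread or from Samba. Directory and file names are whatever you pass in; the sample files in the usage note are constructed, and the ethtool step needs root and a real interface.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba.
#  md5_mismatches  - sweep: list files whose copy has a different md5sum
#  bit_diffs       - what a "modified cmp" that lists every differing byte
#                    amounts to, plus the number of bits flipped per byte
#  differing_bytes / bits_changed - totals over a file pair
#  rx_checksum_offload_off - the knob suggested above (root, real NIC)

# md5_mismatches SRC_DIR COPY_DIR
# Prints every regular file under SRC_DIR whose md5sum differs from, or is
# missing at, the same relative path under COPY_DIR.
md5_mismatches() {
    src=$1; dst=$2
    (cd "$src" && find . -type f | sort) | while read -r f; do
        ha=$(md5sum < "$src/$f" | cut -d' ' -f1)
        if [ -f "$dst/$f" ]; then
            hb=$(md5sum < "$dst/$f" | cut -d' ' -f1)
        else
            hb=missing
        fi
        [ "$ha" = "$hb" ] || printf '%s\n' "$f"
    done
}

# bit_diffs FILE_A FILE_B
# One line per differing byte: "offset octal_a octal_b bits_changed".
# Offsets are 1-based and byte values octal, exactly as cmp -l prints them.
# A length mismatch goes to cmp's stderr (suppressed here) and is not counted.
bit_diffs() {
    cmp -l "$1" "$2" 2>/dev/null | while read -r off a b; do
        # cmp -l prints octal; a leading 0 makes printf %d parse it as octal
        x=$(( $(printf '%d' "0$a") ^ $(printf '%d' "0$b") ))
        n=0
        while [ "$x" -ne 0 ]; do        # popcount of the XOR
            n=$(( n + (x & 1) ))
            x=$(( x >> 1 ))
        done
        printf '%s %s %s %d\n' "$off" "$a" "$b" "$n"
    done
}

# differing_bytes FILE_A FILE_B -> number of bytes that differ
differing_bytes() {
    bit_diffs "$1" "$2" | wc -l | tr -d ' '
}

# bits_changed FILE_A FILE_B -> total number of flipped bits
bits_changed() {
    total=0
    for n in $(bit_diffs "$1" "$2" | cut -d' ' -f4); do
        total=$(( total + n ))
    done
    echo "$total"
}

# rx_checksum_offload_off IFACE
# Makes the kernel verify TCP/IP checksums itself instead of trusting the
# card; "ethtool -k IFACE" shows the offload state. Needs root.
rx_checksum_offload_off() {
    ethtool -K "$1" rx off && ethtool -k "$1" | grep -i 'rx-checksum'
}

# Stand-alone use: sweep two directory trees given on the command line.
if [ "$#" -eq 2 ] && [ -d "$1" ] && [ -d "$2" ]; then
    md5_mismatches "$1" "$2"
fi
```

With two constructed files `hello world` and `helln Worle` (three single-bit flips, mirroring the three bytes reported above), `bit_diffs` prints `5 157 156 1` as its first line and `bits_changed` returns 3; run `md5_mismatches` first to find the files worth comparing, then `bit_diffs` on each pair. Re-copy after `rx_checksum_offload_off eth0` (replace the interface name) to see whether the differences persist once the kernel, not the card, checks the incoming segments.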



Re: [Samba] Hide Home Share for a single user

2008-01-24 Thread Douglas VanLeuven
Nelson Vale wrote:
> Hi again,
> 
> 
>> How do you mean hide?  So that they can't browse it, or so that they
>> cannot see the 'homes' service?
> 
> What I want is to just hide (well what I'd really wanted was to disable it 
> but I don't know if it is possible), the Home Share for one particular user, 
> i.e. don't show it when the user browses the available shares.
> 
> The user is not allowed to connect to the share anyway.
> 
>> And do you mean hide from everyone 
>> else, or hide from that user themselves?
> 
> The other users have no access to it.
>

Try the option
   invalid users = joe

I think the user would still see it when browsing, but couldn't connect.
That might be a compromise you could accept.

Regards, Doug


Re: [Samba] Retry: Mapping AD domain users to UNIX users

2008-01-23 Thread Douglas VanLeuven
[EMAIL PROTECTED] wrote:
> That looks hopeful. However, we are using 3.0.23b (binaries downloaded from 
> samba.org, not SunFreeware as I previously said). I hesitate to try compiling 
> a more recent version as I've not managed to compile successfully so far!
> 
I forget when the option started.
You can check your distribution by running "smbd -b|grep idmap_nss".  If
your distribution includes it, it should show up.

Regards, Doug