Re: [Samba] Parameter "idmap backend" is deprecated ???
Volker Lendecke wrote:
> On Tue, Aug 12, 2008 at 12:23:18AM +0200, Andreas Ladanyi wrote:
>> why is this parameter deprecated ? I have to set this parameter if i want to get my user/group information from Active Directory with SFU AD schemata extension. Is there a new parameter instead of "idmap backend" ???
>
> It will come back in 3.3 :-)

In the meantime, use idmap config, something like this:

    winbind nss info = sfu
    idmap domains = DOMAINNAME
    idmap config DOMAINNAME:readonly = yes
    idmap config DOMAINNAME:default = yes
    idmap config DOMAINNAME:backend = ad
    idmap config DOMAINNAME:range = 500 - 2
    idmap config DOMAINNAME:schema_mode = sfu
    idmap alloc backend = tdb
    idmap alloc config:range = 5-50999

Doug

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] How to get AD computer name by winbind
wilson kwok wrote:
> Hello, I'm trying migration from AD 2003 to Samba + LDAP using winbind, but I don't know how to use getent command to get AD 2003 computer name information. I tried to use man getent but that does not have related information. Could anyone tell me how to do that ?

    getent passwd|grep \\$:

All the machine names end with $ in field 1

Doug
Re: [Samba] unable to map windows to unix groups
[EMAIL PROTECTED] wrote:
> As I said, I did a fresh install of opensuse 10.3, samba, ldap. During the process, I filled the ldap database directly with an ldif file built using smbldap tools. (one item in that file -->
>
>     dn: cn=Domain Admins,ou=Groups,dc=ldap_hathor,dc=nwk
>     objectClass: top
>     objectClass: posixGroup
>     objectClass: sambaGroupMapping
>     gidNumber: 512
>     cn: Domain Admins
>     memberUid: root
>     sambaSID: S-1-5-21-3134345319-2430187646-2919245149-512
>     sambaGroupType: 2
>     displayName: Domain Admins
>     description: Netbios Domain Administrators
>     #sambaPrimaryGroupSID: SID of the user group (512 = Admins group)
>     #description: Netbios Domain Administrators
>
> )
> So you mean by doing this it is not necessary to map the native existing unix group "ntadmin" (gid 71) with "Domain Admins" ? (ntadmin appears in /etc/group and "Domain Admins" not)

When you do getent group you're getting what's in the local /etc/group and what's defined in the ldap group membership. See gidNumber above. Using /etc/nsswitch.conf to define ldap lookups extends the /etc/passwd and /etc/group membership so passwd and group uid/gid's can be defined system wide and used by any unix machine.

So yes. Users belonging to group 512 are "Domain Admins". You need to add users to this group when you want them to have related security privileges. You should be able to chgrp 512 filename and have it show as "Domain Admins" when you ls the directory.

I haven't used the smbldap tools package, but it looks like the most common windows groups have already been defined for you. All you need to do is avoid using the ldap passwd & group uid/gids in the local files. Yast tools will probably not allow you to generate duplicates.

And yes, you only need to map groups when the unix name doesn't match the windows name and you don't want samba to create the account on the fly using whatever idmap backend you pick. Your idmap backend should probably be idmap_ldap and accounts generated then become available system wide using the same uid/gid's and network file sharing offers the same membership security regardless of client machine access.

This is probably in a FAQ somewhere where the answer would be more structured. I use the following to resolve my issues:
http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://us6.samba.org/samba/docs/man/Samba-Guide/

Since samba is evolving almost daily, sometimes the Howto syntax has been modified in the current manifestation of the command. Always refer to the current command documentation to resolve any discrepancies.

Doug

> Reading the samba documentation was not very clear for me.
> jcdole
>
> Selon Douglas VanLeuven <[EMAIL PROTECTED]>:
>> It looks like you already have an existing unix group called "Domain Admins" being pulled in from ldap. When that is true, there is no need for groupmap and indeed it would appear it is illegal to map a windows group that matches an existing unix group to another unix group.
>>
>> Doug
>>
>> [EMAIL PROTECTED] wrote:
>>> Hello. After fresh install. Samba and ldap seem to run normally ( I can join win2k workstation to linux samba pdc ).
>>> Using yast I create a system group named domadmin
>>> But I am unable to map "Domain Admins" to domadmin
>>> I am unable to map "Domain Admins" to existing ntadmin group
>>> I am unable to modify mapping "Domain Admins" to domadmin group
>>> Thank you for helping.
>>>
>>> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=domadmin rid=512 type=d
>>> adding entry for group Domain Admins failed!
>>> LINUX-SRV: #
>>> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512 type=d
>>> adding entry for group Domain Admins failed!
>>> LINUX-SRV: #
>>> LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
>>> Can't map to an unknown group type.
>>> LINUX-SRV: #
>>> LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin type=d
>>> Could not update group database
>>> LINUX-SRV: #
>>> LINUX-SRV:~ net groupmap list
>>> request done: ld 0x55c881e0 msgid 1
>>> request done: ld 0x55c881e0 msgid 2
>>> Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
>>> request done: ld 0x55c881e0 msgid 3
>>> Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
>>> request done: ld 0x55c881e0 msgid 4
>>> Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain Guests
>>> request done: ld 0x55c881e0 msgid 5
>>> Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain Computers
>>> request done: ld 0x55c881e0 msgid 6
>>> Administrators (S-1-5-32-544) -> Administrators
>>> request done: ld 0x55c881e0 msgid 7
>>> Account Operators (S-1-5-32-548) -> Account Operators
>>> request done: ld 0x55c881e0 msgid 8
>>> Print Operators (S-1-5-32-550) -> Print Operators
>>> request done: l
Re: [Samba] unable to map windows to unix groups
[EMAIL PROTECTED] wrote:
> Hello. After fresh install. Samba and ldap seem to run normally ( I can join win2k workstation to linux samba pdc ).
> Using yast I create a system group named domadmin
> But I am unable to map "Domain Admins" to domadmin
> I am unable to map "Domain Admins" to existing ntadmin group
> I am unable to modify mapping "Domain Admins" to domadmin group
> Thank you for helping.
>
> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=domadmin rid=512 type=d
> adding entry for group Domain Admins failed!
> LINUX-SRV: #
> LINUX-SRV: # net groupmap add ntgroup="Domain Admins" unixgroup=ntadmin rid=512 type=d
> adding entry for group Domain Admins failed!
> LINUX-SRV: #
> LINUX-SRV: # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin
> Can't map to an unknown group type.
> LINUX-SRV: #
> LINUX-SRV:~ # net groupmap modify ntgroup="Domain Admins" unixgroup=domadmin type=d
> Could not update group database
> LINUX-SRV: #
> LINUX-SRV:~ net groupmap list
> request done: ld 0x55c881e0 msgid 1
> request done: ld 0x55c881e0 msgid 2
> Domain Admins (S-1-5-21-3134345319-2430187646-2919245149-512) -> Domain Admins
> request done: ld 0x55c881e0 msgid 3
> Domain Users (S-1-5-21-3134345319-2430187646-2919245149-513) -> Domain Users
> request done: ld 0x55c881e0 msgid 4
> Domain Guests (S-1-5-21-3134345319-2430187646-2919245149-514) -> Domain Guests
> request done: ld 0x55c881e0 msgid 5
> Domain Computers (S-1-5-21-3134345319-2430187646-2919245149-515) -> Domain Computers
> request done: ld 0x55c881e0 msgid 6
> Administrators (S-1-5-32-544) -> Administrators
> request done: ld 0x55c881e0 msgid 7
> Account Operators (S-1-5-32-548) -> Account Operators
> request done: ld 0x55c881e0 msgid 8
> Print Operators (S-1-5-32-550) -> Print Operators
> request done: ld 0x55c881e0 msgid 9
> Backup Operators (S-1-5-32-551) -> Backup Operators
> request done: ld 0x55c881e0 msgid 10
> Replicators (S-1-5-32-552) -> Replicators
> request done: ld 0x55c881e0 msgid 11
> Users (S-1-5-32-545) -> 15000
> LINUX-SRV: #
> LINUX-SRV: # getent group
> at:!:25:
> ..
> ..
> domadmin:x:114:
> root:x:0:
> ...
> ..
> users:x:100:
> +::0:
> request done: ld 0x618d10 msgid 1
> Domain Admins:*:512:root,user_admin
> Domain Users:*:513:
> Domain Guests:*:514:
> Domain Computers:*:515:
> Administrators:*:544:
> Account Operators:*:548:
> Print Operators:*:550:
> Backup Operators:*:551:
> Replicators:*:552:
> request done: ld 0x618d10 msgid 2

It looks like you already have an existing unix group called "Domain Admins" being pulled in from ldap. When that is true, there is no need for groupmap and indeed it would appear it is illegal to map a windows group that matches an existing unix group to another unix group.

Doug
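The diagnosis in this thread comes from reading `net groupmap list` side by side with `getent group`: a Windows group whose name already resolves to a unix group via NSS needs no groupmap entry, and trying to point it at a different unix group fails. The script below makes that comparison mechanical. It is an added example, not code from the thread or from the Samba project; the listings it parses are constructed samples modelled on the output above (made-up domain SID S-1-5-21-1-2-3 and made-up unix group names), and the status names are this script's own vocabulary.

```python
import re

# One line of "net groupmap list": "<NT group> (<SID>) -> <unix group or gid>".
GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[0-9-]+)\) -> (?P<unix>.+)$")

# Constructed sample output modelled on the thread's listings; the domain SID
# and the unix group names are made up, not copied from any real server.
GROUPMAP_LIST = """\
request done: ld 0x1234 msgid 1
Domain Admins (S-1-5-21-1-2-3-512) -> Domain Admins
Domain Users (S-1-5-21-1-2-3-513) -> Domain Users
Domain Guests (S-1-5-21-1-2-3-514) -> domadmin
Print Operators (S-1-5-32-550) -> domadmin
Backup Operators (S-1-5-32-551) -> 114
Users (S-1-5-32-545) -> 15000
Power Users (S-1-5-32-547) -> powerusers
"""

GETENT_GROUP = """\
root:x:0:
domadmin:x:114:
users:x:100:
+::0:
request done: ld 0x1234 msgid 1
Domain Admins:*:512:root,user_admin
Domain Users:*:513:
Domain Guests:*:514:
"""


def parse_getent_group(text):
    """Map unix group name -> (gid, members) from `getent group` output.

    Skips nsswitch compat lines ('+...'), LDAP debug chatter such as
    'request done: ...' and anything without a numeric gid field."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("+"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        members = [m for m in fields[3].split(",") if m] if len(fields) > 3 else []
        groups[fields[0]] = (int(fields[2]), members)
    return groups


def parse_groupmap_list(text):
    """List of (nt_group, sid, unix_target) from `net groupmap list` output."""
    out = []
    for line in text.splitlines():
        m = GROUPMAP_RE.match(line.strip())
        if m:
            out.append((m["nt"], m["sid"], m["unix"].strip()))
    return out


def check_mappings(groupmap_text, getent_text):
    """Classify every Windows group mapping against the unix groups NSS sees.

    same-name          a unix group with the NT group's own name exists: no
                       groupmap entry is needed (the thread's situation)
    conflict           such a group exists but the mapping points elsewhere,
                       which is the case the thread reports as refused
    mapped             target is an existing unix group with another name
    gid-ok             target is a numeric gid that resolves to a unix group
    gid-unresolved     target is a numeric gid no unix group carries
    unix-group-missing target names a unix group NSS cannot find
    """
    groups = parse_getent_group(getent_text)
    by_gid = {gid: name for name, (gid, _) in groups.items()}
    report = {}
    for nt, sid, unix in parse_groupmap_list(groupmap_text):
        rid = int(sid.rsplit("-", 1)[1])
        if nt in groups:
            status = "same-name" if unix == nt else "conflict"
        elif unix.isdigit():
            status = "gid-ok" if int(unix) in by_gid else "gid-unresolved"
        elif unix in groups:
            status = "mapped"
        else:
            status = "unix-group-missing"
        report[nt] = {"rid": rid, "unix": unix, "status": status}
    return report


if __name__ == "__main__":
    for nt, info in check_mappings(GROUPMAP_LIST, GETENT_GROUP).items():
        print(f"{nt:18} rid={info['rid']:<4} -> {info['unix']:14} {info['status']}")
```

On a live system the two inputs would come from `net groupmap list` and `getent group` (run as root, with nscd stopped so the cache does not mask an LDAP change); anything reported as conflict or gid-unresolved is a group whose members will not get the unix permissions the Windows side expects.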
Re: [Samba] Problems with Samba (idmap_ad/sfu) on AIX
Heikki Manninen wrote:
> I'm unable to use idmap_ad and sfu nss info with Samba on AIX. The configuration as it is works on a Linux build.
>
>     workgroup = DOMAIN
>     realm = DOMAIN.TLD
>     server string = SERVER
>     security = ADS
>     idmap domains = DOMAIN
>     idmap config DOMAIN:default = yes
>     idmap config DOMAIN:backend = ad
>     idmap config DOMAIN:range = 1000 - 6
>     idmap config DOMAIN:readonly = yes
>     idmap config DOMAIN:schema_mode = sfu
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind nested groups = yes
>     winbind use default domain = yes
>     winbind nss info = sfu
>     map to guest = bad uid

That all looks good.

> When run with statically built idmap_ad I get this in the log when trying to map user info (wbinfo -i):
>
>     Error loading module '/opt/pware/samba/3.0.28/lib/nss_info/sfu.so': Could not load module /opt/pware/samba/3.0.28/lib/nss_info/sfu.so.

Last I knew, this module can't be statically compiled.

> And when I build a version with shared idmap_ad (and sfu.so -> idmap_ad.so), it gets back to this:
>
>     lib/module.c:do_smb_load_module(49)
>       Error loading module '/usr/local/samba/lib/nss_info/sfu.so': rtld: 0712-001 Symbol _talloc_zero_zeronull was referenced from module /usr/local/samba/lib/nss_info/sfu.so(), but a runtime definition of the symbol was not found.
>     lib/module.c:do_smb_load_module(49)
>       Error loading module '/usr/local/samba/lib/idmap/ad.so': rtld: 0712-001 Symbol _talloc_zero_zeronull was referenced from module /usr/local/samba/lib/idmap/ad.so(), but a runtime definition of the symbol was not found.

Either the linker options need assistance or you need to add some libraries to the run time library path LIBPATH if my memory serves. I haven't done AIX for a while. You might have more success on samba-technical getting a response. If you post over there, don't forget to include the version of AIX and which compiler you're using, native or gnu. Also the version of samba.

Regards, Doug
Re: [Samba] Still get error 13 when mounting w2k3 share
Tosh, Michael J wrote:
> # BACKGROUND #
> I still cannot do basic share mapping between Samba 3.0.28 and a Windows 2003 AD Domain controller. When using mount.cifs, I get a permission denied error 13. I have run it as root and as my own user account. From a windows workstation on a different domain, I can log on fine.

Try adding the sec= option on the command line, trying a couple different modes. I can use ntlm, ntlmi, and ntlmv2. Maybe something other than the defaults will work for you. You also need to know what level of security your w2k3 is enforcing through group policy. Enforced signing and ntlmv2 only have caused some people difficulties in the past.

I'd try /sbin/mount.cifs directly and specifying the user and password on the command line at least to test. Try using the IP number of the remote host. The domain name must be in uppercase, workgroup NAME or realm style MY.REALM.COM.

Regards, Doug
Re: [Samba] samba3.0.22 - "net setlocalsid" with no effect
Friedrich Strohmaier wrote:
> Hi all,
> Really no one with a clue, what steps I could go??

I can't tell what you're trying to do from what you've described. It looks like you set the local machine sid and it worked. The local machine sid will be different than the domain sid. A profile based on the local machine sid won't be a roaming profile, it will be a local profile.

> Friedrich Strohmaier schrieb:
> [..]
>> root# net setlocalsid SID_WANTED
>> root#
>> root# net getlocalsid
>> SID for domain DOMAIN is: SID_WANTED
>>
>> Result: Client with Roamingprofile based on SID_WANTED is not able to connect to DOMAIN but has access to shares. OOOoops!

If the local user name and password are the same as the domain name and password, depending on the security model, it's an old trick to allow access to shares in a workgroup without being a domain member. Which is sort of what you describe.

>> More Tests found here:
>> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#netmisc1
>>
>> root# net rpc info
>> Domain Name: DOMAIN
>> Domain SID: SID_NOT_WANTED
>> Sequence number: 1206493306
>> Num users: 37
>> Num domain groups: 0
>> Num local groups: 0

I would think zero groups with 37 users is a hint to a problem.

Regards, Doug
Re: [Samba] Get logged on username (several sessions on the same machine)
Michael Heydon wrote:
> Kurthermal wrote:
>> But the machine has been rebooted and another user has opened a session on it, but 'net status session' or 'net session' continue to claim that there are 2 users logged on the same machine. It isn't always the case, I think it can be due for example to a reset of the machine so windows didn't close cleanly the network resources.
>>
>> Is there a way to get samba close all connections from a machine if another user try to open a new network resource from that machine ?
>
> reset on zero vc
>
> I'm not sure what would happen in cases where you legitimately have multiple users on a single machine (term servers, someone using "run as", services accessing shares) but in the case of a single user PC it should do what you want.

That one snuck by me. No it doesn't affect remote desktop use, but then it just doesn't seem to do anything at all. At least with an XP box talking to samba. When I pulled the network cable while a file was open, logged off, logged on as another user and reconnected, it didn't kill the previous session either and the file is still locked, which was the original justification on technical - snaffu sessions across vpn.

I once filed a report on a related issue - logging off and back on rapidly would allow the new user to see the home share of the previously logged on user though not browse it. Same basic reasoning it was closed out was multi-user systems make it happen that way. In some of the environments I worked in, it was perceived as a flaw and I debated that and lost.

I do a lot of vpn and got excited it might work. It might with a different scenario. I just logged on, browsed, and logged off as the original user. Darn file is still locked.

Regards, Doug
Re: [Samba] Get logged on username (several sessions on the same machine)
Kurthermal wrote:
> But the machine has been rebooted and another user has opened a session on it, but 'net status session' or 'net session' continue to claim that there are 2 users logged on the same machine. It isn't always the case, I think it can be due for example to a reset of the machine so windows didn't close cleanly the network resources.

I'm sorry I wasn't clear enough. I wasn't attempting to explain your circumstance. I was trying to state a general design principle using a kind of Socratic method.

Windows workstations are notorious for not bothering to signal goodbye. There are MS KB articles about fine tuning Windows servers to avoid exhausting resources because the workstations are like that. It's not a samba issue, it's a windows issue. I only tried to explain why it is the way it is because you used the bug word.

There has been a samba option for forever (since at least 1.x or beta)

    deadtime =

just so the sessions don't hang around forever. I never tried setting it to 1 min., but you could experiment. But it doesn't work if an application forgets to close a file or release a lock..

I never tried it, but it should be possible to script something with the "root preexec" if this is really an issue for you. But be warned - there are legitimate reasons multiple users can be logged on to a samba machine at the same time. For example. My wife is logged on a windows machine. I connect with remote desktop.

    Samba version 3.0.28-0.1.95-1624-SUSE-SL10.3
    PID     Username        Group     Machine
    -------------------------------------------------------------------
    7207    ranger1$        machine   192.168.202.35 (192.168.202.35)
    7207    FOREST\doug     users     192.168.202.35 (192.168.202.35)
    7339    FOREST\cindy    users     192.168.202.35 (192.168.202.35)
    7207    FOREST\cindy    users     192.168.202.35 (192.168.202.35)
    7339    ranger1$        machine   192.168.202.35 (192.168.202.35)

There's nothing I know of to readily distinguish your circumstance from this circumstance other than quiescence on the connection for a period of time.

Doug

> Is there a way to get samba close all connections from a machine if another user try to open a new network resource from that machine ?
>
> Or is there another way to get the currently active session on a PDC client ?
>
> Douglas VanLeuven wrote :
>> Kurthermal wrote:
>>> Am I the only one to have noticed this behaviour ?
>>> Do I have to report a bug or so ?
>>> Where can I get some answers ?
>>
>> If a service was running as a prior user and needed network resources from the samba server in addition to the currently logged on user, wouldn't it be wrong to make the assumption those resources should no longer be available?
>>
>> It only takes one exception to break a general case.
>>
>> Regards, Doug
Re: [Samba] net join fails NT_STATUS_INVALID_COMPUTER_NAME
Lothar Belle wrote:
> We want to join our Linux-Server:
> SLES 10 SP1 x86 with Samba (samba-client-3.0.24-2.23)
> to our W2000 Domain.
>
> krb5.conf
> [libdefaults]
>     default_realm = TQ-NET.DE
>     clockskew = 300
> [realms]
>     TQ-NET.DE = {
>         kdc = TQ-DC-1.TQ-NET.DE
>         default_domain = TQG

    default_domain = tq-net.de

The domain here is the DNS domain.

>         admin_server = TQ-DC-1.TQ-NET.DE
>     }
> [domain_realm]
>     .tq-net.DE = TQ-NET.DE
> [appdefaults]
>     pam = {
>         ticket_lifetime = 1d
>         renew_lifetime = 1d
>         forwardable = true
>         proxiable = true
>         retain_after_close = true
>         minimum_uid = 0
>         try_first_pass = true
>         debug = false
>     }
> krb5.conf
>
> kerberos works fine.

That's all that I noticed.

Regards, Doug
Re: [Samba] Get logged on username (several sessions on the same machine)
Kurthermal wrote:
> Am I the only one to have noticed this behaviour ?
> Do I have to report a bug or so ?
> Where can I get some answers ?

If a service was running as a prior user and needed network resources from the samba server in addition to the currently logged on user, wouldn't it be wrong to make the assumption those resources should no longer be available?

It only takes one exception to break a general case.

Regards, Doug
Re: [Samba] Problem with ADS idmap backend
David Eisner wrote:
> On Mon, Mar 10, 2008 at 7:54 PM, Douglas VanLeuven <[EMAIL PROTECTED]> wrote:
>> Try adding to global section:
>>     winbind nss info = sfu
>>
>> Right now you're defaulting to "template".
>
> Thanks for the tip. Unfortunately, after making the change and restarting winbindd, the problem persists. Are there any .tdb files I need to delete?

My winbind reinitializes to version 1 and clears its cache on restart. If you're running nscd, you have to restart that as well.

There's a pdf I refer to
http://www.samba.org/~idra/samba3_newidmap.pdf
Simo wrote that up. The only thing I picked up from that paper is to add an allocation range for samba's BUILTIN users and groups.

    idmap alloc backend = tdb
    idmap alloc config:range = 5-50999

If you do that, you end up with a file called idmap_cache.tdb that would have to be cleared manually.

I took a good look at the differences between our files and I'm not using

    winbind use default domain = yes
    winbind nested groups = yes

but I wouldn't think that would make a difference. The configuration looks good.

I use opensuse and nsswitch.conf is

    passwd: compat winbind
    group: files winbind

It installed that way and I never changed it even though there is no shadow entry. From what I've read, any shadow entry shouldn't have winbind on it.

I thought the win 2k3 R2 server used the rfc2307 schema out of the box. But if you were able to install SFU and modify the schema and the ldap entries exist in the ad, it shouldn't have any effect.

Still, if all else fails - from source/nsswitch/idmap_ad.c in function idmap_ad_init(void) each method is checked in turn: rfc2307, sfu, and sfu20. Once the status is OK, the remaining checks are skipped. If rfc2307 is initializing OK ... Don't have a w2k3 R2 to experiment. If I did, I'd put the sfu check ahead of the rfc2307 check, recompile and see if it made a difference. Probably just a foolish thought, though. In case you don't have the source, I've included the function for you.

Regards, Doug

    /* The SFU and RFC2307 NSS plugins share everything but the init
       function which sets the intended schema model to use */

    /**********************************************************************
     Initialize the plugins
     **********************************************************************/

    NTSTATUS idmap_ad_init(void)
    {
        static NTSTATUS status_idmap_ad = NT_STATUS_UNSUCCESSFUL;
        static NTSTATUS status_nss_rfc2307 = NT_STATUS_UNSUCCESSFUL;
        static NTSTATUS status_nss_sfu = NT_STATUS_UNSUCCESSFUL;
        static NTSTATUS status_nss_sfu20 = NT_STATUS_UNSUCCESSFUL;

        /* Always register the AD method first in order to get the
           idmap_domain interface called */

        if ( !NT_STATUS_IS_OK(status_idmap_ad) ) {
            status_idmap_ad = smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION,
                                                 "ad", &ad_methods);
            if ( !NT_STATUS_IS_OK(status_idmap_ad) )
                return status_idmap_ad;
        }

        if ( !NT_STATUS_IS_OK( status_nss_rfc2307 ) ) {
            status_nss_rfc2307 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
                                                        "rfc2307", &nss_rfc2307_methods );
            if ( !NT_STATUS_IS_OK(status_nss_rfc2307) )
                return status_nss_rfc2307;
        }

        if ( !NT_STATUS_IS_OK( status_nss_sfu ) ) {
            status_nss_sfu = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
                                                    "sfu", &nss_sfu_methods );
            if ( !NT_STATUS_IS_OK(status_nss_sfu) )
                return status_nss_sfu;
        }

        if ( !NT_STATUS_IS_OK( status_nss_sfu20 ) ) {
            status_nss_sfu20 = smb_register_idmap_nss(SMB_NSS_INFO_INTERFACE_VERSION,
                                                      "sfu20", &nss_sfu20_methods );
            if ( !NT_STATUS_IS_OK(status_nss_sfu20) )
                return status_nss_sfu20;
        }

        return NT_STATUS_OK;
    }
Re: [Samba] Problem with ADS idmap backend
David Eisner wrote:
> I'm running Samba 3.0.28a on a CentOS 3.9 box as a member of an AD domain whose PDC is a W2k3 server (Standard x64 R2 SP2).
>
> Using wbinfo -u and wbinfo -g I can see domain users and groups from the CentOS box, but getent (passwd|group) fails to display them. The nsswitch is setup correctly, as far as I can tell. When I tail -f the samba log file during a getent query, I see that winbindd is having problems mapping the sid to the uid or gid ("sid2uid returned an error").
>
> Furthermore, wbinfo -n can find the SID for a user or group, but it can't perform the inverse mapping.
>
> In the following example, 'deisner' and 'unixusers' are a domain user and group, respectively.
>
> From the CentOS box (with intentional SID obfuscation):
>
>     $ wbinfo -u |grep deisner
>     deisner
>     $ wbinfo -n deisner
>     S-1-5-21-**6 User (1)
>     $ wbinfo -S S-1-5-21-**6
>     Could not convert sid S-1-5-21-**6 to uid
>     $ wbinfo -g |grep unixusers
>     unixusers
>     $ wbinfo -n unixusers
>     S-1-5-21-**8 Domain Group (2)
>     $ wbinfo -Y S-1-5-21-**8
>     Could not convert sid S-1-5-21-**8 to gid
>
> In the log file, I see this:
>
>     [2008/03/10 18:37:58, 10] nsswitch/winbindd_cache.c:cache_retrieve_response(2300)
>       Retrieving response for pid 6274
>     [2008/03/10 18:37:58, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
>       sid2gid returned an error
>     [2008/03/10 18:37:58, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
>       Could not convert sid S-1-5-21-*8
>
> I'm using the SFU schema. In AD I have uids and gids assigned to the user and group, in the Unix Attributes tab, with values in the range I've specified for the idmap range. Here is my smb.conf:
>
>     [global]
>         workgroup = THEDOMAIN
>         server string = Centos Samba Server
>         hosts allow = xxx.y. xxx.y. 127.   # obfuscated
>         printcap name = CUPS
>         load printers = yes
>         cups options = raw
>         log file = /usr/local/samba/var/log.smbd
>         security = ads
>         encrypt passwords = yes
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         dns proxy = no
>         unix charset = LOCALE
>         netbios name = LDAP
>         realm = THEDOMAIN.FOO.ORG
>         use kerberos keytab = Yes
>         idmap domains = THEDOMAIN
>         idmap config THEDOMAIN:backend = ad
>         idmap config THEDOMAIN:default = yes
>         idmap config THEDOMAIN:schema_mode = sfu
>         idmap config THEDOMAIN:range= 1 - 3
>         log level = 1
>         syslog = 0
>         winbind use default domain = yes
>         winbind nested groups = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         template homedir = /home/windows/%D/%U
>         template shell = /bin/bash
>         allow trusted domains = no

Try adding to global section:

    winbind nss info = sfu

Right now you're defaulting to "template".

Regards, Doug
Re: [Samba] Problems running samba in vmware
Ryan Novosielski wrote:
> Natxo Asenjo wrote:
>> On Thu, Mar 6, 2008 at 10:13 PM, Adam Zimmer <[EMAIL PROTECTED]> wrote:
>>> I have used samba for nearly 9 years with no problems and we have about 20 users. In the past we have had a dedicated samba server. We have recently virtualized this server to a quad core Q6600 using vmware virtual server 1.0.4 on a 64 bit host running ubuntu 7.10.
>>
>> bad idea. Vmware server is not meant for production servers. Don't try to save a buck and buy a copy of esx. It will save you all this trouble and time is money.
>>
>> If you really want to go along the free road, get yourself xen, linux runs perfectly with the opensource 'free as in free beer' xensource. Vmware server is a great testing tool, not a production one.
>
> Why is that?

ESX is the OS. Vmware server runs under an OS. All kinds of ramifications to this from allocating specific ethernet cards to specific virtual machines instead of bridging to better cpu and memory management. But this is getting pretty off topic for samba.

Regards, Doug
Re: [Samba] Problems running samba in vmware
Adam Zimmer wrote:
> At the moment I have enabled timeSync with vmware tools.
>
> In the general area of time keeping on the host, I added the following settings which avoided errors about the RTC missing interrupts:
>
>     host.usefastclock=false
>     host.cpukHz=240
>     host.useTSC=true
>     ptsc.useTSC=true
>
> I have two other machines similarly configured (with the exception of running other linux applications not samba).
>
> Ntpdate seems to be installed as it is part of the ubuntu-server default config. However, my other machines seem to run it ok. If anything they fall behind a bit and the vmware sync keeps them up-to-date.
>
> Ian McDonald wrote:
>> How are your time sync options set for the VM? Is it keeping time ok? (note, AFAIR, you're not supposed to run NTP within a VM.).

True. I refer to this document from vmware.
http://www.vmware.com/pdf/vmware_timekeeping.pdf

Generally, ntp & vmware timesync fight each other. The usual method is to turn off the ntp service, figure out how to minimize interrupts, allow the clock to run a little slow and allow vmware timesync to bump up the time when it gets about 1 minute slow.

There's another thread that mentions issues with on-board nics and drivers. Over the years, I've bumped into that myself. To the extent I try and use host-only and route whenever possible. That's worked better for me in generic usage.

Regards, Doug
Re: [Samba] Curious: Windows -> Samba 4 transition path?
Ken D'Ambrosio wrote:
> Hi, all. I see that the second alpha has been released, and that makes me wonder about one or two things:
>
> - Can you have a Samba 4 box be a DC alongside a Windows DC?
> - Failing that, is there a transition path from Windows AD to Samba 4?
>
> If either of these are true, it would save a heck of a lot of work, instead of having to rejoin a couple hundred clients to the domain.
>
> Thanks much,
>
> -Ken
>
> P.S. Kudos on whoever thought of the Python scripting hooks. While I don't "speak" Python, it would certainly be a strong incentive to learn it!

I recently enquired on the technical list and got an answer. There exist vampire scripts to pull from an existing AD. But right now those scripts are transitioning from an older scripting language into python and transitioning to a native AD methodology from an NT4 method. Just have to wait a while.

Someone else will have to answer about samba4 as a DC with an MS DC in harmony, although I wouldn't think that would be a goal.

Regards, Doug
Re: Fwd: [Samba] Winbind 3.0.26a cannot authenticate with ActiveDirectory
Douglas VanLeuven wrote:
> Walter Huf wrote:
>> I changed those lines, and nothing seemed to change.
>> However, I remembered more information that I could include.
>> getent passwd does not list domain users, only local users.

Something still looks wrong to me with your pam config. But I checked the release note archives. 3.0.25 introduced the changes to the idmap backend. Here's what I use as the alternative to the old syntax

    winbind enum users = Yes
    winbind enum groups = Yes
    winbind nss info = sfu
    idmap domains = FOREST
    idmap config FOREST:backend = ad
    idmap config FOREST:schema_mode = sfu
    idmap config FOREST:readonly = yes
    idmap config FOREST:range = 200 - 2
    idmap config FOREST:default = yes
    idmap alloc backend = tdb
    idmap alloc config:range = 5-50999

There is a document "A new IDMAP subsystem" on the samba website that I think is more illuminative than the manpages. Thank Simo!
http://www.samba.org/~idra/samba3_newidmap.pdf

Regards, Doug
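The "idmap config DOMAIN:option" syntax appears three times in this archive (Volker's reply on the deprecated parameter, Heikki's AIX configuration and the block just above), always with a per-domain range plus a separate allocator range for BUILTIN groups. The one property worth checking before restarting winbindd is that those ranges never overlap and that every domain named in "idmap domains" actually has one: two SIDs landing on the same uid or gid is a permission problem, not a cosmetic one. The checker below is an added example, not code from the thread or from Samba; the smb.conf fragment it parses is constructed, with a made-up domain name and made-up range numbers, and the parser only understands the handful of idmap keys shown in the posts.

```python
import re

RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")

# Constructed smb.conf fragment in the "idmap config DOMAIN:option" syntax the
# posts use. The domain name and every number are made-up placeholders, not
# values taken from any real server.
SMB_CONF = """\
winbind nss info = sfu
idmap domains = FOREST
idmap config FOREST:backend = ad
idmap config FOREST:schema_mode = sfu
idmap config FOREST:readonly = yes
idmap config FOREST:range = 20000 - 29999
idmap config FOREST:default = yes
idmap alloc backend = tdb
idmap alloc config:range = 50000-50999
"""


def parse_range(value):
    """'low - high' (spaces optional) -> (low, high); rejects reversed ranges."""
    m = RANGE_RE.match(value)
    if not m:
        raise ValueError(f"unparseable idmap range {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"idmap range {value!r} has low > high")
    return low, high


def range_is_valid(value):
    try:
        parse_range(value)
        return True
    except ValueError:
        return False


def parse_idmap_config(text):
    """Collect idmap settings per domain; the allocator's settings go under
    'alloc' and the 'idmap domains' list under '_domains'."""
    cfg = {"_domains": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        lkey = key.lower()
        if lkey.startswith("idmap config "):
            domain, _, opt = key[len("idmap config "):].partition(":")
            cfg.setdefault(domain.strip().upper(), {})[opt.strip().lower()] = value
        elif lkey.startswith("idmap alloc config:"):
            cfg.setdefault("alloc", {})[key.split(":", 1)[1].strip().lower()] = value
        elif lkey == "idmap alloc backend":
            cfg.setdefault("alloc", {})["backend"] = value
        elif lkey == "idmap domains":
            cfg["_domains"] = [d.upper() for d in re.split(r"[,\s]+", value) if d]
    for name, opts in cfg.items():
        if name != "_domains" and "range" in opts:
            opts["range"] = parse_range(opts["range"])
    return cfg


def find_overlaps(cfg):
    """Pairs of ranges that intersect. Any overlap lets two different SIDs map
    to the same uid/gid, so the result should always be an empty list."""
    ranged = [(n, o["range"]) for n, o in cfg.items() if n != "_domains" and "range" in o]
    overlaps = []
    for i, (a, (alo, ahi)) in enumerate(ranged):
        for b, (blo, bhi) in ranged[i + 1:]:
            if alo <= bhi and blo <= ahi:
                overlaps.append((a, b))
    return overlaps


def missing_ranges(cfg):
    """Domains listed in 'idmap domains' that never got a range."""
    return [d for d in cfg["_domains"] if "range" not in cfg.get(d, {})]


def owner_of_id(cfg, unix_id):
    """Which range (domain name or 'alloc') a uid/gid falls into, or None."""
    for name, opts in cfg.items():
        if name != "_domains" and "range" in opts:
            lo, hi = opts["range"]
            if lo <= unix_id <= hi:
                return name
    return None


if __name__ == "__main__":
    cfg = parse_idmap_config(SMB_CONF)
    print("overlaps:", find_overlaps(cfg), "missing:", missing_ranges(cfg))
    print("uid 20500 ->", owner_of_id(cfg, 20500), "| uid 50010 ->", owner_of_id(cfg, 50010))
```

With an AD backend in sfu or rfc2307 mode the uid/gid values come from the directory, so owner_of_id() is the quick way to confirm that a value set in a user's Unix Attributes tab actually lies inside the configured range; a value outside it is exactly the case where winbindd logs "Could not get unix ID" and getent shows nothing.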
Re: Fwd: [Samba] Winbind 3.0.26a cannot authenticate with ActiveDirectory
Walter Huf wrote:
> I changed those lines, and nothing seemed to change.
> However, I remembered more information that I could include.
> getent passwd does not list domain users, only local users.
>
> Sample lines from /var/log/samba/log.winbindd:
>
>     [2008/02/22 14:13:21, 1] nsswitch/idmap_ad.c:idmap_ad_sids_to_unixids(613)
>       Could not get unix ID
>     [2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(85)
>       error getting user id for sid S-1-5-21-2143970516-726479814-926709054-1840
>     [2008/02/22 14:13:21, 1] nsswitch/winbindd_user.c:winbindd_getpwent(728)
>       could not lookup domain user otherusername
>
> Does this help at all?
> Has anybody gotten Winbind 3.0.26a to authenticate successfully with Active Directory?

I can't specifically say 3.0.26a. But I've been doing it since 3.0.6 or something. Like you I use sfu and the backend is ad. Used to have to merge the padl idmap_ad module patches to the source.

I used to run redhat, then fedora, now opensuse. Each has their own technique to setting up pam. Here's opensuse version for login and su and sshd. Each service includes a set of common configurations and maybe some unique to the individual service. I've found using the distro supplied software for configuring system auth to be the easiest way to get a baseline. In opensuse it's pam-config. In fedora it was system-config-authentication.

Anytime I mess with the auth methods, I stop nscd from running during the tests.

pam.d/login
    #%PAM-1.0
    auth     requisite  pam_nologin.so
    auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
    auth     include    common-auth
    account  include    common-account
    password include    common-password
    session  required   pam_loginuid.so
    session  include    common-session
    session  required   pam_lastlog.so nowtmp
    session  required   pam_resmgr.so
    session  optional   pam_mail.so standard
    session  optional   pam_ck_connector.so

pam.d/su
    #%PAM-1.0
    auth     sufficient pam_rootok.so
    auth     include    common-auth
    account  include    common-account
    password include    common-password
    session  include    common-session
    session  optional   pam_xauth.so

pam.d/sshd
    #%PAM-1.0
    auth     requisite  pam_nologin.so
    auth     include    common-auth
    account  include    common-account
    password include    common-password
    session  required   pam_loginuid.so
    session  include    common-session

pam.d/common-auth
    auth     required   pam_env.so
    auth     sufficient pam_unix2.so
    auth     sufficient pam_ldap.so use_first_pass
    auth     required   pam_winbind.so use_first_pass

pam.d/common-account
    account  requisite  pam_unix2.so
    account  sufficient pam_localuser.so
    account  sufficient pam_ldap.so use_first_pass
    account  required   pam_winbind.so use_first_pass

pam.d/common-password
    password sufficient pam_winbind.so
    password requisite  pam_pwcheck.so nullok cracklib remember=
    password sufficient pam_unix2.so use_authtok nullok
    password required   pam_ldap.so try_first_pass use_authtok

pam.d/common-session
    session  optional   pam_mkhomedir.so
    session  required   pam_limits.so
    session  required   pam_unix2.so
    session  optional   pam_ldap.so
    session  required   pam_winbind.so
    session  optional   pam_umask.so umask=002

    gate:~ # ssh [EMAIL PROTECTED]
    Password:
    Last login: Tue Feb 19 23:14:46 2008 from console
    Have a lot of fun...
    [EMAIL PROTECTED]:~> logout

Regards, Doug
Re: [Samba] Winbind+ldap = core dump
Robin wrote:
> Hi,
> I use samba 3.0.26a on fedora 8 as a fileserver for a win 2k3 domain. This
> has worked fine for about 2 months without any problems. However I came to
> the server 3 days ago and the harddrive was 100% full. On checking I found
> 60gb of core dumps in the winbind folder. I did a lot of searching and
> couldn't find anything relevant for this release. I tried upgrading samba to
> 3.0.28 (fc8 supplied rpm) and this does the same. The log.winbindd-idmap
> log suggests to me that it has a problem with ldap and empty results, so I
> made a quick script to check for gaps in the ldap records and found that
> several uid and gid numbers were not assigned (ie there was no entry for
> them in ldap, even though there were entries after them).
>
> Winbind does still mostly work, just fails once in about every 10 tries. I
> believe it fails for both samba and dovecot (pop3/imap mail server). At the
> moment we are generating about 10gb/hour of core dumps which a cron job is
> keeping cleaned up. Has anyone got any ideas on this? Also is it possible
> to tell samba/winbind not to do core dumps?

    enable core files = No

Sorry, can't help with the ldap though.

Regards, Doug
Re: [Samba] After migrating from Samba 2 to Samba 3 - home share names are case sensitive
Andreas Schmidl wrote:
> Hello!
>
> We have several sun solaris servers which now serve Samba 3 services.
> For 2 weeks we have been migrating all servers from Samba 2 to Samba 3.
> After the upgrade to Samba 3 all shares generated by the [home] section in
> smb.conf have case sensitive names.
>
> For example:
>
> Besides root, user john exists on the server and has a home folder.
>
> If user john wants to access his share with a Windows client he uses the path:
>
> \\server\john
>
> This works great.
>
> But if he wants to access his share using the path:
>
> \\server\JOHN
>
> he can't access the share.
>
> Samba 2 doesn't differentiate between the two paths.
>
> Other shares on the server (not [home] shares), for example [smb_test], can be
> accessed by typing:
>
> \\server\SMB_TEST or
> \\server\smb_test
>
> My [home] section on the server:
> [homes]
> comment = UNIX Home Directory for %S
> valid users = %S
> writeable = yes
> browseable = no
>
>
> In my opinion there isn't any special configuration in this section and of
> course no change since the migration from samba 2 to samba 3.
>
> Is there any solution for this problem? Or is it a samba 3 security feature
> ;-)
>
Try taking out the

    valid users = %S

and see if the problem persists. Anyway, I know that without that, case doesn't matter on my machine. Not an inherent function. There are other things the %S inhibits as well.

Regards, Doug
Re: [Samba] Can I have share name "shareone" and "share one" at the same time?
Young-Jun Oh wrote:
> Hello Samba community!
>
> I recently found out an interesting behavior of share names with Samba and did
> not find any useful information on the net. If anyone knows why I'm having
> this problem, I would feel like I could fly!
>
> Thanks in Advance.
>
> The problem I have is that I can not get the following two shares working at the
> same time.
>
> in my smb.conf file,
>
> [shareone]
> comment = shareone
> path=/shareone
> printable = no
> public = yes
> writeable = Yes
>
> [share one]
> comment = share one
> path=/share one
> printable = no
> public = yes
> writeable = Yes
>
> I can get either one of them to work but not at the same time. I tried
> quotes (") around share one. I tried "share\ one". I tried share\040one. But
> none of them worked.
>
> I tried these names for shares in Windows XP and they worked fine at the same
> time.
>
> I'm sure this kind of share name on the same computer would be very rare but
> I'm just curious.

I was curious too. So I tried it out. Works fine for me. I'm using opensuse 10.3 and using the samba.org repository for samba 3.0.28. What version of samba are you using? If it's behind current, are you able to upgrade to a more current release?

Regards, Doug
Re: [Samba] Samba4 and GPOs
Magic Zambo wrote:
> Hello it's me again,
>
> Really, has anybody got an idea? Everything could help.
> So please write everything you think about even if you think it's too
> trivial. ;-)
>
> Thanks in advance
>
> I successfully managed installing a Samba4 server. It's all fine but the
> server doesn't accept the GPOs I made. For example I've got an ou which
> isn't allowed to start Control Panel, but every user in this ou can start it
> without problems.
>
> Anyone knows a solution?

Probably not many people using samba 4 on this list. It's still alpha. You might have better luck on samba-technical.

Regards, Doug
Re: [Samba] Need help upgrading from 3.0.4 to 3.0.28
Joe wrote:
> I have a FreeBSD 5.2.1 machine running Samba 3.0.4. I am going to
> upgrade Samba to 3.0.28. The process I would follow would be...
>
> download source
> configure
> make
> make install
>
> My questions are...
>
> 1. Can I "make install" with users connected to the samba
>    server and using shares?

Only if you're an optimist. It's a rare day one can migrate that many releases without some changes in config file syntax or interpretation.

>
> 2. Can I just restart nmbd and smbd to run the new version?
>    What happens to connected users if I restart nmbd and smbd?

You could. Your users would get (optimistically) momentarily disconnected. The windows offline files balloon pops up or a message "no longer connected to ...".

>
> 2. Will I need to change anything in smb.conf?

Probably. I know some of the defaults have changed, but I don't have a list handy.

>
> 3. Will any of the samba databases (users) get destroyed/erased/
>    changed?

Shouldn't, but someone else would have to say definitively. I've personally wiped and reinitialized most of them several times only keeping the private tdb files secrets & passdb while regenerating the printer tdb's and mappings.

>
> Sorry for all the questions, I'm just nervous about creating
> a big mess during the upgrade.

If it's at all possible, your best course is to setup a test machine (real or virtual) and test the new version in your current setup by joining it to your domain and connecting from users. Alternatively, duplicate the existing OS & samba version with a different machine name and perform the upgrade on it. Your experience doing that is the only real way to self answer some of your questions and make the production upgrade as smooth as possible.

Regards, Doug
Re: [Samba] cifs verses smbfs for Linux clients
Michael Lueck wrote:
> I am somewhat confused...
>
> I understand that the preferred method to mount a Samba share with a
> Linux client is to use "mount -t cifs" rather than "mount -t smbfs".
>
> I get the impression that smbfs is samba.org developed code whereas
> cifs is from elsewhere. Thus the point of confusion. Why is samba.org
> not developing the preferred code in this case?
>
> A sub question to that main one is a nagging thought of needing to add
> the Debian / Ubuntu smbfs package to Linux client systems issuing "mount
> -t cifs". If cifs really is from elsewhere, and smbfs is "bad evil", why
> the interdependency?
>
> Thanks!

As I know it, cifs-mount (/sbin/mount.cifs) is maintained by the samba team as the replacement for the older smbfs. I can't even find smbmnt in opensuse 10.3. I wish I could point you to release notes for this.

Regards, Doug
Re: [Samba] Re: winbind - not ready for prime time
Christian McHugh wrote:
> Guido Lorenzutti wrote:
>> Jeremy Allison wrote:
>>
>>>
>>> If you have a specific issue, ask it. If you have a specific
>>> bug, report it. You did none of those things.
>>>
>>
>> I'm not a developer, I'm a sysadmin and I've been using samba for a lot of
>> years now.
>> When I read the post, I wasn't going to answer, 'coz I didn't feel
>> related to the subject.
>>
>> I think I have a little experience in Samba and Winbind. If you need
>> someone to write examples, docs, manpages, etc.. I don't have any
>> problem to fill the blanks. Just tell me where I should start.
>>
>>
>
> Well, in an attempt at raising the signal to noise ratio, I've
> personally had problems deciphering exactly how to use winbind with
> idmap_ad.
> - In the smb.conf do I have an idmap declaration per domain, or is the
> example given in the man page "ALLDOMAINS" acceptable?
> - (As mentioned in an unanswered mail to this list) How do I go about
> compiling the rfc2307 module, either statically or dynamically?
>
> Once I get past the rfc2307 compile question, I think I'll have more
> questions. But since I don't have winbind running well in my environment
> (yet) I can bring those up later.

My 2 cents. Open Source used to mean just that. The source was public. Anyone can read it. Howtos were generally created by users that wanted to give back to the community, not usually developers. My observation is non-developers frequently confuse documenting samba with documenting MS windows (c). As the recent EC decision indicates, MS has been reluctant to document their product. Don't blame the samba team for the MS lack of transparency.

As far as compiling idmap_ad goes, look in the supplied configure script.

    # Check whether --with-shared-modules or --without-shared-modules was given.
    if test "${with_shared_modules+set}" = set; then
      withval="$with_shared_modules"
      if test $withval; then
        for i in `echo $withval | sed -e 's/,/ /g'`
        do
          eval MODULE_$i=SHARED
        done
      fi
    fi;

Then grep the file: "grep MODULE_idmap_ configure"

    MODULE_idmap_tdb=STATIC
    MODULE_idmap_passdb=STATIC
    MODULE_idmap_nss=STATIC
    if test "$MODULE_idmap_ldap"; then DEST=$MODULE_idmap_ldap
    if test "$MODULE_idmap_tdb"; then DEST=$MODULE_idmap_tdb
    if test "$MODULE_idmap_passdb"; then DEST=$MODULE_idmap_passdb
    if test "$MODULE_idmap_nss"; then DEST=$MODULE_idmap_nss
    if test "$MODULE_idmap_rid"; then DEST=$MODULE_idmap_rid
    if test "$MODULE_idmap_ad"; then DEST=$MODULE_idmap_ad

There you have it.

    --with-shared-modules=idmap_ldap,idmap_tdb,idmap_passdb,idmap_nss,idmap_rid,idmap_ad

Just pick the ones you want. idmap_ad includes support for both SFU and rfc2307. I once tried to compile idmap_ad as a static module and it core dumped. Maybe it's changed but I don't think so. If your OS has issues with dynamic modules, you'll probably have to fix it yourself either thru support with the OS vendor or modifying the samba code.

As far as rfc2307 support goes:

    find .|grep idmap_ad
    ./nsswitch/.svn/prop-base/idmap_ad.c.svn-base
    ./nsswitch/.svn/props/idmap_ad.c.svn-work
    ./nsswitch/.svn/text-base/idmap_ad.c.svn-base
    ./nsswitch/idmap_ad.c

    less nsswitch/idmap_ad.c

Second line:

    /*
     * idmap_ad: map between Active Directory and RFC 2307 or "Services for Unix" (SFU) Accounts

There is a document "A new IDMAP subsystem" on the samba website that I think is more illuminative than the manpages.
google idmap pdf site:www.samba.org
http://www.samba.org/~idra/samba3_newidmap.pdf

Regards, Doug
Re: [Samba] NT_STATUS_ACCESS_DENIED
Miguel Gonzalez Castaños wrote:
> I'm stumped. Same configuration in Debian sarge with
> kernel 2.4 works fine, however, with kernel 2.6,
> breaks.
>
> boddingtons2:/var# smbclient -U THREESPOT+mgonzalez //10.0.6.41/www -c 'ls'
> Password:
> Domain=[THREESPOT] OS=[Unix] Server=[Samba 3.0.24]
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
>
> /etc/samba/smb.conf
>
> [global]
>    workgroup = THREESPOT
>    server string = boddingtons2
>
>    password server = 10.0.6.13
>    realm = THREESPOT.COM
>
>    wins support = no
>    wins server = 10.0.6.13
>    dns proxy = no
>    name resolve order = wins lmhosts hosts bcast
>
>    log level = 3
>
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>
>    security = ads
>    encrypt passwords = true
>    # passdb backend = tdbsam guest    This is the only thing that changes from
> the 2.4 sarge configuration, running it with guest support gives me a core

At best, the reason for the core dump is samba is looking for a backend called "guest". You could make a case for samba to be more graceful about backends that don't exist, but that's it. At this point, I'd run "pdbedit -L -v|less" and check the accounts didn't get corrupted from the abnormal terminations.

Regards, Doug
Re: [Samba] NT_STATUS_ACCESS_DENIED
Chris du Preez wrote:
> On Tuesday 12 February 2008 03:07:29 pm you wrote:
>> Um, either you omitted the chr share definition, or you don't have one.
>> Either way we can't help much without it :)
>>
>> Rubin
>>
> I get the same result with
>
> # smbclient //bbb/homes -U chr
> Password:
> Domain=[BBB] OS=[Unix] Server=[Samba 3.0.28-0.fc8]
> smb: \> ls
> NT_STATUS_ACCESS_DENIED listing \*
>
>
> when I list the server with
>
> # smbclient -L bbb -U chr
> Password:
> Domain=[BBB] OS=[Unix] Server=[Samba 3.0.28-0.fc8]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         cc              Disk
>         HP5550          Printer   HP Color LaserJet 5550
>         IPC$            IPC       IPC Service (BBB Samba Server)
>         chr             Disk      Home Directories
> Domain=[BBB] OS=[Unix] Server=[Samba 3.0.28-0.fc8]
>
>         Server               Comment
>         ---------            -------
>
>         Workgroup            Master
>         ---------            -------
>         FLAMENGRO            FLAHOIS01
>
> This is what I found. The share chr is there.
>
> I even went as far as to put a share cc in smb.conf like this, with the same result
>
> [cc]
> path = /home/chr
> valid users = chr
> read only = No

Try

    valid users = FLAMENGRO\chr

I believe specifying the domain is mandatory. You realize that only chr will have a home directory if you specify it like that?

Regards, Doug
Re: [Samba] (no subject)
Dale Schroeder wrote:
> I have systems using security = ADS and security = domain where
> "password server =" works quite well. There's something else going on.
>
> Dale
>
> Adam Williams wrote:
>> password server = only works when samba is in security = server mode.
>>
>> security = domain is used when the server is a member server of an NT4
>> style domain (meaning, it's not a PDC or a BDC, but another server with
>> some file shares on it and it authenticates to the PDC using LDAP).
>>
>> when you have a bunch of samba servers like you sound like you do, you
>> should be using an LDAP backend.
>>
>> Carter, David SIS SB56 ITMOXF POWERGEN wrote:
>>> Installed Samba 3.0.10 via 'pkgadd' on Solaris 2.6 workstation s080
>>> (137.223.31.80) - previously running Samba 2.2.8 which has worked for a
>>> long time.
>>> Samba 3.0.10 smb.conf file - changed to security = DOMAIN from SERVER at
>>> 2.2.8 version
>>> password server = 137.223.33.45, 137.223.33.72 - these are DCs
>>>
>>>
>>> # Samba config file created using SWAT
>>> # from 127.0.0.1 (127.0.0.1)
>>> # Date: 2008/02/07 16:05:52
>>>
>>> # Global parameters
>>> [global]
>>> workgroup = WW007
>>> server string = Samba Server ww007
>>> interfaces = 137.223.31.80/255.255.255.0
>>> bind interfaces only = Yes

You might try adding 127.0.0.1

    interfaces = 137.223.31.80/255.255.255.0, 127.0.0.1/24

There are some issues documented in the manual and it seems to help with any broadcast related issues. I've started masking to 24 bits because I've had some servers come up with 127.0.0.2 on occasion. Might be dual processors, but I've not pursued it further.

Regards, Doug
Re: [Samba] net ads join : ads_connect: No logon servers
D G Teed wrote:
> Thanks very much, Douglas. That did the trick.
> I had not understood what realm represented in a dns
> style domain.
>
> It is also confusing that one lists a realm section,
> defining it...
>
> BEER = {
>    kdc = ADC1.AD.BEERU.CA
> }

Sorry, missed that one too. Should be

    AD.BEERU.CA = {
        kdc = ADC1.AD.BEERU.CA
    }

It's just that Kerberos doesn't know anything about workgroups in windows and so there shouldn't be any workgroup names in krb5.conf, only DNS names and REALM names. It worked because samba picked up the Kerberos kdc from SRV records in DNS. BEER defines the .BEER realm which doesn't exist.

>
> But then when providing the realm name in smb.conf, the
> handle isn't BEER, but rather the subdomain in
> which the AD controller lives.
>
> Regards,
>
> --Donald
>
> On Jan 30, 2008 3:37 PM, Douglas VanLeuven <[EMAIL PROTECTED]> wrote:
>> Douglas VanLeuven wrote:
>>> D G Teed wrote:
>>>> I've been able to use security = ads in smb.conf, and connect OK,
>>>> but it must be falling back to domain. When I run net ads join
>>>> I get the error (debug trace below):
>>>>
>>>> ads_connect: No logon servers
>>>>
>>>> Here is my krb5.conf:
>>>>
>>>> [logging]
>>>> default = FILE:/var/log/krb5libs.log
>>>> kdc = FILE:/var/log/krb5kdc.log
>>>> admin_server = FILE:/var/log/kadmind.log
>>>> [libdefaults]
>>>> default_realm = BEER
>>>> [realms]
>>>> BEER = {
>>>> kdc = ADC1.AD.BEERU.CA
>>>> }
>> Missed this on the last post.
>> default realm = AD.BEERU.CA
>>
>> Doug
>>

Regards, Doug
Re: [Samba] net ads join : ads_connect: No logon servers
Douglas VanLeuven wrote:
> D G Teed wrote:
>> I've been able to use security = ads in smb.conf, and connect OK,
>> but it must be falling back to domain. When I run net ads join
>> I get the error (debug trace below):
>>
>> ads_connect: No logon servers
>>
>> Here is my krb5.conf:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>> [libdefaults]
>> default_realm = BEER
>> [realms]
>> BEER = {
>> kdc = ADC1.AD.BEERU.CA
>> }

Missed this on the last post.

    default realm = AD.BEERU.CA

Doug
Re: [Samba] net ads join : ads_connect: No logon servers
D G Teed wrote:
> I've been able to use security = ads in smb.conf, and connect OK,
> but it must be falling back to domain. When I run net ads join
> I get the error (debug trace below):
>
> ads_connect: No logon servers
>
> Here is my krb5.conf:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> [libdefaults]
> default_realm = BEER
> [realms]
> BEER = {
> kdc = ADC1.AD.BEERU.CA
> }
> [domain_realm]
> beer.ca = BEER
> .beer.ca = BEER

This should be a mapping from DNS domain to Kerberos REALM. Going by the kdc name, what you probably want is:

    beer.ca = AD.BEERU.CA
    .beer.ca = AD.BEERU.CA
    www2.beer.ca = AD.BEERU.CA

>
> Here is my rpc join status:
> # net rpc testjoin
> Join to 'BEER' is OK
>
> Here is my attempt to graduate this to ADS levels, with debug:
>
> # net ads join -Ubeeruser%beeruserpw -d3
> [2008/01/30 11:06:08, 3] param/loadparm.c:lp_load(5033)
> lp_load: refreshing parameters
> [2008/01/30 11:06:08, 3] param/loadparm.c:init_globals(1424)
> Initialising global parameters
> [2008/01/30 11:06:08, 3] param/params.c:pm_process(572)
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> [2008/01/30 11:06:08, 3] param/loadparm.c:do_section(3772)
> Processing section "[global]"
> [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
> added interface ip=111.111.200.8 bcast=111.111.207.255 nmask=255.255.248.0
> [2008/01/30 11:06:08, 2] lib/interface.c:add_interface(81)
> added interface ip=111.111.202.39 bcast=111.111.207.255 nmask=255.255.248.0
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
> get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
> Failed to parse cldap reply
> [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
> ads_try_connect: CLDAP request 111.111.200.66 failed.
> [2008/01/30 11:06:08, 1] libads/cldap.c:recv_cldap_netlogon(247)
> Failed to parse cldap reply
> [2008/01/30 11:06:08, 3] libads/ldap.c:ads_try_connect(189)
> ads_try_connect: CLDAP request 111.111.200.67 failed.
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
> get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 3] libsmb/namequery_dc.c:rpc_dc_name(154)
> Could not look up dc's for domain BEER
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
> get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 3] libsmb/namequery.c:get_dc_list(1489)
> get_dc_list: preferred server list: "ADC2, 111.111.200.67"
> [2008/01/30 11:06:08, 0] utils/net_ads.c:ads_startup_int(286)
> ads_connect: No logon servers
> [2008/01/30 11:06:08, 1] utils/net_ads.c:net_ads_join(1470)
> error on ads_startup: No logon servers
> Failed to join domain: No logon servers
> [2008/01/30 11:06:08, 2] utils/net.c:main(1032)
> return code = -1
>
> Can this user achieve such a goal?
>
> Here is beeruser's rights via rpc:
> net rpc rights list -Ubeeruser
> Password:
> SeMachineAccountPrivilege  Add machines to domain
> SeTakeOwnershipPrivilege   Take ownership of files or other objects
> SeBackupPrivilege          Back up files and directories
> SeRestorePrivilege         Restore files and directories
> SeRemoteShutdownPrivilege  Force shutdown from a remote system
> SePrintOperatorPrivilege   Manage printers
> SeAddUsersPrivilege        Add users and groups to the domain
> SeDiskOperatorPrivilege    Manage disk shares
>
> I've had various toggles done to my smb.conf, but here is what the
> global section
> of smb.conf looks like at the moment, following the hints of someone else who
> solved this on the list...
>
> [global]
> netbios name = www2
> workgroup = BEER
> unix charset = LOCALE
> realm = BEER

Same here.

    realm = AD.BEERU.CA

> server string = Web Server
> security = ADS
> password server = 111.111.200.67
> idmap backend = rid:BEER=5000-1
> idmap uid = 1-1000
> idmap gid = 1-1000
> template shell = /bin/bash
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> allow trusted domains = No
> log level = 3
> log file = /var/log/samba/%m.log
> max log size = 50
> dns proxy = No
> winbind use default domain = Yes
> hosts allow = 111.111.
> encrypt passwords = yes
>
> I had great results with the last question I put on the list. I hope
> someone can help us graduate to ads with kerberos level authentication.
>
> It feels like there is something missing on the AD end, but I know
> nothing about this
> other than that it is Windows Server 2003 and it has been in production for
> awhile with good performance.
> There may be something
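As an added example, not code from the thread or from Samba, here is a Python check that applies the rules worked out in this thread to a krb5.conf: realm names must be DNS-style (a bare workgroup name like BEER is flagged), the default_realm and every [domain_realm] target must be defined in [realms], and each kdc should be a host under its realm's domain. The two sample files are the posted krb5.conf and the corrected version suggested in the replies, embedded inline.

```python
"""Consistency checks for the realm names in a krb5.conf, following the thread above."""
from typing import Any, Dict, List

# The krb5.conf as posted in the thread: the realm is named after the NetBIOS
# workgroup (BEER) instead of the DNS domain the KDC lives in.
BROKEN_KRB5_CONF = """
[libdefaults]
 default_realm = BEER
[realms]
 BEER = {
  kdc = ADC1.AD.BEERU.CA
 }
[domain_realm]
 beer.ca = BEER
 .beer.ca = BEER
"""

# The same file with the corrections suggested in the replies.
FIXED_KRB5_CONF = """
[libdefaults]
 default_realm = AD.BEERU.CA
[realms]
 AD.BEERU.CA = {
  kdc = ADC1.AD.BEERU.CA
 }
[domain_realm]
 beer.ca = AD.BEERU.CA
 .beer.ca = AD.BEERU.CA
 www2.beer.ca = AD.BEERU.CA
"""


def parse_krb5(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse krb5.conf into {section: {key: value}}; 'NAME = { ... }' groups become nested dicts.

    Inside a group only the last value of a repeated key (e.g. several kdc lines) is kept.
    """
    conf: Dict[str, Dict[str, Any]] = {}
    section = None
    group = None  # dict of the 'NAME = { ... }' group we are currently inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            group = None
            continue
        if section is None:
            continue
        if group is not None and line == "}":
            group = None
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if group is not None:
            group[key.lower()] = value
        elif value == "{":
            group = {}
            conf[section][key] = group
        else:
            conf[section][key] = value
    return conf


def check_realms(conf: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return findings; an empty list means realm names, KDCs and mappings agree."""
    findings: List[str] = []
    realms = conf.get("realms", {})
    for name, body in realms.items():
        if "." not in name:
            # Kerberos realms are DNS-style names; a bare word is almost always
            # the Windows workgroup copied in by mistake.
            findings.append(f"realm {name!r} looks like a NetBIOS workgroup, not a DNS-style realm")
        if name != name.upper():
            findings.append(f"realm {name!r} should be upper-case")
        kdc = body.get("kdc") if isinstance(body, dict) else None
        if kdc is None:
            findings.append(f"realm {name!r} lists no kdc (clients will rely on DNS SRV records)")
        elif "." in name and not kdc.upper().endswith("." + name.upper()):
            findings.append(f"kdc {kdc!r} is not a host under realm {name!r}")
    default = conf.get("libdefaults", {}).get("default_realm")
    if default is None:
        findings.append("no default_realm in [libdefaults]")
    elif default not in realms:
        findings.append(f"default_realm {default!r} is not defined in [realms]")
    for domain, target in conf.get("domain_realm", {}).items():
        if target not in realms:
            findings.append(f"domain_realm {domain!r} maps to undefined realm {target!r}")
    return findings


if __name__ == "__main__":
    for label, text in (("posted", BROKEN_KRB5_CONF), ("corrected", FIXED_KRB5_CONF)):
        print(label, check_realms(parse_krb5(text)) or ["ok"])
```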
Re: [Samba] file differences when copying files to linux, using samba
jeffunit wrote:
>
>> >> Have you tried copying the file over with "cp" from
>> >> windows to your server? (cp from 'cygwin')?
>> >
>> > No, but I will try that today.
>> >
>> >> Have you tried comparing some of the differing files and
>> >> looking for a pattern?
>> >
>> > Yes. I wrote a modified version of cmp that tries to list all byte
>> > differences.
>> > I was looking at an iso image of some linux distribution.
>> > There were three bytes that differed, and if I recall correctly,
>> > they were all one bit differences.
>> >
>> Hi,
>> I would think one bit differences should be picked up by the TCP
>> transport layer.
>>
>> You probably have Rx checksum offload on the receiving box. You could
>> try turning that off and recopying to see if the error persists. Could
>> be a bad card.
>
> How do I turn rx checksums off under linux? This is an intel pro1000 ct.
> I am happy to try it.
> The gigabit ethernet is on-board, but I have several spare gigabit nics
> available.

If eth0 is the name:

    ethtool -K eth0 rx off

I got good service out of these settings in modprobe.conf (one line)

    options e1000 RxDescriptors=1024 TxDescriptors=1024 InterruptThrottleRate=1

I have lots of memory, so I upped the buffers, probably overkill. Default is 256. InterruptThrottleRate defaults to 3 (dynamic conservative) and I changed it to 1 (dynamic). See /usr/src//Documentation/networking/e1000.txt

Along with larger buffers in smb.conf, I regularly hit my hard disk limits on gigabyte. And bit error free. I never did it your way, but I have run tripwire with checksums and after disaster recovery, haven't had any issues or noticed any discrepancies with entire drives going across the wires.

>
>> Seems unlikely the Tx sender could send an incorrect checksum unless the
>> buffer memory flipped a bit before checksum computation which seems
>> ruled out by the ECC. Still, I'm a believer in memtest.
>
> I ran memtest-86+ through about 5 iterations, and there were no problems.
>
> thanks,
> jeff

Good luck (whatever it is),
Doug
Re: [Samba] file differences when copying files to linux, using samba
jeffunit wrote:
> At 01:03 AM 1/27/2008, Linda W wrote:
>> jeffunit wrote:
>>> I ran my python program locally on the linux system, and it reported
>>> that roughly
>>> 100 md5sums for files differed.
>>
>>> Any ideas how to track down this problem
>> ---
>> Could it be a code-page conversion issue?
>
> I am not sure, but I think that involves translating language encoding
> from one form to another. I hope that neither samba nor windows explorer
> does that silently.
>
>> Have you tried copying the file over with "cp" from
>> windows to your server? (cp from 'cygwin')?
>
> No, but I will try that today.
>
>> Have you tried comparing some of the differing files and
>> looking for a pattern?
>
> Yes. I wrote a modified version of cmp that tries to list all byte
> differences.
> I was looking at an iso image of some linux distribution.
> There were three bytes that differed, and if I recall correctly,
> they were all one bit differences.
>
Hi,
I would think one bit differences should be picked up by the TCP transport layer.

You probably have Rx checksum offload on the receiving box. You could try turning that off and recopying to see if the error persists. Could be a bad card.

Seems unlikely the Tx sender could send an incorrect checksum unless the buffer memory flipped a bit before checksum computation which seems ruled out by the ECC. Still, I'm a believer in memtest.

Regards, Doug
Re: [Samba] Hide Home Share for a single user
Nelson Vale wrote:
> Hi again,
>
>
>> How do you mean hide? So that they can't browse it, or so that they
>> cannot see the 'homes' service?
>
> What I want is to just hide (well what I'd really wanted was to disable it
> but I don't know if it is possible) the Home Share for one particular user,
> i.e. don't show it when the user browses the available shares.
>
> The user is not allowed to connect to the share anyway.
>
>> And do you mean hide from everyone
>> else, or hide from that user themselves?
>
> The other users have no access to it.
>
Try the option

    invalid users = joe

I think the user would still see it when browsing, but couldn't connect. That might be a compromise you could accept.

Regards, Doug
Re: [Samba] Retry: Mapping AD domain users to UNIX users
[EMAIL PROTECTED] wrote:
> That looks hopeful. However, we are using 3.0.23b (binaries downloaded from
> samba.org, not SunFreeware as I previously said). I hesitate to try compiling
> a more recent version as I've not managed to compile successfully so far!
>
I forget when the option started. You can check your distribution by running "smbd -b|grep idmap_nss". If your distribution includes it, it should show up.

Regards, Doug