Re: Re : [Samba] Solaris nss_ldap vs PADL nss_ldap
Hi Alban,

You can download padl's nss_ldap library from
http://www.padl.com/Contents/OpenSourceSoftware.html

If you've already configured Solaris for groups and password in LDAP, it should just work once you replace the Solaris nss_ldap with the padl one (back it up first ;) and add / configure /etc/ldap.conf. Mine looks like:

    TLS_CACERT /etc/certs/cacert.pem
    TLSCIPHERSUITE TLSv1
    host ldap.st-andrews.ac.uk
    rootbinddn
    base ou=People,dc=st-andrews,dc=ac,dc=uk
    ldap_version 3
    nss_base_passwd ou=People,dc=st-andrews,dc=ac,dc=uk?one
    nss_base_shadow ou=People,dc=st-andrews,dc=ac,dc=uk?one
    nss_base_group ou=Groups,dc=st-andrews,dc=ac,dc=uk?one
    ssl start_tls
    tls_cacertfile /etc/certs/certificate?
    tls_cacertdir /etc/certs
    tls_ciphers TLSv1

with the admin user password in /etc/ldap.secret, permission 600.

You could also try group: compat as suggested by Douglas Engert; I've not managed to get back to trying this yet. Have you tried using the Solaris version with this in the nsswitch.conf:

    group: compat
    group_compat: ldap

and adding the + in the /etc/group file? This appears to work as expected, getting group info from both local and ldap. Or (I have not tried this):

    group: files [SUCCESS=continue] ldap

Cheers,
Duncan

[EMAIL PROTECTED] wrote:
> Hi Duncan,
>
> I have the same issue on Solaris and Samba (3.0.28a and 3.31) that is OK for primary groups but not for secondaries. Can you describe how you get / configure PADL's nss_ldap?
>
> Thanks in advance
> Regards
> Alban
>
> ----- Original message -----
> From: Duncan Brannen <[EMAIL PROTECTED]>
> To: samba@lists.samba.org
> Sent: Wednesday, 27 August 2008, 18:09:55
> Subject: [Samba] Solaris nss_ldap vs PADL nss_ldap
>
> Hi All,
>
> Any thoughts on why, while everything seems ok at the OS level (getent, id -a), Samba doesn't pick up any supplementary groups when Solaris is configured with 'group: files ldap' in nsswitch.conf and using its own native nss_ldap.so.1, but does when using PADL's nss_ldap? Everything else is equal.
>
> Do they use/accept different calls, or could it be an openldap vs native ldap incompatibility, Samba being compiled against the openldap libraries? Samba seems not to compile against the native libraries due to a lack of ldap_start_tls_s.
>
> Solaris 10 and Samba 3.2.2
>
> Cheers,
> Duncan

--
The University of St Andrews is a charity registered in Scotland : No SC013532
--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/listinfo/samba
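The question Duncan raises (OS tools show the groups, Samba does not) comes down to which NSS entry point each consumer uses. The program below is an added example for this page, not code from the thread, from Samba or from PADL. It obtains a user's group list twice: once by scanning group entries, which is what `getent group` exercises, and once through getgrouplist(), the initgroups()-style lookup that Samba's sys_getgrouplist() (visible in the log excerpts on this page) relies on, and then counts the groups the second path misses. NSS modules serve those two paths from separate entry points, so a module can satisfy getent and id -a while still handing Samba no supplementary groups. The code assumes a Linux/glibc build host; where getgrouplist() is absent, Samba 3's lib/system_smbd.c falls back to initgroups() and getgroups(), but the enumeration-versus-membership split is the same. The function names and the default user "root" are this example's own choices.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Explicit prototypes so the example also builds in strict ISO C modes. */
int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);
struct group *getgrent(void);
void setgrent(void);
void endgrent(void);

/* Is gid among the first n entries of g? */
int contains_gid(const gid_t *g, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (g[i] == gid) return 1;
    return 0;
}

/* Group list via getgrouplist(): the initgroups()-style lookup Samba's
 * sys_getgrouplist() depends on (assumption: Linux/glibc semantics). Returns
 * the count and a malloc'd array in *out (caller frees), or -1 on failure. */
int groups_via_getgrouplist(const char *user, gid_t **out)
{
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;
    gid_t probe[1];
    int n = 1;
    getgrouplist(user, pw->pw_gid, probe, &n);   /* one slot: n becomes the real size */
    if (n < 1) return -1;
    gid_t *g = calloc((size_t)n, sizeof *g);
    if (!g) return -1;
    if (getgrouplist(user, pw->pw_gid, g, &n) < 0) {
        free(g);                                  /* list grew between calls; give up */
        return -1;
    }
    *out = g;
    return n;
}

/* Group list by enumeration: scan every group entry for the user's name, the
 * way `getent group` exposes membership, with the primary gid first. */
int groups_via_enumeration(const char *user, gid_t **out)
{
    struct passwd *pw = getpwnam(user);
    if (!pw) return -1;
    size_t cap = 16, n = 0;
    gid_t *g = malloc(cap * sizeof *g);
    if (!g) return -1;
    g[n++] = pw->pw_gid;
    setgrent();
    for (struct group *gr; (gr = getgrent()) != NULL; ) {
        for (char **m = gr->gr_mem; m && *m; m++) {
            if (strcmp(*m, user) != 0 || contains_gid(g, (int)n, gr->gr_gid))
                continue;
            if (n == cap) {
                gid_t *t = realloc(g, cap * 2 * sizeof *g);
                if (!t) { free(g); endgrent(); return -1; }
                g = t;
                cap *= 2;
            }
            g[n++] = gr->gr_gid;
            break;
        }
    }
    endgrent();
    *out = g;
    return (int)n;
}

/* Gids that enumeration finds but getgrouplist() does not. Non-zero reproduces
 * the symptom in the thread: getent looks healthy, Samba sees no extra groups.
 * Returns -1 if the user cannot be resolved. */
int missing_from_getgrouplist(const char *user)
{
    gid_t *a = NULL, *b = NULL;
    int na = groups_via_getgrouplist(user, &a);
    int nb = groups_via_enumeration(user, &b);
    int missing = -1;
    if (na >= 0 && nb >= 0) {
        missing = 0;
        for (int i = 0; i < nb; i++)
            if (!contains_gid(a, na, b[i])) missing++;
    }
    free(a);
    free(b);
    return missing;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    gid_t *g = NULL;
    int n = groups_via_getgrouplist(user, &g);
    if (n < 0) { fprintf(stderr, "%s: cannot resolve user\n", user); return 1; }
    for (int i = 0; i < n; i++) printf("%s%u", i ? " " : "getgrouplist(): ", (unsigned)g[i]);
    free(g);
    n = groups_via_enumeration(user, &g);
    for (int i = 0; i < n; i++) printf("%s%u", i ? " " : "\ngetgrent() scan: ", (unsigned)g[i]);
    free(g);
    printf("\nmissing from getgrouplist(): %d\n", missing_from_getgrouplist(user));
    return 0;
}
```

Build with `cc -o grpcheck grpcheck.c` and run it twice for the account in question, once as root and once as that user (`su - dunk -c './grpcheck dunk'`), because the threads on this page report the two answering differently. A non-zero "missing" count from a name service whose enumeration is complete is the thing to take to the NSS module, and it is more than a cosmetic problem: Samba evaluates share and file permissions against the group list this lookup returns, so a dropped supplementary group silently denies over SMB what the same user is granted on the Unix side.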
Re: [Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED
John H Terpstra wrote:
> On Monday 25 August 2008 08:56:23 Duncan Brannen wrote:
>> Hi All,
>>
>> I'm trying to add a user to a group using
>>
>>     /usr/local/samba/bin/net rpc group addmem room11 dunk -Uroot%password
>>
>> The user is added to the group as far as I can tell but the command returns NT_STATUS_ACCESS_DENIED. This is on Solaris 10 (Sparc) and Samba 3.2.1; OS and Samba are both configured to look up users and groups in LDAP.
>>
>>     /usr/local/samba/bin/net rpc group members room11 -Uroot%password
>>     CROOMTEST\dunk
>>
>> Trying to remove the user from the group returns NT_STATUS_MEMBER_NOT_IN_GROUP and the user is not removed from the group in LDAP (running smbldap-groupmod manually removes the user from LDAP).
>>
>> In smb.conf, I have
>>
>>     add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>>     delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>>
>> With log level set to 10 I see the following for the add that may or may not be relevant. Should the access check granted and required values be equal?
>>
>>     [2008/08/25 12:59:48, 4] rpc_server/srv_pipe.c:api_rpcTNP(2297)
>>       api_rpcTNP: samr op 0x16 -
>>       api_rpcTNP: rpc command: SAMR_ADDGROUPMEMBER
>>     [2008/08/25 12:59:48, 6] rpc_server/srv_pipe.c:api_rpcTNP(2323)
>>       api_rpc_cmds[22].fn == 200be4
>>     samr_AddGroupMember: struct samr_AddGroupMember
>>         in: struct samr_AddGroupMember
>>             group_handle : *
>>                 group_handle: struct policy_handle
>>                     handle_type : 0x (0)
>>                     uuid : 0500---b248-b49e9051
>>             rid : 0x0bb8 (3000)
>>             flags : 0x0005 (5)
>>     [2008/08/25 12:59:48, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(168)
>>       Found policy hnd[0]
>>       [000] 00 00 00 00 05 00 00 00 00 00 00 00 B2 48 B4 9E  .H..
>>       [010] 90 51 00 00                                      .Q..
>>     [2008/08/25 12:59:48, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(227)
>>       _samr_AddGroupMember: access check ((granted: 0f001f; required: 04)
>>     [2008/08/25 12:59:48, 10] rpc_server/srv_samr_nt.c:_samr_AddGroupMember(4651)
>>       sid is S-1-5-21-440367617-1876916578-3462541782-3003
>>     [2008/08/25 12:59:48, 10] groupdb/mapping.c:get_domain_group_from_sid(132)
>>       get_domain_group_from_sid
>>     ...
>>     [2008/08/25 12:59:50, 3] groupdb/mapping.c:smb_add_user_group(352)
>>       smb_add_user_group: Running the command `/usr/local/sbin/smbldap-groupmod -m "dunk" "room11"' gave 0
>>     [2008/08/25 12:59:50, 10] lib/system_smbd.c:sys_getgrouplist(122)
>>       sys_getgrouplist: user [dunk]
>>     [2008/08/25 12:59:50, 3] smbd/sec_ctx.c:push_sec_ctx(224)
>>       push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>>     ...
>>     [2008/08/25 12:59:50, 10] passdb/lookup_sid.c:legacy_gid_to_sid(1170)
>>       LEGACY: gid 512 -> sid S-1-5-21-440367617-1876916578-3462541782-512
>>     samr_AddGroupMember: struct samr_AddGroupMember
>>         out: struct samr_AddGroupMember
>>             result : NT_STATUS_ACCESS_DENIED
>>
>> For delmem I again get the same access check granted value
>>
>>     _samr_DeleteGroupMember: access check ((granted: 0f001f; required: 08)
>>
>> then
>>
>>     Get_Pwnam_internals did find user [dunk]!
>>     [2008/08/25 14:41:10, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
>>       pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>     [2008/08/25 14:41:10, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1213)
>>       LEGACY: sid S-1-5-21-440367617-1876916578-3462541782-3000 -> uid 1000
>>     samr_DeleteGroupMember: struct samr_DeleteGroupMember
>>         out: struct samr_DeleteGroupMember
>>             result : NT_STATUS_MEMBER_NOT_IN_GROUP
>>
>> Any thoughts or pointers as to where I should be looking?
>
> Have you tried to execute this script manually? Example:
>
>     smbldap-useradd -G new_group user_name
>
> If that works, check that you gave Samba permission to update the LDAP directory. Did you execute the following?:
>
>     smbpasswd -w LDAP_Secret_Password
>
> Also, check that the user you are using to do this, and/or the group that user belongs to, has the rights and privileges needed to do this:
>
>     net rpc rights list accounts -Uroot%password
>
> - John T.

Hi John,

For what it's worth, the error message has gone now I'm using 3.2.2 and padl's nss_ldap library, and I'm assuming it's the padl nss_ldap library that's solved it. A cursory glance at the ldap logs and what happens there looks similar; the user is still successfully added to the group. If I'd kept digging at this it may have shown why the groups were not showing up in Windows.

Cheers,
Duncan
Re: [Samba] Samba Groups questions
Short answer, yes. You should/do get all the groups listed with ifmember /list but get different results with the Solaris nsswitch.conf than padl's nsswitch.conf. I have it working, through changing only this one library. There may of course have been problems with my ldap_client_file that didn't show up at the OS level but scuppered what Samba was asking for. Didn't see any error messages though.

Cheers.

Duncan Brannen wrote:
> Hi,
>
> When Samba is running as a PDC and a workstation is joined to the Domain, should the user logged into the workstation be able to see all the groups they are a member of using `ifmember /list`? Is the below output as expected? Am I correct in thinking that, as all my groups originate in the Unix world, I don't need winbind to allow the workstations to see them?
>
> For what it's worth, Solaris 10 (Sparc), Samba 3.2.1 and OpenLDAP; everything bar the Samba version should be irrelevant as it's hidden behind nsswitch and passdb backend? It's a clean OS / LDAP install with the smbldap tools used to populate the directory and create the user, then 'net rpc' used to create groups and add members.
>
> Thanks,
> Duncan
>
> -
> On the PDC
>
>     /usr/local/samba/bin/net rpc group members room11 -Uroot%password
>     CROOMTEST\dunk
>
>     /usr/local/samba/bin/net groupmap list
>     Domain Admins (S-1-5-21-440367617-1876916578-3462541782-512) -> Domain Admins
>     Domain Users (S-1-5-21-440367617-1876916578-3462541782-513) -> Domain Users
>     Domain Guests (S-1-5-21-440367617-1876916578-3462541782-514) -> Domain Guests
>     Domain Computers (S-1-5-21-440367617-1876916578-3462541782-515) -> Domain Computers
>     Administrators (S-1-5-32-544) -> Administrators
>     Account Operators (S-1-5-32-548) -> Account Operators
>     Print Operators (S-1-5-32-550) -> Print Operators
>     Backup Operators (S-1-5-32-551) -> Backup Operators
>     Replicators (S-1-5-32-552) -> Replicators
>     room11 (S-1-5-21-440367617-1876916578-3462541782-3003) -> room11
>     room9 (S-1-5-21-440367617-1876916578-3462541782-3005) -> room9
>
>     getent group
>     ...
>     room11::1001:dunk
>
>     getent passwd
>     ...
>     dunk:x:1000:512:System User:/home/dunk:/bin/bash
>
> -
> On the workstation
>
>     net group /domain room11
>
> returns dunk as a member
>
>     net group /domain
>
> returns a list of all the groups mapped on the PDC that start S-1-5-21-
>
>     ifmember /list
>
> returns the primary group
>
>     CROOMTEST\Domain Admins
>     \Everyone
>     BUILTIN\Administrators
>     BUILTIN\Users
>     \Local
>     NT Authority\INTERACTIVE
>     NT Authority\Authenticated Users
Re: [Samba] Samba PDC with groups in LDAP
To answer my own question, I had to use Padl's nss_ldap to make this work. I'd thought that with Solaris 9 and later I could get away with using the Sun libraries, but obviously not. Hope this helps someone else.

Cheers
Duncan

Duncan Brannen wrote:
> Hi All,
>
> I'm wondering if anyone can shed some light on a problem I'm having. I have a Samba PDC with an LDAP backend, keeping the smb.conf file constant.
>
> When I have /etc/nsswitch.conf configured with
>
>     groups: files ldap
>
> then /usr/local/samba/bin/net rpc user info dbb only returns my primary group. If I have /etc/nsswitch.conf configured with
>
>     groups: files nis
>
> then all my groups are shown when running the same net rpc command.
>
> In both cases, groups dbb and id -a dbb show all the groups I am a member of, getent group groupName shows the members of the group, and /usr/local/samba/bin/net groupmap list provides a list of groups (from LDAP), eg
>
>     Domain Users (S-1-5-21-440367617-1876916578-3462541782-513) -> Domain Users
>     Domain Guests (S-1-5-21-440367617-1876916578-3462541782-514) -> Domain Guests
>     Domain Computers (S-1-5-21-440367617-1876916578-3462541782-553) -> Domain Computers
>     Domain Vagrants (S-1-5-21-440367617-1876916578-3462541782-554) -> Domain Vagrants
>     Domain Sidekicks (S-1-5-21-440367617-1876916578-3462541782-590) -> Domain Sidekicks
>     Domain Admins (S-1-5-21-440367617-1876916578-3462541782-512) -> domadm
>
> The group objects in LDAP look like
>
>     dn: cn=,ou=Groups,dc=st-andrews,dc=ac,dc=uk
>     objectClass: posixGroup
>     objectClass: sambaGroupMapping
>     gidNumber:
>     cn:
>     memberUid: user1
>     memberUid: user2
>     memberUid: ...
>     description: Some Descriptive Term Here
>     sambaSID: S-1-5-21-xxx-yyy-zzz-
>     sambaGroupType: 2
>     displayName: Whatever
>
> where S-1-5-21-xxx-yyy-zzz is our domain SID.
>
> Watching the ldap logs, when I run net rpc user info dbb, Samba looks up all the groups root is in ((&(objectClass=sambaGroupMapping)(gidNumber=...))), for sambaSID=S-1-5-32-544 and 545, then for a whole bunch of sambaSIDLists (I have none set up) or sambaGroupMapping,sambaGroupType=4. It then looks up my account, searches for my primary group both by its gidNumber, then by its sambaSID, and then it stops.
>
> Is there extra configuration needed for looking up groups in ldap? It feels like an OS issue but the OS commands seem to return the correct output.
>
> OS is Solaris 10 sparc. Samba versions are 3.0.23c and 3.2.1
>
> Thanks,
> Duncan
Re: [Samba] net rpc group addmem returns NT_STATUS_ACCESS_DENIED
> Did you execute the following?:
>
>     smbpasswd -w LDAP_Secret_Password
>
> Also, check that the user you are using to do this, and/or the group that user belongs to, has the rights and privileges needed to do this:
>
>     net rpc rights list accounts -Uroot%password
>
> - John T.

I haven't tried that script as I was trying to add an existing user to a current group, so Samba calls

    /usr/local/sbin/smbldap-groupmod -m "dunk" "room11"

The script does work and adds the user to the group in LDAP; the Samba logs show the script returning 0, but the ACCESS_DENIED message still occurs, so I was wondering if something else should be happening and it's broken in a way that I've not noticed yet.

net rpc rights list accounts ... returned

    CROOMTEST\Domain Admins
    SeMachineAccountPrivilege
    SeTakeOwnershipPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeRemoteShutdownPrivilege
    SePrintOperatorPrivilege
    SeAddUsersPrivilege
    SeDiskOperatorPrivilege

but bin/net rpc rig
Re: Re : Re : [Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights
Ah, sorry, I assumed you didn't see the groups in Samba either.

Hope you get it sorted.

Cheers,
Duncan

[EMAIL PROTECTED] wrote:
> Good remark, Duncan, but on the Samba side, the command "net ads user info jdoe" can resolve all the user groups, including secondary ones.
>
> I checked on the Unix side with the ldapsearch command, using kerberos, that the authentication of the involved accounts can read all the required attributes in users and groups, and it is OK.
>
> I have no idea what's wrong; I am stuck and an expert could probably help us.
>
> Regards
>
> ----- Original message -----
> From: Duncan Brannen <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: samba@lists.samba.org
> Sent: Tuesday, 19 August 2008, 15:28:47
> Subject: Re: Re : [Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights
>
> Someone more knowledgeable may correct me, but I'd guess you have to fix that; if Solaris isn't picking up secondary groups for a user, I'd think Samba won't find them either.
>
> On my systems id -a returns all the groups; it's just the groups command when run as a non-root user that doesn't work on my systems with groups configured in ldap, and this seems enough to stop Samba picking up my secondary groups. Your system seems to be misbehaving in the opposite way. If I fix mine, I'll let you know what was wrong; I may just go back to NIS groups in nsswitch.conf.
>
> Cheers,
> Duncan
>
> [EMAIL PROTECTED] wrote:
>> Details on the groups command: to have the secondary groups, I have to enter "id -a" logged in as the user. As root, it doesn't work; "id -a jdoe" just returns the primary group.
>>
>> ----- Original message -----
>> From: Duncan Brannen
>> To: [EMAIL PROTECTED]
>> Cc: samba@lists.samba.org
>> Sent: Tuesday, 19 August 2008, 14:02:38
>> Subject: Re: [Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights
>>
>> Hi,
>>
>> I have a similar problem, no ADS in my setup, just no supplementary groups showing up (samba 3.2.1 and groups ldap in nsswitch.conf, as opposed to working with Samba 3.0.28 and groups nis in nsswitch.conf), Solaris 10 SPARC.
>>
>> Everything looks ok, getent, groups etc when logged in as root, but if I su to the user not getting any groups and type
>>
>>     groups
>>
>> I don't see any groups there bar the primary one.
>>
>> Are you seeing the same thing? IE if you're logged in as root and type
>>
>>     groups jdoe
>>
>> you see all of jdoe's groups, but if you su to jdoe and type
>>
>>     groups
>>
>> you only see the primary group? Just a long shot but might push you in the right direction?
>>
>> Cheers,
>> Duncan
>>
>> [EMAIL PROTECTED] wrote:
>>> Hi experts
>>>
>>> I have trouble with access rights. I am running Samba 3.0.31 on Solaris 10 x86 64 bits as a member server of an Active Directory 2003 R2 domain (MYDOMAIN) using Identity Management for Unix.
>>>
>>> I set rights to access a sub folder of a Samba share. On Solaris the user "toto" jdoe can write a new file. From Windows, the same user can't. It looks OK when the primary group (grp1) of the user is the group that owns the subtree, but not when this owner group is a secondary group (grp2). It is OK if I set the user right explicitly from MS Windows. I can't change the access rights to the group from MS Windows.
>>>
>>> I suspect Unix ownership or ACL to be the root cause but I can't exclude a Samba issue.
>>>
>>> Thanks for help
>>>
>>> Here are long details on my config (sorry for the parts that take place and no useful info, so just go to the valuable data)
>>>
>>> An extract from my smb.conf
>>>
>>>     [global]
>>>     ## part windows ##
>>>     host msdfs = no
>>>     netbios name = machines01
>>>     netbios aliases = 2store
>>>     server string = 2store
>>>     workgroup = MYDOMAIN
>>>     realm = MYDOMAIN.LOCAL
>>>     security = ADS
>>>     use kerberos keytab = yes
>>>     use spnego = yes
>>>     client use spnego = yes
>>>     password server = machinew01.MYDOMAIN.local machinew07.MYDOMAIN.local
>>>     # unix extensions = no
>>>     machine password timeout = 0
>>>     # logon path = \\machines01\profiles\%U
>>>     template shell = /bin/bash
>>>     hosts allow = 127.0.0.1, 192.168.10.0/255.255.255.0, 192.168.11.0/255.255.255.0
>>>     ## part samba engine ##
>>>     max log size = 5
>>>     log level = 10
>>>     syslog = 0
>>>     log file = /var/log/samba/%m
>>>     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>     ## part ldap and idmap ##
>>>     ldap admin dn = "cn=myadmin,cn=users,dc=MYDOMAIN,dc=local"
>>>     ldap idmap suffix = ou=idmap
>>>     ldap ssl = no
>>>     idmap backend = ldap:ldap://machinew01.MYDOMAIN.local ldap:ldap://machinew07.MYDOMAIN.local
>>>     #idmap backend = 0-2
>>>     #idmap backend = ad
>>>     idmap uid = 1-2
Re: Re : [Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights
Someone more knowledgeable may correct me, but I'd guess you have to fix that, if Solaris isn't picking up secondary groups for a user, I'd think Samba won't find them either. On my systems id -a returns all the groups, it's just the groups command when run as a non root user that doesn't work on my systems with groups configured in ldap and this seems enough to stop Samba picking up my secondary groups. Your systems seems to be misbehaving in the opposite way. If I fix mine, I'll let you know what was wrong, I may just go back to NIS groups in nsswitch.conf. Cheers, Duncan [EMAIL PROTECTED] wrote: details on grous command To have the secondary groups, I have to enter "id -a" logged as the user As root, It doesn't work. "id -a jdoe" just returns the primary group - Message d'origine De : Duncan Brannen <[EMAIL PROTECTED]> À : [EMAIL PROTECTED] Cc : samba@lists.samba.org Envoyé le : Mardi, 19 Août 2008, 14h02mn 38s Objet : Re: [Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights Hi, I have a similar problem, no ADS in my setup, just no supplementary groups showing up (samba 3.2.1 and groups ldap in nsswitch.conf as opposed to working with Samba 3.0.28 and groups nis in nsswitch.conf) Solaris 10 SPARC Everything looks ok, getent, groups etc when logged in as root, but if I su to the user not getting any groups and type groups I don't see any groups there bar the primary one. Are you seeing the same thing? IE if you're logged in as root and type groups jdoe You see all of jdoe's groups but if you su to jdoe and type groups You only see the primary group? Just a long shot but might push you in the right direction? Cheers, Duncan [EMAIL PROTECTED] wrote: Hi experts I have a trouble in access rights I am running Samba 3.0.31 on Solaris 10 x86 64 bits as member server of an Active Directory 2003 R2 domain (MYDOMAIN) using Identity Management for Unix I set rights to access a sub folder of a Samba share. 
On Solaris the user "toto" jdoe can write a new file. From Windows, the same user can't. Itlooks like OK when the primary group (grp1) of the user is the group that own the subtree but not when this owner group is a secondary group (grp2). It is OK If I set explicitly the user right from MS Windows I can't change the access rights to the group from MS Windows I suspect Unix ownership or ACL to be the root cause but I can't exclude a Samba issue Thanks for help he parts that take place and no useful info, so just go to the valuable data) An extract from my smb.conf [global] ## part windows ## host msdfs = no netbios name = machines01 netbios aliases = 2store server string = 2store workgroup = MYDOMAIN realm = MYDOMAIN.LOCAL security = ADS use kerberos keytab = yes obey pam restrictions = Yes use spnego = yes client use spnego = yes password server = machinew01.MYDOMAIN.local machinew07.MYDOMAIN.local # unix extensions = no machine password timeout = 0 # logon path = \\machines01\profiles\%U template shell = /bin/bash hosts allow = 127.0.0.1, 192.168.10.0/255.255.255.0, 192.168.11.0/255.255.255.0 ## part samba engine ## max log size = 5 log level = 10 syslog = 0 log file = /var/log/samba/%m socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 ## part ldap et idmap ## ldap admin dn = "cn=myadmin,cn=users,dc=MYDOMAIN,dc=local" ldap idmap suffix = ou=idmap ldap ssl = no idmap backend = ldap:ldap://machinew01.MYDOMAIN.local ldap:ldap://machinew07.MYDOMAIN.local #idmap backend = 0-2 #idmap backend = ad idmap uid = 1-2 idmap gid = 1-2 #idmap config MYDOMAIN:schema_mode = rfc2307 ## part winbind ## winbind nss info = rfc2307 winbind cache time = 5 winbind refresh tickets = Yes winbind use default domain = Yes winbind trusted domains only = Yes winbind nested groups = Yes winbind enum groups = Yes winbind enum users = Yes [data] comment = Samba data folder path = /samba/data read o ctory mask = 0750 guest ok = Yes Check the Unix name resolution getent passwd jdoe 
jdoe:x:10037:10002:John DOE:/home/jdoe:/bin/sh

getent group grp2
grp2::10004:myadmin,jdoe,demo1,demo2,demo3

I can check that Samba can resolve whether the user is a member of the group:

/usr/local/samba/bin/net ads user info jdoe
grp2
grp1

/usr/local/samba/bin/wbinfo -G 10004
S-1-
Re: [Samba] Samba 3.0.x access rights issue with secondary groups or Unix rights
Hi,

I have a similar problem, no ADS in my setup, just no supplementary groups showing up (Samba 3.2.1 and groups ldap in nsswitch.conf, as opposed to working with Samba 3.0.28 and groups nis in nsswitch.conf), Solaris 10 SPARC.

Everything looks OK (getent, groups etc.) when logged in as root, but if I su to the user not getting any groups and type groups, I don't see any groups there bar the primary one. Are you seeing the same thing? I.e. if you're logged in as root and type

groups jdoe

you see all of jdoe's groups, but if you su to jdoe and type

groups

you only see the primary group? Just a long shot, but it might push you in the right direction.

Cheers,
Duncan

[EMAIL PROTECTED] wrote:

Hi experts,

I have a problem with access rights. I am running Samba 3.0.31 on Solaris 10 x86 64 bits as a member server of an Active Directory 2003 R2 domain (MYDOMAIN) using Identity Management for Unix. I set rights to access a sub folder of a Samba share. On Solaris the user "toto" jdoe can write a new file. From Windows, the same user can't. It looks OK when the primary group (grp1) of the user is the group that owns the subtree, but not when this owner group is a secondary group (grp2).
It is OK if I set the user right explicitly from MS Windows. I can't change the access rights of the group from MS Windows. I suspect Unix ownership or ACLs to be the root cause, but I can't exclude a Samba issue. Thanks for help.

Here are long details on my config (sorry for the parts that take up space with no useful info, so just go to the valuable data).

An extract from my smb.conf:

[global]
## part windows ##
host msdfs = no
netbios name = machines01
netbios aliases = 2store
server string = 2store
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
security = ADS
use kerberos keytab = yes
obey pam restrictions = Yes
use spnego = yes
client use spnego = yes
password server = machinew01.MYDOMAIN.local machinew07.MYDOMAIN.local
# unix extensions = no
machine password timeout = 0
# logon path = \\machines01\profiles\%U
template shell = /bin/bash
hosts allow = 127.0.0.1, 192.168.10.0/255.255.255.0, 192.168.11.0/255.255.255.0
## part samba engine ##
max log size = 5
log level = 10
syslog = 0
log file = /var/log/samba/%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
## part ldap and idmap ##
ldap admin dn = "cn=myadmin,cn=users,dc=MYDOMAIN,dc=local"
ldap idmap suffix = ou=idmap
ldap ssl = no
idmap backend = ldap:ldap://machinew01.MYDOMAIN.local ldap:ldap://machinew07.MYDOMAIN.local
#idmap backend = 0-2
#idmap backend = ad
idmap uid = 1-2
idmap gid = 1-2
#idmap config MYDOMAIN:schema_mode = rfc2307
## part winbind ##
winbind nss info = rfc2307
winbind cache time = 5
winbind refresh tickets = Yes
winbind use default domain = Yes
winbind trusted domains only = Yes
winbind nested groups = Yes
winbind enum groups = Yes
winbind enum users = Yes

[data]
comment = Samba data folder
path = /samba/data
read only = No
create mask = 0740
directory mask = 0750
guest ok = Yes

Check the Unix name resolution:

getent passwd jdoe
jdoe:x:10037:10002:John DOE:/home/jdoe:/bin/sh

getent group grp2
grp2::10004:myadmin,jdoe,demo1,demo2,demo3

I can check that Samba can resolve whether the user is a member of the group:

/usr/local/samba/bin/net ads user info jdoe
grp2
grp1

/usr/local/samba/bin/wbinfo -G 10004
S-1-5-21-2269603188-533060101-51835291-1642

/usr/local/samba/bin/wbinfo -Y S-1-5-21-2269603188-533060101-51835291-1642
10004

/usr/local/samba/bin/wbinfo -R 10004
winbind_lookup_rids failed
Could not lookup RIDs 10004

Review of the access rights:

ls -al /samba/data/level1/level2/level3/level4
drwxrwsr-x+ 19 myadmin grp2 512 Aug 15 11:18 .
drwxr-x---   9 myadmin grp1 512 Aug 12 16:06 ..
drwxrws---+  3 myadmin grp2 512 Jun 27 10:58 general
-rwxr-+ 1 jdoe grp20 Aug 15 11:18 New Text Document from Windows.txt
-rwxrw 1 jdoe grp2 44 Aug 15 11:14 newdocfromunix.txt

*** ACTION: I tried on Unix to change the group owner of ".." to grp2, but that removed all jdoe access from Windows.

Test POSIX ACLs:

getfacl -a /samba/data/level1/level2/level3/level4/
# file: /samba/data/level1/level2/level3/level4/
# owner: myadmin
# group: grp2
user::rwx
group::rwx              #effective:rwx
other:r-x

getfacl -a /samba/data/level1/leve vel3
# file: /samba/data/level1/level2/level3
# owner: myadmin
# group: grp1
user::rwx
group::r-x              #effective:r-x
mask:r-x
other:---

getfacl -a /samba/data
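The check Duncan suggests in this thread (what the group database says about a user versus what the system reports for that user) can be scripted. The following is an added example, not code from the thread or from Samba. It parses group and passwd records in Solaris /etc/group and /etc/passwd format (the sample data below is constructed from the jdoe, grp1 and grp2 values quoted above), works out which gids the user should receive, and reports the ones missing from an `id -G` listing. `live_check` runs the same comparison against the host's own getent and id output (the POSIX `id -G`, which on Solaris 10 is /usr/xpg4/bin/id); run it once as root and once from an su session for the user to reproduce the thread's comparison.

```python
"""Cross-check a user's supplementary groups against the group database.

Added example for the nsswitch / nss_ldap discussion in this thread; it is
not code from the thread or from Samba. SAMPLE_* and ID_OUTPUT_* below are
constructed to mirror the values and the two behaviours described there.
"""
import subprocess
from typing import Dict, Set, Tuple

# Constructed sample data (Solaris /etc/group and /etc/passwd format).
SAMPLE_GROUP_DB = """\
grp1::10002:
grp2::10004:myadmin,jdoe,demo1,demo2,demo3
other::1:root
"""
SAMPLE_PASSWD_DB = "jdoe:x:10037:10002:John DOE:/home/jdoe:/bin/sh\n"

# Constructed `id -G jdoe` outputs: all groups seen by root, only the
# primary group seen once su'd to the user (the symptom in the thread).
ID_OUTPUT_AS_ROOT = "10002 10004"
ID_OUTPUT_AS_USER = "10002"


def parse_group_db(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Map group name -> (gid, set of explicitly listed member names)."""
    groups: Dict[str, Tuple[int, Set[str]]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("#", "+", "-")):
            continue  # skip comments and compat-mode (+/-) entries
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def primary_gid(passwd_text: str, user: str) -> int:
    """The gid field of the user's passwd record."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if fields and fields[0] == user:
            return int(fields[3])
    raise KeyError(user)


def expected_gids(group_text: str, passwd_text: str, user: str) -> Set[int]:
    """Every gid the user should carry: primary gid plus explicit memberships."""
    gids = {primary_gid(passwd_text, user)}
    for gid, members in parse_group_db(group_text).values():
        if user in members:
            gids.add(gid)
    return gids


def missing_gids(expected: Set[int], id_output: str) -> Set[int]:
    """gids the group database grants that `id -G` did not report."""
    reported = {int(tok) for tok in id_output.split()}
    return expected - reported


def live_check(user: str) -> Set[int]:
    """Run the same comparison on this host (needs getent and a POSIX id)."""
    def run(*argv: str) -> str:
        return subprocess.run(argv, capture_output=True, text=True, check=True).stdout

    group_text = run("getent", "group")
    passwd_text = run("getent", "passwd", user)
    return missing_gids(expected_gids(group_text, passwd_text, user), run("id", "-G", user))


if __name__ == "__main__":
    expected = expected_gids(SAMPLE_GROUP_DB, SAMPLE_PASSWD_DB, "jdoe")
    print("expected gids for jdoe:", sorted(expected))
    print("missing when listed as root:", sorted(missing_gids(expected, ID_OUTPUT_AS_ROOT)))
    print("missing when listed as jdoe:", sorted(missing_gids(expected, ID_OUTPUT_AS_USER)))
```

A clean result only says that enumeration (getent group) and the per-user lookup (id) agree; that disagreement is exactly what the thread describes, and it is the per-user path (initgroups/getgrouplist) that smbd relies on when it builds a user's token, so a gid reported here as missing is one Samba will not see either.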
[Samba] Overlaying acls onto a share.
Not sure if this is what I'm looking for, but if it's possible with Samba, I'd appreciate pointers at the correct documentation.

We've got a bunch of filespace shared out onto our Samba server from a fileserver that doesn't support ACLs, so we're stuck using basic rwxr-x type permissions. Each share is assigned to a Unit, so we've controlled access by group and put members of the unit into the group, or just listed the users. However, the units want shares broken into subfolders to which group members have read/write or no access. Basic file permissions mean doing this with further groups, and with people being in multiple units we've soon run into the 16 group limit. (Samba's running on Solaris and the filespace is an NFS mount.)

So on to the question. Can I use Samba to overlay file permissions over the top of these shares, which could be either LDAP group or user based, thus leaving a unit's files all owned by the same underlying user/group? And if not, has anyone come across and solved this problem another way?

Pointers welcome.

Thanks,
Duncan

--
The University of St Andrews is a charity registered in Scotland : No SC013532
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
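One way to do what this message asks, added here as an example and not part of the original post or of any real configuration: let smbd, not the NFS-backed file system, decide who gets in. `force user` and `force group` make every file operation run as one Unix identity per unit, so the NFS server only ever sees that identity and the files stay uniformly owned, while `valid users`, `read list` and `write list` carry the per-user and per-group decisions. All three accept @group names resolved through nsswitch, so LDAP groups work without touching the Unix mode bits. Share paths, group names and the service account are assumptions.

```ini
# Unit-wide share: everyone in the unit reads, the editors write.
[unit-a]
    path = /nfs/units/unit-a
    browseable = yes
    guest ok = no
    valid users = @unit-a-readers, @unit-a-editors
    read list = @unit-a-readers
    write list = @unit-a-editors
    ; every operation runs as this one Unix identity, so the NFS server
    ; sees a single owner and no per-user group membership is needed
    force user = unita
    force group = unita
    create mask = 0660
    directory mask = 0770
    ; keep the restricted sub-folder out of reach from the wider share
    veto files = /finance/

# Restricted sub-folder, exposed as its own share with a tighter list.
[unit-a-finance]
    path = /nfs/units/unit-a/finance
    browseable = yes
    guest ok = no
    valid users = @unit-a-finance
    write list = @unit-a-finance
    force user = unita
    force group = unita
    create mask = 0660
    directory mask = 0770
```

Two caveats. smbd enforces `valid users`, `read list` and `write list` per share, not per directory, so a folder the wider unit must not see cannot simply sit inside a share those users can browse; here `veto files` hides and blocks it on the parent share and a separate share exposes it to the finance group. And once `force user` is in play the Unix permission check no longer reflects the connecting user, so a mistake in a share's lists is an authorisation failure nothing else will catch; `guest ok` must stay off on every such share, and the group lookups depend on the same nsswitch path that the nss_ldap threads on this page show going wrong.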
Re: [Samba] Strange NT_STATUS_PASSWORD errors after upgrade to 3.0.26a
Setting the User Account Flags to [UX] on the LDAP server allows the user to log in. Prior to this, pdbedit was reporting 'Password must change: 0'; should that have been -1? Any way to get back to what seemed to be the default behaviour prior to 3.0.25?

Cheers,
Duncan

Duncan Brannen wrote:

Thanks John,

Setting this to 0 (zero) or not having it present seems to work with 3.0.23c, but with 3.0.26a I still get the NT_STATUS_PASSWORD_MUST_CHANGE error. Looking at the code the log points to (auth/auth_sam.c, line 172), there is a change between 23c and 26a which may or may not point to the answer. It doesn't look obvious to me.

3.0.26a:

    if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP) && !(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) {
        time_t must_change_time = pdb_get_pass_must_change_time(sampass);
        time_t last_set_time = pdb_get_pass_last_set_time(sampass);

        /* check for immediate expiry "must change at next logon" */
        if (last_set_time == 0) {
            DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass)));
            return NT_STATUS_PASSWORD_MUST_CHANGE;
        }

# diff samba-3.0.26a/source/auth/auth_sam.c samba-3.0.23c/source/auth/auth_sam.c 166c166 < if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP) && !(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) { --- > if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP)) { 171c171 < if (last_set_time == 0) { --- > if (must_change_time == 0 && last_set_time != 0) {

Cheers,
Duncan
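Review bot: the 171c171 change drops the must_change_time test entirely, so in 3.0.26a any account whose password-last-set time (pdb_get_pass_last_set_time) is 0 is refused with NT_STATUS_PASSWORD_MUST_CHANGE whether or not a must-change deadline exists, where 3.0.23c only refused when must_change_time == 0 and last_set_time != 0. That is exactly the population that breaks here: accounts populated outside Samba with no last-set time recorded, which 23c let through and which also explains the 'Password must change: 0' pdbedit output above. The widened guard in 166c166 is the intended escape hatch, since ACB_PWNOEXP (pdbedit flag X) or ACB_PWNOTREQ (flag N) now bypasses the check, which is why [UX] works; the alternative that keeps expiry policy meaningful for such accounts is to record a real last-set time on them rather than switching expiry off.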
Re: [Samba] Strange NT_STATUS_PASSWORD errors after upgrade to 3.0.26a
Thanks John,

Setting this to 0 (zero) or not having it present seems to work with 3.0.23c, but with 3.0.26a I still get the NT_STATUS_PASSWORD_MUST_CHANGE error. Looking at the code the log points to (auth/auth_sam.c, line 172), there is a change between 23c and 26a which may or may not point to the answer. It doesn't look obvious to me.

3.0.26a:

    if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP) && !(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) {
        time_t must_change_time = pdb_get_pass_must_change_time(sampass);
        time_t last_set_time = pdb_get_pass_last_set_time(sampass);

        /* check for immediate expiry "must change at next logon" */
        if (last_set_time == 0) {
            DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", pdb_get_username(sampass)));
            return NT_STATUS_PASSWORD_MUST_CHANGE;
        }

# diff samba-3.0.26a/source/auth/auth_sam.c samba-3.0.23c/source/auth/auth_sam.c 166c166 < if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP) && !(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) { --- > if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOEXP)) { 171c171 < if (last_set_time == 0) { --- > if (must_change_time == 0 && last_set_time != 0) {

Cheers,
Duncan

John Drescher wrote:

On Nov 15, 2007 12:20 PM, Duncan Brannen <[EMAIL PROTECTED]> wrote:

Rolling back to 3.0.23c has worked. The error with 3.0.23c was a change made to my account when looking at the 3.0.26a problem, as is blatantly obvious from the log below. Any ideas as to why 3.0.26a shouldn't be working? I'm guessing it's something LDAP related?

I think your problem is that the password expiration is on a per-user basis in the LDAP. The key param is sambaPwdMustChange.

John
Re: [Samba] Strange NT_STATUS_PASSWORD errors after upgrade to 3.0.26a
Rolling back to 3.0.23c has worked. The error with 3.0.23c was a change made to my account when looking at the 3.0.26a problem, as is blatantly obvious from the log below. Any ideas as to why 3.0.26a shouldn't be working? I'm guessing it's something LDAP related?

Thanks,
Duncan

Duncan Brannen wrote:

I tried reinstalling 3.0.23c and now get

init_sam_from_ldap: Entry found for user: dbb
[2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(178)
  sam_account_ok: Account for user 'dbb' password expired!.
[2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(179)
  sam_account_ok: Password expired at 'Mon, 16 Feb 1970 08:06:40 BST' (400) unix time.
[2007/11/15 16:28:13, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [CLASSROOM] was for this SAM.
[2007/11/15 16:28:13, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED with error NT_STATUS_PASSWORD_EXPIRED

Cheers,
Duncan
Re: [Samba] Strange NT_STATUS_PASSWORD errors after upgrade to 3.0.26a
It does look like Samba > 3.0.23c now writes extra info into the sambaDomain object in LDAP (?):

sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutThreshold: 0
sambaMinPwdLength: 5

but that looks like it shouldn't be expiring passwords (-1). Should it?

Cheers,
Duncan

Duncan Brannen wrote:

Hi,

I just upgraded one of our Samba BDCs (with LDAP back end on Solaris 10) from 3.0.23c to 3.0.26a and can no longer mount shares. The error message I'm seeing in the Samba logs is

[2007/11/15 14:15:26, 1] auth/auth_sam.c:sam_account_ok(172)
  sam_account_ok: Account for user 'dbb' password must change!.
[2007/11/15 14:15:26, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [CLASSROOM] was for this SAM.
[2007/11/15 14:15:26, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
[2007/11/15 14:15:26, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(1489) cmd=115 (SMBsesssetupX) NT_STATUS_PASSWORD_MUST_CHANGE

I tried reinstalling 3.0.23c and now get

init_sam_from_ldap: Entry found for user: dbb
[2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(178)
  sam_account_ok: Account for user 'dbb' password expired!.
[2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(179)
  sam_account_ok: Password expired at 'Mon, 16 Feb 1970 08:06:40 BST' (400) unix time.
[2007/11/15 16:28:13, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [CLASSROOM] was for this SAM.
[2007/11/15 16:28:13, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED with error NT_STATUS_PASSWORD_EXPIRED

Any thoughts? It worked fine earlier. I've tried deleting all the var/locks tdb files and the private/*.tdb files, resetting the SID and smbpassword, but it doesn't seem to help. Reasoning for this is that there seemed to be a new Account Policy entry appearing in the gencache.tdb file to do with password age after the upgrade. There isn't anything set in the Samba attributes of the LDAP accounts to do with password expiry, so it's all default.

Cheers,
Duncan
[Samba] Strange NT_STATUS_PASSWORD errors after upgrade to 3.0.26a
Hi,

I just upgraded one of our Samba BDCs (with LDAP back end on Solaris 10) from 3.0.23c to 3.0.26a and can no longer mount shares. The error message I'm seeing in the Samba logs is

[2007/11/15 14:15:26, 1] auth/auth_sam.c:sam_account_ok(172)
  sam_account_ok: Account for user 'dbb' password must change!.
[2007/11/15 14:15:26, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [CLASSROOM] was for this SAM.
[2007/11/15 14:15:26, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
[2007/11/15 14:15:26, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(1489) cmd=115 (SMBsesssetupX) NT_STATUS_PASSWORD_MUST_CHANGE

I tried reinstalling 3.0.23c and now get

init_sam_from_ldap: Entry found for user: dbb
[2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(178)
  sam_account_ok: Account for user 'dbb' password expired!.
[2007/11/15 16:28:13, 1] auth/auth_sam.c:sam_account_ok(179)
  sam_account_ok: Password expired at 'Mon, 16 Feb 1970 08:06:40 BST' (400) unix time.
[2007/11/15 16:28:13, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [CLASSROOM] was for this SAM.
[2007/11/15 16:28:13, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [dbb] -> [dbb] FAILED with error NT_STATUS_PASSWORD_EXPIRED

Any thoughts? It worked fine earlier. I've tried deleting all the var/locks tdb files and the private/*.tdb files, resetting the SID and smbpassword, but it doesn't seem to help. Reasoning for this is that there seemed to be a new Account Policy entry appearing in the gencache.tdb file to do with password age after the upgrade. There isn't anything set in the Samba attributes of the LDAP accounts to do with password expiry, so it's all default.

Cheers,
Duncan
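The replies in this thread quote the immediate-expiry check from auth/auth_sam.c in 3.0.23c and 3.0.26a. As an added example, not Samba code and not the poster's, here is a Python model of just those two conditions, fed with the sambaAcctFlags string and the two timestamps, so one can predict from an LDAP export which accounts the upgraded server will refuse before upgrading. The ACB_* bit values and the pdbedit flag letters are Samba's account-control encoding; the sample accounts are constructed. The separate 'password expired' test that the 23c log above shows firing is not modelled.

```python
"""Model of the "must change at next logon" test in Samba 3.0.23c and 3.0.26a.

Added example for this thread; it is not Samba code and not the poster's.
It reproduces only the two conditions quoted in the thread.
"""
from typing import Dict, List, NamedTuple, Tuple

# Account-control bits as Samba defines them (SAMR ACB_* values).
ACB_DISABLED = 0x0001
ACB_PWNOTREQ = 0x0004
ACB_NORMAL = 0x0010
ACB_PWNOEXP = 0x0200

# pdbedit / sambaAcctFlags letters -> bits (the subset relevant here).
FLAG_LETTERS = {"D": ACB_DISABLED, "N": ACB_PWNOTREQ, "U": ACB_NORMAL, "X": ACB_PWNOEXP}

OK = "NT_STATUS_OK"
MUST_CHANGE = "NT_STATUS_PASSWORD_MUST_CHANGE"


class Account(NamedTuple):
    name: str
    acct_flags: str        # sambaAcctFlags, e.g. "[U          ]"
    last_set_time: int     # password last-set time, 0 if never recorded
    must_change_time: int  # must-change deadline, 0 if unset


def decode_acct_ctrl(flags: str) -> int:
    """'[UX         ]' -> ACB bits; padding spaces and unknown letters are ignored."""
    ctrl = 0
    for ch in flags.strip().strip("[]"):
        ctrl |= FLAG_LETTERS.get(ch, 0)
    return ctrl


def immediate_expiry_26a(acct: Account) -> str:
    """3.0.26a: PWNOEXP or PWNOTREQ is exempt; otherwise refuse when last_set_time == 0."""
    ctrl = decode_acct_ctrl(acct.acct_flags)
    if not (ctrl & ACB_PWNOEXP) and not (ctrl & ACB_PWNOTREQ):
        if acct.last_set_time == 0:
            return MUST_CHANGE
    return OK


def immediate_expiry_23c(acct: Account) -> str:
    """3.0.23c: only PWNOEXP is exempt; refuse when must_change_time == 0 and last_set_time != 0."""
    ctrl = decode_acct_ctrl(acct.acct_flags)
    if not (ctrl & ACB_PWNOEXP):
        if acct.must_change_time == 0 and acct.last_set_time != 0:
            return MUST_CHANGE
    return OK


def compare(accounts: List[Account]) -> Dict[str, Tuple[str, str]]:
    """name -> (result under 3.0.23c, result under 3.0.26a)."""
    return {a.name: (immediate_expiry_23c(a), immediate_expiry_26a(a)) for a in accounts}


# Constructed sample accounts covering the cases discussed in the thread.
SAMPLES = [
    Account("never-set", "[U          ]", 0, 0),              # created outside Samba
    Account("no-expire", "[UX         ]", 0, 0),              # the [UX] workaround
    Account("set-no-deadline", "[U          ]", 1195143600, 0),
    Account("set-with-deadline", "[U          ]", 1195143600, 2147483647),
]

if __name__ == "__main__":
    for name, (r23c, r26a) in compare(SAMPLES).items():
        print(f"{name:18s} 3.0.23c={r23c:31s} 3.0.26a={r26a}")
```

The first sample is the thread's case: an account with no last-set time is accepted by 23c and refused by 26a, and adding X makes both accept it. The third sample shows the reverse, an account 23c refuses (a last-set time but no deadline) that 26a lets through, so the change is not simply stricter.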
Re: [Samba] Re: Sharing Accounts between Servers and SIDs
When I did this, I did a getlocalsid on the Samba server and used that as the prefix for all user SIDs, so the sambaSID became - . I then did a setlocalsid on the other servers wanting to use the same user base.

As far as I could tell, the only thing Samba tries to write is the sambaDomainName. If you write it into the master manually, Samba should stop trying to add it.

dn: sambaDomainName=, dc=example,dc=com
sambaDomainName:
sambaSID:
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextRid: 1104

I don't use the RidBase or NextRid, as users and machines have these assigned outside of Samba.

Hope this helps.

Cheers,
Duncan

Peter Daum wrote:

To answer my own question: No, it doesn't work like this! Samba complained about any SID I tried as being invalid. (Unfortunately, I couldn't find any hint about what constitutes a "valid" SID.) Furthermore, it seems like when using the samba3 ldapsam backend, Samba wants to write all kinds of stuff into the LDAP directory (which does not work because the directory is replicated and Samba only has access to a read-only copy; for many reasons, I also don't want Samba to be able to write the LDAP directory). Is it possible at all to use the Samba3 ldapsam backend with this setup? (With Samba2 it worked without any problem; starting with Samba3 the focus of Samba obviously shifted mostly towards being as Windows-like as possible; right now I am using Samba 3.0.23b.) I am trying to keep out everything that only makes sense within a pure Windows domain controller based network - all I want is a bunch of Samba servers using a shared account database. The clients don't do domain logons but just connect to single servers, which should consider all users with a valid Unix account as local users and authenticate based on the LM/NT password hashes stored in the LDAP directory.

Any help is appreciated.

Regards,
Peter Daum

Peter Daum wrote:

I maintain a heterogeneous network with a shared LDAP account database.
The user accounts have globally unique user names, UIDs and RIDs. Some, but not all, accounts are valid on all machines, but there is no need for Samba to care about this, because there simply won't be a Unix account for invalid users. There are no MS servers involved, and because every Samba server has the same user account base and does its own authentication, there is no need for winbind. The Samba servers currently still use the old Samba2-compatible ldapsam_compat passdb backend, which I eventually want to migrate to the current sambaSamAccount. While most attributes just changed their names, which shouldn't make much difference, I am a little uncertain how to handle the new sambaSID attribute without breaking my setup: would it work to just put a dummy domain with SID "S-1-0-0" in the directory and use this as a prefix for all the user SIDs? Currently, every server has its own SID (which is created by Samba; so far there was no reason to worry about this), but with the new LDAP schema I am afraid that Samba might not accept such an account as a valid local account ... Any recommendations?

Regards,
Peter Daum
Re: [Samba] Samba Anonymous LDAP Authentication
Why not create an admin user in the LDAP server which only has read access to the Samba attributes of the user, as well as the uid and group info? Then make that user only have those privileges from the specific IP of the other Samba server.

Duncan

Matthew Crites wrote:

Hello all. I have a Samba PDC server working great already. However, on another host on the network I would like to set up a Samba server that authenticates to the same LDAP server that my Samba PDC is using. However, I want to do this anonymously, without telling the second server the admin password for LDAP. I cannot seem to find any documentation for anonymous LDAP authentication using Samba. Do I have to give Samba the admin password just to access authentication records?
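An OpenLDAP ACL that implements the suggestion, added here as an example rather than anything from the thread or from a real deployment; the DNs, attribute list and addresses are assumptions. Each Samba host gets its own bind DN, which may read the password hashes only from that host's address; nobody else can read them, and the non-secret account attributes stay readable for nss_ldap. slapd applies the first `access to` clause whose target matches, so the attribute-specific rules have to come before the catch-all.

```conf
# slapd.conf on the LDAP server (assumed names and addresses)

# The SMB password hashes: one read-only bind DN per Samba host, valid
# only when the bind arrives from that host. The PDC also needs write
# access for password changes.
access to attrs=sambaLMPassword,sambaNTPassword
        by dn.exact="cn=samba-pdc,ou=Services,dc=example,dc=com" peername.ip=192.0.2.10 write
        by dn.exact="cn=samba-member,ou=Services,dc=example,dc=com" peername.ip=192.0.2.11 read
        by * none

# The Unix password is never readable; binds may still authenticate against it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else (uid, uidNumber, gidNumber, sambaSID, sambaAcctFlags, ...)
# is what nss_ldap and Samba need for lookups.
access to *
        by dn.exact="cn=samba-pdc,ou=Services,dc=example,dc=com" peername.ip=192.0.2.10 write
        by * read
```

Two things to keep in mind. The LM/NT hashes are password equivalents for SMB, so a DN that can read them is as sensitive as the admin DN, and its credential will sit in the second server's secrets.tdb; the peername restriction only limits where that credential can be used from. And the hashes must not cross the network in clear, so pair this with `ldap ssl = start tls` (or an ldaps URL) in the member server's smb.conf, which the `ldap ssl = no` in the configuration quoted further up this page does not do.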
[Samba] Samba 3.0.23c memory usage increased ten fold to over 70Mb / smbd process
Hi,

I'm running Samba 3.0.23c on Solaris 10. The smbd processes on my PDC have increased in size from 7 MB to up to 86 MB, the majority of which seems to be resident.

 3940 root 77M 72M sleep 590 0:00:01 0.1% smbd/1
14174 root 77M 73M sleep 590 0:00:10 0.1% smbd/1
13551 root 77M 73M sleep 590 0:00:18 0.1% smbd/1
19888 root 77M 73M sleep 590 0:00:10 0.1% smbd/1
29251 root 77M 73M sleep 590 0:00:13 0.1% smbd/1
20490 root 78M 73M sleep 590 0:00:19 0.1% smbd/1
 1311 root 86M 81M sleep 590 0:05:58 0.1% smbd/1
 7095 root 77M 70M sleep 590 0:00:00 0.0% smbd/1
 1969 root 77M 73M sleep 590 0:00:02 0.0% smbd/1
10797 root 84M 79M sleep 590 0:06:06 0.0% smbd/1
 7638 root 74M 49M sleep 590 0:00:00 0.0% smbd/1
29414 root 77M 71M sleep 590 0:00:00 0.0% smbd/1
28282 root 79M 74M sleep 590 0:00:40 0.0% smbd/1
 3155 root 77M 72M sleep 590 0:00:01 0.0% smbd/1
21683 root 77M 70M sleep 590 0:00:06 0.0% smbd/1
 2996 root 77M 71M sleep 590 0:00:01 0.0% smbd/1

The increase seems to be coming from the connections.tdb file, which is being loaded by every process. From pmap:

FA40 64896K rw-s- dev:32,0 ino:301744

The address changes for each smbd process, but the dev:32,0 ino:301744 remains constant.

-rw-r--r-- 1 root root 66453504 Sep 29 15:07 /usr/local/samba/var/locks/connections.tdb

(Sizes are identical, so I guess it's this file which is mapped.)

I've currently got 480 smbd processes running and very little RAM left.

Question: Can I clean out the connections.tdb somehow, or is it a case of shutdown / close all user files / delete connections.tdb / restart? Our classrooms are 24 hour, so restarting is difficult.

Is setting Max Connections to 1 on the netlogon share a viable way to stop Win2K machines getting that server as their %LOGONSERVER%, and thus getting users off to let me restart? (We've 3 BDCs doing nothing.)

Our clients are on networks A, B, C, D, E and F; we have a PDC on Z, BDCs on W, X and Y, and the WINS server on G. Is there a way to bias the Win2K clients towards the BDCs? I've currently got approx 15 connections to each BDC and 480 to the PDC; they're in similar areas and ping times to each are equivalent. That would get some of the memory load off the PDC.

Cheers,
Duncan
Re: [Samba] RE: Trouble compiling Samba 3.0.23c on Solaris 10
You don't say, but are you using gcc from /usr/sfw/bin? I've found Samba pretty straightforward to compile using gcc from there and setting my library / include paths to include /usr/sfw/lib and /usr/sfw/include.

Duncan

-----Original Message-----
From: van der Werf, Bettina
Sent: Wednesday, 13 September 2006 03:08
To: 'samba@lists.samba.org'
Subject: Trouble compiling Samba 3.0.23c on Solaris 10

Hi everyone,

I'm trying to compile Samba 3.0.23c on Solaris 10. I have...
- applied the latest Solaris 10 patch cluster
- installed autoconf and run autogen.sh
- successfully run configure with the following options...

./configure --with-PACKAGE --with-winbind --with-pam --prefix=/opt/samba

...but when I run make I get the following errors...

...
Compiling lib/sendfile.c
lib/sendfile.c: In function `sys_sendfile':
lib/sendfile.c:188: warning: cast from pointer to integer of different size
...
Compiling auth/pampass.c
auth/pampass.c: In function `smb_setup_pam_conv':
auth/pampass.c:422: warning: assignment from incompatible pointer type
...
Linking nsswitch/libnss_winbind.so
ld: warning: option -o appears more than once, first setting taken
...
Compiling auth/iconv.c
lib/iconv.c: In function `sys_iconv':
lib/iconv.c:141: warning: passing arg 2 of `iconv' from incompatible pointer type
...

...then I cannot build the package with makepkg.sh. I am using gcc to compile. I have tried...
- unsetting LD_LIBRARY_PATH
- running configure with --with-included-popt and --with-ldap=no
- compiling Samba 3.0.23b
- compiling on a different server

...but I always get the same errors. Any assistance at all would be appreciated!

Many thanks,
Bettina

Bettina van der Werf
UNIX Systems Administrator
L38, Central Park, 152 St George's Tce, Perth, WA 6000
P: (08) 9415 5347 | M: 0405 094 945
E: [EMAIL PROTECTED]
Asgard Wealth Solutions
Advice. Solutions. Confidence.
Re: [Samba] Domain Logins across VPN
[EMAIL PROTECTED] wrote:

----- Original Message -----
From: "Duncan Brannen" <[EMAIL PROTECTED]>
Cc:
Sent: Friday, May 26, 2006 4:12 AM
Subject: Re: [Samba] Domain Logins across VPN

This configuration works. If I change passdb to 127.0.0.1 instead of the Master LDAP's IP, this pops up in samba.smbd:

[2006/05/24 14:53:30, 1] lib/smbldap_util.c:add_new_domain_info(198)
  failed to add domain dn= sambaDomainName=ATWORK,dc=atworkpersonnel,dc=com with: Server is unwilling to perform
  shadow context; no update referral
[2006/05/24 14:53:30, 0] lib/smbldap_util.c:smbldap_search_domain_info(258)
  Adding domain info for ATWORK failed with NT_STATUS_UNSUCCESSFUL

That's the only error I see popping up. Ideas?

Has the entry dn= sambaDomainName=ATWORK,dc=atworkpersonnel,dc=com replicated across to your slave LDAP server successfully? Check your LDAP logs on the slave. I think Samba does a lookup for the domain and adds it if it doesn't exist; otherwise, is the updateref set in your slave's slapd.conf file? If the slave LDAP server is telling Samba it doesn't accept changes but not telling it where to send changes (no update referral), you might get this problem.

Hope this helps
Duncan

Hi Duncan,

I'm not using slurpd for replication; I'm using syncrepl. The database exists and is updated fine (if I add a user on the master, it exists on the slave, etc.). I'm using the smbldap tools for Samba, and on the slave machines they generate an error any time I try to use them (unless I point them at the Master LDAP). For example, if I try this:

smbldap-useradd -a testuser

it returns:

Error: shadow context; no update referral at /usr/local/sbin//smbldap_tools.pm line 1005.

I believe this has something to do with the issue.

--
Rob

Hi Rob,

The replication method shouldn't matter. updateref is used for both slurpd and syncrepl and tells the slave where to send clients who try to make changes.
e.g.

Samba -> ldap slave: "Add/Update this entry"
ldap slave -> Samba: "I don't accept changes, please write to the master at "

If you don't have updateref set, the slave will refuse the change but not tell the client where to make the change. If you do have updateref set and it still doesn't work, I'd try to add an entry to the slave using the (I assume OpenLDAP) client tools and check the slave logs, turning up logging if necessary, and the master logs. You should see the client connect to the slave, get an error and an updateref, then the change should show up in the logs of the master. If the slave returns the updateref but the client does not then contact the master, the client doesn't understand update references and you'll need to update your clients or make changes to the master directly.

If it works using the OpenLDAP tools, try it again with the Samba LDAP tools; you should see the same thing: client connects to slave, slave provides update ref, client connects to and updates master.

I'm fairly sure my BDCs didn't try to write to the LDAP servers after the PDC had written the domain info in. (Though I wouldn't swear I checked.) Can the Samba user pull out the complete domain info using ldapsearch?

Any joy?
Duncan
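The consumer-side configuration this reply is talking about, as an added example (not Rob's or Duncan's slapd.conf; hostnames, DNs and credentials are placeholders): a syncrepl consumer with the updateref that turns a refused write into a referral to the provider.

```conf
# slapd.conf on the replica (syncrepl consumer); assumed names throughout
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap

# Pull changes from the provider and keep the connection open for updates.
syncrepl        rid=001
                provider=ldap://ldap-master.example.com
                type=refreshAndPersist
                retry="60 +"
                searchbase="dc=example,dc=com"
                scope=sub
                schemachecking=off
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=replicator-secret

# A consumer is a shadow copy and refuses writes. Without the line below
# the refusal carries no referral and a client sees
# "shadow context; no update referral"; with it the client is told where
# the master is and can retry there.
updateref       ldap://ldap-master.example.com
```

To see the exchange the reply describes, run `ldapmodify -x -H ldap://ldap-replica.example.com -D "cn=admin,dc=example,dc=com" -W -f change.ldif`: the replica now answers with a referral to the provider instead of the error above, and adding `-C` makes ldapmodify chase that referral and perform the write on the provider, which is the same behaviour to look for afterwards in the Samba and smbldap-tools logs.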
Re: [Samba] sambaUnixIdPooldn
Ah, sorry :)

Don't know, maybe it's just neater to have it in the domain object, and you can have distinct uidNumber / gidNumber pools per domain on the same server. Otherwise, if you have multiple domains on the same LDAP server but one pool of users across them, you'd probably want to keep using NextFreeUnixId (and have the same SID for each domain).

Anyway, it's the weekend - leave it till Monday ;)

Duncan

[EMAIL PROTECTED] wrote:

the dn of this entry is where you're telling smbldap.conf to store the uid / gid numbers.

Thanks... however, I understand that. Perhaps I should have been more specific. Why is the location where this is being stored changed? Specifically, why are we storing it under the PDC domain name instead of NextFreeUnixId?

---quote---
4. Edit the /etc/smbldap-tools/smbldap.conf file so that the following information is changed from:

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

to read, after modification:

# Where to store next uidNumber and gidNumber available
#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
---quote---

I hate to do things blindly without having an idea what I'm doing, and why.

Thanks,
Greg

Hope this helps
Duncan

[EMAIL PROTECTED] wrote:

Quick question: In the Samba-by-Example (Chapter 5, page 188 of the PDF):

---quote---
4. Edit the /etc/smbldap-tools/smbldap.conf file so that the following information is changed from:

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

to read, after modification:

# Where to store next uidNumber and gidNumber available
#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
---quote---

I don't understand what the purpose is, or more precisely what it is this accomplishes. Could someone explain it to me? I'm making good progress, but still hashing things out.
TIA
-Greg
Re: [Samba] sambaUnixIdPooldn
When you add a new user or group via Samba, Samba needs to assign it a uid / gid. The next available number can be stored in the LDAP server and queried/updated by Samba. I create my users / groups outside of Samba and so don't use it, so I'm not sure exactly what should go here.

There's a sambaUnixIdPool object class in the samba.schema which could hold these values and, by the look of the example, I'm guessing that objectClass will be added to your sambaDomain object in the LDAP server. If you do an LDAP search on your server for '(sambaDomain=*)' you should see your domain, and it should have objectClass sambaDomain and objectClass sambaUnixIdPool. The dn of this entry is where you're telling smbldap.conf to store the uid / gid numbers.

Hope this helps
Duncan

[EMAIL PROTECTED] wrote:

Quick question: In the Samba-by-Example (Chapter 5, page 188 of the PDF):

---quote---
4. Edit the /etc/smbldap-tools/smbldap.conf file so that the following information is changed from:

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

to read, after modification:

# Where to store next uidNumber and gidNumber available
#sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
---quote---

I don't understand what the purpose is, or more precisely what it is this accomplishes. Could someone explain it to me? I'm making good progress, but still hashing things out.

TIA
-Greg
Re: [Samba] Domain Logins across VPN
> This configuration works. If I change passdb to 127.0.0.1 instead of the Master LDAP's IP, this pops up in samba.smbd:
>
>     [2006/05/24 14:53:30, 1] lib/smbldap_util.c:add_new_domain_info(198)
>       failed to add domain dn= sambaDomainName=ATWORK,dc=atworkpersonnel,dc=com with: Server is unwilling to perform
>       shadow context; no update referral
>     [2006/05/24 14:53:30, 0] lib/smbldap_util.c:smbldap_search_domain_info(258)
>       Adding domain info for ATWORK failed with NT_STATUS_UNSUCCESSFUL
>
> That's the only error I see popping up. Ideas?

Has the entry dn= sambaDomainName=ATWORK,dc=atworkpersonnel,dc=com replicated across to your slave LDAP server successfully? Check your LDAP logs on the slave. I think samba does a lookup for the domain and adds it if it doesn't exist. Otherwise, is the updateref set in your slave's slapd.conf file? If the slave LDAP server is telling samba it doesn't accept changes but not telling it where to send changes (no update referral) you might get this problem.

Hope this helps
Duncan
Re: [Samba] Failover LDAP?
You should be able to specify them as a list:

    ldap server = ldap1 ldap2 ldap3

Though that was for 2.2. Looking at my 3.0 confs I've got

    passdb backend = ldapsam:ldap://ldapX

which is local to the PDC/BDC. You probably want

    passdb backend = ldapsam:"ldap://ldap1 ldap://ldap2"

I think the quotes are important.

Duncan

Golden Butler wrote:
> Okay, I've searched around on this, but can't find any examples or docs. Is there a way to specify a second ldap server in the smb.conf, in case the primary ldap server fails or becomes unreachable?
>
> - Delamatrix
[Samba] PDC BDC logon server
If I have a PDC and 3 BDCs on separate networks, with no clients on either of these networks, should the BDCs still be the preferred logon servers or do they have to be on the same network segment? Does where the wins server is (on the PDC) make a difference to which responds first? I've got 95% of my clients using the PDC and would like to spread the load a little.

Samba 3.0.21c on Solaris 10

Ideas?

Duncan
[Samba] connections.tdb file keeps growing.
Hi,

I think I've found the cause of the large smbd processes. Does each smbd process keep a pointer to the connections.tdb file? This keeps growing and is currently over 20MB in size despite there being only 40 current users and 80 smbd processes. smbstatus reports services being accessed and files locked by non-existent pids which are over a month old.

Samba 3.0.21c on Solaris 10

Is there any way to force samba to refresh / clear out this file or does it require a restart?

Cheers,
Duncan
[Samba] smbd process grows to 25Mb resident size
Hi,

I've 4 Samba servers running 3.0.21c in Solaris 10 zones: one PDC, 3 BDCs. The machines are identically installed and the samba binaries and associated libraries are copied between the machines, so are also identical.

On my PDC, which seems to be accepting almost all of the clients, my smbd processes are 33M with 25M resident. This seems to be used by dev:32,0 ino301938 (see pmap below), which is a similar size on most smbd processes. I can see some where it's 8k.

Any idea what might be causing this and is it possible to cap it at all? Is it normal and nothing to be concerned about? It seems to be related to how busy the server is, as my BDCs, which only seem to pick up between 10 and 60 clients at any one time, have footprints of around 8 to 10 MB. The PDC has over 300 clients at any one time.

It's not causing any major problems but the PDC will eventually run out of RAM as we add clients unless I can somehow slow it down from being first to respond to domain logon requests. (Is that possible, and is having the PDC as the wins server what causes that? They all have very similar ping times from a given client and are spread across our network as the clients are.)
Thanks,
Duncan
Re: [Samba] 2 Domains on one server (browse.dat location) (3.0.9)
zheka wrote:
> Duncan Brannen wrote:
> > Apologies for double posting this. I managed to add it to the end of an old thread instead of starting a new one; anyone recommend a mail client that shows threads? :)
> >
> > Hi,
> >
> > I'm trying to run 2 domains from the one server. I've got my 2 config files and both servers run, bound to the correct interface, if started normally. The problem I have occurs when I try to start both at once. nmbd seems to be hardwired to write to $SAMBA_ROOT/var/locks/browse.dat so each instance of nmbd overwrites the data of the other. Have I missed an option to configure it to write elsewhere? (log, lock & pid dirs don't do it) or do I have to recompile samba with a new root?
> >
> > Feature Request:: Is it possible to have an option to reset this location if it doesn't exist?
> >
> > Is there a good howto anywhere on 2 domains / one machine, or a good reason not to do it? (Pref for Solaris) We've got the same users in each domain, with the same ldap backend. The problem being solved is that of giving some users escalated permissions when logged into their own domain (set group of machines) but allowing them to log into the "World usable" domain (open access machines) with normal permissions. Joe Blogs shouldn't be able to login to the 2nd domain, & I've controlled access using the ldap filter in smb.conf. (Good / Bad idea?)
> >
> > Any comments from those who have done this appreciated.
> >
> > Cheers,
> > Duncan
>
> Yes, you missed the parameter "lock directory" in smb.conf. browse.dat lies under the lock directory path. I have a successful installation of a samba server with two domains, but it works only if locking directories are separated. And yes, you will need separate ldap records for the same users in different domains (because of different SIDs).

I've set the lock directory (see above, tried lock, log and pid) but this doesn't change the browse.dat location, just the pid / filename.tdb location. Possibly the overwriting of browse.dat by the two nmbd processes is a red herring and it should work.

I've set the SIDs of the two domains to be the same so I only need one set of user records.

Which version are you using? I'm going to try again with 3.0.11, and compile them into distinct directories if it still fails.

Cheers,
Duncan
[Samba] 2 Domains on one server (browse.dat location) (3.0.9)
Apologies for double posting this. I managed to add it to the end of an old thread instead of starting a new one; anyone recommend a mail client that shows threads? :)

Hi,

I'm trying to run 2 domains from the one server. I've got my 2 config files and both servers run, bound to the correct interface, if started normally. The problem I have occurs when I try to start both at once. nmbd seems to be hardwired to write to $SAMBA_ROOT/var/locks/browse.dat so each instance of nmbd overwrites the data of the other. Have I missed an option to configure it to write elsewhere? (log, lock & pid dirs don't do it) or do I have to recompile samba with a new root?

Feature Request:: Is it possible to have an option to reset this location if it doesn't exist?

Is there a good howto anywhere on 2 domains / one machine, or a good reason not to do it? (Pref for Solaris) We've got the same users in each domain, with the same ldap backend. The problem being solved is that of giving some users escalated permissions when logged into their own domain (set group of machines) but allowing them to log into the "World usable" domain (open access machines) with normal permissions. Joe Blogs shouldn't be able to login to the 2nd domain, & I've controlled access using the ldap filter in smb.conf. (Good / Bad idea?)

Any comments from those who have done this appreciated.

Cheers,
Duncan
[Samba] Samba 3.0.9: 2 Domains on one server (browse.dat location)
Hi,

I'm trying to run 2 domains from the one server. I've got my 2 config files and both servers run, bound to the correct interface, if started normally. The problem I have occurs when I try to start both at once. nmbd seems to be hardwired to write to $SAMBA_ROOT/var/locks/browse.dat so each instance of nmbd overwrites the data of the other. Have I missed an option to configure it to write elsewhere? (log, lock & pid dirs don't do it) or do I have to recompile samba with a new root?

Feature Request:: Is it possible to have an option to reset this location if it doesn't exist?

Is there a good howto anywhere on 2 domains / one machine, or a good reason not to do it? (Pref for Solaris) We've got the same users in each domain, with the same ldap backend. The problem being solved is that of giving some users escalated permissions when logged into their own domain (set group of machines) but allowing them to log into the "World usable" domain (open access machines) with normal permissions. Joe Blogs shouldn't be able to login to the 2nd domain, & I've controlled access using the ldap filter in smb.conf. (Good / Bad idea?)

Any comments from those who have done this appreciated.

Cheers,
Duncan
Re: [Samba] IdealX
I'm in touch with a couple of guys at idealx.com. Was starting to think I was the only one seeing it. The root servers seem to be at fault, listing an additional Authority for idealx.org.

Duncan

At 13:29 18/01/2005, Gerald (Jerry) Carter wrote:
> Duncan Brannen wrote:
> | Using nslookup against sarajevo.idealx.org gives me
> | the correct address.
> |
> | No one else affected by this then?
>
> I see it as well. I'll contact the developers.
>
> cheers, jerry
>
> Alleviating the pain of Windows(tm) --- http://www.samba.org
> GnuPG Key- http://www.plainjoe.org/gpg_public.asc
> "I never saved anything for the swim back." Ethan Hawk in Gattaca
Re: [Samba] IdealX
Cheers,

Looks like our DNS servers picked up an extra Authoritative source for idealx.org:

    ; <<>> DiG 9.2.1 <<>> www.idealx.org
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55053
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.idealx.org.                IN      A

    ;; ANSWER SECTION:
    www.idealx.org.         74634   IN      A       12.47.46.198

    ;; AUTHORITY SECTION:
    idealx.org.             74630   IN      NS      launtra.fumble.org.
    idealx.org.             74630   IN      NS      sarajevo.idealx.com.

    ;; ADDITIONAL SECTION:
    launtra.fumble.org.     74631   IN      A       12.47.46.198
    sarajevo.idealx.com.    161032  IN      A       213.41.87.90

    ;; Query time: 18 msec
    ;; SERVER: 138.251.66.46#53(138.251.66.46)
    ;; WHEN: Tue Jan 18 12:26:12 2005
    ;; MSG SIZE  rcvd: 142

Using nslookup against sarajevo.idealx.org gives me the correct address.

No one else affected by this then?

Duncan

At 09:56 18/01/2005, Tomasz Chmielewski wrote:
> Duncan Brannen wrote:
> > Have IdealX.org lost their domain? It seems to have been pinched by some company selling domains. Site is partially mirrored at Idealx.com but still links to idealx.org. Replace idealx.org urls with idealx.com, but the samba downloadable stuff isn't there at the moment.
>
> IdealX.org works for me from several IPs (in different locations).
>
> Tomek
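As an added illustration (not part of the thread): a small parser for the dig output posted above that flags NS records in the AUTHORITY section which are not in an expected list of name servers, and notes when such a server's glue address is the same address returned in the ANSWER section (the pattern a parking/hijack delegation shows). The expected-NS list is an assumption supplied by the caller.

```python
import re

# dig output as posted in the thread; the AUTHORITY section carries an
# extra NS outside idealx.* whose glue A record equals the ANSWER address.
DIG_OUTPUT = """; <<>> DiG 9.2.1 <<>> www.idealx.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55053
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.idealx.org.                IN      A

;; ANSWER SECTION:
www.idealx.org.         74634   IN      A       12.47.46.198

;; AUTHORITY SECTION:
idealx.org.             74630   IN      NS      launtra.fumble.org.
idealx.org.             74630   IN      NS      sarajevo.idealx.com.

;; ADDITIONAL SECTION:
launtra.fumble.org.     74631   IN      A       12.47.46.198
sarajevo.idealx.com.    161032  IN      A       213.41.87.90
"""

# owner  ttl  IN  type  rdata
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")


def parse_sections(text):
    """Return {section: [(owner, ttl, type, rdata), ...]} from dig output.
    Comment lines (';') and the QUESTION entry are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if not line or line.startswith(";") or current is None:
            continue
        rr = RR_RE.match(line)
        if rr:
            owner, ttl, rtype, rdata = rr.groups()
            sections[current].append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return sections


def audit_delegation(text, expected_ns):
    """List NS records not in expected_ns. For each, record its glue address
    and whether that address also answers the queried name, i.e. the rogue
    name server is serving the zone's web record from itself."""
    s = parse_sections(text)
    expected = {n.lower().rstrip(".") + "." for n in expected_ns}
    answer_ips = {rr[3] for rr in s.get("ANSWER", []) if rr[2] == "A"}
    glue = {rr[0]: rr[3] for rr in s.get("ADDITIONAL", []) if rr[2] == "A"}
    findings = []
    for owner, _ttl, rtype, rdata in s.get("AUTHORITY", []):
        if rtype != "NS" or rdata in expected:
            continue
        findings.append({
            "zone": owner,
            "ns": rdata,
            "glue": glue.get(rdata),
            "answers_from_rogue_ns_ip": glue.get(rdata) in answer_ips,
        })
    return findings


if __name__ == "__main__":
    # Assumed expected delegation for the illustration: only the idealx.com host.
    for f in audit_delegation(DIG_OUTPUT, ["sarajevo.idealx.com"]):
        print(f)
```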
[Samba] IdealX
Have IdealX.org lost their domain? It seems to have been pinched by some company selling domains. Site is partially mirrored at Idealx.com but still links to idealx.org. Replace idealx.org urls with idealx.com, but the samba downloadable stuff isn't there at the moment.

Duncan
[Samba] Hardware Sun V210 /240
Hi,

Anyone out there running samba on Sun V210 or V240 hardware? We're thinking of buying a few for our migration to samba 3, so if anybody has samba running on these & wants to share numbers etc., please do.

Cheers,
Duncan
[Samba] Attempting to join domain disables root account (SAMBA LDAP PDC 3.0.4)
Hi,

We've got a working samba 2.2.8 / LDAP / PDC setup going here with multiple samba servers all looking at the same ldap backend but oblivious of each other. I've tried to upgrade one of these servers to samba 3.0.4, setting the passdb backend as ldapsam_compat.

If I try to join a Windows 2K machine to the 3.0.4 domain it fails. I use the same 'root' user and password but get the error message

    Login failure: unknown user name or bad password.

Meanwhile, the samba server has connected to my ldap server as the samba-ldap-administrator, disabled the root account and reset the lm and ntpasswd fields, effectively stopping any machine joining via the 2.2.8 servers either. Resetting the root password and acctFlags fixes the 2.2.8 servers but doesn't help me with the 3.0.4.

Have I missed something obvious, & can 2.2.8 and 3.0.4 servers co-exist with the same ldap backend? (The samba servers cannot see each other.)

Cheers,
Duncan

PS using the newest smbldap tools, though the logs don't seem to show me getting as far as trying that.
[Samba] ldap pdc and rejoining domains
Afternoon all,

I've got a problem I hope somebody can help me with. We've got samba working as a PDC to Windows 2000 machines with LDAP as the backend. It's fine until we start distributing the load over multiple LDAP servers. I've changed the configuration in the pam ldap stuff (on Solaris using padl) to point at a slave LDAP server (replacing /etc/passwd).

What I'm not clear on is what happens when we rebuild a machine. We reinstall the machine & try to create a new domain account. That fails because it already exists. Machine then tries to rejoin domain, setting up new SID/password (???)

    smb.conf points at the ldap-slave
    smbldap_tools stuff points at ldap master
    pam.conf stuff points at ldap slave

Which one is samba using to rejoin the domain? I guess it's smb.conf or pam.conf since, before I had referrals working properly, changes were being made to the slave. If it's smb.conf, does it understand referrals? If not, is it possible to use a slave ldap server with samba?

Sorry if I seem confused - it's cos I am :)

Cheers,
Duncan