Re: [Samba] howto sync unix passwd & samba passwd?

2008-05-21 Thread Edmundo Valle Neto

Iris Lames wrote:

Hi,

I'm using samba-3.0.28-0.fc8. I'm trying to build a file server for 100
users. I created a perl script that automatically adds the 100 users plus
their passwords with success. Now I'm having difficulty creating a script
using the smbpasswd command because passwords must be entered in stdin. I
also tried smbpasswd -s option but it asks passwd in stdin. Is there a way
that I can use the command smbpasswd plus the user password in one line?
  


As already answered by other people, you can use expect, I use it to set 
initial passwords, feeding smbldap-passwd in automated installs, it 
works and is the only solution that I know about too.



Also, I read about mksmbpasswd.sh and test it but it did not work at all.
My smb.conf contains:
smb passwd file = /etc/samba/sambapassword
and did:
cat /etc/passwd | grep test | /usr/bin/mksmbpasswd.sh >
/etc/samba/sambapassword
  


What do you mean by did not work at all? Are you sure that you are 
executing it in the right place? There's nothing wrong with that line 
unless mksmbpasswd isn't where you think it is (isn't it in sbin?) or 
isn't working as it should (not likely).



Is there a way for me to sync the userpassword and smbpasswd? Help me
please.

-Iris Lames
  


I don't know if I got it right. Doing what you are trying to do will 
just INITIALLY create the same accounts in samba as in /etc/passwd 
without setting the passwords (I don't know Fedora, but Debian based 
distros do that by default in the package scripts if the user chooses 
to). Debian can convert it to tdbsam after that too. All that can be 
scripted.

If by "sync" you mean initially populate smbpasswd as you are trying to 
do, the easiest way is already this way. Any other way you will be redoing 
the mksmbpasswd script.




Regards.

Edmundo Valle Neto
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts ...

2008-05-20 Thread Edmundo Valle Neto

Jason Waters wrote:

I'm coming into this half way through but won't ldap passwd sync = yes
work?  Or does that only work when you change your password from samba?

Jason Waters

(...)
You can use "smbpasswd -r pdcname".
This is the simplest way to change the password.

If you really want to use the passwd command, you will need to use 
winbind in these workstations and the pam_winbind.so pam module to 
change the password through it.


You could even use smbldap-passwd to change the password directly in the 
base, but you would need to make some changes in the script first.



Regards.

Edmundo Valle Neto
  



Yes, it will only work for commands that rely on samba itself to 
change the password. Here passwd is NOT included.
Three approaches were shown: using samba (smbpasswd), using PAM 
(passwd) and using LDAP directly.


Regards.

Edmundo Valle Neto


Re: [Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts ...

2008-05-20 Thread Edmundo Valle Neto

yogi wrote:

Hi ,
   Thanks Edmundo and Louis for the input.
Edmundo you are absolutely right about three hashes.
I figured that part. I always wondered how will samba
generate a hash from my unix hash ;).

Now coming back to my question. I will try and be even more
specific.

IF a user tries to change password on his/her wks, then 
he/she uses "passwd" in which case it uses pam  and unix
password is changed leaving samba password.

How do I  provide my users a common password sync option on
their respective workstation ?

Anybody ,

Thanks in advance,
yogesh
  


You can use "smbpasswd -r pdcname".
This is the simplest way to change the password.

If you really want to use the passwd command, you will need to use 
winbind in these workstations and the pam_winbind.so pam module to 
change the password through it.


You could even use smbldap-passwd to change the password directly in the 
base, but you would need to make some changes in the script first.



Regards.

Edmundo Valle Neto


Re: [Samba] SAMBA PDC with LDAP backend syncing unix/samba accounts ...

2008-05-19 Thread Edmundo Valle Neto

yogi wrote:

Hi all ,
I'm running Debian Etch. I just finished configuring SAMBA
as PDC to authenticate against LDAP server which works.
The system in question uses default debian etch packages.
As My Linux/unix accounts can authenticate against it. The
LDAP works.
I used the default shipped smbldap-populate script to
setup SAMBA.
  


Good, this is the reason that it is there :)
You will only not want to use it if you have a reason, like it messing with
your already populated base.


Everything seems to work as Anonymous User or as user root.

shark:/etc/samba# smbclient -L shark -N
Anonymous login successful
Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]

        Share name      Type      Comment
        ----------      ----      -------
        netlogon        Disk      Network Logon Service
        knoppix         Disk
        IPC$            IPC       IPC Service (Samba Server 3.0.24)
Anonymous login successful
Domain=[LDAPBIOMAX] OS=[Unix] Server=[Samba 3.0.24]

        Server               Comment
        ------               -------
        SHARK                Samba Server 3.0.24

Now when I try and login as normal user, which I have enabled
with "smbldap-usermod -a  yogesh"

smbldap-usershow yogesh

dn: uid=yogesh,ou=People,dc=biomax,dc=de
uid: yogesh
cn: yogesh
objectClass: account,posixAccount,top,shadowAccount,sambaSamAccount
userPassword: {MD5}.SOMELONGHASH 
shadowLastChange: 12900
shadowMax: 1
loginShell: /bin/bash
uidNumber: 668
gidNumber: 100
homeDirectory: /sk-home/yogesh
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: System User
sambaSID: S-1-5-21-4033729970-1053622217-143831336-9886
sambaAcctFlags: [UX ]

-

Now when I try and connect I get the following failure .
shark:/etc/samba# smbclient -L shark -U yogesh
session setup failed: NT_STATUS_LOGON_FAILURE
  


For me smbldap-usermod -a doesn't ask for a password, so your error appears
to be the right behavior of the server, when you try to access the samba
server with an account that has a posix password but doesn't have a samba
password.
If your posix password is hashed and it didn't ask for the password it
cannot guess it and fill the NT and LM samba hashes.

If you don't know, your account needs to end up with three hashes for the
same password :)


After Digging thru the logs I figured that if I enter password using
"smbldap-password" . It works.
  


Ok, now you have defined your samba password, and it will be synced with
the posix one, and everyone will be happy.


Now my Stupid questions ?
I already have unix users working of LDAP, How can I
automate the addition of remaining accounts with SAMBA ?
  


Well, as already said your script cannot guess the content of a hash to
create another that samba needs (this is the purpose of hashes),
normally people add the samba part (with smbldap-usermod), change the
password to something else (with smbldap-passwd), mark the account to
only allow the login if the password is changed (with smbldap-usermod -B
1), then inform the user of the new password and ask him to put his
password back when he tries to login and automatically receives a window
asking for that.

It will be a process very much like adding a new user.


Also whenever a unix user changes passwd samba password is
not updated ?
  


Well, this is a little more complicated, it depends on how and where they
are trying to do that, but normally posix tools don't know of the
existence of samba hashes, anyway it's possible to do that too, but you
will need to be a little more specific. Are they trying to do that using
their own workstations that have Linux or trying to do that accessing
the server shell?


Any pointers will be of great help.

Thanks in advance
yogesh


Appears that there's nothing wrong with your config, you just didn't
understand what you need to do.


Regards.

Edmundo Valle Neto
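
An added example (not part of the original thread or of smbldap-tools): a small audit that reads `smbldap-usershow`/LDIF-style text and reports which POSIX accounts still lack the Samba password attribute, which is the state that produced the NT_STATUS_LOGON_FAILURE discussed above. The sample entries, the `example.org` suffix and the hash placeholders are constructed; base64 (`::`) values are not decoded, only their presence is checked.

```python
def parse_entries(text):
    """Parse LDIF-like text into a list of {attribute: [values]} dicts."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if not raw.strip() or raw.strip() == "-":
            if cur:                       # a blank line or "-" ends an entry
                entries.append(cur)
            cur, last = {}, None
        elif raw.startswith(" ") and last:
            cur[last][-1] += raw[1:]      # LDIF continuation line
        elif not raw.startswith("#") and ":" in raw:
            key, _, val = raw.partition(":")
            last = key.strip().lower()
            cur.setdefault(last, []).append(val.lstrip(":").strip())
    return entries


def classify(entry):
    """Return the Samba password state of one POSIX account, or None."""
    # smbldap-usershow prints objectClass values comma-joined on one line;
    # plain LDIF repeats the attribute. Both forms are accepted here.
    classes = {c.strip().lower()
               for v in entry.get("objectclass", []) for c in v.split(",")}
    if "posixaccount" not in classes:
        return None
    if "sambasamaccount" not in classes:
        return "no-samba-attributes"      # smbldap-usermod -a not run yet
    if not entry.get("sambantpassword"):
        return "samba-password-not-set"   # only the posix hash exists
    return "ok"


def audit(text):
    """Map uid -> state for every POSIX account found in the text."""
    report = {}
    for entry in parse_entries(text):
        state = classify(entry)
        if state is not None:
            report[entry.get("uid", ["?"])[0]] = state
    return report


# Constructed sample: three accounts in the three possible states.
SAMPLE = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
objectClass: account,posixAccount,top,shadowAccount,sambaSamAccount
userPassword: {MD5}PLACEHOLDER
sambaPwdLastSet: 0
sambaAcctFlags: [UX ]

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
objectClass: account,posixAccount,top,shadowAccount
userPassword: {MD5}PLACEHOLDER

dn: uid=carol,ou=People,dc=example,dc=org
uid: carol
objectClass: account,posixAccount,top,shadowAccount,sambaSamAccount
userPassword: {MD5}PLACEHOLDER
sambaNTPassword: PLACEHOLDER-NT-HASH
sambaLMPassword: PLACEHOLDER-LM-HASH
sambaPwdLastSet: 1211200000
"""

if __name__ == "__main__":
    for uid, state in sorted(audit(SAMPLE).items()):
        print(f"{uid}: {state}")
```

Accounts reported as `samba-password-not-set` are the ones that need a password set through a tool that knows the cleartext, since the Samba hashes cannot be derived from the existing posix hash.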






Re: [Samba] samba & ldap

2008-05-15 Thread Edmundo Valle Neto

Charles Marcus wrote:

On 5/15/2008 3:40 AM, Esteban Torres Rodriguez wrote:
  

I'm new here and I have a doubt... I work with windows 2003 server
and now I would change to Linux. My doubt regards the share of my
server: to authenticate my users what is better: samba tdb or ldap?
For us it is not necessary to have an active directory, domain, etc... I need
only a file server and I have around 400 users... Does anyone have 
experience? Any suggestions?
  


  

always ldap.



Not necessarily...

tdb is *very* fast and reliable, much simpler to set up and maintain,
and if you don't *need* all the bells and whistles of ldap (high
availability, SSO, etc), tdb is the better choice - at least in my
opinion...


Depends on what is needed, in my opinion if a user must have the same 
password in samba AND any other service, use LDAP.


Regards.

Edmundo Valle Neto


Re: [Samba] Problem with samba+openldap with regard changing passwords from windows

2008-02-20 Thread Edmundo Valle Neto

(...)


Here you go...

http://pastebin.com/f61c911dd - logs

In answer to your questions...

Yeah that command works as root on the CLI
Samba version is 3.0.25b-1.el5_1.4
No I used the RPM's
OpenLDAP version...
slapd -V
@(#) $OpenLDAP: slapd 2.3.27 (Nov 10 2007 09:24:08) $
   
[EMAIL PROTECTED]:/builddir/build/BUILD/openldap-2.3.27/openldap-2.3.27/build-servers/servers/slapd 



Many thanks for your help.  It is much appreciated.

Alan


...
[2008/02/20 10:06:11, 3] smbd/chgpasswd.c:chat_with_program(430)
 chat_with_program: Dochild for user alan (uid=0,gid=0) (as_root = Yes)
[2008/02/20 10:06:14, 2] smbd/chgpasswd.c:expect(285)
 expect: Success
[2008/02/20 10:06:14, 3] smbd/chgpasswd.c:talktochild(316)
 Response 1 incorrect
...

Your log is showing that something is going wrong when chatting with the 
passwd program.


1. Asking again, have you tried to use only "ldap passwd sync = yes and 
unix password sync = no"? This way the password program is not used.


2. Enable password chat debug "passwd chat debug = yes" and raise the 
log level to 100 in the related debug class, "log level = 3 smb:100". It 
will print even your passwords used in the chat.


You can raise the log level to a specific machine if you have other 
useless traffic together:

http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/bugreport.html

Either the error is there or you have a samba version with a broken password 
chat processing (I don't know CentOS).



Regards.

Edmundo Valle Neto


Re: [Samba] Problem with samba+openldap with regard changing passwords from windows

2008-02-19 Thread Edmundo Valle Neto

Alan Goodman wrote:

Edmundo Valle Neto wrote:

Alan Goodman wrote:
I have implemented samba with LDAP backend, domain logins and 
roaming profiles and everything is great - except for one thing.


No one can change their passwords from windows - trying to change 
your password results in windows telling you you're not allowed to do 
that!


I did smbldap-show alan and among other information the line: 
sambaPwdCanChange: 0 appeared.


From my understanding if I do smbldap-usermod -A0 -B0 alan that line 
should then be changed to have a value of 1 allowing users to change 
passwords from their windows logins, however running the above 
command does not appear to be changing these values at all and thus 
I'm left with manually smbldap-passwd user to change each person's 
passwords (which does work)


If someone could let me know which logs you require and how to 
obtain them I would be happy to post them up here.


OS = CentOS 5.1

Alan


Post your smb.conf.

Edmundo Valle Neto

http://pastebin.com/f5fba0114

Alan


netbios name = MARANATHACENTRA

Netbios names can have a maximum of 12 characters, it will probably be 
truncated. (but this isn't related to your problem)


You only need password options if you want unix passwords to stay in sync.

Then, you only need "ldap passwd sync = Yes". It's commented out, have you 
already tried it? What happens?


These three options together work too.
unix password sync = Yes
passwd program = /usr/local/sbin/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"


There's a double quote that isn't needed at the end (it's not opening nor 
closing any string), the old smbldap-tools documentation shows it that way 
(wrong), I'm not sure if it is really a problem.


If it doesn't work, as you said that it works at command line, include a 
piece of log using level 3 when a client tries to change its password.


Regards.

Edmundo Valle Neto

Besides that, the configuration is right.

"/usr/local/sbin/smbldap-passwd -u anyuser" works when executed from the 
command line?

What samba version do you use, do you compile your own packages?


Re: [Samba] Problem with samba+openldap with regard changing passwords from windows

2008-02-18 Thread Edmundo Valle Neto

Alan Goodman wrote:
I have implemented samba with LDAP backend, domain logins and roaming 
profiles and everything is great - except for one thing.


No one can change their passwords from windows - trying to change your 
password results in windows telling you you're not allowed to do that!


I did smbldap-show alan and among other information the line: 
sambaPwdCanChange: 0 appeared.


From my understanding if I do smbldap-usermod -A0 -B0 alan that line 
should then be changed to have a value of 1 allowing users to change 
passwords from their windows logins, however running the above command 
does not appear to be changing these values at all and thus I'm left 
with manually smbldap-passwd user to change each person's passwords 
(which does work)


If someone could let me know which logs you require and how to obtain 
them I would be happy to post them up here.


OS = CentOS 5.1

Alan


Post your smb.conf.

Edmundo Valle Neto


Re: [Samba] FreeBSD: Changing UNIX password - Password Chat?

2008-02-13 Thread Edmundo Valle Neto

Jon Theil Nielsen wrote:

2008/2/13, Edmundo Valle Neto <[EMAIL PROTECTED]>:
  

Jon Theil Nielsen wrote:


I can't get my Samba PDC (FreeBSD 7,0-BETA3) changing UNIX passwords
from Windows clients (Ctrl-Alt-Del).
I now have the password chat debug active and I have loglevel 100.
I am not certain about the syntax in the password chat. But if I from
a console try to change the password of a given user (here testuser1),
I see these lines:

mflserver3# /usr/bin/passwd testuser1
Changing local password for testuser1
New Password: (entering the password)
Retype New Password: (entering it again)

From that I guess the expression in the chat would be:
*Changing*local*password*for* %u\n *New*Password* %n\n
*Retype*New*Password* %n\n

(...)

And again something is completely wrong, I see.

As I said, I am far from confident with the syntax/mechanism here. So I
would really appreciate some more explicit help. I have tried to
modify the chat by removing the trailing "*" or by putting the
expressions into double quotes - but with no luck.
Again, what is going on in the console is exactly what I wrote above.
What would then be the correct chat?

Regards,
Jon Theil Nielsen


Your problem is not the trailing *, you can't use %u.
It's just strings with wildcards, "WATCH THIS" send this "WATCH THIS" 
send this.


I think that even if you do that "C*:" it works as you have only one C 
and only one : before the first iteration.
It matches anything in the middle, Cblablablablablablablab\nlablabla 
blablablabla:


passwd chat = "Changing local password for*\nNew Password*" %n\n "*Retype New Password*" %n\n


Have you ever used regular expressions? This is a hundred times simpler :)
It's a syntax based on a unix program called "expect" that is used in 
automation. It feeds command line programs that don't accept options.



Regards.

Edmundo Valle Neto


Re: [Samba] FreeBSD: Changing UNIX password - Password Chat?

2008-02-13 Thread Edmundo Valle Neto

Jon Theil Nielsen wrote:

I can't get my Samba PDC (FreeBSD 7,0-BETA3) changing UNIX passwords
from Windows clients (Ctrl-Alt-Del).
I now have the password chat debug active and I have loglevel 100.
I am not certain about the syntax in the password chat. But if I from
a console try to change the password of a given user (here testuser1),
I see these lines:

mflserver3# /usr/bin/passwd testuser1
Changing local password for testuser1
New Password: (entering the password)
Retype New Password: (entering it again)

From that I guess the expression in the chat would be:
*Changing*local*password*for* %u\n *New*Password* %n\n
*Retype*New*Password* %n\n
  


No.

%u is the username and %n is the newpassword.

"What*to*expect"
%n\n (send the password and a new line)
"What*to*expect*then"
%n\n (send the password again and a new line)



Selected parts of the log shows:

[2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(279)
  expect: expected [*Changing*local*password*for*] received [Changing
local password for testuser1
  New Password:] match yes
  


It matched the two first lines stopping at (New Password:) as you have a 
* at the end.

And wait.


[2008/02/13 17:47:07, 10] smbd/chgpasswd.c:expect(290)
  expect: returning True
[2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(242)
  expect: sending [testuser1
  ]
  


You sent a username to the New password: prompt???


[2008/02/13 17:47:07, 10] lib/util_sock.c:read_socket_with_timeout(476)
  read_socket_with_timeout: timeout read. select timed out.
[2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(279)
  expect: expected [*New*Password*] received [
  Retype New Password:] match yes
  


It matched the second line stopping at (Retype New Password:)
And wait.


[2008/02/13 17:47:07, 10] smbd/chgpasswd.c:expect(290)
  expect: returning True
[2008/02/13 17:47:07, 100] smbd/chgpasswd.c:expect(242)
  expect: sending [VerySecret
  ]
  


You sent a "VerySecret" password (that obviously will not match the first)


[2008/02/13 17:47:10, 10] lib/util_sock.c:read_socket_with_timeout(476)
  read_socket_with_timeout: timeout read. select timed out.
[2008/02/13 17:47:10, 100] smbd/chgpasswd.c:expect(279)
  expect: expected [*Retype*New*Password*] received [
  Mismatch; try again, EOF to quit.
  New Password:] match no
  


Mismatch. Try again. (your chat didn't expect that this would happen 
and doesn't have more expressions to match.)



[2008/02/13 17:47:10, 2] smbd/chgpasswd.c:expect(285)
  expect: Unknown error: 0
  


Error.


[2008/02/13 17:47:10, 3] smbd/chgpasswd.c:talktochild(316)
  Response 3 incorrect
[2008/02/13 17:47:10, 3] smbd/chgpasswd.c:chat_with_program(372)
  chat_with_program: Child failed to change password: testuser1
[2008/02/13 17:47:10, 3] smbd/sec_ctx.c:pop_sec_ctx(415)
  pop_sec_ctx (1035, 1036) - sec_ctx_stack_ndx = 1
[2008/02/13 17:47:10, 5] rpc_parse/parse_samr.c:init_samr_r_chgpasswd_user(7576)
  init_samr_r_chgpasswd_user
[2008/02/13 17:47:10, 5] rpc_server/srv_samr_nt.c:_samr_chgpasswd_user(1581)
  _samr_chgpasswd_user: 1581
[2008/02/13 17:47:10, 5] rpc_parse/parse_prs.c:prs_debug(84)
  00 samr_io_r_chgpasswd_user
[2008/02/13 17:47:10, 5] rpc_parse/parse_prs.c:prs_ntstatus(769)
   status: NT_STATUS_ACCESS_DENIED

  


And so on.


As told, I'm not confident with the syntax. Have I made it wrong? Or
can you see anything else from the log that can pinpoint the problem?
I would believe that there must be several admins out there who use
the combination of of Samba and FreeBSD without having these problems.

Cheers,
Jon Theil Nielsen
  




Regards.

Edmundo Valle Neto
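
An added example (not from the thread and not Samba's own code): a simplified model of how a `passwd chat` value is consumed as alternating expect/send strings, run against a constructed stand-in for the FreeBSD `passwd` dialogue quoted above. It reproduces the failure at response 3 for the first chat string and the success of the corrected one; `%u` is expanded to the user name here because the log above shows it being sent as `testuser1`. `FakePasswd`, `run_chat` and the other names are hypothetical.

```python
import re


class FakePasswd:
    """Constructed model of the passwd prompts shown in the thread."""

    def __init__(self, user):
        self.first = None        # first password typed, awaiting retype
        self.changed_to = None   # set only when both entries agree
        self.pending = f"Changing local password for {user}\nNew Password:"

    def read(self):
        out, self.pending = self.pending, ""
        return out

    def write(self, data):
        line = data.rstrip("\n")
        if self.first is None:
            self.first = line
            self.pending = "\nRetype New Password:"
        elif line == self.first:
            self.changed_to = line
            self.pending = "\n"
        else:
            self.first = None
            self.pending = "\nMismatch; try again, EOF to quit.\nNew Password:"


def tokenize(chat):
    """Split on whitespace; double quotes keep a string with spaces together."""
    return [q if q else w for q, w in re.findall(r'"([^"]*)"|(\S+)', chat)]


def expand(token, user, new_pw, old_pw):
    """Apply the escapes and macros documented for passwd chat."""
    for esc, ch in ((r"\n", "\n"), (r"\r", "\r"), (r"\t", "\t"), (r"\s", " ")):
        token = token.replace(esc, ch)
    return token.replace("%u", user).replace("%n", new_pw).replace("%o", old_pw)


def wild_match(pattern, text):
    """'*' matches any run of characters, newlines included."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, text, re.DOTALL) is not None


def run_chat(chat, user, new_pw, old_pw=""):
    """Return (success, failed_step_or_None, list_of_strings_sent)."""
    tokens = [expand(t, user, new_pw, old_pw) for t in tokenize(chat)]
    prog, sent = FakePasswd(user), []
    # Tokens are consumed strictly in pairs: expect, send, expect, send ...
    for i in range(0, len(tokens), 2):
        expect = tokens[i]
        send = tokens[i + 1] if i + 1 < len(tokens) else "."
        if expect != "." and not wild_match(expect, prog.read()):
            return False, i // 2 + 1, sent
        if send != ".":              # a lone "." means: send nothing
            prog.write(send)
            sent.append(send)
    return prog.changed_to == new_pw, None, sent


# The chat string guessed in the question: %u\n lands in a "send" slot,
# so the user name is typed at the New Password prompt.
BROKEN = r'*Changing*local*password*for* %u\n *New*Password* %n\n *Retype*New*Password* %n\n'
# The corrected string from the reply: two expect/send pairs, no %u.
FIXED = r'"Changing local password for*\nNew Password*" %n\n "*Retype New Password*" %n\n'

if __name__ == "__main__":
    for name, chat in (("broken", BROKEN), ("fixed", FIXED)):
        ok, step, sent = run_chat(chat, "testuser1", "VerySecret")
        print(name, "ok" if ok else f"failed at response {step}", sent)
```

The list of sent strings is what `passwd chat debug = yes` would write to the log, new password included, so that option belongs only in a short debugging session with the resulting log protected or removed afterwards.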


Re: [Samba] ldap passwd sync not working

2008-02-13 Thread Edmundo Valle Neto

(...)


Sure enough smbldap-passwd works. I have tried this once ldap passwd 
sync was not working. 


How?

Though, there are two problems: 1) it's too slow and 2) it shows a 
message to the user telling he has no permissions to change password. 


Where? How?


So it's confusing. I don't feel comfortable using such a thing.

Actually, I was hoping for some answer from whom has ldap passwd sync 
working. 


Mine is. It doesn't needs anything else.


Hints on how to debug and so on.


One was suggested: try smbldap-passwd -u from command line and inside 
samba and see if it works, if it works alone there's a possibility that 
your samba config has a problem, if it doesn't work even outside samba, 
it doesn't have anything to do with samba, as it runs alone, it's a 
simple perl script that binds to ldap directly.


If you conclude that the problem is with samba you can start to raise 
the log level, if it's not, it's useless and maybe you should look at your 
ldap acls.


So, it depends, I didn't understand what works and what doesn't and in 
which situation now.



Thanks again!


Edmundo Valle Neto



Re: [Samba] ldap passwd sync not working

2008-02-12 Thread Edmundo Valle Neto

Fabiano Caixeta Duarte wrote:

Fabiano Caixeta Duarte wrote:

Hi, there!

When my XP users try to change passwords, they get a message saying that
password has been changed. That's not true!

NT and LM passwords are changed but unixPassword isn't.

Look at this openldap.log lines:

Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
dn="uid=teste,ou=Users,dc=domain"
Feb 12 07:50:28 apolo slapd[22826]: conn=698021 op=40 MOD
attr=sambaLMPassword sambaLMPassword sambaNTPassword sambaNTPassword
sambaPwdLastSet sambaPwdLastSet

See?

My smb.conf has these ldap related options:

passdb backend = ldapsam:ldap://apolo.domain
idmap backend = ldapsam:ldap://apolo.domain
ldap suffix = dc=domain
ldap admin dn = cn=root,dc=domain
ldap ssl = start_tls
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap passwd sync = yes
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"

set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"




> The question may not be related to LDAP since your domain passwords are
> changed. You should be looking at why the Unix password isn't being
> changed.
> - Are you using LDAP for Unix authentication?
> - Can you change the Unix password using passwd?
> - is your password chat in smb.conf correct for your system?

AFAIK when using ldapsam, we must use ldap attributes for storing unix 
information. So passwd won't work.


passwd works partially. passwd uses PAM, and PAM can access LDAP but it 
only knows about posix attributes.


If so, we cannot use "passwd chat" "passwd program" "unix password 
sync", etc. Instead, we have to use "ldap passwd sync".


Well, you can, but yes, ldap passwd sync does the same thing without 
the need to configure anything, so, it works but it just doesn't make sense 
to configure both.



idealx documentation explains that:

http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108

6.8  The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u 
is not called, or i got a error message when changing the password from 
windows

The directive is called if you also set unix password sync = Yes. Notes:

* if you use OpenLDAP, none of those two options are needed. You just 
need ldap passwd sync = Yes.
* the script called here must only update the userPassword attribute. 
This is the reason of the -u option. Samba passwords will be updated by 
samba itself.
* the passwd chat directive must match what is prompted when using the 
smbldap-passwd command


So..., just -u to change only userPassword and a working passwd chat :)

And in: 8.1.3  The samba configuration file : /etc/samba/smb.conf

#unix password sync = Yes
#passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new 
password*" %n\n"

ldap passwd sync = Yes

One OR another. But both approaches work.


Am I wrong?


Yes.


And yes, I'm using also unix authentication for some services.

I assume that I missed something on smb.conf because samba doesn't ask 
for modification on unixPassword ldap attribute as shown on openldap.log


That's funny, I cannot point to anything missing in your smb.conf, ldap 
passwd sync should work alone. But you can try smbldap-passwd as shown 
at the three lines above. Make sure it works at the command line first.



Thanks for your attention.



Regards.

Edmundo Valle Neto


Re: [Samba] need wins understanding

2008-01-21 Thread Edmundo Valle Neto

Dominic Iadicicco wrote:

Cool.

So the servers should not do anything bad to each other because they are
both running wins? Is this correct? Also I can disable broadcasting on
both servers as well.
I don't have to but I can.


Thanks again

Dominic
  


(...)

They will not clash or fight with each other trying to be the "master 
WINS" if that's what you are asking. :) The reason that you should not 
use more than one is exactly the contrary, both will ignore each other 
and clients that register or use one to make a query will not use the 
other, ending with only partial knowledge of the neighborhood. (but 
it seems that it's what you want)


About trying to do more than that and disable the broadcast of the 
servers, I simply never tried/needed to do anything like that. As I 
never saw any reason to do so and as a security measure I don't see it 
being all that useful either.



Regards.

Edmundo Valle Neto


Re: [Samba] need wins understanding

2008-01-20 Thread Edmundo Valle Neto

Dominic Iadicicco wrote:

Here is my setup.



 I have two samba domain controllers on the same subnet. It's a
172.16.12.0 subnet.

  First domain "STAFF"

  Second domain "PATRONS"



  They both have wins enabled and all clients have broadcasting disabled.
  Can someone tell me if I will have a problem?  If so please give
some kind of example.  I am really trying to learn why and get a
better understanding of wins, and this will put me in the right
direction.
  If you need more info on the network, just ask.  Although I feel this is
more of a concept question to help me get it.

Thanks all

Dominic Iadicicco


As far as I know, the behavior of your network will be that clients 
configured to use the first WINS server will not know of the existence 
of the machines that use the other WINS server, and vice versa. If 
that's a problem or not, it depends on whether you wish that these two domains 
interact with each other. But if I remember right at least the two 
servers will know of each other (as only the clients' broadcast behavior 
was disabled) and so all clients will know about the two servers.



Regards.

Edmundo Valle Neto



Re: [Samba] looking for a pam_smbpass user to answer passwd sync issues

2008-01-10 Thread Edmundo Valle Neto

Deas, Jim wrote:

Ryan,
 Wish I could say yes but no, not clear. My existing users are all Mac
OSX clients using the netatalk package.


I never used a Mac or Netatalk, but ...


 Netatalk uses the PAM system to
authenticate. I have the ldap modules in pam.d setup to use the LDAP
posix structure for netatalk authentication.
The issue is how to create and sync a smbpassword to the existing
LDAP/POSIX structure. I am half way there by adding the new
sambaSam.schema to the LDAP system. I can now create a user with the
standard smbpasswd program and authenticate them into a smb share.

I don't mind telling the users that they need to change their password
to gain access to the new smb services so a migration script is not
needed. From what I understand there is no way to take the MD5 unix
password and convert it to smb anyhow.
  


Well, you probably will want to change the accounts adding the samba 
attributes first. (Sure, if you make that, you will have a nonworking 
password). Then make the clients change the passwords and sync.



Best Option, find a way to make Fedora DS run a script that updates the
users smb data including syncing the password when changes to the posix
structure happen.
  


I think I saw something like that as a patch to LDAP, but I don't 
even remember the name. I saw it and I didn't like it.



Second Option, find a way to make pam.d execute both the passwd and
smbpasswd processes for password changes. This is second choice as some
of the Fedora DS tools would not be useful.
  


Here we have a contradiction: smbpasswd uses samba to do its job, it 
doesn't do it directly. If you have that option (ask samba to do it), 
read below.
You can make pam execute pam_winbind.so after pam_ldap.so and it will 
try to find a remote Winbind daemon, and ask it to change the samba 
password (and this Winbind will be using the LDAP password database). 
Maybe you don't like it, but it's the only solution that I know that works 
using pam (the client can then use "passwd" and pam will sync both 
passwords).
And NO, pam_smbpass.so that anyone tries to use doesn't do that, you 
really need winbind.



I do not need to sync the other way around (smb->(md5)posix).


Ok. Let's say that the other way around is the configuration made inside 
samba, so samba will sync the unix password inside LDAP on its own. Then 
it will be used by the samba tools, pdbedit, net, smbpasswd, etc.



 I will not
authenticate WinX workstations with this system. Only smb disk share
authentication via smbd. So in a sense, the PDC is only used by the
several samba instances to authenticate disk shares.
  


The last option is to make a custom script of your own. The 
smbldap-passwd script from smbldap-tools is written in Perl and does 
almost that, accessing LDAP directly. I don't know if it will be the 
best option, as to bind to the base you need a password. So to change 
your password you need your password first, annoying.


Web applications are an option too, but I never liked to do that this way.

(...)


Regards.

Edmundo Valle Neto


Re: [Samba] password

2008-01-01 Thread Edmundo Valle Neto

Andrea Bencini wrote:

SWAT's help files are a good resource, as shown below.

Dale


I will explain you my question.
I have installed samba-3.0.28-0 like PDC and I have only some  Xp prof 
clients.

In "global" section of smb.conf I have set
passdb backend = tdbsam
unix password sync = no
encrypt password = yes

I have NOT set  "passwd program" and "passwd chat"
Then, with pdbedit, I have set password expired.
I can change the password, when it is expired, from Xp prof client.

The question is:
Are "passwd program" and "passwd chat"  part of the suite to change the 
password?


Yes.

I have NOT used them, but I can change anyway the passwords; then when 
should I use

them? In which situation?


As already said, the man page is very clear. The password program is 
the program used to change UNIX passwords. And UNIX passwords are not, 
let's say, "samba passwords".


Samba maintains its hashes on its own (that only it uses), but the UNIX 
part is configurable.
These options are used if you enable the unix password sync again. There 
are some other options used with LDAP too.


What you will notice if you do not sync the UNIX part is that these 
accounts would not be able to be used with the same password by other 
services (that don't use the samba NT and LM hashes to authenticate); 
you will not be able to log in to a shell, for example.


The password chat is the configuration used to know when to feed or to 
consider the output a response to the password program, as password 
programs don't accept passwords on their command line for security 
reasons. It works like a program called expect that is used for the same 
purpose in automated configurations.


Use these options together if you plan to sync the UNIX part of the set 
of passwords with the samba part and you are not using LDAP.



Thanks
Andrea




Regards.

Edmundo Valle Neto
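
The expect-style exchange described in this message, as an added example that is not part of the original post and is not Samba's own code: a simplified model of how a passwd chat string is walked against the passwd program's prompts. The chat string is the one from an smb.conf posted elsewhere on this page; the `FakePasswd` class, the prompt texts, the sample password and the case-sensitive matching are assumptions of this sketch.

```python
import re

# Escapes documented in smb.conf(5) for passwd chat strings.
ESCAPES = {r"\n": "\n", r"\r": "\r", r"\t": "\t", r"\s": " "}

# Chat string as it appears in an smb.conf posted on this page.
CHAT = r"*Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n"


def parse_chat(chat):
    """Split a chat string into (expect, send) pairs.

    Tokens are whitespace separated, double quotes group a token with
    spaces, and a lone "." means "expect nothing" or "send nothing".
    """
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', chat)]
    if len(tokens) % 2:
        tokens.append(".")  # trailing expect string with nothing to send
    return list(zip(tokens[0::2], tokens[1::2]))


def unescape(token):
    """Turn the two-character escapes into the characters they stand for."""
    for escape, char in ESCAPES.items():
        token = token.replace(escape, char)
    return token


def wild_match(pattern, text):
    """Match text against a pattern in which only '*' is a wildcard."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, text, re.DOTALL) is not None


class FakePasswd:
    """Constructed stand-in for the passwd program (not a real process)."""

    def __init__(self, prompts):
        self.prompts = list(prompts)
        self.received = []  # what arrived on the program's stdin

    def read(self):
        return self.prompts.pop(0) if self.prompts else ""

    def write(self, data):
        self.received.append(data)


def run_chat(chat, program, new_password):
    """Walk the chat: wait for each expected prompt, then feed the reply.

    The password only ever travels over the program's stdin, in answer to
    a prompt that matched; it never appears on a command line.
    """
    for expect, send in parse_chat(chat):
        if expect != ".":
            output = program.read()
            if not wild_match(unescape(expect), output):
                return False, "expected %r, got %r" % (expect, output)
        if send != ".":
            # Escapes first, then %n, so the password itself is never unescaped.
            program.write(unescape(send).replace("%n", new_password))
    return True, "chat completed"


if __name__ == "__main__":
    matching = FakePasswd(["Enter new UNIX password: ",
                           "Retype new UNIX password: "])
    print(run_chat(CHAT, matching, "s3cret"), matching.received)

    # A passwd program with different prompts: the chat stops at the first
    # mismatch and nothing is sent.
    different = FakePasswd(["New password: ", "Retype new password: "])
    print(run_chat(CHAT, different, "s3cret"), different.received)
```

When the prompts of the configured passwd program do not match the chat string, the exchange stops before any password is sent, which is why the two options have to be set as a pair.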



Re: [Samba] Unable to change password in windows - SAMBA_LDAP_PDC

2007-11-28 Thread Edmundo Valle Neto
Don't reuse subjects that don't have anything to do with what you are 
asking about.


Putting back "Re: [Samba] Unable to change password in windows - 
SAMBA_LDAP_PDC" instead of "Re: [Samba] Re: samba Digest, Vol 59, Issue 
28"; a lot of people don't read digests and so will ignore your message 
(if not all).



jayendren anand maduray wrote:

(...)



So take a look at the "SO USE A PARTIAL" part, it goes for all the 
organizational unit suffixes.

>I have set to use partial, restarted samba and slapd, and I still receive:
>"The system cannot change your password now because the domain RIVONINGO.HIVSA is not available"
> or "The system cannot change your password at this time"
>When I try to change the password
>The log entry is:
>[2007/11/28 14:44:04, 0] lib/debug.c:reopen_logs(597)
>  Unable to open new log file /var/log/samba/log.computername: Permission denied

>Is there something else I can try?


(...)

I can't even say whether the previous and this error message have anything 
to do with your problem (but as the previous message wasn't repeated, 
the server is now finding whatever it is looking for), or whether it's a 
name resolution problem. Use a log level higher than 0 so the server 
spits out something useful; use something like 3.


But yes, it's not normal for the server not to find objects in LDAP, just 
as it's not normal for it to start giving "permission denied" errors when 
trying to reopen log files. What are the permissions of your log directory?


Regards.

Edmundo Valle Neto


Re: [Samba] Unable to change password in windows - SAMBA_LDAP_PDC

2007-11-27 Thread Edmundo Valle Neto

jayendren anand maduray wrote:

Hi All.

I have a SAMBA PDC that uses LDAP as its back end.
The OS, is UBUNTU 6.10 Server.
SAMBA Version is 3.022

The problem is, when a client logs onto the Domain, he presses 
Control+Alt+Del, and chooses Change Password.

He types in the old password, then the new one, and confirms this.
When he clicks on OK, it thinks for a bit (about 30 seconds) and then 
says:
"The system cannot change your password now because the domain 
RIVONINGO.HIVSA is not available"


This used to work before, and works fine on another server, with the 
identical settings.


The log file for the computer says:
[2007/11/27 16:00:11, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(2171)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error: 
(No such object)


This says that something wasn't found in LDAP, but doesn't say what or 
where it was looked for.


(...)


ldap suffix = dc=rivoningo,dc=hivsa
ldap group suffix = ou=smbGroups,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
ldap user suffix = ou=smbUsers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
ldap machine suffix = ou=smbComputers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
ldap idmap suffix = ou=smbUsers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa


I didn't understand why you created your DIT that way, but ...

From smb.conf man page:

ldap suffix (G)
Specifies the base for all ldap suffixes and for storing the sambaDomain 
object.

The ldap suffix will be appended to the values specified for the ldap 
user suffix, ldap group suffix, ldap machine suffix, and the ldap idmap 
suffix. Each of these should be given only a DN relative to the ldap suffix.

Default: ldap suffix =

Example: ldap suffix = dc=samba,dc=org

ldap user suffix (G)
This parameter specifies where users are added to the tree. If this 
parameter is unset, the value of ldap suffix will be used instead. The 
suffix string is pre-pended to the ldap suffix string SO USE A PARTIAL DN.

Default: ldap user suffix =

Example: ldap user suffix = ou=people


(...)

So take a look at the "SO USE A PARTIAL" part, it goes for all the 
organizational unit suffixes.


Regards.

Edmundo Valle Neto
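
The effect of the man page rule quoted in this message, as an added example that is not part of the original post and is not Samba's own code: a small check that computes the DN that results once the ldap suffix is appended to each per-object suffix and flags values that already contain the base. The suffix values come from the smb.conf quoted above; the function names, the "fixed" variant and the comma-based DN handling (no escaped commas) are assumptions of this sketch.

```python
import configparser

SUFFIX_KEYS = ("ldap user suffix", "ldap group suffix",
               "ldap machine suffix", "ldap idmap suffix")

# Values as posted in the message (full DNs in every per-object suffix).
PAGE_CONFIG = """[global]
ldap suffix = dc=rivoningo,dc=hivsa
ldap group suffix = ou=smbGroups,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
ldap user suffix = ou=smbUsers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
ldap machine suffix = ou=smbComputers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
ldap idmap suffix = ou=smbUsers,ou=soul-calibur,ou=smbServers,dc=rivoningo,dc=hivsa
"""

# Constructed variant with partial DNs, as the man page asks for.
FIXED_CONFIG = """[global]
ldap suffix = dc=rivoningo,dc=hivsa
ldap group suffix = ou=smbGroups,ou=soul-calibur,ou=smbServers
ldap user suffix = ou=smbUsers,ou=soul-calibur,ou=smbServers
ldap machine suffix = ou=smbComputers,ou=soul-calibur,ou=smbServers
ldap idmap suffix = ou=smbUsers,ou=soul-calibur,ou=smbServers
"""


def clean_dn(dn):
    """Drop stray whitespace around RDNs (simplified: no escaped commas)."""
    return ",".join(part.strip() for part in dn.split(",") if part.strip())


def effective_dns(smb_conf_text):
    """Return {parameter: (effective DN, base_already_included)}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(smb_conf_text)
    section = next((parser[name] for name in parser.sections()
                    if name.lower() == "global"), None)
    if section is None:
        raise ValueError("no [global] section found")

    base = clean_dn(section.get("ldap suffix", ""))
    report = {}
    for key in SUFFIX_KEYS:
        value = clean_dn(section.get(key, ""))
        if not value:
            effective = base              # unset: the base itself is used
        elif base:
            effective = value + "," + base
        else:
            effective = value
        low_value, low_base = value.lower(), base.lower()
        doubled = bool(base and value) and (
            low_value == low_base or low_value.endswith("," + low_base))
        report[key] = (effective, doubled)
    return report


def doubled_parameters(smb_conf_text):
    """List the parameters whose value already ends with the ldap suffix."""
    return sorted(key for key, (_, doubled)
                  in effective_dns(smb_conf_text).items() if doubled)


if __name__ == "__main__":
    for label, text in (("as posted", PAGE_CONFIG), ("partial DNs", FIXED_CONFIG)):
        print(label)
        for key, (dn, doubled) in effective_dns(text).items():
            print("  %-20s %s%s" % (key, dn, "  <-- base appended twice" if doubled else ""))
```

With the values as posted, every search base ends in `dc=rivoningo,dc=hivsa,dc=rivoningo,dc=hivsa`, a DN that does not exist in the tree.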


Re: [Samba] connection to IPC$ denied due to security descriptor

2007-11-25 Thread Edmundo Valle Neto

richid wrote:

Hey all,

I have a fileserver running Debian Etch and Samba 3.0.24 that I use to serve
media and private home directories.  I have a couple roommates, and
therefore have a couple accounts on the box for those users.  I had
everything working perfectly until last week when my system drive took a
crap.  I've reinstalled everything exactly the same (I think?) but now I am
having problems with some accounts not being able to connect to the shares. 
My username can connect to my home share and the communal media share just
fine.  When I try to connect to another user's home share or to the media
share with their username, I keep getting the password dialog box.  I've
ensured that they are in smbpasswd and that their password is correct.  I've
also verified this using smbclient.  


DETAILS:

The log file is reporting this error when I try to connect:
make_connection: connection to IPC$ denied due to security descriptor.

Here is output from smbclient:
[EMAIL PROTECTED]:~$ smbclient //warehouse/media -U bob
Password: 
Domain=[WAREHOUSE] OS=[Unix] Server=[Samba 3.0.24]
smb: \> ls
  .                                   D        0  Thu Oct 18 11:25:22 2007
  ..                                  D        0  Wed Nov  7 21:47:06 2007
  audio                               D        0  Tue Nov 13 23:40:25 2007
  downloads                           D        0  Tue Nov 13 23:41:11 2007
  video                               D        0  Thu Nov 15 23:00:34 2007

                44708 blocks of size 33553920. 25310 blocks available
smb: \> 


Here is my smb.conf:

[global]
   netbios name = warehouse
   server string = warehouse
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n
   socket options = TCP_NODELAY

   domain master = auto

force user = %U
force group = users

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0700
   directory mask = 0700
   force group = %G
   valid users = %S

[media]
   comment = Media
   path = /mnt/storage/media
   browsable = yes
   writeable = yes
   create mask = 0775
   directory mask = 0775
   #guest ok = yes
   hide files = /*.dat/


It's pretty basic, I'm not doing anything special here.  Anyone have any
idea what the problem is?  I've also read a couple other threads, and have
already tried removing the /var/run/samba/share_info.tdb file and restarting
Samba, but that hasn't worked.  I'm really stumped on this one, anyone else?

Thanks in advance,
Rich
  


I have something similar with the computers in my home using Ubuntu 
(which uses almost the same samba package). I can say one thing: it 
doesn't seem to be triggered by something inside share_info.tdb. Putting 
in the line "force group = users" (which I think I never used before) gives 
me "make_connection: connection to IPC$ denied due to security 
descriptor." errors when I log on to a Windows XP machine in the same 
network, and it appears to happen when XP tries to connect to samba with 
the guest account to get the list of shares. But I haven't noticed any 
problem because of that. Samba continues to accept connections using 
already created accounts.


So, I'm not sure if your problem has anything to do with that error 
message.


Does testparm give you any error?
Does listing the shares with these accounts work? smbclient -L localhost -Uanyuser%password ?


Regards.

Edmundo Valle Neto


Re: [Samba] samba as a pdc, Unable to change passwd htrough Windows clients.

2007-11-21 Thread Edmundo Valle Neto

Hari wrote:

Hi Everyone,
I am using Samba-3.0.0-14.3E as a PDC. Everything is
working fine in the PDC, but the only problem is changing the
passwd from a Windows client machine. While trying to
change the passwd from a client I am getting the error
messages below. Please advise on this one.

Error message on some systems: "You Don't have
permission to change passwd"

   And

 "The system cannot change your passwd now
because the domain "TEST-DOMAIN" is not available"
 
Here is My smb.conf

-
[global]
workgroup = TEST
netbios name = TEST-DOMAIN
server string = TEST-PDC
pam password change = Yes
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log level = 10
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon path = \\%L\Profiles\%U
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap ssl = no
admin users = hari
hosts allow = 192.168.1., 192.168.2., 127.
 
Can anyone help on this issue.

For more details, this is the log that I am getting
while changing the passwd
 
(...)


A.HariManiKandan,
  SPG Softek,Sanjay Nagar,
  Bangalore.Cell:9845133870.
  Email: [EMAIL PROTECTED]





Don't use log level 10 unless really needed; for solving simple problems 
it is useless. Use 3 instead.


You have set password chat, this is the chat used to match what the 
passwd program returns. Where is your passwd program? It defaults to 
nothing when not specified. The samba documentation, the smb.conf man 
page and probably the mail list history has examples of setting them.


Regards.

Edmundo Valle Neto


Re: [Samba] DNS problem?

2007-11-19 Thread Edmundo Valle Neto

[EMAIL PROTECTED] wrote:

I'm trying to join an XP SP2 PC called testpc to a test environment.  Its
network settings are statically set.  IP address is 10.8.3.209.  I have a
PDC called gomer.mdah.state.ms.us w/ samba 3.0.26a and IP address is
10.8.3.37.  On test PC I right click on my computer, properties, computer
name, change from workgroup WORKGROUP to domain ADAMSTEST.

But I get the error:

(...)


any ideas?


You can start by checking whether the server really registered the types 
1b, 1c and 1d to its address.


Don't use a log level = 10 unless really needed, a log level of 2 
(preferred) or even 3 is enough to see almost all common problems.


It should have 1c and 1b in wins.dat and nmbd.log should say what was 
the result of the elections (or if you are having any master browser war).


nmblookup can be used locally to query the WINS server or make a 
broadcast query to see who is what.


nmblookup -R -U 10.8.3.37 ADAMSTEST#1B (query the wins about DMB)
nmblookup -R -U 10.8.3.37 ADAMSTEST#1C (query the wins about DCs)
nmblookup -M ADAMSTEST (query by broadcast about LMBs)

On the client you can use ipconfig /all to see if it is really using a 
WINS server, the node type, if NetBIOS over Tcpip is disabled, etc.

Windows has its own tools to test lookups too.


Regards.

Edmundo Valle Neto


Re: [Samba] Samba+LDAP problems

2007-11-08 Thread Edmundo Valle Neto

Marcelo Mogrovejo wrote:

Hi John...

John H Terpstra wrote:

(...)

I mean that i don't know why the user linux is not created, why i don't
see him with getent passwd.
The command work fine without errors.

So all of this means smbldap-tools is broken ??



No, it means your NSS is either not configured correctly, or is 
broken.  How have you configured /etc/nsswitch.conf and /etc/ldap.conf?
  

here i show you my /etc/nsswitch.conf and /etc/ldap/ldap.conf

http://pastebin.com/mf74cf2


thanks.

regards


About /etc/ldap/ldap.conf, Debian doesn't use the config from there (it 
reads from different files when using NSS or PAM); include your 
/etc/nss-ldap.conf instead.


The only use of /etc/ldap/ldap.conf that I remember now is by ldap-utils 
(ldapsearch for example).


Looking at the file that you sent, I saw that you are trying to use TLS, 
and I haven't understood yet whether openldap is installed on the same 
machine where you are trying to configure NSS (which in my opinion could 
make TLS useless in this case).


If you never configured an LDAP server before, if possible you should 
try something simpler, don't use TLS and don't set the pam and nss filters.



Regards.

Edmundo Valle Neto


Re: [Samba] Samba+LDAP problems

2007-11-06 Thread Edmundo Valle Neto

Marcelo Mogrovejo wrote:

Hello Edmundo


(...)


So, yes, i have configured this file already:
passwd: compat ldap
shadow: compat ldap
group:   compat ldap

I have downloaded the libnss-ldap file too but it's the same...


Yes, this package must be installed too, nsswitch.conf says where to 
read and libnss-ldap says how to do it when using LDAP. Normally 
answering debconf properly when installing the package is enough to make 
it work and messing with /etc/libnss-ldap.conf isn't needed.



I can't make it to work...

If i try to create a posixAccount in phpLDAPadmin it show me the error:
"Could not add the object to the LDAP server.

LDAP said: Object class violation
Error number: 0x41 (LDAP_OBJECT_CLASS_VIOLATION)
Description: You tried to perform an operation that would cause an 
undefined attribute to exist or that would remove a required 
attribute, given the current list of ObjectClasses. This can also 
occur if you do not specify a structural objectClass when creating an 
entry, or if you specify more than one structural objectClass."


It doesn't make much sense to try anything else if your NSS doesn't work; 
making it work isn't optional.
If you have populated LDAP successfully with smbldap-populate, at least 
the administrator and nobody accounts (or whatever was inserted in the 
base) must appear with getent. (You can make sure what was inserted by 
doing a slapcat.)


And the strange thing is, when I create the account with smbldap-useradd -m 
testuser it creates the home directory at /home/testuser but I don't 
know why it doesn't create a uid


Ok, -m makes the home directory, but what do you mean by "doesn't create 
a uid"? It's only a perl script that inserts something in the base 
directly; it doesn't fail when lacking NSS. Doesn't a dump of the base 
with slapcat show the user? Does the command give any error? If the user 
isn't in the base, your smbldap-tools install is broken too.



thanks for your help

best regards.



Regards.

Edmundo Valle Neto


Re: [Samba] Samba+LDAP problems

2007-11-04 Thread Edmundo Valle Neto

Marcelo Mogrovejo wrote:

(...)

Have you configured NSS? "gentent passwd" shows the user?

NSS is the same of /etc/nsswitch.conf ??


Yes, it's the configuration file of NSS; it says from which base the 
information is read. When using LDAP it needs to read from LDAP too.



No, getent passwd doesn't show me the users i created...


So, make it show :). Configuring NSS is not optional, and the 
documentation shows how to do it.




regards


Regards.

Edmundo Valle Neto


Re: [Samba] Samba+LDAP problems

2007-11-01 Thread Edmundo Valle Neto



Have you configured NSS? "gentent passwd" shows the user?


It's "getent".


Edmundo


Re: [Samba] Samba+LDAP problems

2007-11-01 Thread Edmundo Valle Neto

Marcelo Mogrovejo wrote:

Hi

(...)

I read these documents and I began again with samba+ldap...
This time I have no problems, except when I try to create a user for 
testing.
I create a testuser and I add a password for him, but when I try to 
log in with this user, he doesn't log in...
For example, with the command "su testuser" as root it shows me "Id 
desconocido: testuser" or "Unknown Id: testuser".


I don't know why it happens...


(...)

Have you configured NSS? "gentent passwd" shows the user?
If I remember right, smbldap-tools creates users with a null shell by 
default too.



Regards.

Edmundo Valle Neto


Re: [Samba] Samba+LDAP problems

2007-10-29 Thread Edmundo Valle Neto
If it was asked on the list, please answer to the list; other people 
cannot guess what was already answered.

Sending it back ...

(...)



Trying to add anything else works?
With the command line I don't know how to add another thing, but with 
phpldapadmin I can add, for example, users.


The best documentation are from smbldap-tools project [1] and samba [2], 
[3].


(...) 

I don't use LAM, but use smbldap-tools and phpldapadmin. Instead of 
saying that the services aren't properly configured (as nothing 
worked and you said that there isn't anything like that in google), I 
think it helps to begin from the beginning.


Are all services running in the same machine?
Before, services were running; now, I don't know what happened, but slapd 
doesn't work when I write /etc/init.d/slapd start as root in the command 
line. The syslog shows me this:


Oct 29 16:31:56 skull1 slapd[12409]: @(#) $OpenLDAP: slapd 2.3.38 (Sep 17 2007 21:09:04) $ [EMAIL PROTECTED]:/tmp/buildd/openldap2.3-2.3.38/debian/build/servers/slapd
Oct 29 16:31:57 skull1 slapd[12410]: bdb_db_open: Database cannot be opened, err 13. Restore from backup!
Oct 29 16:31:57 skull1 slapd[12410]: bdb(dc=skull-one,dc=com,dc=ar): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem
Oct 29 16:31:57 skull1 slapd[12410]: bdb(dc=skull-one,dc=com,dc=ar): txn_checkpoint interface requires an environment configured for the transaction subsystem
Oct 29 16:31:57 skull1 slapd[12410]: bdb_db_close: txn_checkpoint failed: Invalid argument (22)
Oct 29 16:31:57 skull1 slapd[12410]: backend_startup_one: bi_db_open failed! (13)
Oct 29 16:31:57 skull1 slapd[12410]: bdb_db_close: alock_close failed
Oct 29 16:31:57 skull1 slapd[12410]: slapd stopped.
Oct 29 16:31:57 skull1 slapd[12410]: connections_destroy: nothing to destroy.


I don't know why... yesterday it worked perfectly.


Probably your database is corrupted; you can try to fix it, recover a 
backup, or if you don't have a backup and nothing works, start it over. 
If you don't know how to do any of the alternatives, maybe it is time to 
learn a little more about how LDAP works, before trying to use it.


You said that you are using Debian right? 

yes
The package 3.0.26a doesn't come with the stable release "Etch", 
which release are you using? 

i have debian sid (unstable release)


I don't recommend it on servers. And I don't recommend it on desktops if 
you don't know how to solve your own problems.


How do you configure your apt repositories and install your packages? 
(If the packages related to the problem didn't come from the stable 
repository, it helps to write their versions.) 
I configured my apt repository manually with nano -w 
/etc/apt/sources.list and my repositories are:


deb http://ftp.uk.debian.org/debian/ sid main non-free contrib
deb-src http://ftp.uk.debian.org/debian/ sid main non-free contrib

ldap-account-manage 2.0.0-1
ldap-utils  2.3.38-1
slapd   2.3.38-1
smbldap-tools   0.9.4-1
phpldapadmin    0.9.8.4-2

I think that all packages are there...


Ok. Everything from Sid.


How did you populate your LDAP tree?

I can't populate my LDAP tree yet ...


The package drops a working database with practically only the root and 
administrator DNs. I mean preparing it to be used by samba, creating the 
needed OUs and domain information.


One detail. smbldap-tools doesn't use samba to do its job, it 
connects to LDAP directly, so, supposing that you have configured 
smbldap-tools properly, its very unlikely that the problem has 
anything to do with the samba package, as you have noticed that 
changing versions doesn't solve the problem.

aahh. ok.

thanks and best regards


1. http://download.gna.org/smbldap-tools/docs/
2. http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/
3. http://us4.samba.org/samba/docs/man/Samba-Guide/



Regards.

Edmundo Valle Neto


Re: [Samba] Samba+LDAP problems

2007-10-28 Thread Edmundo Valle Neto

Celodrake wrote:

Hello there...


Hi.


My name is Marcelo, I am new on this list.
I don't know if here is the right place for asking about samba + LDAP, 
if not, sorry...


Yes, it is.

I am finishing to implement a samba server with ldap support but, when 
i want to add some group to the samba domain i obtain the following 
error messages:

- SMBLDAP_TOOLS
# smbldap-groupadd -a -g 1 -s S-1-5-21-blablabla -t 2 domainadmins
erreur LDAP: Can't contact master ldap server for writing
(IO::Socket::INET: connect: Conexion rehusada) at
/usr/share/perl5/smbldap_tools.pm line 277.

This line code refers to master ldap server, this server is in 
/etc/smbldap-tools/smbldap.conf configuration file.


Trying to add anything else works?


- LAM (LDAP ACCOUNT MANAGER)
In section groups i press the New Group button and then i complete the 
form for Unix and Samba 3 sections, but when i press the Create 
Account button it show me the following error message:


(...)

I don't understand what line 1401 in the modules.inc file means; 
searching in Google I don't find information, only a person who 
advises using an old samba.schema version. I have the version which 
comes with the Debian package 3.0.26a and I downloaded the versions 3.0.25, 
3.0.24 and 3.0.23 but I had no luck, the problem is still there.


- PHPLDAPADMIN
In left menu, in ou=group section i press Create New Object button, i 
select Posix Group, i complete form with group name and GID and then 
press Proceed>> button. Then Create Object and i obtain the following 
error:


(...)

Searching in google i don't find any information about this error number.

I would be thankful if someone could help me with this problem.

Best regards


I don't use LAM, but use smbldap-tools and phpldapadmin. Instead of 
saying that the services aren't properly configured (as nothing worked 
and you said that there isn't anything like that in google), I think 
it helps to begin from the beginning.


Are all services running in the same machine?

You said that you are using Debian, right? The package 3.0.26a doesn't 
come with the stable release "Etch"; which release are you using? How do 
you configure your apt repositories and install your packages? (If the 
packages related to the problem didn't come from the stable 
repository, it helps to write their versions.) How did you populate your LDAP tree?


One detail. smbldap-tools doesn't use samba to do its job, it connects 
to LDAP directly, so, supposing that you have configured smbldap-tools 
properly, it's very unlikely that the problem has anything to do with the 
samba package, as you have noticed that changing versions doesn't solve 
the problem.



Regards.

Edmundo Valle Neto.


Re: [Samba] user == Administrator doesn't work

2007-10-24 Thread Edmundo Valle Neto

Vadim Vatlin wrote:

User in group Domain Admins hasn't superuser (Administrator) privileges.

For the first:

shell> adduser poweruser
shell> pdbedit -a -u poweruser
shell> id poweruser
uid=1004(poweruser) gid=1005(poweruser) groups=1005(poweruser)

shell> net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=poweruser type=d
shell> pdbedit -vL poweruser
Unix username:poweruser
NT username:  
Account Flags:[U  ]

User SID: S-1-5-21-464898509-599635920-2875905535-1009
Primary Group SID:S-1-5-21-464898509-599635920-2875905535-512
Full Name:poweruser
Home Directory:   \\domain\poweruser
HomeDir Drive:
Logon Script: 
Profile Path: \\domain\poweruser\profile

Domain:   DOMAIN
Account desc: 
Workstations: 
Munged dial:  
Logon time:   0

Logoff time:  never
Kickoff time: never
Password last set:Wed, 24 Oct 2007 15:44:59 MSD 
Password can change:  Wed, 24 Oct 2007 15:44:59 MSD

Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours : FF


shell> adduser plainuser
shell> pdbedit -a -u plainuser
shell> pdbedit -nL plainuser
[skip]
User SID: S-1-5-21-464898509-599635920-2875905535-1010
Primary Group SID:S-1-5-21-464898509-599635920-2875905535-513
[skip]

Now:
1) I login on share as "plainuser" and create folder "222".
2) logout.
3) Login as poweruser, and I can't remove folder "222"
 Permission denied.

Why???
  


You haven't included any information about the permissions on the
filesystem or how the share was configured. So, going by what you have
included... Making a user be called "powersomething" or be included in
any "Administrator of Whatever" group, or making the RIDs of these
accounts anything you want, doesn't make them have any special power.


For these accounts to be "seen" as such by the clients you set the proper
RIDs, and for these accounts to be able to perform *some* "administrative
tasks" you assign privileges.


There are two places where you can be allowed or denied to do something:
the system itself and Samba. The short answer: probably because your
filesystem permissions don't allow you to do that. There's only one
user that can do whatever it wants on a UNIX filesystem: root.



Have you read the chapter [1] of the Samba documentation that explains
how File, Directory, and Share Access Controls work? There's also a
chapter that explains what privileges are and do.


1. http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html



Regards.

Edmundo Valle Neto


Re: [Samba] Samba as PDC with XP Client - Logon requires reboot - Help Please

2007-10-15 Thread Edmundo Valle Neto

Ron Segal wrote:

Hi, I'm running the latest version of Samba with a tdbsam backend,
configured not to use roaming profiles. Two different XP clients (SP2)
are joined to the domain ok but users can only logon by rebooting before
entering their logon details.  When users logoff and try to logon again
(or logon as a different user on the same machine) they get the standard
message 'windows cannot connect to the domain either because the domain
controller is down or because your computer account was not found.
Please try again later .. ' etc.  Have tried fiddling with registry
entries and permissions but can't get this problem to go away.  Any
ideas on this would be appreciated. Cheers.


It would help if you posted your smb.conf and gave a little more
information about your network (if it is really only these 3 machines
and you want the Samba server to be the PDC of a little domain), and
about how you joined the workstations.



Regards.

Edmundo Valle Neto


Re: [Samba] PDC (can't fetch domain SID)

2007-09-10 Thread Edmundo Valle Neto

Leandro Tracchia wrote:

After running this command... I figured out what the problem was. The daemon
was not reading the correct smb.conf file. I thought the file was being read
from /usr/local/samba/lib/smb.conf, but apparently it was being read from
/etc/samba/smb.conf. Is this OK? Which is the correct location, if any?
Thanks for everyone's help.

(...)

Different distros can use different build options; what is "better" or
"right" is a question of taste/convention. Debian puts configuration
files in /etc, as all packages must comply with the Debian Policy [1]
(see section 10.7.2). It has its own conventions and its own reasons
to do that: tracking configuration files and preserving their contents
even if you upgrade the package.


In Debian you can see where a specific file is (or will be placed), and
in which package, using apt-file. Or list the contents of a package with
"dpkg -L packagename".


As in any distro, you can see how your Samba was built by running
"smbd -b"; it will show you the build options and paths being used.



1. http://www.debian.org/doc/debian-policy/ch-files.html



Regards.

Edmundo Valle Neto


Re: [Samba] Problems joining machine to domain

2007-09-05 Thread Edmundo Valle Neto

(...)


Yes, I saw that it didn't give any error, as the logs say that this
line "gave 0"; my doubt was whether it is really accepted or makes any
difference. Does your smbldap-useradd accept a "-t"?


Yes, sorry. I didn't find it in the idealx documentation but I
downloaded the Ubuntu Feisty package and it really has that option.


(...)



Regards.

Edmundo Valle Neto


Re: [Samba] Problems joining machine to domain

2007-09-05 Thread Edmundo Valle Neto

Misty Stanley-Jones wrote:

Anyway, when I try to join to the domain using smbldap-tools, here is 
my script in smb.conf:

add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
  



Can you explain to me what "-t" means and where did you get it from?

  -t  time. Wait 'time' seconds before exiting (when adding Windows
Workstation)

I copied it from the config before the upgrade, where it worked.  I took out
the -t 0 just to test, and I get the same result.
  


Yes, I saw that it didn't give any error, as the logs say that this line
"gave 0"; my doubt was whether it is really accepted or makes any
difference. Does your smbldap-useradd accept a "-t"?




  
If I run that by hand, as root, it adds the posixAccount but not the
sambaSamAccount.  On the Windows system I get an error like "No such user".

In the Samba logs, I see an error like this:

[2007/09/05 13:24:55, 3] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -t 0 -w "xptommy$"' gave 0
[2007/09/05 13:24:55, 3] passdb/pdb_interface.c:pdb_default_create_user(384)
  pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER

Just to be sure I had the privileges right:

 net rpc rights grant "CORP\Domain Admins" SeMachineAccountPrivilege

I am joining domains as 'root', who is a member of the Domain Admins group:

memberUid: root,misty,carl

Obviously smbldap-tools is set up at least somewhat correctly, because 
it is creating the posixAccount.  I re-ran 'smbpasswd -W' just to be 
sure that Samba could bind to the LDAP server.  I also tried using the 
username 'misty' to join the domain.  Same results every time.
 
Any idea what I can try next, apart from simply adding the 
sambaSamAccount objectclass by hand?


 
Misty Stanley-Jones

System Administrator



Have you configured NSS properly ("getent passwd" shows your machine accounts
from LDAP)? Any chance that you are using nscd and winbind?

Nss is configured just fine.  The getent command works just fine, both for
'root' and for 'misty'.  Should I be able to getent my machine accounts?
Hmm, I think I should.

OK, I had been specifying the base for users and groups in the nss
configuration file.  I took that off so it would search the whole tree.
Let's test...


Yep, that was it!  You must not specify nss_base_passwd (in
/etc/libnss-ldap.conf on my system) if your users and computers are in
different sections of the LDAP tree.  It makes sense now that I think about
it.  The downside is that the entire LDAP tree will be searched for users
every time nss is used.  I think I will definitely start using nscd
post-haste.

Any ideas on a better way to do this?

Misty


I never really bothered about that. The only thing I can do is say that
the documentation shows that in [1]: it says everything can be put
together, kept separate searching the whole tree, kept separate searching
with a sub scope, or kept separate with two options that would make the
subtrees be searched in sequence.


1. http://us1.samba.org/samba/docs/man/Samba-Guide/happy.html#id336060


Regards.

Edmundo Valle Neto


Re: [Samba] Problems joining machine to domain

2007-09-05 Thread Edmundo Valle Neto

Misty Stanley-Jones wrote:

Our Samba server was recently the recipient of a major upgrade.  I thought
all the kinks were worked out, but apparently not.

I think this is the first time I've tried to join a machine account to the
domain since the upgrade.  I've tried using smbldap-tools and also just
using smbpasswd (I have my users in LDAP).  I'll also say that 'net join'
works just fine from my Samba domain members to my Samba domain master.
 
First, the preliminaries:

OS: Ubuntu 7.04 Server
Samba Version: 3.0.24
Smbldap-tools Version: 0.9.2
Passdb Backend: LDAP (openLDAP)
 
Anyway, when I try to join to the domain using smbldap-tools, here is my
script in smb.conf:

add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"


Can you explain to me what "-t" means and where did you get it from?


If I run that by hand, as root, it adds the posixAccount but not the
sambaSamAccount.  On the Windows system I get an error like "No such user".
In the Samba logs, I see an error like this:
 
[2007/09/05 13:24:55, 3] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -t 0 -w "xptommy$"' gave 0
[2007/09/05 13:24:55, 3] passdb/pdb_interface.c:pdb_default_create_user(384)
  pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER
 
Just to be sure I had the privileges right:

 net rpc rights grant "CORP\Domain Admins" SeMachineAccountPrivilege
 
I am joining domains as 'root', who is a member of the Domain Admins group:

memberUid: root,misty,carl

Obviously smbldap-tools is set up at least somewhat correctly, because it is
creating the posixAccount.  I re-ran 'smbpasswd -W' just to be sure that
Samba could bind to the LDAP server.  I also tried using the username
'misty' to join the domain.  Same results every time.
 
Any idea what I can try next, apart from simply adding the sambaSamAccount
objectclass by hand?

 
Misty Stanley-Jones

System Administrator


Have you configured NSS properly ("getent passwd" shows your machine
accounts from LDAP)? Any chance that you are using nscd and winbind?


Regards.

Edmundo Valle Neto


Re: [Samba] Unable to join Win client to domain (user not found error)

2007-08-28 Thread Edmundo Valle Neto

Eric Evans wrote:

Hello,

I'm having some difficulty trying to join a WinXP client to our Samba
domain.  When I try to join the client to the domain and I submit the
computer name and the domain name in the computer identification control
panel, I'm prompted for the root user and password on the server, so I enter
root and the root password on our Samba server.  I then get a message saying
that it couldn't be joined to the domain because the username (i.e. root) is
not found.  But the root username and root account are definitely in the
server password system and in the Samba password file.  Furthermore, the
samba log indicates that the authentication of root was successful:

[2007/08/28 15:12:09, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2007/08/28 15:12:09, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2007/08/28 15:12:09, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root]
succeeded
[2007/08/28 15:12:11, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2007/08/28 15:12:11, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2007/08/28 15:12:11, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root]
succeeded
[2007/08/28 15:12:12, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2916)
  Returning domain sid for domain PLAB ->
S-1-5-21-442260237-273426051-107281484

And I have the machine record setup correctly for this client.  I have
joined other WinXP clients to this same domain without any trouble in the
past, but since I upgraded from Samba 3.0.22 to 3.0.25c now I seem to be
unable to join a client to this domain.  So I was hoping someone out there
might have some suggestions for further troubleshooting of this problem.
The global section of my smb.conf is as follows:

[global]
socket options = TCP_NODELAY
invalid users = bin daemon adm sync shutdown halt mail news uucp
print command = /bin/lp -d%p %s; sleep 5; rm -f %s
printer = 128_1
printing = SYSV

netbios name = pleiades
workgroup = PLAB
passdb backend = smbpasswd
os level = 65
preferred master = yes
domain master = yes
local master = yes
security = user
domain logons = yes
logon drive = h:
logon path =
logon script = %U.bat

log file = /var/log/samba.log
log level = 2
max log size = 500
debug timestamp = yes

encrypt passwords = yes

Thanks!
EJ
  


What does the log say (with a log level of 3)?
Have you never used the "add machine script" option in smb.conf? [1] You
upgraded Samba, didn't change smb.conf, and were able to join machines
on the fly before without creating unix accounts for them by hand?


1. http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id336155



Regards.

Edmundo Valle Neto


Re: [Samba] Re: SID

2007-08-27 Thread Edmundo Valle Neto

Dragan Krnic wrote:

What I ended up doing was to use an LDAP browser
and edit the domain accounts for each machine to
have the same SID.



we're not using LDAP but we can manipulate the trivial
data base file "secrets.tdb" to set the local SID to
any sensible SID.

Is it OK to set the local SID to the same value as
the domain SID?

In our network the PDC server has the same local SID
as the domain SID. All other member servers register
the same domain SID for the domain and a totally
different local SID for themselves in "secrets.tdb".

This works quite well, except that sometimes there
is an entry in samba logs that a domain-qualified
user SID with correct RID for an existing user with
the same UID=(RID-1000)/2 and same GIDs on all member
servers can't be mapped to his name, e.g.

  [2007/08/21 20:48:26, 0]
smbd/posix_acls.c:create_canon_ace_lists(1421)
create_canon_ace_lists: unable to map SID
S-1-5-21-3574958883-2392404172-2943802112-2590 to uid or gid.

whereby RID=2590 translates to UID=795, a well-known
user in our domain S-1-5-21-3574958883-2392404172-2943802112.

Is it OK to set the local SID to the same value as
the domain SID, as the quoted posting seems to imply?
  


http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetCommand.html#id365521

"... there is now a safe copy of the local machine SID. On a PDC/BDC 
this is the domain SID also."


So, as the documentation says, yes, on a PDC/BDC the machine SID IS 
equal to the domain SID.



Regards.

Edmundo Valle Neto


Re: [Samba] Subnet not visible in Network Neighbourhood

2007-08-27 Thread Edmundo Valle Neto

Alessandro FAGLIA wrote:

Hi list!

I've got a debian "etch" box running samba 3.0.24.
The server is a firewall (running Shorewall 3.2.6) with five NICs:
eth0 -> DSL (it has a public IP address and it allows all the people 
browse by masquerading other interfaces)

eth1 and eth3 -> bond0 (IP address is 192.168.1.1/24)
eth2 and eth4 -> bond1 (IP address is 192.168.2.1/24)
BTW, bond+ refers to an interface which enslaves two physical NICs.

Samba is acting as WINS server, and I don't have other Windows Servers 
which acts as PDCs or WINS servers.

There is no PDC in the network.

The smb.conf is the following (only [global] section is reported):

[global]
workgroup = WORK
server string = server Etch
interfaces = 192.168.1.0/24, 192.168.2.0/24, 10.1.0.0/24, 127.0.0.1/8
bind interfaces only = Yes
obey pam restrictions = Yes
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
wins support = Yes
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
invalid users = root
hosts allow = 192.168.1., 192.168.2., 10.1., 127.

10.1.0.0/24 is a subnet for OpenVPN roadwarriors.

The problem is that from my laptop (belonging to 192.168.1.0/24
subnet), running Windows XP Pro SP2, in the Network Neighbourhood I
can only see machines belonging to my subnet. Machines of the other
subnet are not listed, even if I can reach them (e.g. \\machine shows
me shares and printers). The same for machines belonging to the second
subnet, with the difference that they can only see machines in their
subnet.
I checked the firewall, and apparently there are no rules which block 
broadcast traffic between the two subnets.


Any hint is GREATLY appreciated.

TIA
--Alessandro


Read this (it explains how cross-subnet browsing works):
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id349811

In fact I recommend you to read the entire chapter about network 
browsing (it explains the roles of LMBs, DMBs, WINS, etc, and how they 
work).



Regards.

Edmundo Valle Neto


Re: [Samba] Automatically running a script on Samba PDC when Windows user changes his password

2007-08-23 Thread Edmundo Valle Neto

Felip Manyé wrote:

Hello,
  


Hello.


I've installed a Samba 3 PDC using LDAP authentication, along with the
smbldap tools, on Ubuntu GNU/Linux. Everything works fine and (XP Pro)
Windows clients can join my domain.
I would like Samba to automatically run a (home made) script on the PDC
server when the user changes his password on his machine in order to update
it on other servers (for instance our mail server uses another LDAP for
authentication, but there are still many accounts of this kind), so that the
user has to remember only one password for all these applications.
I've already had a look at the "passwd program" line in my smb.conf file. By
default it was commented like this:

#passwd program = /usr/sbin/smbldap-passwd ?u %u
  


It's "-u" not "?u".


and "ldap passwd sync" is set to Yes (which seems quite sensible since I use
LDAP authentication).
  


These options serve similar purposes.
"ldap passwd sync" works alone.
"unix password sync" works by executing "passwd program" with "passwd chat"
to sync the unix password.

With LDAP, just setting "ldap password sync" is enough, and when "unix
password sync" is set to no, the other options aren't used.

So, you can set "unix password sync" and put in another script (it wasn't
made for that purpose, but it works).
Or turn off "ldap password sync" and use "unix password sync" with a
changed smbldap-tools script that does what it already does plus what
you want it to do.


The matter is that I was unable to use this line to automatically run a
script as explained above. As an example I've tried to create a file (in a
directory with 777 permissions) with the "touch" command (passwd program =
touch mydirectory/myfile), but it has no effect.


This script is executed by root, so the permissions assigned to others
don't make much difference. The script cannot be executed as a
normal user.


I may not have correctly
understood this feature, or maybe it cannot be used with LDAP
authentication.
  


If you didn't have "unix password sync = yes" it will not execute. I just
don't know what the behavior of Samba would be if the command or script
that you put in there begins to write things to stdout or stderr.


Do you know whether this kind of trick is possible, and if so how to achieve
it ?

Thanks in advance,

Felip.
  


Take a look at the man page of smb.conf; there are some details on making
a "passwd program" work. It should honor the password chat too and will
always be executed as root.

I use something like that (changing the smbldap-tools script) to sync
digest hashes for authentication through squid digest ldap helper.


Regards.

Edmundo Valle Neto
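
Added example (not from either poster or from the Samba project): a Python stand-in for "passwd program" that speaks the passwd chat quoted in an smb.conf elsewhere on this page and, on success, stores an HTTP Digest HA1 hash. The realm, the file path, the install path and the htdigest-style file used in place of LDAP are assumptions.

```python
#!/usr/bin/env python3
"""Stand-in "passwd program" for smb.conf (added example with a hypothetical hook)."""
import hashlib
import os
import re
import sys

# Prompts chosen to satisfy the passwd chat quoted in an smb.conf on this page:
#   *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n
#   *password\supdated\ssuccessfully* .
PROMPT_NEW = "Enter new UNIX password: "
PROMPT_RETYPE = "Retype new UNIX password: "
SUCCESS = "password updated successfully"

REALM = "proxy.example"                      # assumption: digest realm
HASH_FILE = "/etc/squid/digest_ha1.example"  # assumption: placeholder path
SAFE_USER = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")


def digest_ha1(user, realm, password):
    """HA1 value of HTTP Digest authentication: MD5(user:realm:password)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def store_ha1(user, password, path=HASH_FILE, realm=REALM):
    """Hypothetical sync hook: replace the user's "user:realm:HA1" line."""
    prefix = f"{user}:{realm}:"
    lines = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            lines = [ln for ln in fh.read().splitlines() if not ln.startswith(prefix)]
    lines.append(prefix + digest_ha1(user, realm, password))
    # HA1 is password-equivalent for that realm, so the file is owner-only.
    fd = os.open(path + ".tmp", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")
    os.replace(path + ".tmp", path)  # atomic swap, readers never see half a file
    return True


def change_password(user, stdin, stdout, hook=store_ha1):
    """Speak the chat on stdin/stdout and return the process exit status.

    The password arrives on stdin through the chat, never on the command line.
    """
    if not SAFE_USER.fullmatch(user):
        return 2  # refuse unexpected %u values and print nothing
    stdout.write(PROMPT_NEW)
    stdout.flush()
    first = stdin.readline().rstrip("\r\n")
    stdout.write("\n" + PROMPT_RETYPE)
    stdout.flush()
    second = stdin.readline().rstrip("\r\n")
    if not first or first != second:
        stdout.write("\nSorry, passwords do not match\n")
        return 1
    try:
        ok = hook(user, first)
    except OSError:
        ok = False
    # The chat above completes only when it sees the success line.
    stdout.write("\n" + (SUCCESS if ok else "password unchanged") + "\n")
    stdout.flush()
    return 0 if ok else 1


if __name__ == "__main__":
    # smb.conf (assumed install path):
    #   unix password sync = yes
    #   passwd program = /usr/local/sbin/pw-sync %u
    if len(sys.argv) != 2:
        sys.exit(2)
    sys.exit(change_password(sys.argv[1], sys.stdin, sys.stdout))
```

The script writes nothing but the prompts and the final status line to stdout, since that output is what the passwd chat patterns are matched against.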



Re: [Samba] Using LDAP and Unix Group Group Mappings

2007-07-18 Thread Edmundo Valle Neto

Svancara, Randall wrote:

Hello all,

I could not find anything in the discussion groups or documentation
about using LDAP and Unix group mappings.  


The documentation states that in order to map unix groups to samba
groups, you need to use the net group add command.  However, I have an
ldap backend and all my groups, that I care about are in LDAP.
  


Yes, it states that, but in all examples a tdbsam backend is used not ldap.

So I have a group called mainwdev. 


dn: cn=test,ou=Group,dc=somewhere,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-582185903-2148186938-2210701745-801
sambaGroupType: 2
objectClass: top
cn: test
gidNumber: 801
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
memberUid: user6

Now, if I run "net groupmap list", I can see the group mapping as
follows.

test (S-1-5-21-582185903-2148186938-2210701745-801) -> test

But when I attempt to log onto a share that only allows anyone that
belongs to the group test (say user1), I get permission denied errors.
  


It should be another problem not related to group mapping.


Do I still have to run "net group map" command to establish a
relationship between unix and samba groups?
  


No. When using LDAP, the objectClass sambaGroupMapping represents the
relationship between the UNIX and NT groups (which in LDAP are normally
stored in the same dn, and almost all tools create the accounts that way
by default).


You can use "net groupmap" with LDAP when you have UNIX and NT groups in
different places (let's suppose that you have one container for UNIX
groups and another for NT groups), and it works, but normally nobody
creates groups that way unless they have a good reason.



Randall
  


Regards.

Edmundo Valle Neto


Re: [Samba] [Urgent] Cannot make changes via pdbedit

2007-07-17 Thread Edmundo Valle Neto

Edmundo Valle Neto wrote:

Jason Baker wrote:
I have been having some problems since I updated from Samba 3.0.23 to 
3.0.25b. I have installed the latest version of smbldap-tools but I 
am still not able to make certain changes to a user's account. I have 
created a new user named JROLFE.
After I set up a new user, I will set it so they are required to 
change their password when they first login. I usually do this 
through LDAP Account Manager.
I set User can change password to a date in the past and User must 
change password to a date in the past. But for some reason it didn't 
work. If I run pdbedit -Lv -u jrolfe, I get:


   Password last set:Mon, 01 Jan 2007 03:00:00 EST
   Password can change:  Mon, 08 Jan 2007 03:00:00 EST
   Password must change: never

If I run ../smbldap-usershow jrolfe, I get:

   sambaPwdCanChange: 1183795200
   sambaPwdLastSet: 1167638400
   sambaPwdMustChange: 1167638400

The unix times converted to english are: Sat, 07 Jul 2007 08:00:00 
GMT and Mon, 01 Jan 2007 08:00:00 GMT. So you can see that the dates 
do not match between pdbedit and smbldap-tools.
This is really causing a problem because I am trying to set up a new 
user and cannot get his password to expire.


According to the samba documentation:

sambaPwdLastSet: The integer time in seconds since 1970 when the
sambaLMPassword and sambaNTPassword attributes were last set.


sambaPwdCanChange: Specifies the time (UNIX time format) after which
the user is allowed to change his password. If this attribute is not
set, the user will be free to change his password whenever he wants.


sambaPwdMustChange: Specifies the time (UNIX time format) when the
user is forced to change his password. If this value is set to 0, the
user will have to change his password at first login. If this
attribute is not set, then the password will never expire.


"UNIX time format" (1) means exactly that: time measured in seconds
since 1970, and your results appear to be coherent with time measured
in seconds.


sambaPwdCanChange: 1183795200
sambaPwdLastSet: 1167638400

Your sambaPwdCanChange is 7 days (measured in seconds) beyond
sambaPwdLastSet (that is exactly the same result that pdbedit is
showing).


Passwords can be forced to change using smbldap-tools "smbldap-usermod
-B 1 user" too. And as the docs say, users are forced to change their
passwords when sambaPwdMustChange is set to 0.


I don't know how your system used to be, but the docs say how it
should behave.


1. http://en.wikipedia.org/wiki/Unix_time


Regards.

Edmundo Valle Neto


Sorry, calculating the times, it seems that one of the results really is
incorrect, even with Unix time format.


Password last set is correct; the difference is between GMT and EST.
But Password can change isn't.

Do you have any policy set about password changing?

Regards.

Edmundo Valle Neto
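
Added example, not part of either message: Python that converts the three attribute values quoted above from Unix time and compares them with the pdbedit lines from the same report. The fixed UTC-5 offset used for EST is an assumption.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets for the zone abbreviations in the quoted output
# (assumption: no DST handling, which is enough for these January dates).
ZONES = {"GMT": 0, "EST": -5}
FMT = "%a, %d %b %Y %H:%M:%S"

# Values quoted in the message above (smbldap-usershow output).
LDAP = {
    "sambaPwdLastSet": 1167638400,
    "sambaPwdCanChange": 1183795200,
    "sambaPwdMustChange": 1167638400,
}
# The matching pdbedit -Lv lines from the same message.
PDBEDIT = {
    "sambaPwdLastSet": "Mon, 01 Jan 2007 03:00:00 EST",
    "sambaPwdCanChange": "Mon, 08 Jan 2007 03:00:00 EST",
    "sambaPwdMustChange": "never",
}


def epoch_to_gmt(seconds):
    """Render a Unix timestamp the way the thread quotes it, in GMT."""
    return datetime.fromtimestamp(seconds, timezone.utc).strftime(FMT) + " GMT"


def pdbedit_to_epoch(text):
    """Parse a pdbedit date line back to Unix time; 'never' gives None."""
    if text.strip() == "never":
        return None
    stamp, zone = text.rsplit(" ", 1)
    tz = timezone(timedelta(hours=ZONES[zone]))
    return int(datetime.strptime(stamp, FMT).replace(tzinfo=tz).timestamp())


def must_change_meaning(value):
    """Interpret sambaPwdMustChange as the documentation quoted above describes."""
    if value is None:
        return "attribute not set: password never expires"
    if value == 0:
        return "must change at first login"
    return "must change at " + epoch_to_gmt(value)


def compare(ldap=LDAP, pdbedit=PDBEDIT):
    """Per attribute: LDAP value minus pdbedit value in seconds, or None
    when pdbedit prints 'never' and there is nothing to subtract."""
    report = {}
    for attr, shown in pdbedit.items():
        shown_epoch = pdbedit_to_epoch(shown)
        report[attr] = None if shown_epoch is None else ldap[attr] - shown_epoch
    return report


if __name__ == "__main__":
    for attr, delta in compare().items():
        days = "n/a" if delta is None else f"{delta / 86400:+.0f} days"
        print(f"{attr:20} LDAP={epoch_to_gmt(LDAP[attr])}  "
              f"pdbedit={PDBEDIT[attr]}  difference={days}")
    print("sambaPwdMustChange in LDAP:", must_change_meaning(LDAP["sambaPwdMustChange"]))
```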




Re: [Samba] [Urgent] Cannot make changes via pdbedit

2007-07-17 Thread Edmundo Valle Neto

Jason Baker wrote:
I have been having some problems since I updated from Samba 3.0.23 to 
3.0.25b. I have installed the latest version of smbldap-tools but I am 
still not able to make certain changes to a user's account. I have 
created a new user named JROLFE.
After I set up a new user, I will set it so they are required to 
change their password when they first login. I usually do this through 
LDAP Account Manager.
I set User can change password to a date in the past and User must 
change password to a date in the past. But for some reason it didn't 
work. If I run pdbedit -Lv -u jrolfe, I get:


   Password last set:Mon, 01 Jan 2007 03:00:00 EST
   Password can change:  Mon, 08 Jan 2007 03:00:00 EST
   Password must change: never

If I run ../smbldap-usershow jrolfe, I get:

   sambaPwdCanChange: 1183795200
   sambaPwdLastSet: 1167638400
   sambaPwdMustChange: 1167638400

The unix times converted to english are: Sat, 07 Jul 2007 08:00:00 GMT 
and Mon, 01 Jan 2007 08:00:00 GMT. So you can see that the dates do 
not match between pdbedit and smbldap-tools.
This is really causing a problem because I am trying to set up a new 
user and cannot get his password to expire.


According to the samba documentation:

sambaPwdLastSet: The integer time in seconds since 1970 when the
sambaLMPassword and sambaNTPassword attributes were last set.


sambaPwdCanChange: Specifies the time (UNIX time format) after which the
user is allowed to change his password. If this attribute is not set,
the user will be free to change his password whenever he wants.


sambaPwdMustChange: Specifies the time (UNIX time format) when the user
is forced to change his password. If this value is set to 0, the user
will have to change his password at first login. If this attribute is
not set, then the password will never expire.


"UNIX time format" (1) means exactly that: time measured in seconds since
1970, and your results appear to be coherent with time measured in seconds.


sambaPwdCanChange: 1183795200
sambaPwdLastSet: 1167638400

Your sambaPwdCanChange is 7 days (measured in seconds) beyond
sambaPwdLastSet (that is exactly the same result that pdbedit is showing).


Passwords can be forced to change using smbldap-tools "smbldap-usermod
-B 1 user" too. And as the docs say, users are forced to change their
passwords when sambaPwdMustChange is set to 0.


I don't know how your system used to be, but the docs say how it should
behave.


1. http://en.wikipedia.org/wiki/Unix_time


Regards.

Edmundo Valle Neto


Re: [Samba] Help Finding a How-To

2007-07-17 Thread Edmundo Valle Neto

Dalton Calford wrote:
I have been reading documentation for over two hours and I am getting 
glazed-eyed.


I have a Fedora box, that authenticates users from an existing windows 
domain.


The users do not have a local account on the Fedora box, so they do 
not have a local home directory.


I need to know what setting/script is needed in order to have the home 
directory automatically created if it does not already exist.


Could someone point me to the appropriate documentation for that?

Thanks

Dalton


Try searching for pam_mkhomedir.

Edmundo Valle Neto


Re: [Samba] Purpose of Browse Lists if you have WINS

2007-07-10 Thread Edmundo Valle Neto

Adam Tauno Williams wrote:

What are the point of Browse Lists if you have a WINS server?  Unless
I'm mistaken, Browse Lists and WINS servers both serve the same purpose:
to resolve NetBIOS names to IP addresses.  So in a Windows Domain, if I
have a WINS server, why do I even bother messing with Browse Lists?
I'm kind of new to Windows Domains and I'm also new to Samba (in any
capacity more complicated than simple SMB file sharing) so I'm trying to
understand some of these basic concepts and would really appreciate any
help.



This seems like more of a general Windows network administration
question;  with little specifically to do with Samba.  You'll probably get
a better response in a Windows networking forum.
  


I doubt it, here is a better place to ask. :P

You can take a look at the samba docs, it has an entire chapter about 
how browsing works:

http://samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html


TIP:  If you want to avoid using browsing, etc... you can set the
NetBIOS node type of your workstations either in the registry or via
DHCP.


Node types define the way the client registers and resolves NetBIOS names.
http://support.microsoft.com/?scid=kb%3Ben-us%3B160177&x=15&y=10


Regards.

Edmundo Valle Neto


Re: [Samba] workgroup to domain migration question

2007-07-03 Thread Edmundo Valle Neto

De Leeuw Guy wrote:

Hi all
  


Hi


I try to transform our old workgroup to a domain.
I read a lot of doc about that and smb-ldap tools.
I cannot use smb-ldap tools because I have a running ldap database with
our unix accounts.
  


Well, I think that you can continue to have it the way it is and use 
smbldap-tools with higher ids.



I build my own script to update our database.

Questions :
- For the admin account I modify the uid=admin, uidNumber=1033 and
gid=512 to secure the server root account. (no homeDirectory and
loginShell).
Is it correct?
  


I didn't understand very well what you have done, but yes, a user without 
a valid loginShell cannot log in to the system.



- For the accounts : Administrators, Account Operators, Print
Operators, Backup Operators and Replicators, which are the correct SIDs?
S-1-5-32-544 or a form like S-1-5-21-374813769-5580279-1681509432-544?
  


smbldap-tools creates them in the S-1-5-32-XXX form. But really only a 
few accounts are expected to be seen by domain clients in a samba domain 
with the right RID making any difference.


See:
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#WKURIDS


- For the sambaSID users I use the localSID + uidNumber, is it ok?
- For the sambaSid of unix groups (each user has his own group)
I use localsid + uidNumber + 1000. Is the primaryGroupSID needed? If
yes, which?

- For hosts I use localsid + uidNumber + 2000, ok?

Could you help me to clarify that?
  


Smbldap-tools used to create RIDs in an odd/even algorithmic fashion, 
never clashing. Posix accounts have separate allocation spaces, but in 
Windows, accounts share the same RID space and users/groups cannot clash.
Your accounts will probably start to clash after 1000 created user 
accounts (as uids/gids are not reused).

primaryGroupSID is normally "Domain Users".


Thanks in advance
Guy
  


Regards.

Edmundo Valle Neto
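
The RID clash described in the reply above, worked through as an added example (not code from the thread or from smbldap-tools). It compares the offset scheme from the question with an odd/even mapping; the `2*id + 1000` / `2*id + 1001` formulas, the use of 1033 as the first uidNumber, the private group sharing the user's id, and the sample accounts are assumptions of this example.

```python
from collections import defaultdict

# Domain part of the SID quoted in the question.
DOMAIN_SID = "S-1-5-21-374813769-5580279-1681509432"

# Constructed sample accounts: (name, kind, POSIX uidNumber or gidNumber).
SAMPLE_ACCOUNTS = [
    ("alice", "user", 1033),
    ("alice (private group)", "group", 1033),
    ("bob", "user", 2033),
    ("bob (private group)", "group", 2033),
    ("pc01$", "host", 1040),
]


def offset_rid(kind, posix_id):
    """Scheme from the question: uidNumber, +1000 for groups, +2000 for hosts."""
    return posix_id + {"user": 0, "group": 1000, "host": 2000}[kind]


def odd_even_rid(kind, posix_id):
    """Odd/even mapping: users and hosts get even RIDs, groups get odd RIDs.

    The base of 1000 is an assumption of this example; it keeps generated
    RIDs above the well-known ones (below 1000).
    """
    return 2 * posix_id + (1001 if kind == "group" else 1000)


def clashes(accounts, scheme):
    """Return {full SID: [account names]} for every SID used more than once."""
    by_rid = defaultdict(list)
    for name, kind, posix_id in accounts:
        by_rid[scheme(kind, posix_id)].append(name)
    return {
        f"{DOMAIN_SID}-{rid}": names
        for rid, names in by_rid.items()
        if len(names) > 1
    }


def users_until_first_clash(scheme, first_uid=1033, limit=5000):
    """Create users one by one (each with a private group using the same id)
    and return how many users exist when the first duplicate RID appears,
    or None if no duplicate shows up within `limit` users."""
    seen = set()
    for n in range(limit):
        posix_id = first_uid + n
        for kind in ("user", "group"):
            rid = scheme(kind, posix_id)
            if rid in seen:
                return n + 1
            seen.add(rid)
    return None


if __name__ == "__main__":
    for scheme in (offset_rid, odd_even_rid):
        print(scheme.__name__)
        print("  clashes in sample:", clashes(SAMPLE_ACCOUNTS, scheme))
        print("  users until first clash:", users_until_first_clash(scheme))
```

With the offset scheme the user whose uidNumber is 1000 higher than an existing one lands on that account's group RID, which is the clash after 1000 created accounts that the reply predicts.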


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-29 Thread Edmundo Valle Neto

mikelOn wrote:

Hi,

I have been trying different approaches to get it working and apparently I
do need nss installed to get it working (which I have not found as mandatory
in many tutorials). Once I installed nss-ldap and configured it still
failed, but then I removed the line "ldapsam:trusted = yes" and the machines
started to join the domain correctly.

Summing up, I needed nss-ldap and I did not need "ldapsam:trusted = yes".
Now I am trying to get the whole thing working with "ldapsam:trusted = yes"
uncommented.

Thank you all very much for your help. I expect to be able to help others
solve the problems I have had.



NSS is mandatory in the samba documentation; the other "cake 
recipes" that you have read are probably incomplete.
You can read the smb.conf man page to see what is expected from 
"ldapsam:trusted = yes". You don't need it for samba to work, but it speeds 
up name resolution, resolving names directly in LDAP without consulting 
NSS. You must have all samba accounts in LDAP and with samba and posix 
attributes together in each object. So, yes, it can be problematic.


Regards.

Edmundo Valle Neto




Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-28 Thread Edmundo Valle Neto

mikelOn wrote:

The last few lines of the "pdbedit -v root" command show the following:


pm_process() returned Yes
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=EREMU))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=EREMU))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
init_sam_from_ldap: Entry found for user: root
Unix username:root
NT username:  root
Account Flags:[U  ]
User SID: S-1-5-21-325600022-3777026502-3741709481-500
ldapsam_getgroup: Did not find group
Primary Group SID:S-1-5-21-325600022-3777026502-3741709481-513
Full Name:root
Home Directory:   \\SAMBA\root
HomeDir Drive:H:
Logon Script: LOGON.BAT
Profile Path: \\SAMBA\profiles\root
Domain:   EREMU
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  mar, 19 ene 2038 04:14:07 CET
Kickoff time: mar, 19 ene 2038 04:14:07 CET
Password last set:mié, 27 jun 2007 20:35:52 CEST
Password can change:  0
Password must change: sáb, 11 ago 2007 20:35:52 CEST
Last bad password   : 0
Bad password count  : 0
Logon hours : FF


As you can see, the same error shows up: GROUP NOT FOUND

Do you know why?

Thanks


Edmundo Valle Neto wrote:
  

mikelOn wrote:


I have added the parameter "ldapsam:trusted = yes" and now the samba
error
has changed to NT_STATUS_UNSUCCESSFUL. The logs say the following:


[2007/06/27 22:41:11, 4] auth/auth_sam.c:sam_account_ok(138)
  sam_account_ok: Checking SMB password for user root
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/06/27 22:41:11, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/06/27 22:41:11, 3]
passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2663)
  primary group of [root] not found
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 0] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
[2007/06/27 22:41:11, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [eremu] was
for this SAM.
[2007/06/27 22:41:11, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [root] -> [root] FAILED
with
error NT_STATUS_UNSUCCESSFUL
[2007/06/27 22:41:11, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX)
NT_STATUS_UNSUCCESSFUL
[2007/06/27 22:41:11, 3] smbd/process.c:timeout_processing(1359)
  timeout_processing: End of file from client (client has disconnected).
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2007/06/27 22:41:11, 3] smbd/server.c:exit_server_common(675)
  Server exit (normal exit)


Do you see anything familiar here?
Thanks
  
  

What does "pdbedit -v root" show?

Regards.

Edmundo Valle Net


What's the output of:

net groupmap list
smbldap-usershow root
smbldap-groupshow "Domain Admins"

?

ps: I'm not interested in your password hashes :)

You said that root belongs to the Domain Admins group, but the RID 513 is 
the known RID of the Domain Users group.



Regards.

Edmundo Valle Neto
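
The diagnosis made in this exchange, as an added example (not code from the thread or from Samba): it reads the RIDs out of the quoted `pdbedit -v root` output, names them from the well-known RID values, and ties the failed logon in the smbd log to the earlier "primary group ... not found" record. The sample lines are copied from the messages above, including the mail line wrapping; the function names are this example's own.

```python
import re

# Well-known domain RIDs (the same values in every NT-style domain).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests", 515: "Domain Computers"}

# Lines copied from the "pdbedit -v root" output quoted in the thread.
PDBEDIT_OUTPUT = """\
Unix username:root
User SID: S-1-5-21-325600022-3777026502-3741709481-500
ldapsam_getgroup: Did not find group
Primary Group SID:S-1-5-21-325600022-3777026502-3741709481-513
"""

# Lines copied from the smbd log quoted in the thread, wrapped as in the mail.
SMBD_LOG = """\
[2007/06/27 22:41:11, 3]
passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2663)
  primary group of [root] not found
[2007/06/27 22:41:11, 0] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
[2007/06/27 22:41:11, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [root] -> [root] FAILED with
error NT_STATUS_UNSUCCESSFUL
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
SOURCE = re.compile(r"^(\S+?):(\w+)\((\d+)\)\s*(.*)$")
SID_FIELD = re.compile(r"^(User SID|Primary Group SID)\s*:\s*(S-[\d-]+)\s*$", re.M)
AUTH_FAIL = re.compile(
    r"Authentication for user \[(.*?)\] -> \[(.*?)\] FAILED with error (\w+)")


def rid_name(sid):
    """Return (rid, well-known name or None) for a SID string."""
    rid = int(sid.rsplit("-", 1)[1])
    return rid, WELL_KNOWN_RIDS.get(rid)


def check_pdbedit(text):
    """Summarise the SID fields of one account from pdbedit -v output."""
    sids = dict(SID_FIELD.findall(text))
    user_rid, user_name = rid_name(sids["User SID"])
    group_rid, group_name = rid_name(sids["Primary Group SID"])
    return {
        "user": user_name or user_rid,
        "primary_group": group_name or group_rid,
        "same_domain": (sids["User SID"].rsplit("-", 1)[0]
                        == sids["Primary Group SID"].rsplit("-", 1)[0]),
        "group_lookup_failed": "ldapsam_getgroup: Did not find group" in text,
    }


def parse_smbd_log(text):
    """Split a log into records; a record starts at a '[date, level]' header
    and keeps every following line, so wrapped headers are handled too."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "body": [m.group(3)]})
        elif records and line.strip():
            records[-1]["body"].append(line)
    for rec in records:
        body = re.sub(r"\s+", " ", " ".join(rec.pop("body"))).strip()
        m = SOURCE.match(body)
        rec["source"], rec["function"], rec["message"] = (
            (m.group(1), m.group(2), m.group(4)) if m else (None, None, body))
    return records


def explain_auth_failures(records):
    """For each failed logon return (account, status, earlier cause or None)."""
    results = []
    for i, rec in enumerate(records):
        m = AUTH_FAIL.search(rec["message"])
        if not m:
            continue
        account = m.group(2)
        wanted = f"primary group of [{account}] not found"
        cause = next((r["message"] for r in reversed(records[:i])
                      if wanted in r["message"]), None)
        results.append((account, m.group(3), cause))
    return results


if __name__ == "__main__":
    print(check_pdbedit(PDBEDIT_OUTPUT))
    print(explain_auth_failures(parse_smbd_log(SMBD_LOG)))
```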


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto

mikelOn wrote:

I have added the parameter "ldapsam:trusted = yes" and now the samba error
has changed to NT_STATUS_UNSUCCESSFUL. The logs say the following:


[2007/06/27 22:41:11, 4] auth/auth_sam.c:sam_account_ok(138)
  sam_account_ok: Checking SMB password for user root
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/06/27 22:41:11, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/06/27 22:41:11, 3]
passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2663)
  primary group of [root] not found
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 0] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
[2007/06/27 22:41:11, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [eremu] was
for this SAM.
[2007/06/27 22:41:11, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [root] -> [root] FAILED with
error NT_STATUS_UNSUCCESSFUL
[2007/06/27 22:41:11, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX)
NT_STATUS_UNSUCCESSFUL
[2007/06/27 22:41:11, 3] smbd/process.c:timeout_processing(1359)
  timeout_processing: End of file from client (client has disconnected).
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2007/06/27 22:41:11, 3] smbd/server.c:exit_server_common(675)
  Server exit (normal exit)


Do you see anything familiar here?
Thanks
  


What does "pdbedit -v root" show?

Regards.

Edmundo Valle Neto


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto

John Drescher wrote:

Sorry if it is a bit of a pain that I am also answering this thread
but I do experience the same  problem...


There's a LOT of things that can go wrong when using LDAP as you can
populate and use it the way YOU want, but samba expects it in a 
proper way.


It's recommended that you populate it using smbldap-populate.

Did not do that.


It's just recommended, not necessary. I think it's more error prone to do that 
using ldif files (idealx scripts already do the initial population for 
you, without problems).  Of course, in a clean install.



You need to have the tools configured properly.

Yes, according to the docs I have this correct.


You need to have a user that has rights to join machines, a root
account WITH samba attributes, or another user with proper privileges
assigned by hand.

Yes. It does not matter whether I use root or a user with the correct
privileges.


It would be easier just looking at the log errors.




Samba must know the password of the ldap administrator to be able to
change it.


Samba has that for me.

John



Regards.

Edmundo Valle Neto



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto

mikelOn wrote:

I am using debian etch for the testing but I have had the same problem with
gentoo 2007.0. I used smbldap-populate (the admin user is "root" so no
parameters at all) and I also tried with "-u 5 and -g 5" so that
user ids do not overlap.
  


Probably you didn't configure something in all the distros.
High ids are used principally in migrations when you don't want them to 
clash with old ids (made who knows how).



Do I need anything else (nss) if I am not authenticating *nix clients?

getent passwd does not show the machine accounts, should they be also be
there and not only in the ldap? I thought that was not necessary.
  


Yes, you do need NSS working. I don't know where exactly it breaks when 
you don't have it. If you don't want to use posix accounts with samba 
simply give them a null shell (set the loginShell attribute to 
/bin/false) and they will not be able to be used (if you don't have 
PAM configured, I doubt that you can use them too). (If I remember right 
smbldap-tools in debian already creates accounts with a null shell)


Samba has an option called "ldap:trusted = yes", but I don't know if NSS 
is really NOT USED even if you do that in recent versions of samba. 
Maybe the developers can answer that.


Anyway the system uses NSS to resolve posix account names. And samba 
needs posix accounts to map samba accounts.


In debian you install and configure the package libnss-ldap and set it 
to be used in /etc/nsswitch.conf.


You can test NSS with "getent passwd" and "getent group", your accounts 
in ldap must be visible then.



Regards.

Edmundo Valle Neto


I use the root user to join the machines and the smb query you suggest
works properly. I can even list the samba shares from the windows machines.

Thanks again


Edmundo Valle Neto wrote:
  

What distro are you using?
How did you populate it?
I use Debian (it's a little different), but how did you configure NSS? 
(does "getent passwd" show your machine accounts?)
What user are you using to join? (if root, does "smbclient -L localhost 
-Uroot" work on the shell to list the shares?)


Regards.

Edmundo Valle Neto

mikelOn wrote:


I am not running nscd :(

Thanks for your response


simo-7 wrote:
  
  

On Wed, 2007-06-27 at 09:45 -0700, mikelOn wrote:


About the samba attributes, when you add a machine account the script 
"add machine" must NOT ADD SAMBA ATTRIBUTES, only posix, samba does
that 
alone. Refer to the idealx documentation (if you really want that
things 
work properly, reading the documentation is not an option), it was 
already discussed here and the documentation explains how to configure 
that and how it should work.



I did set a debug level of 4 and what I saw was a
NT_STATUS_NO_SUCH_USER
(or
something alike) but no more specific details. The machine account
(posix)
gets created automatically but the samba attributes are not added by
samba.
  
  

look for nscd running, it may cache a negative response and samba never
sees the created posix attributes in time to add samba stuff.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto

What distro are you using?
How did you populate it?
I use Debian (it's a little different), but how did you configure NSS? 
(does "getent passwd" show your machine accounts?)
What user are you using to join? (if root, does "smbclient -L localhost 
-Uroot" work on the shell to list the shares?)


Regards.

Edmundo Valle Neto

mikelOn wrote:


I am not running nscd :(

Thanks for your response


simo-7 wrote:
  

On Wed, 2007-06-27 at 09:45 -0700, mikelOn wrote:

About the samba attributes, when you add a machine account the script 
"add machine" must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
alone. Refer to the idealx documentation (if you really want that things 
work properly, reading the documentation is not an option), it was 
already discussed here and the documentation explains how to configure 
that and how it should work.


I did set a debug level of 4 and what I saw was a NT_STATUS_NO_SUCH_USER
(or
something alike) but no more specific details. The machine account
(posix)
gets created automatically but the samba attributes are not added by
samba.
  

look for nscd running, it may cache a negative response and samba never
sees the created posix attributes in time to add samba stuff.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto

mikelOn wrote:
About the samba attributes, when you add a machine account the script 
"add machine" must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
alone. Refer to the idealx documentation (if you really want that things 
work properly, reading the documentation is not an option), it was 
already discussed here and the documentation explains how to configure 
that and how it should work.



I did set a debug level of 4 and what I saw was a NT_STATUS_NO_SUCH_USER (or
something alike) but no more specific details. The machine account (posix)
gets created automatically but the samba attributes are not added by samba.
  


A snip from an old post in the history of the list, you should expect 
something like that when adding a machine with a loglevel of 3 (look, 
only -w used, and samba saying that it will create the rest):


A samba log with a level 3 output:

...
[2006/06/26 14:47:28, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w 
"testmachine$"' gave 0

...
[2006/06/26 14:47:28, 3] passdb/pdb_ldap.c:ldapsam_add_sam_account(1832)
ldapsam_add_sam_account: User exists without samba attributes: adding them
[2006/06/26 14:47:28, 2] passdb/pdb_ldap.c:init_ldap_from_sam(912)
init_ldap_from_sam: Setting entry for user: testmachine$
[2006/06/26 14:47:28, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(1942)
ldapsam_add_sam_account: added: uid == testmachine$ in the LDAP database
...

Again, those scripts are used only by tools that create accounts through 
samba, like net or usrmgr, if you don't use them those lines will not be used.



I think you are wrong, because the "add machine script" DOES get executed
when adding a machine to a domain.
  


OK, yes it is. I answered this without context. (I already said this 
earlier, in a previous post)



http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108



  
About knowing what is happening, put a log level 2 or 3 and try to join 
a machine. Look at the logs, it should say what exit the script gave and 
what samba tried to do.



I have read the documentation you point out and many other tutorials and
howtos but I find myself in the same situation I was some days ago. I have
even tried to install everything in three different linux distros and in one
of them I have reinstalled everything from scratch three or four times. This
is why I am trying alternate methods.

So, samba is not doing its job and it may be because I am missing something
but I still do not know what it is. Anyway, I can post the samba log if you
think it is helpful to find out the source of the error.
  


There's a LOT of things that can go wrong when using LDAP as you can 
populate and use it the way YOU want, but samba expects it in a proper way.


It's recommended that you populate it using smbldap-populate.
You need to have the tools configured properly.
You need to have a user that has rights to join machines, a root 
account WITH samba attributes, or another user with proper privileges 
assigned by hand.
Samba must know the password of the ldap administrator to be able to 
change it.



Regards.

Edmundo Valle Neto


Thanks for the advice,

Mikel


Edmundo Valle Neto wrote:
  

mikelOn wrote:


Hi Alex,

I don't think those modifiers would change anything but I have tried them
anyway and the objectclass is still not being added.

Thanks for the suggestion.


Alex Crow wrote:
  
  

On Wed, 2007-06-27 at 01:42 -0700, mikelOn wrote:



Hi all,

I finally found where the problem is. The samba attributes are not
being
added when the workstation entry is created. The "sambaSamAccount"
objectclass is missing. 


Why is it not being added if it is supposed to be a windows
workstation?
Is
there a bug in the "smbldap-useradd" script when invoked with the "-w"
parameter?

  
  

You need both "-a" and "-m" passwd to smbldap-useradd for the samba
attributes to be added, IMHO.

Alex



Again, those scripts are used only by tools that create accounts through 
samba, like net or usrmgr, if you don't use them those lines will not be
used.

About the samba attributes, when you add a machine account the script 
"add machine" must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
alone. Refer to the idealx documentation (if you really want that things 
work properly, reading the documentation is not an option), it was 
already discussed here and the documentation explains how to configure 
that and how it should work.


http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108

About knowing what is happening, put a log level 2 or 3 and try to join 
a machine. Look at the logs, it should say wh

Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto
The RID portion doesn't really matter as it doesn't clash with known 
RIDs (below 1000), and other created RIDs (you cannot have two accounts 
with the same RID, composing the same SID).


Regards.

Edmundo Valle Neto


mikelOn wrote:

Sorry, I was wrong. After changing such value the machines are added with a
number above 5 but still cannot join the domain.

I will keep comparing the records created by the script and the LAM and give
some feedback.

Thanks for your help.


Asier Baranguán wrote:
  

mikelOn wrote:




This morning I wanted to review the smbldap-useradd perl script to see if
there is any place (config file or so) where I can indicate the base
number
I want for the machines.

Do I need to set that "base" uidNumber somewhere? Why must it be set
above 5?
Did you ever experience anything similar?
  

(I suppose you have executed the smbldap-populate script)

When you execute the smbldap-populate you can pass some parameters to set
the first uid/gid number that will be assigned to the users/groups. These
scripts read the value from the sambaDomainName LDAP entry and update it
when adding groups/users. I think these values are the uidNumber and
gidNumber attributes, but I'm not sure.


As LAM doesn't use the smbldap scripts it has different starting numbers
(see the lam.conf file, usually at /usr/share/ldap-account-manager/config).
AFAIK this is used to separate regular unix accounts from LDAP accounts to
prevent overlapping.


Look at your /etc/passwd file and slapcat output for id collision. Perhaps
that was your problem.




Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto

mikelOn wrote:

Hi Alex,

I don't think those modifiers would change anything but I have tried them
anyway and the objectclass is still not being added.

Thanks for the suggestion.


Alex Crow wrote:
  

On Wed, 2007-06-27 at 01:42 -0700, mikelOn wrote:


Hi all,

I finally found where the problem is. The samba attributes are not being
added when the workstation entry is created. The "sambaSamAccount"
objectclass is missing. 


Why is it not being added if it is supposed to be a windows workstation?
Is
there a bug in the "smbldap-useradd" script when invoked with the "-w"
parameter?

  

You need both "-a" and "-m" passwd to smbldap-useradd for the samba
attributes to be added, IMHO.

Alex




Again, those scripts are used only by tools that create accounts through 
samba, like net or usrmgr, if you don't use them those lines will not be used.


About the samba attributes, when you add a machine account the script 
"add machine" must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
alone. Refer to the idealx documentation (if you really want that things 
work properly, reading the documentation is not an option), it was 
already discussed here and the documentation explains how to configure 
that and how it should work.


http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108

About knowing what is happening, put a log level 2 or 3 and try to join 
a machine. Look at the logs, it should say what exit the script gave and 
what samba tried to do.


Regards.

Edmundo Valle Neto




Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-26 Thread Edmundo Valle Neto

John Drescher wrote:

On 6/26/07, Asier Baranguán <[EMAIL PROTECTED]> wrote:

On Tuesday, 26 June 2007 10:23, mikelOn wrote:
> add user script = /usr/sbin/smbldap-useradd -m "%u"

If your users are Windows users you should add an '-a' here, and add 
the users with the '-a' flag. Like this:

add user script = /usr/sbin/smbldap-useradd -m -a "%u"

> delete user script = /usr/sbin/smbldap-userdel -r "%u"
> add group script = /usr/sbin/smbldap-groupadd "%g"

You should add '-a -p' here:

 add group script = /usr/sbin/smbldap-groupadd -m -a "%g"


Thanks for the info. Perhaps I have that wrong too and that is the
reason it fails causing me to have to do this manually on the linux
side before the windows side.

John


If you are talking about your problem creating machine accounts, 
absolutely not. Machine accounts are created using the "add machine" 
script, not cited above.


Regards.

Edmundo Valle Neto


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-26 Thread Edmundo Valle Neto

Asier Baranguán wrote:

On Tuesday, 26 June 2007 10:23, mikelOn wrote:
  

add user script = /usr/sbin/smbldap-useradd -m "%u"



If your users are Windows users you should add an '-a' here, and add the users 
with the '-a' flag. Like this:


add user script = /usr/sbin/smbldap-useradd -m -a "%u"
  


Not really, there's nothing wrong with that. If you use the "User 
Manager" windows application, the posix account is created and samba 
creates the rest. If you are using the shell, then yes, -a is needed 
(but typing it IN THE SHELL not inside smb.conf). You can consult the 
samba documentation or idealx documentation about setting those options.


The difference is that with "-a" you will receive an error, but the user 
will be created anyway.



delete user script = /usr/sbin/smbldap-userdel -r "%u"
add group script = /usr/sbin/smbldap-groupadd "%g"



You should add '-a -p' here:

 add group script = /usr/sbin/smbldap-groupadd -m -a "%g"
  


Same thing. And I don't know what "-m" means to the smbldap-groupadd script.


P.S.: Can it have anything to do with other stuff such as the DNS server?



Perhaps yes... I have a Samba server with OpenLDAP acting as a PDC and we use 
dnsmasq as our DNS server. It's small, fast and deals very well with Samba 
and Windows clients. We use it also as DHCP server so all the machines have 
the correct IP, DNS server, WINS Server and so on.


One question... the user "mikelvm" is a regular UNIX user or one added with 
the smbldap-useradd tool?
  



Regards.

Edmundo Valle Neto


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-26 Thread Edmundo Valle Neto
Just to make it clear that it's not normal for a system to really need to have 
accounts created that way. I don't think it is a good idea to call a 
workaround used on a system that someone didn't get working properly 
(who knows why) a solution; samba works very fine creating 
workstation accounts automatically when joining the clients and can even 
use accounts other than root through privileges to join the client.


The list has several posts about that and the samba documentation shows 
how to do that automatically and manually.


But anyway if the user that asked simply said that it's fine for him that 
way, and dropped the thread ...


Regards.

Edmundo Valle Neto



mikelOn wrote:

Great!!!

I have created a couple of machine accounts through the LAM utility and I
have eventually been able to join the domain.

Thank you very much for your help.


John Drescher-2 wrote:
  

I have had the same problem with a similar setup for at least 3 years.
My solution is to create the account for the windows workstation
either via the smbldap-useradd and the linux useradd commands or a gui
wizard that does this for me. I currently use ldap-account-manager
http://lam.sourceforge.net/ for as well as user management. And then
after the account is created the windows add to domain boxes work.

John


Re: [Samba] login.bat not called?

2007-06-25 Thread Edmundo Valle Neto

mikee wrote:

I just realized that my login.bat is not being called. Where
can I look to find (hopefully) an error why the file is not being
called when a user logs in?

Mike
  


Have you enabled domain logons and configured the netlogon share in 
smb.conf and properly assigned permissions for everyone to be able to read 
your logon script?


Regards.

Edmundo Valle Neto


Re: [Samba] Message on testparm

2007-06-25 Thread Edmundo Valle Neto

Walmiro Muzzi wrote:

Folks.

Is this normal or did I do something wrong???


[EMAIL PROTECTED]:/etc/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[printers]"
Processing section "[print$]"
Processing section "[publico]"
Loaded services file OK.
WARNING: passdb expand explicit = yes is deprecated
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions


Thanks in advance.


Sincerely
Walmiro Muzzi


# man smb.conf

...
passdb expand explicit (G)
This parameter controls whether Samba substitutes %-macros in the passdb 
fields if they are explicitly set. We used to expand macros here, but 
this turned out to be a bug because the Windows client can expand a 
variable %G_osver% in which %G would have been substituted by the user’s 
primary group.


Default: passdb expand explicit = no
...

So testparm is saying just that: it's a deprecated option that is not used 
anymore.


Regards.


Edmundo Valle Neto


Re: [Samba] Scan shares for music/video files?

2007-05-01 Thread Edmundo Valle Neto
I don't know the exact purpose of your question, but... files can 
have their extensions changed, can be zipped, etc.


I have always been a fan of updatedb and locate, which is much faster than 
find, but it's a "first index, then search" tool.
It's another option for finding files with patterns in their names or specific 
extensions.


There are some scripts on the net that make reports on disk usage (you can 
set up a cron job and receive e-mails about "huge" differences in specific 
paths). It's useful for seeing that someone uploaded their entire mp3 
collection to the server, for example, or tried to zip it and hide it in 
some place, and you can use this to control disk usage.


Another thing that I did was block some file extensions in the 
clients' antivirus. Some antivirus products for M$ have management components too, 
so every time someone tries to play some file a virus warning is displayed 
(I know, it's not a proper solution, nor a good message to display) 
and this is logged on the machine that runs the management server to be 
inspected later :)


Regards.

Edmundo Valle Neto


Rune Tønnesen wrote:

Dear Michael

You can use find, it is a good unix tool.

To get a list of files in the home dir ending in mp3, use
find /home -name "*.mp3" -print
To delete files in the home dir ending in mp3
find /home -name "*.mp3" -delete

Search google for "find examples linux" and you will get plenty.

  




Re: [Samba] Change password from XP

2007-04-23 Thread Edmundo Valle Neto

Fernando M. Maresca wrote:

Hello.
I've migrated samba to ldap, and everything works fine except that when
a user changes the password from an xp client, they receive an error
indicating that the "old" password was wrong, but the password is
changed in the server, so the user gets confused.

Here http://lists.samba.org/archive/samba/2004-August/090254.html is a
thread about this same problem; it says that this was corrected in
version 3.0.4. I'm running debian testing's 3.0.24 samba server with
smbldap-tools 0.92. XP clients are Pro SP2. smbldap-passwd returns 0.
Is there a workaround for this?
Thanks in advance.
Regards,


It would help if you posted your smb.conf file.

Edmundo Valle Neto


Re: [Samba] Enter or quit a samba's domain in pdc

2007-04-23 Thread Edmundo Valle Neto

BACQUEZ wrote:

From: Edmundo Valle Neto
  

The point is, %anything is not recognised inside a script.
But, yes, adduser is a little different in Debian, it doesn't have the "-M" 
option, for example.

If you look at "Samba by Example" you will find something like this:

add machine script = /usr/sbin/useradd -s /bin/false/ -d /dev/null '%u'




"add machine script = /usr/sbin/useradd -s /bin/false/ -d /dev/null '%m'"
Works. But one thing: you must put this line in the first line of [global],
or the script will be run after the attempt to join the domain.
Thank you.
  


The order of the lines inside a section doesn't make a difference.

And read this about %m: 
http://lists.samba.org/archive/samba/2005-November/114366.html
Again, the history of the list is very useful, and you should expect 
correct information when you see something posted by any developer :)


  
This is the only work that must be done by the add machine script here, 
the samba account will be created when the client is joined (with the 
root account or any other account that have privileges to do that).




  
This is used to configure accounts other than root to join clients, for 
example.



I will try this line today.



  
I didn't understand what you mean by "your share", but... 



Share = domain.. sorry, it was a mistake.


  
If you don't 
want to log in with a local administrator account to manage network 
settings and domain join/unjoin, you can put the users inside the group 
"Domain Administrators", and this group will be added to the local 
administrators group of the machine when joined; well, it depends on how 
you created your default groups and SIDs. Or create a group in samba, 
put some users inside it and make this group belong to the local 
administrator group on every machine; then the domain accounts will have 
local administrative rights on those workstations. Simple.



If i understand what you say, I have to create a group who I put the users.
But how can i attribute the local administrator for this group?
  


When you join a workstation to a domain you must have a local 
administrator account on that machine, as the machine doesn't know about 
domain accounts. About the group, you will not attribute anything: a 
group (normally called Domain Administrators) with the right SID (that 
is one of the "well known domain groups") is inserted automatically into 
the "Administrators" group locally on the machine when it is joined to the 
domain, or you can do it by hand with any group you want (putting that 
group inside the "Administrators" group of the machine).



Edmundo Valle Neto


Re: [Samba] Enter or quit a samba's domain in pdc

2007-04-20 Thread Edmundo Valle Neto

BACQUEZ wrote:
What key in your Windows? There isn't any need to change any key to make 
a Windows client join a domain since the first version of samba 3 (I am 
talking about several years). You can search the samba list history and 
see that being asked several times.



I haven't seen that... sorry


  
What does the log say? If you are saying that the account really exists, 
does samba at least let the root user list the server shares 
locally? "smbclient -L localhost -U root". What does "pdbedit -Lv root" 
show? "Samba by Example" has several step-by-step examples for configuring 
a server.



Yes of course. The account exists, "smbclient..." works and I enter the share with this method. But when I run pdbedit -Lv root, I get the line: 
Workstations:  
Nothing in the station. Is that normal?
  


Yes, it's normal. It's the workstations you can log on; if empty, no 
restrictions.


Well, I'm not a bash script guru, but I really don't know what %m$ means, 
especially inside a script to which no parameter was passed 
(parameters are referenced by %1, %2, etc). About your script, have you 
really read the samba docs, the part that shows how to join clients 
automatically, and what should be in that line?



  

It's in the docs, it shows all available ways.



%m, in samba, it's the netbios name of the machine. The docs say :

"
creating Machine Trust Accounts is
simply to allow the Samba server to create them as needed when the client
is joined to the domain.

add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
"

It's for a RedHat configuration and mine is a Debian Etch.
I am searching for the right script to add the machines to samba automatically, it's 
simple.
  


The point is, %anything is not recognised inside a script.
But, yes, adduser is a little different in Debian, it doesn't have the "-M" 
option, for example.

If you look at "Samba by Example" you will find something like this:

add machine script = /usr/sbin/useradd -s /bin/false/ -d /dev/null '%u'

It doesn't REALLY matter what you put in some options; using the above line 
and Debian defaults (in /etc/adduser.conf) you will create an account 
with no shell, no home and belonging to the group 100 (users), the first 
system group in Debian.


This is the only work that must be done by the add machine script here, 
the samba account will be created when the client is joined (with the 
root account or any other account that have privileges to do that).




  
Search for "privileges" and the option "enable privileges = yes" in 
the docs. This option makes the users' operations be executed as root on 
the share only.



I'm not there yet but I will look into that. Thanks
  


This is used to configure accounts other than root to join clients, for 
example.


Well, it seems pretty obvious that you must be a local administrator of the 
machine to change any network setting. Or you can search for how to change 
the Windows policies to allow other users to do what you want.



I don't want to configure all the Windows machines in my share to enter root as local 
administrator. Like the option group "Local administrator" on a Windows 
Server, I want my personal account to be a share AND local administrator on all the 
machines.
  



I didn't understand what you mean by "your share", but... If you don't 
want to log in with a local administrator account to manage network 
settings and domain join/unjoin, you can put the users inside the group 
"Domain Administrators", and this group will be added to the local 
administrators group of the machine when joined; well, it depends on how 
you created your default groups and SIDs. Or create a group in samba, 
put some users inside it and make this group belong to the local 
administrator group on every machine; then the domain accounts will have 
local administrative rights on those workstations. Simple.



Edmundo Valle Neto


Re: [Samba] Enter or quit a samba's domain in pdc

2007-04-19 Thread Edmundo Valle Neto

BACQUEZ wrote:

Hello
  


Hello


I configured my domain under samba pdc. with bind and dhcpd for the network,
and samba for the sharing. Having correctly configured the global (I think,
because in workgroup it works very good, and testparm finds me no error), I
obtain following both problems:

 


1.  Refusal to join the domain. I modified well the key in my Windows, I
  


What key in your Windows? There isn't any need to change any key to make 
a Windows client join a domain since the first version of samba 3 (I am 
talking about several years). You can search the samba list history and 
see that being asked several times.



was kind enough to change domain. That recognized it because I fell at
request of account of the domain samba. But at the time of entering my root
and its password, I have the error message: "name of untraceable user ". The
root account exists well. But on the other hand not the account of the
machine. If I enter well the machine the users samba ( Adduser then
smbpasswd), I manage to enter the domain. Nevertheless, on my smb.conf, I
indeed have this:
  


What does the log say? If you are saying that the account really exists, 
does samba at least let the root user list the server shares 
locally? "smbclient -L localhost -U root". What does "pdbedit -Lv root" 
show? "Samba by Example" has several step-by-step examples for configuring 
a server.



add machine script = /srv/samba/addmachine.sh

 


With the script "addmachine.sh" like that:

 

# /bin/bash 
# 
/usr/sbin/useradd -d /dev/null -G machines -s /bin/false -M %m$ 
smbpasswd -a -m %m$
  


Well, I'm not a bash script guru, but I really don't know what %m$ means, 
especially inside a script to which no parameter was passed 
(parameters are referenced by %1, %2, etc). About your script, have you 
really read the samba docs, the part that shows how to join clients 
automatically, and what should be in that line?



I don't want enter all the netbios of my machines to join with the hand, one
by one.
  


It's in the docs, it shows all available ways.


2.  Go out of the domain. When I am finally in the domain (by adding the
post in the users samba), I created an account administrator with an uid of
0, which has him a reel counts on the server (personal home). I joined it to
the group @administrators, which have rights of administration with the
line. (in the smb.conf) :

   admin users = @admins
  


Search for "privileges" and the option "enable privileges = yes" in 
the docs. This option makes the users' operations be executed as root on 
the share only.


 


But when I want to go out of the domain, I have grey buttons under title:
"you must have to have an administrator account to be able to modify the
domain". I'm a basic user on my machine, and unable to modify some important
parameters of my machine: domain, ip adress, . I'm obliged to connect me in
local administrator to be able to make it.
  


Well, it seems pretty obvious that you must be a local administrator of the 
machine to change any network setting. Or you can search for how to change 
the Windows policies to allow other users to do what you want.



Sorry for my English. I hope to be readable.


 

 


David BACQUEZ

BORDEAUX (France)


Edmundo Valle Neto
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
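
The point made in this thread, that Samba expands `%u` only in the `add machine script` line of smb.conf and the script itself has to read the name from its first argument, shown as an added example (not code from the thread or from the Samba project). The script path is the one from the original post; `valid_machine_account`, `add_machine` and the `USERADD` override are hypothetical names, and the name check (15-character NetBIOS limit, trailing `$`) is an assumption added because smbd runs this script as root with a name supplied by the joining client.

```shell
#!/bin/sh
# Hypothetical replacement for /srv/samba/addmachine.sh (added example).
# smb.conf passes the account name as an argument:
#   add machine script = /srv/samba/addmachine.sh '%u'
# Samba expands %u in that line only; inside the script the name is "$1".

LC_ALL=C; export LC_ALL                   # keep the A-Z ranges below ASCII-only
USERADD=${USERADD:-/usr/sbin/useradd}     # overridable for dry runs

# Succeeds only for a machine account name: 1-15 letters, digits or hyphens,
# not starting with a hyphen, followed by exactly one trailing "$".
valid_machine_account() {
    host=${1%\$}                          # strip one trailing "$"
    [ "$host" != "$1" ] || return 1       # no trailing "$": not a machine account
    [ "${#host}" -ge 1 ] && [ "${#host}" -le 15 ] || return 1
    case $host in
        -*|*[!A-Za-z0-9-]*) return 1 ;;   # option-like or unexpected character
    esac
    return 0
}

# Create the posix account only; the Samba attributes are added by Samba
# itself when the client joins, as the replies in this thread explain.
add_machine() {
    if ! valid_machine_account "$1"; then
        echo "addmachine: rejected account name" >&2
        return 1
    fi
    "$USERADD" -d /dev/null -s /bin/false "$1"
}

# Run only when Samba (or an administrator) passes a name.
if [ "$#" -gt 0 ]; then
    add_machine "$1"
fi
```

A literal `%m$` left inside the script, as in the original addmachine.sh, is rejected here because `%` is not an allowed character.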


Re: [Samba] smbldap-useradd not creating machine accounts in correct fashion

2007-04-13 Thread Edmundo Valle Neto

Ben Tisdall wrote:

Hi,

I have OpenLDAP working here generally without problems for a variety of
applications including the management of Samba. Functioning user
accounts can be created via 'smbldap-useradd' with the proper samba
attributes being added in LDAP, however...

Something odd is happening when I (or samba) tries to create a machine
account with 'smbldap-useradd -w test1$' - an entry is created that
looks like this:


dn: uid=test1$,ou=computers,dc=redcircle
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: test1$
sn: test1$
uid: test1$
uidNumber: 1041
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

Needless to say, the computer is not able to join the domain...

Whereas a working entry migrated from tdbsam looks like this:

dn: uid=sonny$,ou=computers,dc=redcircle
uid: sonny$
sambaSID: S-1-5-21-1595696850-3378076689-3030227139-3008
sambaPrimaryGroupSID: S-1-5-21-1595696850-3378076689-3030227139-1201
objectClass: sambaSamAccount
objectClass: account
displayName: SONNY$
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W  ]
sambaPwdCanChange: 1175234556
sambaPwdLastSet: 1175234556

Feel as what's happening is so wrong that it must be some silliness on
my part but for the life of me can't figure out what & any help would be
much appreciated. BTW this is occurring with version 0.9.2a of the tools
downloaded from SF & also the .deb for my Ubuntu server.


Your script appears to be working right, "smbldap-useradd -w 
machinename$" should only create an account with posix attributes, the 
sambaSAMAccount class and attributes will be added by samba when the 
client is joined into the domain.


You can see that in the IDEALX smbldap-tools user manual.

Regards.

Edmundo Valle Neto



Re: [Samba] ldap password sync

2007-04-10 Thread Edmundo Valle Neto

Sean Elble wrote:

On 4/10/07 9:29 PM, "Edmundo Valle Neto" <[EMAIL PROTECTED]> wrote:

  

David.

You appear to have two conflicting options set. I saw that you
enabled "ldap passwd sync"; this is the right way to do this, samba
will sync the password directly in ldap without any external command (at
least I think it does it that way).




Heh, I never even noticed that he had that option enabled in the first
place. Oops . . .

  

But when you set "unix password sync" to yes, samba will try to use the
specified "passwd program" using the specified "passwd chat" as root. I
don't know exactly what happens in the samba code when the two are set
to yes; in my tests (with the other options (unix pass sync, passwd
program and chat) set as yours) windows clients refuse to change the
password, saying that they don't have the right to do that (heh, a very nice
error message for someone to tell me that I need to fix my LDAP acls to
solve that :) ).




I would think that one *COULD* use just the unix password sync and passwd
program parameters to change all the passwords, assuming the passwd program
had access to a DN with ACLs to change those parameters. BUT, LDAP passwd
sync is definitely the easiest/best option . . .
  
Yes it could and probably works, but as the official IDEALX 
documentation suggests: 
http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108


6.8  The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u 
is not called, or i got a error message when changing the password from 
windows

The directive is called if you also set unix password sync = Yes. Notes:

   * if you use OpenLDAP, none of those two options are needed. You 
just need ldap passwd sync = Yes.
   * the script called here must only update the userPassword 
attribute. This is the reason of the -u option. Samba passwords will be 
updated by samba itself.
   * the passwd chat directive must match what is prompted when using 
the smbldap-passwd command


So..., just -u to change only userPassword and a working passwd chat :)

And in: 8.1.3  The samba configuration file : /etc/samba/smb.conf

   #unix password sync = Yes
   #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
   #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"

   ldap passwd sync = Yes

One OR another.


If I remember right "unix password sync" is no by default (you can check
this with "testparm -v | grep sync" when the option is not set); in
this case, passwd program and chat are simply ignored, it doesn't make a
difference what you put there.

Just don't set "unix password sync" to yes at the same time as "ldap
passwd sync".



Good advice - Wish I had noticed that in David's original post.

  

Regards.

Edmundo Valle Neto


David Pinkerton wrote:


I'm trying to get ldap/unix password sync working.

Using this config, packet traces show no requests to update userPassword
(only the samba passwords)

Can  someone see what I've done wrong?



[global]
   workgroup = HOME
   netbios name = DHP

   security = user
   encrypt passwords = yes
   enable privileges = yes

   passdb backend = ldapsam:ldap://127.0.0.1
   passwd program = /usr/local/sbin/smbldap-passwd -u %u
   unix password sync = yes

   log file = /var/log/samba/%m.log
   utmp = yes
   max log size = 50
   log level = 1
   syslog = 0

   add user script = /usr/local/sbin/smbldap-useradd -m "%u"
   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"

   add group script = /usr/local/sbin/smbldap-groupadd -p "%g"

   add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

   domain logons = yes
   domain master = yes
   os level = 65
   preferred master = yes
   wins support = yes

   ldap admin dn = cn=admin,o=dhp
   ldap passwd sync = yes
   ldap delete dn = yes
   ldap suffix = o=dhp
   ldap machine suffix = ou=machine
   ldap user suffix = ou=staff
   ldap group suffix = ou=group
   ldap idmap suffix = ou=idmap
   idmap uid = 1-2
   idmap gid = 1-2





 

  
  


  




Re: [Samba] ldap password sync

2007-04-10 Thread Edmundo Valle Neto

David.

You appear to have two conflicting options set. I saw that you 
enabled "ldap passwd sync"; this is the right way to do this, samba 
will sync the password directly in ldap without any external command (at 
least I think it does it that way).


But when you set "unix password sync" to yes, samba will try to use the 
specified "passwd program" using the specified "passwd chat" as root. I 
don't know exactly what happens in the samba code when the two are set 
to yes; in my tests (with the other options (unix pass sync, passwd 
program and chat) set as yours) windows clients refuse to change the 
password, saying that they don't have the right to do that (heh, a very nice 
error message for someone to tell me that I need to fix my LDAP acls to 
solve that :) ).


If I remember right "unix password sync" is no by default (you can check 
this with "testparm -v | grep sync" when the option is not set); in 
this case, passwd program and chat are simply ignored, it doesn't make a 
difference what you put there.


Just don't set "unix password sync" to yes at the same time as "ldap 
passwd sync".


Regards.

Edmundo Valle Neto


David Pinkerton wrote:

I'm trying to get ldap/unix password sync working.

Using this config, packet traces show no requests to update userPassword (only 
the samba passwords)

Can  someone see what I've done wrong?



[global]
   workgroup = HOME
   netbios name = DHP

   security = user
   encrypt passwords = yes
   enable privileges = yes

   passdb backend = ldapsam:ldap://127.0.0.1
   passwd program = /usr/local/sbin/smbldap-passwd -u %u
   unix password sync = yes

   log file = /var/log/samba/%m.log
   utmp = yes
   max log size = 50
   log level = 1
   syslog = 0

   add user script = /usr/local/sbin/smbldap-useradd -m "%u"
   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"

   add group script = /usr/local/sbin/smbldap-groupadd -p "%g"

   add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

   domain logons = yes
   domain master = yes
   os level = 65
   preferred master = yes
   wins support = yes

   ldap admin dn = cn=admin,o=dhp
   ldap passwd sync = yes
   ldap delete dn = yes
   ldap suffix = o=dhp
   ldap machine suffix = ou=machine
   ldap user suffix = ou=staff
   ldap group suffix = ou=group
   ldap idmap suffix = ou=idmap
   idmap uid = 1-2
   idmap gid = 1-2





 

  


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
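
The interaction described in the two "ldap password sync" replies above (both sync options enabled at once, and `passwd program`/`passwd chat` being ignored while `unix password sync` is off) can be checked mechanically. This is an added example, not part of the thread, of Samba or of smbldap-tools: `check_passwd_sync`, the message wording and the two sample configs (reduced copies of the posted one, constructed for the demonstration) are assumptions.

```shell
#!/bin/sh
# check_passwd_sync < smb.conf
# Reads an smb.conf on stdin and reports how the [global] password-sync
# parameters interact. Parameter names are compared the way smb.conf(5)
# defines them: case-insensitive, with whitespace in the name ignored.
check_passwd_sync() {
    awk '
        function norm(s)  { s = tolower(s); gsub(/[ \t]/, "", s); return s }
        function is_on(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
        {
            line = pending $0; pending = ""
            # A trailing backslash continues the parameter on the next line.
            if (line ~ /\\$/) { sub(/\\$/, "", line); pending = line; next }
            if (line ~ /^[ \t]*([#;]|$)/) next          # comment or blank line
            if (line ~ /^[ \t]*\[/) {                   # section header
                sec = line; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
                in_global = (norm(sec) == "global")
                next
            }
            eq = index(line, "=")                       # only the first "=" counts
            if (in_global && eq > 0) {
                val = substr(line, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                opt[norm(substr(line, 1, eq - 1))] = val
            }
        }
        END {
            has_prog = ("passwdprogram" in opt)
            has_chat = ("passwdchat" in opt)
            unix_on  = is_on(opt["unixpasswordsync"])   # unset means off
            ldap_val = tolower(opt["ldappasswdsync"])   # smb.conf(5): yes, no or only
            ldap_on  = (is_on(ldap_val) || ldap_val == "only")
            found = 0
            if (unix_on && ldap_on) {
                print "CONFLICT: unix password sync and ldap passwd sync are both enabled"
                found = 1
            }
            if (!unix_on && (has_prog || has_chat)) {
                print "IGNORED: passwd program/chat is set but unix password sync is off"
                found = 1
            }
            # The quoted IDEALX note: the script must only update userPassword (-u).
            if (unix_on && has_prog && opt["passwdprogram"] ~ /smbldap-passwd/ &&
                opt["passwdprogram"] !~ /(^|[ \t])-u([ \t]|$)/) {
                print "WARN: smbldap-passwd is run without -u"
                found = 1
            }
            if (!found) print "OK"
        }
    '
}

# Constructed sample: the relevant lines of the config posted in the thread.
sample_conflicting() {
    cat <<'EOF'
[global]
   passdb backend = ldapsam:ldap://127.0.0.1
   passwd program = /usr/local/sbin/smbldap-passwd -u %u
   unix password sync = yes
   ldap passwd sync = yes
EOF
}

# Constructed sample: the same config with "unix password sync" removed.
sample_fixed() {
    cat <<'EOF'
[global]
   passdb backend = ldapsam:ldap://127.0.0.1
   passwd program = /usr/local/sbin/smbldap-passwd -u %u
   ldap passwd sync = Yes
EOF
}

sample_conflicting | check_passwd_sync
```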


Re: [Samba] samba problems. accounts expire after a hour, but work after reset

2007-03-12 Thread Edmundo Valle Neto

Collen Blijenberg wrote:
Hi Edmundo, the main problem we have here is that, all out of the 
blue, the samba PDC and BDC

are giving errors,
like TRUST DOMAIN FAILED, or USER AUTH FAILED, MACHINE HAS NO ACCOUNT, 
things like that.
But the funny part is, there is no reason for the servers to do that; 
they run for a few hours (sometimes a day)

and then start spitting out these errors.

After resetting the PDC, all turns back to normal, those errors 
go away, and samba functions as it should.

But then after a while, it's back to the errors again.

We do, however, use the pdb-sql backend for storing the usernames and 
all...

In that period of errors the sql gets queried, so the backend does work,
and I can't find any errors generated from the sql backend. Also the 
sql server is accessible in those error times.

(we use it for nss-mysql as well)


The only similar problem that happened to me once was a problem with an 
unconfigured network (that was deactivated) in the dhcp server that was 
running on the same samba server, and I don't remember why it happened.


You said "resetting"; restarting samba doesn't make it work? Are you 
sure that the problem is in samba?


so either the migration part went wrong (the sid <> uid part +1000), 
or samba has a serious bug in the passwd plugin backend ??

the winbindd part are for some other servers in the domain.


Where is your winbindd daemon running? In that same server?
Just a guess, are you using nscd?

our domain is only accessible for domain accounts, so no guests or 
other accounts here. also all machines have registered to the domain

no anonymously accounts and all.
it's really driving me crazy this bug. 
cheers


Collen


Regards.

Edmundo Valle Neto


Re: [Samba] samba problems. accounts expire after a hour, but work after reset

2007-03-07 Thread Edmundo Valle Neto

Collen Blijenberg wrote:

Sorry, forgot something,

indeed there was a mix-up with the migrating, old posix uids were 
different from the ones we use now.

I changed the auto_increment value of the user.uid table from mysql.
I took the highest sid (5620) subbed 1000 and /2 and used that for 
auto_increment value..


So now my new user accounts are in sync with samba RIDs again.

All I'm interested in now is the ones I already have and use...
I have a heap of accounts that have a posix uid that doesn't fit the 
rules Edmundo explained (1000 + (2*uid)).
It looks like all works fine, but I would like to take the advice of 
the experts...


Is the rule only active when creating new accounts, or does samba use 
that rule also within

daily basic things? (like logging in, or accessing shares ??)

Does it harm to have a posix uid 1050 and a SID ending with -1299  ?

Cheers Collen

...

[cut]

As far as I know, this algorithmic mapping is made to prevent clashes and 
prevent the use of well-known RIDs by Windows domains. I don't know all 
the situations in which the algorithmic mapping will be used in addition to 
the creation of new accounts or to resolve unmapped accounts. (Someone 
correct me if I'm wrong).


But I would guess that if your accounts are being resolved (SID<->GID 
and SID<->UID) (and if I remember right those mappings are made inside 
the base used and/or inside groupmap_idmap.tdb, when you are not using 
winbind) you will not have any problems beyond those related with 
permissions by lost/changed ids after used (IF that happened).


Regards.

Edmundo Valle Neto


Re: [Samba] smbldap-useradd says "Error: modifications require authentication at /usr/lib/perl5/5.8.8/smbldap_tools.pm line 1056."

2007-03-06 Thread Edmundo Valle Neto
More or less; it isn't trying to do it anonymously, but as you said it is probably 
a problem with credentials:


Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=0 BIND dn="cn=Manager,dc=,dc=com" method=128


Binding as the manager but with a strange  in the DN (that is 
repeated in the searches).


Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=0 RESULT tag=97 err=49 text=


Then failing with an error 49, bad credentials (dn or password).

Have you configured your smbldap_bind.conf correctly, or forgotten to 
configure some option related to the base dn in smbldap.conf?


Regards.

Edmundo Valle Neto


Michael Heydon wrote:

Hi Eric,

This line here looks like the interesting bit to me.


Mar  6 13:59:38 macallan slapd[4731]: conn=50 op=3 RESULT tag=103 err=8 text=modifications require authentication
It looks like the useradd script is doing an anonymous bind, which is 
interesting since you mentioned that you used the populate script 
which should be using the same bind settings. have you reset any 
passwords? changed any acls? I would double check the bind DN and 
password in the smbldap-tools config.


Regards,

Michael Heydon




Re: [Samba] samba problems. accounts expire after a hour, but work after reset

2007-03-06 Thread Edmundo Valle Neto

Collen Blijenberg wrote:

Thx Felipe, after a week of debugging, I found the problem!!

There was a mix-up with SIDs: I had 5 machines and usernames with the 
same SID

including the PDC.


Would be a nice thing if you discover why that happened. Samba generates 
the RID part of the SID algorithmically (1000 + (2 x uid) for user 
accounts, and 1001 + (2 x gid) for groups), if the uid is different in 
these accounts the RID should be different too.




but there is something funny were i need some help with,

if i make a new user or machine account, samba generate the SID 
automatically.

i saw, that my server doesn't look at existing SID's.


No it doesn't, that's right. It's not needed, calculating RIDs that way 
will not make clashes.




how can i let samba make SID's after a specified number ??
my problem at the moment is that  if i make a new user, samba generate 
an existing SID, and there for

trouble arise!



Well, normally it will not make clashes, unless you already have a base 
with SIDs calculated who knows how.
You can change the "algorithmic rid base" option, which defaults to 1000, 
to another value, raising the values from which RIDs are made (if you have 
unmapped accounts, their SIDs will change too, as the algorithm 
will be different; if I remember right, in samba 3.0.23c there are some 
changes about that).


In some distributions, you can raise the uid/gids range. That way would 
make higher RIDs be generated too. :)


example: current last SID in user database:  
S-1-5-21-1968991162-2130249723-1959552931-5462
if i make a new user samba will use: 
S-1-5-21-1968991162-2130249723-1959552931-5410


You use a database server to store your samba users, right? Well, I 
never used it, I don't know exactly how it stores information. And I 
don't know how you created your accounts or how much you have 
messed with them. Normally uids are not reused in posix accounts and 
samba user/group accounts pick up even/odd RID numbers, not making that 
probable future clash you are seeing. :)



So basically it's all about the last 4 digits!
Can I alter a .tdb file ??? (if so, which one??)


I can't say that you can't; there are some tools that dump/change/add/etc 
contents of .tdb files, you can even dump them and grep to find where 
the information that you are looking for is, but keep in mind that you will 
probably mess up any reference to the SID being changed (be it 
ACLs, profiles, or whatever).


The last time that I blew up my base with repeated SIDs (it took me a 
while to discover why users were getting permissions that they 
shouldn't; it was the first time I used an LDAP base, importing the old 
base, and I changed the code that makes the SIDs in the scripts that 
create the accounts) I deleted all these accounts, raised the base RID, 
recreated them and changed permissions with shell scripts.



all i like is samba to start making SID's after that -5462 number !!!

Cheers, Collen

...

[cut]


I hope it helps.

Regards.

Edmundo Valle Neto
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] samba3 pdc ldap idealx

2007-02-14 Thread Edmundo Valle Neto
And don't forget to execute slapindex on an already populated base after
making such changes.


Regards.

Edmundo Valle Neto


Edmundo Valle Neto escreveu:

Hi.

   This has nothing to do with Samba or the attribute itself. You
cannot separate attributes or index types by spaces; take another look
at the formatting of your config.


Regards.

Edmundo Valle Neto


Jason Baker escreveu:


Try removing uidNumber and just use uid. Here is a section from my 
slapd.conf file.



index   objectClass                                             eq
index   cn,mail,givenname,sn,displayName                        eq,subinitial,pres
index   uidNumber,gidNumber,memberUID,member,uniqueMember       eq
index   uid                                                     eq,subinitial,pres
index   sambaSID,sambaDomainName,sambaPrimaryGroupSID           eq

*Jason Baker
*/IT Coordinator/


*Glastender Inc.*
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.
www.glastender.com <http://www.glastender.com>



On 2/14/2007 3:06 PM, Miguel wrote:

Hi, I have followed the idealx tutorial to the letter, however I get
this error when I try to start slapd:

ambepdc# /usr/local/etc/rc.d/slapd start
Starting slapd.
/usr/local/etc/openldap/slapd.conf: line 74: index type "uidNumber" undefined

this is my slapd.conf

ambepdc# cat /usr/local/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema

# log
loglevel 4095


# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb
# moduleload    back_ldap
# moduleload    back_ldbm
# moduleload    back_passwd
# moduleload    back_shell

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#   Allow self write access
#   Allow authenticated users read access
#   Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

###
# BDB database definitions
###

database        bdb
suffix  "dc=sv,dc=amnetcorp,dc=com"
rootdn  "cn=Manager,dc=sv,dc=amnetcorp,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw  {SSHA}v6130sVnBx1z/2/c3e7qipTB5Y41TQOu
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/db/openldap-data

# Indices to maintain
index objectClass, uidNumber, gidNumber eq
index cn, sn, ui, displayName   pres, sub, eq
index memberUid, mail, givenname        eq, subinitial
index sambaSID, sambaPrimaryGroupSID, sambaDomainName   eq

# users can authenticate and change their password
access to attrs=userPassword , sambaNTPassword , sambaLMPassword
   by self write
   by anonymous auth
   by * none

# all others attributes are readable to everybody
access to *
  by * read
ambepdc#

I don't know what else to do. There are many docs on the net but
everybody seems to prefer the idealx one. What FreeBSD special settings
am I missing?

thanks


  







Re: [Samba] samba3 pdc ldap idealx

2007-02-14 Thread Edmundo Valle Neto

Hi.

   This has nothing to do with Samba or the attribute itself. You cannot
separate attributes or index types by spaces; take another look at the
formatting of your config.


Regards.

Edmundo Valle Neto


Jason Baker escreveu:


Try removing uidNumber and just use uid. Here is a section from my 
slapd.conf file.



index   objectClass                                             eq
index   cn,mail,givenname,sn,displayName                        eq,subinitial,pres
index   uidNumber,gidNumber,memberUID,member,uniqueMember       eq
index   uid                                                     eq,subinitial,pres
index   sambaSID,sambaDomainName,sambaPrimaryGroupSID           eq

*Jason Baker
*/IT Coordinator/


*Glastender Inc.*
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.
www.glastender.com <http://www.glastender.com>



On 2/14/2007 3:06 PM, Miguel wrote:

Hi, I have followed the idealx tutorial to the letter, however I get
this error when I try to start slapd:

ambepdc# /usr/local/etc/rc.d/slapd start
Starting slapd.
/usr/local/etc/openldap/slapd.conf: line 74: index type "uidNumber" undefined

this is my slapd.conf

ambepdc# cat /usr/local/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema

# log
loglevel 4095


# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb
# moduleload    back_ldap
# moduleload    back_ldbm
# moduleload    back_passwd
# moduleload    back_shell

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#   Allow self write access
#   Allow authenticated users read access
#   Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

###
# BDB database definitions
###

database        bdb
suffix  "dc=sv,dc=amnetcorp,dc=com"
rootdn  "cn=Manager,dc=sv,dc=amnetcorp,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw  {SSHA}v6130sVnBx1z/2/c3e7qipTB5Y41TQOu
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/db/openldap-data

# Indices to maintain
index objectClass, uidNumber, gidNumber eq
index cn, sn, ui, displayName   pres, sub, eq
index memberUid, mail, givenname        eq, subinitial
index sambaSID, sambaPrimaryGroupSID, sambaDomainName   eq

# users can authenticate and change their password
access to attrs=userPassword , sambaNTPassword , sambaLMPassword
   by self write
   by anonymous auth
   by * none

# all others attributes are readable to everybody
access to *
  by * read
ambepdc#

I don't know what else to do. There are many docs on the net but
everybody seems to prefer the idealx one. What FreeBSD special settings
am I missing?

thanks


  


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
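
The formatting rule from the reply above, as an added example that is not part of the original thread: a small linter that flags index directives in slapd.conf where a comma-separated list is broken by whitespace. The function names are hypothetical, the sample directives are copied from the configs posted in this thread, and continuation handling is simplified to "a line starting with whitespace continues the previous one".

```shell
#!/bin/sh
# Added example, not from the thread.
# slapd splits a directive on whitespace: index <attrlist> [<indices>].
# Both lists are comma-separated WITHOUT spaces, so "objectClass, uidNumber eq"
# is read as attrlist "objectClass," and index type "uidNumber", which slapd
# rejects with: index type "uidNumber" undefined.

# lint_slapd_index [FILE]: print "LINE: reason: directive" for each problem.
# Reads stdin when FILE is omitted. Returns 1 if any problem was found.
lint_slapd_index() {
    awk '
    function check(line, lineno,    f, nf, i, why) {
        nf = split(line, f)               # default FS: runs of blanks and tabs
        if (f[1] != "index") return
        why = ""
        for (i = 2; i <= nf && why == ""; i++)
            if (f[i] ~ /^,|,$/)
                why = "whitespace next to comma at \"" f[i] "\""
        if (why == "" && nf > 3)
            why = "expected 2 arguments, found " (nf - 1)
        if (why != "") {
            printf "%d: %s: %s\n", lineno, why, line
            found = 1
        }
    }
    /^[ \t]*$/ || /^#/ { next }           # blank lines and comments
    /^[ \t]/  { buf = buf " " $0; next }  # leading blank: continuation line
    { if (buf != "") check(buf, start); buf = $0; start = NR }
    END { if (buf != "") check(buf, start); exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample: the first two directives are from the failing config in
# the thread, the next two from the working one.
sample_conf() {
    cat <<'EOF'
# Indices to maintain
index objectClass, uidNumber, gidNumber eq
index cn, sn, ui, displayName   pres, sub, eq
index   uidNumber,gidNumber,memberUID,member,uniqueMember   eq
index   uid
        eq,subinitial,pres
access to *
  by * read
EOF
}

sample_conf | lint_slapd_index || echo "slapd.conf has malformed index directives"
```

Run it against the real file with `lint_slapd_index /usr/local/etc/openldap/slapd.conf` before restarting slapd.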


Re: [Samba] SMB slow by design?

2007-01-27 Thread Edmundo Valle Neto

Jeremy Allison escreveu:

On Sat, Jan 27, 2007 at 11:35:32PM +0100, Jan Engelhardt wrote:
  

Ah I found it. This is smb.conf: http://pastebin.ca/330452
Removing SO_SNDBUF=8192 gives

$ smbget smb://localhost/rt/blob.iso
[blob.iso] 41.08Mb of 171.06Mb (24.01%) at 41.08Mb/s ETA: 00:00:03

perfect performance again. Wonder how that got in there *grumble*



Yep, on modern kernels I don't think setting SNDBUF or RCVBUF is
a good idea

Jeremy.
  



Can you explain that a little better? Why is that good for older kernels 
and not for new ones? And what do you call modern kernels, any 2.6 kernel?


Regards.

Edmundo



Re: [Samba] can not get preexec option to run a script file

2006-12-27 Thread Edmundo Valle Neto

James A. Dinkel escreveu:

I created a script in a file called HomeScript located at
"/etc/samba/Scripts/".  Now I want to run this from preexec on the
[homes] share.  This is all that is in the script right now, minus the
dashed lines:

--
#!/bin/bash
# Creating home directories

mkdir --mode=700 /export/homes/%S
--

My preexec option looks like this:

preexec = /etc/samba/Scripts/HomeScript

Now if I put the mkdir command directly in the preexec line, then it
works, but I want to add in checking for the existence of the directory
and also some other commands and branches.  Anybody see what I am doing
wrong?

James Dinkel
  


Are you using %S inside the script? It probably won't know what %S is;
you can pass a parameter like:


preexec = /etc/samba/Scripts/HomeScript %S

and inside the script:

mkdir --mode=700 /export/homes/$1

Another thing: preexec is executed as the user connecting to the share.
If the script needs root rights, use root preexec instead.



Regards.

Edmundo Valle Neto



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
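
A fuller HomeScript along the lines suggested above, as an added example that is not from the thread: it takes the share name as $1, rejects names that could escape the homes directory, and creates the directory only if it is missing. HOMES_BASE and make_home are names chosen here, and the chown step assumes the script is run from root preexec.

```shell
#!/bin/sh
# Added example, not from the thread.
# smb.conf:  root preexec = /etc/samba/Scripts/HomeScript %S
# smbd substitutes %S before running the command, so the share name
# arrives here as $1.
HOMES_BASE=${HOMES_BASE:-/export/homes}

# make_home NAME: make sure $HOMES_BASE/NAME exists with mode 700.
# Returns 0 if the directory exists afterwards, 2 if NAME is rejected,
# 1 on any other failure.
make_home() {
    name=$1
    # The script may run as root, so the argument is treated as untrusted:
    # no empty name, no "." or "..", no leading dash, no path separator,
    # and nothing outside a conservative character set.
    case $name in
        ''|.|..|-*|*/*|*[!A-Za-z0-9._-]*)
            echo "HomeScript: refusing share name '$name'" >&2
            return 2 ;;
    esac
    dir=$HOMES_BASE/$name

    # Do not follow a symlink planted where the home directory should be.
    if [ -L "$dir" ]; then
        echo "HomeScript: $dir is a symlink, refusing" >&2
        return 2
    fi

    # Already there: nothing to do (this is the existence check).
    [ -d "$dir" ] && return 0

    # mkdir -m sets the mode regardless of the umask.
    mkdir -m 700 -- "$dir" || return 1

    # Under root preexec the new directory belongs to root; hand it to the
    # user if such an account exists. Under plain preexec this is skipped.
    if [ "$(id -u)" -eq 0 ] && id -u "$name" >/dev/null 2>&1; then
        chown -- "$name" "$dir" || return 1
    fi
}

# Entry point when smbd calls the script with the share name.
[ $# -eq 0 ] || make_home "$1"
```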


Re: [Samba] LDAP, checkpwnam and PDC

2006-12-04 Thread Edmundo Valle Neto
If you don't want some users to be able to log in using their POSIX
accounts, give them a null shell: put /bin/false in the shell
attribute. I don't know what distribution you use or what the
default of the idealx scripts is, but in Debian, smbldap-tools (the packaged
idealx scripts) does that by default. That way any access that requires
a shell will not work for these users.


Regards.

Edmundo Valle Neto

Ben Wheare escreveu:

Hiya,

I'm trying to set up a Samba PDC with an LDAP backend.
I experienced problems joining machines to domains, the machine 
account was created, but Windows said user name cannot be found.
I resolved this by adding ldap to /etc/nsswitch.conf, but this has the 
side effect of allowing ldap users to login to the server via SSH.
Whilst I can understand the need for LDAP users to be accessible to
the system, i.e. checkpwnam etc for permissions, I don't want users to
be able to login to anywhere except the client Windows 2000/XP boxes.


People (only 3) who can login via SSH already have "real" user 
accounts in /etc/passwd etc.


Is there a way to stop this being allowed?

Thanks.
Ben




Re: [Samba] Problems with wins server

2006-11-27 Thread Edmundo Valle Neto

Noc.

I'm not an expert on how the NetBIOS name service works, but what your
log is saying is that SMB1 made a query back to SMB2 at 192.168.75.254
to allow it to register its name and SMB2 didn't answer properly (it's
a multi-homed host, and as in the "Implementing CIFS" book,
http://ubiqx.org/cifs/NetBIOS.html#NBT.4.3.1.4, I think that it should
answer with all IPs allowed to register its name).
I don't know how to solve that, and I think that it would help if you posted
your network addressing on both sides to make it clearer. Take a look at the
wins.dat file and see if SMB2 is registered with any other IP too.


About the other error:
Nov 23 07:03:48 gw nmbd[3768]:   process_name_refresh_request: unicast 
name registration request received for name DELL_7<20> from IP 
192.168.75.103 on subnet UNICAST_SUBNET.
Nov 23 07:03:48 gw nmbd[3768]: [2006/11/23 07:03:48, 0] 
nmbd/nmbd_incomingrequests.c:process_name_refresh_request(173)

Nov 23 07:03:48 gw nmbd[3768]:   Error - should be sent to WINS server

It says that it received a unicast packet (if I remember right, unicast
packets are meant to be sent to WINS servers only), and it's just saying
that. Probably the "wins proxy" option redirects only broadcasts to the
remote WINS server; it will not make SMB2 a WINS server too (so
pointing to SMB2 as being a WINS server is wrong: either you point to SMB1
directly or let the client register itself in SMB2 by broadcast).


Anyone correct me if I'm wrong :)

I have never used it either and don't know how well it works, but maybe you would
like to take a look at the Samba4WINS project, to replicate WINS servers.


Regards.

Edmundo Valle Neto


Noc Phibee escreveu:

No other solution ?




Noc Phibee a écrit :

Hi

I have a small problem ... :

I have two Samba servers connected by a VPN.

One is the master; its config is:

[global]
  workgroup = LOCAL
  netbios name = SMB1
  server string = Linux Smb Server 1
  os level = 33
  log file = /var/log/samba/%m.log
  max log size = 500
  log level = 3
  map to guest = bad user
  security = user
  encrypt passwords = yes
  smb passwd file = /etc/samba/smbpasswd
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  local master = no
  domain master = no
  dns proxy = no
  wins support = yes
  unix password sync=yes
  hosts allow = 192.168.0. 192.168.75. 192.160.150. 192.168.151. 192.168.3. 127.


In the log I have:

[2006/11/23 07:01:50, 3] 
nmbd/nmbd_winsserver.c:wins_multihomed_register_query_fail(1097)
 wins_multihomed_register_query_fail: Registering machine at IP 
192.168.75.254 failed to answer query successfully for name SMB2<03>.



The second server is:
[global]
  workgroup = LOCAL
  netbios name = SMB2
  server string = Linux Smb Server 2
  os level = 33
  log file = /var/log/samba/%m.log
  max log size = 500
  log level = 3
  map to guest = bad user
  security = user
  encrypt passwords = yes
  smb passwd file = /etc/samba/smbpasswd
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  local master = no
  domain master = no
  dns proxy = yes
  wins support = no
  wins server = 192.168.0.1
  wins proxy = yes
  unix password sync=yes

192.168.0.1 is the IP of the first server.
My computers on the network of SMB2 have SMB2 set as their WINS server.

In the log of SMB2 I have:

Nov 23 07:01:50 gw nmbd[3768]:   register_name_response: WINS server 
at IP 192.168.0.1 rejected our name registration of SMB2<20> IP 
192.168.75.254 with error code 5.
Nov 23 07:01:50 gw nmbd[3768]: [2006/11/23 07:01:50, 0] 
nmbd/nmbd_namelistdb.c:standard_fail_register(283)
Nov 23 07:01:50 gw nmbd[3768]:   standard_fail_register: Failed to 
register/refresh name SMB2<20> on subnet UNICAST_SUBNET
Nov 23 07:01:50 gw nmbd[3768]: [2006/11/23 07:01:50, 0] 
nmbd/nmbd_nameregister.c:register_name_response(130)
Nov 23 07:01:50 gw nmbd[3768]:   register_name_response: WINS server 
at IP 192.168.0.1 rejected our name registration of SMB2<03> IP 
192.168.75.254 with error code 5.
Nov 23 07:01:50 gw nmbd[3768]: [2006/11/23 07:01:50, 0] 
nmbd/nmbd_namelistdb.c:standard_fail_register(283)
Nov 23 07:01:50 gw nmbd[3768]:   standard_fail_register: Failed to 
register/refresh name SMB2<03> on subnet UNICAST_SUBNET
Nov 23 07:01:50 gw nmbd[3768]: [2006/11/23 07:01:50, 0] 
nmbd/nmbd_nameregister.c:register_name_response(130)


and for all users:
Nov 23 07:03:48 gw nmbd[3768]: [2006/11/23 07:03:48, 0] 
nmbd/nmbd_incomingrequests.c:process_name_refresh_request(173)

Nov 23 07:03:48 gw nmbd[3768]:   Error - should be sent to WINS server
Nov 23 07:03:48 gw nmbd[3768]: [2006/11/23 07:03:48, 0] 
nmbd/nmbd_incomingrequests.c:process_name_refresh_request(172)
Nov 23 07:03:48 gw nmbd[3768]:   process_name_refresh_request: 
unicast name registration request received for name DELL_7<20> from 
IP 192.168.75.103 on subnet UNICAST_SUBNET.
Nov 23 07:03:48 gw nmbd[3768]: [2006/11/23 07:03:48, 0] 
nmbd/nmbd_incomingrequests.c:process_name_refresh_re

Re: [Samba] Can I provide Samba file sharing to machines on many subnets

2006-10-10 Thread Edmundo Valle Neto

stan escreveu:
I need to be able to provide a Samba file share for machines 
on a number of different subnets to use to store data on


Is this feasible?
  


Yes, it is.


If so, what do I need to do to accomplish this?
  


The same thing that you need to do to configure a server for only one
subnet + configure a WINS server.
If you have any questions about your config you can ask them here; besides
that I can only recommend that you read the official documentation. The
Samba By Example book has a lot of examples.


http://us3.samba.org/samba/docs/man/Samba-Guide/


Regards.

Edmundo Valle Neto



Re: [Samba] cannot join to domain

2006-10-10 Thread Edmundo Valle Neto
Haven't you already answered yourself? Do those users already exist in
LDAP?
Second, smbldap-useradd -w "%u" is enough to create a machine account;
-i is to create trust accounts.


Edmundo Valle Neto


[EMAIL PROTECTED] escreveu:

I am trying to set up Samba 3-0-22 as a PDC on Ubuntu server 6.0.6 LTS, this is
on a Sun Ultra 5. When I try to join the domain using root, I get a dialog box
with the following message

The following error occurred attempting to join the domain "domain name":
The user name could not be found.

When I looked inside /var/log/samba/log.hp-laptop I found this

[2006/10/10 19:07:02, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2415)
   _samr_create_user:Running the command '/usr/sbin/smbldap-useradd -w -i
"hp-laptop"' gave 9

so I looked inside /usr/sbin/smbldap-useradd, I then found that the only exit
that gave 9 was the following

# user must not exist in LDAP (should it be nss-wide ?)
my ($rc, $dn) = get_user_dn2($username);
if ($rc and defined($dn)) {
  print "$0: user $username exists\n";
   exit (9);

I am now lost, as I understand it, root is the only way to join a domain and the
dialog box on my windows machine says the user cannot be found,
but smbldap-useradd seems to be saying because the user exists I cannot join.

I have tried reading the archives etc but cannot find an answer, anybody out
there know a cure for my problem?

thanks
Rowland


  




Re: [Samba] somewhat OT--windows logon script

2006-10-10 Thread Edmundo Valle Neto

Another way to do:

I check whether the workstation is running Windows XP, and if it is I do:
net use /persistent:no > nul
before the mappings.

Then the mappings are not made persistent.
PS: If I remember right, once they have been made persistent you must delete them
all before trying to map them with no persistence.



Edmundo Valle Neto



Aaron Kincer escreveu:

Rory,

I can't speak for anyone else, but in my logon scripts, I delete shares
before mapping them because Windows exhibits very strange behavior sometimes
with shares. Anyone who has ever gotten the amusing error "connection cannot
be restored" or whatever it says knows what I mean. Deleting and recreating
shares every login guarantees that the shares are good at that moment.

The downsides are that the time to execute the login script goes up. Well,
rather it stays approximately the same speed each time. Also, users
sometimes try to open networked files before the drive using that file is
deleted and restored or even worse, they open the file using the previous
day's share information and the share is deleted while they have the file
open. I urge anyone using this method to put the most commonly used drives
in the script first to avoid this problem.

Aaron

On 10/10/06, Rory Vieira <[EMAIL PROTECTED]> wrote:


Steve,
I agree with Aaron on this...
Unmap anything that *might* be mapped and then map your drives...
I do the same using kix...
And why do you need to 'remove' them in the first place?
It's not like you are connecting them persistently, after which a
logon script seems pretty useless if all it does is mount shares...

PS Here's the kix equivalent of what Aaron meant:
...
function map_share( $What, $Where )
use $What /del
use $What $Where
endfunction

map_share("W:", @LSERVER+"\contract_maintenance")
map_share("T:", @LSERVER+"\fleet")
map_share("U:", @LSERVER+"\field")
...

Just two side notes:
Do you really need a letter as low as E: ?!?
And if you're using [homes] then U: seems obvious for a 'user' share ;)

> (why not use active directory to configure NTP?)
> REM net time \\server5 /set
Or assign both NTP/Time servers using DHCP ;) (Works for XP hehe)
And you can do this in kix too using: settime "*"
This will scan my domain in search of a time server...

> (you do realize you have "t" declared twice, right?)
hehe

--
Rory Vieira
rory dot vieira at gmail dot com





Re: [Samba] Can't get guest users to see a drive without logging in

2006-10-03 Thread Edmundo Valle Neto

Felipe Augusto van de Wiel escreveu:




On 09/22/2006 01:15 PM, Scott Simpson escreveu:
  

I have a drive set up like

[public]
   comment = Public drive for miscellaneous stuff
   path = /apps/local/public
   writable = yes
   guest ok = yes
   force user = root
   force group = engr
   create mask = 0664
   directory mask = 0775
   public = yes
   browseable = yes

and I want users without Unix accounts to be able to access this drive from
Windows machines. However, whenever they try to access the drive it asks for
a login password. Users with Linux accounts on the machine aren't asked for
the password. How can I let in guest users without Linux accounts?

Thanks.



My guess is that you are having problems with your guest
account and trying to set the user (force user) to be root.

Kind regards,

- --
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)
  


If you use security = user and want nonexistent accounts to be mapped
to guest without being asked for a password, you can use the "map to
guest = Bad User" option.



Regards.

Edmundo Valle Neto


Re: [Samba] Re: WINS over subnets - something strange in the HOWTO

2006-10-02 Thread Edmundo Valle Neto

John H Terpstra escreveu:

On Sunday 01 October 2006 18:45, Hoggins! wrote:
  

Edmundo Valle Neto a écrit :


Hoggins! escreveu:

Yes, in that case it should maintain a more complete list. And yes, you
just must have ONE WINS server.
I think you didn't get the point: domain master, local master, domain
controllers, WINS server, etc. are just roles of the same server;
by enabling some options in smb.conf the same server can be all of them at
the same time.
BUT other subnets need local master browsers too. They can be any
Windows workstation (normally you should not worry about that); this is
one of the reasons that all of them must use the same single WINS server
(I am not saying that yours do not). The LMB can be any available
workstation (the machines in the subnet should elect one automatically),
so any machine ending up being an LMB will use the same WINS server to
find the DMB and sync. It works that way without you needing to care
about it.


OK, if the wireless clients can see each other, that segment probably
has an LMB with the browse list of that segment, but it just isn't passing it
to the Samba server.
About the LMBs, I just said that to make it clear that the other
networks don't register themselves directly with Samba to be included in
the browse.dat file; the one that does that is the LMB of that segment (as
explained before).
  

Thanks, I understand better now how it works.
So the LMB (any Win machine, elected) of the 192.168.3.0/24 segment must
send its browse list to the server, right ? I must check this traffic
with ethereal and/or with debug level 2. Sorry I didn't yet.



Not quite! 

The LMB does nothing to contact the DMB. The responsibility for browse list 
synchronization belongs to the DMB.


The DMB looks for the LMB registrations in the WINS (wins.dat) database. It 
then contacts each LMB to synchronise the browse list.


Ergo, if the WINS database does not contain all machines that are LMBs - 
browse list synchronization will not happen.


- John T.
  


John.

   Look at this at: 
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html



How Browsing Functions

...
Instead, the DMB serves the role of contacting each LMB (found by asking 
WINS or from LMHOSTS) and exchanging browse list contents.

...

This is what you said.

But.


Cross-Subnet Browsing

...
As soon as N2_B has become the LMB, it looks for a DMB with which to 
synchronize its browse list. It does this by querying the WINS server 
(N2_D) for the IP address associated with the NetBIOS name 
WORKGROUP<1B>. This name was registered by the DMB (N1_C) with the WINS 
server as soon as it was started.


Once N2_B knows the address of the DMB, it tells it that is the LMB for 
subnet 2 by sending a MasterAnnouncement packet as a UDP port 138 
packet. It then synchronizes with it by doing a NetServerEnum2 call. 
This tells the DMB to send it all the server names it knows about. Once 
the DMB receives the MasterAnnouncement packet, it schedules a 
synchronization request to the sender of that packet. After both 
synchronizations are complete, the browse lists look like those in 
Browse Subnet Example 2

...

And that's the other explanation that I mentioned.

Shouldn't that last explanation be different?

Regards.

Edmundo Valle Neto



Re: [Samba] Re: WINS over subnets

2006-10-01 Thread Edmundo Valle Neto

...
Yes, I put debug level to 2, and I saw that the server was always 
elected as the master. And also that the machines successfully 
registered to the server.
My smb.conf (a bit modified since my first post, but the symptoms are 
the same though) :


[global]
display charset = ASCII
workgroup = BOUFFARD
netbios aliases = hgsserver
server string = PARTAGES
interfaces = eth0
security = SHARE
map to guest = Bad User
root directory = /
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat debug = Yes
username map = /etc/samba/smbusers
unix password sync = Yes
#log level = 2
#syslog = 3
#syslog only = Yes
log file = /var/log/samba/%m.log
max log size = 50
debug timestamp = No
time server = Yes
server signing = auto
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
printcap name = /etc/printcap
os level = 32
lm announce = Yes
preferred master = Yes
domain master = Yes
local master = no
dns proxy = No
wins support = Yes
ldap ssl = no
remote announce = 192.168.3.255/BOUFFARD
remote browse sync = 192.168.3.255 224.0.0.1
usershare path =
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
guest ok = Yes
hosts allow = 192.168.2.0/24, 192.168.3.0/24
cups options = raw

[...] (some shares declarations)

I'll come with more results on benchmarks ASAP. Thanks for your help 
and patience.


Regards,

Hoggins!



There are some options that I think are not needed in your config, but
they probably don't cause the problem that you have, with the exception of this one:


local master = no

Try setting it to yes. I never tried setting it to no and letting it be only
the DMB to see what happens, but the Samba docs have something to say
about that: "If you want Samba to be a DMB, then it is recommended that
you also set preferred master to yes, because Samba will not become a
DMB for the whole of your LAN or WAN IF IT IS NOT ALSO A LMB ON ITS OWN
BROADCAST ISOLATED SUBNET". Anyway, it's at least recommended for Samba to be
the LMB too.


Regards.

Edmundo Valle Neto


Re: [Samba] Re: WINS over subnets

2006-09-29 Thread Edmundo Valle Neto

Hoggins! escreveu:

Edmundo Valle Neto a écrit :

Hoggins! escreveu:

   Take a look at the chapter of the samba book about cross-subnet 
browsing, who maintains the browse list is the domain master browser, 
each subnet must have a local master browser to maintain the browse  
list for its own network segment and it will sync the list with the 
domain master browser of the network. In browse.dat only should 
appear machines that have some service to offer to the network.
Almost all the machines of my network offer services (shares), so it's 
not the problem.
Since then, the server should maintain a more complete list : the 
clients successfully register to it.
I must not have understood the behavior of Samba, because I believed 
you just had to have one WINS server to which all the clients 
register, so it would maintain a browse list of these clients. I 
cannot have "slave" servers on the other subnets, that's why I planned 
on using one single master server for all the subnets.


Yes, in that case it should maintain a more complete list. And yes, you
just must have ONE WINS server.
I think you didn't get the point: domain master, local master, domain
controllers, WINS server, etc. are just roles of the same server;
by enabling some options in smb.conf the same server can be all of them at
the same time.
BUT other subnets need local master browsers too. They can be any
Windows workstation (normally you should not worry about that); this is
one of the reasons that all of them must use the same single WINS server
(I am not saying that yours do not). The LMB can be any available
workstation (the machines in the subnet should elect one automatically),
so any machine ending up being an LMB will use the same WINS server to
find the DMB and sync. It works that way without you needing to care
about it.


   What is the behavior of your network? Each network only shows its 
own machines? i.e. Wireless clients only sees each others and samba 
only sees one XP machine? Wireless clients cannot see the samba 
server at all?
I did not check all the behaviors, but according to what I saw, the 
wireless clients can see each other (thanks to broadcast), but cannot 
see the XP box. I must make more checks, since I don't even know if 
they can see the server. I must admit that I was more preoccupied by 
the browse.dat list, and my own XP box.


OK, if the wireless clients can see each other, that segment probably 
has an LMB with the browse list of that segment, but it just isn't 
passing it to the samba server.
About the LMBs, I just said that to make it clear that the other 
networks don't register themselves directly with samba to be included in 
the browse.dat file; the LMB of that segment is what does that (as 
explained before).





WINS not only holds the IP addresses but also the roles that these 
addresses have in the network.
Like: "WORKGROUP#1b" ... 1b = Domain Master Browser, and WINS clients 
access this information to know where they should authenticate, sync 
their browse lists, etc.
The WINS file looks fine to me, and all these infos appear, and all 
the machines and their services also appear.


ok.



There are some options to force syncs and announces to other networks 
too, but I never needed to use them, even in that type of situation 
with cross-subnets.
Yes, maybe because you have several local master browsers that sync to 
the domain master browser, so these options would be redundant. 
Anyway, these syncs won't even work, since they rely on broadcast 
transmissions.




Look at what was explained above; about these options, I just cited them 
to say that they exist.




Thanks for the help, I'm getting desperate, though I thought it was 
possible to maintain such a list with only ONE server if the routes 
and the server's configuration files were correctly set.




Yes, it is possible and most of the time the recommended way.


There are some tools and commands to see problems with name resolution on 
the XP clients, like nbtstat or the netbios browsing console.


With a log level of 2 in smb.conf, is there any interesting 
information about elections in the nmbd log? It would help if you 
included your smb.conf here too.



Regards.

Edmundo Valle Neto



Re: [Samba] Re: WINS over subnets

2006-09-29 Thread Edmundo Valle Neto

Hoggins! wrote:

chris barry wrote:

On Thu, 2006-09-28 at 19:00 +0200, Hoggins! wrote:

does the WINS server have a route to this wireless net, or is it
responding out the default gateway?

have you tcpdumped the interfaces on anything yet?

All the routes are static, and the two hosts can ping each other 
without problems. The routing works perfectly fine.
Having tcpdumped a bit what was going on, I could only figure that the 
machines are correctly registering to the server, and the servers 
responds that it's okay.
The real problem is that it simply does not fill the browse.dat file 
with other entries than itself and the WinXP box that is on the same 
subnet.


   Take a look at the chapter of the samba book about cross-subnet 
browsing. The domain master browser is what maintains the browse list; 
each subnet must have a local master browser to maintain the browse 
list for its own network segment, and it will sync the list with the 
domain master browser of the network. Only machines that have some 
service to offer to the network should appear in browse.dat.
   What is the behavior of your network? Does each network only show its 
own machines? i.e. wireless clients only see each other and samba only 
sees one XP machine? Wireless clients cannot see the samba server at all?


With a closer look to wins.dat, I can see that all the machines are 
present, and have the correct IP addresses.




WINS not only holds the IP addresses but also the roles that these 
addresses have in the network.
Like: "WORKGROUP#1b" ... 1b = Domain Master Browser, and WINS clients 
access this information to know where they should authenticate, sync 
their browse lists, etc.


There are some options to force syncs and announces to other networks 
too, but I never needed to use them, even in that type of situation with 
cross-subnets.


So my personal conclusion is that there is a misconfiguration of samba 
somewhere, that makes it generate a browse list only for its own 
subnet. I think it's weird.


Thanks for helping




Regards.

Edmundo Valle Neto


Re: [Samba] Question regarding Samba rights

2006-08-28 Thread Edmundo Valle Neto

beast wrote:

Gerald (Jerry) Carter wrote:


beast wrote:
 

Where did samba store information regarding user privilege?



account_policy.tdb

 

Do I need to runs same commands to all domain controllers?



For now, yes.
  


Hi Jerry,

Since account policy is unique to every user, why is there an 
account_policy.tdb file? Why not just add it to ldap, just like 
sambaLogonHours?



--beast



Hi.

   I still use samba 3.0.14a, but if I remember right, policy settings 
can be exported to ldap since 3.0.21.

   root #> pdbedit -y -i tdbsam -e ldapsam

   About privileges, which the first message was talking about, I don't 
know the current ldap status.


Regards.

Edmundo Valle Neto



Re: [Samba] Using samba 3rd ed - was samba4 readiness

2006-08-17 Thread Edmundo Valle Neto
Sorry, I made a little confusion (as the printed version of TOSHARG is 
in the 2nd edition too), Using Samba 2nd Edition covers Samba 2, so 
everything will be new.


I read "Using Samba 2nd edition" from O'Reilly and bought the first 
edition and followed the changes from the online documentation of 
TOSHARG and SAMBA-3 by Example.


What I really want to know is what will be the differences to TOSHARG.

Regards.

Edmundo Valle Neto


Edmundo Valle Neto wrote:

Hi.

   Some time ago I bought the first edition, and followed some changes 
reading the online version of the documentation (but I really like to 
read books as books). Can you point out what will be included in the 3rd 
edition?


Regards.

Edmundo Valle Neto


Gerald (Jerry) Carter wrote:

...

This is a blurb I put in the upcoming 3rd edition of "Using Samba"
(O'Reilly).  Hope it helps clarify things.
  

...





[Samba] Using samba 3rd ed - was samba4 readiness

2006-08-17 Thread Edmundo Valle Neto

Hi.

   Some time ago I bought the first edition, and followed some changes 
reading the online version of the documentation (but I really like to 
read books as books). Can you point out what will be included in the 3rd 
edition?


Regards.

Edmundo Valle Neto


Gerald (Jerry) Carter wrote:

...

This is a blurb I put in the upcoming 3rd edition of "Using Samba"
(O'Reilly).  Hope it helps clarify things.
  

...



Re: [Samba] append to path from login script?

2006-08-14 Thread Edmundo Valle Neto

I do it this way in the logon script, after mapping the network drive:

...
path | find "R:\Util;" > nul
if errorlevel 1 echo Verificando a variavel de ambiente path  NAO DEFINIDA

if not errorlevel 1 goto path_ok
\\%SERVIDOR%\netlogon\winset.exe PATH=R:\Util;%PATH%
if errorlevel 1 echo Definindo a variavel de ambiente path .. ERRO
if not errorlevel 1 echo Definindo a variavel de ambiente path .. OK

:path_ok
echo Verificando a variavel de ambiente path  JA DEFINIDA
...

I don't remember where I got the "winset.exe" utility; it is needed to 
redefine the environment variables outside the shell executing the logon 
script.



Edmundo Valle Neto



B. Cook wrote:
I'm wondering if there is a way to add a network share (either UNC or 
mapped drive) to the path of a user when they login?


for example have a directory \\smbserver\apps and put putty.exe in 
there.. so that when I sit down at a machine I will always have putty 
in the path..


Is that possible?




Re: [Samba] Missing 'smbmount' on Ubuntu?

2006-07-15 Thread Edmundo Valle Neto

Adam Williams wrote:
I know on fedora core 5 you use mount -t cifs "\\server\share" 
/mnt/point -o username=validuser


not sure about what kubuntu has but you should try that.

Larry Alkoff wrote:

I have just started running Kubuntu Badger version 6.06.
Although Samba seems to be installed, there is no smbmount program.

What would I use to mount a samba share?
Plain old 'mount -t smbfs'?

Larry





I don't know which command is better, but the smbmount command is in the 
smbfs package in Ubuntu.
In any Debian based distro you can use apt-file to search which package 
contains a file.


Install it: apt-get install apt-file
Index it: apt-file update
And search: apt-file search smbmount

...
smbfs: usr/bin/smbmount
...

Regards.

Edmundo Valle Neto



Re: [Samba] Cross-Subnet Browsing Problem

2006-07-14 Thread Edmundo Valle Neto

Todd.

   I have already used samba in networks with more than one segment and 
never needed any "remote ..." option either; it worked even through a 
VPN. The samba books say to use those options when more than one WINS 
server is used, for example. Using the same WINS server in both networks, 
the name registration is already made in unicast, and it should pass 
through a router.
   Have you looked inside wins.dat and browse.dat on the samba server 
to see if everything is there? You said that you have already tested 
with nblookup (maybe looking there doesn't make sense then), but I think 
it's easier to see what your WINS server has to offer, what the 
available resources are and if there's any name that shouldn't be 
registered there that way.
   Does nbtstat -r on the client show that the names are really being 
resolved by the name server (WINS)?


Regards.

Edmundo Valle Neto
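
The check suggested above (looking inside wins.dat for what is registered, and for names that should not be there) can be scripted. This is an added example, not part of the original post or of Samba: it assumes the Samba 3 wins.dat layout of one "NAME#xx" ttl address... flagsR record per line, and the sample records, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the roles registered in a wins.dat file.

# sample_wins_dat: constructed sample data (layout is an assumption).
sample_wins_dat() {
    cat <<'EOF'
VERSION 1 0
"WORKGROUP#00" 1159660800 255.255.255.255 c4R
"WORKGROUP#1b" 1159660800 192.0.2.10 44R
"WORKGROUP#1e" 1159660800 255.255.255.255 c4R
"SAMBASRV#00" 1159660800 192.0.2.10 46R
"SAMBASRV#20" 1159660800 192.0.2.10 46R
"XPBOX#20" 1159660800 192.0.2.21 4R
"WLAN-PC1#20" 1159660800 198.51.100.33 4R
EOF
}

# wins_records FILE
# Print one line per record: name<TAB>suffix<TAB>addresses<TAB>role.
wins_records() {
    awk '
    BEGIN {
        role["00"] = "workstation or workgroup name"
        role["03"] = "messenger service"
        role["20"] = "file server"
        role["1b"] = "domain master browser"
        role["1c"] = "domain controllers"
        role["1d"] = "local master browser"
        role["1e"] = "browser election group"
    }
    /^"/ {
        # The name is quoted and may contain spaces, so cut it out first.
        close_q = index(substr($0, 2), "\"")
        if (close_q == 0) next
        full = substr($0, 2, close_q - 1)      # NAME#xx
        rest = substr($0, close_q + 2)         # ttl, addresses, flags
        hash = length(full) - 2
        if (substr(full, hash, 1) != "#") next
        name = substr(full, 1, hash - 1)
        sfx = tolower(substr(full, hash + 1))
        n = split(rest, f, " ")                # f[1]=ttl, f[n]=flags
        ips = ""
        for (i = 2; i < n; i++) ips = ips (ips == "" ? "" : ",") f[i]
        printf "%s\t%s\t%s\t%s\n", name, sfx, ips, ((sfx in role) ? role[sfx] : "other")
    }' "$1"
}

# holders FILE NAME SUFFIX
# Print the addresses registered for NAME#SUFFIX, one record per line.
holders() {
    wins_records "$1" | awk -F '\t' -v n="$2" -v s="$3" \
        'toupper($1) == toupper(n) && $2 == s { print $3 }'
}

# dmb_is FILE WORKGROUP ADDRESS
# Succeed only if WORKGROUP#1b is registered and points at ADDRESS alone.
dmb_is() {
    [ "$(holders "$1" "$2" 1b)" = "$3" ]
}

# Stand-alone use: pass the path of a wins.dat file as the first argument.
if [ $# -gt 0 ]; then
    wins_records "$1"
fi
```

A #1b record that points at an address other than the samba server, or file-server (#20) names you do not recognise, are the entries worth following up.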


Re: [Samba] corrupt files on samba server

2006-07-10 Thread Edmundo Valle Neto

Jeremy Allison wrote:

On Mon, Jul 10, 2006 at 08:32:26PM +0200, @ichkommnichmehrklar.de wrote:

  
We don't compare the md5 checksums. We checked our switches to make 
sure there is nothing wrong with our network installation. And there 
are no hardware errors because we are having the problem on two 
different machines.



This does not follow. If you're using the same network between
the two then a network hardware problem would easily cause this.

Definitely use md5sum on client and server to check integrity.

Jeremy.
  


One problem that I had several times, and that isn't related to samba, 
was with bad memory. Sometimes the OS installs without problems and can 
be used without problems, but sometimes it corrupts some files. This 
happens only when DMA is enabled. I don't know if it can apply to the 
server too, but it is one thing to try.


On the server you can use md5 to check the files after copying them 
locally, and on the client you can use QuickSFV.



Regards.

Edmundo Valle Neto



Re: [Samba] Samba installation discrepancies

2006-07-08 Thread Edmundo Valle Neto

Eric Evans wrote:

Samba colleagues,

I promise to limit my postings to this list to one message per day 
from now on, and to keep my messages focussed on very specific 
technical issues.  I think I have gotten over my initial panic at the 
weirdly broken Samba installation and am now in a troubleshooting mode.


The drama of all my Samba 3 difficulties now seems to be due to a 
faulty Samba installation.  Symptoms are:
bin/nmbd -V and bin/smbd -V both return version 2.2.7a, even though I 
did a complete installation of version 3.0.22 and the installation 
(including the 'make install') ran completely through to its 
completion with no error messages.  Also, nmbd is currently running 
but smbd is not running.  And when I try to run smbclient I get the 
messages


read_socket_with_timeout: timeout read. read error = Connection reset 
by peer.

session request to PLEIADES failed (Read error: Connection reset by peer)
read_socket_with_timeout: timeout read. read error = Connection reset 
by peer.
session request to *SMBSERVER failed (Read error: Connection reset by 
peer)


My environment is Solaris 8.  Has anyone else had any difficulty 
getting Samba 3 to install properly on Solaris 8?


Thanks very much,
Eric

  


I have never used Solaris 8, and I don't know how the previous version 
was installed, where it's installed by default, or how Solaris handles 
packages, but discovering that can be a good start.


Have you uninstalled Samba 2 first? Because of this type of problem I 
dropped Slackware and began using Debian (with a trustworthy packaging 
system).


But let's say that it was installed from sources and you don't have the 
source of Samba 2 to look at where it was configured to be installed or 
to try to uninstall it.


Look at what is included in your PATH environment variable (to see the 
order in which directories are searched). Use the "which" command to see 
where the default smbd and nmbd are installed (as you said, it will 
probably find version 2). Try using find or locate to see how many files 
exist with those names (to see if it was installed in another location). 
Look at the date of the old samba files and try to find files with the 
same date (which were probably installed together).


Summarizing, try to move the old Samba 2 files to another location (out 
of the way), by hand or using the packaging system used before (a better 
choice if possible), before trying to use Samba 3.


Maybe if you give more information on how the two versions were 
installed, someone who knows Solaris can give a better solution.


Regards.

Edmundo Valle Neto
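
The search described above (PATH order, every copy of smbd and nmbd, and which version each copy reports) as a small shell script. This is an added example, not from the original post; the function names are made up here, and it assumes each copy answers -V the way the smbd and nmbd in the thread do.

```shell
#!/bin/sh
# Added example: find every copy of a program on $PATH and show which wins.

# list_in_path NAME
# Print each executable file called NAME found in $PATH, in search order.
# The first line printed is the copy that a bare "NAME" would run.
list_in_path() {
    lip_name=$1
    lip_ifs=$IFS
    set -f                      # no globbing while $PATH is split unquoted
    IFS=:
    for lip_dir in $PATH; do
        [ -n "$lip_dir" ] || lip_dir=.    # empty entry = current directory
        if [ -f "$lip_dir/$lip_name" ] && [ -x "$lip_dir/$lip_name" ]; then
            printf '%s\n' "$lip_dir/$lip_name"
        fi
    done
    IFS=$lip_ifs
    set +f
}

# report_versions NAME
# For each copy print "path<TAB>version", where version is the first line
# printed by "path -V".
report_versions() {
    list_in_path "$1" | while IFS= read -r rv_path; do
        rv_ver=$("$rv_path" -V 2>&1 </dev/null | head -n 1)
        printf '%s\t%s\n' "$rv_path" "$rv_ver"
    done
}

# count_versions NAME
# Number of distinct version strings among the copies. More than 1 means
# an older install is still reachable and may shadow the new one.
count_versions() {
    report_versions "$1" | cut -f2 | sort -u | wc -l | tr -d ' '
}

# Stand-alone use: sh thisfile smbd   (or nmbd)
if [ $# -gt 0 ]; then
    report_versions "$1"
fi
```

Run it once for smbd and once for nmbd; if the first line is not the copy you just installed, either the old directory comes earlier in PATH or the startup script calls the old binary by its full path.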


Re: [Samba] very very weird problem, Samba completely broken

2006-07-07 Thread Edmundo Valle Neto

Eric Evans wrote:



probably would be much easier if you understood Windows Networking
principles.


I'm sure it would, I'm trying my best to learn them.  In the meantime 
I have a bunch of users who are impatient to get this thing working 
ASAP and who are not patient enough to wait around while I read an 
entire book on Windows networking before tackling their problem.


Just some advice.

From personal experience, if you do something expecting that it will just 
work, without testing it first or really knowing what you are doing, 
probably a lot of problems will arise.
Every time I needed to deploy something that I didn't know about (had 
never done) and didn't have time to learn and test it (and the time of 
deployment really was critical), I contracted someone to do that part.

If you can't make sure it will work, it doesn't count as an alternative.




Nothing below suggests that you are using a WINS server...not in the
Windows clients, not in smb.conf.


That is entirely correct.  I'm not using a WINS server and I have no 
need to use a WINS server.




Yes, you really don't need a WINS server if all machines are in the same 
network segment, but even for small networks (with an always available 
server) it's recommended; that way you will have a dns-like service and 
the clients will not need to broadcast all the time to make name 
resolution work.



Make life easy for yourself, add 'wins support = yes' to smb.conf and
change your dhcp server to use 128.253.175.150 as WINS server and node
type = '8'


I have tried adding 'wins support = yes' to the smb.conf and it has no 
effect on this problem.  Furthermore I don't see why that should be 
necessary anyway since I'm not running a WINS server.  Also, I can't 
change our DHCP server because it is controlled by a centralized 
agency that I have no authority over, and I don't have configuration 
access to it.




wins support = yes tells samba to BE a WINS server. To make a 
difference, ALL clients MUST use it, so that they do not end up having 
partial views of the neighborhood and resources available. Besides the 
error message, your client shouldn't appear to be using it as a WINS 
server. I don't know if it should work with only that option set and 
with that "node type = unknown" config problem on the clients. About the 
DHCP thing, it's only easier to deploy WINS configuration using it: you 
can specify an address and node type to the clients, but it can be done 
manually too, in each client (the node type can only be changed in the 
registry then, but that's not normally necessary; the default not unknown 
value should work well).



READ the documentation...Samba by Example does excellent handholding for
the impatient...

http://www.samba.org/samba/docs/man/Samba-Guide/

I would suggest that you start with 'Small Office Networking'


Yes I agree that the documentation is important, and I assure you that 
I have been reading it and I'm still reading it.  I could just use a 
little help here, is all.




No comments, the two samba books are the minimal things that people that 
deploy servers really need to read.



Also note that firewalls would block access - probably a very good idea
to run firewalls on these systems since they appear to have public IP
addresses - thus a 'hosts allow = 128.253.175. ' would be a very good
thing. Firewall would have to allow ports 137:139 and probably 445 from
that same ip address range.


Not going across a firewall, so this is not a problem.


Also note that you don't have any shares that users can see in your
above configuration since a "HOMES" share is only pertinent to those
that attach to a PDC/BDC and since you have surrendered that ground in
frustration, you can't have it.


Now this is an interesting and surprising statement.  When we were 
running Samba 2 we were definitely not using PDC or BDC, but we had a 
homes share declared in the smb.conf and people were connecting to it 
every day without any difficulty.  But you're saying now that you 
can't connect to the homes share unless you are attaching to a PDC or 
BDC?  When did this happen?  Was this a change in Samba's policy that 
occurred when they went from version 2 to version 3?


Hmm, not really. You can have home shares and connect to them manually 
without needing to be a DC.




Thanks,
Eric




Regards.

Edmundo Valle Neto




Re: [Samba] very very weird problem, Samba completely broken

2006-07-07 Thread Edmundo Valle Neto
 is the order and inclusion (with its 
own nomenclature) of netbios name resolution (broadcast or WINS (a 
unicast packet, remember?)), searching the MS KBs I found this: 
http://support.microsoft.com/kb/310570


Try using "nbtstat -a yourserver" on the command line of the windows 
machine to see if it can list the table of names of the server (and see 
if netbios and name resolution are working).


Probably your client (or a lot of them) is making some confusion and 
isn't registering itself properly to the network.




Regards.

Edmundo Valle Neto



Re: [Samba] Problems with domain logons

2006-07-06 Thread Edmundo Valle Neto

Eric Evans wrote:


As I mentioned in my last email and as explained below, the use of 
login scripts in the netlogon share only work when the samba server 
is acting as a PDC and your clients are part of this domain. Windows 
clients then automatically look for the existence of the netlogon 
share and run the script mentioned in the smb.conf. The users home 
directory will be automatically mapped using the drive letter 
completed in the smb.conf. Other drives can then be added using net 
use or you can use kixtart which is a great scripting program which 
allows you to be more creative with your scripting. Stick with net 
use if its just basic mapping your after.


Thanks very much.  We've never used domain logins before but I looked 
up in the "Using Samba" book about how to set up the Samba server as a 
domain controller.  Here's the contents of my [global] section of my 
smb.conf:


"Using Samba" is a reference for the Samba 2 branch (although some things 
remain the same). Samba 3 has two books (available online): The 
Official Samba-3 Howto and Reference Guide, and Samba by Example.




[global]
workgroup = Plab
domain logons = yes

socket options = TCP_NODELAY
invalid users = root bin daemon adm sync shutdown halt mail news uucp

max log size = 100
security = user
encrypt passwords = yes
os level = 34
local master = yes
preferred master = yes
domain master = yes

print command = /bin/lp -d%p %s; sleep 5; rm -f %s
printer = 128_1
printing = SYSV

log file = /var/log/samba.log
log level = 0
max log size = 50
debug timestamp = yes
logon script = startup.bat

Now I have two stupid questions:

1. When I go into one of my Windows 2000 clients and try to set it up 
to be a member of the Plab domain, I get an error message saying that 
it's not able to contact the Plab domain.  But I thought I had the 
Samba server set up properly to be a PDC. 


Can be a lot of things, browsing, lack of guest user, the nmbd logs 
should show how elections are going.



I don't see any error messages in the Samba log file.


Put a log level = 2, 0 doesn't log anything.

  Is there any way I can test the Samba server to see if it's actually 
operating as a PDC?


smbclient -L localhost -U% should show if you can list the resources of 
the server locally and show who is the master browser.


I recommend you to use the samba server as a WINS server too (if it will 
be always available), and configure the clients to use it.


The books have step by step examples on how to set up and test a PDC.



2. We also have Windows XP clients but I'm not able to find how to set 
them up to be in the Plab domain.  Anybody know how to configure XP 
clients for domain logons?




The books show that too, including pictures of the dialogs on the client 
and the scripts needed on the server, how to set privileges, etc.



Thanks very much,
Eric



Edmundo Valle Neto



Re: [Samba] query about PC setups

2006-07-05 Thread Edmundo Valle Neto

Eric Evans wrote:

Hello,

My boss claims that it is possible to set up a PC as a Samba client in 
such a way that every Windows user who logs in to that PC will 
automatically be connected to a certain designated Samba share, 
without the user himself having to map the network drive to the Samba 
share.  That is, the boss claims that I, as the administrator of the 
PC, have the power to set up some kind of global mapping for all the 
PC users so that each user doesn't have to do the mapping himself.  Is 
there any truth to this claim?  I haven't found any mention of this 
feature in the Samba documentation.


Thanks,
Eric
 



With any windows/samba network you can do that. Any .bat script 
including "net use" commands, when executed on the client, maps drives 
that way. It can be placed on the client alone, in any place that allows 
running programs after logon, or used as a logon script with a PDC 
(logon scripts are meant to do that).



Edmundo Valle Neto



[Samba] Default behavior of setting SUID bit in directories.

2006-07-03 Thread Edmundo Valle Neto

Hello.

   In the Samba by Example book there's a section called "Effect of 
Setting File and Directory SUID/SGID Permissions Explained", that shows 
an example of the effect of SUID/SGID bits.
   The SGID bit, when set on directories, makes the files inherit the 
group owner, but I couldn't make the SUID bit on directories work, 
making files inherit the owner.
   The documentation says that as if it were a general default behavior, 
and recommends it together with force user in several places in the book.
   I'm using Debian Sarge, for example, and it doesn't do that; I don't 
even know how to enable that behavior.


   Am I missing something? Does any Linux/Unix flavor do that (inherit 
the owner when a directory has the SUID bit set) by default?


Regards.


Edmundo Valle Neto


Re: [Samba] What the Administrator RID 500 is supposed to be able to do?

2006-07-03 Thread Edmundo Valle Neto

Answering my own question.

I have found some related questions in the mailing list archive saying 
that RIDs don't change the behavior of the accounts to samba, only the 
way they appear to windows clients.



Edmundo Valle Neto