Re: [Samba] Very slow wbinfo -u
Hi again,

I have traced some more on the problem. It is the failing name resolution via NetBIOS that delays the output from wbinfo -u. I can see from a trace that the failing lookups are on other DCs in the domain, which I don't have access to, but they probably don't provide WINS.

How do I keep winbind from looking up these DCs? I am not going to use them anyway.

Regards
//Erik

Erik Holst Trans wrote:
> Hi,
>
> I have set up Samba-3.0.11 to retrieve account information from a W2k server via winbind, and it works. But it takes about 10 sec. to retrieve the information.
>
> I have dumped some traffic from the request, and it looks like this:
>
> A lot of these:
>
> 21:21:55.133423 172.20.3.131.1077 > 172.20.3.130.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST (DF)
> 21:21:55.133842 172.20.3.130.137 > 172.20.3.131.1077: NBT UDP PACKET(137): QUERY; NEGATIVE; RESPONSE; UNICAST
> 21:21:55.136553 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
> 21:21:55.406642 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
> 21:21:55.676634 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
>
> And at the end this.
>
> 21:22:03.358852 172.20.3.131.1077 > 172.20.3.130.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST (DF)
> 21:22:03.359260 172.20.3.130.137 > 172.20.3.131.1077: NBT UDP PACKET(137): QUERY; NEGATIVE; RESPONSE; UNICAST
> 21:22:03.362375 172.20.3.131.1077 > 172.20.3.130.53: 19551+ A? MAIL.ag-electric.ts-gruppen.lokal. (51) (DF)
> 21:22:03.362696 172.20.3.130.53 > 172.20.3.131.1077: 19551 NXDomain* 0/1/0 (133)
> 21:22:03.365096 172.20.3.131.1077 > 172.20.3.130.53: 19552+ A? MAIL. (22) (DF)
> 21:22:03.365304 172.20.3.130.53 > 172.20.3.131.1077: 19552 ServFail 0/0/0 (22)
> 21:22:03.367225 172.20.3.131.1077 > 172.20.100.2.53: 19552+ A? MAIL. (22) (DF)
> 21:22:03.393420 172.20.100.2.53 > 172.20.3.131.1077: 19552 ServFail 0/0/0 (22)
> 21:22:03.394424 172.20.3.131.1077 > 172.20.100.3.53: 19552+ A? MAIL. (22) (DF)
> 21:22:03.417466 172.20.100.3.53 > 172.20.3.131.1077: 19552 ServFail 0/0/0 (22)
> 21:22:03.418430 172.20.3.131.1077 > 172.20.3.130.53: 19552+ A? MAIL. (22) (DF)
> 21:22:03.418693 172.20.3.130.53 > 172.20.3.131.1077: 19552 ServFail 0/0/0 (22)
> 21:22:03.420718 172.20.3.131.1077 > 172.20.100.2.53: 19552+ A? MAIL. (22) (DF)
> 21:22:03.453146 172.20.100.2.53 > 172.20.3.131.1077: 19552 ServFail 0/0/0 (22)
> 21:22:03.454160 172.20.3.131.1077 > 172.20.100.3.53: 19552+ A? MAIL. (22) (DF)
> 21:22:03.475636 172.20.100.3.53 > 172.20.3.131.1077: 19552 ServFail 0/0/0 (22)
> 21:22:03.477011 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
> 21:22:03.543035 172.20.3.130.445 > 172.20.3.131.1195: . 896738190:896738191(1) ack 2114075428 win 65353 (DF)
> 21:22:03.543236 172.20.3.131.1195 > 172.20.3.130.445: . ack 1 win 14076 (DF)
> 21:22:03.746618 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
> 21:22:04.016733 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
> 21:22:04.288070 172.20.3.131.1077 > 172.20.3.130.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST (DF)
> 21:22:04.288503 172.20.3.130.137 > 172.20.3.131.1077: NBT UDP PACKET(137): QUERY; NEGATIVE; RESPONSE; UNICAST
> 21:22:04.289752 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
> 21:22:04.556624 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
> 21:22:04.826634 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
> 21:22:05.098145 172.20.3.131.1200 > 172.20.3.130.389: S 2238976557:2238976557(0) win 5840 (DF)
> 21:22:05.098373 172.20.3.130.389 > 172.20.3.131.1200: S 925400727:925400727(0) ack 2238976558 win 65535 (DF)
> 21:22:05.098655 172.20.3.131.1200 > 172.20.3.130.389: . ack 1 win 5840 (DF)
> 21:22:05.101294 172.20.3.131.1077 > 172.20.3.130.53: 19553+ PTR? 130.3.20.172.in-addr.arpa. (43) (DF)
> 21:22:05.101577 172.20.3.130.53 > 172.20.3.131.1077: 19553* 1/0/0 (97)
> 21:22:05.104163 172.20.3.131.1200 > 172.20.3.130.389: P 1:61(60) ack 1 win 5840 (DF)
> 21:22:05.104565 172.20.3.130.389 > 172.20.3.131.1200: P 1:87(86) ack 61 win 65475 (DF)
> 21:22:05.104857 172.20.3.131.1200 > 172.20.3.130.389: . ack 87 win 5840 (DF)
> 21:22:05.107316 172.20.3.131.1200 > 172.20.3.130.389: P 61:68(7) ack 87 win 5840 (DF)
> 21:22:05.107594 172.20.3.130.389 > 172.20.3.131.1200: F 87:87(0) ack 68 win 65468 (DF)
> 21:22:05.107907 172.20.3.131.1200 > 172.20.3.130.389: F 68:68(0) ack 88 win 5840 (DF)
> 21:22:05.108047 172.20.3.130.389 > 172.20.3.131.1200: . ack 69 win 65468 (DF)
> 21:22:11.745590 172.20.3.130.445 > 172.20.3.131.1196: . 896798331:896798332(1) ack 2106587559
[Samba] Very slow wbinfo -u
Hi,

I have set up Samba-3.0.11 to retrieve account information from a W2k server via winbind, and it works. But it takes about 10 sec. to retrieve the information.

I have dumped some traffic from the request, and it looks like this:

A lot of these:

21:21:55.133423 172.20.3.131.1077 > 172.20.3.130.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST (DF)
21:21:55.133842 172.20.3.130.137 > 172.20.3.131.1077: NBT UDP PACKET(137): QUERY; NEGATIVE; RESPONSE; UNICAST
21:21:55.136553 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
21:21:55.406642 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
21:21:55.676634 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)

And at the end this.

21:22:03.358852 172.20.3.131.1077 > 172.20.3.130.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST (DF)
21:22:03.359260 172.20.3.130.137 > 172.20.3.131.1077: NBT UDP PACKET(137): QUERY; NEGATIVE; RESPONSE; UNICAST
21:22:03.362375 172.20.3.131.1077 > 172.20.3.130.53: 19551+ A? MAIL.ag-electric.ts-gruppen.lokal. (51) (DF)
21:22:03.362696 172.20.3.130.53 > 172.20.3.131.1077: 19551 NXDomain* 0/1/0 (133)
21:22:03.365096 172.20.3.131.1077 > 172.20.3.130.53: 19552+ A? MAIL. (22) (DF)
21:22:03.365304 172.20.3.130.53 > 172.20.3.131.1077: 19552 ServFail 0/0/0 (22)
21:22:03.367225 172.20.3.131.1077 > 172.20.100.2.53: 19552+ A? MAIL. (22) (DF)
21:22:03.393420 172.20.100.2.53 > 172.20.3.131.1077: 19552 ServFail 0/0/0 (22)
21:22:03.394424 172.20.3.131.1077 > 172.20.100.3.53: 19552+ A? MAIL. (22) (DF)
21:22:03.417466 172.20.100.3.53 > 172.20.3.131.1077: 19552 ServFail 0/0/0 (22)
21:22:03.418430 172.20.3.131.1077 > 172.20.3.130.53: 19552+ A? MAIL. (22) (DF)
21:22:03.418693 172.20.3.130.53 > 172.20.3.131.1077: 19552 ServFail 0/0/0 (22)
21:22:03.420718 172.20.3.131.1077 > 172.20.100.2.53: 19552+ A? MAIL. (22) (DF)
21:22:03.453146 172.20.100.2.53 > 172.20.3.131.1077: 19552 ServFail 0/0/0 (22)
21:22:03.454160 172.20.3.131.1077 > 172.20.100.3.53: 19552+ A? MAIL. (22) (DF)
21:22:03.475636 172.20.100.3.53 > 172.20.3.131.1077: 19552 ServFail 0/0/0 (22)
21:22:03.477011 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
21:22:03.543035 172.20.3.130.445 > 172.20.3.131.1195: . 896738190:896738191(1) ack 2114075428 win 65353 (DF)
21:22:03.543236 172.20.3.131.1195 > 172.20.3.130.445: . ack 1 win 14076 (DF)
21:22:03.746618 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
21:22:04.016733 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
21:22:04.288070 172.20.3.131.1077 > 172.20.3.130.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST (DF)
21:22:04.288503 172.20.3.130.137 > 172.20.3.131.1077: NBT UDP PACKET(137): QUERY; NEGATIVE; RESPONSE; UNICAST
21:22:04.289752 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
21:22:04.556624 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
21:22:04.826634 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
21:22:05.098145 172.20.3.131.1200 > 172.20.3.130.389: S 2238976557:2238976557(0) win 5840 (DF)
21:22:05.098373 172.20.3.130.389 > 172.20.3.131.1200: S 925400727:925400727(0) ack 2238976558 win 65535 (DF)
21:22:05.098655 172.20.3.131.1200 > 172.20.3.130.389: . ack 1 win 5840 (DF)
21:22:05.101294 172.20.3.131.1077 > 172.20.3.130.53: 19553+ PTR? 130.3.20.172.in-addr.arpa. (43) (DF)
21:22:05.101577 172.20.3.130.53 > 172.20.3.131.1077: 19553* 1/0/0 (97)
21:22:05.104163 172.20.3.131.1200 > 172.20.3.130.389: P 1:61(60) ack 1 win 5840 (DF)
21:22:05.104565 172.20.3.130.389 > 172.20.3.131.1200: P 1:87(86) ack 61 win 65475 (DF)
21:22:05.104857 172.20.3.131.1200 > 172.20.3.130.389: . ack 87 win 5840 (DF)
21:22:05.107316 172.20.3.131.1200 > 172.20.3.130.389: P 61:68(7) ack 87 win 5840 (DF)
21:22:05.107594 172.20.3.130.389 > 172.20.3.131.1200: F 87:87(0) ack 68 win 65468 (DF)
21:22:05.107907 172.20.3.131.1200 > 172.20.3.130.389: F 68:68(0) ack 88 win 5840 (DF)
21:22:05.108047 172.20.3.130.389 > 172.20.3.131.1200: . ack 69 win 65468 (DF)
21:22:11.745590 172.20.3.130.445 > 172.20.3.131.1196: . 896798331:896798332(1) ack 2106587559 win 64837 (DF)
21:22:11.745880 172.20.3.131.1196 > 172.20.3.130.445: . ack 1 win 17152 (DF)

Seems like some sort of name-resolution problem, but I have no idea what is missing. I also have no clue where the DNS lookup of MAIL comes from; there is none and never has been. Anyone have a hint?

Regards
//Erik

Here is my smb.conf

[global]
# Optimum Samba performance settings
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
loglevel = 1
# NT workgroup settings
workgroup = AG-ELECTRIC
server string = Samba Serve
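
A way to measure how much of the delay in a trace like the one above sits behind failing name lookups, as an added example that is not part of the original posts. The sample is a constructed excerpt of the posted trace, and the "time after a lookup packet" measure is a heuristic assumed here, not something winbind reports.

```python
import re
from collections import Counter

# Constructed excerpt: lines taken from the trace in the post, with the packets
# in between left out, so the totals describe this sample, not the full capture.
SAMPLE_TRACE = """\
21:22:03.358852 172.20.3.131.1077 > 172.20.3.130.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST (DF)
21:22:03.359260 172.20.3.130.137 > 172.20.3.131.1077: NBT UDP PACKET(137): QUERY; NEGATIVE; RESPONSE; UNICAST
21:22:03.362375 172.20.3.131.1077 > 172.20.3.130.53: 19551+ A? MAIL.ag-electric.ts-gruppen.lokal. (51) (DF)
21:22:03.362696 172.20.3.130.53 > 172.20.3.131.1077: 19551 NXDomain* 0/1/0 (133)
21:22:03.477011 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
21:22:03.543035 172.20.3.130.445 > 172.20.3.131.1195: . 896738190:896738191(1) ack 2114075428 win 65353 (DF)
21:22:03.543236 172.20.3.131.1195 > 172.20.3.130.445: . ack 1 win 14076 (DF)
21:22:03.746618 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
21:22:04.016733 172.20.3.131.1077 > 172.20.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST (DF)
21:22:05.098145 172.20.3.131.1200 > 172.20.3.130.389: S 2238976557:2238976557(0) win 5840 (DF)
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+) > (\S+): (.*)$")
DNS_QUERY_RE = re.compile(r"^(\d+)\+? \w+\? (\S+)")
DNS_REPLY_RE = re.compile(r"^(\d+)\*?\s+(?:(NXDomain|ServFail)\*?\s+)?\d+/\d+/\d+")

# Packet kinds after which the client is waiting on, or retrying, a failing lookup.
LOOKUP_KINDS = {"nbt_unicast_query", "nbt_broadcast_query", "nbt_negative",
                "dns_query", "dns_fail"}


def port_of(endpoint):
    """tcpdump prints address.port; assumes numeric ports as in the posted trace."""
    return int(endpoint.rsplit(".", 1)[1])


def classify(sport, dport, payload):
    """Label one packet by what it means for name resolution."""
    if dport == 137 and "REQUEST" in payload:
        return "nbt_broadcast_query" if "BROADCAST" in payload else "nbt_unicast_query"
    if sport == 137:
        return "nbt_negative" if "NEGATIVE" in payload else "nbt_positive"
    if dport == 53:
        return "dns_query"
    if sport == 53:
        reply = DNS_REPLY_RE.match(payload)
        return "dns_fail" if reply and reply.group(2) else "dns_ok"
    return "other"


def analyse(trace):
    """Return packet counts, failed DNS names and microseconds spent after lookup packets."""
    packets = []          # (timestamp in microseconds, kind)
    pending = {}          # DNS query id -> name that was asked for
    failed_dns = []       # (name, rcode) for every NXDomain/ServFail reply
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        hh, mm, ss, us, src, dst, payload = m.groups()
        stamp = ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1_000_000 + int(us)
        kind = classify(port_of(src), port_of(dst), payload)
        if kind == "dns_query":
            query = DNS_QUERY_RE.match(payload)
            if query:
                pending[query.group(1)] = query.group(2)
        elif kind == "dns_fail":
            reply = DNS_REPLY_RE.match(payload)
            failed_dns.append((pending.get(reply.group(1), "?"), reply.group(2)))
        packets.append((stamp, kind))
    # Heuristic: the gap following a lookup packet is time lost to name resolution.
    stall_us = sum(nxt[0] - cur[0]
                   for cur, nxt in zip(packets, packets[1:])
                   if cur[1] in LOOKUP_KINDS)
    return {"counts": Counter(kind for _, kind in packets),
            "stall_us": stall_us,
            "failed_dns": failed_dns}


if __name__ == "__main__":
    print(analyse(SAMPLE_TRACE))
```

On this excerpt roughly 1.5 of the 1.7 seconds covered fall after NetBIOS or DNS lookup packets, with three unanswered broadcasts and one NXDomain for the MAIL name.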
Re: [Samba] LDAP-based NIS server .vs. NIS migration to LDAP?
Hi Kang,

You should get "LDAP System Administration" by Gerald Carter, ISBN: 1-56592-491-6 (O'Reilly & Associates Inc.). There you will find a chapter about replacing NIS with LDAP or making a NIS/LDAP gateway. Very good reading :-)

//Erik

Paul Gienger wrote:
> This is really something for the openldap list.
>
> Kang Sun wrote:
> > Greetings!
> >
> > I tried to post this question to the openldap group but somehow my post never showed up there. Anyway, I built a PDC using Samba3 and OPENLDAP and now would like to integrate NIS service into it. I searched the net; there are quite a few guides on how to replace NIS with LDAP. However, in our environment, we have almost all sorts of Unix platforms, e.g. Linux (mainly Redhat), Solaris, HPUX, AIX, IRIS, plus some pretty old OS versions. They are all NIS clients now but I don't expect they can all be easily converted to be authenticated against LDAP. For instance, I don't think all of them have pam and nss ready.
> >
> > I thought it would be easier if I can somehow build the NIS server using LDAP and maintain all NIS slaves and clients as they are; I would have an easy migration path while achieving the goal of centralizing authentication/administration of the enterprise-wide accounts on the LDAP server.
> >
> > Any comments, suggestions, guidance are deeply appreciated.
> >
> > Sincerely yours,
> > ---
> > Kang Sun

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] overwriting files used by many users
Hi,

Please try to add the lines below to your smb.conf and restart the Samba service. After restart there should be a lot of files in the /var/lock/samba directory. The strict locking option should normally not be used. You can read about it at -> man smb.conf

lock directory = /var/lock/samba
locking = yes
# strict locking = yes

Best regards
//Erik

wait4you2 wrote:
> I use Samba (version 3) to share documents between many users. When one user uses the file, the other can open the same file without any information from the server that the file is already in use. In such a situation both users keep overwriting each other's work. How to configure the server to fix that problem?
Re: [Samba] Password trouble with LDAP (eDirectory)
Hi Bruce,

Thanks for your replies. I got it working.. almost. Think I forgot a few things such as a "root" account in LDAP and "adminstrator" account in /etc/passwd.

There is a little thing with joined workstations. I can only log in as root; logins on other accounts get a WRONG PASSWORD message in the log? Windows 9x works great on all accounts.

//Erik

[EMAIL PROTECTED] wrote:
> Sorry, I have no idea what is causing this problem. I wish you luck in resolving the problem.
>
> Bruce
>
> From: Erik Holst Trans <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: [Samba] Password trouble with LDAP (eDirectory)
> Date: Mon, 07 Jun 2004 11:28:02 +0200
>
> - Original Message Follows -
>
> > Hi,
> >
> > I just tried to lower the sambaPwdMustChange value, and then the Windows client correctly says the password is expired, and prompts for a new one. But the update fails because the server still doesn't accept the password (the old one). So the sambaPwdMustChange should be fine.
> >
> > Below is the Administrator LDAP entry. I know that the home paths are wrong, but that should not have anything to do with my problem.
> >
> > BTW. the Samba version is 3.0.4
> >
> > Best regards
> > Erik Holst Trans
> >
> > version: 1
> > # LDIF Export for: uid=Administrator,o=it-trans
> > # Generated by phpLDAPadmin on June 7, 2004 11:17 am
> > # Server: SLSS (ldap://127.0.0.1)
> > # Search Scope: base
> > # Total Entries: 1
> > # Entry 1: uid=Administrator,o=it-trans
> > dn:uid=Administrator,o=it-trans
> > sambaPrimaryGroupSID: S-1-5-21-511030576-2330128811-1600862552-512
> > sambaSID: S-1-5-21-511030576-2330128811-1600862552-2996
> > sambaHomePath: \\SLSS\homes
> > sambaHomeDrive: H:
> > sambaKickoffTime: 2147483647
> > sambaLogoffTime: 2147483647
> > sambaLogonTime: 0
> > sambaPwdMustChange: 2147483647
> > sambaPwdCanChange: 1086598595
> > sambaPwdLastSet: 1086598595
> > sambaAcctFlags: [U]
> > sambaNTPassword: 2D20D252A479F485CDF5E171D93985BF
> > sambaLMPassword: 598DDCE2660D3193AAD3B435B51404EE
> > loginShell: /bin/bash
> > homeDirectory: /home/
> > gecos: Netbios Domain Administrator
> > gidNumber: 512
> > uidNumber: 0
> > uid: Administrator
> > sn: Administrator
> > objectClass: inetOrgPerson
> > objectClass: sambaSamAccount
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: organizationalPerson
> > objectClass: Person
> > objectClass: ndsLoginProperties
> > objectClass: Top
> > cn: Administrator
> > ACL: 2#entry#[Public]#messageServer
> > ACL: 2#entry#[Root]#groupMembership
> > ACL: 2#entry#[Root]#networkAddress
> > ACL: 2#subtree#uid=Administrator,o=it-trans#[All Attributes Rights]
> > ACL: 6#entry#uid=Administrator ,o=it-trans#loginScript
> > ACL: 6#entry#uid=Administrator ,o=it-trans#printJobConfiguration
> >
> > [EMAIL PROTECTED] wrote:
> > > From: Erik Holst Trans <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > > Subject: [Samba] Password trouble with LDAP (eDirectory)
> > > Date: Mon, 07 Jun 2004 02:25:03 +0200
> > >
> > > > When I try to log on as a user with the correct password, access is denied and the log says
> > > > check_ntlm_password: Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER
> > >
> > > Just a quick thought ... has the password expired? Check ldap attribute sambaPwdMustChange.
Re: [Samba] Two questions about smbldap-tools
Hi Dan,

1. Yes, there is a cgi script in the documentation under examples/LDAP/smb-tools/cgi/ldappass.cgi But I have not used it yet.

2. Yes, works great here. Using this URL: http://www.idealx.org/index.en.html

Best regards
Erik Holst Trans

Dan Hill wrote:
> Hi all.
>
> 1. Are there any web based interfaces to smbldap-passwd.pl?
>
> 2. Is www.idealx.org still a valid site for the smbldap-tools and related info? When I go there, no matter the URL I enter, I get a login screen prompting for a username and password or a message that the page cannot be found on the server.
>
> Thanks,
> ~Dan
Re: [Samba] Migrating to new Samba - LDAP schema change
Hi,

I have noticed that the SambaAccount has changed to SambaSamAccount. Take a look at the documentation directory; under examples/LDAP there should be a script "convertSambaAccount" to convert your entries.

Best regards
Erik Holst Trans

Dwight Tovey wrote:
> I'm working on upgrading a Samba server from Version 2.2.8a to Version 3.0.4. One of the things I've noticed is that the samba.schema has changed. I'll admit that I haven't done an exhaustive search yet, but in looking over the documentation I haven't seen any mention of anything that needs to be done to migrate an existing directory to the new schema. Are there any tools that will aid in the migration?
>
> Thanks
> /dwight
Re: [Samba] Password trouble with LDAP (eDirectory)
Hi,

I just tried to lower the sambaPwdMustChange value, and then the Windows client correctly says the password is expired, and prompts for a new one. But the update fails because the server still doesn't accept the password (the old one). So the sambaPwdMustChange should be fine.

Below is the Administrator LDAP entry. I know that the home paths are wrong, but that should not have anything to do with my problem.

BTW. the Samba version is 3.0.4

Best regards
Erik Holst Trans

version: 1
# LDIF Export for: uid=Administrator,o=it-trans
# Generated by phpLDAPadmin on June 7, 2004 11:17 am
# Server: SLSS (ldap://127.0.0.1)
# Search Scope: base
# Total Entries: 1
# Entry 1: uid=Administrator,o=it-trans
dn:uid=Administrator,o=it-trans
sambaPrimaryGroupSID: S-1-5-21-511030576-2330128811-1600862552-512
sambaSID: S-1-5-21-511030576-2330128811-1600862552-2996
sambaHomePath: \\SLSS\homes
sambaHomeDrive: H:
sambaKickoffTime: 2147483647
sambaLogoffTime: 2147483647
sambaLogonTime: 0
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1086598595
sambaPwdLastSet: 1086598595
sambaAcctFlags: [U]
sambaNTPassword: 2D20D252A479F485CDF5E171D93985BF
sambaLMPassword: 598DDCE2660D3193AAD3B435B51404EE
loginShell: /bin/bash
homeDirectory: /home/
gecos: Netbios Domain Administrator
gidNumber: 512
uidNumber: 0
uid: Administrator
sn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
cn: Administrator
ACL: 2#entry#[Public]#messageServer
ACL: 2#entry#[Root]#groupMembership
ACL: 2#entry#[Root]#networkAddress
ACL: 2#subtree#uid=Administrator,o=it-trans#[All Attributes Rights]
ACL: 6#entry#uid=Administrator,o=it-trans#loginScript
ACL: 6#entry#uid=Administrator,o=it-trans#printJobConfiguration

[EMAIL PROTECTED] wrote:
> From: Erik Holst Trans <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [Samba] Password trouble with LDAP (eDirectory)
> Date: Mon, 07 Jun 2004 02:25:03 +0200
>
> > When I try to log on as a user with the correct password, access is denied and the log says
> > check_ntlm_password: Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER
>
> Just a quick thought ... has the password expired? Check ldap attribute sambaPwdMustChange.
Re: [Samba] LDAP authentication problem
Hi Alexander,

First of all, you do not need to make any configuration in your slapd.conf; this is only if you want to run an LDAP server on your Samba host.

If you want to use a Novell LDAP server you need to extend its LDAP schema first, to support the ObjectClasses and attributes that Samba uses/needs. You probably have to find a version of the schema file that is compatible with your LDAP server; Novell's LDAP server doesn't like the syntax of the standard samba.schema file.

Afterwards you probably need an LDAP editor to access the server to add ObjectClasses and attributes to user accounts you want to "Samba enable". Netware Administrator and ConsoleOne don't support those (yet).

Best regards
Erik Holst Trans

Alexander Varga wrote:
> Hi
>
> I have a little problem with my ldap authorization of samba against a Novell LDAP server. This is the log output from the Novell LDAP server:
>
> New TCP connection 0xcb1e3980, monitor = 0x1bf, index = 2
> (0xcb1e3980:0x0001:0x60) DoBind on connection 0xcb1e3980
> (0xcb1e3980:0x0001:0x60) DoBind: name = 'cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS', client version = 3, method = 0x80
> (0xcb1e3980:0x0001:0x60) Sending operation result 0:"":"" to connection 0xcb1e3980
> ###
> ### Samba user is the one who can browse the NDS to search for existing user ..he logged in successfully (0:"":"")
> ##
> (0xcb1e3980:0x0002:0x63) DoSearch on connection 0xcb1e3980
> (0xcb1e3980:0x0002:0x63) Search request: base: "o=USS" scope:2 derefence:0 sizelimit:0 timelimit:0 attrsonly:0 filter: "(&(uid=AlexanderVarga)(objectclass=sambaAccount))
> ## After it he was searching the Directory structure for user AlexanderVarga, but of a type ObjectClass=sambaAccount
> (0xcb1e3980:0x0002:0x63)attribute: "uid"
> (0xcb1e3980:0x0002:0x63)attribute: "uidNumber"
> (0xcb1e3980:0x0002:0x63)attribute: "gidNumber"
> (0xcb1e3980:0x0002:0x63)attribute: "homeDirectory"
> (0xcb1e3980:0x0002:0x63)attribute: "pwdLastSet"
> ...
> (0xcb1e3980:0x0002:0x63) Sending operation result 0:"":"" to connection 0xcb1e3980
> Monitor 0x1bf found connection 0xcb1e3980 socket closed, err = 57, 0 of 0 bytes read
> Monitor 0x1bf initiating close for connection 0xcb1e3980
> Server closing connection 0xcb1e3980, socket error = 57
> #
> ### of course he couldn't find it, because on the Novell they have defined ObjectClasses: user, group... so it cannot match and it closes connection
>
> Here is my slapd.conf ... it does not work to start slapd, because he cannot load ldbm database. I compiled everything and I am not familiar in that manner with this, but because I am just a client, maybe I don't need this:
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/misc.schema
> include /usr/local/etc/openldap/schema/openldap.schema
> include /etc/ldap/samba.schema
> pidfile /usr/local/var/slapd.pid
> argsfile /usr/local/var/slapd.args
> database lbdm
> suffix "o=USS"
> rootdn "cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS"
> rootpw secret
> directory /usr/local/samba/var/openldap-data
> index objectClass eq
>
> Here is my ldap.conf... the ldap_cachemgr is working properly... I hope so :)
>
> BASE o=USS
> URI ldap://nv6test.nw.usske.sk:389
> HOST 10.5.3.177
> PORT 389
>
> Here is my smb.conf
>
> [global]
> workgroup = Inf-ks
> netbios name = SUNV240
> passwd backend = ldapsam://10.5.3.177:389
> ldap admin dn="cn=SAMBAuser,ou=SRV100,ou=Resources,o=USS"
> ldap filter = (&(uid=%u) (o=USS))
> ldap suffix = "o=USS"
> ldap port = 389
> ldap server = 10.5.3.177
>
> [share1]
> path = /tmp
>
> In between I ran this:
>
> ldapclient manual \
> -a profileName=profile-imb \
> -a domainName=o=USS \
> -a serviceSearchDescriptor=passwd:o=USS \
> -a serviceSearchDescriptor=group:o=USS \
> -a authenticationMethod=simple -a defaultSearchBase=o=USS
[Samba] Password trouble with LDAP (eDirectory)
Hi All,

I have a strange problem with passwords stored in LDAP.

When I try to log on as a user with the correct password, access is denied and the log says

check_ntlm_password: Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_NO_SUCH_USER

When I try to log on a user with an incorrect password, access is (of course) denied, but the log now says

check_ntlm_password: Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_WRONG_PASSWORD

I have now tried for several hours to solve the problem, but can't find out what is wrong and need some new input for solving this. Below are some snippets from the log, maybe this is useful for you, and the smb.conf too.

Best regards
Erik Holst Trans

With correct password:

[2004/06/07 02:20:15, 3] smbd/sesssetup.c:reply_sesssetup_and_X(783)
  Domain=[] NativeOS=[Windows 4.0] NativeLanMan=[Windows 4.0] PrimaryDomain=[null]
[2004/06/07 02:20:15, 2] smbd/sesssetup.c:setup_new_vc_session(602)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/06/07 02:20:15, 3] smbd/sesssetup.c:reply_sesssetup_and_X(798)
  sesssetupX:[EMAIL PROTECTED]
[2004/06/07 02:20:15, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/06/07 02:20:15, 3] smbd/uid.c:push_conn_ctx(351)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/06/07 02:20:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/06/07 02:20:15, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/06/07 02:20:15, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2004/06/07 02:20:15, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [EMAIL PROTECTED]
[2004/06/07 02:20:15, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/06/07 02:20:15, 3] smbd/uid.c:push_conn_ctx(351)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/06/07 02:20:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/06/07 02:20:15, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
  init_sam_from_ldap: Entry found for user: Administrator
[2004/06/07 02:20:15, 4] lib/substitute.c:automount_server(323)
  Home server: slss
[2004/06/07 02:20:15, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/06/07 02:20:15, 4] libsmb/ntlm_check.c:ntlm_password_check(369)
  ntlm_password_check: Checking LM password
[2004/06/07 02:20:15, 4] auth/auth_sam.c:sam_account_ok(82)
  sam_account_ok: Checking SMB password for user Administrator
[2004/06/07 02:20:15, 1] auth/auth_util.c:make_server_info_sam(822)
  User Administrator in passdb, but getpwnam() fails!
[2004/06/07 02:20:15, 0] auth/auth_sam.c:check_sam_security(260)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2004/06/07 02:20:15, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [EDIR] was for this SAM.
[2004/06/07 02:20:15, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [ADMINISTRATOR] -> [ADMINISTRATOR] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/06/07 02:20:15, 3] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2004/06/07 02:20:15, 3] smbd/error.c:error_packet(134)
  error packet at smbd/sesssetup.c(881) cmd=115 (SMBsesssetupX) eclass=1 ecode=5
[2004/06/07 02:20:16, 3] smbd/process.c:timeout_processing(1121)
  timeout_processing: End of file from client (client has disconnected).
[2004/06/07 02:20:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/06/07 02:20:16, 2] smbd/server.c:exit_server(568)
  Closing connections
[2004/06/07 02:20:16, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to Server exit (normal exit)

With incorrect password:

[2004/06/07 02:20:32, 3] smbd/sesssetup.c:reply_sesssetup_and_X(783)
  Domain=[] NativeOS=[Windows 4.0] NativeLanMan=[Windows 4.0] PrimaryDomain=[null]
[2004/06/07 02:20:32, 2] smbd/sesssetup.c:setup_new_vc_session(602)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/06/07 02:20:32, 3] smbd/sesssetup.c:reply_sesssetup_and_X(798)
  sesssetupX:[EMAIL PROTECTED]
[2004/06/07 02:20:32, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/06/07 02:20:32, 3] smbd/uid.c:push_conn_ctx(351)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/06/07 02:20:32, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/06/07 02:20:32, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/06/07 02:20:32, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking pa
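
The two failure modes in the logs above can be told apart mechanically: with the right password smbd finds the passdb entry and then fails in getpwnam(), with the wrong one it stops at the password check. The following is an added example, not part of the original post; the sample log and LDIF are constructed from lines in the post, and the `printer1` entry and the function names are hypothetical.

```python
import pwd
import re

# Constructed sample in smbd's two-line log layout, using messages quoted in the post.
SAMPLE_LOG = """\
[2004/06/07 02:20:15, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
  init_sam_from_ldap: Entry found for user: Administrator
[2004/06/07 02:20:15, 1] auth/auth_util.c:make_server_info_sam(822)
  User Administrator in passdb, but getpwnam() fails!
[2004/06/07 02:20:15, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [ADMINISTRATOR] -> [ADMINISTRATOR] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/06/07 02:20:32, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# Constructed LDIF: the first entry mirrors the one in the thread, the second
# (printer1) is hypothetical and has no Samba object class.
SAMPLE_LDIF = """\
dn:uid=Administrator,o=it-trans
uid: Administrator
objectClass: sambaSamAccount
objectClass: posixAccount

dn:uid=printer1,o=it-trans
uid: printer1
objectClass: inetOrgPerson
"""

GETPWNAM_RE = re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails!")
VERDICT_RE = re.compile(
    r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)")


def triage(log_text):
    """Return (user, status, cause) for every failed authentication in an smbd log."""
    findings = []
    nss_miss = None  # account named by the most recent getpwnam() failure
    for line in log_text.splitlines():
        miss = GETPWNAM_RE.search(line)
        if miss:
            nss_miss = miss.group(1)
            continue
        verdict = VERDICT_RE.search(line)
        if not verdict:
            continue
        user, status = verdict.group(2), verdict.group(3)
        if status == "NT_STATUS_NO_SUCH_USER" and nss_miss:
            cause = f"passdb entry '{nss_miss}' has no Unix account (getpwnam failed)"
        elif status == "NT_STATUS_WRONG_PASSWORD":
            cause = "password check failed"
        else:
            cause = "unclassified"
        findings.append((user, status, cause))
        nss_miss = None
    return findings


def samba_uids(ldif_text):
    """Collect the uid of every LDIF entry carrying objectClass sambaSamAccount."""
    uids = []
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = {}
        for line in entry.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "sambasamaccount" in classes:
            uids.extend(attrs.get("uid", []))
    return uids


def missing_unix_accounts(uids, lookup=pwd.getpwnam):
    """Return the uids that the host cannot resolve through NSS (getpwnam)."""
    missing = []
    for uid in uids:
        try:
            lookup(uid)
        except KeyError:
            missing.append(uid)
    return missing


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print("not resolvable on this host:", missing_unix_accounts(samba_uids(SAMPLE_LDIF)))
```

Run against an export of the directory on the Samba host, `missing_unix_accounts` lists the accounts that would hit the getpwnam() failure before any client tries to log on.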
Re: [Samba] Printer accounting/quota ?
Hi all,

Thanks for the replies, looks very interesting; I will catch up on these shortly. I will let you know how I solve the case.

BTW. Today I had a look at the IT facilities at the school, and it turned out that they have 2 old Netware 4.11 servers running, that I have to migrate and replace. They also run an older version of ZenWorks for application and policy distribution. So now I am also looking for a replacement for the application distribution as well. That's probably not that easy.

Best regards
Erik Holst Trans

Erik Holst Trans wrote:
> Hi all,
>
> I am about to install a Samba server at a local school, and I need some advice and/or experience from others who have worked on an installation of that type/size.
>
> My plan is to roll out a Samba server (of course), with LDAP back-end, and a number of printer queues via CUPS. There will be approx. 1000 user accounts, mostly students.
>
> The school has asked for a solution that would make them able to control the amount of paper each student is allowed to use, e.g. hard-quota.
>
> AFAIK, there is no solution in the Samba or CUPS tool-box itself, so I Googled a little and found the PyKota project: http://www.librelogiciel.com/software/PyKota/action_Presentation
>
> Unfortunately I do not have any experience with it, but it seems like a good solution because it is able to store the accounting data in LDAP, and monitor the printer's life-time page counter.
>
> Any advice or info about how it is done elsewhere would be deeply appreciated.
>
> Thanks and best regards,
> Erik Holst Trans
[Samba] Printer accounting/quota ?
Hi all,

I am about to install a Samba server at a local school, and I need some advice and/or experience from others who have worked on an installation of that type/size.

My plan is to roll out a Samba server (of course), with LDAP back-end, and a number of printer queues via CUPS. There will be approx. 1000 user accounts, mostly students.

The school has asked for a solution that would make them able to control the amount of paper each student is allowed to use, e.g. hard-quota.

AFAIK, there is no solution in the Samba or CUPS tool-box itself, so I Googled a little and found the PyKota project: http://www.librelogiciel.com/software/PyKota/action_Presentation

Unfortunately I do not have any experience with it, but it seems like a good solution because it is able to store the accounting data in LDAP, and monitor the printer's life-time page counter.

Any advice or info about how it is done elsewhere would be deeply appreciated.

Thanks and best regards,
Erik Holst Trans
Re: [Samba] PDC/LDAP
Hi,

Looks like you don't have write access to your LDAP directory. Make sure that you have modified the "smbldap_conf.pm" file to match your LDAP configuration (slapd.conf). Look for "$binddn".

Also check your smb.conf LDAP config, it has to match too ;-)

Best regards
//Erik

asky wrote:
> Hi,
>
> I'm using redhat 8.0, samba-3.0 and smbatool-0.8.3. When I run smbldap-populate, I get the following errors:
>
> [EMAIL PROTECTED] root]# smbldap-populate
> using builtin directory structure
> adding new entry: dc=nijacol,dc=net
> failed to add entry: Already exists at /usr/local/sbin/smbldap-populate line 384, line 2.
> adding new entry: ou=Users,dc=nijacol,dc=net
> failed to add entry: Already exists at /usr/local/sbin/smbldap-populate line 384, line 3.
> adding new entry: ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at /usr/local/sbin/smbldap-populate line 384, line 4.
> adding new entry: ou=Computers,dc=nijacol,dc=net
> failed to add entry: Already exists at /usr/local/sbin/smbldap-populate line 384, line 5.
> adding new entry: uid=Administratorou=Users,dc=nijacol,dc=net
> failed to add entry: no write access to parent at /usr/local/sbin/smbldap-populate line 384, line 6.
> adding new entry: uid=nobody,ou=Users,dc=nijacol,dc=net
> failed to add entry: no write access to parent at /usr/local/sbin/smbldap-populate line 384, line 7.
> adding new entry: cn=Domain Admins,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at /usr/local/sbin/smbldap-populate line 384, line 8.
> adding new entry: cn=Domian Users,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at /usr/local/sbin/smbldap-populate line 384, line 9.
> adding new entry: cn=Domain Guests,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at /usr/local/sbin/smbldap-populate line 384, line 16.
> adding new entry: cn=Print Operators,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at /usr/local/sbin/smbldap-populate line 384, line 17.
> adding new entry: cn=Backup Operators,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at /usr/local/sbin/smbldap-populate line 384, line 18.
> failed to add entry: no write access to parent at /usr/local/sbin/smbldap-populate line 384, line 18.
> adding new entry: cn=Replicator,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at /usr/local/sbin/smbldap-populate line 384, line 19.
> adding new entry: cn=Domain Computers,ou=Groups,dc=nijacol,dc=net
> failed to add entry: no write access to parent at /usr/local/sbin/smbldap-populate line 384, line 19.
> [EMAIL PROTECTED] root]#
>
> Also, I can't seem to log in unless I go to single user mode and disable authconfig services (ldap etc.). I know I'm not doing something right but I just can't figure it out. Any help will be appreciated.
>
> Asky
[Samba] LDAP - _samr_open_domain: ACCESS DENIED
Hi,

I am trying to get Samba running with an LDAP password backend, but I am having some trouble with the rights.

Dist.: SuSE 9.0
LDAP: OpenLDAP 2.1.22
Samba: 3.0.1

It works great when I log in from a Win98 box, but when I try to import a WinXP box I get the following in my log file.

//--snip--
[2004/01/27 20:36:25, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [administrator] -> [administrator] -> [Administrator] succeeded
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain IT-TRANS -> S-1-5-21-3079347702-147214601-1898991890
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x0211)
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain IT-TRANS -> S-1-5-21-3079347702-147214601-1898991890
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x0201; required: 0x0010)
[2004/01/27 20:36:25, 2] smbd/server.c:exit_server(558)
  Closing connections
//--snip--

I suppose my problem is in the group mappings?

My current mappings are like below:

Domain Admins (S-1-5-21-3079347702-147214601-1898991890-512) -> Domain Admins
Domain Users (S-1-5-21-3079347702-147214601-1898991890-513) -> Domain Users
Domain Guests (S-1-5-21-3079347702-147214601-1898991890-514) -> Domain Guests
Administrators (S-1-5-21-3079347702-147214601-1898991890-544) -> Administrators
users (S-1-5-21-3079347702-147214601-1898991890-545) -> Users
Guests (S-1-5-21-3079347702-147214601-1898991890-546) -> Guests
Power Users (S-1-5-21-3079347702-147214601-1898991890-547) -> Power Users
Account Operators (S-1-5-21-3079347702-147214601-1898991890-548) -> Account Operators
Server Operators (S-1-5-21-3079347702-147214601-1898991890-549) -> Server Operators
Print Operators (S-1-5-21-3079347702-147214601-1898991890-550) -> Print Operators
Backup Operators (S-1-5-21-3079347702-147214601-1898991890-551) -> Backup Operators
Replicator (S-1-5-21-3079347702-147214601-1898991890-552) -> Replicator
Domain Computers (S-1-5-21-3079347702-147214601-1898991890-553) -> Domain Computers

This is the default after running "smbldap-populate.pl" from the ldap-tools.

From the documentation, the "Domain Admins" have to be mapped to unixgroup=root or another group with gidnumber=0 (right?).

Now, executing "net groupmap modify ntgroup="Domain Admins" unixgroup=root type=domain" is successful, but the mappings don't change; "Domain Admins" is still pointing at "Domain Admins"?

I also tried to create a posix group in LDAP with gidnumber=0, and made a mapping from the "Domain Admins", but the mapping still doesn't change.

Could someone kindly point me in the right direction?

Thanks.

Best regards
Erik
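The two ACCESS DENIED entries in the log above carry SAMR domain access masks. As an added example (not part of the original post and not Samba's own code), the following decodes them using the domain access-right names from the MS-SAMR specification; the function names are illustrative.

```python
import re

# Domain-object access rights as named in the MS-SAMR specification.
DOMAIN_RIGHTS = {
    0x0001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x0002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x0004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x0008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x0010: "DOMAIN_CREATE_USER",
    0x0020: "DOMAIN_CREATE_GROUP",
    0x0040: "DOMAIN_CREATE_ALIAS",
    0x0080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x0100: "DOMAIN_LIST_ACCOUNTS",
    0x0200: "DOMAIN_LOOKUP",
    0x0400: "DOMAIN_ADMINISTER_SERVER",
}
CALL_RE = re.compile(r"(_samr_\w+): ACCESS DENIED \(([^)]*)\)")
FIELD_RE = re.compile(r"(requested|granted|required): (0x[0-9a-fA-F]+)")

# The two denial entries from the log quoted in the post above.
SAMPLE_LOG = """\
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x0211)
[2004/01/27 20:36:25, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x0201; required: 0x0010)
"""

def decode(mask):
    # Names of the known rights set in mask, lowest bit first.
    names = [name for bit, name in sorted(DOMAIN_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(DOMAIN_RIGHTS)
    if unknown:
        names.append("unknown(0x%04x)" % unknown)
    return names

def denied_calls(log_text):
    """Return (call, masks, missing); missing is None unless granted and required are both logged."""
    results = []
    for call, fields in CALL_RE.findall(log_text):
        masks = {key: int(value, 16) for key, value in FIELD_RE.findall(fields)}
        missing = None
        if "required" in masks and "granted" in masks:
            missing = masks["required"] & ~masks["granted"]
        results.append((call, masks, missing))
    return results

if __name__ == "__main__":
    for call, masks, missing in denied_calls(SAMPLE_LOG):
        print(call, {k: decode(v) for k, v in masks.items()}, decode(missing or 0))
```

For this log the only refused right is DOMAIN_CREATE_USER (0x0010): the handle was granted lookup and read-password-parameters access, and authentication itself succeeded.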
[Samba] automounting a usb-harddrive/cdrom that can be mapped from the login script.
Hi,

I am installing Samba 3.0.1 on RH90 for a little school, and they want to have access to a mobile USB harddrive. The harddrive should be mapped via the login script, and here is where my troubles begin.

I have been experimenting with the autofs service, which works great if the harddrive is present at login time. If one logs in at a time when the harddrive isn't present, the login script fails and the drive mapping isn't made. Yes, I know why... at login time the autofs-generated directory doesn't exist.

Then I made a directory (which gets mapped) where autofs will generate a sub-directory for the connected device. Now the problem is that autofs is not mounting the harddrive until a request is made to the non-existent directory (defined in the autofs conf. files).

Hopefully you get the picture. ;-)

Anyone who has something like this working, or some hints? I guess one would have the same problems when using the server's cdrom drive.

Best regards
Erik Holst Trans
[Samba] Re: User Manager For Domains - SAMBA 3.0.1-2
Hi again,

Well, I did not get any response to my problem :-(

The only thing I have noticed since my last posting is a log entry that seems to show up when I try to add a user with the "User Manager For Domains" (on Windows 98se).

I also tried to make my own "add user script" in Perl that makes use of both the "adduser" and "smbpasswd" commands. But no success.

This is the entry from the log.

[2003/12/28 20:41:36, 1] smbd/ipc.c:api_fd_reply(292)
  api_fd_reply: INVALID PIPE HANDLE:

I suppose that means that "UMFD" is not supported, but I find that difficult to believe because the delete and change group membership functions work great.

//Erik

Erik Holst Trans wrote:

Hi,

I'm running Samba 3.0.1-2 on a RedHat 9.0 box, and would like to use the "User Manager for Domains" tool to control users and groups. But I can't get it to work properly.

Deleting users and groups and changing group membership on users works fine, but adding users and groups does not.

I have tried to find out how well the "User Manager for Domains" is supported in Samba 3.0.1-2, but without success. Does anybody have some experience with this tool?

In my smb.conf I have added the following lines:

//--snip--//
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M "%u"
add user script = /usr/sbin/useradd "%u"
add group script = /usr/sbin/groupadd "%g"
add user to group script = /usr/bin/gpasswd -a "%u" "%g"
delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
set primary group script = /usr/sbin/usermod -g "%g" "%u"
delete user script = /usr/sbin/userdel "%u"
delete group script = /usr/sbin/groupdel "%g"
//--snip--//

Best regards
Erik Holst Trans
[Samba] User Manager For Domains - SAMBA 3.0.1-2
Hi,

I'm running Samba 3.0.1-2 on a RedHat 9.0 box, and would like to use the "User Manager for Domains" tool to control users and groups. But I can't get it to work properly.

Deleting users and groups and changing group membership on users works fine, but adding users and groups does not.

I have tried to find out how well the "User Manager for Domains" is supported in Samba 3.0.1-2, but without success. Does anybody have some experience with this tool?

In my smb.conf I have added the following lines:

//--snip--//
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M "%u"
add user script = /usr/sbin/useradd "%u"
add group script = /usr/sbin/groupadd "%g"
add user to group script = /usr/bin/gpasswd -a "%u" "%g"
delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
set primary group script = /usr/sbin/usermod -g "%g" "%u"
delete user script = /usr/sbin/userdel "%u"
delete group script = /usr/sbin/groupdel "%g"
//--snip--//

Best regards
Erik Holst Trans