[Samba] SAMBA RESOURCE

[Diego Fernando Donoso Gallo]

Hi everybody:

I have a problem with samba 4.0.9

Why when I put "browseable = no" in a shared resource, it still appears
from a windows client?

Thanks

Diego Donoso
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] nslcd: kerberos vs. simple bind

[Fernando Lozano]

Oi,

Simple bind method: Create a user, add the credentials to the root only
readable file nslcd.conf. Done

Kerberos: Create user, add a SPN, extract keytab, edit nslcd.conf (ok.
This is all done only once.). But then, if I understand it right, I need
something that renews the kerberos ticket from time to time.

So currently I don't see what are the advantages of Kerberos and in
which way it should be easier or anything else. :-)

If you're happy with plain text passwords being passed over the network
then use them. There may be some admins that will not be able to do that
though, so. . .


If this were the only kerberos advantage, we'd all be using LDAP with 
TLS to secure passwords on the wire.



[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] About NAS versus Samba

[Fernando Lozano]

Hi Andrew,

I work on a NAS product myself, and at this vendor and my previous 
vendor Samba 4.0 as an AD DC was all I ever needed to use to test the 
AD integration features of the NAS. Thanks, Andrew Bartlett 
Please tell me which product this is, so I can contact the local 
reseller. :-) You can send me in pvt if you think it would not be 
ethical to advertise your employee on the list.


Sales people here (and their "technical" consultants) don't know / don't 
care about Samba. Every time I ask about samba compatibility they try to 
sell me Windows and VmWare licenses. They even lie trying to make my 
employee buy those licenses and ditch Linux altogether.


I am only saved because of some previous incidents where I told my boss 
"either they are lying or they don't know", showing technical references 
from vendors themselves and standards bodies, but was overruled. Later 
my boss found I was right the had way: products didn't worked as 
expected, company lost money.


Most non-IT people, even many IT people, wrongly believe the vendor 
people should be the better experts and so any conflict of opinion they 
should be right. When it fails, the IT manager or the business area 
manager hide it, so they don't take blame for the wrong decision 
consequences. :-(


If I someone tell me "this product works" I can by knowing if something 
bad happens it's something I can solve. Sometimes the management 
interface for a product won't let you do things the embebed software 
could do, so I don't want to risk a product without someone telling me 
"this one worked for me".



[]s, Fernando Lozano
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] About NAS versus Samba

[Fernando Lozano]

Hi,


Its simple, this is a BAD thing tot do.
But if you really want a nas.
As a technician I can agree, but I ceased trying to explain to 
management. Hey, we must help hardware vendor personal have a living ;-) 
and they help us put more expertise areas in our own resume. ;-)))




Get a synology.
The best you can get, is my experiance.


Thanks a lot. I hope not only best as a NAS but also easy to setup as a 
member server for a samba 3 or 4 domain, right?




Just get a pc with 2 harddisks and install.
http://www.freenas.org/
Risking being off-topic on this list, many people told me not to use 
freenas because it was unmantained. Do you actually use it, follow the 
project closely, or just heard about it?




personaly, get the samba4 appliance.
I have to use my RHEL subscriptions ;-) Will use sernet packages when I 
get to upgrade to samba4.




get zarafa, and you have about the samba as Windows + exchange
Already have Zimbra. Someday I'll research about integrating Zimbra LDAP 
to Samba 4 LDAP. Won't try with Samba 3 because I hope to upgrade to 
samba4 this year.



[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] About NAS versus Samba

[Fernando Lozano]

Hi Gaiseric,

It seems common that vendors (esp the sales guys) assume you are 
running Windows 200x and AD.I think the logic is that "none of our 
customers use linux so we won't support it." It becomes 
self-fulfilling when anyone wanting something besides the basic 
Windows AD support looks for other solutions.


Exactly my problem. Lasy vendors. ;-)

Getting samba to work sometimes requires fiddling with protocol 
versions, WINS and DNS.  For example windows 7 won't work with 
Samba 3.x until you tweek the registry.   You can probably put 
together a price-comparable equivalent of the Buffalo using a 
white-box PC tower and linux.  You can even set up software 
raid.   It is more likely to work the way you want than a NAS box.
I have no problem with that. Have been doing this for years and my 
employee is happy with the results.


I'm afraid the NAS box won't give access to tweaking its configuration.

But you know, everyone buys NASes today, it's getting harder to explaing 
a common PC would be better. Here a server box with a RAID controller 
and a hot-swappable disk bays is way more expensive than an iomega NAS 
in a rack form factory.



[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] What great things can a non-windows user do with Samba

[Fernando Lozano]

Hi Steve,


I have about 7 computers, all Linux or BSD. Are there any cool things I
can do with Samba, even though I have no Windows computers?

I'd use Samba only to support Windows users. Samba provides three things:

1. File Services
2. Print Services
3. Network Logons

As you are a Unix-only shop, you have other (better) alternatives:

1. NFS, AFS
2. CUPS, LPD
3. LDAP, NIS, Kerberos

Some people already know how to configure Samba, because they needed it 
for mixed Unix/Windows shops, and keeps using it for Unix-only shops. 
That's fine, you won't have to learn NFS, LDAP, etc. But if you already 
know those, and not Samba, adding samba would bring no value IMHO.



[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] About NAS versus Samba

[Fernando Lozano]

Hi Tony,


RE: [Samba] About NAS versus Samba

I've had experience with a Western Digital "MyBook Live DUO", and it 
does NOT support any type of network authentication.  Users must be 
created and deleted on that device.




Thanks. May good for home use, but not for my employee.

Anyway a vendor told me "this works with linux" but was unable to give 
details about authentication.



[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] About NAS versus Samba

[Fernando Lozano]

Hi,


what about the samba running on your NAS. I did a lot of NAS hacking pointing  
a running samba/winbind config of the vendor to my nt-style samba/ldap domain .
But if you do so be aware you are loosing your support :-).
So if you can change the samba on your NAS you are up and running.
I don't have the NAS box yet. I wish advice on which one to buy based on 
compatibility with a Samba 3 PDC (or Samba 4 DC, or IPA).


Vendors I talked to tell me it won't work, I'd have to use Microsoft 
AD.  Knowing the Linux and Windows side (protocols, software) this 
doesn't make sense to me, I'm guessing the sales people I talked to 
simply doesn't know and doesn't want to learn.


And it's not easy to tell the boss I'll buy a somewhat expensive box 
(for a small business) just to hack and see if it'll work the way I 
want. :-(


It would help if you simply tell me which NAS you had success and which 
one was easier, out-of-the-box, or had to hack.



[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] About NAS versus Samba

[Fernando Lozano]

Hi,

No, they all write their own these days. None available to license as 
far as I'm aware. 
Most times the "proprietary" NAS software is simply a web interface over 
a standard Linux/FreeBSD OS using Samba. If you know Samba and Linux, 
the web interface may be a hurdle, not allowing access to features you 
know how to configure from the shell or, worse yet, overwriting those 
settings, if they provide a shell at all.



[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] About NAS versus Samba

[Fernando Lozano]

Hi Bob,


I have a site that runs 2 trusted domain PDC's across a OpenVPN link. At
one end there is a (older) Buffalo Terrastation NAS. The NAS quite
happily authenticates etc both sets of domain users. It has the option
of Workgroup, NT Domain or AD. I use NT Domain.

The PDC's run on Debian GNU/Linux 6.0.5 (squeeze) Samba 3.56. I use
idmap_tdb winbind of course.

Thanks a lot. I found there is a local reseller here for Buffalo storage 
systems, so it's in.



[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] About NAS versus Samba

[Fernando Lozano]

Hi,


Hi there, Has anyone tried to configure a NAS server to authenticate
users using a Samba PDC, or even a Samba4 DC (AD-compatible) or an IPA
server?

not in a while, but I have done a samba 3 DC

This was not my question. I'm ok running samba 3 DCs. :-)

oh but it was!  PDC means NT4 style, so samba PDC means samba 3
domain!  If you're searching for information, this kind of nitpicky
detail is important for an accurate answer.


Well, I know how to setup a Samba 3 PDC, with other "BDCs" using LDAP 
replication. Fortunately I do not need help doing this. And I was not 
asking what is a Samba PDC, I know that, I know MSAD and etc


 I'm not asking the IT manager in you and other list members, I'm 
asking the network admins and sysadmins about wich products worked or 
didn't work based on their real-world experience.


My question is wether a NAS (which one) will be able to become a member 
server on the samba NT-style domain, of if it will work only as member 
of a real MSAD domain from a Windows Server. Do you know the answer,


I talked about "even a Samba 4 DC" because if someone answers me "won't 
work for a samba 3 pdc, but should work with a samba 4 DC" I'll 
seriously think about moving my test-lab samba 4 setup into production, 
otherwise I was not willing to do this just for the NAS.


I'm even open to IPA, a software I've never tried. It looks like can 
replace my Samba3 DCs with advantes, and is well supported by Red Hat, 
while Samba 4 is not. Today I'd rather run Samba 4 without support than 
learning an entirely new network login solution. But if the new solution 
makes using a NAS easier I may change my mind.



AFAIK it shouldn't matter, from a technical perspective, [Fedora vs RHEL]

I agree.  But you're asking questions that show us that you assume
that this is not the case.  If that's your concern, then the disto
you're using is important since they all put in their own patches, or
not, and that's where issues raise.


For now it only matters to me if sometone tells "i tried with ACME NAS 
and RHEL and it worked, but tried the same NAS with Fedora and it 
didn't" or vice-versa.  I can compile samba myself if needed, or get 
packages from a repo outisde the official distro ones.




if you can verify the samba version on the nas, that should have your
answer since those issues are well tracked.  Generally, if it supports
AD, it supports a samba AD.  Bugs are possible, but bugs can also be
fixed.
If I had the NAS box here I'd verify. But I'm still evaluating which one 
to buy, and for small purchages / small companies no one gives me a box 
for a POC.


I wish information on with products / vendors have a track record of 
working (or not working) as member servers to a samba 3 domain, so I 
won't loose time talking to those vendors or evaluating those products.


As I said in the previous messages, trying to get this information from 
the vendors themselves was a failure, so I'm appealing to the list.


Unfortunately, as nobody besides you, on both lists, replied to me, I 
must assume that no NAS in the market was ever proven to work using a 
Samba PDC, and so buying any NAS is out of question for me. :-(


Maybe I'll instead buy a DAS box to which I can connect 4 to 8 server 
machines using SAS links, and let the file servers running as samba 
processes inside linux VMs.



[]s, Fernando Lozano


[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] About NAS versus Samba

[fernando]

Hi Cris,


Hi there, Has anyone tried to configure a NAS server to authenticate
users using a Samba PDC, or even a Samba4 DC (AD-compatible) or an 
IPA

server?


not in a while, but I have done a samba 3 DC


This was not my question. I'm ok running samba 3 DCs. :-)

Have you ever configured a NAS so it would authenticate users from your 
Samba DC and them serve SMB file shares (aka network drives) to Windows 
desktops?



I'm evaluating replacing some Linux file server for a NAS product, 
but
all them make me nervous when the vendor talks about "Active 
Directory

support" and nothing else.


if 3rd party support is your concern, why are you using fedora 
instead of

RHEL?


Are you trying to sell me RHEL subscriptions or help me with my 
question? ;-) Anything wrong about asking about Fedora on a Fedora list, 
or any server issue is forbidden for Fedora users? ;-)


AFAIK it shouldn't matter, from a technical perspective, if the samba 
DC runs Fedora, Debian, Slackware, RHEL, SuSE, Ubuntu, Solaris, 
whatever. I am not talking about OS level FC drivers or iSCSI 
initiators. Either a NAS will be compatible with Samba3, Samba4, both or 
neither. This depends on the SMB and MSRPC features needed by the NAS, 
all them application level protocols, not kernel modules. If I'll need 
Red Hat support for managing this system is another, unrelated, 
question.


If the NAS vendors state they suṕport RHEL, that's not que question 
either, as supporting RHEL could mean the RHEL linux kernel smbfs and 
cifsfs driver talks to the NAS, not the NAS talks to the Samba DC. Or 
else, RHEL support may mean just that the NAS talks NFS and so a RHEL 
machine can mount volumes from tne NAS. That's not what I want.


Most times I see linux servers they are simply members of a MSAD 
domain, not the DC themselves. But mine are. All vendors I talked to 
assume MSAD, and don't know about Samba. :-(


Anyway Fedora is my desktop system and development workstation. The DC 
in question runs RHEL. But if this works I can try someday using Fedora 
or CentOS with the same (or other) NAS.




In theory, many NASes are Linux boxes running samba, so there
shouldn't be a problem, except if the web admin interface won't 
support
a samba DC setup and I won't have SSH access to configure the NAS 
samba

myself



a cheaper nas will probably use samba, but not all NASs do. there are
several commercial SMB/CIFS implementation out there.


At least iomega/lenovo/emc state their NAS runs Samba. And a lot of 
less know vendors also. I'll buy a single, cheap NAS, not a high end EMC 
rack full of boxes. :-)


But... will any NAS you know work with a Samba DC, or else, using an 
IPA server? Or will they only work with Microsoft Windows Server AD?


All vendors I contacted talk only about MS Active Directory. They don't 
even know about NT4-style domains, which would mean a Samba3 DC should 
work. Besides, AFAIK a Samba4 DC isn't supported by RHEL at all -- 
that's why I included IPA in my question -- I'd have to use Sernet 
packages for Samba4. Even then, Samba4 is very new, I don't know if a 
NAS implementation would accept it in place of a MSAD DC.


Most vendors talk to me about vmware, exchange and sql server support. 
They offer me windows-only backup servers and the like. Some even offer 
me SAP R/3 agents, while my ERP is another one. They can only follow 
their standard script for windows shops. So I ask for the collective 
knowledge from the Fedora and Samba lists... can anyone tell me "I tried 
this NAS and it worked"? Or should I better forget about this and keep 
using cheap intel boxes as file servers?


Am I the first linux sysadmin in the world who's considering to have a 
NAS replacing some file servers but keeping his samba DCs?



[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] About NAS versus Samba

[Fernando Lozano]

Hi there,

Has anyone tried to configure a NAS server to authenticate users using a
Samba PDC, or even a Samba4 DC (AD-compatible) or an IPA server?

I'm evaluating replacing some Linux file server for a NAS product, but
all them make me nervous when the vendor talks about "Active Directory
support" and nothing else.

In theory, many NASes are Linux boxes running samba, so there shouldn't
be a problem, except if the web admin interface won't support a samba DC
setup and I won't have SSH access to configure the NAS samba myself.

So I'm asking if someone there has had any real experience, be it using
Fedora, CentOS or RHEL as the Samba3 PDC or Samba4 DC.


PS: I'm cross-posting because I asked before on the samba mailing list
and nobody cared to answer. Or nobody has had any real experience. I'm
hoing many sysadmins on the Fedora list also works on companies with
RHEL or CentOS and had a real experience to share.


[]s, Fernando Lozano

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba4 + Shared Folders

[Fernando]

Even in /tmp folder with 777 permissions

Em 29/05/2013 08:59, Diogo Borsoi escreveu:

Hi Fernando,

Unfortunately the same error.

Diogo

--
=


Diogo Borsoi
Mobile: +55 12 91436960

http://br.linkedin.com/in/diborsoi
http://diborsoi.wordpress.com/


=



On Tue, May 28, 2013 at 5:44 PM, Fernando <mailto:de...@netkeep.com.br>> wrote:


Hi Diogo, I did this way:

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

Edit /etc/nsswitch.conf:

passwd: compat winbind
group:  compat winbind
shadow: compat

reboot machine

For the users shares:

/home/NOME_DO_DOMINIO/usuario

chown usuario /home/NOME_DO_DOMINIO/usuario
chmod 700 /home/NOME_DO_DOMINIO/usuario

Edit /usr/local/samba/etc/smb.conf

[homes]
  comment = Home Directories
  browseable = no
  writable = yes

and for the shares:

[teste]
  path = /tmp
  comment = Test Share
  read only = no

/tmp has 777 permissions, so it`s easy, for another shares, just
set then properly.

att.


Em 28/05/2013 16:14, Diogo Borsoi escreveu:

Follow output:

smbclient //localhost/teste -UAdministrator -d5
INFO: Current debug levels:
   all: 5
   tdb: 5
   printdrivers: 5
   lanman: 5
   smb: 5
   rpc_parse: 5
   rpc_srv: 5
   rpc_cli: 5
   passdb: 5
   sam: 5
   auth: 5
   winbind: 5
   vfs: 5
   idmap: 5
   quota: 5
   acls: 5
   locking: 5
   msdfs: 5
   dmapi: 5
   registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows
limit (16384)
INFO: Current debug levels:
   all: 5
   tdb: 5
   printdrivers: 5
   lanman: 5
   smb: 5
   rpc_parse: 5
   rpc_srv: 5
   rpc_cli: 5
   passdb: 5
   sam: 5
   auth: 5
   winbind: 5
   vfs: 5
   idmap: 5
   quota: 5
   acls: 5
   locking: 5
   msdfs: 5
   dmapi: 5
   registry: 5
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.

  conf"
Processing section "[global]"
doing parameter workgroup = TEST
doing parameter realm = test.local
doing parameter netbios name = SMB
doing parameter server role = active directory domain controller
doing parameter server services = s3fs, rpc, nbt, wrepl, ldap,
cldap, kdc,
drepl

, winbind, ntp_signd, kcc, dnsupdate
pm_process() returned Yes
added interface eth0 ip=192.168.137.2 bcast=192.168.137.255
netmask=255.255.255.

0
Netbios name list:-
my_netbios_names[0]="SMB"
Client started (version 4.0.5).
Enter Administrator's password:
Opening cache file at /usr/local/samba/var/lock/gencache.tdb
Opening cache file at
/usr/local/samba/var/lock/gencache_notrans.tdb
sitename_fetch: No stored sitename for TEST.LOCAL
no entry for localhost#20 found.
resolve_lmhosts: Attempting lmhosts lookup for name
localhost<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name
localhost<0x20>
startlmhosts: Can't open lmhosts file
/usr/local/samba/etc/lmhosts. Error
was No

   such file or directory
resolve_wins: WINS server resolution selected and no WINS
servers listed.
resolve_hosts: Attempting host lookup for name localhost<0x20>
namecache_store: storing 2 addresses for localhost#20:
[::1],127.0.0.1
Connecting to ::1 at port 445
Socket options:
 SO_KEEPALIVE = 0
 SO_REUSEADDR = 0
 SO_BROADCAST = 0
 TCP_NODELAY = 1
 TCP_KEEPCNT = 9
 TCP_KEEPIDLE = 7200
 TCP_KEEPINTVL = 75
 IPTOS_LOWDELAY = 0
 IPTOS_THROUGHPUT = 0
 SO_SNDBUF = 172880
 SO_RCVBUF = 87380
 SO_SNDLOWAT = 1
 SO_RCVLOWAT = 1
 SO_SNDTIMEO = 0
 SO_RCVTIMEO = 0
 TCP_QUICKACK = 1
 TCP_DEFER_ACCEPT = 0
  session request ok
Doing spnego session setup (blob length=96)
got OID=1.2.840.48018.1.2.2
got OID=1.2.840.113554

Re: [Samba] Samba 4 Packages Available for Download

[Fernando Lozano]

Hi there,

[Sorry for cross-posting, I hope I didn't violated any list policies]


this is just a heads-up that SerNet does provide Samba 4 packages
(including AD DC package) now.
It was told on the fedora user's list that the kerberos implementation 
used by Fedora, RHEL and CentOS conflicts with the samba one, and so 
Fedora was providing samba4 binaries without AD DC support. This was 
related to the use of FreeIPA by Fedora and RHEL.


So I wasn't expecting to see packages with AD DC support for RHEL and 
CentOS so soon. Thanks a lot!


But how did you manage the kerberos problem? I see you repo provides 
only samba4 packages, and do not replace any other library or daemin 
from CentOS and RHEL.


Or would the problem be present only on newer Fedora releases, and not 
on RHEL6 (yet)? Would this be related to the fact servnet does not 
provide samba4 packages for Fedora, or you simply don't package anything 
for Fedora?


Another question: if my CentOS server is using samba3 from sernet repos, 
may I upgrade them using sernet samba4? Or should I uninstall samba3 and 
do a clean install of samba4, redoing all configuration manually?



[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] winbind versus nss/pam_ldap

[Fernando Lozano]

Hi there,

Since samba 3.0 I've been using Samba PDC and BDCs backed by OpenLDAP, 
and I configure my member servers (all running Linux) to use nss and pam 
to get user information directly from LDAP. I took this way because I 
had previous experience using LDAP for e-mail and web apps. But it looks 
from the list and samba docs that most people configure winbind on 
member servers, and so they don't need direct access to a LDAP server.


I'm wondering what are the advantages and disadvantages of each method, 
and if I should change my setup to use winbind. Can anyone provide some 
pointers to such a comparison?


For example, using winbind seems to be easier: less configuration files 
to change on linux member servers. On the other side, using LDAP 
provides centralized identity management for servers which do not run 
samba (such as database servers), but setting up a server with winbind 
only (no smbd or nmbd) doesn't seem harder to do than setting up a 
server with nss/pam_ldap.



[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] New to Samba 4

[Fernando]

Thanks to all that answered me, it worked!

Em 15-03-2013 20:53, TMason escreveu:

"Fernando" wrote in message news:51408060.1040...@netkeep.com.br...

Hi list, it's my first post here, and I have a basic question, but
couldn't find a good explanation out there It's about users folders,
or the [homes] section in Samba 3.X. I believe that the users now stay
inside the AD, and they're not unix users anymore, so, how can I
implement the users folders now, if there is no users folders on the
host system

Thanks!


 



You mean like a default location when they log into a Unix host, or a 
folder for when a person browses from the network.


If the former, check out the "templates homedir" option. Mine is 
configured like so:


template homedir = /home/%D/%U
template shell = /bin/bash

If the latter, this is how I configured mine, which works well in 
conjunction with what I wrote above:


[homes]
  comment = Home Directories
  browseable = no
  writable = yes

TMason



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] New to Samba 4

[Fernando]

Hi list, it's my first post here, and I have a basic question, but 
couldn't find a good explanation out there It's about users folders, 
or the [homes] section in Samba 3.X. I believe that the users now stay 
inside the AD, and they're not unix users anymore, so, how can I 
implement the users folders now, if there is no users folders on the 
host system


Thanks!
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] FOOBAR\usuario1 windows explorer hungs forever while accessing shared dirs in LAPAZ\comp1 (interdomain trust relationships)

[Fernando Torrez]

Hi all

I have two samba PDC installed according to these specifications:

domain FOOBAR with pdc server name: BAR (ip 192.168.1.1)
opensuse 11.1  
samba-3.5.6-15.1
openldap2-2.4.12-5.6.1
smbldap-tools-0.9.5-25.1
A winxp called USUARIO1 joined to the FOOBAR domain (ip 192.168.1.100)


domain LAPAZ with pdc server name: SERVERLPZ (ip 192.168.10.4)
openSUSE 12.2
samba-3.6.7-48.12.1.i586
openldap2-2.4.31-2.1.3.i586
smbldap-tools-0.9.6-5.1.noarch
A winxp called COMP1 joined to the LAPAZ domain (ip 192.168.10.101)

I made interdomain trust relationships according to the steps written at the 
end of this mail, 
but when FOOBAR\USUARIO1 tries to access shares available on LAPAZ\COMP1 using 
windows explorer, it hungs forever.

Doing some packet capture with wireshark I got these results:

24915.610519192.168.1.101192.168.10.100SMB260Session 
Setup AndX Request, NTLMSSP_NEGOTIATE
25015.610866192.168.10.100192.168.1.101SMB291Session 
Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
25115.611490192.168.1.101192.168.10.100SMB400Session 
Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
25215.615751192.168.1.101192.168.10.100ICMP74Echo 
(ping) request  id=0x0200, seq=1024/4, ttl=30
25315.622135192.168.10.100192.168.1.101ICMP74Echo 
(ping) replyid=0x0200, seq=1024/4, ttl=128
25415.689197192.168.10.100192.168.1.101SMB175Session 
Setup AndX Response
25515.689820192.168.1.101192.168.10.100SMB136Tree 
Connect AndX Request, Path: \\COMPU1\IPC$
25615.689959192.168.10.100192.168.1.101SMB93Tree 
Connect AndX Response, Error: Unknown (0xC35C)
25715.690717192.168.1.101192.168.10.100SMB260Session 
Setup AndX Request, NTLMSSP_NEGOTIATE
25815.690970192.168.10.100192.168.1.101SMB291Session 
Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
25915.691353192.168.1.101192.168.10.100SMB400Session 
Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
26015.732067192.168.10.100192.168.1.101SMB175Session 
Setup AndX Response
26115.732568192.168.1.101192.168.10.100SMB136Tree 
Connect AndX Request, Path: \\COMPU1\IPC$
26215.732728192.168.10.100192.168.1.101SMB93Tree 
Connect AndX Response, Error: Unknown (0xC35C)
26315.733215192.168.1.101192.168.10.100SMB260Session 
Setup AndX Request, NTLMSSP_NEGOTIATE
26415.733547192.168.10.100192.168.1.101SMB291Session 
Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
26515.733918192.168.1.101192.168.10.100SMB400Session 
Setup AndX Request, NTLMSSP_AUTH, User: FOOBAR\usuario1
26615.745888192.168.10.100192.168.1.101SMB175Session 
Setup AndX Response
26715.746319192.168.1.101192.168.10.100SMB136Tree 
Connect AndX Request, Path: \\COMPU1\IPC$
26815.746437192.168.10.100192.168.1.101SMB93Tree 
Connect AndX Response, Error: Unknown (0xC35C)

As it can be seen, there's a recurrent strange error called: Error: Unknown 
(0xC35C) and doing some googling I only could find something like:
 0xC35C (STATUS_NETWORK_SESSION_EXPIRED) that is referred to a Network 
session expired
 
I think that samba 3.5 and samba 3,6 are not fully compatible when doing 
interdomain trustings
because idmap are not configured and managed in the same way. isn't it?

This behavior doesn't appear if FOOBAR\USUARIO1 tries to access LAPAZ\SERVERLPZ 
shares
or if LAPAZ\COMP1 tries to access any FOOBAR shares (either FOOBAR\USUARIO1 or 
FOOBAR\BAR).

I thought that both windows have samething wrong, so I tried with another two 
win workstations with same results.

If someone can point me to the right direction to solve this problem. I would 
really appreciate any help

Thanks in advance

   Fernando Torrez


INTERDOMAIN TRUST RELATIONSHIP PROCESS

1.- PREVIOUS ADJUSTMENTS
On LAPAZ domain server (serverlpz) I changed wins server to use FOOBAR wins 
server:

wins server = 192.168.1.1

and made sure that smb.conf have these lines defined for mapping:

idmap config * : backend = ldap
idmap config * : readonly = no
idmap config * : default = yes
idmap config * : ldap_base_dn = ou=Idmap,dc=lapaz,dc=tld
idmap config * : ldap_user_dn = cn=Manager,dc=lapaz,dc=tld
idmap config * : ldap_url = ldap://serverlpz.lapaz.tld
idmap config * : range = 5-50

idmap alloc config:ldap_base_dn = ou=Idmap,dc=lapaz,dc=tld
idmap alloc config:ldap_user_dn = cn=Manager,dc=lapaz,dc=tld
idmap alloc config:ldap_url = ldap://serverlpz.lapaz.tld
idmap alloc config:range = 50

Re: [Samba] LDAP with Samba Server

[Fernando Lozano]

Rodrigo,

It's not hard to fix your LDAP data, but you must find why it sambaSID 
values were stored the wrong way. Maybe your LDAP config files 
(/etc/slapd.conf?) on the slave point to the wrong schema definitions?


As for the space it may be there because of phpLdapAdmin. Try another 
LDAP browser, like the GUI (Windows) Ldap Admin or GC (for Gnome) to 
check the values.



[]s, Fernando Lozano


On 19:43:51 wrote rodrigo tavares:

Hello !

Today I have a ldap server, it replicate the database from another
machine SMB-LDAP. See the result:

dn: cn=informatica,ou=defensoria,dc=defensoria,dc=br
cn: informatica
description: Informatica
gidNumber: 2451
phpgwAccountExpires: -1
phpgwAccountType: g
userPassword:
mail: informat...@defensoria.br
memberUid: diego.santos
memberUid: alan.murta
memberUid: bruce.borba
memberUid: william.mor
memberUid: manuel.neto
memberUid: eli.set
memberUid: rodrigo.tavares
memberUid: faria.tavares
structuralObjectClass: posixGroup
entryUUID: e0cf40fa-b0af-1031-9098-b773bfdd8a70
creatorsName: cn=admin,dc=defensoria,dc=br
createTimestamp: 20121022161837Z
objectClass: top
objectClass: posixGroup
objectClass: phpgwAccount
objectClass: sambaGroupMapping
sambaGroupType: 2
displayName: informatica
sambaSID::
IFMtMS01LTIxLTM2OTQ4MTM4NjctMjE3NjUzNTQ2Ny0xMzMzMDcxNTk2LTU5MDM=

The field "sambaSID" should never be base64 encoded!
There is a space before "S-1-5", but should not ;-)

$ echo IFMtMS01LTIxLTM2OTQ4MTM4NjctMjE3NjUzNTQ2Ny0xMzMzMDcxNTk2LTU5MDM=|
base64 -d
  S-1-5-21-3694813867-2176535467-1333071596-5903

check your smbldap config file.

Maybe that all or most sambaSid attributes are wrong.


entryCSN: 20121112130102.988770Z#00#000#00
modifiersName: cn=admin,dc=defensoria,dc=mg,dc=gov,dc=br
modifyTimestamp: 20121112130102Z

I my smb.conf

[system]

 comment = system

 path = /home/system
 public = yes
 printable = no
 browseable = no
 guest ok = yes
 read only = yes
 write list = @informatica

  domain logons = yes
add user script = /usr/sbin/smbldap-useradd -a -m "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
"%g" set primary group script = /usr/sbin/smbldap-usermod -g "%g"
"%u" add machine script = /usr/sbin/smbldap-useradd -w "%u"


  ldap user suffix = ou=defensoria
ldap group suffix = ou=grupos
ldap machine suffix = ou=computadores
ldap passwd sync = yes
ldap admin dn = cn=admin,dc=defensoria,dc=mg,dc=gov,dc=br
ldap suffix = dc=defensoria,dc=mg,dc=gov,dc=br
ldap ssl = no
passdb backend = ldapsam:ldap://10.26.7.249


http://rodrigofariat.files.wordpress.com/2012/11/ldap-smb.png



When I try mapping the folder, come a screen with login/password,
then i type password but is not login is not access. Why is not
access ?

Rodrigo Faria




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Login batch file not working for Win7

[Fernando Lozano]

Hi Tony,



I'm running samba3x-3.5.10-0.110.el5_8.x86_64 on a fully updated
CentOS-5.8 system as PDC.

We upgraded our lab machines to Win7 over the summer

The logins work ok and the homes share is being mounted from a
separate fileserver. However the login batch command script is not
running.
I have RHEL 5.4 with servnet Samba3.4 RPMS and it works OK with Windows 
7 clients, besides a few Windows Vista and Windows XP ones. Even with 
different releases and package sources our setups should work the same. 
I know this for sure because one of my BDCs run RHEL 5.6 with RHEL own 
Samba3.6 packages, which didn't exist on previous releases for RHEL 5.x 
and this also didn't for CentOS 5.x where x < 6.



Part of smb.conf

logon script = %G.cmd
I guess this is your problem, because this hurt me with my first setup 
(and it was before I had Windows 7 clients). From "man smb.conf":


   %G   primary group name of %U.

Are you sure your users have the correct primary group set? "Primary 
group" is a Unix concept which doesn't exist in the Windows world. As 
you didn't sent the rest of your smb.conf and your NSS/PAM config files 
I don't know from there your PDC user information comes and how 
Samba/Windows user and group definitions map to Unix user and groups.


My first setup had all users getting the same Unix group, which was 
something generic such as "users", and was not mapped to any 
Samba/Windows group. I have a few Unix groups which are not mapped 
because they are used only for Unix (actually Linux) sysadmins and 
applications.


I changed my user creation policies and procedures so the primary user 
group was set to the unix group mapped to the "main" Samba/Windows group 
for the new user, and manually set the correct primary group for all old 
users. It was quite a bit of work but I could not see any other way as 
some (most) of my users were members of multiple Samba/Windows groups.


The "main" Samba/Windows group is what MS calls "organizational group": 
it reflects the user position as a member of a company department or 
project.


Try using the command "id user_name" for a few users and check the if 
the gid (which is the primary user group) is mapped to an existing 
Samba/Windows group, and then chech if the Samba/Windows group has a 
login script with the expected name at the correct path.


For example, my own regular user is:
# id lozano
uid=563(lozano) gid=508(suporte) 
groups=508(suporte),548(ntaccount),100(users)


gid=508(suporte) is mapped to a Samba/Windows group of the same name. 
While group 548(ntaccount) is mapped to the Samba/Windows "Account 
Operators" group and grupo 100(users) is mapped to no Samba/Windows 
group and is used by us to flag users with shell access to our servers.


I can check de Samba/Windows group memberships and mappings using the 
net command from Samba, for example:


# net user info lozano
Enter root's password:
suporte
Account Operators


# net groupmap list
Enter root's password:
[... filtered ...]
Account Operators (S-1-5-32-548) -> ntaccount
suporte (S-1-5-21-2052653627-1561675057-495535119-1020) -> suporte


Also beware the factory settings for RHEL and CentOS systems is to 
create a "private group" with its name equal to the user name for all 
new users, so user "lozano" would have as its gid "lozano". But "lozano" 
was a Unix-only group and this didn't enabled us to use %G in any 
effective way inside the Windows login script.


See for example a Unix-only user which is used by us to run a few cron 
scripts:


# id analista
uid=500(analista) gid=100(users) groups=100(users),99(nobody),508(suporte)

# net user info analista
Enter root's password:
Failed to get groups for 'analista' with: Could not map names to SIDs

Hope this long message helps.


[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] samba browsing through subnets with different nethoods

[Fernando Torrez]

4 11:33:32,  3] 
nmbd/nmbd_sendannounce.c:167(send_local_master_announcement)
  send_local_master_announcement: type 849a03 for name CLIENTE on subnet 
192.168.20.2 for workgroup BAGOLIN
[2012/08/24 11:33:32,  3] 
nmbd/nmbd_sendannounce.c:186(send_workgroup_announcement)
  send_workgroup_announcement: on subnet 192.168.20.2 for workgroup BAGOLIN
[2012/08/24 11:34:08,  3] 
nmbd/nmbd_incomingdgrams.c:381(process_master_browser_announce)
  process_master_browser_announce: Local master announce from BAR IP 
192.168.1.1.
[2012/08/24 11:34:08,  0] 
nmbd/nmbd_incomingdgrams.c:385(process_master_browser_announce)
  process_master_browser_announce: Not configured as domain master - ignoring 
master announce.
[2012/08/24 11:37:08,  3] 
nmbd/nmbd_incomingdgrams.c:381(process_master_browser_announce)
  process_master_browser_announce: Local master announce from BAR IP 
192.168.1.1.
[2012/08/24 11:37:08,  0] 
nmbd/nmbd_incomingdgrams.c:385(process_master_browser_announce)
  process_master_browser_announce: Not configured as domain master - ignoring 
master announce.
[2012/08/24 11:37:38,  3] 
nmbd/nmbd_sendannounce.c:167(send_local_master_announcement)
  send_local_master_announcement: type 849a03 for name CLIENTE on subnet 
192.168.20.2 for workgroup BAGOLIN
[2012/08/24 11:37:38,  3] 
nmbd/nmbd_sendannounce.c:186(send_workgroup_announcement)
  send_workgroup_announcement: on subnet 192.168.20.2 for workgroup BAGOLIN
[2012/08/24 11:40:14,  3] 
nmbd/nmbd_incomingdgrams.c:381(process_master_browser_announce)
  process_master_browser_announce: Local master announce from BAR IP 
192.168.1.1.
[2012/08/24 11:40:14,  0] 
nmbd/nmbd_incomingdgrams.c:385(process_master_browser_announce)
  process_master_browser_announce: Not configured as domain master - ignoring 
master announce.
.
  
[2012/08/24 12:04:26,  3] 
nmbd/nmbd_incomingdgrams.c:381(process_master_browser_announce)
  process_master_browser_announce: Local master announce from BAR IP 
192.168.1.1.
[2012/08/24 12:04:26,  0] 
nmbd/nmbd_incomingdgrams.c:385(process_master_browser_announce)
  process_master_browser_announce: Not configured as domain master - ignoring 
master announce.
[2012/08/24 12:07:35,  3] 
nmbd/nmbd_incomingdgrams.c:381(process_master_browser_announce)
  process_master_browser_announce: Local master announce from BAR IP 
192.168.1.1.
[2012/08/24 12:07:35,  0] 
nmbd/nmbd_incomingdgrams.c:385(process_master_browser_announce)
  process_master_browser_announce: Not configured as domain master - ignoring 
master announce.
[2012/08/24 12:10:35,  3] 
nmbd/nmbd_incomingdgrams.c:381(process_master_browser_announce)
  process_master_browser_announce: Local master announce from BAR IP 
192.168.1.1.
[2012/08/24 12:10:35,  0] 
nmbd/nmbd_incomingdgrams.c:385(process_master_browser_announce)
  process_master_browser_announce: Not configured as domain master - ignoring 
master announce.

as can be seen, CLIENTE is rejecting any attempt to share data with BAR.

I read "Samba how to","samba by example" and google various sites with no luck.
I'm stuck here, Any tip to solve this problem?

Can samba servers (either Domain master browser or local master browser) share 
their browse and nethood lists
along each other through subnets?

thanks in advanced for any suggestions?

Fernando Torrez





lines below are software details used and complete smb.conf of both servers.

BAR server
-opensuse 11.1
-samba 3.4.2-2.1
-openldap2-2.4.12.5.5.1

CLIENTE server
-opensuse 12.1
-samba 3.6.3-34.12.1


BAR smb.conf file
[global]
unix charset = utf8
workgroup = FOOBAR
server string = bar
netbios name = bar
interfaces = eth1, lo
remote announce = 192.168.20.2/FOOBAR
remote browse sync = 192.168.20.2
bind interfaces only = Yes
passdb backend = ldapsam:ldap://bar.foobar.tld
username map = /etc/samba/smbusers
log level = 3
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
ldap ssl = no
ldap delete dn = Yes
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = logon.bat
logon home =
logon path =
#logon path = \\%L\profiles\%u
logon drive = H:
domain

[Samba] Anyone running samba virtual servers?

[Fernando Lozano]

Hi there,

Nobody replied to my questions about configuring a virtual samba server 
as a domain member.


Isn't anyone using this feature? Is it supposed to work with samba 
3.4.x/3.6.x?



[]s, Fernando Lozano

 Mensagem original 
Assunto:[Samba] samba virtual server x domain membership
Data:   Thu, 12 Jul 2012 10:53:11 -0300
De: Fernando Lozano 
Para:   samba@lists.samba.org



Hi there,

I have a samba server (version 3.6) named 'lnbxservcid' which is already
a member of a domain whose PDC is another samba server (version 3.4).
I'm using the standard samba3 packages from centos and from servnet (as
CentOS.4 comes with only samba 3.0.x, but later CentOS releases came
with samba3-3.4.x packages).

I wish to create on the lnxservcid machine another samba server (a
virtual server) so I don't need to change login scripts and windows
client UNC paths that point to a server which will be retired. The idea
is each virtual server will show it's own set of shares.

I tryed a test setup following instructions from:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/cfgsmarts.html

On restart, domain member clients (windows machines) can connect to
lnxservcid normally. But trying to connect to lnxservteste shows a login
prompt, and no domain user works.

It looks like I have to add machine lnxservteste to the domain. But
neither "net join" or "smbpasswd" have options to tell the name of the
machine (virtual server) to join, and lnxservcid is already joined.

Any idea?

I changed lnxservcid /etc/samba/smb.conf adding "netbios aliases", "smb
ports" and "include" statements:

[global]
netbios name = lnxservcid
security = domain
netbios aliases = lnxservteste
smb ports = 139
include = /etc/samba/smb-%L.conf

[work]
path=/mnt/work

And then I created /etc/samba/smb-lnxservteste.conf

[global]
  workgroup = IBP
  netbios name = lnxservteste

[teste]
  path = /mnt/teste


Should I point net join or smbpasswd to smb-lnxservteste.conf file? Or
should I change the local hostname to tool those utilites? Or isn't this
setup supposed to work? No "samba virtual server" tutorial I found on
google told about domain membership. :-(

And by the way, will the need to use "smb ports = 139" prevent Windows 7
clients from using my servers? So far I tried with only Windows XP  clients.


[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] samba virtual server x domain membership

[Fernando Lozano]

Hi there,

I have a samba server (version 3.6) named 'lnbxservcid' which is already 
a member of a domain whose PDC is another samba server (version 3.4). 
I'm using the standard samba3 packages from centos and from servnet (as 
CentOS.4 comes with only samba 3.0.x, but later CentOS releases came 
with samba3-3.4.x packages).


I wish to create on the lnxservcid machine another samba server (a 
virtual server) so I don't need to change login scripts and windows 
client UNC paths that point to a server which will be retired. The idea 
is each virtual server will show it's own set of shares.


I tryed a test setup following instructions from:

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/cfgsmarts.html

On restart, domain member clients (windows machines) can connect to 
lnxservcid normally. But trying to connect to lnxservteste shows a login 
prompt, and no domain user works.


It looks like I have to add machine lnxservteste to the domain. But 
neither "net join" or "smbpasswd" have options to tell the name of the 
machine (virtual server) to join, and lnxservcid is already joined.


Any idea?

I changed lnxservcid /etc/samba/smb.conf adding "netbios aliases", "smb 
ports" and "include" statements:


[global]
netbios name = lnxservcid
security = domain
netbios aliases = lnxservteste
smb ports = 139
include = /etc/samba/smb-%L.conf

[work]
path=/mnt/work

And then I created /etc/samba/smb-lnxservteste.conf

[global]
  workgroup = IBP
  netbios name = lnxservteste

[teste]
  path = /mnt/teste


Should I point net join or smbpasswd to smb-lnxservteste.conf file? Or 
should I change the local hostname to tool those utilites? Or isn't this 
setup supposed to work? No "samba virtual server" tutorial I found on 
google told about domain membership. :-(


And by the way, will the need to use "smb ports = 139" prevent Windows 7 
clients from using my servers? So far I tried with only Windows XP  clients.



[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Netbios over VPN

[Fernando Lozano]

Niels Dettenbach  escreveu:

Am Montag, 9. Juli 2012, 08:29:00 schrieb Daniel Müller:
> This is right. Openvpn does the job perfectly fine here connecting our far
> away office in our network and Samba-Domain. 

We can recommend OpenVPN too.

The "easiest" way to connect to a Samba by VPN in the majority of scenarios 
should be the OpenVPN TAP mode (layer 2) - but security may more difficult to 
handle a bit.

-> see i.e.:
http://openvpn.net/index.php/open-source/documentation/howto.html#samba

for some basics about this...

To "solve" name resolution questions i knew manies who are using a DNS with 
their samba / OpenVPN setup. Not shure how far samba / windows network 
browsing is working today over tap correctly (did not tried that in the past 
again) but may be there are more clever solutions possible today.

hth
best regards,


Niels.

-- 
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---




-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba


Hi there,

We are using tun (routed) without problems. Just a matter of configuring wins 
and/or dns.

[]s, Fernando Lozano
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Samba network shares over VPN

[Fernando Lozano]

Hi there,

I have two computers, one Windows XP other Windows 7 (actually a dozen
each) which are members of a Samba domain. Users have no problem login
in to the domain, running the login script to map network drives and
accesssing files on them, for both computers.

I want to give users remote access using a VPN (OpenVPN to be exact).
The idea is to login on a disconnected computer using a domain account
cached profie, then connnect to the VPN, then map network drives.
OpenVPN allows running a batch file on connection sucessfull and I use
this to run the user login script from the PDC netlogon share.

The Windows XP computer does this fine. Happy remote users.

But the Windows 7 doesn't. It asks for user login and password for each
server (network drives are on different samba member servers)

Someone told me the problem should to be related to the fact the TAP
adapter (the VPN virtual network adapter) is considered by windows as an
"unknown network" and classified as a "public network". But I could not
find a way to turn this into a home / work or domain network location.

I already tried customising and disabling windows firewall, no changes.

Any ideas on how to transparently access network shares from domain
member servers over a vpn using windows 7?


[]s, Fernnado Lozano
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] samba Digest, Vol 107, Issue 20

[Pradeep Fernando]

Thanks





-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of
samba-requ...@lists.samba.org
Sent: Monday, November 21, 2011 12:30 AM
To: samba@lists.samba.org
Subject: samba Digest, Vol 107, Issue 20

Send samba mailing list submissions to
samba@lists.samba.org

To subscribe or unsubscribe via the World Wide Web, visit
https://lists.samba.org/mailman/listinfo/samba
or, via email, send a message with subject or body 'help' to
samba-requ...@lists.samba.org

You can reach the person managing the list at
samba-ow...@lists.samba.org

When replying, please edit your Subject line so it is more specific than
"Re: Contents of samba digest..."
 

__ Information from ESET NOD32 Antivirus, version of virus
signature database 6646 (2020) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
 
 

__ Information from ESET NOD32 Antivirus, version of virus
signature database 6646 (2020) __

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba over IPX

[fernando]

Hi,

Tecnically there should be no problem implementing IPX support in Samba like it 
worked with DOS Lan Manager and Windows for Workgroups. It has nothing to do 
with NCP and Netware. NCP is akin to SMB, not TCP. IPX has SPX which is the 
connection-oriented protocol, while IPX would be used directly for datagram 
messages (like UDP). I guess the same kernel syscalls and glibc sockets API 
would support the IPX stack instead of TCP/IP, so it would not be so big a 
change in code. If someone wants to try, just grab the sources and start 
hacking (I won't). But I heard IPX support is no longer mantained in current 
linux kernels, and thus porting Samba to IPX could be a dead-end.

In the short run, Chris could try mars_nwe which is an open source Netware 3.x 
compatible file server. I have used it extensively to support clipper apps. 
You'd need the Netware client for DOS instead of the MS Network Client for DOS, 
and would save a few extra KB from the 640KB range.

Another thing to check is FreeDOS instead of MS-DOS. It's said it uses less 
real memory.


[]s, Fernando Lozano


> Original Message 
>From: Daniel Müller 
>To: "'Chris Weiss'" , "'samba'" 
>Sent: Qua, Abr 27, 2011, 3:47 AM
>Subject: Re: [Samba] Samba over IPX
>
>Who wants the old days come back again!?
>Who needs this ???
>We are in 2011 and samba is the first time heading towards a full
>substitution of ms ads.
>This should be the main effort.
>
>---
>EDV Daniel Müller
>
>Leitung EDV
>Tropenklinik Paul-Lechler-Krankenhaus
>Paul-Lechler-Str. 24
>72076 Tübingen
>
>Tel.: 07071/206-463, Fax: 07071/206-499
>eMail: muel...@tropenklinik.de
>Internet: www.tropenklinik.de
>---
>
>-Ursprüngliche Nachricht-
>Von: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] Im
>Auftrag von Chris Weiss
>Gesendet: Dienstag, 26. April 2011 16:54
>An: samba
>Betreff: Re: [Samba] Samba over IPX
>
>Since I use TCP/IP on 3 different DOS system running completely
>different CNC systems with no issues at all, I have to ask: what
>issues are you seeing when running TCP/IP?  Just that you have more
>extended memory used?  or are you not using himem.sys?
>
>
>On Tue, Apr 26, 2011 at 9:32 AM, Maurizio Manfredini 
>wrote:
>> Hi Chris,
>>
>> Just to add some info. I tried with NCP over IPX (mars_nwe) but I found
>that
>> the MS-DOS Network Client doesn't connect to it. Appearently this is
>because
>> MS Network Client for DOS uses SMB over IPX, and not NCP over IPX. NCP
>under
>> DOS would need the Novel client to be installed.
>> SMB over IPX sounds like addressing again to Samba over IPX...
>>
>> Thanks anyway,
>> Maurizio
>>
>> On 4/11/2011 8:57 PM, Chris Weiss wrote:
>>>
>>> I have TCP/IP on DOS on several systems, 2 of which are CNC, slowest
>>> is a 386 with 2MB ram, and I have no issues with it.  yes IP uses more
>>> ram than IPX, but it's still not significant enough to cause problems
>>> with most programs.
>>>
>>> But back to your question: IPX isn't just a network layer, it's got
>>> it's own completely different file sharing protocols and NCP server
>>> software to go with it.  I'd suggest plugging "linux IPX" into a
>>> search engine.  you can share out the same folder structure using both
>>> SMB and NCP protocols, and also NFS and AFP if you like.
>>>
>>> On Mon, Apr 11, 2011 at 1:32 PM, Maurizio Manfredini
>>>  wrote:
>>>>
>>>> I would like to add my case for a wish of IPX support in Samba:
>>>>
>>>> We use a number of CNC tool machines whose host is pure DOS based.
>>>> Don't be surprised that DOS is stilll running somewhere. It is fairly OK
>>>> when we get to the field of HW and real-time control, unlike Windows and
>>>> the
>>>> like...
>>>>
>>>> These hosts use IPX to access LAN shares. IPX is here preferable to
>>>> TCP/IP
>>>> because of its lower memory consumption.
>>>>
>>>> Anyone knows how to make Samba work over IPX, or is there any plan for
>>>> IPX
>>>> support in Samba ?
>>>>
>>>> Thanks in advance,
>>>> Maurizio Manfredini
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] samba loses to be the master browser

[Fernando Torrez]

BAGOLIN<1d> on subnet 
192.168.0.14
[2011/02/23 14:33:56,  0] libsmb/nmblib.c:834(send_udp)
  Packet send failed to 192.168.0.255(137) ERRNO=Invalid argument
[2011/02/23 14:33:56,  0] nmbd/nmbd_packets.c:158(send_netbios_packet)
  send_netbios_packet: send_packet() to IP 192.168.0.255 port 137 failed
[2011/02/23 14:33:56,  0] nmbd/nmbd_namequery.c:244(query_name)
  query_name: Failed to send packet trying to query name BAGOLIN<1d>
[2011/02/23 14:38:58,  0] libsmb/nmblib.c:834(send_udp)
  Packet send failed to 192.168.0.255(137) ERRNO=Invalid argument
[2011/02/23 14:38:58,  0] nmbd/nmbd_packets.c:158(send_netbios_packet)



Googling I found that microsoft windows 7 systems have os level equal to 70, 
but my samba configuration had 'log level=65' , so I changed it to 'log 
level=100', but it didn't solve the problem and nmb log didn't show 'Samba name 
server BAGO has stopped being a local master browser for workgroup BAGOLIN on 
subnet 192.168.0.14' anymore.

I changed two parameters in my smb.conf
log level = 3   (to have more log information)
os level = 255 (to make my linux samba server the only one master browser)

this configuration worked this last 2 months, and the problem appear again. A 
checked samba logs and found nothing except in the log.wb-BAGOLIN file a line 
says: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host BAGO!

[2011/04/26 14:35:49,  3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2011/04/26 14:35:49,  3] libsmb/ntlmssp_sign.c:342(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2011/04/26 14:35:49,  3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2011/04/26 14:35:49,  1] 
rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR 
received from host BAGO!
[2011/04/26 14:35:49,  3] 
winbindd/winbindd_misc.c:359(winbindd_dual_list_trusted_domains)
  [12750]: list trusted domains
[2011/04/26 14:35:49,  2] lib/smbldap_util.c:277(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching 
for:[(&(objectClass=sambaDomain)(sambaDomainName=BAGOLIN))]
[2011/04/26 14:35:49,  2] lib/smbldap.c:856(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2011/04/26 14:35:49,  3] lib/smbldap.c:1067(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2011/04/26 14:41:06,  3] 
winbindd/winbindd_misc.c:359(winbindd_dual_list_trusted_domains)
  [12750]: list trusted domains


I also noticed that at the begining (a year ago), when I installed samba as PDC 
server, my LAN had two windows 7 profs, two macs (configured as workgroup 
systems), and around 35 windows xp systems. But now my LAN have sixteen windows 
7 profs and this number will grow up meanwhile windows xp clients will decrease.

Can I say that this problem is because my samba version wasn't designed to 
support windows vista and 7 systems as domain clients?

Is there any solution to overcome this problem?

Any hint will be really appreciated

below is my smb.conf file and some relevant log pieces as attachments.


Fernando




smb.conf (testparm -s -v)

[global]
dos charset = 850
unix charset = iso-8859-15
display charset = LOCALE
workgroup = BAGOLIN
realm = 
netbios name = BAGO
netbios aliases = 
netbios scope = 
server string = bago
interfaces = eth0, lo
bind interfaces only = Yes
security = USER
auth methods = 
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes
map to guest = Never
null passwords = No
obey pam restrictions = No
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = ldapsam:ldap://bago.bagolin.tld
algorithmic rid base = 1000
root directory = 
guest account = nobody
enable privileges = Yes
pam password change = No
passwd program = 
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 2
check password script = 
username map = /etc/samba/smbusers
password level = 0
username level = 0
unix password sync = No
restrict anonymous = 0
lanman auth = No
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = No
client plaintext auth = No
preload modules = 
dedicated keytab file = 
kerberos method = default
map untrusted to domain = No
log level = 3
syslog = 0
syslog only = No
log file = /var/log/samba/%m
max log size = 50
debug timestamp = Yes
debug prefix timestamp = No
debug hires timestamp = No
debug pid = No
debug uid = No
debug class = No
enable core files = Yes
smb ports = 139
large readwrite = Yes
max protocol = NT1

[Samba] Cant access to resource (FAILED with error NT_STATUS_NO_SUCH_USER) PLEASE HELP!

[Javier Fernando]

I configure Samba Version 3.2.5 to validate users over Windows 2003, i 
configure kerberos and join successfully to the windows 2003 AD, but, when i 
connect to a shared resource of the samba i have the error.

[2010/08/13 12:38:07,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [USER1] -> [USER1] FAILED with 
error NT_STATUS_NO_SUCH_USER


.i check all the config, run in debug mode and can't resolve the problem, i 
think that the problem is the compatibiliti with windows.

Thanks.

Javier

  
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Windows client not accessible when changing ip address on samba PDC

[Fernando Torrez]

Hi Everybody

 I installed a Samba 3.4.5-3.1 PDC with openldap2-2.4.12-5.3, 
samba-winbind-3.4.5-3.1,  bind-9.5.0P2-18.1 and dhcp-3.1.1-6.3 on a opensuse 
11.1 based on Samba3-ByExample.pdf book.
 I manage a network that has around 60 windows client computers (from windows 
2000 to win 7) and quite of them are windows notebooks with 2 NIC's (wireless 
and cable)
and I was assigning two diferent addresses for each NIC( let's say for 
wireless: 192.168.10.10 and for LAN cable:192.168.10.20) through DHCP service.

Problems come when someone that always works well with wireless NIC uses the 
cable NIC (because poor or no wireless sign) and get back to the wireless NIC 
;so change the  notebook ip address from 192.168.10.10 to 192.168.10.20 and 
back to 192.168.10.10

I can't access the notebook shared dirs anymore from other windows clients. 
When trying to access through \\notebook\shared_dir, the windows client get a 
error like: 'network path not found'. If I do pings to the notebook from other 
windows cmd: 'c:> ping notebook' it says 'ping to 192.168.10.20 ... request 
time out'  because the notebook real address is: 192.168.0.10 and not the last 
taken:192.168.0.20.  If I do pings or access the share through its real IP 
address, it works perfectly.

This happens only on windows clients, from linux PDC console either doing pings 
or connecting to the notebook shares using the computer name works fine anytime.

I don't know why windows clients can't update the other windows ip addresses .

Is there something that a missed on the configuration?
any thoughts?

Here is my smb.conf:

[global]
unix charset = iso-8859-15
dos charset = 850
workgroup = BAGOLIN
server string = bago
interfaces = eth1, lo
bind interfaces only = Yes
passdb backend = ldapsam:ldap://bago.bagolin.tld
username map = /etc/samba/smbusers
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
socket options = IPTOS_LOWDELAY TCP_NODELAY
show add printer wizard = No
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = logon.bat
logon home =
logon path =
logon drive = H:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Manager,dc=bagolin,dc=tld
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=bagolin,dc=tld
ldap ssl = no
ldap user suffix = ou=Users
idmap backend = ldap:ldap://bago.bagolin.tld
idmap uid = 1-2
idmap gid = 1-2
winbind enum users = Yes
winbind enum groups = Yes
map acl inherit = Yes   


  
_
Hotmail: Trusted email with powerful SPAM protection.
https://signup.live.com/signup.aspx?id=60969
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] HI

[sheron fernando]

Dear Samba Admin

my samba server working but windows client log to my samba server coming
error massages. i check  my samba log file coming this error massage. please
help to me.
*
[2009/12/29 09:01:48, 0] lib/util_sock.c:write_data(562)
  write_data: write failure in writing to client 192.168.0.85. Error
Connection reset by peer
[2009/12/29 09:01:48, 0] lib/util_sock.c:send_smb(761)
  Error writing 4 bytes to client. -1. (Connection reset by peer)*
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] Not updating group member changes to win clients

[Fernando Torrez]

Hi Everyone

I installed a samba PDC on opensuse 11.1 with:

samba-winbind-3.4.2-2.1
samba-client-3.4.2-2.1
samba-3.4.2-2.1
openldap2-2.4.12-5.5.1
openldap2-client-2.4.12-5.3
perl-ldap-0.39-14.1
nss_ldap-262-10.12
smbldap-tools-0.9.5-3.1
pam_ldap-184-144.12

It runs perfectly with win xp professional and vista business domain clients.
The problem is that when I update any member of a certain domain group (let say 
by adding or
removing a user from a group) on samba PDC; these changes don't update 
on win clients until samba and winbind services are restarted.

For instance let say that group: grupo3 (which has user: usuario3 as member) 
have full 
control on this shared directory:

//bar/Documents (on linux domain server)

when I tried to access from linux using user: Fernando2
I got expected results:


bar:/data # smbclient //bar/Documents -U Fernando2%fernando2
Domain=[FOOBAR] OS=[Unix] Server=[Samba 3.4.2-2.1-2229-SUSE-CODE11]
tree connect failed: NT_STATUS_ACCESS_DENIED


Same results if I tried to access from Fernando2 winxp joined to the domain.
All these results are right.


But problems comes when I include user: Fernando2 to group: grupo3 so
group3 now has 2 members: usuario3  and  Fernando2

>From linux works great:

bar:/data # smbclient //bar/Documents -U Fernando2%fernando2
Domain=[FOOBAR] OS=[Unix] Server=[Samba 3.4.2-2.1-2229-SUSE-CODE11]
smb: \> mkdir mydir
smb: \> ls
  .   D0  Wed Nov 11 17:52:32 2009
  ..  D0  Wed Nov 11 17:49:30 2009
  mydir   D0  Wed Nov 11 17:52:32 2009

36381 blocks of size 131072. 16831 blocks available
smb: \>



but from windows xp called Fernando2 still can't access the shared folder
until samba and winbind services are restarted
I tried reload services but didn't work, I also have wait 30 minutes but no 
update was done.

Is there a command to send all group changes to win clients from linux?
Is a missed parameter?
is this a feature not implemented?



Thanks in advance

 Fernando Torrez


my smb.conf file: testparm -sv

[global]
dos charset = CP850
unix charset = utf8
display charset = LOCALE
workgroup = FOOBAR
realm = 
netbios name = BAR
netbios aliases = 
netbios scope = 
server string = bar
interfaces = eth1, lo
bind interfaces only = Yes
security = USER
auth methods = 
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes
map to guest = Never
null passwords = No
obey pam restrictions = No
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = ldapsam:ldap://bar.foobar.tld
algorithmic rid base = 1000
root directory = 
guest account = nobody
enable privileges = Yes
pam password change = No
passwd program = 
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 2
check password script = 
username map = /etc/samba/smbusers
password level = 0
username level = 0
unix password sync = No
restrict anonymous = 0
lanman auth = No
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = No
client plaintext auth = No
preload modules = 
dedicated keytab file = 
kerberos method = default
map untrusted to domain = No
log level = 10
syslog = 0
syslog only = No
log file = /var/log/samba/%m
max log size = 50
debug timestamp = Yes
debug prefix timestamp = No
debug hires timestamp = No
debug pid = No
debug uid = No
debug class = No
enable core files = Yes
smb ports = 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
min receivefile size = 0
read raw = Yes
write raw = Yes
disable netbios = No
reset on zero vc = No
acl compatibility = auto
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 16644
name resolve order = wins bcast hosts
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = Yes
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
client ldap sasl wrapping = plain
enable asu support = No
svcctl list = 
deadtime = 0
getwd cache = Yes
keepalive = 300
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 1024
socket options = TCP_NODELAY
use mmap = Yes
hostname lookups = No
name cache timeout = 660
ctdbd socket = 
cluster addresses = 
clustering = No
load 

[Samba] samba member of workgroup

[Fernando]

Hello,

I want to setup a samba server as
a member of a workgroup, for example MYWORKGROUP. I want to share a folder,
for example /share.
This share should be available to example.com domain clients only.

Can someone give me a smb.conf for that?

Would that do it?

[global]
workgroup = MYWORKGROUP
server string = Samba Server Version %v
security = domain
hosts allow = .example.com

[share]
comment = Public Stuff
path = /share
public = no
writable = no
printable = no

Thank you.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Error join Samba: error setting trust account password

[Fernando Xavier]

Hello!

I'm trying join client in samba server. But, get this error:

[2008/04/12 12:18:53, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(304)
  error setting trust account password: NT code 0x1c010002
Unable to join domain PDCSERVER.

The password is correct (when i type wrong password the error message
changes) and my network is:

- Client: 192.168.0.X
- PDC Server: 192.168.1.1
- Wireless Router: 192.168.0.1/192.168.1.2 (wan port)

If i type the command net rpc testjoin

[2008/04/12 12:24:57, 0] rpc_client/cli_pipe.c:get_schannel_session_key(2449)
  get_schannel_session_key: could not fetch trust account password for
domain 'PDCSERVER'
[2008/04/12 12:24:57, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
  net_rpc_join_ok: failed to get schannel session key from server
SERVIDOR1 for domain PDCSERVER. Error was
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'PDCSERVER' is not valid

Any idea?

Regards

Fernando


==Configuration files=

Client smb.conf

workgroup = PDCSERVER
netbios name = julio
winbind use default domain = yes
obey pam restrictions = yes
security = DOMAIN
password server = 192.168.1.1 (already tried "PDCSERVER" too)
encrypt passwords = true
wins server = 192.168.1.1
winbind uid = 1-2
winbind gid = 1-2
template shell = /bin/bash
template homedir = /home/%U
winbind separator = +
printing = cups
invalid users = teste

Server smb.conf

workgroup = PDCSERVER
netbios name = SERVIDOR1
netbios aliases = servidor1
server string = SERVIDOR1
domain master = Yes
preferred master = Yes
local master = yes
domain logons = yes
logon script = netlogon.bat
logon home = \\%L\%U\.profiles
#logon path = \\%L\profiles\%U
logon path =
security = user
encrypt passwords = yes
os level = 100
wins support = yes
logon drive = H:
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] uid x sid on LDAP

[fernando]

Hi there,

I'm the process of centralizing user authentication for a medium-sized network 
with a few Linux
servers, some of them runnng samba. The idea is migrating all user definitions 
from both
/etc/{passwd,shadow,groups} and samba tdb to a central LDAP directory.

Most servers had the same set of users, but as each one was administered in 
isolation (no NIS not
all samba servers were part of the same windows domain) there are many 
inconsistencies between all
servers.

I have already done my homework and found whenever the same user had different 
uids or group
assignments, and planed the steps required to get everything in sync (like 
changing file owners).

My question regards sambaAccount x posixAccount in LDAP. Samba docs state that 
Unix uids/gids and
Windows SIDs are algoritmically mapped implying that given a Windows user SID 
the Unix uid needs to
have a certain value, and vice-versa.

But I wish to change as few as possible existing uid/gids. I see sambaAccount 
has a sid field, and
posixAccount has a uid field. So, if I do store values for both, using the ones 
from previous
servers, they won't conform to the mapping algoritm.

Is that ok? Or will I have to change either the Windows user sid or the Unix 
user uid so
sambaAccount and posixAccout values agree with the mapping algoritm?



[]s, Fernando Lozano

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Performance problem with SAMBA

[Fernando Naranjo]

I have a Debian printer server implemented with SAMBA and CUPS. The 
total amount of printing jobs is high (about 600 jobs per hour). The 
SAMBA configuration is standard. The main problem is that the smbd 
processes which are created for the printing requests collapse the 
processor, provoking a slow printing service. ¿Could anybody help me 
about which are the reasons of this behaviour?


Thanks in advance

--














/Fernando Naranjo Palomino, Informática Distribuida/
/Centro de Cálculo - Universidad de Zaragoza
Ciudad Escolar s/n (Escuela Universitaria Politécnica de Teruel)
44003 TERUEL
SPAIN
Tlf.: Ext. 86-1265 / +34 978 61.82.65
Fax: +34 978 61.81.04/
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] AD integration: "getent passwd" can't see *new* users,but "wbinfo -u" can

[Fernando Ruza]

Did you solve it ?? I have a similar problem. wbinfo -u give me a user,
however when a look for it with getent passwd it doesn't appear. With
other users everything is correct.

Thanks,

Fernando.


El lun, 12-02-2007 a las 01:17 -0500, Noah Dain escribió:
> I have two different systems (on different networks) showing this
> behavior.  Both are running Ubuntu Dapper/606.1 LTS with samba version
> 3.0.22 and windows 2003 sp1 servers (not R2).  AD integration is done
> via winbind, with nss using winbind.  At some point in time (which is
> unknown to me), the samba server stopped seeing new users, groups,
> machines which are added to AD.
> 
> scenario:
> I add a new user to AD, say "smbtest".  I then look for the user with
> "wbinfo -u", and it shows up.  However, it does not show up with
> "getent passwd" (same for groups, "getent group").  If I try to map a
> share to a drive letter, it goes something like this:
> 
> C:\WINDOWS>net use h: \\SAMBASRV\smbtest /user:DOMAIN\smbtest password
> 
> System error 1326 has occurred.
> 
> 
> Logon failure: unknown user name or bad password.
> 
> (The same results occur for existing shares, so it's not from lack of
> a home directory)
> 
> Of particular interest is log.winbindd-idmap.  Whenever I try to
> connect as the user smbtest to their home directory or another share,
> this is logged here several times:
> 
> [2007/02/11 20:45:40, 0] sam/idmap_rid.c:rid_idmap_get_id_from_sid(485)
>   rid_idmap_get_id_from_sid: no suitable range available for sid:
> S-1-5-21-4050315045-3251428658-993335031-3123
> 
> "wbinfo -s S-1-5-21-4050315045-3251428658-993335031-3123" returns
> "smbtest" as expected.
> "wbinfo -n smbtest" returns that sid.
> Other users/sids work.
> 
> other stuff I've tried / observed:
> 
> "net ads testjoin" looks good.
> kerberos looks good.
> There are no local accounts within the idmap uid/gid range.
> "/var/lib/samba/winbindd_idmap.tdb" shows no new entries.
> I've restarted samba and winbindd, and the whole machine went down for
> a reboot, but I'm still getting the same behavior.
> 
> -- only config files below --
> smb.conf:
> 
> [global]
> workgroup = DOMAIN
> realm = DOMAIN
> server string = samba server
> interfaces = eth0
> bind interfaces only = Yes
> security = ADS
> allow trusted domains = No
> obey pam restrictions = Yes
> pam password change = Yes
> log level = 2 winbind:3 passdb:2 auth:2
> log file = /var/log/samba/%m.log
> socket options = TCP_noDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> load printers = No
> dns proxy = No
> wins server = DC1
> idmap backend = rid:BUILTIN=1000-, DOMAIN=1-6
> idmap uid = 1000-6
> idmap gid = 1000-6
> template homedir = /home/%U
> template shell = /bin/bash
> winbind separator = /
> winbind use default domain = Yes
> winbind nested groups = Yes
> hosts allow = 192.168.1.0/255.255.255.0, 127.
> hosts deny = 0.0.0.0/0.0.0.0
> 
> [homes]
> comment = Home Directory
> path = /home/%U
> read only = No
> create mask = 0640
> directory mask = 0750
> browseable = No
> 
> /end smb.conf
> 
> /etc/nsswitch.conf:
> 
> passwd: compat winbind
> group:  compat winbind
> shadow: compat winbind
> hosts:  files dns mdns
> networks:   files
> protocols:  db files
> services:   db files
> ethers: db files
> rpc:db files
> netgroup:   nis
> 
> /end nsswitch.conf
> 
> -- 
> Noah Dain
> "The beatings will continue, until moral improves" - the Management
-- 
Fernando Ruza ([EMAIL PROTECTED])
Dto. Informatica
Hospital Univesitario de Guadalajara
Tfl: 949 209 215
 661 123 845
Linux user: #273644 (http://counter.li.org)
Debian Sid (Kernel 2.6.14.3 & ext3)
---
Por favor, NO utilice formatos de archivo propietarios para el
intercambio de documentos, como DOC y XLS, sino HTML, RTF, TXT, CSV o
cualquier otro que no obligue a utilizar un programa de un fabricante
concreto. Gracias.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] SAMBA 4 AND LDAP, Where can we get the information??

[Fernando Moreno]

SAMBA 4 AND LDAP, Where can we get the information??
We are trying to get samba 4 working together with ldap, but there's no
information anywhere.
We'll be pleased if someone can tell us how to get this working.
Thanks, and one more question... Why we can get the SAMBA4_TP4 and there is
no man pages or any information about the implementations of this??
Thanks you so much and sorry for my poor english.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Change password from XP

[Fernando M. Maresca]

Hello.
I've migrated samba to ldap, and everithing works fine except that when
a user changes the password from an xp client receives an error
indicating that the "old" password was wrong, but the password is
changed in the server, so the user gets confused.

Here http://lists.samba.org/archive/samba/2004-August/090254.html are a
thread about this same problem; it's says that this was corrected in
version 3.0.4. I'm runnig debian testing's 3.0.24 samba server with
smbldap-tools 0.92. Xp clientes are pro SP2. smbldap-passwd returns 0.
There is a workaround for this?
Thanks in advance.
Regards,

-- 
Fernando M. Maresca
Monitoring Station S.A.
Calle 48 nº 812
La Plata (B1900AHN) - BA - ARG
Tel/Fax: (+54) 221 425 3355
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] new added users can't join from xp clients

[Fernando M. Maresca]

Hello,
after upgrading a Debian samba server to 3.0.24 a few weeks ago,
everything seems to be ok until yesterday, when I've added a new user to
the domain. Now, the new user can join the shares from the samba server
from linux or win9x machines, but not from XP/2000 machines, wich
refuses to log in with ~ "User does not exits, or passwd is incorrect..."

Old users can login ok from everywhere so this must to be related 
to new users added post upgrade.

The server is PDC for the domain, here's the smb.conf:
[global]
workgroup = MONSSA
netbios name = JOHANN
server string = %h (Samba %v)
passdb backend = tdbsam
os level = 255
preferred master = auto
domain master = yes
local master = yes
security = user
domain logons = yes
logon path = \\johann\profiles\%U
logon drive = z:
logon script = login.bat
encrypt passwords = true
update encrypted = Yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

add machine script = /usr/sbin/useradd -d /dev/null -g 300 -s /bin/false -c 
"Cuenta de maquina" -M %u
time server = Yes
idmap uid = 1-2
idmap gid = 1-2
hosts allow = 192.168.1.
guest account = nobody
guest ok = yes
map to guest = Bad User

Can somebody give a hint about this issue? I've reviewed three last months of 
the list and found nothing similar to this.

Thanks a lot,
-- 
Fernando M. Maresca
Monitoring Station S.A.
Calle 48 nº 812
La Plata (B1900AHN) - BA - ARG
Tel/Fax: (+54) 221 425 3355
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions

[Andre Fernando Goldacker]

Have tested it but it didn't made any difference unfortunatelly.
Perhaps my pam config is still wrong, don't know, but it looks like a
small bug to me that maybe has not been noticed yet, and if so, perhaps
a timeout option in pam_winbind could do the job, who knows!!

cheers,

Andre

Miles, Noal wrote:
> I haven't tested but perhaps this pam entry in system-auth will help
> (insert before winbind account entry)
>
> account sufficient/lib/security/$ISA/pam_succeed_if.so uid < 100
> quiet
>
> Noal
>
> -Original Message-
> From: Andre Fernando Goldacker [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, April 04, 2007 11:06 AM
> To: Andre Fernando Goldacker
> Cc: Miles, Noal; samba@lists.samba.org
> Subject: Re: [Samba] Issue with pam_winbind for MS AD authentication and
> moduleoptions
>
>
> I made a mistake, group in nsswitch.conf looks like this:
>
> group:files winbind
>
> sorry about that!!
>
> Andre
>
> Andre Fernando Goldacker wrote:
>   
>> Hello!
>>
>> passwd, shadow and group looks as follows in nsswitch.conf:
>>
>> passwd:  files winbind
>> shadow:  files
>> group: files group
>>
>> What really confuses me is that when my AD server is up and running, 
>> root or any local user logs in with no problem. And even when AD 
>> server is down, after trying a zillion times, root and other local 
>> users login, and then if I log them out and try again a few minutes 
>> later it won't go again, then again after a few minutes it works again
>> 
>
>   
>> and it keeps going like that.
>>
>> My guess is that when it's not going pam_winbind and winbind are 
>> trying to connect to the AD Server resulting in a huge delay in the 
>> login process afecting also local users login. That's why I was 
>> wondering if there is a "timeout" option or something for pam_winbind 
>> to avoid that. Well, that's my guess I could be wrong and maybe the 
>> problem is something else.
>>
>> Anyway thank's so far for your help, if you or anyone has a light...
>>
>> Andre
>>
>>
>>
>> Miles, Noal wrote:
>>   
>> 
>>> You have files before winbind in /etc/nsswitch.conf for passwd, 
>>> shadow, group?
>>>
>>> Noal
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On 
>>> Behalf Of Andre Fernando Goldacker
>>> Sent: Wednesday, April 04, 2007 8:40 AM
>>> To: samba@lists.samba.org
>>> Subject: [Samba] Issue with pam_winbind for MS AD authentication and 
>>> moduleoptions
>>>
>>>
>>> Hello!
>>>
>>> I've configured samba with winbind and pam_winbind module to 
>>> authenticate users that connect to my linux box against MS AD.
>>>
>>> Works like a charm. If a user exists both in AD and locally, login 
>>> should assume local users. Again, it works pretty well (It seems at 
>>> least with my current config).
>>>
>>> If my AD server goes down for any reason, local users should be able 
>>> to login. For example, root has to login always no matter if my AD 
>>> server exploded.
>>>
>>> That's where is the problem. When I shutdown my AD server and I try 
>>> to login with a local user (root as well), my guess is that it seems 
>>> that pam_winbind waits for a very very long time trying to find my AD
>>>   
>
>   
>>> server to authenticate that even the local login times out. I don't 
>>> really know if that is the reason for this behaviour, but if it is, 
>>> I'm wondering if there is a hidden or maybe a new "timeout" option 
>>> for pam_winbind module as I didn't found anything related in the man 
>>> pages and the mailing lists archive. Or maybe if login finds the user
>>>   
>
>   
>>> in the local database, bypass winbind authentication, don't know if 
>>> that is possible.
>>>
>>> The reason why I came up with this idea is that when the AD server is
>>>   
>
>   
>>> down and I try to login with root for eg. over and over many times, 
>>> after a while it goes (looks like pam config order is right), but a 
>>> few minutes later it won't again, which made me thought that perhaps 
>>> winbind or pam_winbind are trying to estabilish a connection with AD 
>>> and somehow because of that the whole process slows down so much that
>>&g

Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions

[Andre Fernando Goldacker]

Hi,

Thanks for your reply!
As you said that you have a similiar issue, I think you can achieve this
with pam_winbind module as well, with the cached_login option set and
with  "winbind offline logon" enabled in your smb.conf file if I'm correct.

In both cases, I can't think of how it could work when you have for
example two usernames with the same name in ad and linux but with
different passwords.

Any ideas

Andre

Sebastian Knieschewski wrote:
> Hi,
>
> maybe this isn't exactly what you're looking for, but it could help you:
>
> "pam_ccreds"
>
> cached credentials, this should give you full access to your server
> even if the ad-server is down. I haven't used this module yet. Just
> found it today while looking for a solution concerning a similar issue.
>
> Good luck!
>
> Sebastian Knieschewski
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions

[Andre Fernando Goldacker]

I made a mistake, group in nsswitch.conf looks like this:

group:files winbind

sorry about that!!

Andre

Andre Fernando Goldacker wrote:
> Hello!
>
> passwd, shadow and group looks as follows in nsswitch.conf:
>
> passwd:  files winbind
> shadow:  files
> group: files group
>
> What really confuses me is that when my AD server is up and running,
> root or any local user logs in with no problem.
> And even when AD server is down, after trying a zillion times, root and
> other local users login, and then if I log them out and try again a few
> minutes later it won't go again, then again after a few minutes it works
> again and it keeps going like that.
>
> My guess is that when it's not going pam_winbind and winbind are trying
> to connect to the AD Server resulting in a huge delay in the login
> process afecting also local users login. That's why I was wondering if
> there is a "timeout" option or something for pam_winbind to avoid that.
> Well, that's my guess I could be wrong and maybe the problem is
> something else.
>
> Anyway thank's so far for your help, if you or anyone has a light...
>
> Andre
>
>
>
> Miles, Noal wrote:
>   
>> You have files before winbind in /etc/nsswitch.conf for passwd, shadow,
>> group?
>>
>> Noal
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On
>> Behalf Of Andre Fernando Goldacker
>> Sent: Wednesday, April 04, 2007 8:40 AM
>> To: samba@lists.samba.org
>> Subject: [Samba] Issue with pam_winbind for MS AD authentication and
>> moduleoptions
>>
>>
>> Hello!
>>
>> I've configured samba with winbind and pam_winbind module to
>> authenticate users that connect to my linux box against MS AD.
>>
>> Works like a charm. If a user exists both in AD and locally, login
>> should assume local users. Again, it works pretty well (It seems at
>> least with my current config).
>>
>> If my AD server goes down for any reason, local users should be able to
>> login. For example, root has to login always no matter if my AD server
>> exploded.
>>
>> That's where is the problem. When I shutdown my AD server and I try to
>> login with a local user (root as well), my guess is that it seems that
>> pam_winbind waits for a very very long time trying to find my AD server
>> to authenticate that even the local login times out. I don't really know
>> if that is the reason for this behaviour, but if it is, I'm wondering if
>> there is a hidden or maybe a new "timeout" option for pam_winbind module
>> as I didn't found anything related in the man pages and the mailing
>> lists archive. Or maybe if login finds the user in the local database,
>> bypass winbind authentication, don't know if that is possible.
>>
>> The reason why I came up with this idea is that when the AD server is
>> down and I try to login with root for eg. over and over many times,
>> after a while it goes (looks like pam config order is right), but a few
>> minutes later it won't again, which made me thought that perhaps winbind
>> or pam_winbind are trying to estabilish a connection with AD and somehow
>> because of that the whole process slows down so much that even local
>> login times out.
>>
>> Samba is configured to catch UID's, GID's from AD using SFU and ad idmap
>> backend. Only users that are members of a specified AD group are able to
>> login. The purpose of the machine is to be an application server and
>> share folders based on AD users and group permissions.
>>
>> My system is RHEL AS3 with update 7 and samba-3.0.24
>>
>> Below are my pam lines in the system-auth file:
>>
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> authrequired  /lib/security/$ISA/pam_env.so
>> authsufficient/lib/security/$ISA/pam_unix.so likeauth nullok
>> authsufficient/lib/security/$ISA/pam_winbind.so
>> try_first_pass require_membership_of=DOMAIN+group
>> authrequired  /lib/security/$ISA/pam_deny.so
>>
>> account required  /lib/security/$ISA/pam_unix.so nullok_secure
>> account sufficient/lib/security/$ISA/pam_winbind.so
>>
>> passwordrequired  /lib/security/$ISA/pam_cracklib.so retry=3
>> passwordsufficient/lib/security/$ISA/pam_unix.so nullok
>> use_authtok md5 shadow
>> passwordrequired  /lib/security/$ISA/pam_deny.so
>>
>> ses

Re: [Samba] Issue with pam_winbind for MS AD authentication and moduleoptions

[Andre Fernando Goldacker]

Hello!

passwd, shadow and group looks as follows in nsswitch.conf:

passwd:  files winbind
shadow:  files
group: files group

What really confuses me is that when my AD server is up and running,
root or any local user logs in with no problem.
And even when AD server is down, after trying a zillion times, root and
other local users login, and then if I log them out and try again a few
minutes later it won't go again, then again after a few minutes it works
again and it keeps going like that.

My guess is that when it's not going pam_winbind and winbind are trying
to connect to the AD Server resulting in a huge delay in the login
process afecting also local users login. That's why I was wondering if
there is a "timeout" option or something for pam_winbind to avoid that.
Well, that's my guess I could be wrong and maybe the problem is
something else.

Anyway thank's so far for your help, if you or anyone has a light...

Andre



Miles, Noal wrote:
> You have files before winbind in /etc/nsswitch.conf for passwd, shadow,
> group?
>
> Noal
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Andre Fernando Goldacker
> Sent: Wednesday, April 04, 2007 8:40 AM
> To: samba@lists.samba.org
> Subject: [Samba] Issue with pam_winbind for MS AD authentication and
> moduleoptions
>
>
> Hello!
>
> I've configured samba with winbind and pam_winbind module to
> authenticate users that connect to my linux box against MS AD.
>
> Works like a charm. If a user exists both in AD and locally, login
> should assume local users. Again, it works pretty well (It seems at
> least with my current config).
>
> If my AD server goes down for any reason, local users should be able to
> login. For example, root has to login always no matter if my AD server
> exploded.
>
> That's where is the problem. When I shutdown my AD server and I try to
> login with a local user (root as well), my guess is that it seems that
> pam_winbind waits for a very very long time trying to find my AD server
> to authenticate that even the local login times out. I don't really know
> if that is the reason for this behaviour, but if it is, I'm wondering if
> there is a hidden or maybe a new "timeout" option for pam_winbind module
> as I didn't found anything related in the man pages and the mailing
> lists archive. Or maybe if login finds the user in the local database,
> bypass winbind authentication, don't know if that is possible.
>
> The reason why I came up with this idea is that when the AD server is
> down and I try to login with root for eg. over and over many times,
> after a while it goes (looks like pam config order is right), but a few
> minutes later it won't again, which made me thought that perhaps winbind
> or pam_winbind are trying to estabilish a connection with AD and somehow
> because of that the whole process slows down so much that even local
> login times out.
>
> Samba is configured to catch UID's, GID's from AD using SFU and ad idmap
> backend. Only users that are members of a specified AD group are able to
> login. The purpose of the machine is to be an application server and
> share folders based on AD users and group permissions.
>
> My system is RHEL AS3 with update 7 and samba-3.0.24
>
> Below are my pam lines in the system-auth file:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> authrequired  /lib/security/$ISA/pam_env.so
> authsufficient/lib/security/$ISA/pam_unix.so likeauth nullok
> authsufficient/lib/security/$ISA/pam_winbind.so
> try_first_pass require_membership_of=DOMAIN+group
> authrequired  /lib/security/$ISA/pam_deny.so
>
> account required  /lib/security/$ISA/pam_unix.so nullok_secure
> account sufficient/lib/security/$ISA/pam_winbind.so
>
> passwordrequired  /lib/security/$ISA/pam_cracklib.so retry=3
> passwordsufficient/lib/security/$ISA/pam_unix.so nullok
> use_authtok md5 shadow
> passwordrequired  /lib/security/$ISA/pam_deny.so
>
> session required  /lib/security/$ISA/pam_limits.so
> session required  /lib/security/$ISA/pam_unix.so
> session required  /lib/security/$ISA/pam_mkhomedir.so umask=0022
> skel=/etc/skel
>
> Considering that if a user exists both in the local user database and
> AD, login has to assume local user (seems to be working fine), could
> someone give me a hint if I'm in the right path, and maybe an idea why
> or what I could do when my AD servers goes down to my local users
> (including root) log in normally??
>
> Any help will be greatly appreciated,
>
> Andre
>
>   
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Issue with pam_winbind for MS AD authentication and module options

[Andre Fernando Goldacker]

Hello!

I've configured samba with winbind and pam_winbind module to
authenticate users that connect to my linux box against MS AD.

Works like a charm. If a user exists both in AD and locally, login
should assume local users. Again, it works pretty well (It seems at
least with my current config).

If my AD server goes down for any reason, local users should be able to
login. For example, root has to login always no matter if my AD server
exploded.

That's where is the problem. When I shutdown my AD server and I try to
login with a local user (root as well), my guess is that it seems that
pam_winbind waits for a very very long time trying to find my AD server
to authenticate that even the local login times out. I don't really know
if that is the reason for this behaviour, but if it is, I'm wondering if
there is a hidden or maybe a new "timeout" option for pam_winbind module
as I didn't found anything related in the man pages and the mailing
lists archive. Or maybe if login finds the user in the local database,
bypass winbind authentication, don't know if that is possible.

The reason why I came up with this idea is that when the AD server is
down and I try to login with root for eg. over and over many times,
after a while it goes (looks like pam config order is right), but a few
minutes later it won't again, which made me thought that perhaps winbind
or pam_winbind are trying to estabilish a connection with AD and somehow
because of that the whole process slows down so much that even local
login times out.

Samba is configured to catch UID's, GID's from AD using SFU and ad idmap
backend. Only users that are members of a specified AD group are able to
login. The purpose of the machine is to be an application server and
share folders based on AD users and group permissions.

My system is RHEL AS3 with update 7 and samba-3.0.24

Below are my pam lines in the system-auth file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
authrequired  /lib/security/$ISA/pam_env.so
authsufficient/lib/security/$ISA/pam_unix.so likeauth nullok
authsufficient/lib/security/$ISA/pam_winbind.so
try_first_pass require_membership_of=DOMAIN+group
authrequired  /lib/security/$ISA/pam_deny.so

account required  /lib/security/$ISA/pam_unix.so nullok_secure
account sufficient/lib/security/$ISA/pam_winbind.so

passwordrequired  /lib/security/$ISA/pam_cracklib.so retry=3
passwordsufficient/lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
passwordrequired  /lib/security/$ISA/pam_deny.so

session required  /lib/security/$ISA/pam_limits.so
session required  /lib/security/$ISA/pam_unix.so
session required  /lib/security/$ISA/pam_mkhomedir.so umask=0022
skel=/etc/skel

Considering that if a user exists both in the local user database and
AD, login has to assume local user (seems to be working fine), could
someone give me a hint if I'm in the right path, and maybe an idea why
or what I could do when my AD servers goes down to my local users
(including root) log in normally??

Any help will be greatly appreciated,

Andre

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] samba-problems

[Fernando j Cabello]

Hi

  i am having some problems with my samba, it is runnig on an Slackware
linux. I have arround 20 directories on it, were every day around 20
users exchange files from them. The situation is that  when I try to get
logg into one of this directories with one of the users(just with one
user,) the loggin is not allowed. I had already delete this user, create
it again.
 do you have any clue about it?

thanks



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] samba logs

[Fernando Villarreal]

Hi, every one

   I'd like to log my users activity, when hi logs to samba server and 
which files access, is that possible?.


Thanks

Fernando
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] smbclient chown and chmod problem

[Fernando Ruza]

Hi,

I'm trying to change permisions (chmod) or owner (chown) of a file
through smbclient conected to a samba server (version: samba-3.0.4-1). I
always receive the following error message:

  Pushing string of 'unlimited' length into non-SMB buffer!

hpcinf03:/etc/samba# smbclient //hserint2/HomesUsuarios -U inform
Password: 
Domain=[HGUV] OS=[Unix] Server=[Samba 3.0.4]
smb: \> cd bperez
smb: \bperez\> chown bperez inf prueba.xls
Pushing string of 'unlimited' length into non-SMB buffer!
smb: \bperez\> chmod 775 prueba.xls
Pushing string of 'unlimited' length into non-SMB buffer!

man of smbclient said that these commands depends on the server
supporting the CIFS UNIX extensions and will fail if the server does
not. By default this command is in smb.conf: unix extensions = yes  so I
understand it has to work. Do I have to do something to enable CIFS UNIX
extensions on my samba server ?

Does anyone can give me any clue ?? Thanks in advanced.

Grettings,

Fernando.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] wbinfo not looking up groups in mixed MS NT/2k AD

[Andre Fernando Goldacker]

I've upgraded to samba-3.0.20b and it's working fine. nscd isn't
running.
I've noticed that, when I add / remove someone to / from the group
"internet", which in my case is the one I give internet access, it is
taking a while for the user appear / be removed in the group when I run
getent group, the user appears only after a while, more or less 10
minutes. Is there a setting or something in which it updates quicker??

Thanks in advance,

André


On Sat, 2005-10-15 at 17:24 -0600, John H Terpstra wrote:

> On Friday 14 October 2005 12:25, Andre Fernando Goldacker wrote:
> > Upgraded to samba-3.0.20b and it's working fine now.
> >
> > I've noticed that, when I add / remove someone to / from the group
> > "internet", which in my case is the one I give internet access, it is
> > taking a while for the user appear / be removed in the group, when I do
> > getent group the user only appears after a while, more or less 10
> > minutes. Is there a setting or something in which it updates quicker??
> 
> Pleae check that nscd is not running. It sounds like it may be.
> 
> - John T.
> 
> >
> > Thanks in advance,
> >
> > André
> >
> > On Fri, 2005-10-14 at 10:14 -0300, Felipe Augusto van de Wiel wrote:
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA1
> > >
> > > Andre Fernando Goldacker escreveu:
> > > [...]
> > >
> > > > wbinfo -n 'EARTH\testgroup'
> > > > Could not lookup name EARTH\testgroup
> > > >
> > > > I think that's the reason why my squid can't match users / groups.
> > > > My winbind log file reports me the following lines when I try to
> > > > match user/group from squid:
> > > >
> > > > [2005/10/13 16:46:48, 0] lib/util_sid.c:string_to_sid(301)
> > > >   string_to_sid: Sid Could not lookup name internet does not start
> > > > with 'S-'.
> > > > [2005/10/13 16:46:48, 1]
> > > > nsswitch/winbindd_sid.c:winbindd_sid_to_gid(241)
> > > >
> > > >   Could not cvt string to sid Could not lookup name internet
> > > > Any clues why I can lookup users, but not goups?
> > > > My AD has about 1100 users and 150 groups.
> > > > Any help will be much appreciated,
> > >
> > >   Never saw this problem before, but looking at the logs,
> > > looks like your group entry does not have the proper field set,
> > > or the field is not right, in other words, it does not start
> > > with a "S-" like all the SID's.
> > >
> > >   It is not much help, but perhaps could be a start,
> > > good luck! Kind regards,
> > >
> > > - --
> > > //
> > > // Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
> > > // CTI/Suporte - SEDU/PARANACIDADE
> > > // http://www.paranacidade.org.br/
> > > //
> > > -BEGIN PGP SIGNATURE-
> > > Version: GnuPG v1.4.1 (GNU/Linux)
> > > Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
> > >
> > > iD8DBQFDT69HCj65ZxU4gPQRAud7AKCXdp+qPvaiyDX10VuqO3WpftM5MgCfQ4rN
> > > t1bixV+pGNo1N9MTvz9SfsA=
> > > =AqZF
> > > -END PGP SIGNATURE-
> 
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] wbinfo not looking up groups in mixed MS NT/2k AD

[Andre Fernando Goldacker]

Upgraded to samba-3.0.20b and it's working fine now.

I've noticed that, when I add / remove someone to / from the group
"internet", which in my case is the one I give internet access, it is
taking a while for the user appear / be removed in the group, when I do
getent group the user only appears after a while, more or less 10
minutes. Is there a setting or something in which it updates quicker??

Thanks in advance,

André


On Fri, 2005-10-14 at 10:14 -0300, Felipe Augusto van de Wiel wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Andre Fernando Goldacker escreveu:
> [...]
> > wbinfo -n 'EARTH\testgroup'
> > Could not lookup name EARTH\testgroup
> 
> > I think that's the reason why my squid can't match users / groups.
> > My winbind log file reports me the following lines when I try to 
> > match user/group from squid:
> 
> > [2005/10/13 16:46:48, 0] lib/util_sid.c:string_to_sid(301)
> >   string_to_sid: Sid Could not lookup name internet does not start 
> > with 'S-'.
> > [2005/10/13 16:46:48, 1]
> > nsswitch/winbindd_sid.c:winbindd_sid_to_gid(241)
> 
> >   Could not cvt string to sid Could not lookup name internet
> > Any clues why I can lookup users, but not goups?
> > My AD has about 1100 users and 150 groups.
> > Any help will be much appreciated,
> 
>   Never saw this problem before, but looking at the logs,
> looks like your group entry does not have the proper field set,
> or the field is not right, in other words, it does not start
> with a "S-" like all the SID's.
> 
>   It is not much help, but perhaps could be a start,
> good luck! Kind regards,
> 
> - --
> //
> // Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
> // CTI/Suporte - SEDU/PARANACIDADE
> // http://www.paranacidade.org.br/
> //
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.1 (GNU/Linux)
> Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
> 
> iD8DBQFDT69HCj65ZxU4gPQRAud7AKCXdp+qPvaiyDX10VuqO3WpftM5MgCfQ4rN
> t1bixV+pGNo1N9MTvz9SfsA=
> =AqZF
> -END PGP SIGNATURE-
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] wbinfo not looking up groups in mixed MS NT/2k AD

[Andre Fernando Goldacker]

Hello,

I'm having trouble when I try do get a group SID from my domain, the
user lookup and authentication is working fine.
Actually what I'm trying to do is to authenticate squid against MS AD
using winbind. I need to restrict access by group, so I'm using
wbinfo_group.pl to do it.
The machine has been built to be a proxy server only.
I'm using Suse Linux 9.3 Professional
samba-3.0.13-1.1
squid-2.5.STABLE9-4.4

Below are my .conf files:

/etc/nsswitch.conf

passwd: files winbind
shadow: files nis
group:  files winbind
hosts:  files lwres dns
networks:   files dns
services:   files
protocols:  files
rpc:files
ethers: files
netmasks:   files
netgroup:   files winbind
publickey:  files
bootparams: files
automount:  files nis
aliases:files

/etc/samba/smb.conf
[global]
workgroup = EARTH
server string = Samba Server
netbios name = Mordor
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
printer admin = @ntadmin, root, administrator
security = ads
realm = EARTH.COM
allow trusted domains = no
password server = ads01.earth.com ads02.earth.com
encrypt passwords = yes
winbind uid = 5000-1
winbind gid = 5000-1
#   winbind use default domain = yes
winbind separator = \\
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash

Auth lines from my squid.conf file:

auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
external_acl_type grupo ttl=900 concurrency=70 %
LOGIN /usr/sbin/wbinfo_group.pl
acl acesso external grupo internet
acl CONNECT method CONNECT
acl rede proxy_auth REQUIRED src 172.31.16.0/24
http_access allow acesso

If I change to just authenticate users against the AD it works, but
group restrictions don't...

OK, let's see what's going on

wbinfo -t
checking the trust secret via RPC calls succeeded
 Looks ok...

wbinfo -u
EARTH\user1
EARTH\user2
EARTH\user3
... Looks great too...

wbinfo -g
BUILTIN\system operators
BUILTIN\replicators
BUILTIN\guests
BUILTIN\power users
BUILTIN\print operators
BUILTIN\administrators
BUILTIN\account operators
BUILTIN\backup operators
BUILTIN\users
EARTH\domain users
EARTH\domain guests
EARTH\domain computers
EARTH\group policy creator owners
EARTH\schema adm
 Again everything seems to be fine, as with the getent passwd and
getent group too...

getent passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
EARTH\user1:x:502:501:User1:/home/EARTH/user1:/bin/bash
EARTH\user2:x:503:501:User2:/home/EARTH/user2:/bin/bash
EARTH\user3:x:504:501:User3:/home/EARTH/user3:/bin/bash

getent group
root:x:0:
bin:x:1:daemon
EARTH\domain users:x:501:
EARTH\domain guests:x:504:
EARTH\domain computers:x:503:
EARTH\testgroup:x:603:EARTH\user1,EARTH\user-xyz

Let's try to authenticate a user

wbinfo -a 'EARTH\user1%testuser'
plaintext password authentication succeeded
challenge/response password authentication succeeded

OK, let's try to get a user SID

wbinfo -n 'EARTH\user1'
S-1-5-21-1707697585-1731156218-134157935-4028 User (1)

But the same with a group SID doesn't work, and theres nothing in the
winbind log file

wbinfo -n 'EARTH\testgroup'
Could not lookup name EARTH\testgroup

I think that's the reason why my squid can't match users / groups.
My winbind log file reports me the following lines when I try to match
user/group from squid:

[2005/10/13 16:46:48, 0] lib/util_sid.c:string_to_sid(301)
  string_to_sid: Sid Could not lookup name internet does not start with
'S-'.
[2005/10/13 16:46:48, 1]
nsswitch/winbindd_sid.c:winbindd_sid_to_gid(241)
  Could not cvt string to sid Could not lookup name internet


Any clues why I can lookup users, but not goups?
My AD has about 1100 users and 150 groups.
Any help will be much appreciated,

André

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Help !!!

[Ing. Fernando Cabrera R.]

We are running samba-2.0.20-2 on Fedora C4. It was installed 2 weeks ago,
and it was working just fine. But suddenly, today smb refuse all
connections.

In the log file it shows several lines like this:
 libsmb/unexpected.c:unexpedted_packet (53)
 Failed to open unexpected.tdb

 Nmbd/nmbd_serverlistdb.c:write_browse_list(341)
 Write_browse_list: Can't open file /var/lib/samba/browse.dat.. Error was
Permission denied.

Both files exist, and all files in /var/lib/samba have owner rw permission.

Any suggest is welcome

TIA 

Ing. Fernando Cabrera Ruiz
Departamento de Sistemas
Vamsa Aguascalientes, SA de CV
(449)910 9393 x4023
www.nissanvamsaags.com.mx


-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.344 / Virus Database: 267.11.14/127 - Release Date: 10/10/2005
 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] help

[Fernando Ruza]

A bit Off Topic. You can use bacula: http://www.bacula.org/

Regards,

Fernando.


On Tue, 2005-04-19 at 11:16 +0300, Amani Makala wrote:
> hi!
> i need to configure a linux backup server, let me give u some hints on the
> real environment, i have one linux machine and two windows machines, now i
> need to make backup of files found on windows machine,but the backup should
> be done on the linux machine. please anybody who can help me!
> thanks.
> 
-- 
Fernando Ruza ([EMAIL PROTECTED])
Dto. Informatica
Hospital Univesitario de Guadalajara
Tfl: 949 209 215
 661 123 845
Linux user: #273644 (http://counter.li.org)
Debian Sid (Kernel 2.4.30 & ext3)
---
Por favor, NO utilice formatos de archivo propietarios para el
intercambio de documentos, como DOC y XLS, sino HTML, RTF, TXT, CSV o
cualquier otro que no obligue a utilizar un programa de un fabricante
concreto. Gracias.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] problems with user-level Access Control on win9x

[Fernando Augusto Medeiros Silva]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi,
I am with problems in user-level Access Control on Win95 and Samba3, i'm
getting "You Cannot View the List of Users at this time, Try Again
later" if the number of groups in groupmap is greater than 90. i had 460
users. if the number of groups is reduced, the list is displayed.
i'm using samba 3.0.7 on a debian sarge. my passwd backend is tdb, the
filesystem is ext3.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBkhBMV6PgEbWdCgYRAuziAKCgs5UWQ0d1663mtRQAE4YSkNy9lACeP7wy
lnNeeM6PIr7ossqx0efIBUo=
=J5rF
-END PGP SIGNATURE-
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Re: smbldap-tools don't create machine account properlly

[Fernando Ribeiro]

My ldap.conf restrict search to ou=Usuarios

only comment nss_base options and it work fine

Thanks all


Palavras de [EMAIL PROTECTED] [Fri, Oct 22, 2004 at 11:22:12AM -0300]:
> 
> 
> Your ldap.conf
>   nss_base_passwd ou=Usuarios,dc=unimix,dc=com,dc=br?one
> Your smb.conf
>   ldap machine suffix = ou=Computadores
> 
> Your search on ldap base by nsswitch is restrict at ou=Usuarios,
> dc=unimix,dc=com,dc=br ...
> You need change your machine suffix to the same suffix used by
> nss_base_passwd or leave nsswitch search in machine suffix base
> 
> 
> ---
> Emerson Henrique Kfuri Pereira
> 
> Divisão de Atendimento e Consultoria
> CECOM - Reitoria - UFMG
> Telefone: 34994009
> ---
> 
> > Fernando Ribeiro <[EMAIL PROTECTED]>
> > Enviado Por: [EMAIL PROTECTED]
> >
> > 22/10/2004 11:52
> >
> > Para
> >
> > [EMAIL PROTECTED]
> >
> > cc
> >
> > Assunto
> >
> > Re: [Samba] Re: smbldap-tools don't create machine account properlly
> >
> > Hi Igor,
> >
> >my slapd.conf
> >
> >include /usr/local/etc/openldap/schema/core.schema
> >include /usr/local/etc/openldap/schema/cosine.schema
> >include /usr/local/etc/openldap/schema/inetorgperson.schema
> >include /usr/local/etc/openldap/schema/nis.schema
> >include /usr/local/etc/openldap/schema/samba.schema
> >include /usr/local/etc/openldap/schema/qmail.schema
> >
> >pidfile /usr/local/var/run/slapd.pid
> >argsfile /usr/local/var/run/slapd.args
> >
> >database  bdb
> >suffix "dc=unimix,dc=com,dc=br"
> >rootdn "cn=suporte,dc=unimix,dc=com,dc=br"
> >rootpw {SSHA}pass
> >directory /usr/local/var/openldap-data
> >
> >password-hash {CRYPT}
> >password-crypt-salt-format "$1$.8s"
> >
> >index objectClass,uidNumber,gidNumber eq
> >index cn,sn,uid,displayName eq
> >index memberUid,mail,mailAlternateAddress,givenname,
> > accountStatus,mailHost,deliveryMode eq
> >index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
> >index default sub
> >
> >access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> >   by self write
> >   by anonymous auth
> >   by * read
> >
> >   access to *
> >   by * read
> >
> >
> >   My ldap.conf
> >
> >   base dc=unimix,dc=com,dc=br
> >   host ldap.unimix.com.br
> >
> >   rootbinddn cn=suporte,dc=unimix,dc=com,dc=br
> >   nss_base_passwd ou=Usuarios,dc=unimix,dc=com,dc=br?one
> >   nss_base_shadow ou=Usuarios,dc=unimix,dc=com,dc=br?one
> >   nss_base_group ou=Grupos,dc=unimix,dc=com,dc=br?one
> >
> >
> > My smb.conf
> >
> >
> > [global]
> >workgroup = UNIMIX
> >netbios name = PDC
> >server string = PDC
> >security = user
> >encrypt passwords = yes
> >load printers = yes
> >log file = /var/log/samba/%m.log
> >max log size = 50
> >log level = 2
> >os level = 255
> >local master = yes
> >domain master = yes
> >preferred master = yes
> >domain logons = yes
> >admin users = Administrador, Administrator, fernando.ribeiro
> >logon script = %U.bat
> >logon path = \\%L\profiles\%U
> >ldap passwd sync = yes
> > ldap delete dn = Yes
> >passdb backend = ldapsam:ldap://ldap.unimix.com.br/
> >ldap admin dn = cn=suporte,dc=unimix,dc=com,dc=br
> >ldap suffix = dc=unimix,dc=com,dc=br
> >ldap group suffix = ou=Grupos
> >ldap user suffix = ou=Usuarios
> >ldap machine suffix = ou=Computadores
> >idmap uid = 1-15000
> > idmap gid = 1-15000
> >nt acl support = yes
> >create mask = 600
> >directory mask = 0700
> >force directory mode = 0700
> >passwd chat = *New*password* %n\n *Retype*new*password* %
> > n\n*passwd:*all*authentication*tokens*updated*successfully*
> >socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192
> SO_SNDBUF=8192
> > add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> > add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> > add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> >  add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
> "%g"
> > delete user script =

Re: [Samba] Re: smbldap-tools don't create machine account properlly

[Fernando Ribeiro]

4/10/22 10:48:34, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals didn't find user [suporte$]!
  [2004/10/22 10:48:35, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2245)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w 
"suporte$"' gave 9
  [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam(293)
  Finding user suporte$
  [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is suporte$
  [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(239)
  Trying _Get_Pwnam(), username as uppercase is SUPORTE$
  [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(247)
  Checking combinations of 0 uppercase letters in suporte$
  [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals didn't find user [suporte$]!

It don't found suporte$ machine.
But it exists.

> > dn: uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br
> > objectClass: top
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > cn: suporte$
> > sn: suporte$
> > uid: suporte$
> > uidNumber: 1020
> > gidNumber: 1000
> > homeDirectory: /dev/null
> > loginShell: /bin/false
> > description: Computer
> > gecos: Computer

But without sambasamaccount.

PS. s/Computers/Computadores/g =)

Any idea?

Thanks


Palavras de Igor Belyi [Thu, Oct 21, 2004 at 06:32:27PM -0400]:
> Is it possible that 'ldap admin dn' used in your smb.conf does not have 
> write access to 'ou=Computers,dc=unimix,dc=com,dc=br'? What was the 
> error in smbd log when machine failed to join the Domain?
> 
> Igor
> 
> Fernando Ribeiro wrote:
> >Hi all,
> >
> > I have smb.conf with:
> >
> >
> > add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> > add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> > add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> > add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> > add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" 
> > "%g"
> > delete user script = /usr/local/sbin/smbldap-userdel "%u"
> > delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> > delete user from group script = /usr/local/sbin/smbldap-groupmod -x 
> > "%u" "%g"
> > set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" 
> > "%u"
> >
> > while i try include the w2k machine in samba domain it create the 
> > ldap
> > machine account entry:
> >
> > dn: uid=suporte$,ou=Computers,dc=unimix,dc=com,dc=br
> > objectClass: top
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > cn: suporte$
> > sn: suporte$
> > uid: suporte$
> > uidNumber: 1020
> > gidNumber: 1000
> > homeDirectory: /dev/null
> > loginShell: /bin/false
> > description: Computer
> > gecos: Computer
> > 
> > And don't join in samba domain.
> >
> > While i create a machine account manually with:
> >
> > dn: uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br
> > gidNumber: 3
> > uidNumber: 1022
> > uid: suporte$
> > sambaSID: S-1-5-21-715268823-1473299472-2771147885-3044
> > sambaAcctFlags: [W  ]
> > cn: suporte
> > homeDirectory: /dev/null
> > objectClass: top
> > objectClass: sambaSamAccount
> > objectClass: posixAccount
> > objectClass: account
> >
> > It join in the samba domain without problem.
> >
> > Anyone know why it don't create sambaSamAccount ? 
> > Machine account need inetOrgPerson ?
> > 
> > Thanks
> >
> >
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 

-- 
Fernando Ribeiro - GPG-KEY: 0x8D7255F4
Linux Counter: #273768 - ICQ: 175630330
LPIC-2 - Advanced Linux
Death the graph! Death the mouse
Death patents! Death closed standards!
http://www.nerdgroup.org
http://musb.nerdgroup.org
--
"Grandes mentes discutem idéias;
Mentes medianas discutem eventos;
Mentes pequenas discutem pessoas."
--
"A mente que se abre a uma nova idéia
jamais volta ao seu tamanho original."
Albert Einstein
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] smbldap-tools don't create machine account properlly

[Fernando Ribeiro]

Hi all,

I have smb.conf with:


add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

while i try include the w2k machine in samba domain it create the ldap
machine account entry:

dn: uid=suporte$,ou=Computers,dc=unimix,dc=com,dc=br
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: suporte$
sn: suporte$
uid: suporte$
uidNumber: 1020
gidNumber: 1000
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

And don't join in samba domain.

While i create a machine account manually with:

dn: uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br
gidNumber: 3
uidNumber: 1022
uid: suporte$
sambaSID: S-1-5-21-715268823-1473299472-2771147885-3044
sambaAcctFlags: [W  ]
cn: suporte
homeDirectory: /dev/null
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account

It join in the samba domain without problem.

Anyone know why it don't create sambaSamAccount ? 
Machine account need inetOrgPerson ?

Thanks
   

-- 
Fernando Ribeiro - GPG-KEY: 0x8D7255F4
Linux Counter: #273768 - ICQ: 175630330
LPIC-2 - Advanced Linux
Death the graph! Death the mouse
Death patents! Death closed standards!
http://www.nerdgroup.org
http://musb.nerdgroup.org
--
"Grandes mentes discutem idéias;
Mentes medianas discutem eventos;
Mentes pequenas discutem pessoas."
--
"A mente que se abre a uma nova idéia
jamais volta ao seu tamanho original."
Albert Einstein
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] "getpeername failed. Error was Transport endpoint is not connected", don't solve?

[Fernando Ribeiro]

bjectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: windows$
sn: windows$
uid: windows$
uidNumber: 1008
gidNumber: 1000
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

My wins.dat don't have entry to this machine:

[EMAIL PROTECTED]:~# cat /usr/local/samba/var/locks/wins.dat 
VERSION 1 0
"PDC#00" 1098458484 10.0.0.4 66R
"PDC#03" 1098458484 10.0.0.4 66R
"PDC#20" 1098458484 10.0.0.4 66R
"domain#00" 1098458484 255.255.255.255 e4R
"domain#1b" 1098458484 10.0.0.4 64R
"domain#1c" 1098458484 10.0.0.4 e4R
    "domain#1e" 1098458484 255.255.255.255 e4R

I have dns working fine.
I don't have firewall, and network work fine too.

Anyone have a idea?

Thanks

-- 
Fernando Ribeiro - GPG-KEY: 0x8D7255F4
Linux Counter: #273768 - ICQ: 175630330
LPIC-2 - Advanced Linux
Death the graph! Death the mouse
Death patents! Death closed standards!
http://www.nerdgroup.org
http://musb.nerdgroup.org
--
"Grandes mentes discutem idéias;
Mentes medianas discutem eventos;
Mentes pequenas discutem pessoas."
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] NetBios problem with Samba 2.x

[Fernando Ribeiro]

Palavras de Aaron Grewell [Fri, Oct 15, 2004 at 11:35:52AM -0700]:
> On Fri, 2004-10-15 at 11:30 -0700, Nate Schindler wrote:
> > I'm in a bit of a pickle, and I need some help.
> > 
> > I'm forced to disable netbios on any machine that leaves the company because of 
> > how MS Exchange works over a VPN.
> > I have Samba 2.x on two Compaq Tru64 5.x machines, each with one (public) share.
> > 
> > With netbios enabled, the client machines can access the share with no issues.  
> > With netbios disabled, I get something like "No network provider accepted the 
> > given network path."
> 
> 
> I don't think Samba 2 supported DNS resolution.  IIRC it requires
> NetBIOS Name Resolution in order to correctly resolve.  Can you go
> direct to the IP?
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 

Hi,

I have same problem with samba 3.0.7 :-(

Thanks

-- 
Fernando Ribeiro - GPG-KEY: 0x8D7255F4
Linux Counter: #273768 - ICQ: 175630330
LPIC-2 - Advanced Linux
Death the graph! Death the mouse
Death patents! Death closed standards!
http://www.nerdgroup.org
http://musb.nerdgroup.org
--
"Grandes mentes discutem idéias;
Mentes medianas discutem eventos;
Mentes pequenas discutem pessoas."
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] migrating from samba-2.2.7 to samba-3.0.7

[Fernando Cachay G.]

 = No
ldap filter = (uid=%u)
ldap group suffix =
ldap idmap suffix =
ldap machine suffix =
ldap passwd sync = no
ldap replication sleep = 1000
ldap suffix =
ldap ssl =
ldap timeout = 15
ldap user suffix =
add share command =
change share command =
delete share command =
config file =
preload =
lock directory = /var/cache/samba
pid directory = /var/run
utmp directory =
wtmp directory =
utmp = No
default service =
message command =
dfree command =
get quota command =
set quota command =
remote announce =
remote browse sync =
socket address = 0.0.0.0
homedir map = auto.home
afs username map =
time offset = 0
NIS homedir = No
panic action =
host msdfs = No
enable rid algorithm = Yes
idmap backend =
idmap uid =
idmap gid =
template primary group = nobody
template homedir = /home/%D/%U
template shell = /bin/false
winbind separator = \
winbind cache time = 300
winbind enable local accounts = No
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = No
comment =
path =
username =
invalid users =
valid users =
admin users =
read list =
write list =
printer admin =
force user =
force group =
read only = Yes
create mask = 0744
force create mode = 00
 security mask = 0777
force security mode = 00
directory mask = 0755
force directory mode = 00
directory security mask = 0777
force directory security mode = 00
force unknown acl user = No
inherit permissions = No
inherit acls = No
guest only = No
guest ok = No
only user = No
hosts allow =
hosts deny =
ea support = No
nt acl support = Yes
profile acls = No
map acl inherit = No
afs share = No
block size = 1024
max connections = 0
min print space = 0
strict allocate = No
strict sync = No
sync always = No
use sendfile = Yes
write cache size = 0
max reported print jobs = 0
max print jobs = 1000
printable = No
printing = cups
cups options =
print command =
lpq command =
lprm command =
lppause command =
lpresume command =
queuepause command =
queueresume command =
printer name =
use client driver = No
default devmode = No
default case = lower
case sensitive = Auto
preserve case = Yes
short preserve case = Yes
mangling char = ~
hide dot files = Yes
hide special files = No
hide unreadable = No
hide unwriteable files = No
delete veto files = No
veto files =
hide files =
veto oplock files =
map system = No
map hidden = No
map archive = Yes
mangled names = Yes
mangled map =
store dos attributes = No
browseable = Yes
blocking locks = Yes
csc policy = manual
fake oplocks = No
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
strict locking = Yes
share modes = Yes
copy =
include =
exec =
preexec close = No
postexec =
root preexec =
root preexec close = No
root postexec =
available = Yes
volume =
fstype = NTFS
set directory = No
wide links = Yes
follow symlinks = Yes
dont descend =
magic script =
magic output =
delete readonly = No
dos filemode = No
dos filetimes = No
dos filetime resolution = No
fake directory create times = No
vfs objects =
msdfs root = No
msdfs proxy =


Thanks
Fernando
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] netbios name failure, wins problem?

[Fernando Ribeiro]

Hi all,

[EMAIL PROTECTED]:/var/log/samba# nmblookup -S PDC
querying PDC on 10.0.0.255
10.0.0.4 PDC<00>
Looking up status of 10.0.0.4
PDC <00> - H  


[EMAIL PROTECTED]:/var/log/samba# nmblookup -S testefinal
querying testefinal on 10.0.0.255
10.0.0.100 testefinal<00>
Looking up status of 10.0.0.100
TESTEFINAL  <00> - B  


But it don't found in master-browser.

[EMAIL PROTECTED]:/var/log/samba# nmblookup -M testefinal
querying testefinal on 10.0.0.255
querying testefinal on 127.255.255.255
name_query failed to find name testefinal#1d
[EMAIL PROTECTED]:/var/log/samba# nmblookup
  

It don't found into wins.dat

[EMAIL PROTECTED]:/var/log/samba# tail -f 
/usr/local/samba/var/locks/wins.dat 
VERSION 1 0
"PDC#00" 1097349014 10.0.0.4 66R
"PDC#03" 1097349014 10.0.0.4 66R
"PDC#20" 1097349014 10.0.0.4 66R
"DOMAINNAME#00" 1097349014 255.255.255.255 e4R
"DOMAINNAME#1b" 1097349014 10.0.0.4 64R
"DOMAINNAME#1c" 1097349014 10.0.0.4 e4R
"DOMAINNAME#1e" 1097349014 255.255.255.255 e4R


[EMAIL PROTECTED]:/var/log/samba# ifconfig 
eth0  Link encap:Ethernet  HWaddr 00:90:27:70:E7:A5  
  inet addr:10.0.0.4  Bcast:10.0.0.255  Mask:255.255.255.0

10.0.0.100 is my windows workstation.

My smb.conf


[global]
   workgroup = DOMAINMANE
   netbios name = PDC 
   server string = PDC
   security = user
   encrypt passwords = yes
   load printers = yes
   log file = /var/log/samba/%m.log
   max log size = 50
   os level = 33
   local master = yes
   domain master = yes 
   preferred master = yes
   domain logons = yes
   admin users = fernando.ribeiro, wesley.lago
   logon script = %U.bat
   logon path = \\%L\profiles\%U
   wins support = yes
 name resolve order = wins lmhosts hosts bcast
   dns proxy = no
#   smb ports = 137 138 139 445
   interfaces = 127.0.0.1 eth0
   bind interfaces only = Yes
   ldap passwd sync = yes
 ldap delete dn = Yes
 ldap port = 636
 ldap ssl = yes
   passdb backend = ldapsam:ldaps://ldap.domain.com.br/
   ldap admin dn = cn=suporte,dc=domain,dc=com,dc=br
   ldap suffix = dc=domain,dc=com,dc=br
   ldap group suffix = ou=Grupos
   ldap user suffix = ou=Usuarios
   ldap machine suffix = ou=Computadores
   idmap uid = 1-15000
 idmap gid = 1-15000
   nt acl support = yes 
   create mask = 600
   directory mask = 0700
   force directory mode = 0700
   passwd chat = *New*password* %n\n *Retype*new*password* 
%n\n*passwd:*all*authentication*tokens*updated*successfully*
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
 add user script = /usr/local/sbin/smbldap-useradd -m "%u"
 delete user script = /usr/local/sbin/smbldap-userdel "%u"
 add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
 add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
 delete group script = /usr/local/sbin/smbldap-groupdel "%g"
 add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
 set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
   dos charset = UTF-8
 unix charset = UTF-8
 cups server = 10.0.0.11

[homes]
comment = Diretorio Home
browseable = no
writable = yes
  force user = %U
 
[profiles]
  path = /home/profiles
  read only = No
  create mask = 0600
  directory mask = 0700
  browseable = No
  guest ok = Yes
  profile acls = Yes
  csc policy = disable
  force user = %U
valid users = %U @"Domain Admins"

[netlogon]
path = /home/netlogon
browseable = No
read only = yes
   
[printers]
   comment = Impressoras
   path = /var/spool/samba
   browseable = no
   guest ok = no
   writable = no
   printable = yes

Anyone know why?



-- 
Fernando Ribeiro - GPG-KEY: 0x8D7255F4
Linux Counter: #273768 - ICQ: 175630330
Linux Professional Institute - LPIC-1
Death the graph! Death the mouse!
Death patents! Death closed standards!
http://www.nerdgroup.org
http://musb.nerdgroup.org
--
"Grandes mentes discutem idéias;
Mentes medianas discutem eventos;
Mentes pequenas discutem pessoas."
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] getpeername failed. Error was Transport endpoint is not connected

[Fernando Ribeiro]

It trying port 430 and 455?
Why??


Palavras de Fernando Ribeiro [Tue, Oct 05, 2004 at 01:45:26PM -0300]:
> Hi all,
> 
>   I'm using slackware 10, running samba-3.0.7, OpenLDAP-2.2.17 with ssl,
>   tls and sasl2.
> 
> 
>   While i trying include a workstation windows xp in the samba domain it
>   return this:
> 
>   [2004/10/05 12:51:25, 0] lib/util_sock.c:send_smb(647)
>   Error writing 4 bytes to client. -1. (Connection reset by peer)
>   [2004/10/05 12:51:26, 0] lib/util_sock.c:get_peer_addr(1000)
>   getpeername failed. Error was Transport endpoint is not connected
>   [2004/10/05 12:51:26, 0] lib/util_sock.c:write_socket_data(430)
>   write_socket_data: write failure. Error = Connection reset by peer
>   [2004/10/05 12:51:26, 0] lib/util_sock.c:write_socket(455)
>   write_socket: Error writing 4 bytes to socket 22: ERRNO = Connection 
> reset by peer
>   [2004/10/05 12:51:26, 0] lib/util_sock.c:send_smb(647)
>   Error writing 4 bytes to client. -1. (Connection reset by peer)
> 
>   Anyone know why?
> 
>   My configuration has been in
>   http://www.nerdgroup.org/doc/samba+ldap+qmail.txt
> 
>   Thanks
> 
> -- 
> Fernando Ribeiro - GPG-KEY: 0x8D7255F4
> Linux Counter: #273768 - ICQ: 175630330
> Linux Professional Institute - LPIC-1
> Death the graph! Death the mouse!
> Death patents! Death closed standards!
> http://www.nerdgroup.org
> http://musb.nerdgroup.org
> --
> "Grandes mentes discutem idéias;
> Mentes medianas discutem eventos;
> Mentes pequenas discutem pessoas."
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 

-- 
Fernando Ribeiro - GPG-KEY: 0x8D7255F4
Linux Counter: #273768 - ICQ: 175630330
Linux Professional Institute - LPIC-1
Death the graph! Death the mouse!
Death patents! Death closed standards!
http://www.nerdgroup.org
http://musb.nerdgroup.org
--
"Grandes mentes discutem idéias;
Mentes medianas discutem eventos;
Mentes pequenas discutem pessoas."
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] getpeername failed. Error was Transport endpoint is not connected

[Fernando Ribeiro]

Hi all,

I'm using slackware 10, running samba-3.0.7, OpenLDAP-2.2.17 with ssl,
tls and sasl2.


While i trying include a workstation windows xp in the samba domain it
return this:

[2004/10/05 12:51:25, 0] lib/util_sock.c:send_smb(647)
Error writing 4 bytes to client. -1. (Connection reset by peer)
[2004/10/05 12:51:26, 0] lib/util_sock.c:get_peer_addr(1000)
getpeername failed. Error was Transport endpoint is not connected
[2004/10/05 12:51:26, 0] lib/util_sock.c:write_socket_data(430)
write_socket_data: write failure. Error = Connection reset by peer
[2004/10/05 12:51:26, 0] lib/util_sock.c:write_socket(455)
write_socket: Error writing 4 bytes to socket 22: ERRNO = Connection 
reset by peer
[2004/10/05 12:51:26, 0] lib/util_sock.c:send_smb(647)
Error writing 4 bytes to client. -1. (Connection reset by peer)

Anyone know why?

My configuration has been in
http://www.nerdgroup.org/doc/samba+ldap+qmail.txt

Thanks

-- 
Fernando Ribeiro - GPG-KEY: 0x8D7255F4
Linux Counter: #273768 - ICQ: 175630330
Linux Professional Institute - LPIC-1
Death the graph! Death the mouse!
Death patents! Death closed standards!
http://www.nerdgroup.org
http://musb.nerdgroup.org
--
"Grandes mentes discutem idéias;
Mentes medianas discutem eventos;
Mentes pequenas discutem pessoas."
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Problems com password in win2k

[Fernando]

I have a problem with password in win2k clients
Samba run in a HP-UX version 11.11

I connect  to a server, map the drive, and give to me to put a login and a
password,
but when i reboot the client machine, give me again the login and password.

I would like to stop the give to me a login and a password when i reboot the
client machine.


smb.conf:

#=== Global Settings
=
[global]
   netbios name = l1000
   workgroup = micromidia
   server string = Samba Server
   log file = /var/opt/samba/log.%m
   max log size = 1000
   security = share
   password server =
   encrypt passwords = no
   socket options = TCP_NODELAY
   local master = no
   preserve case = yes
   short preserve case = no
   dos filetime resolution = yes
   read only = no
   syslog = 0

# Share Definitions
==
[tmp]
 comment = teste do samba share
 path = /tmp
 browseable = yes
 writeable = yes


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] tuning for samba server

[Fernando Ruza]

Hi,

I'm also very interested in this. I have a similar configuration with
even more users (right now I have 50, but it will be increased slowly to
more than 300). My server is also a HP Netserver with scsi disks and two
network cards. The only thing I've done to increase performance is to
setup bonding for the network cards in high availability mode
(http://www.kernel.org/pub/linux/kernel/people/marcelo/linux-2.4/Documentation/networking/bonding.txt)
 and it works really well.

Any info about tuning samba server will be greatly appreciate.

Thanks in advance,

Fernando.


El lun, 16-08-2004 a las 03:26, Raúl D. Pittí Palma escribió:
> Hi!
> anyone knows where to get some info for kernel (maybe via sysctl) and or
> samba tuning for high performance ?
> I have read all the samba docs available, so aim looking for others tips
> besides the tcp tunings usually applied in smb.conf ?
> i am setting a server on a client site, with many clients (about 100), and i
> am using a real server hardware (an HP netserver with xeon [EMAIL PROTECTED],
> 1Gig of RAm and fast scsi hdds (scsi 320 @ 15krpm).  the budget can be
> stressed out for buying a raid enable server  :-)  .
> thanks for all your help.
> RP
> 
> Raúl Pittí Palma
> Associate
> Global Engineering and Technology S.A.
> móvil. (507) - 616 - 0194

--
Fernando Ruza ([EMAIL PROTECTED])
Dto. Informatica
Hospital Univesitario de Guadalajara
Tfl: 949 209 215
 661 123 845
Linux user: #273644 (http://counter.li.org)
Debian Sid (Kernel 2.4.20 & ext3)
---
Por favor, NO utilice formatos de archivo propietarios para el
intercambio de documentos, como DOC y XLS, sino HTML, RTF, TXT, CSV o
cualquier otro que no obligue a utilizar un programa de un fabricante
concreto. Gracias.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] special chars in windows filenames

[Fernando Pintabona]

Check the "unix charset" setting in smb.conf.
For Spanish, I had to add the following:
unix charset = CP850

Cheers

Fernando P

On Mon, 2004-04-05 at 12:47, Joachim Thüx wrote:
> Hi folks!
> 
> I upgraded a red hat linux fileserver (kernel version 2.4.18-14)
> from samba 2.x to samba 3.02.
> 
> After the upgrade, the special chars in windows filenames
> (German Umlaute) were no more visible to clients but either
> substituted with a little black rectangle or completely suppressed -
> depending on the client operating system (W2000/W98).
> 
> Within the archived list I found a hint that the smb options dos/unix charset
> might not be the solution, but it could be related to kernel restrictions.
> 
> Any hints?
> 
> Regards,
> 
> Joachim


signature.asc
Description: This is a digitally signed message part
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba as remote file share

[Fernando Pintabona]

No offense...but I guess you'd be better off with FTP or SFTP than SAMBA
on this particular setup...

Fernando P

On Thu, 2004-04-01 at 16:54, Adam Stanley wrote:
> Hello,
> 
> I have a client who is hoping to use Samba over the internet.  He hopes 
> to be able to setup a single mount point that can be used by employees 
> from various locations via their broadband internet connections.  The 
> clients will be a mixture of Linux, Windows 98, and Windows 2000/XP 
> machines.  I know that a solution like this would be possible if all of 
> the clients and the server were on the same LAN, however, I've not had 
> any luck attempting to deploy Samba over the internet.  Is this a 
> feasible solution with Samba or should I have him look elsewhere?  If 
> Samba will cut it does anyone have any pointers or suggestions for the 
> most secure way to implement a setup like this?  Thanks in advance for 
> any help...
> 
> Adam Stanley
> Nethosters, Inc.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Purpose of param. "time server" ?

[Fernando Pintabona]

It is in fact for that.
NTP syncs time in Unix. "time server = yes" tells SAMBA to be a time
server for win workstations.
Then, you should use "net time \\server /set /yes" in netlogon scripts
to sync your workstations' time with the one of the SAMBA server.

Fernando P

On Mon, 2004-03-29 at 16:22, M. Vancl wrote:
> Hi,
> 
> I need to make a decision whether or not to install ntp server on my network
> in order to give time source to WinXP workstations. I found this parameter
> but I don't know how to employ it. I have got some unsure information about
> new functionality (other then ntp and 'net time' service) on WinXP (DC)
> server for setting clock on its workstations. Is it true ? And is "time
> server = yes" parameter on SAMBA intended for setting such functionality on
> it ? Unfortunately my trial with it was not successful. Can anybody help me
> ?
> 
> Thanks
> 
> M. Vancl
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] clients logout .............

[Fernando Pintabona]

Somewhere on W2k's connect new share wizard, there's a sort of link
that, apparently, allows you to connect to that share using another user
name. I found this today on a w2k PC logged onto a SAMBA domain. I don't
know if this is still true on a w2k PC on a workgroup. Maybe someone
else can take a look at it.

Fernando P

On Tue, 2004-03-16 at 16:43, Mike Stewart wrote:
> Thanks Steve, I've just tried that but it doesn't work - the PC seems to
> remember the last login name and password and reconnects to the server as
> that user again :-(
> 
> Mike
> 
> - Original Message - 
> From: "Aden, Steve" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, March 16, 2004 3:29 PM
> Subject: RE: [Samba] clients logout .
> 
> 
> You should be able to click Tools/Disconnect Network Drive from a
> Windows Explorer window, then select the connection to the Samba server
> and click ok. Note, this can be done even if the connection was not
> mapped to a drive letter, such as by typing \\server\share in the run
> box. You can then map a drive to the server with a different user
> account.
> 
> Steve Aden
> 
> 
> Privileged/Confidential Information may be contained in this message. If you
> are not the addressee indicated in this message (or responsible for delivery
> of the message to such person), you may not copy or deliver this message to
> anyone. In such case, you should destroy this message and kindly notify the
> sender by reply email. Opinions, conclusions and other information contained
> in this message that do not relate to official business shall be understood
> as neither given nor endorsed by ITS
> 
> -Original Message-
> From: Mike Stewart [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 16, 2004 8:55 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Samba] clients logout .
> 
> 
> I hope someone can anser that... I would find it ver useful too !!
> There
> was the DOS "net logoff" but that will not work in a Windows VM, only in
> "real mmode" :-(
> 
> 
> > Hi,
> >
> > Two questions, only slightly related to SAMBA :
> >
> > 1) when I have logged into my Samba server (rh9) from
> > a W2K or XP
> > client, how can I log out again so that I can log in
> > as someone else. I
> > know logging out of W2K/XP will work, but I would like
> > to log out of the
> > SAMBA server w/o logging out of W2K/XP. My Mac OS X
> > client has an
> > 'eject' button which I can use - something similar to
> > that is what I am
> > after.
> >
> 
> 
> 
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.622 / Virus Database: 400 - Release Date: 13/03/2004
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
> 
> _
> This message was content-scanned by IXC Shield
> Powered by GatewayDefender - BJ089f8ac1.0001.mml
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Migrating Profiles

[Fernando Pintabona]

Take a look at
http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf

You'll find everything about profiles as from page 354 (Chapter 24)

Fernando P

On Fri, 2004-03-12 at 14:02, Matthias Spork wrote:
> Hello,
> 
> we are migration from Netware 4.11 to Samba. Many of our 150 users have
> lokal NT/2K-Profiles. I migrate this Profiles by copying them to Samba
> (System > Profiles > xxx ) and changing the SID and GID with "profiles".
> 
> Some settings will not be set. In example: Desktop-Background,
> Office-Settings , IE configuration...
> 
> What did I wrong?
> 
> 
> matze


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

RE: [Samba] Trouble mounting a windows share from Linux

[Fernando Pintabona]

Sorry, my memory failed...

I really meant when you execute smbmount with no parameters. :)
and not the man page.

Fernando p

On Thu, 2004-03-11 at 18:55, Shawn Iverson wrote:
> On Thursday, March 11, 2004 10:27 AM, Fernando Pintabona said:
> > 
> > Right at the end of smbmount man page, you have an example using mount.
> > SMB type of filesystem is the way linux sees a SAMBA (or NT
> > domain/workgroup )share. You may want to try specifying the domain also.
> > 
> > Fernando P
> > 
> 
> Sorry, I could not find an example on the man page on this particular
> machine.
> 
> snip
> 
> > > What does "failed" mean? Didn't work at all, permission problem, or
> > what?
> > >
> 
> Aplologies for not posting the output.  Here it is:
> 
> Using smbclient works:
> 
> [EMAIL PROTECTED] shawn]$ smbclient //testtech/shawn -U shawn
> Password:
> smb: \> ls
>   .  DA0  Thu Mar 11 11:53:32 2004
>   .. DA0  Thu Mar 11 11:53:32 2004
>   New Folder  D0  Thu Mar 11 11:53:32 2004
>  
> 49580 blocks of size 65536. 48830 blocks available
> smb: \> quit
> 
> Using smbmount fails.  I am unsure how to install smbmnt as suid root:
> 
> [EMAIL PROTECTED] shawn]$ smbmount //testtech/shawn /home/shawn/mnt
> username=shawn uid=shawn gid=shawn fmask=0755 gmask=0755 workgroup=tech rw
> Password:
> smbmnt must be installed suid root for direct user mounts (503,503)
> smbmnt failed: 1
> 
> Attempted as root:
> 
>  [EMAIL PROTECTED] root]# smbmount //testtech/shawn /home/shawn/mnt
> username=shawn uid=root gid=root fmask=0755 gmask=0755 workgroup=tech rw
> Password:
> 4606: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
> SMB connection failed


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Trouble mounting a windows share from Linux

[Fernando Pintabona]

Right at the end of smbmount man page, you have an example using mount.
SMB type of filesystem is the way linux sees a SAMBA (or NT
domain/workgroup )share. You may want to try specifying the domain also.

Fernando P

On Thu, 2004-03-11 at 16:21, =?iso-8859-1?Q? Stefan=20G=FCnther ?=
wrote:
>  > First off, I need to somehow connect the workstations to these shares after 
> > the user logs in.  I can successfully connect to them with smbclient, but I 
> > need a much more user friendly connection, such as a mount point using 
> > smbmount.  My attempts to use smbmount have failed,  
> > 
> What does "failed" mean? Didn't work at all, permission problem, or what? 
>  
> >and I was a bit 
> > discouraged when I read through the man page and noted that smbmount is for 
> > "Linux smb filesystems."  Does that mean that smbmount will only work with a 
> > samba server, not an NT server? 
> > 
> Well, I' m sure that I have used smbmount to connect to Windows servers in the past. 
>
> Stefan 
> --   
>   
> *  
> in-put GbR - Das Linux-Systemhaus  
> Stefan-Michael Günther  
> Moltkestraße 49   D-76133 Karlsruhe  
> Tel./Fax : +49 (0)721 / 83044 - 98/93  
> http://www.in-put.de/  
> *  
> ___
> ... and the winner is... WEB.DE FreeMail! - Deutschlands beste E-Mail
> ist zum 39. Mal Testsieger (PC Praxis 03/04) http://f.web.de/?mc=021191


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba and LDAP backend - howto docs problems?

[Fernando Pintabona]

here:
http://www.amazon.com/exec/obidos/tg/detail/-/0131472216/qid=1079009247/sr=1-1/ref=sr_1_1/103-1507164-4910244?v=glance&s=books

A really good place to start ;)

On Thu, 2004-03-11 at 13:39, Beast wrote:
> * Graham Leggett <[EMAIL PROTECTED]> nulis:
> 
> > Excessive documentation is one of the biggest problems I have found with 
> > software projects, both open source and commercial. People begin skim 
> > reading them because they just go on too long, or by the time you've 
> > reached chapter 14, you forgot that little snippet of information that > was 
> > mentioned in chapter 2.
> 
> Yes, we need a samba quick start guide, which must conform to the latest release.
>  
> Who will take this project? ;-)
> 
> > 
> > Regards,
> > Graham
> > --
> 
> 
> 
> --beast


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Group owner ID not mapped to name.

[Fernando Ruza]

Hi,

I'm using samba as a member of a W2k domain (security=DOMAIN) and
winbind to unify logins with users from the W2k. The problem is that
when I assign an owner user and group to a file/directory in the samba
server the group is not mapped to the name of the group, the user is ok.
Instead it appears the group number.

[EMAIL PROTECTED] fruza]# ls -l
total 8
drwxrwxr-x2 HGUV+fruza 14096 dic 18 15:21 kk

The group 1 is "HGUV+Usuarios del dominio", in English "HGUV+Domain
users" however the name doesn't appear. Anyone knows why ?? How can I
solve it ?? It's not very important however I'd like to see the group
name instead the number.

wbinfo -u, wbinfo -g, getent passwd, getent group everytying works ok.

My smb.conf is:

# Global parameters
[global]
workgroup = HGUV
server string = %h server (Samba %v)
security = DOMAIN
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
winbind separator = +
printing = lprng

[homes]
comment = Homes: (%u) (%U) (%D\%S)
path = /home/%D/%U
read only = No
create mask = 0664
directory mask = 0775
browseable = No

[Prueba]
comment = Pruebas (usuario: %u o tambien: %D+%U)
path = /home/prueba
valid users = HGUV+fruza, HGUV+administrador
read only = No
guest ok = Yes

[tmp]
comment = Temporary file space
path = /tmp
force user = inform
force group = inform
read only = No
    guest ok = Yes


Regards,

Fernando.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] ADS and Winbind ... Can't access with Samba host name ...

[Fernando Ruza]

Hi,

On Wed, 2003-12-24 at 09:12, C.Lee Taylor wrote:
>   Samba 3.0.1 as a domain member of Win2K3 AD, I have had problems, which
> I have not been able to fix, so I am staying with Samba 3.0.1 as PDC.
>
>   Samba 3.0.0 as a domain member of Win2K3 AD, works fine, but I need the
> other fixes that have gone into Samba 3.0.1, so Samba 3.0.0 is still on
> my testing system until I can find the problem with Samba 3.0.1 or the
> next upgrade ...
>

I completely agree. I'm setting up a production machine as a file server
and for the moment I'm going to set it up as a security=DOMAIN which is
totaly valid for me. However, in a test machine I will follow testing AD
domain member of Win2K and wait for the following release to see if it
works.

Thanks,

Fernando.



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] ADS and Winbind ... Can't access with Samba host name ...

[Fernando Ruza]

Thank for the reply Tim,

On Tue, 2003-12-23 at 17:53, Tim Jordan wrote:
> Please provide your OS platform, ./configure options, design goals
> etc...

I'm using RH8.0 with kerberos 1.3.1 (from source tar.gz) and package
pam_krb5-1.60-1 compiled from source.rpm against kerberos 1.3.1 libs.
I've used samba 3.0.0, 3.0.1rc2 and 3.0.1 compiled from source.rpm with
the following options:

--prefix=%{prefix} \
--localstatedir=/var \
--with-configdir=/etc/samba \
--with-privatedir=/etc/samba \
--with-fhs \
--with-quotas \
--with-smbmount \
--with-pam \
--with-pam_smbpass \
--with-syslog \
--with-utmp \
--with-sambabook=%{prefix}/share/swat/using_samba \
--with-swatdir=%{prefix}/share/swat \
--with-libsmbclient \
--sysconfdir=/etc/samba \
--with-ldap \
--with-ads \
--with-krb5=/usr/local/krb5 \
--with-winbind \
--with-acl-support

Regards and happy christmas,

Fernando.



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] ADS and Winbind ... Can't access with Samba host name ...

[Fernando Ruza]

Still with the problem. I have tested with the version 3.0.0 and right,
I can see the shares however cannot connect to the home shares or shares
with valid users option in smb.conf. Besides this version cannot
substitute correctly the %D %u %U %S variables. I have written them in
the comment option of a share and I can see that the values are not
correct. %D gives me the samba hostname, %S gives me "IPC_"

Trying with version 3.0.1 cannot see no shares.

Trying with version 3.0.1rc2, it's the same like 3.0.0, but it seems
that some variables are correct like %u but %U is empty. I don't know is
very strange. It worked once with this version after I changed the
password for the Administrator of my PDC/KDC and the user I use to test
the shares however in the next reboot of the WinXP client machine it
already doesn't work again.

I think that doing samba 3 be a member of AD is not working properly.
Does anyone got it ?? Could make a howto ?

Thanks in advance,

Fernando.


On Fri, 2003-12-19 at 14:00, C.Lee Taylor wrote:
> Greetings ...
>
> Sorry for the long post, but I prefer to keep a copy of what I think
> is need for this thread ...
>
> As requested, here are my smb.conf ... I have left in my comment to
> show what I have been changing and see if it makes a differance ... plus
> some shares ( not all that I use ) ...
>
> # Global parameters
> [global]
> workgroup = TEST-ZA
> realm = TEST-ZA.CORP
> security = ads
> #   netbios aliases = nasrec
> server string = Samba Server %v %h
> interfaces = eth0*,lo
> bind interfaces only = Yes
> #   encrypt passwords = Yes
> #   update encrypted = Yes
> #   min passwd length = 4
> #   pam password change = Yes
> #   passwd program = /usr/bin/passwd %u
> #   passwd chat debug = Yes
> #   unix password sync = Yes
> #   username map = /etc/samba/smbusers
> #   admin users = administrator, TEST-ZA\administrator
> log file = /var/log/samba/%m.log
> max log size = 150
> time server = Yes
> unix extensions = Yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> logon script = login.bat
> logon drive = l:
> domain logons = no
> #   lm announce = yes
> preferred master = no
> domain master = no
> #   dns proxy = yes
> #   wins support = yes
> #   wins server = *
> #   wins server = naszadc01.test-za.corp, naszadc02.test-za.corp
> wins server = 10.1.1.16, 10.1.1.17
> utmp = Yes
> message command = /bin/mail -s 'message from %f on %m' root <
> %s; rm %s
> comment = Test Nasrec Linux Box
> create mask = 0660
> force create mode = 0660
> directory mask = 0770
> force directory mode = 0770
> inherit permissions = Yes
> map archive = No
>
> #   name resolve order = host, wins
> #   password server = *
> password server = 10.1.1.16, 10.1.1.17
>
> #   ldap suffix = dc=test-za,dc=corp
> #   ldap idmap suffix = ou=idmap
> #   ldap admin dn = cn=root,dc=test-za,dc=corp
> ldap suffix = dc=test,dc=co,dc=za
> ldap admin dn = cn=Manager,dc=test,dc=co,dc=za
> ldap idmap suffix = ou=idmap
> #   ldap ssl = start tls
> ldap ssl = no
> #   ldap passwd sync = yes
>
> #   winbind separator = +
> #   idmap backend = ldap:ldap://localhost
> idmap backend = ldap:ldap://zeus.test.co.za
> idmap uid = 1-2
> idmap gid = 1-2
>
> #   client schannel = no
> #   server schannel = no
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> #   winbind trusted domains only = yes
>
> #   template shell = /sbin/nologin
> #   template shell = /bin/bash
> #   template homedir = /home/%D/%U
> template homedir = /home/TEST-ZA/%U
>
> load printers = yes
> printing = cups
> printcap = cups
>
> #   log level = 1
>
> #   guest account = NULL
> restrict anonymous = yes
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> guest ok = Yes
> printable = Yes
> browseable = No
> public = yes
> writable = no
> write list = root, Administrator, TEST-ZA\Administrator
> printer admin = root, Administrator, TEST-ZA\Administrator
> vfs object = extd_audit
>
> [print$]
> comment = Printer Driver Download Area
> path = /home

Re: [Samba] ADS and Winbind ... Can't access with Samba host name ...

[Fernando Ruza]

Same problem, same error log messages. I'm using samba 3.0.1rc2 with
kerberos 1.3.1. Everything following is working:

wbinfo -u, wbinfo -g, getent passwd, getent group
wbinfo -I ip_address, wbinfo -N netbios_name
smbclient //Server/share -k
net lookup dc
net lookup kdc -> No output, and echo $? gives me: 255

Connecting from Win2k/XP clients to a samba share (share with valid user
option in smb.conf) using netbios name it doesn't work, using IP address
it works.

When I use IP address it uses NTLM authentication, that's why it works,
however when I use netbios name it uses kerberos and that's what it
doesn't work. I think it's something wrong in the configuration of
kerberos. My krb5.conf file is:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = HGUV.LOCAL
 default_tgs_enctypes = des-cbc-crc des-cbc-md5
 default_tkt_enctypes = des-cbc-crc des-cbc-md5
 clockskew = 600
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_req_checksum_type = 2
 checksum_type = 2
 ccache_type = 1
 forwardable = true
 proxiable = true

[realms]
 HGUV.LOCAL = {
  kdc = 10.36.192.24:88
  admin_server = 10.36.192.24:749
  default_domain = hguv.local
 }

[domain_realm]
 .hguv.local = HGUV.LOCAL
 hguv.local = HGUV.LOCAL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[login]
 krb4_convert = false
 krb4_get_tickets = false


Thanks for any reply.

Regards,

Fernando.



On Fri, 2003-12-19 at 05:50, Peter wrote:
> It appears there are a number of us with this exact same problem. I
> posted this same question a few days ago and have seen 2 or 3 others
> mention the same symptoms since then but have yet to see any specific
> sollution.
>
> I assumed this would be an issue with WINS but I've tested WINS lookups
> from both Windows clients, Linux clients and Samba server and all seem
> to function properly.
>
> The fact that my net lookup all work fine is the only difference between
> our problems.
>
> [log.smbd]
>
> [2003/12/17 18:40:04, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>   Failed to verify incoming ticket!
>
> [lob.winbindd]
>
> [2003/12/17 18:39:58, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
>   krb5_cc_get_principal failed (No credentials cache found)
>
>
> Would appreciate some direct answers to this problem regarding WINS host
> vs. IP address share mapping from Windows clients.
>
> Thanks,
>
> Peter
>
>
> 
> > From: C.Lee Taylor <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: [Samba] ADS and Winbind ... Can't access with Samba host name ...
> > Date: Thu, 18 Dec 2003 16:59:28 +0200
> >
> > Greetings ...
> >
> > It seems I have really got myself confused ...
> >
> > I have a Win2K3 ADS domain, I have two FedoraCore systems, one with
> > Samba 3.0.0 and the other with Samba 3.0.1.  Both give me the same problem.
> >
> > If I try access the Samba shares from Win2K3 using the host number,
> > I get prompted for a username and password, and no matter what I type
> > in, I can't get in.
> >
> > If I use the Samba server IP address, I am able to get into shares
> > without been prompted for user details, but Point'nPrint don't work, it
> > too requests user details.
> >
> > I do seem to be getting two errors in my logs ... First in smbd.log
> >
> > [2003/12/18 13:50:19, 0] lib/util_sock.c:get_peer_addr(948)
> >   getpeername failed. Error was Transport endpoint is not connected
> > [2003/12/18 16:18:07, 0] lib/util_sock.c:get_peer_addr(948)
> >   getpeername failed. Error was Transport endpoint is not connected
> >
> > And the other in the machine log with the IP address eg ...
> > 10.1.1.20.log
> > [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> >   Failed to verify incoming ticket!
> > [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> >   Failed to verify incoming ticket!
> >
> > But in the machine log with the hostname, I am getting normal
> > messages ...
> >
> > I have tried to make changes in /etc/krb5.conf, but I don't get any
> > further ...
> >
> > I have tried a few status checks with net, all hosts work fine ...
> >
> > [EMAIL PROTECTED] samba]# net lookup ldap
> > 10.1.1.16:389
> > 10.1.1.17:389
> >
> > [EMAIL PROTECTED] samba]# net lookup dc
> > 10.1.1.16
> > 10.1.1.17
> >
> > But net lookup kdc, master domain don't return any thing, so I don't
> > know what else to look for ...
> >
> > Thanks
> > Mailed
> > Lee

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] ADS and Winbind ... Can't access with Samba host name ...

[Fernando Ruza]

I'd like to have a copy of your smb.conf and krb5.conf files. I have had
the same problem like you for weeks and still without success.

Thanks C.Lee.

Fernando.


On Fri, 2003-12-19 at 10:41, C.Lee Taylor wrote:
> Greetings ...
>
> > please file a bug for me and we'll work on
>
> Still waiting for an account ... sorry, I don't have time to wait
> around, I have to fix this problem chop chop ... ;-}
>
> > getting this resolved.  This is the 3rd report
> > of the same symptoms.   Thanks.
>
> Okay, first I throught that maybe this a problem with Samba3, but I
> know that I have been able to use this, so I tried on both Samba 3.0.0
> (FC1 rpms ) and Samba 3.0.1 ( compiled on FC1 by myself rpms ) ...
>
> At first I had no joy with either, so I throught that maybe I had
> done something wrong ( blush! ) ... So, I went back to basics ... I
> found that if I removed all the funky options in /etc/krb5.conf and used
> Samba 3.0.0, all seems to work fine ( expect for know bugs in 3.0.0,
> understandable ) ... I think upgraded to Samba 3.0.1, and I could not
> access the Samba server again using is hostname ...
>
> So now I have two servers for test, both with FC1 and all the
> updates, one with Samba 3.0.0 ( FC1 rpms ) and the other with Samba
> 3.0.1 ( self maybe rpms ).
>
> If anybody wants a copy of my smb.conf and krb5.conf, let me know.
>
> Thanks
> Mailed
> Lee
>
> > |I have a Win2K3 ADS domain, I have two FedoraCore systems, one with
> > | Samba 3.0.0 and the other with Samba 3.0.1.  Both give me the same
> > problem.
> > |
> > |If I try access the Samba shares from Win2K3 using the host
> > number, I
> > | get prompted for a username and password, and no matter what I type in,
> > | I can't get in.
> > |
> > |If I use the Samba server IP address, I am able to get into shares
> > | without been prompted for user details, but Point'nPrint don't work, it
> > | too requests user details.
> > |
> > |I do seem to be getting two errors in my logs ... First in smbd.log
> > |
> > | [2003/12/18 13:50:19, 0] lib/util_sock.c:get_peer_addr(948)
> > |  getpeername failed. Error was Transport endpoint is not connected
> > | [2003/12/18 16:18:07, 0] lib/util_sock.c:get_peer_addr(948)
> > |  getpeername failed. Error was Transport endpoint is not connected
> > |
> > |And the other in the machine log with the IP address eg ...
> > |10.1.1.20.log
> > | [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > |  Failed to verify incoming ticket!
> > | [2003/12/18 14:51:23, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > |  Failed to verify incoming ticket!
> > |
> > |But in the machine log with the hostname, I am getting normal
> > | messages ...
> > |
> > |I have tried to make changes in /etc/krb5.conf, but I don't get any
> > | further ...
> > |
> > |I have tried a few status checks with net, all hosts work fine ...
> > |
> > | [EMAIL PROTECTED] samba]# net lookup ldap
> > | 10.1.1.16:389
> > | 10.1.1.17:389
> > |
> > | [EMAIL PROTECTED] samba]# net lookup dc
> > | 10.1.1.16
> > | 10.1.1.17
> > |
> > |But net lookup kdc, master domain don't return any thing, so I don't
> > | know what else to look for ...
>
>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Windows 2000 and krb5 tickets...SOLVED

[Fernando Ruza]

Hi Tim,

I'm still with the krb5_tickets+AD problem. It worked for me once and I
still don't know what I did. I thought it was the Administrator password
change however I've done a clean installation in another server (RH8
again and krb5 1.3.1 and samba_3.0.1rc2) and I have again the same
problem.

Could you give me your "klist -e" output for your KDC server ticket I'd
like to compare it with mine. I still have the encryption to
ARCFOUR-HMAC-MD5 for my KDC server and I cannot change to DES-CBC-MD5
although I have the following lines in my /etc/krb5.conf file:

default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
# Commented out the following line.
# permitted_enctypes = des-cbc-md5 des-cbc-crc

How can I change it to DES-CBC-MD5 ??
The ticket for my kdc server is:

12/18/03 11:15:22  12/18/03 21:03:19  [EMAIL PROTECTED]
renew until 12/19/03 10:14:31, Etype (skey, tkt): ArcFour with HMAC/md5,
ArcFour with HMAC/md5

Thanks and regards,

Fernando.


On Fri, 2003-12-12 at 21:56, Tim Jordan wrote:
> Browsing is working from my W2K and XP clients to the samba server
> using kerberos.
> Samba Server is joined to Active Directory as a Domain Member server.
>
> I commented out the following line of my krb5.conf:
>
> #permitted_enctypes = des-cbc-crc des-cbc-md5
>
> Make sure these lines are correct:
>  default_tgs_enctypes = des-cbc-crc des-cbc-md5
>  efault_tkt_enctypes = des-cbc-crc des-cbc-md5
>
> *Make sure to stop and restart smbd, nmbd, and winbindd.  These
> changes did nothing for me until I restarted at least winbindd.
>
>
> I set this up with Mandrake 9.2 using samba3.0.1-0.pre3.2mdk.i586
> rpm's from:
> http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1/
>
>
> I'm working on a final write up of my configuration if anyone is
> interested in creating an Active Directory member server running Samba
> 3.
>
> Thanks to Jeff Jordan with the State of Alaska, Dept. of Labor for
> lending his Windows expertise!
>
> Tim
>
>
>
>
> On Fri, 2003-12-12 at 08:07, Tom Dickson wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > You can try running the
> >
> > strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> >
> > command and looking at what you get. 1-3-1 or something is MIT.
> >
> > Also, I'm wondering if the fact that you can connect by IP and not by
> > name indicates that the 2000 server is looking up the name in, say, DNS
> > only and ignoring WINS. Perhaps my WINS server is misconfigured.
> >
> > Well, I have to run Netbench tests, so I just dropped back to NT4 style
> > auth, which works fine for me.
> >
> > - -Tom
> >
> > Tim Jordan wrote:
> >
> > | Perhaps we can work together.  Jerry mentioned in previous posts about
> > | the encryption options if the krb5.conf.
> > | The Official Samba How To states: " On a Windows 2000 client, try /net
> > | use * \\server\share/.  You should be logged in with Kerberos without
> > | needing to know a password.  If this fails then run /klist tickets./
> > | Did you get a tecket for the server?  Does it have an encryption type of
> > | DES-CBC-MD5?"
> > |
> > | "Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
> > | encoding."
> > |
> > | I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
> > | Jerry sugested:
> > |
> > | /etc/krb5.conf:
> > |
> > |>[EMAIL PROTECTED] samba3]# cat /etc/krb5.conf
> > |>[logging]
> > |> default = FILE:/var/log/kerberos/krb5libs.log
> > |> kdc = FILE:/var/log/kerberos/krb5kdc.log
> > |> admin_server = FILE:/var/log/kerberos/kadmind.log
> > |>
> > |>[libdefaults]
> > |> ticket_lifetime = 24000
> > |> default_realm = LABOR.AK
> > |> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
> > |> default_tkt_enctypes = des-cbc-md5 des-cbc-crc
> > |> permitted_enctypes = des-cbc-md5 des-cbc-crc
> > |> dns_lookup_realm = false
> > |> dns_lookup_kdc = false
> > |> kdc_req_checksum_type = 2
> > |> checksum_type = 2
> > |> ccache_type = 1
> > |> forwardable = true
> > |> proxiable = true
> > |>
> > |>[realms]
> > |> LABOR.AK = {
> > |>  kdc = MY-KDC.LABOR.AK:88
> > |>  admin_server = MY-KDC.LABOR.AK:749
> > |>  default_domain = LABOR.AK
> > |> }
> > |>
> > |>[domain_realm]
> > |> .LABOR.AK = LABOR.AK
> > |>
> > |>[kdc]
> > |> profile = /etc/kerberos/krb5kdc/kdc.conf
> > |>
> > 

[Samba] Problem with admin users

[Luiz Fernando Aguiar Leme]

Hi all,

on my smb.conf, contents the following lines:

admin users = root claudio roberto
security = server

when this users save  or write files on shared folders, they saves with
root:wheels.

How do i force this users to save your own user:group and not root:wheels???

On the shared folders contents the following lines, for example:

[publico]
   comment = Diretorio publico
   path = /usuarios/publico
   public = yes
   writable = yes
   security mask = 770
   create mask = 0770
   force create mode = 770
   force directory mode = 770
   force security mode = 770
   printable = no

thanks!

- Original Message - 
From: "Dragan Krnic" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, December 15, 2003 10:48 AM
Subject: [Samba] Re: Profile privelege problem


> > ...
> > I used the latest and greatest SuSE 9.0 Professional...
> > I then installed all the latest patches via YaST.  That
> > gives me a kernel of 2.4.21 (-144 in SuSE speak) and
> > Samba 2.2.8a
> >
> > I had the configuration backed up on another box, so I
> > used that as the base for Samba 2.2.8a.  I have tried
> > chmod, chown of various directories, making profile
> > world readable, writeable, executeable, all to no avail.
> > have tried commenting out various lines as suggested by
> > other posts...also to no avail.
> >
> > W2K reports it can not find roaming profile, and then
> > also reports it can not find a local profile, and signs
> > the user (any user) on with a "temp" profile.  All drive
> > mappings are available, just no profiles, recent lists, etc...
> >
> > Samba log is showing:  api_samr_set_userinfo: Unable to
> > unmarshall SAMR_SET_Q_USERINFO
> >
> > bumping the samba log level, verifies that I am going after
> > the user profile and I am "dying" because of lack of
> > privelegesyet I can ssh into the box as a user and read
> > or touch or execute anything I want !?
>
> Must be something trivial, but whoever wants to help you will
> need your smb.conf to see how you set it up. I can suggest
> relevant options how I handle the profiles:
>
> [global]
>...
>logon path = \\p90.p1.n.d.d\profiles\%U
>domain logons = Yes
>create mask = 0664
>directory mask = 0775
>...
>
> [profiles]
>path = /local/profiles
>valid users = %U
>read only = No
>inherit permissions = No
>security mask = 0777
>directory security mask = 0777
>browseable = No
>csc policy = disable
>
>
> My Samba server is a PDC for the domain with wins and all.
> It runs SuSE 8.2 (kernel 2.4.20-86) but that shouldn't matter.
> The permissions on user profile directories are all "drwx--S--".
> All directories belong to individual users, group "users".
>
> If you can't recognize what your problem is, enclose smb.conf
> next time.
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Windows 2000 and krb5 tickets...SOLVED

[Fernando Ruza]

Well, I think I have already solved my problem.

I've changed the Administrator password (as it says in the samba howto
page 84, 7.4.6. Notes) and now it works great :-D

However, I have a doubt. After mapping from win2k client using:

net use * \\MySambaServer\share

The share is mapped properly but in my samba server I don't have a
ticket for this win2k client:

[EMAIL PROTECTED] samba]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting ExpiresService principal
12/15/03 10:57:13  12/15/03 20:57:14  krbtgt/[EMAIL PROTECTED]
renew until 12/16/03 10:57:13, Etype (skey, tkt): DES cbc mode with
CRC-32, DES cbc mode with CRC-32
12/15/03 10:57:49  12/15/03 20:57:14  [EMAIL PROTECTED]
renew until 12/16/03 10:57:13, Etype (skey, tkt): ArcFour with
HMAC/md5, ArcFour with HMAC/md5
12/15/03 10:57:49  12/15/03 20:57:14  kadmin/[EMAIL PROTECTED]
renew until 12/16/03 10:57:13, Etype (skey, tkt): DES cbc mode with
CRC-32, DES cbc mode with CRC-32


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


Should I have got one ticket for each Win2k or XP client connected ?? Is
this correct ??

Thanks in advanced,

Fernando.


On Mon, 2003-12-15 at 10:57, Fernando Ruza wrote:
> Hi,
>
> I did what you advise. I still have the same problem. Can see the shares
> from Win2k and XP but cannot browse the share that need authentication
> (valid users). I can map them with IP address but not with netbios name.
> I don't get any ticket from win2k and XP clients.
>
> All of the following works right: net ads leave, net ads join, wbinfo
> -u, wbinfo -g, getent passwd, getent group, smbclient
> //win2k_server/share -k
>
> Could you see something wrong in my conf files?? Any more things to try
> ??
>
> My krb5.conf file is the following:
>
> === krb5.conf ==
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  ticket_lifetime = 24000
>  default_realm = HGUV.LOCAL
>  default_etypes = des-cbc-crc des-cbc-md5
>  default_etypes_des = des-cbc-crc des-cbc-md5
>  default_tgs_enctypes = des-cbc-crc des-cbc-md5
>  default_tkt_enctypes = des-cbc-crc des-cbc-md5
> # permitted_enctypes = des-cbc-md5 des-cbc-crc
>  kdc_req_checksum_type = 2
>  clockskew = 600
>  dns_lookup_realm = false
>  dns_lookup_kdc = true
>  forwardable = true
>  proxiable = true
>  checksum_type = 2
>  ccache_type = 1
>
> [realms]
>  HGUV.LOCAL = {
>   kdc = 10.36.192.24:88
>   admin_server = 10.36.192.24:749
>   default_domain = hguv.local
>  }
>
> [domain_realm]
>  .hguv.local = HGUV.LOCAL
>  hguv.local = HGUV.LOCAL
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>debug = false
>ticket_lifetime = 36000
>renew_lifetime = 36000
>forwardable = true
>krb4_convert = false
>  }
>
> [login]
>  krb4_convert = false
>  krb4_get_tickets = false
>
> 
>
> The tickets I get are:
>
> [EMAIL PROTECTED] etc]# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [EMAIL PROTECTED]
>
> Valid starting ExpiresService principal
> 12/15/03 09:34:53  12/15/03 19:34:54  krbtgt/[EMAIL PROTECTED]
>   renew until 12/16/03 09:34:53, Etype (skey, tkt): DES cbc mode with
> CRC-32, DES cbc mode with CRC-32
> 12/15/03 09:35:09  12/15/03 19:34:54  [EMAIL PROTECTED]
>   renew until 12/16/03 09:34:53, Etype (skey, tkt): ArcFour with
> HMAC/md5, ArcFour with HMAC/md5
> 12/15/03 09:35:09  12/15/03 19:34:54  kadmin/[EMAIL PROTECTED]
>   renew until 12/16/03 09:34:53, Etype (skey, tkt): DES cbc mode with
> CRC-32, DES cbc mode with CRC-32
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> =
>
> I don't get a ticket for Win2k and XP clients.
> More interested info:
>
>  libs used by winbindd and smbd 
> [EMAIL PROTECTED] sbin]# ldd winbindd
>   libcrypt.so.1 => /lib/libcrypt.so.1 (0x4002c000)
>   libresolv.so.2 => /lib/libresolv.so.2 (0x4005a000)
>   libnsl.so.1 => /lib/libnsl.so.1 (0x4006c000)
>   libdl.so.2 => /lib/libdl.so.2 (0x40081000)
>   libpopt.so.0 => /usr/lib/libpopt.so.0 (0x40084000)
>   libcrypto.so.2 => /lib/libcrypto.so.2 (0x4008c000)
>   libgssapi_krb5.so.2 => /usr/local/lib/libgssapi_krb5.so.2 (0x4016)
>   libkrb5.so.3 => /usr/local/lib/libkrb5.so.3 (0x40172000)
>   lib

Re: [Samba] Windows 2000 and krb5 tickets...SOLVED

[Fernando Ruza]

   libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40286000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40292000)

 kerberos version ===

[EMAIL PROTECTED] sbin]# strings /usr/local/lib/libkrb5.so.3.2 | grep BRAND
KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730

 ld.so.conf =

/usr/local/lib
/usr/X11R6/lib
/usr/lib/mysql
/usr/lib/qt-3.0.5/lib
/usr/lib/sane
/usr/lib/qt2/lib
/usr/lib/wine

= smb.conf 
[global]
workgroup = HGUV
realm = HGUV.LOCAL
server string = %h server (Samba %v)
security = ADS
password server = 10.36.192.24
log level = 2 winbind:5
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
winbind separator = +
printing = lprng

[homes]
comment = Home Directories
path = /home/%U
valid users = %D+%U
read only = No
create mask = 0664
directory mask = 0775
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[tmp]
comment = Temporary file space
path = /tmp
force user = inform
force group = inform
read only = No
guest ok = Yes

[Intranet]
comment = DocumentRoot del servidor web de la intranet del HGUV
path = /var/www
valid users = root, HGUV+Administrador, HGUV+fruza, HGUV+bperez
force user = inform
force group = inform
read only = No
create mask = 0777
directory mask = 0777

[mysql]
comment = Base de datos mysql
path = /var/lib/mysql
force user = inform
force group = inform
read only = No
guest ok = Yes

=

Thanks in advanced for any reply,

Fernando.


On Fri, 2003-12-12 at 21:56, Tim Jordan wrote:
> Browsing is working from my W2K and XP clients to the samba server
> using kerberos.
> Samba Server is joined to Active Directory as a Domain Member server.
>
> I commented out the following line of my krb5.conf:
>
> #permitted_enctypes = des-cbc-crc des-cbc-md5
>
> Make sure these lines are correct:
>  default_tgs_enctypes = des-cbc-crc des-cbc-md5
>  efault_tkt_enctypes = des-cbc-crc des-cbc-md5
>
> *Make sure to stop and restart smbd, nmbd, and winbindd.  These
> changes did nothing for me until I restarted at least winbindd.
>
>
> I set this up with Mandrake 9.2 using samba3.0.1-0.pre3.2mdk.i586
> rpm's from:
> http://ranger.dnsalias.com/mandrake/9.2/samba-3.0.1/
>
>
> I'm working on a final write up of my configuration if anyone is
> interested in creating an Active Directory member server running Samba
> 3.
>
> Thanks to Jeff Jordan with the State of Alaska, Dept. of Labor for
> lending his Windows expertise!
>
> Tim
>
>
>
>
> On Fri, 2003-12-12 at 08:07, Tom Dickson wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > You can try running the
> >
> > strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> >
> > command and looking at what you get. 1-3-1 or something is MIT.
> >
> > Also, I'm wondering if the fact that you can connect by IP and not by
> > name indicates that the 2000 server is looking up the name in, say, DNS
> > only and ignoring WINS. Perhaps my WINS server is misconfigured.
> >
> > Well, I have to run Netbench tests, so I just dropped back to NT4 style
> > auth, which works fine for me.
> >
> > - -Tom
> >
> > Tim Jordan wrote:
> >
> > | Perhaps we can work together.  Jerry mentioned in previous posts about
> > | the encryption options if the krb5.conf.
> > | The Official Samba How To states: " On a Windows 2000 client, try /net
> > | use * \\server\share/.  You should be logged in with Kerberos without
> > | needing to know a password.  If this fails then run /klist tickets./
> > | Did you get a tecket for the server?  Does it have an encryption type of
> > | DES-CBC-MD5?"
> > |
> > | "Samba can use both DES-CBC-MD5 encryption as well as ARCFOUR-HMAC-MD5
> > | encoding."
> > |
> > | I went ahead and added the DES-CBC-MD5 encryption to my krb5.conf as
> > | Jerry sugested:
> > |
> > | /etc/krb5.conf:
> > |
> > |>[EMAIL PROTECTED] samba3]# cat /etc/krb5.conf
> > |>[logging]
>

Re: [Samba] Windows 2000 and krb5 tickets.

[Fernando Ruza]

Same problem. I have been with it for weeks. I can connect using IP
address from the Win2k clients however with the netbios name I get the
error.

Someone has told me today that this was solved in the new release
samba-3.0.1rc2-1 , however I've already tested it and I still have the
same problem.

Please any more clues.

Thanks,

Fernando.


On Fri, 2003-12-12 at 00:26, Tim Jordan wrote:
> I'm getting same error about encryption ...
>
> I have taken Tom's lead and have provided the output below.  Is there a
> certain version of krb5 that we should be running?
>
>
> [EMAIL PROTECTED] tim]# smbd3 --version
> Version 3.0.1pre3
>
> [EMAIL PROTECTED] tim]# strings /usr/lib/libkrb5.so.3.2 | grep BRAND
> KRB5_BRAND: krb5-1-3-final 1.3 20030708
>
> I'm running Mandrake 9.2
>
> Thank You Samba Team!
> Tim
>
> On Thu, 2003-12-11 at 13:59, Tom Dickson wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > OK. I've done some more research, and here's what I get.
> >
> > smbd --version
> > Version 3.0.0
> >
> > strings libkrb5.so.3.2 | grep BRAND
> > KRB5_BRAND: krb5-1-3-1-final 1.3.1 20030730
> >
> > Everything seems to work, but trying to access the Samba server results in:
> >
> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(308)
> > ~  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt
> > integrity check failed
> > [2003/12/11 14:54:19, 3] libads/kerberos_verify.c:ads_verify_ticket(316)
> > ~  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
> > [2003/12/11 14:54:19, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
> > ~  Failed to verify incoming ticket!
> > [2003/12/11 14:54:19, 3] smbd/error.c:error_packet(109)
> > ~  error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX)
> > NT_STATUS_LOGON_FAILURE
> >
> > This is the same error you get if you're running the wrong KRB5 libs,
> > but I've the right ones. The windows 2000 machine is 5.00.2195
> >
> > Windows 2000 clients connect to the ADS server fine, and will connect to
> > the Samba server if you enter Username/Password. The 2000 server cannot
> > connect to the Samba machine at all, even with the right username/pass.
> >
> > Is there a magic registry setting I'm missing? I've changed the
> > Administrator password at least once.
> >
> > - -Tom
> > -BEGIN PGP SIGNATURE-
> > Version: GnuPG v1.2.2-nr2 (Windows 2000)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQE/2PbO2dxAfYNwANIRAmuuAKCI9NMssxwHqQlyF7njkP+sZBt3PQCfWApO
> > F9F+8BTOPIyoybZBYIlCouU=
> > =94FA
> > -END PGP SIGNATURE-

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] No credentials cache found

[Fernando Ruza]

Hi everybody,

Me and a lot of people around in the list we are having the following
problem for sometime without solution.

I'd like to join Win2000 AD with Samba. I have samba-3.0.1pre3-1
compiled with the last kerberos support (1.3.1). The steps I do are:

1. Leave the AD (if it was registered before)
   net ads leave
2. I open a kerberos session with the Administrator user
   kinit [EMAIL PROTECTED]
   Password: 
3. I newly join the AD using the kerberos session opened
   net ads join
   It succeds and after this I have three kerberos tickets however in
the winbindd.log I see the following error message, which I don't like
and I think that's the source of the problem:
[2003/11/24 11:00:16, 1] libsmb/clikrb5.c:ads_krb5_mk_req(269)
  krb5_cc_get_principal failed (No credentials cache found)

4. Everything seems to work: wbinfo -u , wbinfo -g , getent passwd ,
getent groups and wbinfo -t

5. Also it works the access to any share in the network from my Linux
box without having to authenticate:
   smbclient //Server-Name/share -k

6. However, trying to access from other windows workstation (Win2k or
WinXP) to the shares on my Linux box it asks me for a user and password
and I get the following error message in the log:
[2003/11/25 08:47:05, 1] smbd/sesssetup.c:reply_spnego_kerberos(210)
  Username (null) is invalid on this system

  But if I mount the share with IP address it works, however using the
netbios name of my Linux box it doesn't. Very strange, isn't it ?

Any help will be greatly appreciate.

Thanks in advance,

Fernando.

=== smb.conf file ===
# Global parameters
[global]
workgroup = HGUV
realm = HGUV.LOCAL
server string = %h server (Samba %v)
security = ADS
password server = 10.36.192.24
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
printing = lprng

[homes]
comment = Home Directories
path = /home/%U
valid users = %D+%U
read only = No
create mask = 0664
directory mask = 0775
browseable = No
=

=== krb5.conf ===
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = HGUV.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 HGUV.LOCAL = {
  kdc = 10.36.192.24:88
  admin_server = 10.36.192.24:749
 }

[domain_realm]
 .hguv.local = HGUV.LOCAL

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
=


--
Yo uso software libre, ¿Y tu?
¿Qué es el software libre? consulta: http://www.gnu.org/philosophy/free-sw.es.html

Fernando Ruza
e-mail: [EMAIL PROTECTED]
web: http://guada24.guadawireless.net
Tlf: 661123845
Yahoo! Messenger id: fruza
Linux user: #273644 (http://counter.li.org)
Debian Sid (Kernel 2.4.20 & ext3)

"In an internet without fences ... who needs 'gates'"

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba 3.0 client connection error

[Fernando Ruza]

Same like Tommy,

Anyone out there can help us. There are a lot of people with this
problem and without solution. We don't know if it's something wrong in
our configuration or it's a samba bug.

When I'm trying to access a share in my linux box from Win2k
or WinXP using the IP address of my linux box it works great, however
using the netbios name it doesn't work:

== Example ==
C:\>net use * \\HSERINT1\fruza
The password or name of the user it's not valid for \\HSERINT1\fruza.

Write the password for \\HSERINT1\fruza:
Sytem error 5.

Access denyed.

C:\>net use * \\10.36.192.17\fruza
The unit F: is connected to \\10.36.192.17\fruza.

The command has completed succesfully.

C:\>
=

In the samba log file I have the following error when I try to connect
using the netbios name:

[2003/11/18 14:01:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!

Winbind, getent, wbinfo, joining ads, kinit, klist everything works. My
smb.conf file is:

# Global parameters
[global]
workgroup = HGUV
realm = HGUV.LOCAL
server string = %h server (Samba %v)
security = ADS
password server = 10.36.192.24
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
printing = lprng

[homes]
comment = Home Directories
path = /home/%U
valid users = %D+%U
read only = No
create mask = 0664
directory mask = 0775
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[tmp]
comment = Temporary file space
path = /tmp
force user = inform
force group = inform
read only = No
guest ok = Yes

[Intranet]
comment = DocumentRoot del servidor web de la intranet del HGUV
path = /var/www
force user = inform
force group = inform
read only = No
create mask = 0777
directory mask = 0777
guest ok = Yes


Thanks in advance for any reply give us a clue.

Regards,

Fernando.



El mié, 19 de 11 de 2003 a las 08:02, Fallsen, Tommy escribió:
> Hi
> I successfully joined the AD as member server, smbclient
> hostname\\homes -U username works,
> but on a windows 2000 client connecting to the homes share using \\hostname
> failes with
>
> [2003/11/13 16:39:46, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>   Failed to verify incoming ticket!
> [2003/11/13 16:39:46, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>   Failed to verify incoming ticket!
> [2003/11/13 16:39:51, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>   Failed to verify incoming ticket!
> [2003/11/13 16:42:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>   Failed to verify incoming ticket!
> [2003/11/13 16:42:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>   Failed to verify incoming ticket!
> [2003/11/13 16:48:14, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>   Failed to verify incoming ticket!
> [2003/11/13 16:48:14, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
>   Failed to verify incoming ticket!
>
> Oddly connecting to the share \\ip-adress works just fine, no errors.
> Is there something wrong with my setup?
>
> My smb.conf
> [global]
>  workgroup = 
>  realm = .?.COM
>  netbios name =  hostname
>  security = ADS
>  password server = ads server
>  log file = /opt/samba/var/log.%m
>  max log size = 50
>  preferred master = No
>  local master = No
>  domain master = No
>  dns proxy = No
>  wins proxy = Yes
>  wins server = ?.?.?.?
>  remote announce = ?.?.?.?
>  NIS homedir = Yes
>
> [homes]
>  comment = Home Directories
>  read only = No
>  browseable = No
>
> [printers]
>  comment = All Printers
>  path = /usr/spool/samba
>  printable = Yes
>  browseable = No
>
>
>
> kdc.onf and krb5.conf
>
>
> #
> # Copyright 1998-2002 Sun Microsystems, Inc.  All rights reserved.
> # Use is subject to license terms.
> #
> #ident "@(#)kdc.conf 1.2 02/02/14 SMI"
>
> [kdcdefaults]
>  kdc_ports = 88,750
>
> [realms]
>  ___default_realm___ = {
>   profile = /etc/krb5/krb5.conf
>   database_name = /var/krb5/principal
>   admin_keytab = /etc/krb5/kadm5.keytab
>   acl_file = /etc/krb5/kadm5.acl
>   kadmind_port = 749
>   max_life = 8h 0m 0s
>   max_renewable_life = 7d 0h 0m 0s
>   default_principal_flags = +preauth
>  }
>
>
>
> #
> #pragma ident "@(#)krb5.conf 1.2 99/07/20 SMI"
> # Copyright (

Re: [Samba] WinXP/2k can't connect to Linux ADS member

[Fernando Ruza]

Hi all,

Regarding the problem I described in the mail attached bellow, I've
found that when I'm trying to access a share in my linux box from Win2k
or WinXP using the IP address of my linux box it works great, however
using the netbios name it doesn't work:

===
C:\>net use * \\HSERINT1\fruza
The password or name of the user it's not valid for \\HSERINT1\fruza.

Write the password for \\HSERINT1\fruza:
Sytem error 5.

Access denyed.

C:\>net use * \\10.36.192.17\fruza
The unit F: is connected to \\10.36.192.17\fruza.

The command has completed succesfully.

C:\>
===

In the samba log file I have the following error when I try to connect
using the netbios name:

[2003/11/18 14:01:49, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
  Failed to verify incoming ticket!

Winbind, getent, wbinfo, joining ads, kinit, klist everything works. My
smb.conf file is:

# Global parameters
[global]
workgroup = HGUV
realm = HGUV.LOCAL
server string = %h server (Samba %v)
security = ADS
password server = 10.36.192.24
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
printing = lprng

[homes]
comment = Home Directories
path = /home/%U
valid users = %D+%U
read only = No
create mask = 0664
directory mask = 0775
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[tmp]
comment = Temporary file space
path = /tmp
force user = inform
force group = inform
read only = No
guest ok = Yes

[Intranet]
comment = DocumentRoot del servidor web de la intranet del HGUV
path = /var/www
force user = inform
force group = inform
read only = No
create mask = 0777
directory mask = 0777
guest ok = Yes


Thanks in advance for any reply. Regards,

Fernando.


El lun, 27 de 10 de 2003 a las 12:53, Fernando Ruza escribió:
> Hi,
>
> I have a linux box configured with samba-3.0.1pre1-1 joined to my Win2k
> ADS domain.  I can succesfully use kinit and smbclient -k without
> entering a user/pass to connect to things on my network. Winbind,
> getent, wbinfo, ... everything works great however, from WinXP and Win2k
> client  hosts I cannot connect to my linux shares. From Win95/98 clients
> works great.
>
> Always that I connect from WinXP and Win2k hosts to the Linux shares it
> asks me for username/password authentication and none works. The error I
> get from WinXP, Win2k hosts is ALWAYS:
>
> [2003/09/29 11:09:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
>Username $ is invalid on this system
>
> No other errors.  I've tried setting client use spnego = no with no
> luck.
>
> This is very strange. I don't know what to do and where to see know. Any
> suggestions will be very apprecicate?
>
> Thanks in advance,
>
> Fernando.
>
>
> --
> Yo uso software libre, ¿Y tu?
> ¿Qué es el software libre? consulta: http://www.gnu.org/philosophy/free-sw.es.html
>
> Fernando Ruza
> e-mail: [EMAIL PROTECTED]
> web: http://guada24.guadawireless.net
> Tlf: 661123845
> Yahoo! Messenger id: fruza
> Linux user: #273644 (http://counter.li.org)
> Debian Sid (Kernel 2.4.20 & ext3)
>
> "In an internet without fences ... who needs 'gates'"
--
Yo uso software libre, ¿Y tu?
¿Qué es el software libre? consulta: http://www.gnu.org/philosophy/free-sw.es.html

Fernando Ruza
e-mail: [EMAIL PROTECTED]
web: http://guada24.guadawireless.net
Tlf: 661123845
Yahoo! Messenger id: fruza
Linux user: #273644 (http://counter.li.org)
Debian Sid (Kernel 2.4.20 & ext3)

"In an internet without fences ... who needs 'gates'"

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] ADS with Kerberos trust

[Fernando Fonseca]

Hi Fergus,

Look at the PDF included in the /doc directory source package of Samba caled 
HOWTO Collection, in the section 4.3.5 and 7.4 you will see how to do it.

I understand that just seting the 2 following parameters you say to AD to use 
Kerberos:
security = ADS
encrypt password = yes

To test your kerberos conection you can use kinit and klist, usualy placed in 
/usr/kerberos/bin.

[ ]'s


On Saturday 15 November 2003 01:42, Fergus wrote:
> Hi Fernando,
> We are using Samba 3 and I got it to authenticate to ADS.. But the key
> is to try and get it to authenticate to ADS using the alternative
> kerberos mapping.  When you do thi mapping in AD you can login using
> kerberos credentials.  I'm just not sure how to tell Samba to do this.
>
> Fergus
>
> -Original Message-
> From: Fernando Fonseca [mailto:[EMAIL PROTECTED]
> Sent: Friday, 14 November 2003 9:31 PM
> To: Fergus McKenzie-Kay; [EMAIL PROTECTED]
> Subject: Re: [Samba] ADS with Kerberos trust
>
>
> Fergus,
>
> What version of Samba are you using?
>
> With the version 3.0 if you set ¨encrypt password = yes¨ in smb.conf you
> will
> tell it to use Kerberos, but I think that you already do it.
>
> Other parameter is the ¨security = ADS¨ that enable the search in ADS.
>
> On Friday 14 November 2003 04:18, Fergus McKenzie-Kay wrote:
> > Hi,
> > We have an environment where we use LDAP and Kerberos and we are
> > having trouble setting up Samba with both of these. We also have a
> > win2k Active Directory server that has all the users mapped to our
> > kerberos realm.  Unfortunately when we try and configure to use the
> > Active Directory server for authentication it tries to use the native
> > win2k password and not the kerberos realm mapping. I have tried to set
> >
> > the smb.conf to the kerberos realm and the password server to the KDC
> > but I get: "session setup failed: NT_STATUS_NO_LOGON_SERVERS"
> >
> > Does anyone have any ideas how to make samba either use active
> > directory with the username mappings to kerberos?  Or simply use
> > kerberos authentication while and LDAP authorisation? I believe the
> > first solution would be easier as then AD would look after all the
> > details.. whereas when we tried to setup samba talking to kerberos and
> >
> > ldap, the ldap config needed changing and samba had to know how to
> > create users in kerberos and ldap.
> >
> > Any ideas would be appreciated.
> >
> > --
> > Fergus McKenzie-Kay <[EMAIL PROTECTED]>

-- 
Fernando Fonseca
Network Administrator
Tel: +55(11)4039-9260
Triaton do Brasil 
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] The boss will discharge me, I spoiled the system. HELP!

[Fernando Fonseca]

Ferreto,

Give more information about your problem, your configuration, message errors, 
logs,  etc.

There are a new version of Samba, released at November 14. I will try to solve 
some of my problems installing it.

[ ]'s
Fernando Fonseca
Network Administrator
Tel: +55(11)4039-9260
Triaton do Brasil 



On Monday 17 November 2003 10:25, Ferretero Herraduras Clavo wrote:
> I have a mixture network with WinXP machines and IRIX (UNIX of Silicon
> Graphics) machines. In the machine with IRIX (O2) there was an old version
> of samba. It worked well. But recently I've downloaded. I installed this
> new version, and I spoiled the system. Now I don't know if I have to
> reconfigure the smb.conf only or if I have to install more pakages or if I
> have to reconfigure several files... CAN ANYONE HELP ME???
>
> Ferretero
>
>
> -
>
> Antivirus • Filtros antispam • 6 MB gratis
> ¿Todavía no tienes un correo inteligente?

-- 

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] ADS with Kerberos trust

[Fernando Fonseca]

Fergus,

What version of Samba are you using?

With the version 3.0 if you set Âencrypt password = yes in smb.conf you will 
tell it to use Kerberos, but I think that you already do it.

Other parameter is the Âsecurity = ADSÂ that enable the search in ADS.








On Friday 14 November 2003 04:18, Fergus McKenzie-Kay wrote:
> Hi,
> We have an environment where we use LDAP and Kerberos and we are having
> trouble setting up Samba with both of these.
> We also have a win2k Active Directory server that has all the users
> mapped to our kerberos realm.  Unfortunately when we try and configure
> to use the Active Directory server for authentication it tries to use
> the native win2k password and not the kerberos realm mapping.
> I have tried to set the smb.conf to the kerberos realm and the password
> server to the KDC but I get:
> "session setup failed: NT_STATUS_NO_LOGON_SERVERS"
>
> Does anyone have any ideas how to make samba either use active directory
> with the username mappings to kerberos?  Or simply use kerberos
> authentication while and LDAP authorisation?
> I believe the first solution would be easier as then AD would look after
> all the details.. whereas when we tried to setup samba talking to
> kerberos and ldap, the ldap config needed changing and samba had to know
> how to create users in kerberos and ldap.
>
> Any ideas would be appreciated.
>
> --
> Fergus McKenzie-Kay <[EMAIL PROTECTED]>

-- 
Fernando Fonseca
Network Administrator
Tel: +55(11)4039-9260
Triaton do Brasil 
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Autenticating SQUID in ADS

[Fernando Fonseca]

Hi, 

I have to install a SQUID in my company and autenticate the users in a Active 
Directory, I have some questions about it:

1) The Better way to do it is diretct with a LDAP helper or using SAMBA 3.0. I 
don't need to do a trasparent autentication, the user will have to introduce 
login and password to use the brouser.

2) Trying do do it with a SAMBA I'm with a follow error message whem testing 
the wbinfo (wbinfo -u or -g) ¨Error looking up domain users¨.

3) Security is needed here, what's the most secure way to autenticate the 
users? 

4) We use QMAIL too and I want to autenticate the user in AD too, it will be 
good if I found a unique solution to both problems.

Thanks a lot!



-- 
Fernando Fonseca
Network Administrator
Tel: +55(11)4039-9260
Triaton do Brasil 
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] WinXP/2k can't connect to Linux ADS member

[Fernando Ruza]

Hi,

I have a linux box configured with samba-3.0.1pre1-1 joined to my Win2k
ADS domain.  I can succesfully use kinit and smbclient -k without
entering a user/pass to connect to things on my network. Winbind,
getent, wbinfo, ... everything works great however, from WinXP and Win2k
client  hosts I cannot connect to my linux shares. From Win95/98 clients
works great.

Always that I connect from WinXP and Win2k hosts to the Linux shares it
asks me for username/password authentication and none works. The error I
get from WinXP, Win2k hosts is ALWAYS:

[2003/09/29 11:09:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
   Username $ is invalid on this system

No other errors.  I've tried setting client use spnego = no with no
luck.

This is very strange. I don't know what to do and where to see know. Any
suggestions will be very apprecicate?

Thanks in advance,

Fernando.


--
Yo uso software libre, ¿Y tu?
¿Qué es el software libre? consulta: http://www.gnu.org/philosophy/free-sw.es.html

Fernando Ruza
e-mail: [EMAIL PROTECTED]
web: http://guada24.guadawireless.net
Tlf: 661123845
Yahoo! Messenger id: fruza
Linux user: #273644 (http://counter.li.org)
Debian Sid (Kernel 2.4.20 & ext3)

"In an internet without fences ... who needs 'gates'"

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] WinXP/2k can't connect to Linux ADS member

[Fernando Ruza]

Hi,

I have a linux box configured with samba-3.0.1pre1-1 joined to my Win2k
ADS domain.  I can succesfully use kinit and smbclient -k without
entering a user/pass to connect to things on my network. Winbind,
getent, wbinfo, ... everything works great however, from WinXP and Win2k
client  hosts I cannot connect to my linux shares. From Win95/98 clients
works great.

Always that I connect from WinXP and Win2k hosts to the Linux shares it
asks me for username/password authentication and none works. The error I
get from WinXP, Win2k hosts is ALWAYS:

[2003/09/29 11:09:57, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
   Username $ is invalid on this system

No other errors.  I've tried setting client use spnego = no with no
luck.

This is very strange. I don't know what to do and where to see know. Any
suggestions will be very apprecicate?

Thanks in advance,

Fernando.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] samba 3.0.0 + mysql

[Fernando Athayde - Eturbo]

I configured the samba to function with mysql, this functioning perfect, but it would 
like that it nao tied the user of mysql with the usuario of/etc/passwd of linux, 
exists some skill. 


thanks,
Fernando Athayde
>From Brazil
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] FYI: Samba 3.0 news @ TheInquirer.net

[Fernando Cassia]

FYI,

I'm just a lurker and not an expert on samba, but I have fond memories 
of the joy of discovering and installing an ancient version of the samba 
1.x port to OS/2, and running it under OS/2 Warp 3.0 (back when even IBM 
didn't include peer-to-peer LAN networking on the OS) as early as in 
mid-1994 or early-1995. ( http://www.jacco2.dds.nl/samba/samba2.html )

This was before I discovered Linux and the *ix world. Well, I thought 
that the 3.0 release of samba was something worth reporting about, hence 
I wrote this:

Samba quietly turned 3.0
Networking for the masses, even SCO.
http://www.theinquirer.net/?article=11830
Please, email any comments, flames and/or corrections via private mail 
please, to avoid polluting this list.

Regards
Fernando Cassia
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] samba+ldap how pdc, problem nobody user

[Fernando Ribeiro]

#
# ldbm database definitions
###
databaseldbm
suffix  "o=domain,c=br"
#suffix "o=My Organization Name,c=US"
rootdn  "cn=root,o=domain,c=br"
#rootdn "cn=Manager,o=My Organization Name,c=US"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw  {SSHA}5y658hVH9FHiaEr4/E73lCMaUMThwZ5H
# rootpw{crypt}ijFYNcSNctg52
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory   /var/lib/ldap
# Indices to maintain
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname   eq,subinitial
# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
#   bindmethod=sasl saslmech=GSSAPI
#   authcId=host/[EMAIL PROTECTED]


Thanks Very Much!

-- 
+ 
| Fernando Ribeiro
| Linux User 273768
| Tel.: 55+61+92860361
| ICQ. 175630330
| Death to the mouse! Death to the graph!
| Death to the closed standards! Death the patents!
| Powered by VIm, MUTT
+ 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] couldn't write to home dir

[Luiz Fernando Aguiar Leme]

andre,

Verify owner end group of the your home directory (ex andre:group) and
permissions (wrx__)

inside the file smb.conf, in the your home share, add the option

valid users = OWNER OF THE HOME DIRECTORY
writable = yes
write list = OWNER OF THE HOME DIRECORY

Try to do the changes..

Bye
- Original Message - 
From: "andrej misovic" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 19, 2003 1:21 PM
Subject: [Samba] couldn't write to home dir


> hello,
> I try to use samba as PDC on NetBSD,
> but I 've had problem with that combination..
>
> samba work perfectly..but
> if someone want to write into homedir, they couldn't,
> and w2k workstation appear message ,
> that disk is full..
> disk isn't full, and permission are set correct
> I don't know, where should be a mistake,
> I check configuration problably 100x,
> but I haven't found any problem in it..
>
> have you ever had someone similiar problem?
> thx a lot
>
> andrej
> -- 
>
>>>  jabber: [EMAIL PROTECTED]   <<
>>>  e-mail: [EMAIL PROTECTED]  <<
> 
> // just visit> http://www.nirvanaclub.sk
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

RES: [Samba] Is Samba ready for it?

[Fernando Ribeiro]

Thank you all, for the advices and answers.
They are being very useful.
And I may not know a lot of things about Samba but I sure know why samba
was written for (cheers John!) :-)
BTW I am reading the Samba-HOWTO-Collection, thanks again.
I considered changing to LDAP but time was a problem (as usual), now I
will reconsider the LDAP idea.
I will use the Samba 3 new release as soon as possible, that's because I
have already started the migration process.
I am going slowly, and solving some problems that come up.

[]'s

Fernando

-Mensagem original-
De: Phil Brutsche [mailto:[EMAIL PROTECTED] 
Enviada em: terça-feira, 16 de setembro de 2003 14:04
Para: [EMAIL PROTECTED]
Assunto: Re: [Samba] Is Samba ready for it?




--On Tuesday, September 16, 2003 8:54 AM -0300 Fernando Ribeiro 
<[EMAIL PROTECTED]> wrote:

> Hi,
>
> I am migrating from WinNT 4 to Samba 3 beta3 in a production 
> environment. It would be nice to have some advice, because I don't 
> know if Samba is ready for assuming this ;-)

First piece of advice: don't use Samba 3 betas, *especially* when
release 
candidates are available.

Second piece of advice: at this point in time don't use Samba 3 for 
production unless you *need* functionality that's not in Samba 2.2.x. 
Since you're looking at making Samba a PDC with BDCs, I would go with
Samba 
3 RC3 or RC4.

> I never heard about any one that had something like this. This is kind

> of a big network so it will be 1 PDC (Samba) , 4 BDC's
> (Samba) and 2 File Servers (w2k). I will have a minimum of 800 
> machines and 2000 users logging on to Samba. There are more users 
> because of Internet Authentication. I have Samba 3 beta3 working with 
> NIS and rsync synchronization of smbpasswd, no db backend. Is this a 
> problem? And I can't find a solution for using account policy to block

> the user account after bad logins, pdbedit doesn't seem to work.

You should consider using LDAP as a password backend.

-- 

Phil Brutsche
[EMAIL PROTECTED]

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

[Samba] Is Samba ready for it?

[Fernando Ribeiro]

Hi,
 
I am migrating from WinNT 4 to Samba 3 beta3 in a production
environment.
It would be nice to have some advice, because I don't know if Samba is
ready for assuming this ;-)
I never heard about any one that had something like this.
This is kind of a big network so it will be 1 PDC (Samba) , 4 BDC's
(Samba) and 2 File Servers (w2k). I will have a minimum of 800 machines
and 2000 users logging on to Samba.
There are more users because of Internet Authentication.
I have Samba 3 beta3 working with NIS and rsync synchronization of
smbpasswd, no db backend. Is this a problem?
And I can't find a solution for using account policy to block the user
account after bad logins, pdbedit doesn't seem to work.
 
If more information is needed just ask me.
 
Any thoughts will be welcome.
 
Thanks in advance for advices!


--
Fernando Henrique Ribeiro da Silva

-- 


 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba