[Samba] FW: Segfault in Samba
A Debian stable server running Version 3.0.23d wrote:

The Samba 'panic action' script, /usr/share/samba/panic-action, was called for pid 7785 (/usr/sbin/nmbd).

Below is a backtrace for this process generated with gdb, which shows the state of the program at the time the error occured. You are encouraged to submit this information as a bug report to Debian. For information about the procedure for submitting bug reports, please see http://www.debian.org/Bugs/Reporting or the reportbug(1) manpage.

    (no debugging symbols found)
    Using host libthread_db library /lib/tls/i686/cmov/libthread_db.so.1.
    (no debugging symbols found)
    `system-supplied DSO at 0xe000' has disappeared; keeping its symbols.
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    [Thread debugging using libthread_db enabled]
    [New Thread 1077480288 (LWP 7785)]
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    0xe410 in __kernel_vsyscall ()
    #0  0xe410 in __kernel_vsyscall ()
    #1  0x40202d93 in waitpid () from /lib/tls/i686/cmov/libc.so.6
    #2  0x40198d52 in system () from /lib/tls/i686/cmov/libc.so.6
    #3  0x080d4dc7 in smb_panic ()
    #4  0x080c29fc in dbgtext ()
    #5  signal handler called
    #6  0x08074e95 in remove_response_record ()
    #7  0x08072bd7 in retransmit_or_expire_response_records ()
    #8  0x080654c0 in unbecome_local_master_browser ()
    #9  0x08065836 in unbecome_local_master_browser ()
    #10 0x0806df3a in query_name_from_wins_server ()
    #11 0x08072a14 in reply_netbios_packet ()
    #12 0x08072a9f in run_packet_queue ()
    #13 0x0806360a in queue_dns_query ()
    #14 0x08063d19 in main ()

Regards
Geoff Scott

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Active Directory Primary group don't show users
this is not fully implemented yet. See here:
http://groups.google.com.au/group/linux.samba/browse_thread/thread/a464f34c32de1184/4d20dc2e81cd2034?lnk=stq=samba+domain+users+group+no+membersrnum=3hl=en#4d20dc2e81cd2034

cheers
GS

On 23 Jun 2006, at 20:44, Ashish Tyagi wrote:

Hi all

I have configured samba 3.0.11 in a windows 2003 domain as a domain member (security=ads). The issue is, when I issue the command

    getent group |grep domain users

it shows

    DOMAIN+domain users:x:1004:

It doesn't show any user in this group, while this group contains all the users in the domain. It is the primary group of all the users. If I set the primary group of a user to something else, then it shows the user in the 'domain user' group.

Thanks
Ashish
RE: [Samba] Is there a way to map user ids to the same rid on every smbbox
IN an AD domain?

-Original Message-
Subject: [Samba] Is there a way to map user ids to the same rid on every smbbox

I know the documentation talks about using a backend ldap server which I don't have, nor do I want to dig into figuring out how to setup. Are there other easy methods, such as replicate a file among all my smb servers. If so, what is the file?

Thanks in advance for the help.
Michael
RE: [Samba] Manual UID GID mapping with Active Directory
Yanick Quirion wrote:

Hi Geoffrey,

Is it possible for you to be more specific about this configuration? Have you already done it in the past? I'm not very good with ldap and more hints how to setup this will be helpful.

If you look in Chapter 7 of the samba by example book (available in dead tree format which means John gets paid for his efforts, or online in PDF in the docs section of the samba.org site) you'll see a few more specifics of how to set up both scenarios.

I personally chose to use idmap_rid for simplicity's sake, but that was with Debian. As I understand it, Redhat doesn't build idmap_rid.so by default, so you may want to update your locate db and use locate to search for idmap_rid. I haven't checked yet to see if the sernet rpms have it built so that may be something for you to investigate.

If you follow the recipe in chapter 7 for idmap_rid keep in mind that John is a little vague on the need for setting up the krb.conf file. You may need to follow part of chapter 12 where he shows how to configure that file and use kinit etc (although you must have had success in this already).

HTH
Regards
Geoff

Regards,
Yanick

However, all systems don't seem having the same database to UID GID mapping. There is a way to make all my Linux system having the same mapping?

Look up idmap_rid or research storing winbind stuff in ldap and then using master and slave ldap servers to push the consistent uid and gid from one server to all others.

GS
RE: [Samba] Manual UID GID mapping with Active Directory
Yanick Quirion wrote:

    idmap uid = 2-3
    idmap gid = 2-3

However, all systems don't seem having the same database to UID GID mapping. There is a way to make all my Linux system having the same mapping?

Look up idmap_rid or research storing winbind stuff in ldap and then using master and slave ldap servers to push the consistent uid and gid from one server to all others.

GS
RE: [Samba] RE: Print Migrator help needed...
Gerald (Jerry) Carter wrote:

Aarti Varshney (asadhnan) wrote:

This snippet from the error log: Looks like something is timing out... Anyone knows how to increase the timeout?

Aarti, I don't think it's a timeout issue. I think the client is just disconnecting due to the failed access check. ...

Both Arti and I can successfully individually add printers from windows clients. But in my case the spooler thing doesn't seem to exist.

    2006:01:25 15:35:38 Access Granted to: \\sambaShare
    2006:01:25 15:35:38 Couldn't start the target spooler
    2006:01:25 15:35:38 Remote Tree View Failed

You can use the Manage you computer mmc plugin against the Samba box to test starting/stopping the internal spooler server (nothing to do with cups). to debug the access checks.

On a debian Sarge box this is what I get in the log for the machine connected from after using the mmc plugin:

    sh: line 1: /usr/lib/samba/svcctl/NETLOGON: No such file or directory
    sh: line 1: /usr/lib/samba/svcctl/Spooler: No such file or directory
    sh: line 1: /usr/lib/samba/svcctl/Spooler: No such file or directory

It looks like the samba packages for Debian don't set it up:

    # ls /usr/lib/samba/
    idmap vfs

Should the Debian package set it up for me? Should I log another bug for Simo to look at?
RE: [Samba] windows print migrator + add printer command
Aarti Varshney (asadhnan) wrote:

hi Geoff,

Looks like you have figured out how to use the printmig.exe.

No I didn't. :-( I had no issues at all using the add/remove printer scripts that are in the example docs. So I could add and remove printers from a windows workstation without problems. Make sure that you read through the scripts before use. You can figure out from them where spaces in names are allowed and where they aren't.

Can you please give me some pointers: I am trying to migrate print queues from a windows server to a samba share. This is what I did:

1. I ran printmig.exe on the windows server.
2. Backed up the printers on the windows servers to a cab file.
3. Tried to restore the printers to the sambashare by specifying the target as //sambaShare.

But I get the following error:

    2006:01:25 15:35:38 Access Granted to: \\sambaShare file://sambaShare/
    2006:01:25 15:35:38 Couldn't start the target spooler
    2006:01:25 15:35:38 Remote Tree View Failed

How do I start the target spooler?

Well no such spooler exists AFAIK. I was hoping jerry could spread some enlightenment but he never came back to this thread. I haven't had time to do an ethereal trace on this lately due to server crashes (bad hardware).

Do I need some config in smb.conf? In smb.conf I have a addprinter command.

Jerry reckons that you only need a working add printer command. Have you tested adding a printer by itself, and not using the print migrator? I just assumed that I must be doing something wrong. So I gave up and did each printer manually.

Thanks,
Aarti.
RE: [Samba] Tiger 10.4.4 Finder hangs browsing over VPN
Bill Burgess wrote:

On Friday, 29 Jul 2005, Brian Daniels wrote under [Samba] Samba, VPN, and Mac OSX 10.4.2:

After upgrading to Tiger, [our Mac OS X systems] still work fine when on our LAN. But if they try to connect to a [Samba 3.0.10-1] share over the [IPsec] VPN, Finder hangs. The Mac logs the following messages in /var/log/system.log during the hang:

From what I have seen from lurking on this list for a year or so is that you are always best referring these types of issues to your Apple Rep.

Apple seem to take FOSS software, squirrel it away in their lair, do what ever they want to it and then ages later say to the team that maintains it; Here, look at what we've done to your code. Aren't we clever! We've basically forked your code! Yay!

There doesn't seem to be any communication between Apple dev teams and the original FOSS teams. AFAIR, Apple have been promising machines (refurbed I believe) for months to the Samba team. They still haven't gotten them. I haven't ever seen an Apple rep on this list...

Oh, by the way I do like Macs. I'm working on one now...at home.

Just a view from the sidelines

Cheers
GS
RE: [Samba] I can't access a Linux box from windows
Antonello PAPA wrote:

Hi every one, sorry for bad english and thanks. I'm starting using linux, sorry if i ask something simple. I have a small network and I would like to access a file on a linux box with fedora 4 and of course samba from windows xp, windows 2000 and windows 98. I see the directory but when I click on them to see what's inside I get a message that tells me that I don't have the right to access. I have tried to change from security = user and also encrypted password = no but nothing changed.

This is my smb.conf

    [global]
        workgroup = didattica
        server string = Samba Server
        printcap name = /etc/printcap
        load printers = yes
        cups options = raw
        log file = /var/log/samba/%m.log
        max log size = 50
        dns proxy = no
        encrypt passwords = yes
        smb passwd file = /etc/samba/smbpasswd
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        template shell = /bin/false
        winbind use default domain = no
        guest ok = yes
        guest account = ipsia
        security = share

    [homes]
        comment = Home Directories
        browseable = no
        writeable = yes

    [printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        printable = yes

    [ipsia]
        comment = Alunno
        path = /home/ipsia
        writeable = yes
        browseable = yes
        guest ok = yes

    [mimmoge]
        path = /home/mimmoge
        writeable = yes
        browseable = yes
        guest ok = yes

    [papa]
        path = /home/papa
        writeable = yes
        browseable = yes
        guest ok = yes

these are some kind of log from pc:

    [2006/01/13 17:53:58, 0] smbd/service.c:make_connection_snum(615)
      '/home/ipsia' does not exist or is not a directory, when connecting to [ipsia]

    mkdir -p /home/{ipsia,mimmoge,papa}
    chmod -R /home/{ipsia,mimmoge,papa}

this is smbd log file

    [2006/01/11 15:21:21, 1] lib/account_pol.c:account_policy_get(204)
      account_policy_get: tdb_fetch_uint32 failed for field 1 (min password length), returning 0
    [2006/01/11 15:21:21, 1] lib/account_pol.c:account_policy_get(204)
      account_policy_get: tdb_fetch_uint32 failed for field 2 (password history), returning 0

Does your user exist in samba? Have you added them?

    [2006/01/11 16:58:40, 0] lib/util_sock.c:get_peer_addr(1150)
      getpeername failed. Error was Transport endpoint is not connected

Your windows machine terminated a connection
RE: [Samba] I can't access a Linux box from windows
Geoffrey Scott wrote:

    chmod -R /home/{ipsia,mimmoge,papa}

    chmod -R 777 /home/{ipsia,mimmoge,papa}

Sorry.
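Added example (not part of any post in this thread): a Python check that lists the shares an smb.conf exposes as guest-writable, including shares that only inherit guest ok = yes from [global], and reports whether the exported directory is world-writable, as it would be after the chmod -R 777 above. The sample config is constructed from the shares quoted earlier; the [reports] share and all function names are hypothetical.

```python
import configparser
import os
import stat

# Constructed sample, reduced from the smb.conf quoted in the thread.
# The [reports] share is hypothetical and shows a non-guest share.
SAMPLE_SMB_CONF = """\
[global]
    security = share
    guest ok = yes
    guest account = ipsia

[homes]
    browseable = no
    writeable = yes

[printers]
    path = /var/spool/samba
    printable = yes

[ipsia]
    path = /home/ipsia
    writeable = yes
    guest ok = yes

[reports]
    path = /srv/reports
    guest ok = no
    writeable = yes
"""


def _is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def _load(conf_text):
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    # Samba ignores case and whitespace inside parameter names.
    parser.optionxform = lambda key: "".join(key.split()).lower()
    # Strip indentation so configparser never treats a line as a continuation.
    parser.read_string("\n".join(line.strip() for line in conf_text.splitlines()))
    return parser


def _guest_in(scope):
    for name in ("guestok", "public"):  # "public" is a synonym of "guest ok"
        if name in scope:
            return _is_yes(scope[name])
    return None


def _writable_in(scope):
    for name in ("writeable", "writable", "writeok"):
        if name in scope:
            return _is_yes(scope[name])
    if "readonly" in scope:  # inverse synonym
        return not _is_yes(scope["readonly"])
    return None


def _resolve(getter, share, defaults):
    """The share's own setting wins, then the [global] default, then 'no'."""
    for scope in (share, defaults):
        value = getter(scope)
        if value is not None:
            return value
    return False


def guest_writable_shares(conf_text):
    """Return [(share, path)] for shares a guest can write to."""
    parser = _load(conf_text)
    defaults = {}
    for section in parser.sections():
        if section.lower() == "global":
            defaults = dict(parser[section])
    findings = []
    for section in parser.sections():
        if section.lower() == "global":
            continue
        share = dict(parser[section])
        if _resolve(_guest_in, share, defaults) and _resolve(_writable_in, share, defaults):
            findings.append((section, share.get("path")))
    return findings


def world_writable(path):
    """True/False for an existing path, None when there is nothing to check."""
    if not path or not os.path.exists(path):
        return None
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def audit(conf_text):
    return [
        {"share": name, "path": path, "world_writable": world_writable(path)}
        for name, path in guest_writable_shares(conf_text)
    ]


if __name__ == "__main__":
    for row in audit(SAMPLE_SMB_CONF):
        print(row)
```

Note that [homes] is reported even though it never sets guest ok itself: the value comes from [global].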
RE: [Samba] samba member of AD domain and ACL support question
Adam Nielsen wrote:

- why get I a strange display on security option ?

Samba has always behaved like this for me, but I'm not exactly sure why. If you scroll down you'll notice that 'Special Permissions' is ticked, which is Windows' way of saying there are permissions that don't fit the checkboxes here. It seems to work fine if you just ignore that initial permissions window and use the Advanced options only.

AFAIRC this is standard behaviour when using Samba. You always need to go to the advanced options page to set permissions.

Cheers
GS
RE: [Samba] net rpc vampire - segmentation fault
Antonius Aji wrote:

Hi all, I am trying to migrate NT4 domain to Samba-3 PDC, yet I stuck at migrating NT4 PDC information using net rpc vampire -- giving segmentation fault. Any help?

It looks like it's currently a common problem. See:
http://lists.samba.org/archive/samba/2006-January/subject.html
And search for the word vampire using your web browser.

So it's probably not you that's at fault..

Cheers
GS
RE: [Samba] net rpc vampire - segmentation fault
Antonius Aji wrote:

Thanks for the reply. You're right ... it is becoming common problem in 3.0.21a. In one of the message: it says that there is a patch to solve this problem in bugzilla repository. I am still searching that patch in bugzilla. If it is not found, I will use older version.

rgds,
antonius aji

Not a bad idea at all... Download old version; 3.0.14a comes to mind as one that had a working vampire. Vampire your users across and then upgrade once everything is working to 3.0.21a.

Cheers
GS
RE: [Samba] windows print migrator + add printer command
Martin Zielinski wrote:

I just tried out to add a port on two MS systems and it *looks* like it could work with SPOOLSS calls. Unfortunately some of the packets are not decoded by Ethereal. Looks like this:

    -- EnumMonitors
    -- Response: ... Standard TCP / IP Port
    -- OpenPrinterEx \\host\,XcvMonitor Standard TCP / IP Port
    -- Response OK
    -- UNKNOWN (Opnum 88) You can read AddPort ... IP_x ... public ...)
    -- UNKNOWN
    -- ClosePrinterEx

Or are these the registry calls you mentioned?

I'm having problems with this as well. What I am seeing, and this is after having successfully added a printer using the add printer command + the example script you suggested, is that

1. I am asked for a username and password.
2. The rights are then granted and then nothing happens.

It complains that it can't stop and then start the spools service on the target server (samba 3.21a Debian sarge).

I went back over the setup a number of times and removed spaces from the share names and added socket://xxx.xxx.xxx.xxx:9100 to the location section of the printers before backing them up to a printers.cab. I left spaces in names elsewhere (you can't have spaces in the share name due to the expectations of CUPS). The utility consistently fails to add the printers to the target server.

Hopefully this info is of some use, otherwise I'll try to get an ethereal trace and send it to you.

Cheers
Geoff.
[Samba] windows print migrator + add printer command
Hi all.

I was wondering if anyone had a successful example of using the add printer command with cups so that the windows print migrator could be utilised. Seeing as Jerry has spent time on this it would be a shame not to know how to use it. ;-)

I'm guessing that it would be along the lines of:

    add printer command = lpadmin option1 option2 cupsaddsmb option1

but am currently unsure how to proceed. Can someone hit me with a clue by four?

cheers
geoff
[Samba] windows print migrator + add printer command
Geoffrey Scott wrote:

Hi all.

I was wondering if anyone had a successful example of using the add printer command with cups so that the windows print migrator could be utilised. Seeing as Jerry has spent time on this it would be a shame not to know how to use it. ;-)

I'm guessing that it would be along the lines of:

    add printer command = lpadmin option1 option2 cupsaddsmb option1

The main thing that I found when migrating printers is to make sure that your add printer script can handle spaces in names. There's also a little bit of a data model problem in that Windows creates subkeys in the registry based on printer name and Samba uses the share name. The best solution is a little prep work that renames the printer names to the share name and then you can reset the printer name after migration. Drivers and printer settings migrate without any difficulty.

cheers,
jerry

=

Um, I really do appreciate the background info and pointers, but I was hoping you might be kind enough to post your add printer script so that I can get up and running quickly. Please please, please, please... It seems obvious that you have achieved this in testing. I googled for examples of the add printer command but could find none. Or is this an exercise for the reader? ;-)

Cheers
Geoff
RE: [Samba] windows print migrator + add printer command
Gerald (Jerry) Carter wrote:

Geoffrey Scott wrote:

Um, I really do appreciate the background info and pointers. but I was hoping you might be kind enough to post your add printer script so that i can get up and running quickly.

I use cups so the scripts in samba/examples/scripts/printing/cups/ is what I used in testing. Those don't have printer names with spaces but otherwise worked fine.

cheers,
jerry

thud! Ouch, that was the clue by four hitting me on the back of the head.

Thanks Jerry! I'll check them out.

Cheers
Geoff
[Samba] Winbind idmap_rid - no members in domain users .....
On my ADS member server it doesn't show any members of

    GUESTSHIRE\domain users:x:5513:

using getent group

Is this normal behavior? If not any ideas how do I fix it?

Out of curiosity I shutdown winbind and samba, deleted all *.tdb files (except secrets) and restarted them. Same thing happens. There are no users in there... But if I check in AD users and computers my users are all members of domain users.

This wouldn't have been where template primary group = Domain Users was useful would it? I know it has now been removed as an option, but would it have fixed this problem in the past?

Global below:

    [global]
        workgroup = GUESTSHIRE
        realm = GUESTSFURNITUREHIRE.COM.AU
        server string = Guests_NSW File Print server
        security = ADS
        allow trusted domains = No
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        printcap name = CUPS
        addprinter command = /usr/local/bin/smbaddprinter.pl
        panic action = /usr/share/samba/panic-action %d
        idmap backend = idmap_rid:GUESTSHIRE=5000-100
        idmap uid = 5000-100
        idmap gid = 5000-100
        template homedir = /home/%U
        template shell = /bin/bash
        winbind nested groups = Yes
        printer admin = @GUESTSHIRE\Domain Admins
        printing = cups
        print command =
        lpq command = %p
        lprm command =
RE: [Samba] Getent not returning complete results.
Sarkar, Anirban wrote:

I have some Redhat (ES 3) Linux servers authenticating against Active Directory. One of the servers is not returning the complete list of users and groups for commands:

    getent passwd
    getent group

But when I do wbinfo -u, I do get all the users. This is baffling me. The other servers don't have this problem. I have tallied the configuration on the servers and they are same. Thanks.

Is /etc/nsswitch configured?
RE: [Samba] Only one Case for file name in samba share
updatemyself . wrote:

Hai All, is there any way to make one case for file naming in samba share upper case or lower case

    man smb.conf

Then press the / key
Then enter the word case
Then press n to search through the next instance of the word case and n for the next instance etc, until you find this:

    default case = upper/lower
        controls what the default case is for new filenames (ie. files
        that don't currently exist in the filesystem). Default lower.
        IMPORTANT NOTE: This option will be used to modify the case of
        all incoming client filenames, not just new filenames if the
        options case sensitive = yes, preserve case = No, short
        preserve case = No are set. This change is needed as part of
        the optimisations for directories containing large numbers of
        files.
RE: [Samba] allowing users to install printers
It's not very handy to do so with Samba and 100 clients if you know what I mean... Perhaps some registry entry that can be added in a script?

I thought the idea with group policies was that you apply the policy once, and it takes effect on a whole group of machines. If your XP machines are set up properly, you should just be able to apply that policy to all 100 of them in one go.

Cheers,
Adam.

--

I don't recall if the OP said if he had a win PDC or ads or samba pdc. But the full power of group policy is only available to those with a windows domain. JHT mentions this in the happy users chapter of SBE. You can set up a local policy on the machine before deployment as he shows.

Or there are external packages that can do this for you on a samba controlled domain. Tony Earnshaw used to be *quite vocal* ;-) on this list about one of them (Nitrobit?) from memory. You could search for his name and the words group policy in Google. It may bring you some joy. Never used it myself.

Regards
Geoff Scott
RE: [Samba] winbind without localuser account
Paul Matthews wrote:

hi there, i'm trying to get my winbind working without having a local account on the machine, but it's just not working for me. can someone show me an example of a pam module that requires only a Active directory password. (i'm working with /etc/pam.d/dovecot) i can use my AD password as long as i have a local account, but i don't want to have a local account.

For samba on debian this works:

    auth      sufficient  pam_winbind.so
    auth      required    pam_unix.so nullok
    account   sufficient  pam_winbind.so
    account   required    pam_unix.so
    session   required    pam_unix.so
    password  required    pam_unix.so

Also what do the getent wbinfo tests show? Do they work?

Regards
Geoff Scott
RE: [Samba] winbind without localuser account
Paul Matthews wrote:

    [EMAIL PROTECTED] pam.d]# wbinfo -g
    builtin\system operators
    builtin\replicators
    builtin\guests
    builtin\power users
    builtin\print operators
    builtin\administrators
    builtin\account operators
    builtin\backup operators
    builtin\users
    domain guests
    domain users
    domain computers
    etc..., etc...

What does the global section look like?

i'm running fedora core 3

Everyone seems to have probs with selinux that's not in core 3 is it?

i've never used 'getent' before what do i do there?

    getent passwd | less

but i have a local account called 'pma' with the password 'unix' set locally and the password 'ads' set on active directory, i can set my pam module so i can login with the username 'pma and password 'ads'. so i think my winbind is working fine.

You shouldn't need any local account. Did you read SBE? You should have followed chapter 12.3.1 12.3.2 then 7.3.4

I personally use 7.3.4.1 like this though, (idmap_rid only allows one AD domain):

    [global]
        workgroup = GUESTSHIRE
        realm = GUESTSFURNITUREHIRE.COM.AU
        server string = Guests_NSW File Print server
        security = ADS
        allow trusted domains = No
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        printcap name = CUPS
        panic action = /usr/share/samba/panic-action %d
        idmap backend = idmap_rid:GUESTSHIRE=5000-100
        idmap uid = 5000-100
        idmap gid = 5000-100
        template homedir = /home/%U
        template shell = /bin/bash
        winbind nested groups = Yes
        printer admin = @GUESTSHIRE\Domain Admins
        printing = cups
        print command =
        lpq command = %p
        lprm command =

    [homes]
        comment = Home Directories
        path = /home/%U
        valid users = GUESTSHIRE\%S
        admin users = @GUESTSHIRE\Domain Admins
        read only = No
        browseable = No

ps: i tried that pam module below, same thing happened i can login with my ads password, but i need a local account without a local account it wont let me. i'm using squirriel mail and '/etc/pam.d/dovecot' to test it out.

So you put those contents in there then?

Regards
Geoff Scott
RE: [Samba] winbind without localuser account
Paul Matthews wrote:

    [EMAIL PROTECTED] pam.d]# wbinfo -g
    builtin\system operators
    builtin\replicators
    builtin\guests
    builtin\power users
    builtin\print operators
    builtin\administrators
    builtin\account operators
    builtin\backup operators
    builtin\users
    domain guests
    domain users
    domain computers
    etc..., etc...

What does the global section look like?

i'm running fedora core 3

Everyone seems to have probs with selinux that's not in core 3 is it?

i've never used 'getent' before what do i do there?

    getent passwd | less

but i have a local account called 'pma' with the password 'unix' set locally and the password 'ads' set on active directory, i can set my pam module so i can login with the username 'pma and password 'ads'. so i think my winbind is working fine.

You should need any local account. Did you read SBE? You should have followed chapter 12.3.1 12.3.2 then 7.3.4

I personally use 7.3.4.1 like this though:

    [global]
        workgroup = GUESTSHIRE
        realm = GUESTSFURNITUREHIRE.COM.AU
        server string = Guests_NSW File Print server
        security = ADS
        allow trusted domains = No
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        printcap name = CUPS
        panic action = /usr/share/samba/panic-action %d
        idmap backend = idmap_rid:GUESTSHIRE=5000-100
        idmap uid = 5000-100
        idmap gid = 5000-100
        template homedir = /home/%U
        template shell = /bin/bash
        winbind nested groups = Yes
        printer admin = @GUESTSHIRE\Domain Admins
        printing = cups
        print command =
        lpq command = %p
        lprm command =

    [homes]
        comment = Home Directories
        path = /home/%U
        valid users = GUESTSHIRE\%S
        admin users = @GUESTSHIRE\Domain Admins
        read only = No
        browseable = No

ps: i tried that pam module below, same thing happened i can login with my ads password, but i need a local account without a local account it wont let me. i'm using squirriel mail and '/etc/pam.d/dovecot' to test it out.

Regards
Geoff Scott
[Samba] Translate file permissions from rsync using ssh in cygwin
Hello all,

I thought I might have found an easy way to sync server shares and permissions using

    rsync -avz --delete [EMAIL PROTECTED]

But the uid and gid come up as numeric (in hindsight this should have been obvious). Is there some other way of using an rsync to map permissions? I just read that in the bugs the perms are transferred in native numerical mode.

I can do a find based on uid and gid. Does anyone have some ideas for chowning files by using the same algorithm used to create uid and gid in winbind idmap_rid?

What strategies has anyone else employed for syncing 2 servers across vast geographical distances, in preparation for retiring the windows one?

Regards
Geoff Scott

--
IT Systems Administrator
Guests Furniture Hire Pty Ltd
Tel: 03 9426 9143
Fax: 03 9428 7605
Mob: 0437 037 421
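Added example (not from any post in this thread): a Python sketch of a deterministic RID-based mapping of the kind the idmap_rid posts describe, used to spot member servers whose SID-to-ID mapping has drifted, which would leave synced files owned by a different account. It assumes unix id = range low + RID, which agrees with the gid 5513 shown earlier for Domain Users (RID 513) under a range starting at 5000; the domain SID, the range upper bound, host names and observed IDs are constructed.

```python
# Constructed domain SID for illustration; a real one comes from the domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


class RidMapper:
    """Deterministic SID <-> Unix ID mapping in the style of idmap_rid.

    Assumption: unix_id = range_low + RID. Every server configured with
    the same range then derives the same ID without sharing a database.
    """

    def __init__(self, domain_sid, low, high):
        if low > high:
            raise ValueError("empty idmap range")
        self.domain_sid = domain_sid
        self.low = low
        self.high = high

    def sid_to_id(self, sid):
        prefix, _, rid_text = sid.rpartition("-")
        if prefix != self.domain_sid or not rid_text.isdigit():
            # Only the one configured domain can be mapped.
            raise ValueError(f"{sid} is not an account SID of {self.domain_sid}")
        unix_id = self.low + int(rid_text)
        if unix_id > self.high:
            raise ValueError(f"RID {rid_text} maps outside {self.low}-{self.high}")
        return unix_id

    def id_to_sid(self, unix_id):
        if not self.low <= unix_id <= self.high:
            raise ValueError(f"{unix_id} is outside {self.low}-{self.high}")
        return f"{self.domain_sid}-{unix_id - self.low}"


def find_drift(mapper, observed):
    """Return {host: [(sid, seen_id, expected_id), ...]} for mismatching hosts."""
    drift = {}
    for host, ids in observed.items():
        bad = []
        for sid, seen in sorted(ids.items()):
            expected = mapper.sid_to_id(sid)
            if seen != expected:
                bad.append((sid, seen, expected))
        if bad:
            drift[host] = bad
    return drift


# Range start taken from the thread; the upper bound is constructed because
# the archived value is truncated.
MAPPER = RidMapper(DOMAIN_SID, 5000, 100000)

# Constructed per-host observations (SID -> ID the host reports). The third
# host behaves like an allocating backend that hands out IDs first come,
# first served, so its IDs do not follow the RID.
OBSERVED = {
    "fileserver1": {DOMAIN_SID + "-513": 5513, DOMAIN_SID + "-1104": 6104},
    "fileserver2": {DOMAIN_SID + "-513": 5513, DOMAIN_SID + "-1104": 6104},
    "mailhost": {DOMAIN_SID + "-513": 10000, DOMAIN_SID + "-1104": 10003},
}

if __name__ == "__main__":
    for host, rows in find_drift(MAPPER, OBSERVED).items():
        for sid, seen, expected in rows:
            print(f"{host}: {sid} is {seen}, expected {expected}")
```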
RE: [Samba] winbind without localuser account
Paul Matthews wrote:

i have try is with the ssh pam module as well and it just rejects me username, would it have something to do with the users not having home directories and shells? how can i make them automatically be added when a new user logins in?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ]On Behalf Of Paul Matthews
Sent: Thursday, 12 January 2006 1:28
To: Samba Lists
Subject: RE: [Samba] winbind without localuser account

this is the how-to i followed to get to where i am.
http://www.yourhowto.org/content/view/31/9/

This howto doesn't mention editing /etc/nsswitch.conf. try editing it like so :

    passwd: files winbind
    group:  files winbind
    shadow: files winbind

Have a read of the chapters that I mentioned to you before:
http://au1.samba.org/samba/docs/man/Samba-Guide/

Regards
Geoff Scott
RE: [Samba] Can I have some help please with smb.conf?
Adam Kendall wrote:

    grep ^[^#] kendall-smbconf | grep ^[^\;] smb.conf.txt

shows what it is that is actually in there

or

    testparm -s | less

You know,

    mv smb.conf master-smb.conf

and then

    testparm -s master-smb.conf smb.conf

would give you something much nicer to send to the list.

Anyway, have you done

    mkdir -p /home/akendall/adam_temp

just to make sure? No firewall in the way? Is the machine named nuwvics5 or fedorabox? What is it named in /etc/hosts?

Regards
Geoff Scott

    [global]
        workgroup = myorg.org.au
        server string = Samba Server
        hosts allow = 192.168.0. 127.
        printcap name = /etc/printcap
        cups options = raw
        log file = /var/log/samba/%m.log
        max log size = 50
        security = domain
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = no
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        password server = sever1

    [homes]
        comment = Home Directories
        browseable = yes
        writeable = yes

    [printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        printable = yes

    [ADAM_TEMP]
        path = /home/akendall/adam_temp/
        writeable = yes
        force user = akendall
        force group = akendall
        case sensitive = no
        msdfs proxy = no
        hosts allow = mypcxp
        comment = Temp folder for Adam
        browseable = yes
        valid users = akendall

    [test]
        path = /home/akendall/test
        writeable = yes
        browseable = yes
        guest ok = yes
RE: [Samba] Profile trouble
What does your [global] section say?

-Original Message-
From: [EMAIL PROTECTED] on behalf of Tjaco
Sent: Wed 4/01/2006 4:59 AM
To: samba@lists.samba.org
Subject: [Samba] Profile trouble

Hi everyone,

I'm relatively new to Samba and struggling with the following:

The system is a W2003 domain with W2K clients and Samba 3.0.14a-3sa on Debian (Debian package). I've made two shares:

    [homes]
    comment = Home directory
    read only = No
    valid users = %S
    create mask = 0755
    directory mask = 0775
    browseable = No

    [profiles]
    path = /mnt/sdb1/data/profiles/
    browseable = No
    writeable = yes
    create mask = 0777
    directory mask = 0777

/mnt/sdb1/data/profiles/ is set with all permissions for user 'user' and group 'domusers'. domusers is mapped:

    #net groupmap list|grep Domain Users
    Domain Users (S-1-5-21-2334634195-46418153-2501264360-513) - -1
    Domain Users (S-1-5-21-1657160631-611637488-1835888628-3005) - domusers
    Domain Users (S-1-5-21-1657160631-611637488-1835888628-513) - -1

In the domain the account is set to map the homedir to \\linux\user and \\linux\profiles\user

As my W2K client logs on it complains about not being able to retrieve the roaming profile stored on the server. It does get its homeshare though. While logging on it does create a directory 'user' in profiles but it does not fill it. After logging on the \\linux\profiles\user share is mappable and writeable.

I'm quite sure I'm missing some basic configuration but I can't figure it out.

Many thanks in advance.
Tjaco
[Samba] Winbind idmap_rid working but still no access to shares
Hi all. My ADS samba member server passes all the tests in SBE chapter 7.3, but users still get asked for their password when they access their home share from a windows box. Please can someone take a look at the attached config and log files (if they get through) and tell me what's wrong? The only thing that seems different in the testing is that the domain part doesn't get returned when I do wbinfo -u and so on. The rest of the testing gets passed with flying colours... Oh, there's a slab of VB in it for any resident in Australia that can solve the problem ;-) Regards Geoff Scott
RE: [Samba] OK .. Just one question
No. Only a domain member server. And vice versa. A samba server can only be a domain member server (or lower) in an ADS domain.

-Original Message-
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Fri 6/01/2006 10:42 PM
To: samba@lists.samba.org
Subject: [Samba] OK .. Just one question

Can Windows 2003 be a BDC server with a Linux Samba PDC?

thanks
RE: [Samba] OK .. Just one question
I know Samba can act as a PDC. You asked if win2k3 can be a BDC in a NT style Samba domain. - no is the answer.

Then I thought you might also ask if a samba server can be an ADS DC and again no is the answer.

So if citrix on w2k3 can cope with only being an NT style Samba domain member server then this may be worth investigating.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Sat 7/01/2006 12:06 AM
To: Geoffrey Scott
Cc: samba@lists.samba.org
Subject: RE: [Samba] OK .. Just one question

Thanks for your answer, but in fact I have no ADS, no LDAP too. My 2003 will be used to be a citrix one, so I need to log on it with a profile hosted on my samba PDC. I just want that ...

Regards
Franck
[Samba] Debian AD member server setup with winbind idmap_rid - users prompted for password - solved
Geoffrey Scott wrote:

Geoffrey Scott wrote:

Question: How can I stop users from being prompted for a password?

This was when they accessed their own homes share. I found that when the user accessed other shares everything was fine. So this morning I finally realized that it had to be my home shares stanza. It *seems* that valid users = %S is not enough that it has to be valid users = DOMAIN\%S . I doubt that anyone reads my posts - to correct me, so you'll have to try this yourself to see if I am right (that's if you happen to be someone searching the archives down the track, and you have a similar problem)

The logs repeatedly show this:

    [2005/12/30 15:00:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(180)
      Failed to verify incoming ticket!

OK. Despite SBE chapter 7.3 not pointing you to chapter 12 and stating that you need to have a correctly configured /etc/krb.conf file for Ads Domain member server, it certainly seems that you have to have one. It won't hurt to do it anyway. See the debian howto at the bottom.

These things work:

    root# net ads testjoin
    Join is OK

wbinfo -t or -u or -g all show what they are supposed to show.
My working smb.conf for a debian sarge ADS domain member server using winbind idmap_rid:

    [global]
    # This was an NT4 domain that was upgraded to ADS
    workgroup = DYNOHIRE
    # So the shortname can be different to the realm name
    # by that I mean that the FQDN can be server.DYNAMITEHIRE.COM.AU
    # not server.dynohire.DYNAMITEHIRE.COM.AU
    realm = DYNAMITEHIRE.COM.AU
    server string = Dyno_NSW File Print server
    security = ADS
    allow trusted domains = No
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    printcap name = CUPS
    panic action = /usr/share/samba/panic-action %d
    idmap backend = idmap_rid:DYNOHIRE=5000-100
    idmap uid = 5000-100
    idmap gid = 5000-100
    template homedir = /home/%U
    template shell = /bin/bash
    winbind nested groups = Yes
    printer admin = @DYNOHIRE\Domain Admins
    printing = cups
    print command =
    lpq command = %p
    lprm command =

    [homes]
    comment = Home Directories
    path = /home/%U
    valid users = DYNOHIRE\%S
    admin users = @DYNOHIRE\Domain Admins
    read only = No
    browseable = No

    [profiles]
    comment = Profile Share
    path = /home/samba/profiles
    read only = No
    profile acls = Yes

    [profdata]
    comment = Profile Data Share
    path = /home/samba/profdata
    read only = No
    profile acls = Yes

    [printers]
    comment = All Printers
    path = /var/spool/samba
    guest ok = Yes
    printable = Yes
    browseable = No

    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

Debian specific howto from here: http://wiki.randompage.org/index.php/Using_Samba_on_Debian_Linux_to_authenticate_against_Active_Directory

Included Below:

Using Samba on Debian Linux to authenticate against Active Directory

From WikiRoland

This document will show you how to install Samba 3.X on Debian Linux 3.1 (Sarge) and make it authenticate against a Windows server using Active Directory. It is not intended to replace the actual official Samba 3 manual - which is a quite good read anyway.
Core software

Make sure apt's package index files are synchronized:

    apt-get update
    apt-get upgrade

This section will show you two ways of installing Samba, using apt or directly from source. To install from apt run:

    apt-get install samba smbclient winbind krb5-doc krb5-user krb5-config

If you for some reason want to compile Samba yourself, then you need to have the latest versions of MIT Kerberos and OpenLDAP installed:

    apt-get install libkrb53 libcupsys2-gnutls10 libldap2 libldap2-dev libkrb5-dev krb5-doc krb5-user krb5-config

Then grab the latest version of the Samba source (for this manual we will use samba-3.0.9.tar.gz), and do:

    tar zxvf samba-3.0.9.tar.gz -C /tmp/
    cd /tmp/samba-3.0.9/source
    ./configure \
      --prefix=/usr \
      --localstatedir=/var \
      --with-configdir=/etc/samba \
      --with-privatedir=/etc/samba \
      --with-fhs \
      --with-quotas \
      --with-smbmount \
      --with-pam \
      --with-pam_smbpass \
      --with-syslog \
      --with-utmp \
      --with-sambabook=/usr/share/swat/using_samba \
      --with-swatdir=/usr/share/swat \
      --with-shared-modules=idmap_rid \
      --with-libsmbclient \
      --with-automount \
      --with-msdfs \
      --with-ads \
      --with-winbind \
      --with-winbind-auth-challenge \
      --with-manpages-langs=en \
      --with-idmap \
      --with-acl-support \
      --with-ldap
    make
    make install

That is it, you will now have a running Samba installation.

Windows server setup

Install a Windows server and make it act as a domain controller, running Active Directory in mixed mode (this document explains that process). For the rest of this document I will assume you have a server setup as described here: * Domain
[Samba] Is passdb.tdb needed?
When you have a samba ADS domain member server with idmap_rid declared in smb.conf? Even after multiple domain joins and trying various things I can't get access to shares to work. I don't see it having been created on my system. Is it needed in this configuration? Regards Geoff Scott
[Samba] Need krb5 on Interdomain trust Win2003SP1 - Samba3.0.21?
SHA1 wrote:

Simon Leung wrote:

Anyway, my question is beside Winbind, do I need to configure krb5 on Samba (Domain A) when talking to Win2003SP1 on Domain B?

Beginning with 3.0.21 if you are talking to AD in anyways (domain member server, domain controller with domain trusts, etc...) you should ensure that you configure with ADS support and correctly configure /etc/krb5.conf.

Hi Jerry

JHT hasn't got any mention of configuring /etc/krb5.conf in S by example chapter 7.3.4 but he has in chapter 12.3.2. Other docs say only an empty config file is needed or none at all depending on whether you are using Heimdal or MIT kerberos. How much info if any should be in /etc/krb5.conf? Is the chapter 12 example enough?:

    [libdefaults]
    default_realm = LONDON.ABMAS.BIZ

    [realms]
    LONDON.ABMAS.BIZ = {
    kdc = w2k3s.london.abmas.biz
    }

Sorry to ask a basic question, but if I do an apt-get install samba and samba-common, will it install all the files needed for ADS domain membership?

Regards
Geoff Scott

Gerald (Jerry) Carter wrote:
[Samba] AD member server setup with winbind idmap_rid - users prompted for password
Geoffrey Scott wrote:

Question: How can I stop users from being prompted for a password?

secrets.tdb doesn't get created.

Answering my own post. Secrets.tdb gets created but for some reason in /var/lib/samba/.

The logs repeatedly show this:

    [2005/12/30 15:00:38, 1] smbd/sesssetup.c:reply_spnego_kerberos(180)
      Failed to verify incoming ticket!

Jerry posted a comment about this here, to him it seems that secrets.tdb was not found: http://lists.samba.org/archive/samba/2004-August/091388.html

He asked what does smbd -b | grep PRIVATE show. For me this is it:

    PRIVATE_DIR: /etc/samba

So, what creates secrets.tdb when you net ads join? I ask as I am running the Samba team's .debs for Sarge on a Ubuntu-server box. Would there be a mismatch because of this or has Simo, the samba package maintainer made a tiny boo-boo? I will create a symlink to get around the problem. But will an updated package change this and cause me difficulties?

These things work:

    root# net ads testjoin
    Join is OK

wbinfo -t or -u or -g all show what they are supposed to show.

Regards
Geoff
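The comparison described in the post above (the PRIVATE_DIR reported by smbd -b against the directory where secrets.tdb actually landed), as an added example that is not part of the original post. The function names, the sample build output and the owner-only permission check are assumptions of this example; secrets.tdb holds the machine account secret, so the check also reports group or world access.

```shell
#!/bin/sh
# Added example (not from the thread): report whether secrets.tdb sits in
# the private directory smbd was built to use, and whether anyone other
# than its owner can access it.

# Print the PRIVATE_DIR value from `smbd -b` style text read on stdin.
private_dir_of() {
    sed -n 's/^[[:space:]]*PRIVATE_DIR:[[:space:]]*//p' | head -n 1
}

# secrets_status PRIVATE_DIR [OTHER_DIR...]
# Prints exactly one of:
#   ok <path>           found in PRIVATE_DIR with owner-only permissions
#   loose-perms <path>  found in PRIVATE_DIR, group/other have access
#   misplaced <path>    absent from PRIVATE_DIR, present in an OTHER_DIR
#   missing             not found in any directory that was checked
secrets_status() {
    priv=$1
    shift
    if [ -f "$priv/secrets.tdb" ]; then
        # -L follows a symlink (the workaround mentioned in the post) so the
        # permissions examined are those of the real file. Characters 5-10
        # of the mode string are the group and other permission bits.
        bits=$(ls -ldL "$priv/secrets.tdb" | cut -c5-10)
        if [ "$bits" = "------" ]; then
            echo "ok $priv/secrets.tdb"
        else
            echo "loose-perms $priv/secrets.tdb"
        fi
        return 0
    fi
    for dir in "$@"; do
        if [ -f "$dir/secrets.tdb" ]; then
            echo "misplaced $dir/secrets.tdb"
            return 0
        fi
    done
    echo "missing"
}

# Constructed sample of the relevant part of `smbd -b` output.
SAMPLE_BUILD_OUTPUT='Paths:
   SBINDIR: /usr/sbin
   PRIVATE_DIR: /etc/samba
   LOCKDIR: /var/run/samba'

# On a host with Samba installed, check the real build path against the
# two directories named in the post.
if command -v smbd >/dev/null 2>&1; then
    secrets_status "$(smbd -b | private_dir_of)" /var/lib/samba /etc/samba
fi
```

A "misplaced" result corresponds to the situation in the post: the join wrote secrets.tdb somewhere other than the directory the running smbd reads.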
[Samba] Update LDAP password
Yusuf Tikupadang wrote:

Btw, if I have to change the backend, maybe using MySQL so I can change password from web, no problem, because I just implemented it in one department, not all department in my company. Thanks before.

MySQL as a backend is apparently a bad idea. Look for recent posts at the end of December in the archives to see why.

Regards
Geoff
[Samba] AD member server setup with winbind idmap_rid - users prompted for password
Question: How can I stop users from being prompted for a password? Is secrets.tdb needed? Do you think my problems are caused by having a different workgroup to realm?

Problems: I've gone over samba-by-example 7.3.4.1 on setting up idmap_rid with winbind quite a few times now. I also checked what JHT has said in chapter 12. All of it seems correct. However I get loads of this before the machine finally joins and shows up in the computers container of AD:

    [2005/12/30 17:11:45, 0] libads/kerberos.c:get_service_ticket(356)
      get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@GUESTSFURNITUREHIRE.COM.AU failed: Client not found in Kerberos database
    [2005/12/30 17:11:45, 0] libads/kerberos.c:get_service_ticket(356)
      get_service_ticket: kerberos_kinit_password [EMAIL PROTECTED]@GUESTSFURNITUREHIRE.COM.AU failed: Client not found in Kerberos database
    Joined 'FPSYD' to realm 'GUESTSFURNITUREHIRE.COM.AU'

I also have users being constantly asked for a username password when they access their homes share. secrets.tdb doesn't get created.

These things work:

    root# net ads testjoin
    Join is OK

wbinfo -t or -u or -g all show what they are supposed to show.

CONF file below:

    [global]
    workgroup = GUESTSHIRE
    realm = GUESTSFURNITUREHIRE.COM.AU
    security = ADS
    allow trusted domains = No
    idmap backend = idmap_rid:GUESTSHIRE=5000-100
    idmap uid = 5000-100
    idmap gid = 5000-100
    winbind use default domain = Yes
    winbind nested groups = Yes
[Samba] Is it possible to vampire over individual users?
I am taking a lot longer to fully implement an open source solution due to the complex path that I have taken with integrating Samba with other open-source components. I have been adding users to the old NT4 server over time and am wondering if there is a way to vampire just those individual accounts (user and computers) and their group memberships over? I had previously vampired over the entire domain, but that is getting a bit out of date. Any other suggestions would be much appreciated. Regards Geoff Scott
RE: [Samba] samba banner string
Edson Capitani wrote:

How do I get rid of the banner SAMBA 3.0.14a on Debian on sarge (pdcsrv)

This thread should answer all your questions: http://lists.samba.org/archive/samba/2005-June/107373.html

Cheers
GS
[Samba] filtering user files
In our users directories, there are a number of dot files and folders and I was wondering if there was a way to tell Samba not to show them when a user is in their directory? Maybe some sort of file filter perhaps.

A great way to do it is to drop them into a directory lower than the home eg:

    [homes]
    comment = Home Directories
    path = /home/%U/Documents
    valid users = %S
    read only = No
    browseable = No
RE: [Samba] Re: SuSE 9.3 + Samba 3 + LDAP
Horst Simon wrote:

On Thu, 11 Aug 2005 14:55, Geoffrey Scott wrote:

David Krider wrote:

* The IDEALX smbldap-useradd script example in their smb.conf file is a little misleading. You'll need a `-a' to get it to add a sambaSamAccount object-classed account.

You need to use an -a when using the smbldap-tools scripts on the commandline, but there should be no such need within your smb.conf as samba takes care of samba attributes by itself.

GS

I think this is my problem too, but using the -a option still did not add sambaSamAccount. I am using smbldap tools 0.91. From previous messages I found a patch for smbldap-useradd for version 0.91, after I applied the patch, the sambaSAMAccount object class and information was added, but still no luck. The next step is to add the computers into ou=Users and not into ou=Computers as discussed in some other posts.

Samba and the idealx tools can handle having users in one ou and computers in another quite easily. Eg

    ou=Users,ou=split,ou=OxObjects,dc=dynohire,dc=com
    Ou=Computers,ou=split,ou=OxObjects,dc=dynohire,dc=com

Then you point your nss and pam at

    ou=split,ou=OxObjects,dc=dynohire,dc=com

as the base password etc

But OpenXchange isn't that flexible. There are config files for the javastuff that have to be edited heavily to allow for this sort of set up. Therefore it is easier to just put computers and users in the same ou.

Regards
Geoff
RE: [Samba] Migrated fine except passwords
Kevin B wrote:

Hello,

We couldn't connect to the server as any user from client PC's. The smbldaptools were set to use SSHA encryption for password attribute but phpldapadmin showed the passwords as CRYPT with only 8 chars for all users. I suspect the passwords never came over. In my previous lab, the passwords migrated as SSHA encryption and worked fine.

You know that no POSIX passwd info will come over don't you? To do that the samba passwd stuff would have to be cracked and then put into SSHA or MD5 format. Which the tools don't do. So you will only get the samba passwd and then if you are wanting to use other linux services that require POSIX passwords you will need to use some of the password sync options in smb.conf.

Cheers
GS
RE: [Samba] smbldap-tools unresovled problem.
Chris Ong wrote: smbldap-useradd -w %u will add a workstation account to the LDAP tree with all POSIX attribute but without all the SambaSAMAccount attribute. Is this on the command line? Because in the smb.conf this would be correct, as samba adds the necessary SambaSAMAccount attributes by itself. But if you are using the smbldap-tools on the command line you need to specify the -a option to have SambaSAMAccount attributes added. Eg: -a is a Windows User (otherwise, Posix stuff only) Regards Geoff
RE: [Samba] Migrated fine except passwords
Kevin B wrote:

Kevin B wrote:

The effect of this was the user could see their home directory [so they did auth properly with CRYPT] but they could not connect to their own home directory as it was 'owned' by some other uid. So I removed everything including the /home directories and now they connect. I'm not sure why a password reset with SSHA did anything but it's all good now running with CRYPT.

Thanks for the info and the prompt reply.

Kevin B

I would say that you are better off using MD5. Most services just work with it.

Cheers
GS
[Samba] SuSE 9.3 + Samba 3 + LDAP
Horst B. Simon wrote:

Hi All,

I have OX with Samba 3 and Ldap working fine, except that workstation can not join the domain. When I try to join the domain I get following error message:

The following error occurred attempting to join the domain. Can not find user name in Domain.

But the user is there and it creates the computer in ou=computers in ldap. All users have no problems accessing the samba shares and using OX. Anyone in this group has successfully joined a computer into ldap with OX and Samba3?

Regards,
Horst

Horst,

Is the user either root account in LDAP or been given seprivileges as per chapter 5 of JHT example book? Does your smb.conf point to the correct part of ldap for your users? Have nss and pam been configured pointing correctly to where the users are? Is the user that you are trying actually in that part of LDAP? Eg. You aren't trying to use:

    cn=Manager,dc=hsimon,dc=com,dc=au

When your users are in:

    ou=Users,ou=OxObjects,dc=hsimon,dc=com,dc=au

Are you?

Cheers
Geoff
RE: [Samba] Re: SuSE 9.3 + Samba 3 + LDAP
David Krider wrote: * The IDEALX smbldap-useradd script example in their smb.conf file is a little misleading. You'll need a `-a' to get it to add a sambaSamAccount object-classed account. You need to use an -a when using the smbldap-tools scripts on the commandline, but there should be no such need within your smb.conf as samba takes care of samba attributes by itself. GS
RE: [Samba] Samba, Windows 2003 server and large file copy failure
Michael Jenkin wrote:

We have a Windows 2003 Small Business Server and Redhat database server. We used

    mount.cifs 10.0.0.10\\icebackup /mnt/backup -o user=iceserver

Mount.cifs is a different mailing list.

Running ps -e shows the cp command is running. Running a Kill PID against it will not stop the process. The only way to stop the process is a reboot.

kill -9 PID should kill anything, but you aren't being nice to the process doing that.

The log in /var/log/samba/10.0.0.10.log does not seem to have any issues in it.

Mount.cifs is a kernel module and so does no logging to the samba logs. Look in the kernel related logs.

Has anyone seen this before and can anyone recommend a solution or fault detection method?

You could try going the other way with a scheduled xcopy job from the W2K3 server off the RHAS4 server. You could take one of the examples from the first few chapters of the Samba3 by example book online and make up a simple share. Something like this should do:

    # Global parameters
    [global]
    workgroup = COPYWORLD
    netbios name = Firebird
    comment = Firebird database server
    server string = Firebird database server
    security = SHARE
    disable spoolss = Yes
    show add printer wizard = No
    wins server = 10.0.0.2
    hosts allow = 10.0.0.(W2K3IP), 127.

    [Firebird]
    comment = Firebird database
    path = /data/Firebird
    force user = iceserver
    force group = iceservergroup
    read only = No
    guest ok = Yes
    nt acl support = No

Look at the book for the rest of the configs and procedures. This may not be as secure as you would like, Caveat Emptor.

Michael Jenkin
I.T. Manager
RE: [Samba] Running SMB protocol on a web server - Secure or not?
SCOTT BARRIE wrote:

We have a persistent request from web developers to install samba on web servers (Solaris 8\Apache) located in our DMZ to enable them to view log files and data etc from their XP desktops in real time...they do not have Unix Accounts in Production. I've been led to believe that installing samba on a web server seriously compromises security and those responsible for the firewall in the DMZ agree. The problem is I'm having difficulty finding up to date information to present a case either to refuse or grant permission for this request. Any opinions or links to related papers more than welcome.

Thanks for your time
Scott

    hosts allow = 192.168., 127.
    hosts deny = 0.0.0.0/0

Or maybe you could also use:

    bind interfaces only = eth1, lo etc
RE: [Samba] NT4 migration errors
Kevin B wrote:

Geoff kindly replied...

spot on with that assumption. You are using:

    add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'

In your smb.conf aren't you? It should be:

    add user script = /usr/local/sbin/smbldap-useradd -m '%u'

No *-a* flag. Samba now takes care of the samba attributes for a user.

You are correct. I recall at one point I had to add the -a to fix some other problem. Sounds like my whole approach was a bit off [or maybe a byte] so that fix wasn't really relevant.

Like I said you only need that for adding users on the command line

I wiped the ldap clean and did as you advised. Everything was looking good up to this point [step 16]:

    pc-00129:~ # net groupmap list
    Domain Admins (S-1-5-21-1348277581-813059936-1947940980-512) - 512

Does the SID shown by a net rpc info for the old NT4 server look the same as the one shown by a net getlocalsid? Do you have all the delete scripts commented out before you vampire? Can you show us your smb.conf?

It also looks like the /home directory has everyone's $HOME but the uid and gid for each user is numeric instead of resolving the username and groupname [same as before btw].

Right this is a fairly good indicator that either nsswitch.conf, or the pam-ldap files aren't configured properly or that the pam-ldap components aren't installed. You need to double check all those things.

Thanks for the help Geoff. If you have any more ideas let me know :]

What version of the smbldap tools do you have?

Kevin
RE: [Samba] NT4 migration errors
Kevin B wrote:

Geoff kindly replied...

It also looks like the /home directory has everyone's $HOME but the uid and gid for each user is numeric instead of resolving the username and groupname [same as before btw].

Thanks for the help Geoff. If you have any more ideas let me know :]

Kevin

    net rpc vampire -S nt4 -W DOMAIN
    Fetching DOMAIN database
    Creating unix group: 'Domain Admins'
    /usr/local/sbin/smbldap-groupadd: group Domain Admins exists
    [2005/07/14 14:27:20, 0] groupdb/mapping.c:smb_create_group(978)
      smb_create_group: Running the command `/usr/local/sbin/smbldap-groupadd 'Domain Admins'' gave 6
    Creating unix group: 'Domain Users'
    /usr/local/sbin/smbldap-groupadd: group Domain Users exists
    [2005/07/14 14:27:20, 0] groupdb/mapping.c:smb_create_group(978)
      smb_create_group: Running the command `/usr/local/sbin/smbldap-groupadd 'Domain Users'' gave 6
    Creating unix group: 'Domain Guests'
    /usr/local/sbin/smbldap-groupadd: group Domain Guests exists
    [2005/07/14 14:27:21, 0] groupdb/mapping.c:smb_create_group(978)
      smb_create_group: Running the command `/usr/local/sbin/smbldap-groupadd 'Domain Guests'' gave 6
    Creating unix group: 'Sales'
    Creating unix group: 'Accounting'
    Creating account: Administrator
    Could not create posix account info for 'Administrator'

You need to revisit: http://au1.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-PAM-NSS

Your system's ability to resolve posix info is hosed or not set up properly.

Geoff
RE: [Samba] NT4 migration errors
Kevin B wrote:

Hi

I've setup samba 3.0.14 with the latest idealx scripts on FC3. Now I have a test lab to migrate from NT4 box which different than the standalone PDC I have running. Here's the order I used and my ldap and samba configs are clean as far as I can tell since I do get a partial migration. When using 'net rpc vampire -S nt4 -W DOMAIN' it populates the groups from NT4 and shows the group membership but the users fail to come over. Here's what I've done so far. BTW SLES9 server.

[continued below]

From a clean ldap database I add in the top level ldif: --

Then ldapadd the preload ldif to be ready for the NT4 accounts: --

It kind of looks like you are working off an old copy of the Samba3 by example book. Would that be right? I just checked through some of the output in your post, and think that I am spot on with that assumption. You are using:

    add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'

In your smb.conf aren't you? It should be:

    add user script = /usr/local/sbin/smbldap-useradd -m '%u'

No *-a* flag. Samba now takes care of the samba attributes for a user. You only need the *-a* flag set if you are adding a user on the command line using the smbldap-adduser script.

Tah dah! ;-) John T very kindly pointed this out to me when I was having problems. It's one of the small but infuriatingly important changes made to the book

Without looking too hard at what you are doing, I would suggest that you follow the online version where you'll see that the smbldap-tools make it very easy to set up the initial groups by doing the following:

Set up your smb.conf

Go to the smbldap-tools directory and run the configure.pl to configure the tools.
The tools now pick up most of your settings from the smb.conf

Run the smbldap-populate script as per JHT's example (the reason that I suggest this is that it will reduce any human errors made in creating the initial ldif)

Then follow on as before, checking against the examples shown in the samba3 By Example book online:

Next add the smbpasswd to secrets.tdb. Then grab the NT4 SID:

    net rpc getsid -S nt4 -W DOMAIN

[which succeeds and tdbdump shows it]

Now join the domain:

    net rpc join -S nt4 -W DOMAIN -U Administrator%34567

[it joins]

Now we migrate:

    net rpc vampire -S nt4 -W DOMAIN

I'd be interested to see if you still had problems after that.

Thanks in advance.
Kevin

Happy samba-ing,
Geoff