Re: [Samba] Re: Samba server as part of AD domain keeps asking for username and password

2008-09-05 Thread Henrik Beckman
Sorry,

My German is not that good so I'll stick to English.
I had a similar problem which was caused by samba not being able to recognize
machines (AWM013 is a machine account or a user?), we have a unix heavy
samba environment with users in both AD and unix but computers only in AD.

We had problems when the computer account tried to gain access to IPC$? but
were denied because the account was not recognized by samba.
If you were to allow guest for bad users that would go away, security might be
solvable by mapping guest to nobody? Not that I would run this in production
but it's a way to test.

Also if wbinfo -u or -g doesn't work, try to set a valid user account in winbind
to use when connecting to the domain.

/Henrik


2008/9/5 Andreas Ladanyi [EMAIL PROTECTED]

 Hello Hendrik,

 Unfortunately your post only reached me! Neither Wolfgang nor the
 mailing list :-(

 For testing I find the parameter:

 map to guest = Bad User

 OK, but not necessarily for the production system.

 What do you think?

 Shouldn't a public share with public=yes or guest ok = yes mean
 that you don't get a password popup at all? Otherwise it wouldn't
 really make sense, would it?

 Regards,
 Andy


  -Original Message-
  From: Henrik Beckman [EMAIL PROTECTED]
  Sent: 04.09.08 22:06:33
  To: Andreas Ladanyi [EMAIL PROTECTED]
  Subject: Re: [Samba] Re: Samba server as part of AD domain keeps asking
 for username and password


 
  On Thu, Sep 4, 2008 at 8:45 PM, Andreas Ladanyi [EMAIL PROTECTED]
  wrote:
 
   [EMAIL PROTECTED] wrote:
   Hi Andy,
 
   Thanks for the answer but I've tried this already.
   With guest ok = yes And/or
   valid users = TESTDOM\awm013 awm013 testdom\awm013 AWM013
 
   I haven't set the winbind separator so it should be ok to use \
 
   And also with guest ok = yes I still get the password prompt.
 
   Thanks
   Wolfgang
 
   Hi Wolfgang,
 
   The error message is:
 
   Username TESTDOM\AWM013 is invalid on this system --
  --
   There it is
   [2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
   error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX)
   NT_STATUS_LOGON_FAILURE
 
   The username is invalid !! Is AWM013 really a user with unix
  attributes in the Active Directory ?
 
   You are working with winbind. Which backend do you use to save your
  unix user information ? Windows Server 2003 R2 ?
 
   I am wondering, I can't read an idmap backend =  parameter in your
  smb.conf !
 
   What is the result of wbinfo -u and wbinfo -g and wbinfo -t ???
  
 
   Bye,
   Andy
 
 
  Is awm013 a computer?
  If so try guest = Ok and map to guest = Bad User.
  Also as Andy asks does wbinfo -u and -g work, otherwise what user
  does winbindd use?
 
  Do you have 2008 server as password servers?
 
  /Henrik
 
 
 
 
 




--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
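
Added example, not part of the thread and not Samba's own tooling: a small audit of smb.conf text for the guest settings discussed above (`map to guest`, and `guest ok` or its synonym `public`), reporting which shares a guest session could read or write. The function names and the sample share names are assumptions made for illustration.

```python
# Added example (not Samba code): flag guest-access settings in smb.conf text.
TRUE = {"yes", "true", "1", "on"}

def parse_smb_conf(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and spaces in parameter names: "guest ok" == "GuestOK"
            current["".join(key.split()).lower()] = value.strip()
    return sections

def lookup(layers, names, inverted=()):
    """First boolean found, share section before [global]; None when unset."""
    for params in layers:
        for name in (*names, *inverted):
            if name in params:
                return (params[name].lower() in TRUE) != (name in inverted)
    return None

def audit_guest_access(text):
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    findings = []
    if glob.get("maptoguest", "never").lower() != "never":
        findings.append(("global", "map-to-guest"))
    for name, params in sections.items():
        layers = (params, glob)
        if name == "global" or not lookup(layers, ("guestok", "public")):
            continue
        # "writeable", "writable" and "write ok" are inverted synonyms of "read only"
        read_only = lookup(layers, ("readonly",), ("writeable", "writable", "writeok"))
        findings.append((name, "guest-writable" if read_only is False else "guest-read-only"))
    return findings

# Constructed sample; share names are made up for illustration.
SAMPLE = r"""
[Global]
   map to guest = Bad User
[scratch]
   guest ok = yes
   read only = no
[docs]
   public = yes
"""
```

A `guest-writable` finding together with `map-to-guest` is the combination both posters describe as acceptable for a test but not for production.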


[Samba] DFS and 2008

2008-08-30 Thread Henrik Beckman
Hi,

does anyone have samba dfs working in an environment with 2008 password servers?

/Henrik


[Samba] problems with DFS

2008-08-27 Thread Henrik Beckman
Hi,

We have been a samba shop since way back and have used DFS quite a lot the
last years.
When we went with security ads instead of domain our dfs died.
We have tried 3.028(sun) in solaris which we are leaving and 3.2.1 in linux,
our migration target.

For our 3.2.1 installation the config looks like this and the problem
manifests itself as an empty share.

[Global]
kernel oplocks = False
oplocks = False
level2 oplocks = False
realm = SGU.SE
workgroup = SGU
netbios name = fs4
server string = fs4
security = ADS
use kerberos keytab = true
password server = ad1 ad2
wins server = 10.1.9.10 10.1.9.9
name resolve order = ads hosts wins bcast

map to guest = Bad User
disable netbios = No
log level = 5
client use spnego = Yes
server signing = auto
host msdfs = Yes
#msdfs root = Yes
ntlm auth = No
lanman auth = no

dos charset = ISO8859-1
unix charset = ISO8859-1

winbind trusted domains only = yes

[drift-a]
msdfs root = Yes
path = /export/dfsroot
read only = no
guest ok = yes

ls -l in /export/dfsroot
drift-a - msdfs:filer2\drift-a

Domain servers are 2008 for, domainlevel is still 2003.
We have all our users both in Unix LDAP and AD so we map username to
username, no idmap ranges.


HELP!

/Henrik


[Samba] Re: problems with DFS

2008-08-27 Thread Henrik Beckman
Seems to be netbios related, after some modifications it now works if server
is accessed through ip address instead of name.
I'm a bit lost now as to why normal shares work with \\name\share but not dfs
shares, \\FQDN\share also fails.

\\name\share
0.00  10.1.20.201 - 10.1.9.34SMB Session Setup AndX Request
  0.2410.1.9.34 - 10.1.20.201  TCP microsoft-ds  sunlps-http [ACK]
Seq=1 Ack=1351 Win=11680 Len=0
  0.02013410.1.9.34 - 10.1.20.201  SMB Session Setup AndX Response,
Error: STATUS_LOGON_FAILURE
  0.023257  10.1.20.201 - 10.1.9.34SMB Session Setup AndX Request
  0.03206010.1.9.34 - 10.1.20.201  SMB Session Setup AndX Response,
Error: STATUS_LOGON_FAILURE
  0.216549  10.1.20.201 - 10.1.9.34SMB Trans2 Request, QUERY_PATH_INFO,
Query File Basic Info, Path: \it-service
  0.21789010.1.9.34 - 10.1.20.201  SMB Trans2 Response, QUERY_PATH_INFO
  0.218327  10.1.20.201 - 10.1.9.34SMB Trans2 Request, FIND_FIRST2,
Pattern: \it-service\*
  0.21902310.1.9.34 - 10.1.20.201  SMB Trans2 Response, FIND_FIRST2,
Error: STATUS_OBJECT_NAME_NOT_FOUND
  0.240259  10.1.20.201 - 10.1.9.34SMB Session Setup AndX Request
  0.25649310.1.9.34 - 10.1.20.201  SMB Session Setup AndX Response,
Error: STATUS_LOGON_FAILURE
  0.261364  10.1.20.201 - 10.1.9.34SMB Trans2 Request, QUERY_PATH_INFO,
Query File Basic Info, Path: \it-service
  0.26260510.1.9.34 - 10.1.20.201  SMB Trans2 Response, QUERY_PATH_INFO
  0.262962  10.1.20.201 - 10.1.9.34SMB NT Create AndX Request, Path:
\it-service
  0.26367010.1.9.34 - 10.1.20.201  SMB NT Create AndX Response, FID:
0x, Error: STATUS_OBJECT_NAME_NOT_FOUND
  0.264969  10.1.20.201 - 10.1.9.34SMB Session Setup AndX Request
  0.268266  10.1.20.201 - 10.1.9.34SMB NT Cancel Request
  0.26829310.1.9.34 - 10.1.20.201  TCP microsoft-ds  sunlps-http [ACK]
Seq=404 Ack=5869 Win=20250 Len=0
  0.27679410.1.9.34 - 10.1.20.201  SMB Session Setup AndX Response,
Error: STATUS_LOGON_FAILURE
  0.27741910.1.9.34 - 10.1.20.201  SMB NT Trans Response, unknown,
Error: STATUS_CANCELLED
  0.277587  10.1.20.201 - 10.1.9.34TCP sunlps-http  microsoft-ds [ACK]
Seq=5869 Ack=518 Win=63473 Len=0
  0.278332  10.1.20.201 - 10.1.9.34SMB Close Request, FID: 0x1bb7
  0.27907210.1.9.34 - 10.1.20.201  SMB Close Response
  0.462238  10.1.20.201 - 10.1.9.34TCP sunlps-http  microsoft-ds [ACK]
Seq=5914 Ack=557 Win=63434 Len=0


If accessed by ip address\share
  0.00  10.1.20.201 - 10.1.9.34SMB Trans2 Request, QUERY_PATH_INFO,
Query File Basic Info, Path: \10.1.9.34\drift
  0.00120010.1.9.34 - 10.1.20.201  SMB Trans2 Response, QUERY_PATH_INFO
  0.001843  10.1.20.201 - 10.1.9.34SMB Trans2 Request, QUERY_FS_INFO,
Query FS Size Info
  0.00297110.1.9.34 - 10.1.20.201  SMB Trans2 Response, QUERY_FS_INFO
  0.003553  10.1.20.201 - 10.1.9.34SMB Trans2 Request, QUERY_PATH_INFO,
Query File Basic Info, Path: \10.1.9.34\drift\it-service
  0.00430010.1.9.34 - 10.1.20.201  SMB Trans2 Response,
QUERY_PATH_INFO, Error: STATUS_PATH_NOT_COVERED
  0.005632  10.1.20.201 - 10.1.9.34SMB Trans2 Request,
GET_DFS_REFERRAL, File: \10.1.9.34\drift\it-service\
  0.01046810.1.9.34 - 10.1.20.201  SMB Trans2 Response,
GET_DFS_REFERRAL
  0.183732  10.1.20.201 - 10.1.9.34TCP scp  microsoft-ds [ACK] Seq=453
Ack=484 Win=63597 Len=0
  3.136382  10.1.20.201 - 10.1.9.34SMB NT Cancel Request
  3.13709410.1.9.34 - 10.1.20.201  SMB NT Trans Response, unknown,
Error: STATUS_CANCELLED
  3.137466  10.1.20.201 - 10.1.9.34SMB Close Request, FID: 0x1bf3
  3.13829810.1.9.34 - 10.1.20.201  SMB Close Response
  3.356468  10.1.20.201 - 10.1.9.34TCP scp  microsoft-ds [ACK] Seq=538
Ack=598 Win=63483 Len=0


On Wed, Aug 27, 2008 at 9:27 AM, Henrik Beckman [EMAIL PROTECTED] wrote:

 Hi,

 We have been a samba shop since way back and have used DFS quite a lot the
 last years.
 When we went with security ads instead of domain our dfs died.
 We have tried 3.028(sun) in solaris which we are leaving and 3.2.1 in linux,
 our migration target.

 For our 3.2.1 installation the config looks like this and the problem
 manifests itself as an empty share.

 [Global]
 kernel oplocks = False
 oplocks = False
 level2 oplocks = False
 realm = SGU.SE
 workgroup = SGU
 netbios name = fs4
 server string = fs4
 security = ADS
 use kerberos keytab = true
 password server = ad1 ad2
 wins server = 10.1.9.10 10.1.9.9
 name resolve order = ads hosts wins bcast

 map to guest = Bad User
 disable netbios = No
 log level = 5
 client use spnego = Yes
 server signing = auto
 host msdfs = Yes
 #msdfs root = Yes
 ntlm auth = No
 lanman auth = no

 dos charset = ISO8859-1
 unix charset = ISO8859-1

 winbind trusted domains only = yes

 [drift-a]
 msdfs root = Yes
 path = /export/dfsroot
 read only = no
 guest ok = yes

 ls -l in /export/dfsroot
 drift-a - msdfs:filer2\drift-a

 Domain servers are 2008 for, domainlevel is still 2003.
 We have

Re: [Samba] Acl problems with 3.07 on solaris 9

2004-10-07 Thread Henrik Beckman
Hi

Well it works but not the way I want... ; ) 

I would like to have the SID for user0 to map to the UID for user0, 
otherwise if winbindd maps user0 SID to UID 15000 when
the user has UID 512 all permissions that are set from windows are 
worthless when accessing the filestructure from unix with NIS permissions.
If the files are moved to another fileserver same thing the mapping would 
also break.

My NT users and groups are for legacy reasons empty and only for
windows login, all permissions are managed by NIS users and groups and are
set by
standard file permission or acl:s. Standard user/group and rwx can be set
from windows but the acls can't.

Your winbindd instructions solve that but not in a usable way, can I
solve this with some kind of static UID-SID mapping list or am I
forced to use ldap or AD?

/Henrik
www.sgu.se 




John H Terpstra [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
2004-10-01 19:19
Please respond to: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Samba] Acl problems with 3.07 on solaris 9

On Friday 01 October 2004 02:41, Henrik Beckman wrote:
 Hi all

 I get the following errors when trying to set acls, client os is NT4 and
 XP, server is 3.0.7 on solaris9

 [2004/10/01 09:33:22, 0] smbd/posix_acls.c:create_canon_ace_lists(1385)
   create_canon_ace_lists: unable to map SID sid number removed by me
 to uid or gid.

 Samba is a member in a NT4 domain, all permissions are managed by unix
 uid/gid which are in NIS, each unix user exists in NT but no groups.
 (passwords are synchronized.)
 There is a user.map file for those 5 users who don't have the same
 username in unix as in the domain but those are admin accounts only.

 Do I have to use winbind to get the mapping to work ?

 [global]
 workgroup = DOMAIN NAME
 netbios name =netbios NAME
 server string = server name
 security = DOMAIN
 encrypt passwords = Yes

This is already default behavior - no need to set it.

 min passwd length = 6
 password server = pdc bdc

This is worked out automatically - only need to specify it if you absolutely
need to force samba to authenticate to a particular PDC or BDC server.

 username map = /usr/local/samba/lib/users.map
 #loglevel = 2
 log file = /var/opt/samba/log/%m
 name resolve order = host wins bcast

Suggest:
 name resolve order = wins bcast host

 time server = Yes
 deadtime = 10
 wins server = wins1 wins2

Specify only one WINS server.

 kernel oplocks = No
 host msdfs = Yes
 invalid users = smsclitoknacct smsclisvcacct
 create mask = 0644
 inherit acls = Yes

Add:
 idmap uid = 15000-2
 idmap gid = 15000-2


Also, you must run winbindd. I hope you have added to your
/etc/nsswitch.conf file:

 hosts: files dns wins
 passwd: files winbind
 shadow: files winbind
 group: files winbind

Make sure that the following work:

 wbinfo -u
 wbinfo -g
 getent passwd
 getent group



 Samba is compiled with acl support.
 ACL are used in the ufs filesystem and works.

 This is slowly driving me insane.

http://www.samba.org/samba/docs/Samba-Guide.pdf 

See chapter 9.

It's all explained there. If it is not clear and I have failed to cover your
needs please let me know so I can update the documentation.

- John T.
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO  Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.


[Samba] Acl problems with 3.07 on solaris 9

2004-10-01 Thread Henrik Beckman
Hi all
I get the following errors when trying to set acls, client os is NT4 and 
XP, server is 3.0.7 on solaris9

[2004/10/01 09:33:22, 0] smbd/posix_acls.c:create_canon_ace_lists(1385)
 create_canon_ace_lists: unable to map SID sid number removed by me 
to uid or gid.

Samba is a member in a NT4 domain, all permissions are managed by unix
uid/gid which are in NIS, each unix user exists in NT but no groups.
(passwords are synchronized.)
There is a user.map file for those 5 users who don't have the same
username in unix as in the domain but those are admin accounts only.

Do I have to use winbind to get the mapping to work ?
[global]
   workgroup = DOMAIN NAME
   netbios name =netbios NAME
   server string = server name
   security = DOMAIN
   encrypt passwords = Yes
   min passwd length = 6
   password server = pdc bdc
   username map = /usr/local/samba/lib/users.map
   #loglevel = 2
   log file = /var/opt/samba/log/%m
   name resolve order = host wins bcast
   time server = Yes
   deadtime = 10
   wins server = wins1 wins2
   kernel oplocks = No
   host msdfs = Yes
   invalid users = smsclitoknacct smsclisvcacct
   create mask = 0644
   inherit acls = Yes
Samba is compiled with acl support.
ACL are used in the ufs filesystem and works.
This is slowly driving me insane.
TIA
/Henrik


[Samba] Compile problems with 3.07 on solaris

2004-09-16 Thread Henrik Beckman
Hi all
I have severe problems compiling samba 3.0.7 on solaris8, my gcc is
built with /usr/ccs/bin/ld and therefore gcc bails with an ld -E error
since the -E parameter isn't supported in /usr/ccs/bin/ld.
Trying to compile with Sun's forte 6.2 compiler produces the following
error, don't know if it's related to the compiler though.

Linking nsswitch/libnss_wins.so
ld: fatal: file dynconfig.po.o: open failed: No such file or directory
ld: fatal: file lib/version.po.o: open failed: No such file or directory
ld: fatal: File processing errors. No output written to 
nsswitch/libnss_wins.so
make: *** [nsswitch/libnss_wins.so] Error 1

*_Parameters_*
./configure --prefix=/usr/local/samba-3.0.7 --libdir=/etc/samba 
--sysconfdir=/etc/samba 
--localstatedir=/var/opt/samba --with-privatedir=/etc/samba --with-quotas 
--with-acl-support --with-msdfs

*_From Makefile_*
prefix=/usr/local/samba-3.0.7
exec_prefix=${prefix}
LIBS= -lsendfile -lsec -lgen -lresolv -lsocket -lnsl -ldl -liconv
CC=/prog/forte62/bin/cc
SHLD=${CC} ${CFLAGS}
CFLAGS= -O
CPPFLAGS= -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/local/include
EXEEXT=
LDFLAGS= -L/usr/local/lib
AR=ar
LDSHFLAGS=-G ${CFLAGS}  -L/usr/local/lib
WINBIND_NSS_LDSHFLAGS=-G ${CFLAGS}  -L/usr/local/lib
AWK=gawk
DYNEXP=
PYTHON=
PERL=/usr/local/bin/perl
Please help, I'm running out of ideas.
TIA
/Henrik
www.sgu.se