Re: [Samba] Samba + Winbind + Windows 2003 AD
as req. I will resend part of first message:

My Samba config: http://pastebin.com/ZqaA0Ypn

After the join I'm able to look up people with
# wbinfo -u
[...] XX hds XXX [...]
# wbinfo -g
[...] bg XX bg hds bg XXX [...]

Now the problem: getent only returns the local users and not the users from the AD.
The funny thing is that if a user is local on the UNIX and in the AD, I can log in with the password from both local and AD, so I know that it can look up people and passwords.

# getent passwd hs ; echo $?
2

When I debug on getent it returns 2, which means that it can't find the user.

I know there can be a problem with this if the resolv-names is not working
# ping addc.UNDERVISNING.LOCAL
PING addc.birke-gym.dk (10.3.17.1) 56(84) bytes of data.
64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=1 ttl=128 time=0.211 ms
64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=2 ttl=128 time=0.207 ms

# ping mail.UNDERVISNING.LOCAL
PING mail.birke-gym.dk (127.0.1.1) 56(84) bytes of data.
64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=1 ttl=64 time=0.099 ms
64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=2 ttl=64 time=0.094 ms

My krb5-conf:

Med Venlig Hilsen / Best Regards
Henrik Dige Semark

On 19-07-2010 01:49, Necos Secon wrote:

I accidentally deleted the first set of messages in my email for this thread, but does your DNS resolve properly? What does your resolv.conf look like? Also, what do these files look like:
krb5.conf
smb.conf

There's an option in smb.conf, winbind enum users, which needs to be set in order for getent to function properly. There is a corresponding option for groups as well. Look at them and let us know.

Date: Mon, 19 Jul 2010 01:12:41 +0200
From: h...@semark.dk
To: esiot...@gmail.com
CC: samba@lists.samba.org
Subject: Re: [Samba] Samba + Winbind + Windows 2003 AD

Hi Michael

Sorry for not sending that information in the first place, but I thought that it was so basic that it wasn't necessary.

My nsswitch.conf:
# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat winbind

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files

services: db files
ethers: db files
protocols: db files
rpc: db files

netgroup: nis

I will mean that it is the way to do this (and it works just fine on the UNIX servers that run their own Domain Controller)

Med Venlig Hilsen / Best Regards
Henrik Dige Semark

On 18-07-2010 17:03, Michael Wood wrote:

On 18 July 2010 01:34, Henrik Dige Semark wrote:

Hey out there.

I have to join my UNIX server with an existing Win2k3 AD network.

My system info:
Debian Lenny
Samba - 3.4.8
Winbind - 3.4.8
Windows Server 2003 with 2000-style-AD

My problem is that I have a UNIX server that has to run auth up against our existing Windows 2003 AD.
I have successfully joined my UNIX server to the AD, without problems.

# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'MAIL' to realm 'TEST.LOCAL'

My Samba config: http://pastebin.com/ZqaA0Ypn

After the join I'm able to look up people with
# wbinfo -u
[...]
# wbinfo -g
[...]

Now the problem: getent only returns the local users and not the users from the AD.
The funny thing is that if a user is local on the UNIX and in the AD, I can log in with the password from both local and AD, so I know that it can look up people and passwords.

# getent passwd hs ; echo $?
2

When I debug on getent it returns 2, which means that it can't find the user.

Do you have winbind specified in your nsswitch.conf file as mentioned here:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2654732

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi Michael

Sorry for not sending that information in the first place, but I thought that it was so basic that it wasn't necessary.

My nsswitch.conf:
# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: compat winbind

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files

services: db files
ethers: db files
protocols: db files
rpc: db files

netgroup: nis

I will mean that it is the way to do this (and it works just fine on the UNIX servers that run their own Domain Controller)

Med Venlig Hilsen / Best Regards
Henrik Dige Semark

On 18-07-2010 17:03, Michael Wood wrote:

On 18 July 2010 01:34, Henrik Dige Semark wrote:

Hey out there.

I have to join my UNIX server with an existing Win2k3 AD network.

My system info:
Debian Lenny
Samba - 3.4.8
Winbind - 3.4.8
Windows Server 2003 with 2000-style-AD

My problem is that I have a UNIX server that has to run auth up against our existing Windows 2003 AD.
I have successfully joined my UNIX server to the AD, without problems.

# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'MAIL' to realm 'TEST.LOCAL'

My Samba config: http://pastebin.com/ZqaA0Ypn

After the join I'm able to look up people with
# wbinfo -u
[...]
# wbinfo -g
[...]

Now the problem: getent only returns the local users and not the users from the AD.
The funny thing is that if a user is local on the UNIX and in the AD, I can log in with the password from both local and AD, so I know that it can look up people and passwords.

# getent passwd hs ; echo $?
2

When I debug on getent it returns 2, which means that it can't find the user.

Do you have winbind specified in your nsswitch.conf file as mentioned here:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2654732
Re: [Samba] Samba + Winbind + Windows 2003 AD
Hi Tobias

To be honest I don't really know that much about the Windows AD, I'm not a Windows guy. When I talked with the Windows AD Administrator he told me that it was an RFC2307 schema and not an old SFU, but I have just now logged on to the AD server and it doesn't seem like any schemas are loaded at all.

My winbind debugging: http://pastebin.com/WjDRvp8q
Winbind debugging while getent passwd USER: http://pastebin.com/0B24yePY

I don't know why there is a lot of UVROOT.LOCAL, my server is only joined to UNDERVISNING.LOCAL, but the Windows AD server does know UVROOT also.

--
Med Venlig Hilsen / Best Regards
Henrik Dige Semark

On 18-07-2010 08:58, Mucke, Tobias, FCI4 wrote:

Hi Henrik,

I am also fighting with Winbind for a few days now experiencing some weird behaviour. Regarding your explanation I assume you have SFU running in your AD Domain. Do you really have a RFC2307 compliant schema in AD or do you still stick to SFU schema?

For debugging the winbind it was helpful to me to start it in a shell as a foreground process with debugging on, e. g.

/usr/sbin/winbindd -SFi -d3

Now you should be able to see the different Winbind behaviour regarding the login and getent.

Good luck.

Tobias Mucke

LFK-Lenkflugkörpersysteme GmbH
Serverpool, FCI4
Landshuter Straße 26, 85716 Unterschleißheim, GERMANY
Phone: +49 89 3179 8438
Fax: +49 89 3179 8927
Mobile: +49 170 635 3830
E-Mail: tobias.mu...@mbda-systems.de
http://www.mbda.net

Chairman of the Supervisory Board: Antoine Bouvier
Managing Director: Werner Kaltenegger
Registered Office: Schrobenhausen
Commercial Register: Amtsgericht Ingolstadt, HRB 4365

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Henrik Dige Semark
Sent: Sunday, July 18, 2010 1:35 AM
To: samba@lists.samba.org
Subject: [Samba] Samba + Winbind + Windows 2003 AD

Hey out there.

I have to join my UNIX server with an existing Win2k3 AD network.

My system info:
Debian Lenny
Samba - 3.4.8
Winbind - 3.4.8
Windows Server 2003 with 2000-style-AD

My problem is that I have a UNIX server that has to run auth up against our existing Windows 2003 AD.
I have successfully joined my UNIX server to the AD, without problems.

# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'MAIL' to realm 'TEST.LOCAL'

My Samba config: http://pastebin.com/ZqaA0Ypn

After the join I'm able to look up people with
# wbinfo -u
[...] XX hds XXX [...]
# wbinfo -g
[...] bg XX bg hds bg XXX [...]

Now the problem: getent only returns the local users and not the users from the AD.
The funny thing is that if a user is local on the UNIX and in the AD, I can log in with the password from both local and AD, so I know that it can look up people and passwords.

# getent passwd hs ; echo $?
2

When I debug on getent it returns 2, which means that it can't find the user.

I know there can be a problem with this if the resolv-names is not working
# ping addc.UNDERVISNING.LOCAL
PING addc.birke-gym.dk (10.3.17.1) 56(84) bytes of data.
64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=1 ttl=128 time=0.211 ms
64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=2 ttl=128 time=0.207 ms

# ping mail.UNDERVISNING.LOCAL
PING mail.birke-gym.dk (127.0.1.1) 56(84) bytes of data.
64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=1 ttl=64 time=0.099 ms
64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=2 ttl=64 time=0.094 ms

Is there anyone that can see where I have done something wrong in my samba-config?

--
Med Venlig Hilsen / Best Regards
Henrik Dige Semark
[Samba] Samba + Winbind + Windows 2003 AD
Hey out there.

I have to join my UNIX server with an existing Win2k3 AD network.

My system info:
Debian Lenny
Samba - 3.4.8
Winbind - 3.4.8
Windows Server 2003 with 2000-style-AD

My problem is that I have a UNIX server that has to run auth up against our existing Windows 2003 AD.
I have successfully joined my UNIX server to the AD, without problems.

# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- TEST
Joined 'MAIL' to realm 'TEST.LOCAL'

My Samba config: http://pastebin.com/ZqaA0Ypn

After the join I'm able to look up people with
# wbinfo -u
[...] XX hds XXX [...]
# wbinfo -g
[...] bg XX bg hds bg XXX [...]

Now the problem: getent only returns the local users and not the users from the AD.
The funny thing is that if a user is local on the UNIX and in the AD, I can log in with the password from both local and AD, so I know that it can look up people and passwords.

# getent passwd hs ; echo $?
2

When I debug on getent it returns 2, which means that it can't find the user.

I know there can be a problem with this if the resolv-names is not working
# ping addc.UNDERVISNING.LOCAL
PING addc.birke-gym.dk (10.3.17.1) 56(84) bytes of data.
64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=1 ttl=128 time=0.211 ms
64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=2 ttl=128 time=0.207 ms

# ping mail.UNDERVISNING.LOCAL
PING mail.birke-gym.dk (127.0.1.1) 56(84) bytes of data.
64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=1 ttl=64 time=0.099 ms
64 bytes from mail.birke-gym.dk (127.0.1.1): icmp_seq=2 ttl=64 time=0.094 ms

Is there anyone that can see where I have done something wrong in my samba-config?

--
Med Venlig Hilsen / Best Regards
Henrik Dige Semark
Re: [Samba] Debian Lenny: Samba PDC + LDAP
I have just checked my PAM.d settings: http://pastebin.com/m6844b37b and I can't see what might be wrong here.

I will test if I can log on to the console when I get my hands on the server. Do I have to reboot when pam.d settings have changed? In this case I will wait until I'm next to the server.

It's not possible to log on to a samba-share with the Admin user, error in LDAP, "NT_STATUS_NO_SUCH_USER"

---
Med Venlig Hilsen / Best regards
Henrik Dige Semark

David Harrison wrote:

The error log you posted seems to suggest an error with your PAM/LDAP configuration.

The error messages you are seeing are exactly the same as these people:
http://lists.samba.org/archive/samba/2004-November/095960.html
http://lists.samba.org/archive/samba/2006-December/127799.html

Take a second look at how this is all configured. If it is working you should be able to login to the local server console using your LDAP-based credentials. Likewise run some tests just connecting to a Samba share as Admin. If both these things are working then your domain logons should be happier.

David

On Mon, Feb 15, 2010 at 9:29 PM, Henrik Dige Semark <h...@semark.dk> wrote:

Hey out there.

I have to get my PDC to work now, and I'm so close to desperation that I have taken myself in looking at a Windows server.

My problem is that I have to get roaming profile for some Windows XP Pro clients to work, and I have a Debian based server solution.
The problem is that I can't see where I do something wrong...

When I run "smbldap-useradd -w testing$" it gets imported to LDAP, when I try to connect my client, Samba connects to LDAP, when I do an LDAP-search I get the info that I want, when I test to see if my Admin user is possible to find from UNIX it returns the right thing. What have I missed?

# getent passwd Admin
Admin:x:0:0:Netbios Domain Administrator:/home/Admin:/bin/false

LDAP-search string: http://pastebin.com/m6d9f595a
Log when I try to join a client: http://pastebin.com/m697c7f35
Samba-conf: http://pastebin.com/m188ee119
slapd.conf: http://pastebin.com/m6f13648a
schema.conf: http://pastebin.com/m71cca406
ldap.conf: http://pastebin.com/m52b39761
nsswitch.conf: http://pastebin.com/m7d2dc9b0

System info:
Clean installed Debian Lenny (5.0.3)
Clean installed Samba 3.2.5 + Winbind 3.2.5
Clean installed OpenLDAP 2.4.11 (slapd)
Debian default smbldap-tools (smbldap-populate is working and has populated LDAP without problems)

If there is something I have forgotten please just ask for it, I'm still close to being desperate!

--
Med Venlig Hilsen / Best regards
Henrik Dige Semark
[Samba] Debian Lenny: Samba PDC + LDAP
Hey out there.

I have to get my PDC to work now, and I'm so close to desperation that I have taken myself in looking at a Windows server.

My problem is that I have to get roaming profile for some Windows XP Pro clients to work, and I have a Debian based server solution.
The problem is that I can't see where I do something wrong...

When I run "smbldap-useradd -w testing$" it gets imported to LDAP, when I try to connect my client, Samba connects to LDAP, when I do an LDAP-search I get the info that I want, when I test to see if my Admin user is possible to find from UNIX it returns the right thing. What have I missed?

# getent passwd Admin
Admin:x:0:0:Netbios Domain Administrator:/home/Admin:/bin/false

LDAP-search string: http://pastebin.com/m6d9f595a
Log when I try to join a client: http://pastebin.com/m697c7f35
Samba-conf: http://pastebin.com/m188ee119
slapd.conf: http://pastebin.com/m6f13648a
schema.conf: http://pastebin.com/m71cca406
ldap.conf: http://pastebin.com/m52b39761
nsswitch.conf: http://pastebin.com/m7d2dc9b0

System info:
Clean installed Debian Lenny (5.0.3)
Clean installed Samba 3.2.5 + Winbind 3.2.5
Clean installed OpenLDAP 2.4.11 (slapd)
Debian default smbldap-tools (smbldap-populate is working and has populated LDAP without problems)

If there is something I have forgotten please just ask for it, I'm still close to being desperate!

--
Med Venlig Hilsen / Best regards
Henrik Dige Semark
Re: [Samba] Debian Lenny - Samba 3.2.5 + OpenLDAP (slapd) 2.4.11
count pol cache
Adding cache entry with key = ACCT_POL/maximum password age; value = 4294967295 and timeout = Wed Jan 27 22:28:14 2010 (60 seconds ahead)
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FF

# net groupmap list | grep "Domain Admins"
Domain Admins (S-1-5-21-860714184-2299130787-2886737959-512) -> 512

My system is still not authorising against LDAP for UNIX login so not sure that I can check groups

---
Med Venlig Hilsen / Best regards
Henrik Dige Semark

On 27-01-2010 22:22, Gaiseric Vandal wrote:
> Sorry, should be "Administrator"
>
>
> Verify the user exists in samba with " pdbedit -Lv Administrator"
>
> and that group mapping is setup.
>
> # net groupmap list | grep "Domain Admins"
> Domain Admins (S-1-5-21-x-512) -> Domain Admins
> #
>
> The unix group name (on the right side of the mapping) may not
> exactly match the windows name.
> You might have
>
> # net groupmap list | grep "Domain Admins"
> Domain Admins (S-1-5-21-x-512) -> Samba_Domain_Admins
> #
>
>
> Also verify that the Administrator is the correct groups
>
> #groups Administrator
> Domain Admins Domain Users
>
>
>
> I also had mappings for
> Domain Users
> Domain Computers
> Domain Guests
> Domain Controllers
>
>
>
> On 01/27/10 15:33, Henrik Dige Semark wrote:
>> I have just tried with "net join -U Admin" and I get the same error as
>> before.
>>
>> # net join -U Admin
>> Enter admin's password:
>> Could not connect to server PDC
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>> [ ...
] >> quality_candidates: id=0, first=0, last=0 >> Jan 27 21:32:11 hds-debian-virt slapd[1868]: bdb_search_candidates: >> id=0 first=17 last=0 >> Jan 27 21:32:11 hds-debian-virt slapd[1868]: hdb_search: no candidates >> Jan 27 21:32:11 hds-debian-virt slapd[1868]: send_ldap_result: conn=5 >> op=1146 p=3 >> Jan 27 21:32:11 hds-debian-virt slapd[1868]: send_ldap_result: err=0 >> matched="" text="" >> Jan 27 21:32:11 hds-debian-virt slapd[1868]: send_ldap_response: >> msgid=1147 tag=101 err=0 >> >> --- >> Med Venlig Hilsen / Best regards >> Henrik Dige Semark >> >> >> On 27-01-2010 21:06, Gaiseric Vandal wrote: >> >>> Try using "net ... -U Administrator" instead, since "root" is not >>> by default a member of the domain admin group. This presumes you have >>> created the Administrator account in samba, created the "domain >>> admins" group and setup the approp group mapping for key groups >>> (domain admins, domain users etc.) >>> >>> >>> >>> >>> On 01/27/10 14:23, Henrik Dige Semark wrote: >>> >>>> Dos the PDC have to join the domain also? >>>> >>>> When I try to join my PDC to its domain with "net join" I get the >>>> following error. >>>> >>>> Enter root's password: >>>> Could not connect to server PDC >>>> The username or password was not correct. >>>> Connection failed: NT_STATUS_LOGON_FAILURE >>>> >>>> >>>> The netbios name for my PDC is pdc.semarktest.dk I guess that way it >>>> tells my that is can't connect to server PDC >>>> I have checked that pdc is in the name server (nameserver is on >>>> 127.0.0.1) >>>> >>>> # host pdc >>>> pdc.semarktest.dk has address 192.168.1.182 >>>> >>>> Is there something I'm missing? 
>>>> >>>> Log dump from net join command: >>>> >>>> # tail -200 /var/log/syslog | grep slapd >>>> Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_get(22): got >>>> connid=15 >>>> Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_read(22): >>>> checking for input on id=15 >>>> Jan 27 20:21:53 hds-debian-virt slapd[1868]: conn=15 op=2 do_search >>>> Jan 27 20:21:53 hds-debian-virt slapd[1868]:>>> >>>> dnPrettyNormal: >>>> >>>> [ ... ] >>>> Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_closing: >>>> readying conn=15 sd=22 for close >>>> Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_close: >>>> conn=15 sd=22 >>>> >>>> --- >>>> Med V
Re: [Samba] Debian Lenny - Samba 3.2.5 + OpenLDAP (slapd) 2.4.11
I have remembered to run smbpasswd -W, and I still get the same error when I try with -S pdc on net join command.
I can see that LDAP is activated, and that samba is doing something, but it seems like the answer disappears on the way back.

Samba has initialised my LDAP with its SID and RID's, when it can do this why is it not possible to look up users?

Is it necessary to join my PDC to its own domain btw? Cause the new server here is going to be PDC and replace my old Win2k DC (it's not a member, it's a separate test-domain)

---
Med Venlig Hilsen / Best regards
Henrik Dige Semark

On 27-01-2010 21:56, Dale Schroeder wrote:
> Did you remember to run "smbpasswd -W"?
>
> Sometimes you have to add the -S switch for the join to work.
> net rpc join -S pdc -U root
>
> Dale
>
>
> On 01/27/2010 2:33 PM, Henrik Dige Semark wrote:
>> I have just tried with "net join -U Admin" and I get the same error as
>> before.
>>
>> # net join -U Admin
>> Enter admin's password:
>> Could not connect to server PDC
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE >> >> Ldap search for Admin: >> >> # ldapsearch -x -h 127.0.0.1 -p 389 >> >> # Admin, Users, semark-testing.dk >> dn: uid=Admin,ou=Users,dc=semark-testing,dc=dk >> cn: Admin >> sn: Admin >> objectClass: top >> objectClass: person >> objectClass: organizationalPerson >> objectClass: inetOrgPerson >> objectClass: sambaSamAccount >> objectClass: posixAccount >> objectClass: shadowAccount >> gidNumber: 0 >> uid: Admin >> uidNumber: 0 >> homeDirectory: /home/Admin >> sambaLogonTime: 0 >> sambaLogoffTime: 2147483647 >> sambaKickoffTime: 2147483647 >> sambaPwdCanChange: 0 >> sambaHomePath: \\192.168.1.182\Admin >> sambaHomeDrive: H: >> sambaProfilePath: \\192.168.1.182\profiles\Admin >> sambaPrimaryGroupSID: S-1-5-21-860714184-2299130787-2886737959-512 >> sambaSID: S-1-5-21-860714184-2299130787-2886737959-500 >> loginShell: /bin/false >> gecos: Netbios Domain Administrator >> sambaLMPassword: my-pass >> sambaAcctFlags: [U] >> sambaNTPassword: my-pass >> sambaPwdLastSet: 1264374249 >> sambaPwdMustChange: 1268262249 >> shadowMax: 45 >> >> Log dump from net join command: >> >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: connection_get(22) >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: connection_get(22): got >> connid=22 >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: connection_read(22): >> checking for input on id=22 >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: conn=22 op=3 do_search >> Jan 27 21:31:11 hds-debian-virt slapd[1868]:>>> >> dnPrettyNormal: >> Jan 27 21:31:11 hds-debian-virt slapd[1868]:<<< >> dnPrettyNormal:, >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: SRCH >> "dc=semark-testing,dc=dk" 2 0 >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: 0 15 0 >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: filter: >> (&(uid=admin)(objectClass=sambaSamAccount)) >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: attrs: >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: uid >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: uidNumber 
>> Jan 27 21:31:11 hds-debian-virt slapd[1868]: gidNumber >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: homeDirectory >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaPwdLastSet >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaPwdCanChange >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaPwdMustChange >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaLogonTime >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaLogoffTime >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaKickoffTime >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: cn >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sn >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: displayName >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaHomeDrive >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaHomePath >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaLogonScript >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaProfilePath >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: description >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaUserWorkstations >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaSID >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaPrimaryGroupSID >> Jan 27 21:31:11 hds-debian-virt slapd[1868]: sambaLMPassword >> Jan 27 21:31:11 hds-debian-virt slapd[1868]:
Re: [Samba] Debian Lenny - Samba 3.2.5 + OpenLDAP (slapd) 2.4.11
: failed (-30990)
Jan 27 21:32:11 hds-debian-virt slapd[1868]: <= bdb_equality_candidates: id=0, first=0, last=0
Jan 27 21:32:11 hds-debian-virt slapd[1868]: bdb_search_candidates: id=0 first=17 last=0
Jan 27 21:32:11 hds-debian-virt slapd[1868]: hdb_search: no candidates
Jan 27 21:32:11 hds-debian-virt slapd[1868]: send_ldap_result: conn=5 op=1146 p=3
Jan 27 21:32:11 hds-debian-virt slapd[1868]: send_ldap_result: err=0 matched="" text=""
Jan 27 21:32:11 hds-debian-virt slapd[1868]: send_ldap_response: msgid=1147 tag=101 err=0

---
Med Venlig Hilsen / Best regards
Henrik Dige Semark

On 27-01-2010 21:06, Gaiseric Vandal wrote:
> Try using "net ... -U Administrator" instead, since "root" is not
> by default a member of the domain admin group. This presumes you have
> created the Administrator account in samba, created the "domain
> admins" group and setup the approp group mapping for key groups
> (domain admins, domain users etc.)
>
>
>
>
> On 01/27/10 14:23, Henrik Dige Semark wrote:
>> Does the PDC have to join the domain also?
>>
>> When I try to join my PDC to its domain with "net join" I get the
>> following error.
>>
>> Enter root's password:
>> Could not connect to server PDC
>> The username or password was not correct.
>> Connection failed: NT_STATUS_LOGON_FAILURE
>>
>>
>> The netbios name for my PDC is pdc.semarktest.dk I guess that's why it
>> tells me that it can't connect to server PDC
>> I have checked that pdc is in the name server (nameserver is on
>> 127.0.0.1)
>>
>> # host pdc
>> pdc.semarktest.dk has address 192.168.1.182
>>
>> Is there something I'm missing?
>> >> Log dump from net join command: >> >> # tail -200 /var/log/syslog | grep slapd >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_get(22): got >> connid=15 >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_read(22): >> checking for input on id=15 >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: conn=15 op=2 do_search >> Jan 27 20:21:53 hds-debian-virt slapd[1868]:>>> >> dnPrettyNormal: >> >> Jan 27 20:21:53 hds-debian-virt slapd[1868]:<<< >> dnPrettyNormal:, >> >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: SRCH >> "sambaDomainName=SEMARKTEST,sambaDomainName=semarktest,dc=semark-testing,dc=dk" >> 2 0 >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: 0 15 0 >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: filter: >> (&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=semarktest)) >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: attrs: >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: => hdb_search >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: >> bdb_dn2entry("sambaDomainName=semarktest,sambaDomainName=semarktest,dc=semark-testing,dc=dk") >> >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: => >> hdb_dn2id("sambaDomainName=semarktest,sambaDomainName=semarktest,dc=semark-testing,dc=dk") >> >> Jan 27 20:21:53 hds-debian-virt slapd[1868]:<= hdb_dn2id: get failed: >> DB_NOTFOUND: No matching key/data pair found (-30990) >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: send_ldap_result: >> conn=15 op=2 p=3 >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: send_ldap_result: err=10 >> matched="sambaDomainName=semarktest,dc=semark-testing,dc=dk" text="" >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: send_ldap_response: >> msgid=3 tag=101 err=32 >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_get(22) >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_get(22): got >> connid=15 >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_read(22): >> checking for input on id=15 >> Jan 27 
20:21:53 hds-debian-virt slapd[1868]: conn=15 op=3 do_search >> Jan 27 20:21:53 hds-debian-virt slapd[1868]:>>> >> dnPrettyNormal: >> Jan 27 20:21:53 hds-debian-virt slapd[1868]:<<< >> dnPrettyNormal:, >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: SRCH >> "dc=semark-testing,dc=dk" 2 0 >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: 0 15 0 >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: filter: >> (&(uid=root)(objectClass=sambaSamAccount)) >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: attrs: >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: uid >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: uidNumber >> Jan 27 20:21:53 hds-debian-virt slapd[1868]: gidNumber >> Jan 2
Re: [Samba] Debian Lenny - Samba 3.2.5 + OpenLDAP (slapd) 2.4.11
8]: sambaLogonHours
Jan 27 20:21:53 hds-debian-virt slapd[1868]: modifyTimestamp
Jan 27 20:21:53 hds-debian-virt slapd[1868]: uidNumber
Jan 27 20:21:53 hds-debian-virt slapd[1868]:
Jan 27 20:21:53 hds-debian-virt slapd[1868]: => hdb_search
Jan 27 20:21:53 hds-debian-virt slapd[1868]: bdb_dn2entry("dc=semark-testing,dc=dk")
Jan 27 20:21:53 hds-debian-virt slapd[1868]: search_candidates: base="dc=semark-testing,dc=dk" (0x0001) scope=2
Jan 27 20:21:53 hds-debian-virt slapd[1868]: => hdb_dn2idl("dc=semark-testing,dc=dk")
Jan 27 20:21:53 hds-debian-virt slapd[1868]: => bdb_equality_candidates (objectClass)
Jan 27 20:21:53 hds-debian-virt slapd[1868]: => key_read
Jan 27 20:21:53 hds-debian-virt slapd[1868]: bdb_idl_fetch_key: [b49d1940]
Jan 27 20:21:53 hds-debian-virt slapd[1868]: <= bdb_index_read: failed (-30990)
Jan 27 20:21:53 hds-debian-virt slapd[1868]: <= bdb_equality_candidates: id=0, first=0, last=0
Jan 27 20:21:53 hds-debian-virt slapd[1868]: => bdb_equality_candidates (uid)
Jan 27 20:21:53 hds-debian-virt slapd[1868]: => key_read
Jan 27 20:21:53 hds-debian-virt slapd[1868]: bdb_idl_fetch_key: [15f2129b]
Jan 27 20:21:53 hds-debian-virt slapd[1868]: <= bdb_index_read: failed (-30990)
Jan 27 20:21:53 hds-debian-virt slapd[1868]: <= bdb_equality_candidates: id=0, first=0, last=0
Jan 27 20:21:53 hds-debian-virt slapd[1868]: bdb_search_candidates: id=0 first=1 last=0
Jan 27 20:21:53 hds-debian-virt slapd[1868]: hdb_search: no candidates
Jan 27 20:21:53 hds-debian-virt slapd[1868]: send_ldap_result: conn=15 op=3 p=3
Jan 27 20:21:53 hds-debian-virt slapd[1868]: send_ldap_result: err=0 matched="" text=""
Jan 27 20:21:53 hds-debian-virt slapd[1868]: send_ldap_response: msgid=4 tag=101 err=0
Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_get(22)
Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_get(22): got connid=15
Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_read(22): checking for input on id=15
Jan 27 20:21:53 hds-debian-virt slapd[1868]: ber_get_next on fd 22 failed errno=0 (Success)
Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_closing: readying conn=15 sd=22 for close
Jan 27 20:21:53 hds-debian-virt slapd[1868]: connection_close: conn=15 sd=22

---
Med Venlig Hilsen / Best regards
Henrik Dige Semark

On 26-01-2010 22:42, Dale Schroeder wrote:
> Henrik,
>
> I saw that another user wanted you to make sure that the PDC was added
> to the domain, and he is correct.
> If it is still not working after adding the PDC to the domain,
> consider changing the add machine script to this:
>
> add machine script = /usr/sbin/smbldap-useradd -i -w '%u'
>
> I ran into this problem with Samba 3.4.3 on Debian Squeeze, and that
> is what fixed the issue.
>
> Dale
>
>
> On 01/25/2010 3:23 PM, Henrik Dige Semark wrote:
>> I have a serious problem.
>>
>> I have for some time now tried to get a SAMBA based Domain Controller
>> working.
>> I have tried with OpenLDAP and tdbsam as backend, but I get the same
>> error every time.
>>
>> I would prefer to use LDAP as my backend.
>> I have read tons of how-to SAMBA + LDAP, but none of them seems to work
>> for me, is there someone that maybe can see what I have done wrong in
>> my config?
>>
>> I have attached my samba conf and LDAP conf.
>>
>> Samba is connected to OpenLDAP, and LDAP is running fine.
>> But when I try to join my Windows XP Pro SP3 it takes about one min and
>> it tells me that Username and/or Password may be wrong, or not existing.
>>
>> There is no doubt that Samba and LDAP are talking together (samba has
>> updated the SID and RID's), cause when I try to join the domain LDAP
>> is activated, but the return value is somehow disappearing on the way
>> back to my client
>>
>> I have some wireshark dump that I can provide if it's necessary.
>> I can provide LOGS, DUMPS, and everything needed if it's necessary.
>>
>> System info:
>> Clean installed Debian Lenny (5.0.3)
>> Clean installed Samba 3.2.5 + Winbind 3.2.5
>> Clean installed OpenLDAP 2.4.11 (slapd)
>> Debian default smbldap-tools (smbldap-populate is working and has
>> populated LDAP without problems)
>> if there is something I have forgotten please just ask for it, I'm
>> close to being desperate!
>>
>> ---
>> Med Venlig Hilsen / Best regards
>> Henrik Dige Semark
[Samba] Debian Lenny - Samba 3.2.5 + OpenLDAP (slapd) 2.4.11
I have a serious problem.

I have for some time now tried to get a SAMBA based Domain Controller working.
I have tried with OpenLDAP and tdbsam as backend, but I get the same error every time.

I would prefer to use LDAP as my backend.
I have read tons of how-tos for SAMBA + LDAP, but none of them seem to work for me. Is there someone that maybe can see what I have done wrong in my config?

I have attached my samba conf and LDAP conf.

Samba is connected to OpenLDAP, and LDAP is running fine.
But when I try to join my Windows XP Pro SP3, it takes about one min and it tells me that the username and/or password may be wrong, or not existing.

There is no doubt that Samba and LDAP are talking together (Samba has updated the SID and RIDs), cause when I try to join the domain LDAP is activated, but the return value is somehow disappearing on the way back to my client.

I have some Wireshark dumps that I can provide if it's necessary.
I can provide LOGS, DUMPS, and everything needed if it's necessary.

System info:
Clean installed Debian Lenny (5.0.3)
Clean installed Samba 3.2.5 + Winbind 3.2.5
Clean installed OpenLDAP 2.4.11 (slapd)
Debian default smbldap-tools (smbldap-populate is working and has populated LDAP without problems)
If there is something I have forgotten please just ask for it, I'm close to being desperate!

---
Med Venlig Hilsen / Best regards
Henrik Dige Semark

# Defining domain name, hostname
[global]
dns proxy = no
netbios name = pdc
wins support = Yes
workgroup = semarktest
include = /etc/samba/dhcp.conf
server string = Debian Lenny (5.0.3) PDC
name resolve order = host lmhosts bcast wins

# Netwok-settings
hosts deny = ALL
hosts allow = 192.168.1.0/24 127.

# Specifying passwd backend database
#username map = /etc/samba/smbusers
#smb passwd file = /etc/samba/smbpasswd
#passdb backend = tdbsam:/etc/samba/userdatabase.tdb
passdb backend = ldapsam:ldap://127.0.0.1

# LDAPSMB-CONFIG - SMBLDAP-TOOLS
# LDAPSMB-CONFIG
# add user script = /usr/sbin/ldapsmb -a -u "%u"
# add machine script = /usr/sbin/ldapsmb -a -w "%u"
# add group script = /usr/sbin/ldapsmb -a -g "%g"
# add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g"
# delete user script = /usr/sbin/ldapsmb -d -u "%u"
# delete group script = /usr/sbin/ldapsmb -d -g "%g"
# delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g"
# set primary group script = /usr/sbin/ldapsmb -m -u "%u" -g "%g"

# SMBLDAP-TOOLS
add user script = /usr/sbin/smbldap-useradd -a -m "%u" -M "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user script = /usr/sbin/smbldap-userdel "%u"
delete group script = /usr/sbin/smbldap-groupdel "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

# TDBSAM
# add user script = /usr/sbin/useradd -m %u
# delete user script = /usr/sbin/userdel -r %u
# add group script = /usr/sbin/groupadd %g
# delete group script = /usr/sbin/groupdel %g
# add user to group script = /usr/sbin/usermod -G %g %u
# add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines %u

# Various other directives ( man smb.conf ) ###
logon drive = H:
logon home = \\%L\%U
#logon path = \\%L\profile\%U
logon script = scripts/logon.bat
os level = 65
time server = Yes
domain master = Yes
domain logons = Yes
preferred master = Yes
enable privileges = yes
show add printer wizard = yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

# Windbind ##
winbind separator = %
winbind cache time = 10
winbind enum users = Yes
winbind uid = 1000-21000
winbind gid = 1000-21000
winbind enum groups = Yes
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = Yes

# OpenLDAP stuff is defined here ###
ldap ssl = no
ldap delete dn = Yes
ldap passwd sync = Yes
ldap
Re: [Samba] Is Samba useful in an all-Linux environment?
Steve Litt wrote:

On Monday 17 August 2009 15:55:34 John Drescher wrote:

On Mon, Aug 17, 2009 at 3:52 PM, Eero Volotinen wrote:

Steve Litt wrote:

Hi all,

This isn't meant to be a troll. It's a legitimate question asked because I haven't done much with Samba for 9 years. Is there anything Samba can contribute to an all-Linux environment with no Windows or Mac computers?

Well, at least it is more secure than nfsv3?

That along with better performance and also better handling of disconnections are a couple of reasons to use samba/cifs over nfs3.

How about performance and security of Samba vs. NFS4 on an all Linux network?

Samba is definitely more secure than NFS, but performance-wise it is definitely my experience that NFS is much faster with small files, but about the same on big files.

Thanks
SteveT

Steve Litt
Recession Relief Package
http://www.recession-relief.US
Twitter: http://www.twitter.com/stevelitt

--
Med Venlig Hilsen / Best regards
Henrik Dige Semark
Re: [Samba] [Fwd: Re: Samba PDC + OpenLDAP (Debian Lenny)]
Henrik Dige Semark wrote:

Adam Tauno Williams wrote:

[2009/08/14 18:22:24, 0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
  pdb_get_group_sid: Failed to find Unix account for DomAdmin
[2009/08/14 18:22:24, 1] auth/auth_util.c:make_server_info_sam(562)
  User DomAdmin in passdb, but getpwnam() fails!

I don't know why it is looking for a "DomAdmin" account. Perhaps your directory is not fully initialized? Loaded with the required users, etc...

DomAdmin is a domain administrator account I have created instead of "admin" or "root".
I have run "smbldap-populate -u 1 -g 1 -a admin -g guest" and it populates LDAP with all the default users and groups Windows needs to be able to join.

-u uidNumber first uidNumber to allocate (default: 1000)
-g gidNumber first uidNumber to allocate (default: 1000)
-a user administrator login name (default: root)
-b user guest login name (default: nobody)

Error: modifications require authentication at /usr/share/perl5/smbldap_tools.pm line 1083.
[2009/08/14 18:22:48, 0] passdb/pdb_interface.c:pdb_default_create_user(336)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -t 0 -w -i "hds$"' gave 127

I don't use smbldap-tools but this looks like they don't have sufficient config to authenticate to the DSA.

Don't know what the problem is with smbldap-useradd, but when I run the command alone it creates a Windows machine user:

# smbldap-useradd -w -i testcomputer
New password : 1234
Retype new password : 1234
*failed to add entry: structural object class modification from 'account' to 'inetOrgPerson' not allowed at /usr/sbin/smbldap-useradd line 311, line 2.*

I have the schemas that provide account and inetOrgPerson.

# smbldap-useradd -?
(c) Jerome Tournier - (jtourn...@gmail.com)- Licensed under the GPL
Usage: /usr/sbin/smbldap-useradd [-awmugdsckABCDEFGHMNPST?] username
  -a    is a Windows User (otherwise, Posix stuff only)
  -b    is a AIX User
  -c    gecos
  -d    home
  -g    gid
  -i    is a trust account (Windows Workstation)
  -k    skeleton dir (with -m)
  -m    creates home directory and copies /etc/skel
  -n    do not create a group
  -o    add the user in the organizational unit (relative to the user suffix. Ex: 'ou=admin,ou=all')
  -u    uid
  -s    shell
  -t    time. Wait 'time' seconds before exiting (when adding Windows Workstation)
  -w    is a Windows Workstation (otherwise, Posix stuff only)
  -A    can change password ? 0 if no, 1 if yes
  -B    must change password ? 0 if no, 1 if yes
  -C    sambaHomePath (SMB home share, like '\\PDC-SRV\homes')
  -D    sambaHomeDrive (letter associated with home share, like 'H:')
  -E    sambaLogonScript (DOS script to execute on login)
  -F    sambaProfilePath (profile directory, like '\\PDC-SRV\profiles\foo')
  -G    supplementary comma-separated groups
  -H    sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')
  -M    local mailAddress (comma seperated)
  -N    given name
  -P    ends by invoking smbldap-passwd
  -S    surname (Family name)
  -T    mailToAddress (forward address) (comma seperated)
  -?    show this help message

Mike Eggleston wrote:

I'm not at work and am unable to compare your configuration with my production configuration. I have a similar environment, though, and found for windows boxes I needed to create the account in LDAP first (I use smbldap-adduser ...), then I must also add my samba server as a WINS server to the windows box, then I can join the windows box to my samba pdc domain.

Mike

I have now tried to set my server as WINS server - still the same problem.

More info:
There is something I don't understand: when I try to join the domain there is no traffic to LDAP at all, but when I do

# wbinfo -u
guest
domadmin
# wbinfo -g
domain admins
domain users
domain guests
domain computers
BUILTIN%users
# wbinfo --ping
Ping to winbindd succeeded

it looks up in LDAP just fine, so the link is apparently working fine.

--
Med Venlig Hilsen / Best regards
Henrik Dige Semark
Re: [Samba] [Fwd: Re: Samba PDC + OpenLDAP (Debian Lenny)]
Adam Tauno Williams wrote:

I'm trying to move my existing MS-AD over to SAMBA, the place I'm

So you have an AD domain? Samba 3.x does not provide an AD domain, it provides an NT domain, so your requirement of "everything keeps running in the same or almost the same way" cannot be met. Unless you want to try Samba 4.

We are not using the AD functionalities, so what I meant was that my Windows clients are able to join the domain and validate users.

When I try to join a Windows Vista Ultimate or Windows XP Pro to the domain it takes 30 sec and then it says "The machine account does not exist" but as I understand that is what "add machine script = /usr/sbin/smbldap-useradd -t 0 -w -i "%u"" has to do right ?

It is supposed to, yes.

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

Get rid of all the "socket options" stuff. Are you using an old HOWTO or some crap Wiki entry from somewhere? Setting this directive is an OLD habit and very obsolete. Use only the Samba HOWTO and By-Example as provided on Samba docs. Assume everything else on the Internet is obsolete and out-of-date, because it most likely is.

It was in the example file for the smbldap-tools domain config. I have removed it now, but still no difference.

[2009/08/14 18:22:24, 0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
  pdb_get_group_sid: Failed to find Unix account for DomAdmin
[2009/08/14 18:22:24, 1] auth/auth_util.c:make_server_info_sam(562)
  User DomAdmin in passdb, but getpwnam() fails!

I don't know why it is looking for a "DomAdmin" account. Perhaps your directory is not fully initialized? Loaded with the required users, etc...

DomAdmin is a domain administrator account I have created instead of "admin" or "root".
I have run "smbldap-populate -u 1 -g 1 -a admin -g guest" and it populates LDAP with all the default users and groups Windows needs to be able to join.

-u uidNumber first uidNumber to allocate (default: 1000)
-g gidNumber first uidNumber to allocate (default: 1000)
-a user administrator login name (default: root)
-b user guest login name (default: nobody)

Error: modifications require authentication at /usr/share/perl5/smbldap_tools.pm line 1083.
[2009/08/14 18:22:48, 0] passdb/pdb_interface.c:pdb_default_create_user(336)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -t 0 -w -i "hds$"' gave 127

I don't use smbldap-tools but this looks like they don't have sufficient config to authenticate to the DSA.

Don't know what the problem is with smbldap-useradd, but when I run the command alone it creates a Windows machine user:

# smbldap-useradd -w -i testcomputer
New password : 1234
Retype new password : 1234
failed to add entry: structural object class modification from 'account' to 'inetOrgPerson' not allowed at /usr/sbin/smbldap-useradd line 311, line 2.

I have the schemas that provide account and inetOrgPerson.

# smbldap-useradd -?
(c) Jerome Tournier - (jtourn...@gmail.com)- Licensed under the GPL
Usage: /usr/sbin/smbldap-useradd [-awmugdsckABCDEFGHMNPST?] username
  -a    is a Windows User (otherwise, Posix stuff only)
  -b    is a AIX User
  -c    gecos
  -d    home
  -g    gid
  -i    is a trust account (Windows Workstation)
  -k    skeleton dir (with -m)
  -m    creates home directory and copies /etc/skel
  -n    do not create a group
  -o    add the user in the organizational unit (relative to the user suffix. Ex: 'ou=admin,ou=all')
  -u    uid
  -s    shell
  -t    time. Wait 'time' seconds before exiting (when adding Windows Workstation)
  -w    is a Windows Workstation (otherwise, Posix stuff only)
  -A    can change password ? 0 if no, 1 if yes
  -B    must change password ? 0 if no, 1 if yes
  -C    sambaHomePath (SMB home share, like '\\PDC-SRV\homes')
  -D    sambaHomeDrive (letter associated with home share, like 'H:')
  -E    sambaLogonScript (DOS script to execute on login)
  -F    sambaProfilePath (profile directory, like '\\PDC-SRV\profiles\foo')
  -G    supplementary comma-separated groups
  -H    sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')
  -M    local mailAddress (comma seperated)
  -N    given name
  -P    ends by invoking smbldap-passwd
  -S    surname (Family name)
  -T    mailToAddress (forward address) (comma seperated)
  -?    show this help message

Mike Eggleston wrote:

I'm not at work and am unable to compare your configuration with my production configuration. I have a similar environment, though, and found for windows boxes I needed to create the account in LDAP first (I use smbldap-adduser ...), then I must also add my samba server as a WINS server to the windows box, then I can join the windows box to my samba pdc doma
[Samba] [Fwd: Re: Samba PDC + OpenLDAP (Debian Lenny)]
Sorry to Adam Tauno Williams for sending direct.

--
Med Venlig Hilsen / Best regards
Henrik Dige Semark
[Samba] Samba PDC + OpenLDAP (Debian Lenny)
Aug 14 18:33:01 hds-linux slapd[4180]: SRCH "sambaDomainName=MY-DOMAIN,sambaDomainName=MY-DOMAIN,dc=domain,dc=dk" 2 0
Aug 14 18:33:01 hds-linux slapd[4180]: 0 15 0
Aug 14 18:33:01 hds-linux slapd[4180]: filter: (&(?objectClass=sambaTrustedDomainPassword)(sambaDomainName=MY-DOMAIN))
Aug 14 18:33:01 hds-linux slapd[4180]: attrs:
Aug 14 18:33:01 hds-linux slapd[4180]:
Aug 14 18:33:01 hds-linux slapd[4180]: send_ldap_result: err=10 matched="sambaDomainName=MY-DOMAIN,dc=domain,dc=dk" text="value does not conform to assertion syntax"
Aug 14 18:33:01 hds-linux slapd[4180]: connection_get(14)
Aug 14 18:33:01 hds-linux slapd[4180]: SRCH "dc=domain,dc=dk" 2 0
Aug 14 18:33:01 hds-linux slapd[4180]: 0 15 0
Aug 14 18:33:01 hds-linux slapd[4180]: filter: (&(uid=domadmin)(objectClass=sambaSamAccount))
Aug 14 18:33:01 hds-linux slapd[4180]: attrs:
Aug 14 18:33:01 hds-linux slapd[4180]: uid
Aug 14 18:33:01 hds-linux slapd[4180]: uidNumber
Aug 14 18:33:01 hds-linux slapd[4180]: gidNumber
[ ... ]
Aug 14 18:33:02 hds-linux slapd[4180]: bdb_idl_fetch_key: [36d2b1e2]
Aug 14 18:33:02 hds-linux slapd[4180]: bdb_idl_fetch_key: [9767cf87]
Aug 14 18:33:02 hds-linux slapd[4180]: bdb_idl_fetch_key: [4194d841]
Aug 14 18:33:02 hds-linux slapd[4180]: send_ldap_result: err=0 matched="" text=""
Aug 14 18:33:12 hds-linux slapd[4180]: connection_get(14)
Aug 14 18:33:02 hds-linux slapd[4180]: send_ldap_result: err=0 matched="" text=""
Aug 14 18:33:12 hds-linux slapd[4180]: connection_get(14)
[ ... ]
Aug 14 18:33:25 hds-linux slapd[4180]: conn=44 op=2 modifications:
Aug 14 18:33:25 hds-linux slapd[4180]: ^Ireplace: uidNumber
Aug 14 18:33:25 hds-linux slapd[4180]: ^I^Ione value, length 5
Aug 14 18:33:25 hds-linux slapd[4180]: send_ldap_result: err=8 matched="" text="modifications require authentication"
Aug 14 18:33:25 hds-linux slapd[4180]: connection_get(29)
Aug 14 18:33:35 hds-linux slapd[4180]: connection_get(14)

# net groupmap list
--
Domain Admins (S-1-5-21-3045805106-2558287267-4023452987-512) -> 512
Domain Users (S-1-5-21-3045805106-2558287267-4023452987-513) -> 513
Domain Guests (S-1-5-21-3045805106-2558287267-4023452987-514) -> 514
Domain Computers (S-1-5-21-3045805106-2558287267-4023452987-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552
Users (S-1-5-32-545) -> 1

System info:
--
Debian Lenny 5.0.2
Kernel - 2.6.26-2-xen-686
Samba Version 3.2.5
Winbind Version 3.2.5
OpenLDAP Version 2.4.11

if there is more info you need plz just ask :)

--
Med Venlig Hilsen / Best regards
Henrik Dige Semark
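A triage pass over slapd debug output like the excerpt in the message above, added here as an example (not part of the original post, nor code from Samba or OpenLDAP): it pairs every non-zero `send_ldap_result` with the search or modify that preceded it and names the result code. The function names, the `Finding` record and the result-code subset are this example's own; the sample lines are trimmed from the excerpt.

```python
import re
from dataclasses import dataclass, field

# Subset of the LDAP result codes defined in RFC 4511; extend as needed.
RESULT_NAMES = {0: "success", 8: "strongerAuthRequired", 10: "referral",
                21: "invalidAttributeSyntax", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                65: "objectClassViolation", 69: "objectClassModsProhibited"}

# Sample input: lines trimmed from the slapd excerpt quoted in the message above.
SAMPLE_LOG = r'''
Aug 14 18:33:01 hds-linux slapd[4180]: SRCH "sambaDomainName=MY-DOMAIN,sambaDomainName=MY-DOMAIN,dc=domain,dc=dk" 2 0
Aug 14 18:33:01 hds-linux slapd[4180]:     0 15 0
Aug 14 18:33:01 hds-linux slapd[4180]: filter: (&(?objectClass=sambaTrustedDomainPassword)(sambaDomainName=MY-DOMAIN))
Aug 14 18:33:01 hds-linux slapd[4180]: send_ldap_result: err=10 matched="sambaDomainName=MY-DOMAIN,dc=domain,dc=dk" text="value does not conform to assertion syntax"
Aug 14 18:33:01 hds-linux slapd[4180]: SRCH "dc=domain,dc=dk" 2 0
Aug 14 18:33:01 hds-linux slapd[4180]: filter: (&(uid=domadmin)(objectClass=sambaSamAccount))
Aug 14 18:33:02 hds-linux slapd[4180]: send_ldap_result: err=0 matched="" text=""
Aug 14 18:33:25 hds-linux slapd[4180]: conn=44 op=2 modifications:
Aug 14 18:33:25 hds-linux slapd[4180]: ^Ireplace: uidNumber
Aug 14 18:33:25 hds-linux slapd[4180]: ^I^Ione value, length 5
Aug 14 18:33:25 hds-linux slapd[4180]: send_ldap_result: err=8 matched="" text="modifications require authentication"
'''

SYSLOG_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ '
                       r'slapd\[\d+\]:\s?(?P<msg>.*)$')
SRCH_RE = re.compile(r'^SRCH "([^"]*)"')
FILTER_RE = re.compile(r'^filter: (.*)$')
MODS_RE = re.compile(r'^conn=(\d+) op=(\d+) modifications:')
MODATTR_RE = re.compile(r'^(replace|add|delete): (\S+)$')
RESULT_RE = re.compile(r'send_ldap_result: err=(\d+) matched="([^"]*)" text="([^"]*)"')


@dataclass
class Finding:
    ts: str
    code: int
    name: str
    text: str
    kind: str                                   # "search", "modify" or "unknown"
    detail: dict = field(default_factory=dict)  # base/filter or conn/op/attrs
    notes: list = field(default_factory=list)


def doubled_leading_rdn(dn):
    """True when the first two RDNs of a DN are identical (naive comma split)."""
    rdns = [part.strip().lower() for part in dn.split(",")]
    return len(rdns) >= 2 and rdns[0] == rdns[1]


def annotate(f):
    """Attach hints that follow directly from what the log lines show."""
    if f.kind == "modify" and f.code == 8 and "require authentication" in f.text:
        f.notes.append("write arrived on an unauthenticated connection; "
                       "check the bind DN and password of the tool issuing it")
    if f.kind == "search" and doubled_leading_rdn(f.detail.get("base", "")):
        f.notes.append("search base repeats its leading RDN; "
                       "check how the suffix is composed in the client config")
    return f


def triage(log_text):
    """Return one Finding per non-zero send_ldap_result, with its operation context."""
    findings, ctx = [], {}
    for raw in log_text.splitlines():
        m = SYSLOG_RE.match(raw.strip())
        if not m:
            continue
        # syslog escapes tabs as "^I"; normalise before matching.
        msg = m.group("msg").replace("^I", "\t").strip()
        if (s := SRCH_RE.match(msg)):
            ctx = {"kind": "search", "base": s.group(1), "filter": ""}
        elif (fl := FILTER_RE.match(msg)) and ctx.get("kind") == "search":
            ctx["filter"] = fl.group(1)
        elif (mo := MODS_RE.match(msg)):
            ctx = {"kind": "modify", "conn": int(mo.group(1)),
                   "op": int(mo.group(2)), "attrs": []}
        elif (a := MODATTR_RE.match(msg)) and ctx.get("kind") == "modify":
            ctx["attrs"].append(a.group(2))
        elif (r := RESULT_RE.search(msg)):
            code = int(r.group(1))
            if code != 0:
                detail = {k: v for k, v in ctx.items() if k != "kind"}
                findings.append(annotate(Finding(
                    ts=m.group("ts"), code=code,
                    name=RESULT_NAMES.get(code, "unlisted"), text=r.group(3),
                    kind=ctx.get("kind", "unknown"), detail=detail)))
            ctx = {}  # a result closes the current operation
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} err={f.code} ({f.name}) {f.kind} {f.detail} text={f.text!r}")
        for note in f.notes:
            print(f"    note: {note}")
```

The context tracking is sequential, so on a busy server where operations from several connections interleave, filter the input to one connection first.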
RE: [Samba] RE: return codes ?
Never mind I forgot to start the winbindd in daemon mode :P sorry Med Venlig Hilsen / Best regards Henrik Dige Semark > From: hendig...@hotmail.com > To: samba@lists.samba.org > Date: Wed, 14 Jan 2009 20:00:30 + > Subject: [Samba] RE: return codes ? > > > > > > > Hey I have just installed Samba 3.2.7 on my Debian 4.0 with compile. > > But I'm trying to to join my Windows AD, and samba returns > > Using short domain name -- UNDERVISNING > Joined 'MAIL' to realm 'UNDERVISNING.LOCAL' > return code = 0 > > First I got > > return code = -1 I just assumed that this was bad, so I powered on, but now I > get return code = 0 but I still can't get any user info out of my AD > > is this a good thing ? ore what is return code = 0 means ? > > > My debug: > net ads join -U Administrator --debuglevel=10 --long > > [2009/01/14 20:28:02, 5] lib/debug.c:debug_dump_status(407) > INFO: Current debug levels: > all: True/10 > tdb: False/0 > printdrivers: False/0 > lanman: False/0 > smb: False/0 > rpc_parse: False/0 > rpc_srv: False/0 > rpc_cli: False/0 > passdb: False/0 > sam: False/0 > auth: False/0 > winbind: False/0 > vfs: False/0 > idmap: False/0 > quota: False/0 > acls: False/0 > locking: False/0 > msdfs: False/0 > dmapi: False/0 > registry: False/0 > [2009/01/14 20:28:02, 3] param/loadparm.c:lp_load_ex(8753) > lp_load_ex: refreshing parameters > [2009/01/14 20:28:02, 3] param/loadparm.c:init_globals(4597) > Initialising global parameters > [2009/01/14 20:28:02, 3] param/params.c:pm_process(569) > params.c:pm_process() - Processing configuration file > "/usr/local/samba/lib/smb.conf" > [2009/01/14 20:28:02, 3] param/loadparm.c:do_section(7416) > Processing section "[global]" > doing parameter server string = Debian 4.0 - Samba %v - BDC > doing parameter netbios name = mail > [2009/01/14 20:28:02, 4] param/loadparm.c:handle_netbios_name(6764) > handle_netbios_name: set global_myname to: MAIL > doing parameter workgroup = UNDERVISNING > doing parameter Inherit permissions = yes > 
doing parameter Inherit owner = yes > doing parameter security = ADS > doing parameter idmap uid = 500-1000 > doing parameter idmap gid = 500-1000 > doing parameter template shell = /bin/bash > doing parameter winbind use default domain = yes > doing parameter winbind separator = % > doing parameter winbind enum users = yes > doing parameter winbind enum groups = yes > doing parameter template homedir = /home/%D/%U > doing parameter client use spnego = yes > doing parameter password server = bgdc.birke-gym.dk > doing parameter encrypt passwords = Yes > doing parameter realm = UNDERVISNING.LOCAL > doing parameter wins server = bgdc.birke-gym.dk > doing parameter nt acl support = true > doing parameter os level = 255 > doing parameter preferred master = no > doing parameter domain master = no > doing parameter local master = no > doing parameter domain logons = no > doing parameter hide special files = Yes > doing parameter hide unreadable = Yes > doing parameter disable netbios = yes > doing parameter name resolve order = wins lmhosts hosts bcast > doing parameter log level = 10 > doing parameter log file = /var/log/samba/UNDERVISNING > [2009/01/14 20:28:02, 4] param/loadparm.c:lp_load_ex(8797) > pm_process() returned Yes > [2009/01/14 20:28:02, 7] param/loadparm.c:lp_servicenumber(9002) > lp_servicenumber: couldn't find homes > [2009/01/14 20:28:02, 10] param/loadparm.c:set_server_role(7975) > set_server_role: role = ROLE_DOMAIN_MEMBER > [2009/01/14 20:28:02, 5] lib/iconv.c:smb_register_charset(104) > Attempting to register new charset UCS-2LE > [2009/01/14 20:28:02, 5] lib/iconv.c:smb_register_charset(112) > Registered charset UCS-2LE > [2009/01/14 20:28:02, 5] lib/iconv.c:smb_register_charset(104) > Attempting to register new charset UTF-16LE > [2009/01/14 20:28:02, 5] lib/iconv.c:smb_register_charset(112) > Registered charset UTF-16LE > [2009/01/14 20:28:02, 5] lib/iconv.c:smb_register_charset(104) > Attempting to register new charset UCS-2BE > [2009/01/14 
20:28:02, 5] lib/iconv.c:smb_register_charset(112) > Registered charset UCS-2BE > [2009/01/14 20:28:02, 5] lib/iconv.c:smb_register_charset(104) > Attempting to register new charset UTF-16BE > [2009/01/14 20:28:02, 5] lib/iconv.c:smb_register_charset(112) > Registered charset UTF-16BE > [2009/01/14 20:28:02, 5] lib/iconv.c:smb_register_charset(104) >
[Samba] RE: return codes ?
ibnet_Join: libnet_JoinCtx: struct libnet_JoinCtx out: struct libnet_JoinCtx account_name : NULL netbios_domain_name : 'UNDERVISNING' dns_domain_name : 'UNDERVISNING.LOCAL' dn : 'CN=mail,CN=Computers,DC=UNDERVISNING,DC=LOCAL' domain_sid : * domain_sid : S-1-5-21-3246059169-2696874919-626726505 modified_config : 0x00 (0) error_string : NULL domain_is_ad : 0x01 (1) result : WERR_OK [2009/01/14 20:28:10, 10] intl/lang_tdb.c:lang_tdb_init(147) lang_tdb_init: loading /usr/local/samba/var/locks/lang_da_DK.UTF-8.tdb [2009/01/14 20:28:10, 10] libads/kerberos.c:kerberos_kinit_password_ext(217) kerberos_kinit_password: as ma...@undervisning.local using [MEMORY:net_ads] as ccache and config [(null)] [2009/01/14 20:28:10, 10] lib/util.c:name_to_fqdn(2953) name_to_fqdn: lookup for MAIL -> MAIL.birke-gym.dk. [2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface eth4 ip=fe80::218:f3ff:fe52:e93%eth4 bcast=fe80:::::%eth4 netmask=::::: [2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface eth1 ip=fe80::280:c8ff:feca:9081%eth1 bcast=fe80:::::%eth1 netmask=::::: [2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface eth2 ip=fe80::280:c8ff:feca:9082%eth2 bcast=fe80:::::%eth2 netmask=::::: [2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface eth3 ip=fe80::280:c8ff:feca:9083%eth3 bcast=fe80:::::%eth3 netmask=::::: [2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface tap0 ip=fe80::9c8d:42ff:fe8d:d632%tap0 bcast=fe80:::::%tap0 netmask=::::: [2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface eth1:INTRANET ip=194.182.87.2 bcast=194.182.87.127 netmask=255.255.255.128 [2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface eth1 ip=194.182.87.97 bcast=194.182.87.127 netmask=255.255.255.128 [2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface eth1:MAIL ip=194.182.87.98 bcast=194.182.87.127 netmask=255.255.255.128 
[2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface eth1:VIDEO ip=194.182.87.121 bcast=194.182.87.127 netmask=255.255.255.128 [2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface eth4:GADM ip=10.3.2.1 bcast=10.3.3.255 netmask=255.255.254.0 [2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface eth4 ip=10.3.2.250 bcast=10.3.3.255 netmask=255.255.254.0 [2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface eth3 ip=10.3.16.1 bcast=10.3.31.255 netmask=255.255.240.0 [2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface eth2 ip=10.3.255.1 bcast=10.3.255.255 netmask=255.255.255.0 [2009/01/14 20:28:10, 2] lib/interface.c:add_interface(337) added interface tap0 ip=10.8.0.1 bcast=10.8.0.255 netmask=255.255.255.0 [2009/01/14 20:28:10, 4] libads/dns.c:ads_dns_lookup_ns(620) ads_dns_lookup_ns: 1 records returned in the answer section. DNS update failed! [2009/01/14 20:28:10, 2] utils/net.c:main(1172) return code = 0 Med Venlig Hilsen / Best regards Henrik Dige Semark
RE: [Samba] Samba + Windows 2003 AD
19:12:36, 10] libads/dns.c:ads_dns_parse_rr_srv(213) ads_dns_parse_rr_srv: Parsed bgdc.undervisning.local [0, 100, 389] [2009/01/09 19:12:36, 10] libsmb/dsgetdcname.c:process_dc_dns(1160) LDAP ping to bgdc.undervisning.local [2009/01/09 19:12:41, 3] lib/util_sock.c:interpret_string_addr_internal(122) interpret_string_addr_internal: getaddrinfo failed for name bgdc.undervisning.local [Name or service not known] [2009/01/09 19:12:41, 3] lib/util_sock.c:interpret_addr(158) interpret_addr: Unknown host. bgdc.undervisning.local [2009/01/09 19:12:41, 1] libads/cldap.c:recv_cldap_netlogon(156) no reply received to cldap netlogon [2009/01/09 19:12:41, 1] libnet/libnet_join.c:libnet_Join(1801) libnet_Join: libnet_JoinCtx: struct libnet_JoinCtx out: struct libnet_JoinCtx account_name : NULL netbios_domain_name : NULL dns_domain_name : NULL dn : NULL domain_sid : NULL domain_sid : (NULL SID) modified_config : 0x00 (0) error_string : 'failed to find DC for domain UNDERVISNING.LOCAL' domain_is_ad : 0x00 (0) result : WERR_DOMAIN_CONTROLLER_NOT_FOUND [2009/01/09 19:12:41, 10] intl/lang_tdb.c:lang_tdb_init(138) lang_tdb_init: /usr/share/samba/da_DK:da:en_GB:en.msg: No such file or directory Failed to join domain: failed to find DC for domain UNDERVISNING.LOCAL [2009/01/09 19:12:41, 2] utils/net.c:main(1172) return code = -1 # nslookup undervisning.local Server:10.3.17.1 Address:10.3.17.1#53 Name:undervisning.local Address: 10.3.17.8 Name:undervisning.local Address: 10.3.17.1 # nslookup bgdc.undervisning.local Server: 10.3.17.1 Address:10.3.17.1#53 Name:bgdc.undervisning.local Address: 10.3.17.1 BTW. 
I have updated my SMB to version 3.2.7 with LDAP and ADS support Med Venlig Hilsen / Best regards Henrik Dige Semark From: hendig...@hotmail.com To: ag...@aeso.ca; samba@lists.samba.org Subject: RE: [Samba] Samba + Windows 2003 AD Date: Thu, 8 Jan 2009 22:42:44 + I don't know way my last mail did not got posted, but now I have add my domains to my resolv.conf mail:~# nslookup undervisning.local Server: 10.3.17.1 Address:10.3.17.1#53 Name: undervisning.local Address: 10.3.17.1 Name: undervisning.local Address: 10.3.17.8 nslookup bgdc.undervisning.local Server: 10.3.17.1 Address:10.3.17.1#53 Name: bgdc.undervisning.local Address: 10.3.17.1 But its still the same error when I try to join the debian with Win2k3 domain [2009/01/08 23:39:30, 0] utils/net_ads.c:ads_startup(289) ads_connect: Operations error [2009/01/08 23:39:30, 2] utils/net.c:main(988) return code = -1 I might think that its my anonymous user on the win-server that isen't configured right as Avron said in the first mail (https://bugzilla.samba.org/show_bug.cgi?id=4771) Med Venlig Hilsen / Best regards Henrik Dige Semark > Subject: RE: [Samba] Samba + Windows 2003 AD > Date: Thu, 8 Jan 2009 10:59:06 -0700 > From: ag...@aeso.ca > To: hendig...@hotmail.com; samba@lists.samba.org > > I have two domains. One is production and one is development. > - - - - - - > Development domain: > bash-2.05# cat /etc/resolv.conf > domain dev.ca > search dev.ca > nameserver yyy.yyy.yyy.xx > nameserver yyy.yyy.yyy.yy > > bash-2.05# ping -I 1 dev.ca > PING dev.ca: 56 data bytes > 64 bytes from ddc01.dev.ca (yyy.yyy.yyy.zz): icmp_seq=0. time=14. ms > 64 bytes from ddc01.dev.ca (yyy.yyy.yyy.zz): icmp_seq=1. time=21. ms > ^C > - - - - - - > Production domain: > bash-2.05# cat /etc/resolv.conf > doamin prod.ca > search prod.ca > nameserver xxx.xxx.xxx.xx > nameserver xxx.xxx.xxx.yy > > bash-2.05# ping -I 1 prod.ca > PING prod.ca: 56 data bytes > 64 bytes from pdc01 (xxx.xxx.xxx.zz): icmp_seq=0. time=0. 
ms > 64 bytes from pdc01 (xxx.xxx.xxx.zz): icmp_seq=1. time=0. ms > ^C > - - - - - - > I have one host that sees BOTH domains: > # cat /etc/resolv.conf > doamin dev.ca > search dev.ca prod.ca > > nameserver yyy.yyy.yyy.xx > nameserver yyy.yyy.yyy.yy > nameserver xxx.xxx.xxx.xx > > bash-2.05# ping -I 1 dev.ca > PING dev.ca: 56 data bytes > 64 bytes from ddc01.dev.ca (yyy.yyy.yyy.zz): icmp_seq=0. time=14. ms > 64 bytes from ddc01.dev.ca (yyy.yyy.yyy.zz): icmp_seq=1. time=21. ms > ^C > > bash-2.05# ping -I 1 prod.ca > PING prod.ca: 56 data bytes > 64 bytes from pdc01 (xxx.xxx.xxx.zz): icmp_seq=0. time=0. ms > 64 bytes from pdc01 (xxx.xxx.xxx.zz): icmp_seq=1. time=0. ms > ^C > - - - - - - > > Can you ping XXX.UNDERVISNING.LOCAL by IP address? Can you nslookup > XXX.UNDERVISNING.LOCAL? > > - Avron
RE: [Samba] Samba + Windows 2003 AD
When I run

mail:~# ping -I eth3 bgdc.birke-gym.dk
PING bgdc.birke-gym.dk (10.3.17.1) from 10.3.16.1 eth3: 56(84) bytes of data.
64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=1 ttl=128 time=0.142 ms
64 bytes from bgdc.birke-gym.dk (10.3.17.1): icmp_seq=2 ttl=128 time=0.230 ms

but if I just type:

mail:~# ping -I eth3 birke-gym.dk
ping: unknown host birke-gym.dk

and no, I can't ping anything with XXX.UNDERVISNING.LOCAL

How do I set this up in my resolv.conf?
If it's possible, can you then post your resolv.conf? Solaris and Debian are much alike :P

Med Venlig Hilsen / Best regards
Henrik Dige Semark

Subject: RE: [Samba] Samba + Windows 2003 AD
Date: Thu, 8 Jan 2009 10:36:51 -0700
From: ag...@aeso.ca
To: hendig...@hotmail.com; samba@lists.samba.org

Is the name of the existing Windows Domain "UNDERVISNING.LOCAL"?

On my host:

tstsmb08|/#ping -I 1 domain.ca
PING domain.ca: 56 data bytes
64 bytes from dc2.domain.ca (192.168.1.12): icmp_seq=0. time=1.12 ms
64 bytes from dc2.domain.ca (192.168.1.12): icmp_seq=1. time=0.622 ms
^C

Now, if you run:
ping -I 1 birke-gym.dk
the domain controller should respond

Can you ping any hosts on the undervisning.local domain? ie:
ping -I 1 hostname1.undervisning.local
ping -I 1 hostname2.undervisning.local

- Avron

From: Henrik Dige Semark [mailto:hendig...@hotmail.com]
Sent: Thursday, January 08, 2009 10:24 AM
To: Avron Gray; Samba list
Subject: RE: [Samba] Samba + Windows 2003 AD

I'm trying to join an already existing Windows Domain :)

Med Venlig Hilsen / Best regards
Henrik Dige Semark

> Subject: RE: [Samba] Samba + Windows 2003 AD
> Date: Thu, 8 Jan 2009 10:22:05 -0700
> From: ag...@aeso.ca
> To: hendig...@hotmail.com; samba@lists.samba.org
>
> Are you trying to join an existing Windows domain? Or create a new domain?
>
> - Avron
>
> -----Original Message-----
> From: samba-bounces+agray=aeso...@lists.samba.org [mailto:samba-bounces+agray=aeso...@lists.samba.org] On Behalf Of Henrik Dige Semark
> Sent: Thursday, January 08, 2009 10:16 AM
> To: Samba list
> Subject: RE: [Samba] Samba + Windows 2003 AD
>
> How can I ping UNDERVISNING.LOCAL when it's just the domain? The Windows server that runs the domain is bgdc.birke-gym.dk and I can ping that just fine
>
> My resolv.conf
> ---
> search birke-gym.dk
> nameserver 127.0.0.1
>
> My nsswitch.conf
> ---
> passwd: files winbind compat
> group: files winbind compat
> shadow: files winbind compat
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks: files
>
> protocols: files winbind db files
> services: files winbind db files
>
> ethers: db files
> rpc: db files
>
> netgroup: files winbind nis
> automount: files winbind
>
> Am I missing something?
>
> Med Venlig Hilsen / Best regards
> Henrik Dige Semark
>
> Subject: RE: [Samba] Samba + Windows 2003 AD
> Date: Thu, 8 Jan 2009 09:54:22 -0700
> From: ag...@aeso.ca
> To: hendig...@hotmail.com
>
> Can you :
> ping -I 1 UNDERVISNING.LOCAL
>
> No? Check resolv.conf or nsswitch.conf
>
> (I have a SUN Solaris background - not much Debian)
>
> For more help, please include samba@lists.samba.org in to: or cc:
>
> Good luck (held og lykke)!
> (Sorry, I don't speak Danish... )
>
> - Avron
>
> From: Henrik Dige Semark [mailto:hendig...@hotmail.com]
> Sent: Thursday, January 08, 2009 9:48 AM
> To: Avron Gray
> Subject: RE: [Samba] Samba + Windows 2003 AD
>
> Hey thanx for the quick answer :)
>
> When I try the net ads testjoin it's not very informative :P
>
> # net ads testjoin
> ma...@undervisning.local's password:
> [2009/01/08 17:39:52, 0] utils/net_ads.c:ads_startup(289)
>   ads_connect: Operations error
> Join to domain is not valid
>
> I have also tried wbinfo --all-domains but it can't see the domain I try to connect to, will this say that my smb.conf is wrong at some point?
>
> I have an older SMB which is running a Domain itself, and it can see the domain when I run this command
>
> Med Venlig Hilsen / Best regards
> Henrik Dige Semark
>
> > Subject: RE: [Samba] Samba + Windows 2003 AD
> > Date: Thu, 8 Jan 2009 09:25:47 -0700
> > From: ag...@aeso.ca
> > To: hendig...@hotmail.com; samba@lists.samba.org
> >
> > Have you run:
> > net ads testjoin
RE: [Samba] Samba + Windows 2003 AD
I'm trying to join an already existing Windows Domain :)

Med Venlig Hilsen / Best regards
Henrik Dige Semark

> Subject: RE: [Samba] Samba + Windows 2003 AD
> Date: Thu, 8 Jan 2009 10:22:05 -0700
> From: ag...@aeso.ca
> To: hendig...@hotmail.com; samba@lists.samba.org
>
> Are you trying to join an existing Windows domain? Or create a new domain?
>
> - Avron
>
> -----Original Message-----
> From: samba-bounces+agray=aeso...@lists.samba.org [mailto:samba-bounces+agray=aeso...@lists.samba.org] On Behalf Of Henrik Dige Semark
> Sent: Thursday, January 08, 2009 10:16 AM
> To: Samba list
> Subject: RE: [Samba] Samba + Windows 2003 AD
>
> How can I ping UNDERVISNING.LOCAL when it's just the domain? The Windows server that runs the domain is bgdc.birke-gym.dk and I can ping that just fine
>
> My resolv.conf
> ---
> search birke-gym.dk
> nameserver 127.0.0.1
>
> My nsswitch.conf
> ---
> passwd: files winbind compat
> group: files winbind compat
> shadow: files winbind compat
>
> hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks: files
>
> protocols: files winbind db files
> services: files winbind db files
>
> ethers: db files
> rpc: db files
>
> netgroup: files winbind nis
> automount: files winbind
>
> Am I missing something?
>
> Med Venlig Hilsen / Best regards
> Henrik Dige Semark
>
> Subject: RE: [Samba] Samba + Windows 2003 AD
> Date: Thu, 8 Jan 2009 09:54:22 -0700
> From: ag...@aeso.ca
> To: hendig...@hotmail.com
>
> Can you :
> ping -I 1 UNDERVISNING.LOCAL
>
> No? Check resolv.conf or nsswitch.conf
>
> (I have a SUN Solaris background - not much Debian)
>
> For more help, please include samba@lists.samba.org in to: or cc:
>
> Good luck (held og lykke)!
> (Sorry, I don't speak Danish... )
>
> - Avron
>
> From: Henrik Dige Semark [mailto:hendig...@hotmail.com]
> Sent: Thursday, January 08, 2009 9:48 AM
> To: Avron Gray
> Subject: RE: [Samba] Samba + Windows 2003 AD
>
> Hey thanx for the quick answer :)
>
> When I try the net ads testjoin it's not very informative :P
>
> # net ads testjoin
> ma...@undervisning.local's password:
> [2009/01/08 17:39:52, 0] utils/net_ads.c:ads_startup(289)
>   ads_connect: Operations error
> Join to domain is not valid
>
> I have also tried wbinfo --all-domains but it can't see the domain I try to connect to, will this say that my smb.conf is wrong at some point?
>
> I have an older SMB which is running a Domain itself, and it can see the domain when I run this command
>
> Med Venlig Hilsen / Best regards
> Henrik Dige Semark
>
> > Subject: RE: [Samba] Samba + Windows 2003 AD
> > Date: Thu, 8 Jan 2009 09:25:47 -0700
> > From: ag...@aeso.ca
> > To: hendig...@hotmail.com; samba@lists.samba.org
> >
> > Have you run:
> > net ads testjoin
> >
> > Does it say "Join is OK"?
> >
> > This might not be related...
> >
> > I had to compile samba 3.0.33 to get around a Windows Domain restriction issue:
> > https://bugzilla.samba.org/show_bug.cgi?id=4771
> > The bug indicates that if the \NETLOGON pipe is opened up on the Windows AD server, the join works fine. As soon as it is restricted via domain policies, it restricts anonymous access to the ports. As soon as this happens, we are unable to complete a net join ads successfully.
> >
> > - Avron
> >
> > -----Original Message-----
> > From: samba-bounces+agray=aeso...@lists.samba.org [mailto:samba-bounces+agray=aeso...@lists.samba.org] On Behalf Of Henrik Dige Semark
> > Sent: Thursday, January 08, 2009 9:13 AM
> > To: Samba list
> > Subject: [Samba] Samba + Windows 2003 AD
> >
> > Hey, I don't know if this is the right list to ask this question in, but I have tried on the IRC (irc.freenode.net #samba) and people on there advised me to try here instead.
> >
> > I have:
> > Debian 4.0r4
> > Samba version 3.0.24 - mail.birke-gym.dk - 10.3.16.1
> > krb5 Version 1.4.4
RE: [Samba] Samba + Windows 2003 AD
How can I ping UNDERVISNING.LOCAL when it's just the domain? The Windows server that runs the domain is bgdc.birke-gym.dk and I can ping that just fine

My resolv.conf
---
search birke-gym.dk
nameserver 127.0.0.1

My nsswitch.conf
---
passwd: files winbind compat
group: files winbind compat
shadow: files winbind compat

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files

protocols: files winbind db files
services: files winbind db files

ethers: db files
rpc: db files

netgroup: files winbind nis
automount: files winbind

Am I missing something?

Med Venlig Hilsen / Best regards
Henrik Dige Semark

Subject: RE: [Samba] Samba + Windows 2003 AD
Date: Thu, 8 Jan 2009 09:54:22 -0700
From: ag...@aeso.ca
To: hendig...@hotmail.com

Can you :
ping -I 1 UNDERVISNING.LOCAL

No? Check resolv.conf or nsswitch.conf

(I have a SUN Solaris background - not much Debian)

For more help, please include samba@lists.samba.org in to: or cc:

Good luck (held og lykke)!
(Sorry, I don't speak Danish... )

- Avron

From: Henrik Dige Semark [mailto:hendig...@hotmail.com]
Sent: Thursday, January 08, 2009 9:48 AM
To: Avron Gray
Subject: RE: [Samba] Samba + Windows 2003 AD

Hey thanx for the quick answer :)

When I try the net ads testjoin it's not very informative :P

# net ads testjoin
ma...@undervisning.local's password:
[2009/01/08 17:39:52, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Operations error
Join to domain is not valid

I have also tried wbinfo --all-domains but it can't see the domain I try to connect to, will this say that my smb.conf is wrong at some point?

I have an older SMB which is running a Domain itself, and it can see the domain when I run this command

Med Venlig Hilsen / Best regards
Henrik Dige Semark

> Subject: RE: [Samba] Samba + Windows 2003 AD
> Date: Thu, 8 Jan 2009 09:25:47 -0700
> From: ag...@aeso.ca
> To: hendig...@hotmail.com; samba@lists.samba.org
>
> Have you run:
> net ads testjoin
>
> Does it say "Join is OK"?
>
> This might not be related...
>
> I had to compile samba 3.0.33 to get around a Windows Domain restriction issue:
> https://bugzilla.samba.org/show_bug.cgi?id=4771
> The bug indicates that if the \NETLOGON pipe is opened up on the Windows AD server, the join works fine. As soon as it is restricted via domain policies, it restricts anonymous access to the ports. As soon as this happens, we are unable to complete a net join ads successfully.
>
> - Avron
>
> -----Original Message-----
> From: samba-bounces+agray=aeso...@lists.samba.org [mailto:samba-bounces+agray=aeso...@lists.samba.org] On Behalf Of Henrik Dige Semark
> Sent: Thursday, January 08, 2009 9:13 AM
> To: Samba list
> Subject: [Samba] Samba + Windows 2003 AD
>
> Hey, I don't know if this is the right list to ask this question in, but I have tried on the IRC (irc.freenode.net #samba) and people on there advised me to try here instead.
>
> I have:
> Debian 4.0r4
> Samba version 3.0.24 - mail.birke-gym.dk - 10.3.16.1
> krb5 Version 1.4.4-7etch6
> Kernel Version 2.6.18-6-amd64
>
> A Windows Server 2003 SP2 with AD/DC - bgdc.birke-gym.dk - 10.3.17.1
>
> --
>
> When I try to connect my samba to the DC I get this output:
>
> # net ads join -U Administrator --debuglevel=10
RE: [Samba] Samba + Windows 2003 AD
Sorry to Avron for sending my answer direct and not over the group :)

Hey thanx for the quick answer :)

When I try the net ads testjoin it's not very informative :P

# net ads testjoin
ma...@undervisning.local's password:
[2009/01/08 17:39:52, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Operations error
Join to domain is not valid

I have also tried wbinfo --all-domains but it can't see the domain I try to connect to, will this say that my smb.conf is wrong at some point?

I have an older SMB which is running a Domain itself, and it can see the domain when I run this command

Med Venlig Hilsen / Best regards
Henrik Dige Semark

> Subject: RE: [Samba] Samba + Windows 2003 AD
> Date: Thu, 8 Jan 2009 09:25:47 -0700
> From: ag...@aeso.ca
> To: hendig...@hotmail.com; samba@lists.samba.org
>
> Have you run:
> net ads testjoin
>
> Does it say "Join is OK"?
>
> This might not be related...
>
> I had to compile samba 3.0.33 to get around a Windows Domain restriction issue:
> https://bugzilla.samba.org/show_bug.cgi?id=4771
> The bug indicates that if the \NETLOGON pipe is opened up on the Windows AD server, the join works fine. As soon as it is restricted via domain policies, it restricts anonymous access to the ports. As soon as this happens, we are unable to complete a net join ads successfully.
>
> - Avron
>
> -----Original Message-----
> From: samba-bounces+agray=aeso...@lists.samba.org [mailto:samba-bounces+agray=aeso...@lists.samba.org] On Behalf Of Henrik Dige Semark
> Sent: Thursday, January 08, 2009 9:13 AM
> To: Samba list
> Subject: [Samba] Samba + Windows 2003 AD
>
> Hey, I don't know if this is the right list to ask this question in, but I have tried on the IRC (irc.freenode.net #samba) and people on there advised me to try here instead.
>
> I have:
> Debian 4.0r4
> Samba version 3.0.24 - mail.birke-gym.dk - 10.3.16.1
> krb5 Version 1.4.4-7etch6
> Kernel Version 2.6.18-6-amd64
>
> A Windows Server 2003 SP2 with AD/DC - bgdc.birke-gym.dk - 10.3.17.1
>
> --
>
> When I try to connect my samba to the DC I get this output:
>
> # net ads join -U Administrator --debuglevel=10
[Samba] Samba + Windows 2003 AD
ackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege SeEnableDelegationPrivilege

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
==
Windows Server Event - [23:01:34]
User Logoff:
User Name: BGDC$
Domain: UNDERVISNING
Logon ID: (0x0,0x1C82893)
Logon Type: 3

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
--
My klist:
===
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@undervisning.local

Valid starting     Expires            Service principal
01/04/09 16:36:47  01/04/09 23:16:47  krbtgt/undervisning.lo...@undervisning.local

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
--
smb.conf
===
cat /etc/samba/smb.conf | grep -v "#"
[global]
    dos charset = ASCII
    display charset = ASCII
    workgroup = UNDERVISNING
    realm = UNDERVISNING.LOCAL
    server string = Debian 4.0 - Samba %v - BDC
    security = ADS
    password server = bgdc.birke-gym.dk
    log level = 10
    log file = /var/log/samba/UNDERVISNING
    disable netbios = Yes
    name resolve order = wins lmhosts hosts bcast
    os level = 1000
    preferred master = No
    local master = No
    domain master = No
    wins server = bgdc.birke-gym.dk
    idmap uid = 500-1000
    idmap gid = 500-1000
    template shell = /bin/bash
    winbind separator = %
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    inherit permissions = Yes
    inherit owner = Yes
    hide special files = Yes
    hide unreadable = Yes

[homes]
    comment = Home Directories
    valid users = %U
    read only = No
    browseable = No
--
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
^C
--
krb5.conf
==
[logging]
    default = FILE:/var/log/krb5libs.log
    #kdc = FILE:/var/log/krb5kdc.log
    #admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    ticket_lifetime = 24000
    default_realm = UNDERVISNING.LOCAL
    default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
    # Birke-gym.dk =
    UNDERVISNING.LOCAL = {
        kdc = bgdc.birke-gym.dk
        admin_server = bgdc.birke-gym.dk
        default_domain = UNDERVISNING.LOCAL
    }

[domain_realm]
    .undervisning.local = UNDERVISNING.LOCAL
    undervisning.local = UNDERVISNING.LOCAL

[login]
    krb4_convert = true
    krb4_get_tickets = false
--
# cat /etc/hosts
127.0.0.1 localhost mail
127.0.1.1 mail.birke-gym.dk mail
10.3.17.1 bgdc.birke-gym.dk bgdc
--
Any suggestion?
And how much do I have to set up on the Windows Server? I have created a krb. trust on it and I use the pass I gave there, but is there more I have to set?

Sorry for my bad English, and if there is anything plz feel free to write, all help is received with love

Med Venlig Hilsen / Best regards
Henrik Dige Semark

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
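The smb.conf, krb5.conf, resolv.conf and /etc/hosts values posted in this thread can be reviewed statically before the join is retried. The Python script below is an added example, not part of the original messages and not Samba code; the check names, the heuristics and the first_local_id default of 1000 (assumed to be Debian's adduser default for the first local user) are assumptions, and it does not query DNS or the KDC.

```python
import re

# Constructed input: settings quoted from the smb.conf, krb5.conf,
# resolv.conf and /etc/hosts posted in this thread.
SMB_CONF = """[global]
netbios name = mail
realm = UNDERVISNING.LOCAL
idmap uid = 500-1000
idmap gid = 500-1000
"""
KRB5_CONF = """[libdefaults]
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
"""
RESOLV_CONF = "search birke-gym.dk\nnameserver 127.0.0.1\n"
HOSTS = """127.0.0.1 localhost mail
127.0.1.1 mail.birke-gym.dk mail
10.3.17.1 bgdc.birke-gym.dk bgdc
"""

def parse_kv(text):
    """Map 'key = value' lines to a dict; skip sections and comment lines."""
    out = {}
    for line in map(str.strip, text.splitlines()):
        if line and line[0] not in "#;[" and "=" in line:
            key, value = line.split("=", 1)
            out[" ".join(key.lower().split())] = value.strip()
    return out

def parse_hosts(text):
    """Return [(ip, [names])] from /etc/hosts syntax."""
    rows = [line.split("#", 1)[0].lower().split() for line in text.splitlines()]
    return [(r[0], r[1:]) for r in rows if len(r) >= 2]

def audit(smb_text, krb5_text, resolv_text, hosts_text, first_local_id=1000):
    """Return a sorted list of (check_id, detail) findings."""
    smb, krb5 = parse_kv(smb_text), parse_kv(krb5_text)
    hosts, findings = parse_hosts(hosts_text), set()
    # 1. Single-DES enctypes (deprecated by RFC 6649) offered to the KDC.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = [e for e in krb5.get(key, "").split() if e.startswith("des-")]
        if weak:
            findings.add(("weak-enctype", f"{key}: {' '.join(weak)}"))
    # 2. idmap range starting at or below first_local_id (assumption, see
    #    lead-in): it covers ids the OS itself hands out to local accounts.
    for key in ("idmap uid", "idmap gid"):
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", smb.get(key, ""))
        if m and int(m.group(1)) <= first_local_id:
            findings.add(("idmap-low-range", f"{key} = {m.group(0)}"))
    # 3. The member's own name bound to a loopback address.
    me = smb.get("netbios name", "").lower()
    for ip, names in hosts:
        if ip.startswith("127.") and any(n.split(".")[0] == me for n in names):
            findings.add(("host-on-loopback", f"{ip} {' '.join(names)}"))
    # 4. Realm's DNS zone absent from both the search list and the hosts file.
    zone = smb.get("realm", "").lower()
    search = [w.lower() for line in resolv_text.splitlines()
              if line.split()[:1] in (["search"], ["domain"])
              for w in line.split()[1:]]
    in_hosts = any(n.endswith("." + zone) for _, names in hosts for n in names)
    if zone and zone not in search and not in_hosts:
        findings.add(("realm-zone-unlisted", zone))
    return sorted(findings)
```

Calling audit(SMB_CONF, KRB5_CONF, RESOLV_CONF, HOSTS) returns one tuple per finding; an empty list means none of the four checks fired, not that the join will succeed.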
[Samba] HELP: Samba + Windows Server 2003 SP2 AD/DC
0.0.1 localhost mail
127.0.1.1 mail.birke-gym.dk mail
10.3.17.1 bgdc.birke-gym.dk bgdc
--
Any suggestion?
And how much do I have to set up on the Windows Server? I have created a krb. trust on it and I use the pass I gave there, but is there more I have to set?

Sorry for my bad English, and if there is anything plz feel free to write, all help is received with love

Med Venlig Hilsen / Best regards
Henrik Dige Semark