[Samba] GPFS Samba CTDB cluster how to

2013-10-14 Thread Ian CLANCY
Hi List,
I've created an extensive how-to for setting up clustered Samba on GPFS using
CTDB.
Can anyone suggest an appropriate forum to share this information?
Perhaps the Samba Wiki?
Ian Clancy
IS Department
Valeo Vision Systems (VVS)

This e-mail message is intended only for the use of the intended recipient(s).
The information contained therein may be confidential or privileged,
and its disclosure or reproduction is strictly prohibited.
If you are not the intended recipient, please return it immediately to its 
sender 
at the above address and destroy it. 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Share not accessible from Windows 7 after upgrade from 4.0.9 to 4.0.10

2013-10-09 Thread Ian CLANCY
Hi Samba Users,
I upgraded my version of Samba from 4.0.9 to 4.0.10 on my test system this
morning using the Sernet RPMs for CentOS 6. I got the following error
when trying to access shares on the server from Win 7.
\\servername\gpfstest is not accessible. You might not have permission to
use this network resource. Contact the administrator of this server to find
out if you have access permissions. The process cannot access the file
because it is being used by another process.
I can still access the share from Win XP so I'm guessing this is an SMB2
issue. In the server logs I see the following error:


[2013/10/09 10:30:30.593372,  1]
../source3/locking/share_mode_lock.c:137(parse_share_modes)
  ndr_pull_share_mode_lock failed: Bad Array Size
[2013/10/09 10:30:30.593402,  0]
../source3/smbd/open.c:2238(open_file_ntcreate)
  Could not get share mode lock
[2013/10/09 10:30:30.594086,  3]
../source3/smbd/vfs.c:1140(check_reduced_name)
  check_reduced_name [.] [/gpfstest]
[2013/10/09 10:30:30.594130,  3]
../source3/smbd/vfs.c:1270(check_reduced_name)
  check_reduced_name: . reduced to /gpfstest
[2013/10/09 10:30:30.594372,  3] ../source3/smbd/dosmode.c:160(unix_mode)
  unix_mode(.) returning 0770
[2013/10/09 10:30:30.594446,  1] ../librpc/ndr/ndr.c:412(ndr_pull_error)
  ndr_pull_error(1): non-zero array offset 10

My Samba install is running atop a GPFS cluster and I'm using ACLs, so
maybe these are contributing factors.
I took a peek at the code but can't see anything obvious. Maybe it is
related to the bug fix for #10106?

For now I have downgraded to 4.0.9 and all is well :)
Rgds


Ian Clancy
IS Department
Valeo Vision Systems (VVS)
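
Added example, not part of the original message and not Samba code: a small parser for the log excerpt above that re-joins headers the mail client wrapped and lists the entries logged at level 0 or 1. It accepts both header layouts that appear on this page, file:line(function) and the older file:function(line). The last sample entry pairs a header and a message from the 2005 log quoted further down; that pairing is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the excerpt from the message above, wrapped as the mail client
# left it, plus one entry in the older Samba 3 layout (pairing of header and
# message assumed, see lead-in).
SAMPLE_LOG = """\
[2013/10/09 10:30:30.593372,  1]
../source3/locking/share_mode_lock.c:137(parse_share_modes)
  ndr_pull_share_mode_lock failed: Bad Array Size
[2013/10/09 10:30:30.593402,  0]
../source3/smbd/open.c:2238(open_file_ntcreate)
  Could not get share mode lock
[2013/10/09 10:30:30.594086,  3]
../source3/smbd/vfs.c:1140(check_reduced_name)
  check_reduced_name [.] [/gpfstest]
[2013/10/09 10:30:30.594130,  3]
../source3/smbd/vfs.c:1270(check_reduced_name)
  check_reduced_name: . reduced to /gpfstest
[2013/10/09 10:30:30.594372,  3] ../source3/smbd/dosmode.c:160(unix_mode)
  unix_mode(.) returning 0770
[2013/10/09 10:30:30.594446,  1] ../librpc/ndr/ndr.c:412(ndr_pull_error)
  ndr_pull_error(1): non-zero array offset 10
[2005/08/12 18:18:48, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
  get_md4pw: Workstation CEL$: no account in domain
"""

HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(\d+)\]\s*(.*)$")
LOC_V4 = re.compile(r"^(\S+):(\d+)\(([A-Za-z_]\w*)\)$")  # file:line(function)
LOC_V3 = re.compile(r"^(\S+):([A-Za-z_]\w*)\((\d+)\)$")  # file:function(line)


@dataclass
class Entry:
    timestamp: str
    level: int
    file: Optional[str] = None
    line: Optional[int] = None
    func: Optional[str] = None
    message: str = ""


def _set_location(entry, text):
    """Fill file/line/func from a location string; return True if it parsed."""
    m = LOC_V4.match(text)
    if m:
        entry.file, entry.line, entry.func = m.group(1), int(m.group(2)), m.group(3)
        return True
    m = LOC_V3.match(text)
    if m:
        entry.file, entry.func, entry.line = m.group(1), m.group(2), int(m.group(3))
        return True
    return False


def parse_samba_log(text):
    """Return one Entry per log header, with wrapped headers re-joined."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = Entry(timestamp=m.group(1), level=int(m.group(2)))
            entries.append(current)
            if m.group(3):
                _set_location(current, m.group(3))
            continue
        if current is None:
            continue  # text before the first header is ignored
        # A wrapped header leaves the source location on a line of its own.
        if current.file is None and not current.message and _set_location(current, line):
            continue
        current.message = (current.message + " " + line).strip()
    return entries


def failures(entries, max_level=1):
    """Entries at or below max_level; the failing calls above are at 0 and 1."""
    return [e for e in entries if e.level <= max_level]


if __name__ == "__main__":
    for e in failures(parse_samba_log(SAMPLE_LOG)):
        print(f"{e.timestamp} L{e.level} {e.file}:{e.line} {e.func}: {e.message}")
```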



[Samba] Excel 'Document not saved' Error when using SMB2 Protocol

2013-10-08 Thread Ian CLANCY
Hi Samba Users,
I'm in the process of building a Samba4 CTDB/GPFS cluster joined as a
member server to AD that also supports ACLs.
It has taken some time but almost everything is working now :). My one
outstanding issue is that editing files using Excel 2007 on Windows 7 results in
a 'Document not saved' error. I believe this is an issue with the SMB2
protocol as I can edit the same files with the same user and version of
Excel on a Windows XP workstation. Using Wireshark I can see that
communication with the Windows 7 client is using SMB2. Excel is quite a
strange beast, it creates temporary files etc.
As a test I have set the parameter client max protocol = NT1 in the
smb.conf of my cluster members but the Win 7 clients continue to use the
SMB2 protocol.

Looking more closely at the communication between the Win 7 client and the
Samba servers when I attempt a file save in Excel, I see that the client
issues a FILE_INFO/SMB2_FILE_RENAME_INFO request and the Samba server
returns a STATUS_ACCESS_DENIED response.

I suspect disabling ACLs would resolve the issue but unfortunately these
are necessary for the project. Ideally I would be able to use SMB2 but it
is not a show stopper if I could force Win 7 clients to use SMB1.

I'm currently using Samba 4.0.9 / CTDB 2.4 on CentOS 6.4 with GPFS 3.4.0-14.
My smb.conf is pasted below.
Thanks in advance for any comment or feedback.
Ian Clancy
IS Department
Valeo Vision Systems (VVS)


[global]
workgroup = MYNET
realm = MYNET.BALEO.COM
netbios name = TESTCLUSTER
security = ADS
map to guest = Bad User
client max protocol = NT1
unix extensions = No
clustering = Yes
winbind cache time = 900
winbind use default domain = Yes
idmap config *:range = 1000-9
idmap config * : backend = tdb2
force unknown acl user = Yes
ea support = Yes
map archive = No
map readonly = no
mangled names = No
store dos attributes = Yes

[gpfstest]
comment = GPFS File System
path = /gpfstest
read only = No
create mask = 0770
force create mode = 0770
nt acl support = No
vfs objects = shadow_copy2, gpfs, fileid
fileid:algorithm = fsname
shadow:fixinodes = yes
shadow:basedir = /gpfstest
shadow:snapdir = /gpfstest/.snapshots
nfs4:acedup = merge
nfs4:chown = yes
nfs4:mode = special
gpfs:winattr = yes
gpfs:sharemodes = yes



Re: [Samba] Excel 'Document not saved' Error when using SMB2 Protocol

2013-10-08 Thread Ian CLANCY
Dan,
Thanks very much! Your suggestion worked a treat.
For everyone else's benefit: you need to set the
cifsBypassShareLocksOnRename flag on your GPFS cluster.
You can do this by running the following command against the GPFS cluster.
mmchconfig cifsBypassShareLocksOnRename=yes -i
Rgds
Ian Clancy
IS Department
Valeo Vision Systems (VVS)

On 8 October 2013 16:36, Dan Cohen1 dan...@il.ibm.com wrote:

 Hi Ian,

 You should verify that the following GPFS configuration flag is set to
 'yes':
 cifsBypassShareLocksOnRename

 This flag is not very well documented, but you can get some more details
 here:
 http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004008

 Cheers,
 Dan Cohen
 IBM - XIV, Israel
 NAS Development Team





Re: [Samba] 3.0.25b problem joining 3.0.23d domain..

2007-08-10 Thread Ian Clancy

Marcin,
Did you have any luck resolving this issue? I am having the same problem.
I ran ethereal on my domain controller and the join appeared to fail at 
RPC_NETLOGON NetrServerAuthenticate2 where the domain controller 
returned a STATUS_ACCESS_DENIED response.

Regards

--
Ian Clancy
IT Co-ordinator




Marcin Giedz wrote:

Hi,

My PDC is running on 3.0.23d. I have 50+ users (Win XP,
Linux) connected to it. Today I downloaded 3.0.25b and wanted to
add a new server to the domain. For a while I was wondering if 3.0.25b can
join an older 3.0.23d but gave it a go. This is the message I got during
joining:


/opt/samba-3.0.25b/bin/net rpc join -U user1%pass1

Starting service: samba
[2007/07/20 13:02:35, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(304)
error setting trust account password: NT code 0x1c010002
Unable to join domain PDC.

My smb.conf for this new test server is as follows:

[global]
netbios name = test
workgroup = PDC
server string = TEST Samba Server
security = domain
hosts allow = 192.168.89. 127. 10.9.
load printers = no
log file = /opt/samba-3.0.25b/var/log.%m
max log size = 1
log level = 5
interfaces = 192.168.89.0/24
wins server = 192.168.89.3

Has something changed in the joining process since 3.0.23d?
Should I keep 3.0.23d on all servers including the new one or should I
upgrade my PDC to 3.0.25b? If so, should I expect any
problems with changing the PDC? As a backend for the PDC I use LDAPv3 - 2.3.35.


Best regards,
Marcin




Re: [Samba] Samba ACLs?

2006-08-21 Thread Ian Clancy

Hi,
This is actually quite a complex topic. Basically ...

   * Linux (and other *nix) generally supports POSIX ACLs. These are
     similar to but not exactly the same as Windows ACLs. I use the
     ext3 filesystem on Linux and this supports ACLs.
   * Get familiar with POSIX ACLs. Play around with getfacl and
     setfacl on your Unix box. Here is a good article on ACLs on Linux:
     http://www.vanemery.com/Linux/ACL/linux-acl.html
   * Samba attempts to map POSIX ACLs to Windows ACLs. This would
     explain the difference in permissions you are seeing when creating
     a file locally or remotely via Windows. You'll find the specific
     documentation on the Samba website. There are a number of
     parameters in the smb.conf which control this specific behaviour.

Hope that helps.

--
Ian Clancy
IT Co-ordinator
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com




Chuck Kollars wrote:

How exactly do Samba 3.x and ACLs interrelate? With
the mount parameter I've turned on ACLs on the whole
filesystem that Samba has various pointers into
(including all the home directories and the netlogon).


I started out naively assuming that the *nix
uidNumber/gidNumber Samba mapped the end user to would
behave exactly the same whether they were a Samba user
or were logged on locally. But my experience is a file
created through Samba and a file created locally by
`touch` do _not_ necessarily have the exact same
permissions/ACLs. Most likely there's some pattern to
what permissions/ACLs are actually created by Samba;
but I haven't succeeded in figuring it out. 


What's the recipe for figuring out exactly what
permissions/ACLs a file created through Samba will
actually be given?

thanks!
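
Added example, not part of the thread and not Samba's own code: a simplified model of the mode-bit rule the smb.conf manual page gives for create mask and force create mode, compared with a local touch, using the [data] and [gpfstest] share settings posted elsewhere on this page. The parameter defaults and the umask of 022 are assumptions; POSIX ACL mapping, default ACLs on the parent directory and inherit permissions are not modelled.

```python
from dataclasses import dataclass

# DOS attribute bits an SMB client sends with a create request.
ATTR_READONLY = 0x01
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_DIRECTORY = 0x10
ATTR_ARCHIVE = 0x20


@dataclass
class ShareParams:
    """smb.conf parameters that shape the mode. Defaults are assumptions
    taken from Samba 3.0-era documentation."""
    create_mask: int = 0o744
    force_create_mode: int = 0o000
    directory_mask: int = 0o755
    force_directory_mode: int = 0o000
    map_archive: bool = True
    map_system: bool = False
    map_hidden: bool = False
    store_dos_attributes: bool = False


def samba_mode(dos_attrs: int, p: ShareParams) -> int:
    """UNIX mode for a file or directory created over SMB (simplified)."""
    mode = 0o666                                   # start from rw for everyone
    if (dos_attrs & ATTR_READONLY) and not p.store_dos_attributes:
        mode &= ~0o222                             # read-only clears write bits
    if dos_attrs & ATTR_DIRECTORY:
        mode |= 0o200 | 0o111                      # owner write, search bits
        mode &= p.directory_mask                   # the mask can only remove bits
        mode |= p.force_directory_mode             # force can only add bits
    else:
        if p.map_archive and (dos_attrs & ATTR_ARCHIVE):
            mode |= 0o100                          # archive -> owner execute
        if p.map_system and (dos_attrs & ATTR_SYSTEM):
            mode |= 0o010                          # system -> group execute
        if p.map_hidden and (dos_attrs & ATTR_HIDDEN):
            mode |= 0o001                          # hidden -> other execute
        mode &= p.create_mask
        mode |= p.force_create_mode
    return mode


def local_mode(umask: int, is_dir: bool = False) -> int:
    """Mode given by touch/mkdir on the server itself for a given umask."""
    return (0o777 if is_dir else 0o666) & ~umask


def extra_bits(samba: int, local: int) -> int:
    """Permission bits present on the Samba-created object but not the local one."""
    return samba & ~local


# Share settings as posted on this page.
DATA_SHARE = ShareParams(create_mask=0o770, directory_mask=0o770)
GPFSTEST_SHARE = ShareParams(create_mask=0o770, force_create_mode=0o770,
                             map_archive=False, store_dos_attributes=True)

if __name__ == "__main__":
    cases = [("defaults", ShareParams()), ("[data]", DATA_SHARE),
             ("[gpfstest]", GPFSTEST_SHARE)]
    local = local_mode(0o022)
    for name, params in cases:
        via_smb = samba_mode(ATTR_ARCHIVE, params)
        print(f"{name:11} smb={via_smb:04o} local={local:04o} "
              f"extra={extra_bits(via_smb, local):04o}")
```

With the [gpfstest] settings every file comes out 0770 whatever the client asked for, because force create mode adds the group and owner execute bits after the mask has been applied.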



Re: Fw: [Samba] computer outside domain can access resource to inside

2006-06-22 Thread Ian Clancy

Syamsu,
If you read the Handling of Foreign SIDs in Chapter 23 of the how to 
http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2622804 
this will explain why you need winbind. If you have winbind running then 
yes, your theory is correct (with the exception that more recent 
versions of samba allow you to delegate the addition of users to the 
domain to other users).

Hope this helps.

--
Ian Clancy
IT Co-ordinator




syamsu alam wrote:


Thanks to you guys, Wolfgang and Ian,

I think I will try to read about Winbind and implement it in my PDC.

But what do you think about my theory? Is it right?

Users cannot access resources in the network if they don't join the
domain. And only an administrator with the root user+password can join
users to the domain.


Thanks
SA




Re: [Samba] computer outside domain can access resource to inside

2006-06-21 Thread Ian Clancy

Syamsu,
You need to have winbind running on your PDC and also on any of your 
domain member servers. Otherwise, anyone with a username on their 
private PC that already exists on the Domain will be able to access 
resources as this user.


--
Ian Clancy
IT Co-ordinator




[EMAIL PROTECTED] wrote:


Dear,

I have a PDC server running under Redhat 9 using Samba 2.2.7. It has been running
until now.

As far as I know, users cannot access resources in the network if they don't join the
domain. And only an administrator with the root user+password can join users
to the domain.

But I have one problem.
There is one user who brought his private notebook. He set up an IP address (the same as
his office computer) and a local account and password (the same as his account on the PDC)
on his notebook. Then he unplugged the LAN cable from his office computer and plugged it
into his private notebook. And he can access shared files on other computers.

What's wrong? Please help me.

Thanks,
SA

 




Re: [Samba] ACLs and EXT3

2005-10-07 Thread Ian Clancy

Hi Daniel,
You need to read up on Default ACLs. This article should cover what you 
need to know.


http://www.vanemery.com/Linux/ACL/linux-acl.html
regards,
Ian

Daniel Haas wrote:


Hi List,

I am working with ACLs and the EXT3 filesystem and I have the same problem as
already discussed in several NGs.

If I move a file from one directory into another, the file does not change its
permissions. So the users who should be authorized to access the file do not
have these permissions. This is a great problem in my data structure because we
have to exchange a lot of files.

I know that this is the way the filesystem works. But I think there are more
people who want to work in the described way. So is there a filesystem which
has another way to handle the scrolling of files and directories?

Is there really no chance to inherit the permissions from the parent directory?
Or does anybody know a workaround to manage my problem? How do other
administrators handle this?

for info:
I am working with Samba 3.0.13 under SuSE 9.3
The service of the smb.conf for tests:
  [data]
   comment = Daten
   path = /data
   writeable = yes
   create mask = 0770
   directory mask = 0770
   valid users = @samba
Test with inherit permissions and inherit ACL was not successful.

Thanks for your help
Daniel


Re: [Samba] wbinfo -t not working on BDC

2005-08-22 Thread Ian Clancy

All,
An update on the problem below. I've updated to 3.0.20 today
and the problem remains. I think my problem lies with the
NetrServerAuthenticate2 call that the BDC makes to the PDC. The BDC
seems to be attempting to authenticate to the PDC using the account
mydomainname$ instead of mybdcname? . The account domainname$ does
not exist of course.

Another thing I noticed is that it takes two attempts to join the
domain. The first attempt returns Creation of workstation account failed.
At the second attempt Joined domain DOMAINNAME. is returned.

Does anybody know where I can find more info about the
NetrServerAuthenticate2 protocol?

regards,
Ian


Ian Clancy wrote:


Hi,
I just can't seem to get winbind to work on my BDC. I'm using FC3 and
samba 3.0.20rc2. My PDC is RHEL4 running Samba 3.0.14a / OpenLDAP.
I can join the BDC to the domain successfully using net rpc join...,
but when I enter wbinfo -t to check the trust relationship I get


checking the trust secret via RPC calls failed
error code was  (0x0)
Could not check secret

I placed a packet sniffer on the PDC to see what was happening and
captured the following RPM_NETLOGON communication between the BDC and
the PDC (see attached ethereal dump file). It appears to fail when the
BDC looks for an account of the same name as my domain - CEL. The
question is: do I need to create a trust account for my own domain?

thanks for reading :)
Ian





Re: [Samba] Access to shares from a machine with no trust account

2005-08-19 Thread Ian Clancy

Hi Michael,
It sounds like you are not using winbind. See the Handling of Foreign
SIDs section of Chapter 23 in the how-to for more info.


http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id2632948

regards

--
Ian Clancy
IT Systems Engineer



Michael Free wrote:


Hi folks


I don't understand why it is possible to access a share on the samba
server from a pc that hasn't a Trust Account on the samba server.

All I do is log in on the PC with a local login account (not in the domain).
Then I can access the shares on the server in the following way:
\\server\MyShare
PC asks for username/password -- I log in with a valid combination --
I get access to shares

security level is set to user (not to shares!)


Can anybody explain what's going on here?

Thanks.

Michael
 






Re: [Samba] Binding to Tun0 device

2005-08-19 Thread Ian Clancy

Lonnie wrote:


Hello all,

We have a few aliased Ethernet addresses on our server and if I do not 
use the Bind statement in the Global section then the NMBD seems to 
try to bind to all of the addresses.


We are actually using OpenVPN which make the connections just fine on 
a 172.16.x.x subnet to tun0 device.


The problem is that Samba does not seem to find the tun0 device and 
reports that there are no network cards available if I use the:


Bind Interfaces Only = True
Interfaces tun0 172.16.0.1

How can I just bind Samba to the tun0 device?

Also, with my home machine on the 192.168.x.x subnet and can see 
another Samba server just fine in the WORKGROUP but I cannot see the 
workgroup on the 172.16.x.x subnet through the VPN connection.


Any ideas on how to be able to see the other workgroup as well?


Lonnie,
The cleanest way to do this is to set up a single WINS server for all
your subnets and domains. Also, check out the remote announce parameter
in smb.conf.

Maybe a search on the openvpn list will help you with the other problem.
regards,
Ian


--
Ian Clancy
IT Systems Engineer


[Samba] Question on BDC secrets.tdb file

2005-08-18 Thread Ian Clancy

Hi,
I am having problems getting winbind on a BDC to work in a Samba3/LDAP
environment and have one straightforward question.
Should the secrets.tdb file on the BDC contain an entry with the name of
the BDC, e.g. where BACKUP is the name of the BDC?


{
key = SECRETS/SID/BACKUP
data = 
\01\04\00\00\00\00\00\05\15\00\00\00\CE/\8B\B05\AF\A5\D4h\C0\DB\04\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00

}

All my other domain member servers contain an entry similar to this, but
not the BDC. This is why I think winbind is failing.

Thanks,

--
Ian Clancy
IT Systems Engineer


Re: [Samba] wbinfo -t not working on BDC (Attempt to bind using schannel without successful serverauth2)

2005-08-15 Thread Ian Clancy

Hi,
Further to this, I'm receiving the following error in the logs of the BDC:

Attempt to bind using schannel without successful serverauth2

regards,
Ian


Ian Clancy wrote:


Hi,
I just can't seem to get winbind to work on my BDC. I'm using FC3 and
samba 3.0.20rc2. My PDC is RHEL4 running Samba 3.0.14a / OpenLDAP.
I can join the BDC to the domain successfully using net rpc join...,
but when I enter wbinfo -t to check the trust relationship I get


checking the trust secret via RPC calls failed
error code was  (0x0)
Could not check secret

I placed a packet sniffer on the PDC to see what was happening and
captured the following RPM_NETLOGON communication between the BDC and
the PDC (see attached ethereal dump file). It appears to fail when the
BDC looks for an account of the same name as my domain - CEL. The
question is: do I need to create a trust account for my own domain?

thanks for reading :)
Ian




--
Ian Clancy
IT Systems Engineer


Re: [Samba] RPM SPEC rebuild errors

2005-08-15 Thread Ian Clancy

Lonnie,
Had a similar problem to you. This should help 
http://www.rpm.org/hintskinks/unpackaged-files/


--
Ian Clancy
IT Systems Engineer



Lonnie wrote:


Hello All,

I have been trying all afternoon to rebuild the Samba RPM for my 
Fedora 3 with the MySQL passdb support and from what I can see it only 
needs the inclusion of --with-expsam=mysql in the SPEC file in 
addition to the regular ones.


The problem is that no matter what version of Samba I try to rebuild,
it always gives an error at the same place:

---
Processing files: samba-client-3.0.10-1.fc3
Requires(rpmlib): rpmlib(CompressedFileNames) = 3.0.4-1 
rpmlib(PayloadFilesHavePrefix) = 4.0-1
Requires: /bin/sh /usr/bin/perl libc.so.6 libc.so.6(GLIBC_2.0) 
libc.so.6(GLIBC_2.1) libc.so.6(GLIBC_2.1.3) libc.so.6(GLIBC_2.2) 
libc.so.6(GLIBC_2.2.3) libc.so.6(GLIBC_2.3) libcom_err.so.2 
libcrypt.so.1 libdl.so.2 libdl.so.2(GLIBC_2.0) libdl.so.2(GLIBC_2.1) 
libgssapi_krb5.so.2 libk5crypto.so.3 libkrb5.so.3 liblber-2.2.so.7 
libldap-2.2.so.7 libncurses.so.5 libnsl.so.1 libnsl.so.1(GLIBC_2.0) 
libpopt.so.0 libreadline.so.4 libresolv.so.2 samba-common = 0:3.0.10

Obsoletes: smbfs
Processing files: samba-common-3.0.10-1.fc3
Provides: CP437.so CP850.so config(samba-common) = 0:3.0.10-1.fc3 
libnss_winbind.so libnss_wins.so libsmbclient.so.0 pam_winbind.so

Requires(interp): /bin/sh /bin/sh /bin/sh
Requires(rpmlib): rpmlib(CompressedFileNames) = 3.0.4-1 
rpmlib(PayloadFilesHavePrefix) = 4.0-1

Requires(post): /bin/sh
Requires(preun): /bin/sh
Requires(postun): /bin/sh
Requires: /bin/sh config(samba-common) = 0:3.0.10-1.fc3 libc.so.6 
libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1) libc.so.6(GLIBC_2.1.3) 
libc.so.6(GLIBC_2.2) libc.so.6(GLIBC_2.2.3) libc.so.6(GLIBC_2.3) 
libcom_err.so.2 libcrypt.so.1 libcrypto.so.4 libcups.so.2 libdl.so.2 
libdl.so.2(GLIBC_2.0) libdl.so.2(GLIBC_2.1) libgssapi_krb5.so.2 
libk5crypto.so.3 libkrb5.so.3 liblber-2.2.so.7 libldap-2.2.so.7 
libnsl.so.1 libnsl.so.1(GLIBC_2.0) libpam.so.0 libpopt.so.0 
libresolv.so.2 libssl.so.4

Processing files: samba-swat-3.0.10-1.fc3
Provides: config(samba-swat) = 0:3.0.10-1.fc3
Requires(rpmlib): rpmlib(CompressedFileNames) = 3.0.4-1 
rpmlib(PayloadFilesHavePrefix) = 4.0-1
Requires: config(samba-swat) = 0:3.0.10-1.fc3 libc.so.6 
libc.so.6(GLIBC_2.0) libc.so.6(GLIBC_2.1) libc.so.6(GLIBC_2.1.3) 
libc.so.6(GLIBC_2.2) libc.so.6(GLIBC_2.2.3) libc.so.6(GLIBC_2.3) 
libcom_err.so.2 libcrypt.so.1 libcrypto.so.4 libcups.so.2 libdl.so.2 
libdl.so.2(GLIBC_2.0) libdl.so.2(GLIBC_2.1) libgssapi_krb5.so.2 
libk5crypto.so.3 libkrb5.so.3 liblber-2.2.so.7 libldap-2.2.so.7 
libnsl.so.1 libnsl.so.1(GLIBC_2.0) libpam.so.0 libpopt.so.0 
libresolv.so.2 libssl.so.4 samba = 0:3.0.10 xinetd


Processing files: samba-debuginfo-3.0.10-1.fc3
Provides: CP437.so.debug CP850.so.debug audit.so.debug cap.so.debug 
default_quota.so.debug expand_msdfs.so.debug extd_audit.so.debug 
fake_perms.so.debug full_audit.so.debug libnss_winbind.so.2.debug 
libnss_wins.so.2.debug libsmbclient.so.debug mysql.so.debug net.debug 
netatalk.so.debug nmbd.debug nmblookup.debug ntlm_auth.debug 
pam_smbpass.so.debug pam_winbind.so.debug pdbedit.debug profiles.debug 
readonly.so.debug recycle.so.debug rpcclient.debug 
shadow_copy.so.debug smbcacls.debug smbclient.debug smbcontrol.debug 
smbcquotas.debug smbd.debug smbmnt.debug smbmount.debug 
smbpasswd.debug smbspool.debug smbstatus.debug smbtree.debug 
smbumount.debug swat.debug tdbbackup.debug tdbdump.debug tdbtool.debug 
testparm.debug testprns.debug wbinfo.debug winbindd.debug
Requires(rpmlib): rpmlib(CompressedFileNames) = 3.0.4-1 
rpmlib(PayloadFilesHavePrefix) = 4.0-1
Checking for unpackaged file(s): /usr/lib/rpm/check-files 
/var/tmp/samba-3.0.10-root

error: Installed (but unpackaged) file(s) found:
  /usr/lib/samba/pdb/mysql.so


RPM build errors:
   Installed (but unpackaged) file(s) found:
  /usr/lib/samba/pdb/mysql.so


This /usr/lib/samba/pdb/mysql.so does not exist and if I understand
this error then it is saying that it keeps finding it.


Can someone please tell me what is happening here?






Re: [Samba] smbldap-tools unresovled problem.

2005-08-12 Thread Ian Clancy

Hi,
Correct me if I am wrong, but I think an account (user or computer) does
not have to be listed as a member of a group if its gid is that group.
I had the same problem joining PCs to the domain as yourself and wrote
a patch to fix this in smbldap-useradd (attached). It appears to be
working fine.

regards,
Ian

Markus Markert wrote:

i found the problem in the smbldap-tools. the problem in my case is, that if i 
add a workstation with smbldap-useradd -w test, that the computer is added in 
computers, but the id of this computer is not set in the group Domain 
Computers in the field memberUid. hope this is the global failure of the 
scripts.


can somebody confirm this?

On Friday, 12 August 2005 14:46, Markus Markert wrote:
 


hi, have the same problem with the smbldap-tools v0.9.0 , but on suse 9.3.
if i say:

./smbldap-useradd -w -a xxx

it only adds the posix stuff, not the samba things.

i have read, that computers should not be in the computers dn in ldap. it
should be in the users dn. is that right?
http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2

can somebody send the filechanges from smb.conf, nss???...

greetings

markus

On Friday, 12 August 2005 12:17, Chris Ong wrote:
   


Geert Stappers wrote:
 


Recently changed the LDAP master account passwd in phpldapadmin?
Did you also update it the samba side? ( smbpasswd -w )
   


Nope. The LDAP master account passwd has never been changed since the
implementation.

--
Regards,
C. K. Ong (Chris) Linux System Engineer,
RHCT Cert No: 603004347692007
http://www.redhat.com/rhce/rhce603004347692007.html

My Directory Sdn. Bhd.
Your Open Source Partner.
http://www.md.com.my http://www.net.my 2005

---
After watching Gentoo in Antartica, I decided to go home with RedHat
on my head.
---

 




--
Ian Clancy
IT Systems Engineer

[Samba] wbinfo -t not working on BDC

2005-08-12 Thread Ian Clancy

Hi,
I just can't seem to get winbind to work on my BDC. I'm using FC3 and 
samba 3.0.20rc2. My PDC is RHEL4 running Samba 3.0.14a. / Openldap.
I can join the BDC to the domain successfully using net rpc join... , 
but when i enter wbinfo -t to check the trust relationship i get


checking the trust secret via RPC calls failed
error code was  (0x0)
Could not check secret

I placed a packet sniffer on the PDC to see what was happening and 
captured the following RPM_NETLOGON communication between the BDC and the 
PDC (see attached ethereal dump file). It appears to fail when the BDC 
looks for an account of the same name as my domain - CEL. The 
question is: do I need to create a trust account for my own domain?

thanks for reading :)
Ian

--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com




Re: [Samba] wbinfo -t not working on BDC

2005-08-12 Thread Ian Clancy


Forgot to attach the file.
BTW, this is the log entry from my PDC.

[2005/08/12 18:18:48, 5] rpc_parse/parse_prs.c:prs_debug(82)
get_md4pw: Workstation CEL$: no account in domain
[2005/08/12 18:18:48, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
005c neg_flags: 400701ff

--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com



[Samba] samba-3.0.20pre2 rpms very BIG

2005-07-13 Thread Ian Clancy

Hi,
I just downloaded the fedora samba-3.0.20pre2 source rpm. I built the 
binary RPMs using the rpmbuild -bb samba-spec command. I haven't 
installed the new RPMs yet but noticed they are much bigger than 
previous RPMs. See below:


-rw-r--r--  1 root root  23M Jun 14 20:12 samba-3.0.14a-4.i386.rpm
-rw-r--r--  1 root root  25M Jun 30 19:04 samba-3.0.20pre1-1.i386.rpm
-rw-r--r--  1 root root  79M Jul 13 21:35 samba-3.0.20pre2-1.i386.rpm
-rw-r--r--  1 root root 3.7M Jun 14 20:12 samba-client-3.0.14a-4.i386.rpm
-rw-r--r--  1 root root 3.9M Jun 30 19:04 samba-client-3.0.20pre1-1.i386.rpm
-rw-r--r--  1 root root  98M Jul 13 21:39 samba-client-3.0.20pre2-1.i386.rpm
-rw-r--r--  1 root root  26M Jun 14 20:13 samba-common-3.0.14a-4.i386.rpm
-rw-r--r--  1 root root  29M Jun 30 19:05 samba-common-3.0.20pre1-1.i386.rpm
-rw-r--r--  1 root root 103M Jul 13 21:42 samba-common-3.0.20pre2-1.i386.rpm
-rw-r--r--  1 root root 6.7M Jun 14 20:13 samba-swat-3.0.14a-4.i386.rpm
-rw-r--r--  1 root root 3.4M Jun 30 19:05 samba-swat-3.0.20pre1-1.i386.rpm
-rw-r--r--  1 root root  19M Jul 13 21:43 samba-swat-3.0.20pre2-1.i386.rpm

--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com




Re: [Samba] winbind creating duplicate users

2005-07-01 Thread Ian Clancy

Hi again,
In response to queries for more info, here is the smb.conf (minus shares) of 
my PDC:


workgroup = ted
netbios name = tedDC
server string = SAMBA-LDAP %v PDC Server
domain logons = Yes
domain master = Yes
preferred master = Yes
local master = Yes
interfaces = lo, eth0
bind interfaces only = Yes
logon script = scripts\tedmap.bat
logon home =
logon path =
wins support = Yes
name resolve order = lmhosts host wins bcast
remote announce = 192.168.2.2
log level = 1 auth:1 winbind:5 passdb:2
printing = cups
printcap name = CUPS
printer admin = Administrator
show add printer wizard = Yes
passdb backend = ldapsam:ldap://127.0.0.1;
ldap passwd sync = Yes
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=ted,dc=org
ldap suffix = dc=ted,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 1-15000
idmap gid = 1-15000
winbind separator = +
winbind use default domain = Yes
add machine script = /usr/sbin/smbldap-useradd -w %u
add user script = /usr/sbin/smbldap-useradd -m %u
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel %u
add machine script = /usr/sbin/smbldap-useradd -w %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
Dos charset = 850
Unix charset = ISO8859-1

here is the smb.conf of a typical domain member server :

  workgroup = TED
  netbios name = TEDFS02
  server string = Samba %v on Fedora Core 2
  security = DOMAIN
  encrypt passwords = Yes
  password server = *
  interfaces = lo, eth0
  bind interfaces only = Yes
  unix extensions = Yes
  username map = /etc/samba/smbusers
  wins server = 192.0.2.14
  winbind separator = +
  winbind use default domain = Yes
  idmap backend = ldap:ldap://teddc.ted
  idmap uid = 1-15000
  idmap gid = 1-15000
  ldap admin dn = cn=Manager,dc=ted,dc=org
  ldap suffix = dc=ted,dc=org
  ldap machine suffix = ou=Computers
  ldap user suffix = ou=People
  ldap group suffix = ou=Groups
  ldap idmap suffix = ou=Idmap
  log file = /var/log/samba/log.%m
  log level = 1
  max log size = 50
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192



--
Ian Clancy
IT Systems

Re: [Samba] winbind creating duplicate users

2005-07-01 Thread Ian Clancy

Hi,
I've been working on this for the last couple of hours and think I have 
found the root of the problem. Users that do not have a problem 
have a SID such as the following:


S-1-5-21-193554404-1789558652-91453608-1264

However, any users that I have created recently have a SID similar to 
the following:


S-1-5-21-193554404-1789558652-91453608-12188

As you may have noticed, the value of the last user part of the SID seems 
to have jumped considerably; another digit has been added. This seems 
to be messing up winbind somehow and winbind is allocating the SID a UID 
from the idmap pool.


Can anyone explain how the SID is generated? Is there some kind of 
algorithm?

thanks,
Ian


[Samba] winbind creating duplicate users

2005-06-30 Thread Ian Clancy

Hi everybody,
I'm having a problem with winbind creating 2 entries for some of my 
users that is really wrecking my head ;-/ .

My situation is as follows :
I have a typical Samba (3.0.14a)/LDAP setup. I have a trusted domain 
(another Samba/LDAP setup) and use winbind to map the users from the 
foreign domain, with the UID to SID mappings stored in LDAP . This works 
very well.

The relevant part of my nsswitch.conf file is as follows :

passwd: files ldap winbind
shadow: files ldap winbind
group:  files ldap winbind

When I run 'getent passwd' on a domain member server the following are listed:
1.) local user accounts
2.) accounts resolved via LDAP (UID 5'000+)
3.) winbind resolved accounts from the foreign domain (i.e. 
FDOMAIN+user) UID = 10'000 +


This was all working fine for a while. However, recently I noticed that 
winbind began storing additional UID to SID mappings for members of the 
local domain in LDAP.
So when I ran e.g. 'getent passwd | grep brightstor' I would get 2 
entries for the 1 user account, 1 resolved from LDAP, the other from winbind:


brightstor:x:5586:513:System User:/home/brightstor:/bin/false
brightstor:x:10168:513:Brightstor:/home/CEL/brightstor:/bin/false

This occurs for some accounts but not others.
pdbedit on this account returns:

[EMAIL PROTECTED] etc]# pdbedit -Lv brightstor
init_sam_from_ldap: Entry found for user: brightstor
Unix username:brightstor
NT username:  brightstor
Account Flags:[UX ]
User SID: S-1-5-21-193554404-1789558652-91453608-12172
Primary Group SID:S-1-5-21-193554404-1789558652-91453608-513
Full Name:Brightstor
Home Directory:
HomeDir Drive:
Logon Script: scripts\tedmap.bat
Profile Path:
Domain:   TED
Account desc: System User
Workstations:
Munged dial:
Logon time:   0
Logoff time:  Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
Password last set:Tue, 28 Jun 2005 10:53:57 GMT
Password can change:  Tue, 28 Jun 2005 10:53:57 GMT
Password must change: Tue, 19 Jan 2038 03:14:07 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours : FF

Even when I stop winbind, delete winbindd_cache.tdb and 
winbindd_idmap.tdb and delete the bad entries from the LDAP Directory 
the problem returns.


Can anyone make sense of this behaviour?
Thanks

--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com
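
The check described in this thread, as an added example that is not part of the original posts: it finds names in `getent passwd` output that resolve to more than one UID, and tests whether a SID's RID fits Samba 3's algorithmic mapping (RID = 2 x UID + `algorithmic rid base`, default 1000). The `brightstor` rows and both SIDs are quoted from the thread; the `alice` account, the 10000-15000 idmap pool and all function names are assumptions made for the illustration.

```python
from collections import defaultdict

ALGORITHMIC_RID_BASE = 1000       # Samba 3 default for "algorithmic rid base"
LDAP_UID_MIN = 5000               # from the post: LDAP accounts are UID 5000+
IDMAP_UID_RANGE = (10000, 15000)  # assumption: winbind pool ("UID = 10'000 +")

# The two brightstor rows are quoted from the post; "alice" is constructed.
GETENT_PASSWD = """\
brightstor:x:5586:513:System User:/home/brightstor:/bin/false
brightstor:x:10168:513:Brightstor:/home/CEL/brightstor:/bin/false
alice:x:5132:513:Alice:/home/alice:/bin/bash
"""

# brightstor's SID is the one pdbedit printed in the post. The second SID is
# the older-style one quoted in the follow-up, attached to a constructed user.
USER_SIDS = {
    "brightstor": "S-1-5-21-193554404-1789558652-91453608-12172",
    "alice": "S-1-5-21-193554404-1789558652-91453608-1264",
}


def parse_passwd(text):
    """Return (name, uid) pairs from passwd-format text, skipping bad rows."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        entries.append((fields[0], int(fields[2])))
    return entries


def uid_source(uid):
    """Guess which NSS source handed out a UID, from the ranges above."""
    low, high = IDMAP_UID_RANGE
    if low <= uid <= high:
        return "winbind idmap pool"
    if uid >= LDAP_UID_MIN:
        return "ldap"
    return "local files"


def duplicate_accounts(text):
    """Map each name that resolves to more than one UID to its sorted UIDs."""
    seen = defaultdict(set)
    for name, uid in parse_passwd(text):
        seen[name].add(uid)
    return {name: sorted(uids) for name, uids in seen.items() if len(uids) > 1}


def sid_rid(sid):
    """Return the relative identifier, the last sub-authority of a SID."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return int(parts[-1])


def algorithmic_user_rid(uid, base=ALGORITHMIC_RID_BASE):
    """User RID under Samba 3's algorithmic mapping: 2 * uid + base."""
    return uid * 2 + base


def rid_is_algorithmic(sid, uid):
    return sid_rid(sid) == algorithmic_user_rid(uid)


def audit(passwd_text, sids):
    """Describe every doubly-mapped name and which UID its RID derives from."""
    findings = []
    for name, uids in sorted(duplicate_accounts(passwd_text).items()):
        sid = sids.get(name)
        match = None
        if sid is not None:
            match = next((u for u in uids if rid_is_algorithmic(sid, u)), None)
        findings.append({
            "name": name,
            "uids": [(u, uid_source(u)) for u in uids],
            "rid": sid_rid(sid) if sid else None,
            "rid_matches_uid": match,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(GETENT_PASSWD, USER_SIDS):
        print(finding)
```

Two UIDs for one name means files and ACL entries written under one mapping are not recognised under the other, so this audit is worth running on every member server.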




[Samba] Exchange 5.5 not seeing new Domain accounts - lsass.exe searching local SAM

2005-06-16 Thread Ian Clancy

Hi,
First of all, the problem I am having is not directly related to Samba. 
So apologies, however there are a lot of people on this list who know a 
good deal about how Windows (and related technologies) work so I'm 
hoping they can shed some light on the matter.


Background :
I successfully completed a migration from a Windows NT4 Domain to a 
Samba domain with LDAP backend about 2 months ago. The old NT4 PDC also 
hosted an exchange 5.5 sp4 email server so I could not just rubbish it. 
Once the migration was complete I used a tool called UPromote to demote 
the old PDC and rejoined it to the new domain (Same Domain Name). All 
appeared to work well...


However, when I added new accounts to the system they could not access 
their email using their domain account whereas existing accounts were 
working fine. The mail server reported this error (from event log):

--
A logon attempt failed because an attempt to look up Windows NT account 
information failed. Error 1332.

--

The new accounts worked perfectly in every other sense. Even at the old 
PDC I could log on with the new accounts, see the new accounts in 
usrmgr.exe, and select them as the Primary Windows NT account for the 
associated mailbox in the Exchange admin program.


So I thought, maybe Exchange is somehow looking on the old PDC for 
account data. I was able to confirm my suspicion using an application 
called regmon which records access to the registry. From the following 
output I can see the lsass.exe program searching the SAM portion of the 
registry for the user account.


Output using the regmon utility
---
20490   160.25828604   lsass.exe:48   OpenKey   HKLM\SAM\SAM\DOMAINS\Account\Groups\2F6A    NOTFOUND
20491   160.25839958   lsass.exe:48   OpenKey   HKLM\SAM\SAM\DOMAINS\Account\Aliases\2F6A   NOTFOUND
20492   160.25852070   lsass.exe:48   OpenKey   HKLM\SAM\SAM\DOMAINS\Account\Users\2F6A     NOTFOUND

-

Finally (and thanks for your patience :) ), how do I get Exchange (or 
lsass.exe) to search the domain for accounts and not the local registry 
(HKEY_LOCAL_MACHINE)?


Any suggestion welcome,
thanks



--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com




Re: [Samba] Proper behavior of Interdomain Trust uid mappings

2005-06-14 Thread Ian Clancy

Robert Kelly wrote:


Hi there,
I'm running Samba 3.0.14a-sernet on Suse 9.1 using ldapsam.
I've got an interdomain trust setup across a vpn connection with a
2k3sp1 domain (DOMB).
The trust works.
 


Robert,
I have a similar setup to yourself except I have 2 samba domains across 
a VPN.



What is strange is that a user from DOMB can't access any shares until
they browse a share on our domain controller, say netlogon, then samba
creates a new posix account for them in the ou=users base.
 

I spent quite a while myself trying to figure this out. I'm not sure if 
what I have done is correct but in nsswitch.conf I have:


passwd: files ldap winbind
shadow: files ldap winbind
group:  files ldap winbind
-

winbind is used to give the foreign sid's from the trusted domain uid on 
your PDC or Domain member Server



I have nsswitch.conf using ldap, and samba configured to use winbind as
per the howto. Same wins etc.
What isn't clear to me is why the user account gets created as a regular
account and not in the ou=idmap base.

 

I had this same problem until I added winbind to the nsswitch.conf file. 
Can you see the users from the trusted domain when you enter 'wbinfo -u' 
at the shell?



Shouldn't just a sambaIdmapEntry object be created in ou=IdMap and not a
posixaccount in ou=users?
The account gets created with a uid from the regular users range not
from the idmap uid range and still gets created when winbind is stopped.

I've read Chapter 18. Interdomain Trust Relationships over and over
again, but need some suggestions on the correct way to setup winbind on
a domain controller when using a trust.

Any clues?

 


The book is not very clear on this. It took me some time to figure it out.


Thanks,
Rob

 




--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com




Re: [Samba] Samba BDC for Backup

2005-06-08 Thread Ian Clancy

Hiu Yen Onn wrote:


Hiu Yen Onn wrote:


hi,

i have no experience in configure any of the BDC before. just curious 
to ask, if i have configured a BDC, then if any fail down of my PDC, 
does BDC will take turn automatically??? stupid question but, i 
didnt know it... sorry



another question

1. I have a master ldap tree for my PDC, likewise my BDC also having a 
slave ldap tree, do i need to replicate the master ldap to the slave 
ldap?


In a word, Yes. If you are using openldap you will find plenty of 
documentation on the Internet about how to do this.


2. How about the sid number??? does PDC sid have to be similar to the 
BDC sid??? what is sid? what does is working for??? dun understand... 
pls enlighten.. thanks..


The PDC and the BDC have the same SID number. Usually each computer / 
user has a unique SID. However domain controllers are a unique case. 
You can import the SID into a BDC using the 'net rpc getsid 
DOMAINNAME' command.


--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com




Re: [Samba] updating samba via rpm

2005-06-08 Thread Ian Clancy

Stuart Highlander wrote:


good afternoon,

current status:
samba pdc running samba 3.0.10-1.fc3 on fedora core 3 on a dell server.
clients are windows 2000 pro workstations.
authentication is via tdbsam.

pretty vanilla setup.  no active directory, ldap, winbind, etc.

i have downloaded the rpm's from samba.org for current stable release samba
3.0.14a-1.  usually  i perform upgrades to samba server using rpm -Fvh
samba-*, with this set of rpm's the update does not run using the rpm -Fvh
command.

i do recall list traffic that did not recommend upgrading this way, but have
not had any problems in the past doing it this way.

could someone steer me to documentation that would help me upgrade the samba
software via rpm?

i have downloaded and read the samba pdf manuals by john terpstra, jelmer
vernooij, and jerry carter (excellent reading), but did not find my specific
issue.

thank you,

stuart

 


Stuart,
I understand your predicament.
Redhat / Fedora package Samba in a different way than the rpm you just 
downloaded from the site. You can usually find 3 or 4 samba RPMs 
installed on Fedora 3:

samba-common-3.0.10-1.fc3
samba-3.0.10-1.fc3
samba-client-3.0.10-1.fc3

I can't remember exactly, but I think gnome-vfs2-smb depends on 
samba-common. Other gnome RPMs depend on gnome-vfs2-smb etc.

The rpm from the site provides one rpm package :
samba-3.0.14a-1

If you're not bothered about using gnome you can uninstall the Fedora 
Samba RPMs (stop samba first of course):

rpm --nodeps -e samba samba-common samba-client

then install the rpm from samba.org
rpm -Uvh samba-3.0.14a-1.i386.rpm

One thing to look out for. What was previously located in 
/var/cache/samba is now located in /var/lib/samba.

regards

--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com




[Samba] Samba trusted domains and access control lists problem (cannot delete or rename)

2005-06-02 Thread Ian Clancy

Hi,
I am having difficulty deleting and renaming files with users from a 
foreign domain using ACLs.

My setup is as follows :
I have two Samba (3.0.14a)/LDAP domains connected via a VPN (OpenVPN) 
with a bi-directional trust relationship established. The trust 
relationship appears to be working correctly. I can log on to PCs at 
either end on either Domain :) and the browse lists of both domains are 
synchronising properly.
I am using the same WINS server for both domains and this is located in 
DomA on the Primary Domain Controller.
I want users on DomB to be able to access shares on Domain Member 
servers on DomA.
Winbind is running on my fileservers and I am using ldap as an idmap 
backend.
Users from DomA are mapped on my Domain member server using ldap and 
DomB users are mapped using winbind. I have the following entry in my 
nsswitch.conf file:


passwd: files ldap winbind
shadow: files ldap winbind
group:  files ldap winbind

I have not seen anyone else do this so I am not sure if it is correct 
:). It appears to work however as 'getent passwd' and 'getent group' 
return users from both Domains. Users of DomB are prepended with DomB+ 
(as expected). So far so good ...


The following is a share on one of my Domain member servers on DomA:

[Materials]
   comment = Materials Share
   path = /var/shares/Materials
   read only = No
   inherit permissions = Yes
   inherit acls = Yes

I can successfully set the ACLs from the shell using setfacl. The 
permissions on the above share are as follows:


# file: Materials
# owner: root
# group: DomA Users
user::rwx
group::rwx
group:DomB+DomB users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:DomA Users:rwx
default:group:DomB+DomB users:rwx
default:mask::rwx
default:other::---


Users from DomB can successfully access the share. They can even create 
files as follows in the root directory of the above share:


# file: New Text Document.txt
# owner: DomB+yorketom
# group: DomB+domain users
user::rwx
user:root:rwx   #effective:rw-
group::rwx  #effective:rw-
group:DomA Users:rwx #effective:rw-
group:DomB+DomB users:rwx #effective:rw-
mask::rw-
other::---

However, I cannot delete or rename this file?!

So to summarise, I have two main questions:

1. Why are the effective permissions on the file above 'rw-'?

2. In Windows I can see permissions for the owner, group and also 
Everyone but none of the other permissions, for example 'group:DomA 
Users:rwx #effective:rw-' as listed above?



If you've managed to get this far, thanks for reading :).
regards,
Ian


--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com
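
How the `#effective:` column in the listing above is derived, as an added example that is not part of the original post: a small parser for `getfacl` text that applies the POSIX ACL mask rule (named users, the owning group and named groups are limited by `mask::`; the owner and `other` entries are not) and compares its result with the values `getfacl` printed. The sample is the file listing quoted in the post; the function names are illustrative.

```python
# Constructed from the getfacl listing of the new file quoted in the post.
FILE_ACL = """\
# file: New Text Document.txt
# owner: DomB+yorketom
# group: DomB+domain users
user::rwx
user:root:rwx   #effective:rw-
group::rwx  #effective:rw-
group:DomA Users:rwx #effective:rw-
group:DomB+DomB users:rwx #effective:rw-
mask::rw-
other::---
"""


def parse_getfacl(text):
    """Return (header, entries) for one file's getfacl output.

    Qualifiers may contain spaces ("DomA Users"), so the permission string
    is taken from the right. "default:" entries are skipped: they are
    templates for new children, not part of the access check.
    """
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        body, _, comment = line.partition("#")
        body = body.strip()
        if body.startswith("default:"):
            continue
        reported = None
        if comment.startswith("effective:"):
            reported = comment[len("effective:"):].strip()
        head, perms = body.rsplit(":", 1)
        tag, _, qualifier = head.partition(":")
        entries.append({"tag": tag, "qualifier": qualifier,
                        "perms": perms, "reported": reported})
    return header, entries


def is_masked(entry):
    """Named users and every group entry are subject to the mask."""
    if entry["tag"] == "group":
        return True
    return entry["tag"] == "user" and entry["qualifier"] != ""


def apply_mask(perms, mask):
    """Bitwise AND of two rwx strings, position by position."""
    return "".join(p if p != "-" and m != "-" else "-"
                   for p, m in zip(perms, mask))


def effective_acl(text):
    """Map (tag, qualifier) to the permissions that actually apply."""
    _, entries = parse_getfacl(text)
    mask = next((e["perms"] for e in entries if e["tag"] == "mask"), None)
    result = {}
    for entry in entries:
        perms = entry["perms"]
        if mask is not None and is_masked(entry):
            perms = apply_mask(perms, mask)
        result[(entry["tag"], entry["qualifier"])] = perms
    return result


def mismatches(text):
    """Entries whose printed #effective value differs from the computed one."""
    _, entries = parse_getfacl(text)
    computed = effective_acl(text)
    return [(e["tag"], e["qualifier"]) for e in entries
            if e["reported"] is not None
            and e["reported"] != computed[(e["tag"], e["qualifier"])]]


if __name__ == "__main__":
    for key, perms in effective_acl(FILE_ACL).items():
        print(key, perms)
    print("mismatches:", mismatches(FILE_ACL))
```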




[Samba] failing WINS test #1

2005-05-26 Thread Ian Clancy

Hi Samba users,
I'm using a typical Samba 3.0.14a PDC/LDAP setup. The PDC is also the 
WINS server.
The WINS server is working perfectly with one exception. The server 
cannot query itself.

I searched through log.nmbd and this is what I found:

[2005/05/26 17:06:55, 4] 
nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(173)

  find_name_on_subnet: on subnet 192.0.2.14 - name CELCZPDC00 NOT FOUND
[2005/05/26 17:06:55, 9] nmbd/nmbd_namelistdb.c:find_name_on_subnet(129)
1 == memcmp( CELCZPDC00, CEL1e, 84 )
nmbd_subnetdb:namelist_entry_compare()
[2005/05/26 17:06:55, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
-1 == memcmp( CELCZPDC00, CELDC00, 84 )
nmbd_subnetdb:namelist_entry_compare()
[2005/05/26 17:06:55, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
-1 == memcmp( CELCZPDC00, CELDC20, 84 )
nmbd_subnetdb:namelist_entry_compare()
[2005/05/26 17:06:55, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
1 == memcmp( CELCZPDC00, CEL1d, 84 )
nmbd_subnetdb:namelist_entry_compare()
[2005/05/26 17:06:55, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
  process_name_query_request: Name query from 192.0.2.14 on subnet 
192.0.2.14 for name CELCZPDC00
[2005/05/26 17:06:55, 3] 
nmbd/nmbd_incomingrequests.c:process_name_query_request(454)

  packet_is_for_wins_server: failing WINS test #1.
[2005/05/26 17:06:55, 10] 
nmbd/nmbd_winsserver.c:packet_is_for_wins_server(155)

  question: q_name=CELCZPDC00 q_type=32 q_class=1
  header: rcode=0 qdcount=1 ancount=0 nscount=0 arcount=0
  header: flags: bcast=Yes rec_avail=No rec_des=Yes trunc=No auth=No
  nmb packet from 192.0.2.14(42713) header: id=327 opcode=Query(0) 
response=No

[2005/05/26 17:06:55, 4] libsmb/nmblib.c:debug_nmb_packet(109)
  Received a packet of len 50 from (192.0.2.14) port 42713



Anybody know what failing WINS test #1 means?
Thanks,

--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com




[Samba] Can't join PC's to Domain - object class 'sambaSamAccount' requires attribute 'sambaSID'

2005-05-25 Thread Ian Clancy


Hi Samba Admins,
I have a problem with my new Samba3.0.14a/LDAP domain. I can no longer 
join computers to the domain using the normal procedure in windows.

I went to the domain controller to investigate. When I run
# pdbedit -m -a mambo50
I am returned the following error:


init_ldap_from_sam: Setting entry for user: mambo50$
ldapsam_modify_entry: Failed to add user dn= 
uid=mambo50$,ou=Computers,dc=zed,dc=org with: Object class violation

object class 'sambaSamAccount' requires attribute 'sambaSID'
ldapsam_add_sam_account: failed to modify/add user with uid = mambo50$ 
(dn = uid=mambo50$,ou=Computers,dc=zel,dc=org)

Unable to add machine! (does it already exist?)



I have checked and the previous machine does not already exist.
I use the IDEALX tools to manage my Domain. When I try to add the PC 
with the following command:

smbldap-useradd -w mambo50$
this creates the entry in my Directory. However, only the posix user 
attributes are created, SambaSamAccount is not present.


Last week, I accidentally deleted the sambaDomainName branch of my 
Directory. I restored this part of the tree in a couple of minutes 
without any problems. This is where the SambaSID attribute is stored so 
I wonder if this has in some way upset my samba setup. Does anyone know 
how I can test this?

Thanks for your help.
I will repost if I resolve this issue myself.
regards,

--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com




[Samba] WINS resolution not working on WINS Server

2005-05-24 Thread Ian Clancy

Hi Samba Users,
I'm using a typical Samba/LDAP Solution. My PDC is running samba 3.0.14a 
on RHEL4. This is also my acting WINS server.
WINS resolution appears to be working fine for all other PC's on the 
network. It works for my BDC, and Domain member servers and the various 
windows clients on the network. However WINS does not appear to work on 
the PDC itself.


On the PDC I have the following line in nsswitch.conf:

hosts:  files wins dns

The following output from log.nmbd shows an unsuccessful WINS lookup by 
the PDC (in reverse using tac). I can see CELCZPDC00 clearly in the 
wins.dat file:


 find_name_on_subnet: on subnet 192.0.2.14 - name CELCZPDC00 NOT FOUND
[2005/05/24 09:43:09, 9] nmbd/nmbd_namelistdb.c:find_name_on_subnet(129)
-1 == memcmp( CELCZPDC00, CELDC00, 84 )
nmbd_subnetdb:namelist_entry_compare()
[2005/05/24 09:43:09, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
-1 == memcmp( CELCZPDC00, CELDC03, 84 )
nmbd_subnetdb:namelist_entry_compare()
[2005/05/24 09:43:09, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
1 == memcmp( CELCZPDC00, CEL1e, 84 )
nmbd_subnetdb:namelist_entry_compare()
[2005/05/24 09:43:09, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
-1 == memcmp( CELCZPDC00, CELDC20, 84 )
nmbd_subnetdb:namelist_entry_compare()
[2005/05/24 09:43:09, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
1 == memcmp( CELCZPDC00, CEL1d, 84 )
nmbd_subnetdb:namelist_entry_compare()
[2005/05/24 09:43:09, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
 process_name_query_request: Name query from 192.0.2.14 on subnet 
192.0.2.14 for name CELCZPDC00
[2005/05/24 09:43:09, 3] 
nmbd/nmbd_incomingrequests.c:process_name_query_request(454)



Here is a copy of my smb.conf :

# Global parameters
[global]
   dos charset = 850
   unix charset = ISO8859-1
   workgroup = CEL
   server string = SAMBA-LDAP %v PDC Server
   interfaces = lo, eth0
   bind interfaces only = Yes
   passdb backend = ldapsam:ldap://127.0.0.1
   enable privileges = Yes
   passwd program = /usr/sbin/smbldap-passwd -u %u
   log level = 1 auth:3 winbind:5 passdb:5
   name resolve order = lmhosts host wins bcast
   printcap name = CUPS
   add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
   delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
   add group script = /opt/IDEALX/sbin/smbldap-groupadd -p %g
   delete group script = /opt/IDEALX/sbin/smbldap-groupdel %g
   add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x %u %g
   set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g %g %u

   add machine script = /opt/IDEALX/sbin/smbldap-useradd -w %u
   logon script = scripts\celmap.bat
   logon path =
   logon home =
   domain logons = Yes
   preferred master = Yes
   domain master = Yes
   wins support = Yes
   ldap admin dn = cn=Manager,dc=cel,dc=org
   ldap delete dn = Yes
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Idmap
   ldap machine suffix = ou=Computers
   ldap passwd sync = Yes
   ldap suffix = dc=cel,dc=org
   ldap user suffix = ou=People
   remote announce = 192.168.2.2
   idmap backend = ldap:ldap://127.0.0.1
   idmap uid = 1-15000
   idmap gid = 1-15000
   winbind separator = +
   winbind use default domain = Yes
   winbind trusted domains only = Yes
   printer admin = Administrator


I need wins to work on the PDC to implement trusted domains. Anyone got
any ideas as to what could be wrong?

regards,

--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.

P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com




[Samba] Exchange 5.5 on a Samba Domain

2005-05-12 Thread Ian Clancy
Hi,
I recently migrated from an NT4 Domain to a Samba domain with LDAP 
backend. We use Exchange 5.5 on NT4 as our mail/groupware.
All existing users on the domain appear to be using the Exchange Server
without any problems. However, when I create new users they cannot
access their mailboxes from Outlook. The Event log on the Exchange
Server reports the following error:

A logon attempt failed because an attempt to look up Windows NT 
account information failed. Error 1332.

The new user accounts appear to work perfectly otherwise. They can log
onto the Domain and the Exchange NT4 Server itself. They can even check
their mail using squirrelmail webmail which connects to the exchange
server using IMAP.
I sniffed the communication between the Exchange server and the Samba
Domain server with ethereal and the only communication I can see is a
couple of DCERPC packets.

Anyone had this problem before?
Thanks,
--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.
P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com


Re: [Samba] Exchange 5.5 on a Samba Domain - Further Information

2005-05-12 Thread Ian Clancy
Ian Clancy wrote:

> Hi,
> I recently migrated from an NT4 Domain to a Samba domain with LDAP
> backend. We use Exchange 5.5 on NT4 as our mail/groupware.
> All existing users on the domain appear to be using the Exchange
> Server without any problems. However, when I create new users they
> cannot access their mailboxes from Outlook. The Event log on the
> Exchange Server reports the following error:
>
> A logon attempt failed because an attempt to look up Windows NT
> account information failed. Error 1332.
>
> The new user accounts appear to work perfectly otherwise. They can log
> onto the Domain and the Exchange NT4 Server itself. They can even check
> their mail using squirrelmail webmail which connects to the exchange
> server using IMAP.
> I sniffed the communication between the Exchange server and the Samba
> Domain server with ethereal and the only communication I can see is a
> couple of DCERPC packets.
>
> Anyone had this problem before?
> Thanks,

Hi Again,
Some further information to add.
My samba PDC is running RHEL4 with samba version 3.0.10 (red hat rpm)
and OpenLDAP 2.2.13.
Exchange 5.5 SP4 Build 2653.23 on NT4 SP6.
I have created the Domain user accounts with usrmgr.exe and the smbldap
tools with the same results.
The samba domain is working apart from 1 other problem, adding computer
accounts to the domain. When I attempt to add a PC to the domain from
windows only a posix account is created in the directory. Creating the
computer account with the smbldap tools works fine though so I am using
this as a workaround for the moment.
Thanks,
Ian



Re: [Samba] Exchange 5.5 on a Samba Domain - Further Information

2005-05-12 Thread Ian Clancy
Guenther Deschner wrote:

> Date: Thu, 12 May 2005 10:52:51 +0100
>
> Hi,
> On Thu, May 12, 2005 at 10:29:52AM +0100, Ian Clancy wrote:
>
>> Hi Again,
>> Some further information to add.
>> My samba PDC is running RHEL4 with samba version 3.0.10 (red hat rpm)
>> and OpenLDAP 2.2.13.
>> Exchange 5.5 SP4 Build 2653.23 on NT4 SP6.
>> I have created the Domain user accounts with usrmgr.exe and the smbldap
>> tools with the same results.
>
> to first concentrate on your Exchange issues: You have to use Samba Version
> 3.0.11 when using Exchange 5.5 on NT4 with a Samba DC. In Samba 3.0.11 there
> have been added a couple of fixes w.r.t Exchange 5.5.
> Let us know if an update solves your Exchange-problems. I'm not sure if RedHat
> provides official Samba package updates, you could also use RedHat rpms from
> SerNet.
> Hope that helps,
> Guenther

Guenther,
I would like to upgrade to the latest version 3.0.14a. Red hat tend to
only update samba when a security vulnerability is discovered so I will
probably have to use the SerNet rpm's. I would have used Sernet rpms
originally but had issues with winbind that I won't go into here.
Does anybody perceive any difficulty in upgrading from samba version
3.0.10 (red hat rpm) to 3.0.14 SerNet rpm's?

--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.
P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com


[Samba] nscd, ldap and the root/Administrator account

2005-05-03 Thread Ian Clancy
Hi,
I'm using Samba 3 as a PDC with an Openldap backend and also have a
number of Samba domain member servers that lookup the ldap directory for
their account information. I use ssh to perform various administration
tasks. There is an account called Administrator in the LDAP directory
that has a UID of 0. However, after nscd has been started, the next
time I login to one of the member servers using the root account my
username is reported as Administrator and not as root as expected. This
causes various issues with ssh keys etc.

I have the following lines in my nsswitch.conf file.

passwd: files ldap
shadow: files ldap
group:  files ldap

grepping the output of 'getent passwd' for x:0:

root:x:0:0:root:/root:/bin/bash
Administrator:x:0:5001:Netbios Domain Administrator:/home/Administrator:/bin/bash

When I stop the nscd service the behaviour of the system returns to normal.
I apologise if this topic is not directly samba related. However, I'm
sure somebody else must have come across this behaviour.

Thanks,
Ian


Re: [Samba] nscd, ldap and the root/Administrator account

2005-05-03 Thread Ian Clancy
Adam Tauno Williams wrote:

>> I'm using Samba 3 as a PDC with an Openldap backend and also have a
>> number of Samba domain member servers that lookup the ldap directory for
>> their account information. I use ssh to perform various administration
>> tasks. There is an account called Administrator in the LDAP directory
>> that has a UID of 0. However, after nscd has been started, the next
>> time I login to one of the member servers using the root account my
>> username is reported as Administrator and not as root as expected. This
>> causes various issues with ssh keys etc.
>
> It only works when you're not running nscd because you're lucky.  NSS
> will return the first matching entry for a uidnumber={0} lookup.

I would have thought that it works because I have 'files' before 'ldap'
in the nsswitch.conf file

> It doesn't really support multiple accounts with the same uidnumber, I'd
> suggest not having a Administration;uidnumber=0 account.  Simply map
> Administrator = root in Samba if this is the behaviour you want.

I'm not sure how to map Administrator = root. Sounds like a good idea. I
will have to look into this.

>> I have the following lines in my nsswitch.conf file.
>>
>> passwd: files ldap
>> shadow: files ldap
>> group:  files ldap
>>
>> grepping the output of 'getent passwd' for x:0:
>>
>> root:x:0:0:root:/root:/bin/bash
>> Administrator:x:0:5001:Netbios Domain Administrator:/home/Administrator:/bin/bash
>>
>> When I stop the nscd service the behaviour of the system returns to
>> normal.
>> I apologise if this topic is not directly samba related. However, I'm
>> sure somebody else must have come across this behaviour.
>
> nscd is just a dumb cache,  you're getting the results of a uidnumber=0
> lookup into its cache.

Thanks for your reply
--
Ian Clancy
IT Systems Engineer
Connaught Electronics Ltd.
Dunmore Rd,
Tuam,
Co. Galway,
Ireland.
P : ++353 93 23151
F : ++353 93 23110
E : mailto:[EMAIL PROTECTED]
W : http://www.cel-europe.com
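
An added example, not part of the thread: a Python audit for the situation discussed above, where a directory account shares UID 0 with root. It takes passwd-format lines per NSS source in nsswitch.conf order, reports every UID held by more than one name together with the name a first-match UID lookup returns, and lists UID 0 accounts defined outside local files. The sample accounts other than the two quoted UID 0 lines, and all function names, are assumptions.

```python
"""Audit passwd-format entries from several NSS sources for shared UIDs."""
from collections import defaultdict
from typing import NamedTuple


class Entry(NamedTuple):
    source: str  # NSS source the line came from, e.g. "files" or "ldap"
    name: str
    uid: int


# Constructed sample: the two UID 0 lines are the ones quoted in the thread,
# the other accounts are invented. Sources are listed in nsswitch.conf order.
SAMPLE = [
    ("files", "root:x:0:0:root:/root:/bin/bash\n"
              "sshd:x:74:74:sshd:/var/empty/sshd:/sbin/nologin\n"),
    ("ldap", "Administrator:x:0:5001:Netbios Domain Administrator:"
             "/home/Administrator:/bin/bash\n"
             "alice:x:1001:513:Alice:/home/alice:/bin/bash\n"
             "asmith:x:1001:513:A Smith:/home/asmith:/bin/bash\n"),
]


def parse(sources):
    """Flatten (source, passwd_text) pairs into Entry records, keeping source order."""
    entries = []
    for source, text in sources:
        for line in text.splitlines():
            fields = line.split(":")
            if len(fields) != 7 or not fields[2].isdigit():
                continue  # blank, comment or malformed line
            entries.append(Entry(source, fields[0], int(fields[2])))
    return entries


def first_match(entries, uid):
    """Name a uid lookup yields when sources are tried in order and the first hit wins."""
    return next((e.name for e in entries if e.uid == uid), None)


def shared_uids(entries):
    """Map each UID held by more than one account name to its entries, in lookup order."""
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e.uid].append(e)
    return {uid: group for uid, group in by_uid.items()
            if len({e.name for e in group}) > 1}


def remote_root(entries):
    """UID 0 accounts that are defined somewhere other than the local files source."""
    return [e for e in entries if e.uid == 0 and e.source != "files"]


def audit(entries):
    """Return (severity, uid, detail) findings, lowest UID first."""
    findings = []
    for uid, group in sorted(shared_uids(entries).items()):
        names = ", ".join(f"{e.name} ({e.source})" for e in group)
        severity = "CRITICAL" if uid == 0 else "WARNING"
        findings.append((severity, uid, f"uid {uid} shared by {names}; "
                         f"uid lookups resolve to {first_match(entries, uid)}"))
    return findings


if __name__ == "__main__":
    for severity, uid, detail in audit(parse(SAMPLE)):
        print(f"{severity}: {detail}")
```

Any entry returned by `remote_root` is a root-equivalent login whose credentials are held in the directory rather than on the host.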


[Samba] Migrating from NT4 to Samba/LDAP - Demoting PDC to domain member

2005-04-05 Thread Ian Clancy
Hello All,
I'm looking for some advice \ shared past experiences of users on the list.
I am in the process of planning a migration from an existing NT Domain to
a Samba 3 / LDAP based domain. However, the existing NT4 PDC is also home
to our Exchange 5.5 email server which we would like to keep in service.
I imagine what I need to do is add the old NT4 PDC server to the new Samba
Domain once I have completed the migration. I am not sure how to do this.
I have found this software (U Promote) at
http://www.purenetworking.net/Products/UPromote/UPromote.htm that may do
the trick.
Has anyone out there performed a task similar to this or used this product?
Or is it even necessary? Is there another (free) way?
Thanks,
Ian Clancy



Legal Disclaimer: Any views expressed by the sender of this message are
not necessarily those of Connaught Electronics Ltd. Information in this 
e-mail may be confidential and is for the use of the intended recipient
only, no mistake in transmission is intended to waive or compromise such 
privilege. Please advise the sender if you receive this e-mail by mistake.





[Samba] allowing users to change system time

2004-12-01 Thread Ian Clancy
Greetings Samba users,
I'm the proud administrator of a samba 3 domain with openldap backend. All
is well but for one niggling little problem which I hope somebody could help
me with?
My PDC is set up as a time server (time server = yes) and I have created a
logon script with the following entry:

net time \\mypdc /set /yes

Now, when I logon to a windows 2k domain client as Administrator the above
command syncs the time on the client with the server, no problems. However
when ordinary users logon they get the following error:

System error 1314 has occurred.
A required privilege is not held by the client.

I would like to give the users the privilege to change the time on their
systems. Does anyone know how I could go about doing this? Using the
usrmgr.exe program I can make a number of changes to the samba domain,
unfortunately there is not an option to do this.
All help, ideas welcome.
Thanks for your time.
Ian Clancy



Re: [Samba] allowing users to change system time

2004-12-01 Thread Ian Clancy

Stu,
Thank you for your incredibly quick response. What you describe below
works great, thanks very much. Now I could be barking up the wrong tree
but does anybody know if it would be possible to place this setting
somehow into NTConfig.POL so this setting could be changed on all users'
PCs as they log in?
Ian

-Original Message-
From: Stuart Highlander
To: Ian Clancy; [EMAIL PROTECTED]
Sent: 12/1/2004 10:38 PM
Subject: Re: [Samba] allowing users to change system time

ian,

your problem is probably with the local computer policy on the w2k boxes.

on the win2k box, go to start, run, gpedit.msc, Local Computer Policy,
Computer Configuration, Windows Settings, Security Settings, Local Policies,
User Rights Assignments, Change the System Time.  Add users or authenticated
users to this key.

there may be an easier way, but works for me.

stu


- Original Message - 
From: Ian Clancy [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 4:07 PM
Subject: [Samba] allowing users to change system time


> Greetings Samba users,
> I'm the proud administrator of a samba 3 domain with openldap backend. All
> is well but for one niggling little problem which I hope somebody could help
> me with?
> My PDC is set up as a time server (time server = yes) and I have created a
> logon script with the following entry:
>
> net time \\mypdc /set /yes
>
> Now, when I logon to a windows 2k domain client as Administrator the above
> command syncs the time on the client with the server, no problems. However
> when ordinary users logon they get the following error:
>
> System error 1314 has occurred.
> A required privilege is not held by the client.
>
> I would like to give the users the privilege to change the time on their
> systems. Does anyone know how I could go about doing this? Using the
> usrmgr.exe program I can make a number of changes to the samba domain,
> unfortunately there is not an option to do this.
> All help, ideas welcome.
> Thanks for your time.
> Ian Clancy




[Samba] Using Winbind with Squid

2003-07-30 Thread Ian Clancy
Hello,
I've configured a squid proxy server to use the wb_auth module to
authenticate NT Users. I'm aware that this is not the squid users mailing
list but since the wb_auth module uses the winbind application I thought this
might be a good place to look for some help.
Basically, the wb_auth module asks winbind to authenticate a user. Winbind
then returns a '0' if the authentication was successful, or a '1' if the
authentication was unsuccessful. This is working perfectly except for one
problem. I want to be able to authenticate only specified users or groups.
At the moment every domain user is able to use the proxy server. Can anyone
think of a way to get winbind to only authenticate members of an 'Internet
Users' group?

Has anyone any previous experience of the setup?
All help much appreciated.
Ian




[Samba] Using PAM - Logging into Linux using an NT Domain account

2003-07-07 Thread Ian Clancy
Hello Samba Users,
I work for the IT Department of a small company and we've already replaced
our NT4 File Servers with Linux servers running Samba. We'd like to replace
some of our windows workstations also. It would be really cool if employees
could log into the Linux workstations using their existing NT accounts!

Has anybody had much luck using winbind and PAM to allow log on to Linux
workstations using a windows NT Domain account? Any info, or past
experiences shared will be helpful and much appreciated
Ian Clancy




[Samba] NEWBIE : Problem saving M$ word documents on samba fileserver

2003-03-24 Thread Ian Clancy
Hi,
The users of my company's NT4 domain have their home drives located on a RH8
machine running Samba 2.2.7.
Anytime a user saves a Microsoft Office document from a windows 2000 client
to their home drive they lose write and execute permissions. Thus users can
no longer edit their files (a serious problem!). I want users to have RWX
permissions on their own files but it appears that office is changing the
permissions of the files.
This problem does not occur on windows 95/98 clients, or for users of Open
Office. 

Thanks in advance for your help.

Ian Clancy

